feat(lab-05): iRedMail Advanced Integration -- OpenLDAP primary auth, Keycloak LDAP federation, mailhog relay

RedjiJB · RedjiJB · commit 015a7facf734 · 2026-03-01T10:29:17.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -189,4 +189,31 @@ jobs:
         run: docker compose -f docker/docker-compose.sso.yml logs
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.sso.yml down -v
+        run: docker compose -f docker/docker-compose.sso.yml down -v
+  lab-05-smoke:
+    name: Lab 05 -- iRedMail Advanced Integration (LDAP + Keycloak federation)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install tools
+        run: sudo apt-get install -y curl ldap-utils
+      - name: Validate integration compose
+        run: docker compose -f docker/docker-compose.integration.yml config -q && echo "Integration compose valid"
+      - name: Start integration stack
+        run: docker compose -f docker/docker-compose.integration.yml up -d
+      - name: Wait for Keycloak
+        run: timeout 180 bash -c 'until curl -sf http://localhost:8108/health/ready | grep -q UP; do sleep 5; done'
+      - name: Wait for OpenLDAP
+        run: timeout 120 bash -c 'until docker exec iredmail-int-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapAdmin05! > /dev/null 2>&1; do sleep 5; done'
+      - name: Wait for iRedMail
+        run: timeout 360 bash -c 'until curl -sf http://localhost:9180/ > /dev/null 2>&1; do sleep 15; done'
+      - name: Run Lab 09-05 test script
+        run: bash tests/labs/test-lab-09-05.sh --no-cleanup
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.integration.yml logs
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.integration.yml down -v
diff --git a/docker/docker-compose.integration.yml b/docker/docker-compose.integration.yml
@@ -1,26 +1,121 @@
-# Lab 05 — Advanced Integration: iredmail with full IT-Stack ecosystem
----
+# docker-compose.integration.yml -- Lab 05: Advanced Integration
+# iRedMail + OpenLDAP (FreeIPA sim) + Keycloak LDAP federation + Mailhog
+# Lab 05 tests: LDAP primary auth, Keycloak LDAP federation, mailbox from LDAP users
+#
+# Ports:
+#   9180 -- iRedMail HTTP admin (Roundcube / SOGo)
+#   9443 -- iRedMail HTTPS
+#   9025 -- SMTP (mailhog relay)
+#   9587 -- SMTP submission
+#   9143 -- IMAP
+#   9993 -- IMAPS
+#   8108 -- Keycloak admin console
+#   3892 -- OpenLDAP
+#   8025 -- Mailhog web UI
+#
+# Credentials:
+#   LDAP admin:    cn=admin,dc=lab,dc=local / LdapAdmin05!
+#   LDAP readonly: cn=readonly,dc=lab,dc=local / ReadOnly05!
+#   Keycloak:      admin / Lab05Admin!
+#   Mail domain:   lab.local / postmaster@lab.local / MailAdmin05!
+
 services:
-  iredmail:
-    image: iredmail/iredmail:stable
-    container_name: it-stack-iredmail
-    restart: unless-stopped
+  iredmail-int-ldap:
+    image: osixia/openldap:1.5.0
+    container_name: iredmail-int-ldap
+    environment:
+      LDAP_ORGANISATION: "IT-Stack Lab"
+      LDAP_DOMAIN: lab.local
+      LDAP_ADMIN_PASSWORD: LdapAdmin05!
+      LDAP_READONLY_USER: "true"
+      LDAP_READONLY_USER_USERNAME: readonly
+      LDAP_READONLY_USER_PASSWORD: ReadOnly05!
     ports:
-      - "25:$firstPort"
+      - "3892:389"
+    networks:
+      - mail-int-dir-net
+    healthcheck:
+      test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapAdmin05! > /dev/null 2>&1"]
+      interval: 15s
+      timeout: 10s
+      retries: 5
+      start_period: 20s
+
+  iredmail-int-keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: iredmail-int-keycloak
+    command: start-dev
     environment:
-      - IT_STACK_ENV=lab-05-integration
-      - KEYCLOAK_URL=
-      - DB_HOST=
-      - REDIS_HOST=
-      - SMTP_HOST=
-      - GRAYLOG_HOST=
-    extra_hosts:
-      - "lab-id1:10.0.50.11"
-      - "lab-db1:10.0.50.12"
-      - "lab-proxy1:10.0.50.15"
+      KC_HEALTH_ENABLED: "true"
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: Lab05Admin!
+    ports:
+      - "8108:8080"
     networks:
-      - it-stack-net
+      - mail-int-app-net
+      - mail-int-dir-net
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready | grep -q UP || exit 1"]
+      interval: 20s
+      timeout: 10s
+      retries: 10
+      start_period: 60s
+
+  iredmail-int-smtp-relay:
+    image: mailhog/mailhog:latest
+    container_name: iredmail-int-smtp-relay
+    ports:
+      - "8025:8025"
+      - "9025:1025"
+    networks:
+      - mail-int-app-net
+
+  iredmail-int-app:
+    image: iredmail/mariadb:stable
+    container_name: iredmail-int-app
+    depends_on:
+      iredmail-int-ldap:
+        condition: service_healthy
+      iredmail-int-keycloak:
+        condition: service_healthy
+    environment:
+      HOSTNAME: mail.lab.local
+      FIRST_MAIL_DOMAIN: lab.local
+      FIRST_MAIL_DOMAIN_ADMIN_PASSWORD: MailAdmin05!
+      MLMMJADMIN_API_TOKEN: MailApiToken05!
+      ROUNDCUBE_DES_KEY: RoundcubeKey05xyz!
+      LDAP_SERVER_HOST: iredmail-int-ldap
+      LDAP_SERVER_PORT: "389"
+      LDAP_BIND_DN: "cn=readonly,dc=lab,dc=local"
+      LDAP_BIND_PASSWORD: ReadOnly05!
+      LDAP_BASEDN: "dc=lab,dc=local"
+      RELAY_HOST: iredmail-int-smtp-relay
+      RELAY_PORT: "1025"
+    ports:
+      - "9180:80"
+      - "9443:443"
+      - "9587:587"
+      - "9143:143"
+      - "9993:993"
+    volumes:
+      - iredmail-int-data:/var/vmail
+      - iredmail-int-db:/var/lib/mysql
+      - iredmail-int-clamav:/var/lib/clamav
+    networks:
+      - mail-int-app-net
+      - mail-int-dir-net
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost/mail/"]
+      interval: 30s
+      timeout: 15s
+      retries: 10
+      start_period: 120s
+
+volumes:
+  iredmail-int-data:
+  iredmail-int-db:
+  iredmail-int-clamav:
 
 networks:
-  it-stack-net:
-    driver: bridge
+  mail-int-app-net:
+  mail-int-dir-net:
diff --git a/tests/labs/test-lab-09-05.sh b/tests/labs/test-lab-09-05.sh
@@ -1,71 +1,134 @@
 #!/usr/bin/env bash
-# test-lab-09-05.sh — Lab 09-05: Advanced Integration
-# Module 09: iRedMail email server
-# iredmail integrated with full IT-Stack ecosystem
+# test-lab-09-05.sh -- Lab 05: iRedMail Advanced Integration
+# Tests: OpenLDAP bind, Keycloak realm+LDAP-federation, iRedMail LDAP config, mailhog relay
+#
+# Usage: bash tests/labs/test-lab-09-05.sh [--no-cleanup]
 set -euo pipefail
 
-LAB_ID="09-05"
-LAB_NAME="Advanced Integration"
-MODULE="iredmail"
 COMPOSE_FILE="docker/docker-compose.integration.yml"
-PASS=0
-FAIL=0
-
-# ── Colors ────────────────────────────────────────────────────────────────────
-RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
-CYAN='\033[0;36m'; NC='\033[0m'
-
-pass() { echo -e "${GREEN}[PASS]${NC} $1"; ((PASS++)); }
-fail() { echo -e "${RED}[FAIL]${NC} $1"; ((FAIL++)); }
-info() { echo -e "${CYAN}[INFO]${NC} $1"; }
-warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
-
-echo -e "${CYAN}======================================${NC}"
-echo -e "${CYAN} Lab ${LAB_ID}: ${LAB_NAME}${NC}"
-echo -e "${CYAN} Module: ${MODULE}${NC}"
-echo -e "${CYAN}======================================${NC}"
-echo ""
-
-# ── PHASE 1: Setup ────────────────────────────────────────────────────────────
-info "Phase 1: Setup"
-docker compose -f "${COMPOSE_FILE}" up -d
-info "Waiting 30s for ${MODULE} to initialize..."
-sleep 30
-
-# ── PHASE 2: Health Checks ────────────────────────────────────────────────────
-info "Phase 2: Health Checks"
-
-if docker compose -f "${COMPOSE_FILE}" ps | grep -q "running\|Up"; then
-    pass "Container is running"
+KC_PORT=8108
+MAIL_PORT=9180
+LDAP_PORT=3892
+MAILHOG_PORT=8025
+KC_ADMIN=admin
+KC_PASS="Lab05Admin!"
+LDAP_ADMIN_DN="cn=admin,dc=lab,dc=local"
+LDAP_PASS="LdapAdmin05!"
+READONLY_DN="cn=readonly,dc=lab,dc=local"
+READONLY_PASS="ReadOnly05!"
+CLEANUP=true
+[[ "${1:-}" == "--no-cleanup" ]] && CLEANUP=false
+
+PASS=0; FAIL=0
+pass() { echo "[PASS] $1"; ((PASS++)); }
+fail() { echo "[FAIL] $1"; ((FAIL++)); }
+section() { echo ""; echo "=== $1 ==="; }
+cleanup() { $CLEANUP && docker compose -f "$COMPOSE_FILE" down -v 2>/dev/null || true; }
+trap cleanup EXIT
+
+section "Lab 09-05: iRedMail Advanced Integration"
+echo "Compose file: $COMPOSE_FILE"
+
+section "1. Start Containers"
+docker compose -f "$COMPOSE_FILE" up -d
+echo "Waiting for services to initialize..."
+sleep 40
+
+section "2. Keycloak Health"
+for i in $(seq 1 24); do
+  if curl -sf "http://localhost:${KC_PORT}/health/ready" | grep -q "UP"; then
+    pass "Keycloak health/ready UP"
+    break
+  fi
+  [[ $i -eq 24 ]] && fail "Keycloak did not become healthy" && exit 1
+  sleep 10
+done
+
+section "3. OpenLDAP Connectivity"
+for i in $(seq 1 12); do
+  if docker exec iredmail-int-ldap ldapsearch -x -H ldap://localhost \
+     -b "dc=lab,dc=local" -D "$LDAP_ADMIN_DN" -w "$LDAP_PASS" \
+     -s base "(objectClass=*)" >/dev/null 2>&1; then
+    pass "LDAP admin bind successful"
+    break
+  fi
+  [[ $i -eq 12 ]] && fail "LDAP admin bind failed after 120s"
+  sleep 10
+done
+
+# Readonly bind
+if docker exec iredmail-int-ldap ldapsearch -x -H ldap://localhost \
+   -b "dc=lab,dc=local" -D "$READONLY_DN" -w "$READONLY_PASS" \
+   -s base "(objectClass=*)" >/dev/null 2>&1; then
+  pass "LDAP readonly bind successful"
 else
-    fail "Container is not running"
+  fail "LDAP readonly bind failed"
 fi
 
-# ── PHASE 3: Functional Tests ─────────────────────────────────────────────────
-info "Phase 3: Functional Tests (Lab 05 — Advanced Integration)"
-
-# TODO: Add module-specific functional tests here
-# Example:
-# if curl -sf http://localhost:25/health > /dev/null 2>&1; then
-#     pass "Health endpoint responds"
-# else
-#     fail "Health endpoint not reachable"
-# fi
-
-warn "Functional tests for Lab 09-05 pending implementation"
-
-# ── PHASE 4: Cleanup ──────────────────────────────────────────────────────────
-info "Phase 4: Cleanup"
-docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans
-info "Cleanup complete"
-
-# ── Results ───────────────────────────────────────────────────────────────────
-echo ""
-echo -e "${CYAN}======================================${NC}"
-echo -e " Lab ${LAB_ID} Complete"
-echo -e " ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
-echo -e "${CYAN}======================================${NC}"
-
-if [ "${FAIL}" -gt 0 ]; then
-    exit 1
-fi
+section "4. Keycloak Realm + LDAP Federation"
+KC_TOKEN=$(curl -sf "http://localhost:${KC_PORT}/realms/master/protocol/openid-connect/token" \
+  -d "client_id=admin-cli&grant_type=password&username=${KC_ADMIN}&password=${KC_PASS}" \
+  | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4)
+[[ -n "$KC_TOKEN" ]] && pass "Keycloak admin token obtained" || { fail "Keycloak admin token failed"; exit 1; }
+
+HTTP=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+  "http://localhost:${KC_PORT}/admin/realms" \
+  -H "Authorization: Bearer $KC_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"realm":"it-stack","enabled":true}')
+[[ "$HTTP" =~ ^(201|409)$ ]] && pass "Realm it-stack created (HTTP $HTTP)" || fail "Realm creation failed (HTTP $HTTP)"
+
+LDAP_FED_PAYLOAD='{"name":"ldap","providerId":"ldap","providerType":"org.keycloak.storage.UserStorageProvider","config":{"vendor":["other"],"connectionUrl":["ldap://iredmail-int-ldap:389"],"bindDn":["'"$LDAP_ADMIN_DN"'"],"bindCredential":["LdapAdmin05!"],"usersDn":["dc=lab,dc=local"],"usernameLDAPAttribute":["uid"],"rdnLDAPAttribute":["uid"],"uuidLDAPAttribute":["entryUUID"],"userObjectClasses":["inetOrgPerson"],"syncRegistrations":["false"],"enabled":["true"]}}'
+HTTP=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+  "http://localhost:${KC_PORT}/admin/realms/it-stack/components" \
+  -H "Authorization: Bearer $KC_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "$LDAP_FED_PAYLOAD")
+[[ "$HTTP" =~ ^(201|409)$ ]] && pass "Keycloak LDAP federation registered (HTTP $HTTP)" || fail "LDAP federation failed (HTTP $HTTP)"
+
+section "5. iRedMail Environment"
+APP_ENV=$(docker inspect iredmail-int-app --format '{{range .Config.Env}}{{.}} {{end}}')
+
+echo "$APP_ENV" | grep -q "LDAP_SERVER_HOST=iredmail-int-ldap" \
+  && pass "LDAP_SERVER_HOST=iredmail-int-ldap" \
+  || fail "LDAP_SERVER_HOST missing"
+
+echo "$APP_ENV" | grep -q "LDAP_BIND_DN=cn=readonly" \
+  && pass "LDAP_BIND_DN uses readonly account" \
+  || fail "LDAP_BIND_DN missing/wrong"
+
+echo "$APP_ENV" | grep -q "LDAP_BASEDN=dc=lab,dc=local" \
+  && pass "LDAP_BASEDN=dc=lab,dc=local" \
+  || fail "LDAP_BASEDN missing"
+
+echo "$APP_ENV" | grep -q "RELAY_HOST=iredmail-int-smtp-relay" \
+  && pass "RELAY_HOST=iredmail-int-smtp-relay" \
+  || fail "RELAY_HOST missing"
+
+section "6. iRedMail HTTP Admin Panel"
+for i in $(seq 1 20); do
+  HTTP=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:${MAIL_PORT}/" 2>/dev/null || echo "000")
+  if [[ "$HTTP" =~ ^(200|302|301)$ ]]; then
+    pass "iRedMail HTTP admin panel responds (HTTP $HTTP)"
+    break
+  fi
+  [[ $i -eq 20 ]] && fail "iRedMail admin panel did not become ready (last HTTP $HTTP)"
+  sleep 15
+done
+
+section "7. Mailhog SMTP Relay"
+HTTP=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:${MAILHOG_PORT}/" 2>/dev/null || echo "000")
+[[ "$HTTP" =~ ^(200|302)$ ]] \
+  && pass "Mailhog web UI accessible (HTTP $HTTP)" \
+  || fail "Mailhog web UI unreachable (HTTP $HTTP)"
+
+section "8. Keycloak LDAP Components Listed"
+COMPONENTS=$(curl -sf "http://localhost:${KC_PORT}/admin/realms/it-stack/components?type=org.keycloak.storage.UserStorageProvider" \
+  -H "Authorization: Bearer $KC_TOKEN" 2>/dev/null || echo "[]")
+echo "$COMPONENTS" | grep -q "ldap" \
+  && pass "Keycloak LDAP user storage provider listed" \
+  || fail "Keycloak LDAP provider not found in components"
+
+section "Summary"
+echo "Passed: $PASS | Failed: $FAIL"
+[[ $FAIL -eq 0 ]] && echo "Lab 09-05 PASSED" || { echo "Lab 09-05 FAILED"; exit 1; }
