feat(lab-04): iRedMail SSO Integration -- Keycloak LDAP federation, ldap-provider API

RedjiJB · RedjiJB · commit bf24fe98084e · 2026-03-01T10:11:30.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -162,4 +162,31 @@ jobs:
         run: docker compose -f docker/docker-compose.advanced.yml logs
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.advanced.yml down -v
+        run: docker compose -f docker/docker-compose.advanced.yml down -v
+  lab-04-smoke:
+    name: Lab 04 — iRedMail SSO Integration (Keycloak LDAP federation)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install tools
+        run: sudo apt-get install -y curl netcat-openbsd ldap-utils
+      - name: Validate SSO compose
+        run: docker compose -f docker/docker-compose.sso.yml config -q && echo "SSO compose valid"
+      - name: Start SSO stack
+        run: docker compose -f docker/docker-compose.sso.yml up -d
+      - name: Wait for OpenLDAP
+        run: timeout 60 bash -c 'until timeout 3 bash -c "echo > /dev/tcp/localhost/389" 2>/dev/null; do sleep 2; done'
+      - name: Wait for Keycloak
+        run: timeout 120 bash -c 'until curl -sf http://localhost:8087/health/ready | grep -q UP; do sleep 5; done'
+      - name: Wait for iRedMail
+        run: timeout 360 bash -c 'until curl -sf http://localhost:9080/ | grep -qi "roundcube"; do sleep 10; done'
+      - name: Run Lab 09-04 test script
+        run: bash tests/labs/test-lab-09-04.sh
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.sso.yml logs
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.sso.yml down -v
diff --git a/docker/docker-compose.sso.yml b/docker/docker-compose.sso.yml
@@ -1,34 +1,141 @@
-# Lab 04 — SSO Integration: iredmail with Keycloak OIDC authentication
----
+# docker-compose.sso.yml — Lab 09-04: SSO Integration
+# iRedMail with Keycloak LDAP user federation (Keycloak federates from OpenLDAP)
+name: iredmail-sso
+
 services:
-  iredmail:
-    image: iredmail/iredmail:stable
-    container_name: it-stack-iredmail
-    restart: unless-stopped
-    ports:
-      - "25:$firstPort"
+  ldap:
+    image: osixia/openldap:1.5.0
+    container_name: iredmail-sso-ldap
     environment:
-      - IT_STACK_ENV=lab-04-sso
-      - KEYCLOAK_URL=
-      - KEYCLOAK_REALM=
-      - KEYCLOAK_CLIENT_ID=iredmail
-      - KEYCLOAK_CLIENT_SECRET=
+      LDAP_ORGANISATION: "Lab Organization"
+      LDAP_DOMAIN: lab.local
+      LDAP_BASE_DN: "dc=lab,dc=local"
+      LDAP_ADMIN_PASSWORD: Lab04Password!
+      LDAP_READONLY_USER: "true"
+      LDAP_READONLY_USER_USERNAME: readonly
+      LDAP_READONLY_USER_PASSWORD: ReadOnlyPass04!
+      LDAP_TLS: "false"
+    ports:
+      - "389:389"
+    volumes:
+      - ldap_sso_db:/var/lib/ldap
+      - ldap_sso_config:/etc/ldap/slapd.d
     networks:
-      - it-stack-net
+      - mail-dir-net
+    healthcheck:
+      test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D 'cn=admin,dc=lab,dc=local' -w Lab04Password! -LLL -z 1 dn 2>/dev/null | grep -q 'dn:'"]
+      interval: 20s
+      timeout: 10s
+      retries: 5
+      start_period: 20s
+    deploy:
+      resources:
+        limits:
+          cpus: "0.25"
+          memory: 256M
+    restart: unless-stopped
 
-  # Local Keycloak for SSO lab (replace with lab-id1 in real env)
   keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-iredmail-keycloak
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: iredmail-sso-keycloak
     command: start-dev
     environment:
       KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KEYCLOAK_ADMIN_PASSWORD: Lab04Admin!
+      KC_HTTP_PORT: "8080"
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HTTP_ENABLED: "true"
+      KC_HEALTH_ENABLED: "true"
+      KC_PROXY: edge
+    ports:
+      - "8087:8080"
+    networks:
+      - mail-app-net
+      - mail-dir-net
+    depends_on:
+      ldap:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready | grep -q UP"]
+      interval: 20s
+      timeout: 10s
+      retries: 10
+      start_period: 60s
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 768M
+    restart: unless-stopped
+
+  smtp-relay:
+    image: mailhog/mailhog:v1.0.1
+    container_name: iredmail-sso-smtp-relay
     ports:
-      - "8080:8080"
+      - "8025:8025"
     networks:
-      - it-stack-net
+      - mail-app-net
+    restart: unless-stopped
+
+  iredmail:
+    image: iredmail/mariadb:stable
+    container_name: iredmail-sso-app
+    hostname: mail.lab.local
+    ports:
+      - "9080:80"
+      - "9443:443"
+      - "9025:25"
+      - "9587:587"
+      - "9143:143"
+      - "9993:993"
+    environment:
+      FIRST_MAIL_DOMAIN: lab.local
+      FIRST_MAIL_DOMAIN_ADMIN_PASSWORD: Lab04Password!
+      MLMMJADMIN_API_TOKEN: Lab04Token!
+      ROUNDCUBE_DES_KEY: Lab04RoundcubeDesKey01
+      LDAP_SERVER_HOST: ldap
+      LDAP_SERVER_PORT: "389"
+      LDAP_BIND_DN: "cn=readonly,dc=lab,dc=local"
+      LDAP_BIND_PASSWORD: ReadOnlyPass04!
+      LDAP_BASE_DN: "dc=lab,dc=local"
+      ENABLE_DKIM: "1"
+      DKIM_SELECTOR: lab
+      POSTFIX_RELAYHOST: "[smtp-relay]:1025"
+    volumes:
+      - iredmail_sso_data:/var/vmail
+      - iredmail_sso_db:/var/lib/mysql
+      - iredmail_sso_ssl:/opt/iredmail/ssl
+      - iredmail_sso_dkim:/opt/dkim
+    networks:
+      - mail-app-net
+      - mail-dir-net
+    depends_on:
+      ldap:
+        condition: service_healthy
+      keycloak:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost/mail/ | grep -qi 'roundcube\\|webmail\\|login'"]
+      interval: 30s
+      timeout: 15s
+      retries: 10
+      start_period: 120s
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 1G
+    restart: unless-stopped
+
+volumes:
+  ldap_sso_db:
+  ldap_sso_config:
+  iredmail_sso_data:
+  iredmail_sso_db:
+  iredmail_sso_ssl:
+  iredmail_sso_dkim:
 
 networks:
-  it-stack-net:
-    driver: bridge
+  mail-app-net:
+  mail-dir-net:
diff --git a/tests/labs/test-lab-09-04.sh b/tests/labs/test-lab-09-04.sh
@@ -1,71 +1,134 @@
 #!/usr/bin/env bash
-# test-lab-09-04.sh — Lab 09-04: SSO Integration
-# Module 09: iRedMail email server
-# iredmail with Keycloak OIDC/SAML authentication
+# test-lab-09-04.sh — Lab 09-04: iRedMail SSO Integration
+# Tests: Keycloak running, LDAP federation config, Keycloak user sync from LDAP
 set -euo pipefail
-
-LAB_ID="09-04"
-LAB_NAME="SSO Integration"
-MODULE="iredmail"
 COMPOSE_FILE="docker/docker-compose.sso.yml"
-PASS=0
-FAIL=0
-
-# ── Colors ────────────────────────────────────────────────────────────────────
-RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
-CYAN='\033[0;36m'; NC='\033[0m'
-
-pass() { echo -e "${GREEN}[PASS]${NC} $1"; ((PASS++)); }
-fail() { echo -e "${RED}[FAIL]${NC} $1"; ((FAIL++)); }
-info() { echo -e "${CYAN}[INFO]${NC} $1"; }
-warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+KC_PORT="8087"
+PASS=0; FAIL=0
+pass() { echo "  [PASS] $1"; PASS=$((PASS+1)); }
+fail() { echo "  [FAIL] $1"; FAIL=$((FAIL+1)); }
+section() { echo; echo "=== $1 ==="; }
 
-echo -e "${CYAN}======================================${NC}"
-echo -e "${CYAN} Lab ${LAB_ID}: ${LAB_NAME}${NC}"
-echo -e "${CYAN} Module: ${MODULE}${NC}"
-echo -e "${CYAN}======================================${NC}"
-echo ""
+section "Container health"
+for c in iredmail-sso-ldap iredmail-sso-smtp-relay iredmail-sso-keycloak iredmail-sso-app; do
+  if docker inspect --format '{{.State.Running}}' "$c" 2>/dev/null | grep -q true; then
+    pass "Container $c is running"
+  else
+    fail "Container $c is not running"
+  fi
+done
 
-# ── PHASE 1: Setup ────────────────────────────────────────────────────────────
-info "Phase 1: Setup"
-docker compose -f "${COMPOSE_FILE}" up -d
-info "Waiting 30s for ${MODULE} to initialize..."
-sleep 30
+section "OpenLDAP connectivity"
+if timeout 5 bash -c 'echo > /dev/tcp/localhost/389' 2>/dev/null; then
+  pass "OpenLDAP :389 reachable"
+else
+  fail "OpenLDAP :389 not reachable"
+fi
+LDAP_SEARCH=$(ldapsearch -x -H ldap://localhost:389 \
+  -b "dc=lab,dc=local" \
+  -D "cn=admin,dc=lab,dc=local" \
+  -w Lab04Password! -LLL -z 1 dn 2>/dev/null | head -3) || LDAP_SEARCH=""
+if echo "$LDAP_SEARCH" | grep -q "dn:"; then
+  pass "LDAP admin bind and search successful"
+else
+  fail "LDAP admin bind failed"
+fi
 
-# ── PHASE 2: Health Checks ────────────────────────────────────────────────────
-info "Phase 2: Health Checks"
+section "Keycloak health"
+KC_HEALTH=$(curl -sf "http://localhost:${KC_PORT}/health/ready" 2>/dev/null) || KC_HEALTH=""
+if echo "$KC_HEALTH" | grep -q "UP"; then
+  pass "Keycloak health/ready = UP"
+else
+  fail "Keycloak health/ready not UP"
+fi
 
-if docker compose -f "${COMPOSE_FILE}" ps | grep -q "running\|Up"; then
-    pass "Container is running"
+section "Keycloak admin API + realm"
+KC_TOKEN=$(curl -sf -X POST \
+  "http://localhost:${KC_PORT}/realms/master/protocol/openid-connect/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "client_id=admin-cli&username=admin&password=Lab04Admin!&grant_type=password" 2>/dev/null \
+  | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4) || KC_TOKEN=""
+if [ -n "$KC_TOKEN" ]; then
+  pass "Keycloak admin token obtained"
 else
-    fail "Container is not running"
+  fail "Keycloak admin login failed"
 fi
 
-# ── PHASE 3: Functional Tests ─────────────────────────────────────────────────
-info "Phase 3: Functional Tests (Lab 04 — SSO Integration)"
+if [ -n "$KC_TOKEN" ]; then
+  curl -sf -X POST "http://localhost:${KC_PORT}/admin/realms" \
+    -H "Authorization: Bearer $KC_TOKEN" -H "Content-Type: application/json" \
+    -d '{"realm":"it-stack","enabled":true}' 2>/dev/null || true
+  REALM_CHECK=$(curl -sf "http://localhost:${KC_PORT}/admin/realms/it-stack" \
+    -H "Authorization: Bearer $KC_TOKEN" 2>/dev/null) || REALM_CHECK=""
+  if echo "$REALM_CHECK" | grep -q '"realm":"it-stack"'; then
+    pass "Keycloak realm 'it-stack' exists"
+  else
+    fail "Keycloak realm 'it-stack' not found"
+  fi
+else
+  fail "Skipping realm check (no admin token)"
+fi
 
-# TODO: Add module-specific functional tests here
-# Example:
-# if curl -sf http://localhost:25/health > /dev/null 2>&1; then
-#     pass "Health endpoint responds"
-# else
-#     fail "Health endpoint not reachable"
-# fi
+section "Keycloak LDAP user federation"
+if [ -n "$KC_TOKEN" ]; then
+  LDAP_PROVIDER=$(curl -sf -X POST \
+    "http://localhost:${KC_PORT}/admin/realms/it-stack/components" \
+    -H "Authorization: Bearer $KC_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{"name":"ldap","providerId":"ldap","providerType":"org.keycloak.storage.UserStorageProvider","config":{"vendor":["other"],"connectionUrl":["ldap://ldap:389"],"bindDn":["cn=readonly,dc=lab,dc=local"],"bindCredential":["ReadOnlyPass04!"],"usersDn":["ou=People,dc=lab,dc=local"],"usernameLDAPAttribute":["mail"],"rdnLDAPAttribute":["uid"],"uuidLDAPAttribute":["entryUUID"],"userObjectClasses":["inetOrgPerson"],"importEnabled":["true"],"syncRegistrations":["false"]}}' \
+    2>/dev/null; echo $?) || LDAP_PROVIDER=0
+  COMPONENTS=$(curl -sf \
+    "http://localhost:${KC_PORT}/admin/realms/it-stack/components?type=org.keycloak.storage.UserStorageProvider" \
+    -H "Authorization: Bearer $KC_TOKEN" 2>/dev/null) || COMPONENTS=""
+  if echo "$COMPONENTS" | grep -q '"providerId":"ldap"'; then
+    pass "Keycloak LDAP user federation provider registered"
+  else
+    fail "Keycloak LDAP user federation not found"
+  fi
+else
+  fail "Skipping LDAP federation check (no admin token)"
+fi
 
-warn "Functional tests for Lab 09-04 pending implementation"
+section "iRedMail LDAP config in env"
+IM_ENV=$(docker inspect iredmail-sso-app --format '{{json .Config.Env}}' 2>/dev/null) || IM_ENV="[]"
+if echo "$IM_ENV" | grep -q "LDAP_SERVER_HOST=ldap"; then
+  pass "LDAP_SERVER_HOST=ldap configured"
+else
+  fail "LDAP_SERVER_HOST not set to 'ldap'"
+fi
+if echo "$IM_ENV" | grep -q '"LDAP_BIND_DN=cn=readonly,dc=lab,dc=local"'; then
+  pass "LDAP_BIND_DN = cn=readonly,dc=lab,dc=local"
+else
+  fail "LDAP_BIND_DN not configured"
+fi
 
-# ── PHASE 4: Cleanup ──────────────────────────────────────────────────────────
-info "Phase 4: Cleanup"
-docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans
-info "Cleanup complete"
+section "Roundcube webmail"
+HTTP_CODE=$(curl -sw '%{http_code}' -o /dev/null http://localhost:9080/mail/ 2>/dev/null) || HTTP_CODE="000"
+if echo "$HTTP_CODE" | grep -qE "^(200|301|302)"; then
+  pass "Roundcube /mail/ HTTP $HTTP_CODE"
+else
+  fail "Roundcube /mail/ returned $HTTP_CODE"
+fi
 
-# ── Results ───────────────────────────────────────────────────────────────────
-echo ""
-echo -e "${CYAN}======================================${NC}"
-echo -e " Lab ${LAB_ID} Complete"
-echo -e " ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
-echo -e "${CYAN}======================================${NC}"
+section "SMTP port"
+SMTP_BANNER=$(echo "QUIT" | timeout 5 nc localhost 9025 2>/dev/null | head -1) || SMTP_BANNER=""
+if echo "$SMTP_BANNER" | grep -q "220"; then
+  pass "SMTP :9025 banner OK"
+else
+  fail "SMTP :9025 banner failed"
+fi
 
-if [ "${FAIL}" -gt 0 ]; then
-    exit 1
+section "Keycloak OIDC discovery"
+KC_OIDC=$(curl -sf "http://localhost:${KC_PORT}/realms/it-stack/.well-known/openid-configuration" 2>/dev/null) || KC_OIDC=""
+if echo "$KC_OIDC" | grep -q '"issuer"'; then
+  pass "Keycloak OIDC discovery reachable"
+else
+  fail "Keycloak OIDC discovery failed"
 fi
+
+echo
+echo "====================================="
+echo "  iRedMail Lab 09-04 Results"
+echo "  PASS: $PASS  FAIL: $FAIL"
+echo "====================================="
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1
