feat(lab-04): Traefik SSO — ForwardAuth middleware via Keycloak + oauth2-proxy

RedjiJB · RedjiJB · commit dbf583c19a69 · 2026-02-28T15:19:26.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -174,4 +174,37 @@ jobs:
 
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.advanced.yml down -v
+        run: docker compose -f docker/docker-compose.advanced.yml down -v
+
+  lab-04-smoke:
+    name: Lab 04 — Traefik ForwardAuth SSO via Keycloak
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tools
+        run: sudo apt-get install -y netcat-openbsd curl
+
+      - name: Start SSO stack (KC + Traefik + oauth2-proxy + whoami services)
+        run: docker compose -f docker/docker-compose.sso.yml up -d
+
+      - name: Wait for Keycloak
+        run: timeout 200 bash -c 'until curl -sf http://localhost:8080/health/ready | grep -q UP; do sleep 5; done'
+
+      - name: Wait for Traefik
+        run: timeout 60 bash -c 'until curl -sf http://localhost:8080/api/version | grep -q Version; do sleep 3; done'
+
+      - name: Run Lab 18-04 test script
+        env:
+          KC_PASS: "Lab04Password!"
+        run: bash tests/labs/test-lab-18-04.sh
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.sso.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.sso.yml down -v
diff --git a/docker/docker-compose.sso.yml b/docker/docker-compose.sso.yml
@@ -1,34 +1,127 @@
-# Lab 04 — SSO Integration: traefik with Keycloak OIDC authentication
----
 services:
-  traefik:
-    image: traefik:v3.0
-    container_name: it-stack-traefik
-    restart: unless-stopped
-    ports:
-      - "80:$firstPort"
+
+  # ── Keycloak backing DB (internal) ────────────────────────────────
+  kc-db:
+    image: postgres:16-alpine
     environment:
-      - IT_STACK_ENV=lab-04-sso
-      - KEYCLOAK_URL=
-      - KEYCLOAK_REALM=
-      - KEYCLOAK_CLIENT_ID=traefik
-      - KEYCLOAK_CLIENT_SECRET=
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: kcadmin
+      POSTGRES_PASSWORD: Lab04Password!
     networks:
-      - it-stack-net
+      - kc-db-net
+    volumes:
+      - kc-db-sso:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U kcadmin -d keycloak"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
 
-  # Local Keycloak for SSO lab (replace with lab-id1 in real env)
+  # ── Keycloak SSO provider ──────────────────────────────────────────
   keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-traefik-keycloak
+    image: quay.io/keycloak/keycloak:24.0
     command: start-dev
+    depends_on:
+      kc-db:
+        condition: service_healthy
     environment:
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: Lab04Password!
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://kc-db:5432/keycloak"
+      KC_DB_USERNAME: kcadmin
+      KC_DB_PASSWORD: Lab04Password!
+      KC_HTTP_PORT: "8080"
+      KC_HOSTNAME_STRICT: "false"
+      KC_PROXY: edge
+    ports:
+      - "8080:8080"
+    networks:
+      - proxy-sso-net
+      - kc-db-net
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 30
+      start_period: 60s
+
+  # ── oauth2-proxy: Traefik forwardAuth backend ──────────────────────
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    depends_on:
+      keycloak:
+        condition: service_healthy
+    command:
+      - --provider=oidc
+      - --oidc-issuer-url=http://keycloak:8080/realms/it-stack
+      - --client-id=oauth2-proxy
+      - --client-secret=Lab04Password!
+      - --cookie-secret=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4
+      - --email-domain=*
+      - --upstream=static://202
+      - --http-address=0.0.0.0:4180
+      - --redirect-url=http://localhost:4180/oauth2/callback
+      - --cookie-secure=false
+      - --skip-jwt-bearer-tokens=true
+    networks:
+      - proxy-sso-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.oauth2.rule=PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2.entrypoints=web"
+      - "traefik.http.services.oauth2.loadbalancer.server.port=4180"
+
+  # ── Traefik reverse proxy ──────────────────────────────────────────
+  traefik:
+    image: traefik:v3.0
+    command:
+      - --api.dashboard=true
+      - --api.insecure=true
+      - --entrypoints.web.address=:80
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
     ports:
+      - "80:80"
       - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - proxy-sso-net
+    depends_on:
+      keycloak:
+        condition: service_healthy
+
+  # ── Protected whoami (requires SSO) ──────────────────────────────
+  whoami-protected:
+    image: traefik/whoami:latest
     networks:
-      - it-stack-net
+      - proxy-sso-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami-protected.rule=PathPrefix(`/protected`)"
+      - "traefik.http.routers.whoami-protected.entrypoints=web"
+      - "traefik.http.routers.whoami-protected.middlewares=forward-auth"
+      - "traefik.http.middlewares.forward-auth.forwardauth.address=http://oauth2-proxy:4180"
+      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
+
+  # ── Public whoami (no auth) ────────────────────────────────────────
+  whoami-public:
+    image: traefik/whoami:latest
+    networks:
+      - proxy-sso-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami-public.rule=PathPrefix(`/public`)"
+      - "traefik.http.routers.whoami-public.entrypoints=web"
 
 networks:
-  it-stack-net:
+  proxy-sso-net:
     driver: bridge
+  kc-db-net:
+    driver: bridge
+    internal: true
+
+volumes:
+  kc-db-sso:
diff --git a/tests/labs/test-lab-18-04.sh b/tests/labs/test-lab-18-04.sh
@@ -1,71 +1,103 @@
 #!/usr/bin/env bash
-# test-lab-18-04.sh — Lab 18-04: SSO Integration
-# Module 18: Traefik reverse proxy and load balancer
-# traefik with Keycloak OIDC/SAML authentication
+# test-lab-18-04.sh — Traefik Lab 04: ForwardAuth SSO via Keycloak OIDC
+# Tests: Keycloak setup, OIDC, oauth2-proxy ForwardAuth, public vs protected routes
 set -euo pipefail
 
-LAB_ID="18-04"
-LAB_NAME="SSO Integration"
-MODULE="traefik"
-COMPOSE_FILE="docker/docker-compose.sso.yml"
-PASS=0
-FAIL=0
+PASS=0; FAIL=0
+KC_PASS="${KC_PASS:-Lab04Password!}"
+KC_URL="http://localhost:8080"
+REALM="it-stack"
+TRAEFIK_URL="http://localhost:80"
 
-# ── Colors ────────────────────────────────────────────────────────────────────
-RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
-CYAN='\033[0;36m'; NC='\033[0m'
+pass()  { ((++PASS)); echo "  [PASS] $1"; }
+fail()  { ((++FAIL)); echo "  [FAIL] $1"; }
+warn()  { echo "  [WARN] $1"; }
+header(){ echo; echo "=== $1 ==="; }
 
-pass() { echo -e "${GREEN}[PASS]${NC} $1"; ((PASS++)); }
-fail() { echo -e "${RED}[FAIL]${NC} $1"; ((FAIL++)); }
-info() { echo -e "${CYAN}[INFO]${NC} $1"; }
-warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+kc_token() {
+  curl -sf -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
+    -d "client_id=admin-cli&grant_type=password&username=admin&password=${KC_PASS}" \
+    | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4
+}
 
-echo -e "${CYAN}======================================${NC}"
-echo -e "${CYAN} Lab ${LAB_ID}: ${LAB_NAME}${NC}"
-echo -e "${CYAN} Module: ${MODULE}${NC}"
-echo -e "${CYAN}======================================${NC}"
-echo ""
+header "1. Keycloak Health"
+if curl -sf "$KC_URL/health/ready" | grep -q '"status":"UP"'; then
+  pass "Keycloak /health/ready UP"
+else
+  fail "Keycloak not ready"; exit 1
+fi
+
+header "2. Admin Auth + Realm/Client/User Setup"
+TOKEN=$(kc_token)
+[[ -n "$TOKEN" ]] && pass "Admin token from master realm" || { fail "Admin auth failed"; exit 1; }
+curl -sf -X POST "$KC_URL/admin/realms" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"realm\":\"$REALM\",\"enabled\":true}" -o /dev/null && pass "Realm '$REALM' created" || warn "Realm may exist"
+TOKEN=$(kc_token)
+curl -sf -X POST "$KC_URL/admin/realms/$REALM/clients" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"clientId\":\"oauth2-proxy\",\"secret\":\"$KC_PASS\",\"publicClient\":false,
+       \"serviceAccountsEnabled\":true,\"redirectUris\":[\"http://localhost:4180/*\"],
+       \"enabled\":true}" -o /dev/null && pass "oauth2-proxy client created" || warn "Client may exist"
+TOKEN=$(kc_token)
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$KC_URL/admin/realms/$REALM/users" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"username\":\"labuser\",\"enabled\":true,\"email\":\"labuser@lab.local\",
+       \"emailVerified\":true,
+       \"credentials\":[{\"type\":\"password\",\"value\":\"$KC_PASS\",\"temporary\":false}]}")
+[[ "$STATUS" =~ ^(201|409)$ ]] && pass "User 'labuser' ready" || fail "User creation failed (HTTP $STATUS)"
 
-# ── PHASE 1: Setup ────────────────────────────────────────────────────────────
-info "Phase 1: Setup"
-docker compose -f "${COMPOSE_FILE}" up -d
-info "Waiting 30s for ${MODULE} to initialize..."
-sleep 30
+header "3. OIDC Discovery"
+DISCOVERY=$(curl -sf "$KC_URL/realms/$REALM/.well-known/openid-configuration")
+for field in token_endpoint authorization_endpoint jwks_uri; do
+  echo "$DISCOVERY" | grep -q "\"$field\"" && pass "Discovery: $field present" || fail "Discovery missing $field"
+done
 
-# ── PHASE 2: Health Checks ────────────────────────────────────────────────────
-info "Phase 2: Health Checks"
+header "4. Client Credentials Token"
+SA_TOKEN=$(curl -sf -X POST "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
+  -d "client_id=oauth2-proxy&client_secret=${KC_PASS}&grant_type=client_credentials" \
+  | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4)
+[[ -n "$SA_TOKEN" ]] && pass "Client credentials token obtained" || fail "Client credentials failed"
+IFS='.' read -ra P <<< "$SA_TOKEN"
+[[ "${#P[@]}" -eq 3 ]] && pass "JWT structure valid" || fail "Invalid JWT"
 
-if docker compose -f "${COMPOSE_FILE}" ps | grep -q "running\|Up"; then
-    pass "Container is running"
+header "5. Traefik Dashboard"
+if curl -sf http://localhost:8080/api/version | grep -q "Version"; then
+  pass "Traefik dashboard API accessible"
 else
-    fail "Container is not running"
+  fail "Traefik dashboard not accessible"
 fi
 
-# ── PHASE 3: Functional Tests ─────────────────────────────────────────────────
-info "Phase 3: Functional Tests (Lab 04 — SSO Integration)"
+header "6. Public Route (no auth required)"
+PUB=$(curl -s -o /dev/null -w "%{http_code}" "$TRAEFIK_URL/public")
+[[ "$PUB" -eq 200 ]] && pass "Public route /public → 200 OK" || fail "Public route failed (HTTP $PUB)"
 
-# TODO: Add module-specific functional tests here
-# Example:
-# if curl -sf http://localhost:80/health > /dev/null 2>&1; then
-#     pass "Health endpoint responds"
-# else
-#     fail "Health endpoint not reachable"
-# fi
+header "7. Protected Route (ForwardAuth — expect SSO redirect)"
+PROT=$(curl -s -o /dev/null -w "%{http_code}" --max-redirect 0 "$TRAEFIK_URL/protected" 2>/dev/null || true)
+if [[ "$PROT" =~ ^(302|307|401)$ ]]; then
+  pass "Protected route /protected → HTTP $PROT (ForwardAuth intercepted)"
+else
+  fail "Protected route unexpected response: HTTP $PROT"
+fi
 
-warn "Functional tests for Lab 18-04 pending implementation"
+header "8. oauth2-proxy /oauth2/callback Reachable via Traefik"
+OAUTH_STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-redirect 0 "$TRAEFIK_URL/oauth2/callback" 2>/dev/null || true)
+[[ "$OAUTH_STATUS" =~ ^(200|302|400)$ ]] && pass "/oauth2/callback route accessible (HTTP $OAUTH_STATUS)" \
+  || fail "/oauth2/callback not accessible (HTTP $OAUTH_STATUS)"
 
-# ── PHASE 4: Cleanup ──────────────────────────────────────────────────────────
-info "Phase 4: Cleanup"
-docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans
-info "Cleanup complete"
+header "9. ForwardAuth Middleware in Traefik Config"
+ROUTERS=$(curl -sf http://localhost:8080/api/http/routers 2>/dev/null || echo "[]")
+echo "$ROUTERS" | grep -q "forward-auth\|forwardauth\|oauth2" \
+  && pass "ForwardAuth middleware referenced in router config" || warn "ForwardAuth middleware not visible in API (may use labels only)"
 
-# ── Results ───────────────────────────────────────────────────────────────────
-echo ""
-echo -e "${CYAN}======================================${NC}"
-echo -e " Lab ${LAB_ID} Complete"
-echo -e " ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
-echo -e "${CYAN}======================================${NC}"
+header "10. Traefik Router Count"
+ROUTER_COUNT=$(echo "$ROUTERS" | grep -o '"routerName"' | wc -l || echo "0")
+# Count routers differently
+ROUTER_COUNT=$(curl -sf http://localhost:8080/api/http/routers 2>/dev/null | grep -o '"provider"' | wc -l || echo "0")
+[[ "$ROUTER_COUNT" -ge 2 ]] && pass "Traefik has $ROUTER_COUNT routers (public + protected expected)" || warn "Router count: $ROUTER_COUNT"
 
-if [ "${FAIL}" -gt 0 ]; then
-    exit 1
-fi
+echo
+echo "═══════════════════════════════════════"
+echo " Lab 18-04 Results: $PASS passed, $FAIL failed"
+echo "═══════════════════════════════════════"
+[[ "$FAIL" -eq 0 ]]
