diff --git a/applications/accounts/scripts/create_api_user.sh b/applications/accounts/scripts/create_api_user.sh
index caf92fff..43bcac20 100755
--- a/applications/accounts/scripts/create_api_user.sh
+++ b/applications/accounts/scripts/create_api_user.sh
@@ -1,25 +1,78 @@ #!/bin/bash -NAMESPACE=${CH_ACCOUNTS_REALM} -USERNAME=admin_api -PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password) +export API_USERNAME="admin_api" +export API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "") +export TMP_CLIENT="tmp_api_client" +export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}" -echo "Checking if API user exists..." +sleep 120 -# Check if user already exists -if /opt/keycloak/bin/kcadm.sh get users -q "username=$USERNAME" | grep -q "$USERNAME"; then - echo "ERROR: API user $USERNAME already exists, but password is out of sync. You may need to reset it manually." - # /opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD" - # Removed automatic password reset as that would only work if the main admin password is unchanged from the default password - # That would create the false impression that the password is reset successfully when in fact it has not on production systems +echo "create_api_user: waiting for Keycloak to start..." + +create_temporary_client() { + /opt/keycloak/bin/kc.sh bootstrap-admin service --client-id=${TMP_CLIENT} --client-secret:env=TMP_CLIENT_SECRET --http-management-port 9876 +} + +delete_temporary_client() { + CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get clients -r master -q clientId=${TMP_CLIENT} --fields id --format csv|tr -d '"') + if [ -n "$CLIENT_ID" ]; then + /opt/keycloak/bin/kcadm.sh delete clients/$CLIENT_ID -r master + fi +} + +create_kc_config() { + /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --client ${TMP_CLIENT} --secret ${TMP_CLIENT_SECRET} +} + +api_user_exists() { + return $(/opt/keycloak/bin/kcadm.sh get users -q "username=$API_USERNAME" | grep -q "$API_USERNAME"; echo $?) 
+} + +create_api_user() { + /opt/keycloak/bin/kcadm.sh create users -s "username=${API_USERNAME}" -s enabled=True +} + +set_password_and_roles() { + /opt/keycloak/bin/kcadm.sh set-password --username "$API_USERNAME" --new-password "$API_PASSWORD" + /opt/keycloak/bin/kcadm.sh add-roles --uusername "$API_USERNAME" --rolename admin +} + +# Wait for Keycloak to be ready - just give it some time to start up + + +echo "Attempting authentication..." + +# First, try to authenticate as admin_api +if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \ + --server http://localhost:8080 \ + --realm master \ + --user "$API_USERNAME" \ + --password "$API_PASSWORD" 2>/dev/null; then + echo "Successfully authenticated as $API_USERNAME" + echo "Startup scripts not needed (admin_api user already exists)" exit 0 fi -echo "Creating API user $USERNAME" -set -e -# create the user and reload keycloak -/opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True -/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD" -/opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin +echo "admin_api user does not exist or authentication failed. Authenticating to create the user..." + +set -e +create_temporary_client +create_kc_config +echo "Temporary credentials successfully created." + +echo "Checking if API user exists..." +# Check if user already exists +if ! api_user_exists; then + echo "API user $API_USERNAME doesn't exists, creating..." + create_api_user + echo "API user created successfully" +else + echo "API user $API_USERNAME already exists." +fi +set +e + +echo "Setting password and role." +set_password_and_roles -echo "API user created successfully" \ No newline at end of file +echo "Cleaning up temporary client." +delete_temporary_client diff --git a/applications/accounts/scripts/kc-entrypoint.sh b/applications/accounts/scripts/kc-entrypoint.sh index 2657b53c..042a59db 100644 
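Review bot: `export TMP_CLIENT_SECRET="${KC_BOOTSTRAP_ADMIN_USERNAME}"` makes the secret of the temporary bootstrap service client the bootstrap admin's username, a low-entropy and usually guessable value, and because `delete_temporary_client` only runs as the last statement under `set -e`, a failure in `create_kc_config` or in the user-creation step leaves that admin-capable client behind in the master realm. Generate the secret from a random source and register the cleanup before the client exists, e.g. `export TMP_CLIENT_SECRET="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"` (or whatever random source the image provides) and `trap delete_temporary_client EXIT` immediately before `create_temporary_client`. Separately, `set +e` is issued before `set_password_and_roles`, so a failed `set-password` or `add-roles` is silently ignored and the script's status becomes that of the final cleanup; `set_password_and_roles || { echo "ERROR: failed to set password or roles" >&2; exit 1; }` would surface it, and with the trap in place the client is still removed. The `grep -q "$API_USERNAME"` in `api_user_exists` is a substring match over the JSON output, so any username containing `admin_api` counts as existing; adding `-q exact=true` to the `get users` query or matching `--fields username --format csv` exactly avoids that.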
--- a/applications/accounts/scripts/kc-entrypoint.sh
+++ b/applications/accounts/scripts/kc-entrypoint.sh
@@ -2,51 +2,16 @@
 /opt/keycloak/bin/kc.sh $@ & -API_USERNAME="admin_api" -API_PASSWORD=$(cat /opt/cloudharness/resources/auth/api_user_password 2>/dev/null || echo "") -echo "Waiting for Keycloak to start..." - -# Wait for Keycloak to be ready - just give it some time to start up -sleep 120s - -echo "Attempting authentication..." - -# First, try to authenticate as admin_api -if [ -n "$API_PASSWORD" ] && /opt/keycloak/bin/kcadm.sh config credentials \ - --server http://localhost:8080 \ - --realm master \ - --user "$API_USERNAME" \ - --password "$API_PASSWORD" 2>/dev/null; then - echo "Successfully authenticated as $API_USERNAME" - echo "Startup scripts not needed (admin_api user already exists)" -else - echo "admin_api user does not exist or authentication failed. Authenticating as bootstrap admin to create the user..." - - # Authenticate as bootstrap admin to create admin_api user - if ! /opt/keycloak/bin/kcadm.sh config credentials \ - --server http://localhost:8080 \ - --realm master \ - --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \ - --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"; then - echo "ERROR: Failed to authenticate as bootstrap admin. Check KC_BOOTSTRAP_ADMIN credentials." - echo "Continuing without running startup scripts..." - wait - exit 0 - fi - - echo "Successfully authenticated as bootstrap admin" - - # Run startup scripts to create admin_api user - for script in /opt/keycloak/startup-scripts/*.sh; +# Run startup scripts to create admin_api user +for script in /opt/keycloak/startup-scripts/*.sh; do echo "Running startup script: $script" if bash "$script"; then echo "Successfully executed $script" else echo "Warning: $script failed with exit code $?" - fi - done -fi + fi +done wait \ No newline at end of file
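Review bot: The moved `for script in /opt/keycloak/startup-scripts/*.sh;` loop now runs unconditionally, but when the directory holds no `.sh` files the glob expands to itself and `bash "$script"` runs on the literal pattern, ending with a misleading `Warning: ... failed` line; add `[ -e "$script" ] || continue` as the first statement of the body, or `shopt -s nullglob` before the loop. With the bootstrap-admin authentication removed from the entrypoint, each startup script is now responsible for obtaining its own credentials and a failing script only yields a warning before `wait`, so a missing admin_api user surfaces only in later consumers of that account; sending the warning to stderr (`>&2`) would make the failure easier to spot in container logs. Style: the trailing `;` on the `for` line with `do` on the next line is unusual, `for script in /opt/keycloak/startup-scripts/*.sh; do` on one line is the conventional form. The hunk's first context line, `kc.sh $@ &`, is pre-existing but unquoted, so any argument containing whitespace is split before reaching Keycloak; `"$@"` is the safe form.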