EW-965 Fixes for latest Keycloak upgrade

ansible/roles/schulcloud-server-core/templates/admin-api-server-configmap.yml.j2

@@ -17,6 +17,7 @@ data:
   FEATURE_IDENTITY_MANAGEMENT_ENABLED: "{{ FEATURE_IDENTITY_MANAGEMENT_ENABLED }}"
   FEATURE_IDENTITY_MANAGEMENT_STORE_ENABLED: "{{ FEATURE_IDENTITY_MANAGEMENT_STORE_ENABLED }}"
   FEATURE_IDENTITY_MANAGEMENT_LOGIN_ENABLED: "{{ FEATURE_IDENTITY_MANAGEMENT_LOGIN_ENABLED }}"
-  IDENTITY_MANAGEMENT__URI: "{{ IDENTITY_MANAGEMENT__URI }}"
+  IDENTITY_MANAGEMENT__INTERNAL_URI: "{{ IDENTITY_MANAGEMENT__INTERNAL_URI }}"
+  IDENTITY_MANAGEMENT__EXTERNAL_URI: "{{ IDENTITY_MANAGEMENT__EXTERNAL_URI }}"
   IDENTITY_MANAGEMENT__TENANT: "{{ IDENTITY_MANAGEMENT__TENANT }}"
   IDENTITY_MANAGEMENT__CLIENTID: "{{ IDENTITY_MANAGEMENT__CLIENTID }}"

apps/server/src/infra/identity-management/identity-management.module.ts

@@ -1,5 +1,6 @@
 import { HttpModule } from '@nestjs/axios';
 import { Module } from '@nestjs/common';
+import { LoggerModule } from '@src/core/logger';
 import { EncryptionModule } from '../encryption';
 import { IdentityManagementOauthService } from './identity-management-oauth.service';
 import { IdentityManagementService } from './identity-management.service';
@@ -9,7 +10,7 @@ import { KeycloakIdentityManagementOauthService } from './keycloak/service/keycl
 import { KeycloakIdentityManagementService } from './keycloak/service/keycloak-identity-management.service';
 
 @Module({
-	imports: [KeycloakModule, KeycloakAdministrationModule, HttpModule, EncryptionModule],
+	imports: [KeycloakModule, KeycloakAdministrationModule, HttpModule, EncryptionModule, LoggerModule],
 	providers: [
 		{ provide: IdentityManagementService, useClass: KeycloakIdentityManagementService },
 		{ provide: IdentityManagementOauthService, useClass: KeycloakIdentityManagementOauthService },

apps/server/src/infra/identity-management/keycloak-administration/interface/keycloak-settings.interface.ts

@@ -1,7 +1,8 @@
 export const KeycloakSettings = Symbol('KeycloakSettings');
 
 export interface IKeycloakSettings {
-	baseUrl: string;
+	internalBaseUrl: string;
+	externalBaseUrl: string;
 	realmName: string;
 	clientId: string;
 	credentials: {

apps/server/src/infra/identity-management/keycloak-administration/keycloak-config.ts

@@ -4,7 +4,8 @@ import { IKeycloakSettings } from './interface/keycloak-settings.interface';
 export default class KeycloakAdministration {
 	static keycloakSettings = (Configuration.get('FEATURE_IDENTITY_MANAGEMENT_ENABLED') as boolean)
 		? ({
-				baseUrl: Configuration.get('IDENTITY_MANAGEMENT__URI') as string,
+				internalBaseUrl: Configuration.get('IDENTITY_MANAGEMENT__INTERNAL_URI') as string,
+				externalBaseUrl: Configuration.get('IDENTITY_MANAGEMENT__EXTERNAL_URI') as string,
 				realmName: Configuration.get('IDENTITY_MANAGEMENT__TENANT') as string,
 				clientId: Configuration.get('IDENTITY_MANAGEMENT__CLIENTID') as string,
 				credentials: {

apps/server/src/infra/identity-management/keycloak-administration/service/keycloak-administration.service.spec.ts

@@ -15,7 +15,8 @@ describe('KeycloakAdministrationService', () => {
 
 	const getSettings = (): IKeycloakSettings => {
 		return {
-			baseUrl: 'http://localhost:8080',
+			internalBaseUrl: 'http://localhost:8080',
+			externalBaseUrl: 'http://localhost:8080',
 			realmName: 'master',
 			clientId: 'client',
 			credentials: {
@@ -110,7 +111,7 @@ describe('KeycloakAdministrationService', () => {
 	describe('getWellKnownUrl', () => {
 		it('should return the well known URL', () => {
 			const wellKnownUrl = service.getWellKnownUrl();
-			expect(wellKnownUrl).toContain(settings.baseUrl);
+			expect(wellKnownUrl).toContain(settings.internalBaseUrl);
 			expect(wellKnownUrl).toContain(settings.realmName);
 		});
 	});

apps/server/src/infra/identity-management/keycloak-administration/service/keycloak-administration.service.ts

@@ -13,7 +13,7 @@ export class KeycloakAdministrationService {
 		@Inject(KeycloakSettings) private readonly kcSettings: IKeycloakSettings
 	) {
 		this.kcAdminClient.setConfig({
-			baseUrl: kcSettings.baseUrl,
+			baseUrl: kcSettings.internalBaseUrl,
 			realmName: kcSettings.realmName,
 		});
 	}
@@ -33,7 +33,7 @@ export class KeycloakAdministrationService {
 	}
 
 	public getWellKnownUrl(): string {
-		return `${this.kcSettings.baseUrl}/realms/${this.kcSettings.realmName}/.well-known/openid-configuration`;
+		return `${this.kcSettings.externalBaseUrl}/realms/${this.kcSettings.realmName}/.well-known/openid-configuration`;
 	}
 
 	public getAdminUser(): string {

apps/server/src/infra/identity-management/keycloak-configuration/service/keycloak-configuration.service.spec.ts

@@ -50,7 +50,8 @@ describe('KeycloakConfigurationService Unit', () => {
 
 	const getSettings = (): IKeycloakSettings => {
 		return {
-			baseUrl: 'http://localhost:8080',
+			internalBaseUrl: 'http://localhost:8080',
+			externalBaseUrl: 'http://localhost:8080',
 			realmName: 'master',
 			clientId: 'dBildungscloud',
 			credentials: {

apps/server/src/infra/identity-management/keycloak/errors/idm-login-error.loggable.spec.ts

@@ -0,0 +1,16 @@
+import { IDMLoginError } from './idm-login-error.loggable';
+
+describe('IDMLoginError', () => {
+	describe('getLogMessage', () => {
+		it('should return log message', () => {
+			const err = new Error();
+			const loggable = new IDMLoginError(err);
+
+			expect(loggable.getLogMessage()).toStrictEqual({
+				message: 'Error while trying to login via IDM',
+				stack: err.stack,
+				type: 'IDM_LOGIN_ERROR',
+			});
+		});
+	});
+});

apps/server/src/infra/identity-management/keycloak/errors/idm-login-error.loggable.ts

@@ -0,0 +1,13 @@
+import { ErrorLogMessage, Loggable, LogMessage, ValidationErrorLogMessage } from '@src/core/logger';
+
+export class IDMLoginError implements Loggable {
+	constructor(private readonly error: Error) {}
+
+	public getLogMessage(): LogMessage | ErrorLogMessage | ValidationErrorLogMessage {
+		return {
+			message: 'Error while trying to login via IDM',
+			stack: this.error.stack,
+			type: 'IDM_LOGIN_ERROR',
+		};
+	}
+}

apps/server/src/infra/identity-management/keycloak/service/keycloak-identity-management-oauth.service.spec.ts

@@ -2,10 +2,10 @@ import { createMock, DeepMocked } from '@golevelup/ts-jest';
 import { DefaultEncryptionService, EncryptionService, SymetricKeyEncryptionService } from '@infra/encryption';
 import KeycloakAdminClient from '@keycloak/keycloak-admin-client';
 import { HttpService } from '@nestjs/axios';
-import { ConfigService } from '@nestjs/config';
 import { Test, TestingModule } from '@nestjs/testing';
 import { AxiosResponse } from 'axios';
 import { of } from 'rxjs';
+import { Logger } from '@src/core/logger';
 import { KeycloakAdministrationService } from '../../keycloak-administration/service/keycloak-administration.service';
 import { KeycloakIdentityManagementOauthService } from './keycloak-identity-management-oauth.service';
 
@@ -32,8 +32,8 @@ describe('KeycloakIdentityManagementService', () => {
 					useValue: createMock<HttpService>(),
 				},
 				{
-					provide: ConfigService,
-					useValue: createMock<ConfigService>(),
+					provide: Logger,
+					useValue: createMock<Logger>(),
 				},
 				{
 					provide: DefaultEncryptionService,

apps/server/src/infra/identity-management/keycloak/service/keycloak-identity-management-oauth.service.ts

@@ -2,10 +2,12 @@ import { DefaultEncryptionService, EncryptionService } from '@infra/encryption';
 import { OauthConfig } from '@modules/system/domain';
 import { HttpService } from '@nestjs/axios';
 import { Inject, Injectable } from '@nestjs/common';
+import { Logger } from '@src/core/logger';
 import qs from 'qs';
 import { lastValueFrom } from 'rxjs';
 import { IdentityManagementOauthService } from '../../identity-management-oauth.service';
 import { KeycloakAdministrationService } from '../../keycloak-administration/service/keycloak-administration.service';
+import { IDMLoginError } from '../errors/idm-login-error.loggable';
 
 @Injectable()
 export class KeycloakIdentityManagementOauthService extends IdentityManagementOauthService {
@@ -14,7 +16,8 @@ export class KeycloakIdentityManagementOauthService extends IdentityManagementOa
 	constructor(
 		private readonly kcAdminService: KeycloakAdministrationService,
 		private readonly httpService: HttpService,
-		@Inject(DefaultEncryptionService) private readonly oAuthEncryptionService: EncryptionService
+		@Inject(DefaultEncryptionService) private readonly oAuthEncryptionService: EncryptionService,
+		private readonly logger: Logger
 	) {
 		super();
 	}
@@ -54,15 +57,15 @@ export class KeycloakIdentityManagementOauthService extends IdentityManagementOa
 	}
 
 	async resourceOwnerPasswordGrant(username: string, password: string): Promise<string | undefined> {
-		const { clientId, clientSecret, tokenEndpoint } = await this.getOauthConfig();
-		const data = {
-			username,
-			password,
-			grant_type: 'password',
-			client_id: clientId,
-			client_secret: this.oAuthEncryptionService.decrypt(clientSecret),
-		};
 		try {
+			const { clientId, clientSecret, tokenEndpoint } = await this.getOauthConfig();
+			const data = {
+				username,
+				password,
+				grant_type: 'password',
+				client_id: clientId,
+				client_secret: this.oAuthEncryptionService.decrypt(clientSecret),
+			};
 			const response = await lastValueFrom(
 				this.httpService.request<{ access_token: string }>({
 					method: 'post',
@@ -75,6 +78,8 @@ export class KeycloakIdentityManagementOauthService extends IdentityManagementOa
 			);
 			return response.data.access_token;
 		} catch (err) {
+			this.logger.warning(new IDMLoginError(err as Error));
+
 			return undefined;
 		}
 	}

apps/server/src/modules/account/domain/services/account-idm.service.ts

@@ -193,8 +193,8 @@ export class AccountServiceIdm extends AbstractAccountService {
 	}
 
 	public async isUniqueEmail(email: string): Promise<boolean> {
-		const [, count] = await this.identityManager.findAccountsByUsername(email);
-		const isUniqueEmail = count === 0;
+		const [accounts] = await this.identityManager.findAccountsByUsername(email, { exact: true });
+		const isUniqueEmail = accounts.length === 0;
 
 		return isUniqueEmail;
 	}

config/default.schema.json

@@ -434,12 +434,25 @@
 		"IDENTITY_MANAGEMENT": {
 			"type": "object",
 			"description": "Identity management server properties.",
-			"required": ["URI", "TENANT", "CLIENTID", "ADMIN_CLIENTID", "ADMIN_USER", "ADMIN_PASSWORD"],
+			"required": [
+				"INTERNAL_URI",
+				"EXTERNAL_URI",
+				"TENANT",
+				"CLIENTID",
+				"ADMIN_CLIENTID",
+				"ADMIN_USER",
+				"ADMIN_PASSWORD"
+			],
 			"properties": {
-				"URI": {
+				"INTERNAL_URI": {
+					"type": "string",
+					"default": null,
+					"description": "The ErWIn IDM base URI for Kubernetes cluster internal use."
+				},
+				"EXTERNAL_URI": {
 					"type": "string",
 					"default": null,
-					"description": "The ErWIn IDM base URI."
+					"description": "The ErWIn IDM base URI for Kubernetes cluster external use."
 				},
 				"TENANT": {
 					"type": "string",

config/development.json

@@ -40,7 +40,8 @@
 	},
 	"FEATURE_IDENTITY_MANAGEMENT_ENABLED": true,
 	"IDENTITY_MANAGEMENT": {
-		"URI": "http://localhost:8080",
+		"INTERNAL_URI": "http://localhost:8080",
+		"EXTERNAL_URI": "http://localhost:8080",
 		"TENANT": "dBildungscloud",
 		"CLIENTID": "dbc",
 		"ADMIN_CLIENTID": "admin-cli",

config/test.json

@@ -33,7 +33,8 @@
 	},
 	"FEATURE_IDENTITY_MANAGEMENT_ENABLED": true,
 	"IDENTITY_MANAGEMENT": {
-		"URI": "http://localhost:8080",
+		"INTERNAL_URI": "http://localhost:8080",
+		"EXTERNAL_URI": "http://localhost:8080",
 		"TENANT": "master",
 		"CLIENTID": "dbc",
 		"ADMIN_CLIENTID": "admin-cli",