Populate generated secrets with more metadata

NASA-IMPACT · Oct 31, 2024 · 1c03469 · 1c03469
1 parent 9757f8d
commit 1c03469
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 10 deletions.
diff --git a/deploy/app.ts b/deploy/app.ts
@@ -36,7 +36,7 @@ const privateOauthClients = getPrivateClientIds(join(CONFIG_DIR, "src"));
 privateOauthClients.length
   ? console.log(
       `Found client IDs in ${CONFIG_DIR}:\n${arrayStringify(
-        privateOauthClients
+        privateOauthClients.map(({ id }) => id)
       )}`
     )
   : console.warn(`No client IDs found in ${CONFIG_DIR}`);

diff --git a/deploy/lib/KeycloakConfig.ts b/deploy/lib/KeycloakConfig.ts
@@ -13,7 +13,7 @@ interface KeycloakConfigConstructProps {
   hostname: string;
   configDir: string;
   idpOauthClientSecrets: Record<string, string>;
-  privateOauthClients: string[];
+  privateOauthClients: Array<{ id: string; realm: string }>;
 }
 
 type clientSecretTuple = Array<[string, secretsManager.ISecret]>;
@@ -37,15 +37,20 @@ export class KeycloakConfig extends Construct {
 
     // Create a client secret for each private client
     const createdClientSecrets: clientSecretTuple =
-      props.privateOauthClients.map((clientSlug) => [
+      props.privateOauthClients.map(({ id: clientSlug, realm }) => [
         clientSlug,
         // WARNING: Changing the secret name or id will cause a new secret to be created
         new secretsManager.Secret(this, `${clientSlug}-client-secret`, {
           secretName: `${cdk.Stack.of(this).stackName}-client-${clientSlug}`,
           generateSecretString: {
             excludePunctuation: true,
             includeSpace: false,
-            secretStringTemplate: JSON.stringify({ id: clientSlug }),
+            secretStringTemplate: JSON.stringify({
+              id: clientSlug,
+              auth_url: `${props.hostname}/realms/${realm}/protocol/openid-connect/auth",`,
+              token_url: `${props.hostname}/realms/${realm}/protocol/openid-connect/token",`,
+              userinfo_url: `${props.hostname}/realms/${realm}/protocol/openid-connect/userinfo",`,
+            }),
             generateStringKey: "secret",
             passwordLength: 16,
           },
@@ -68,7 +73,7 @@ export class KeycloakConfig extends Construct {
     const taskClientSecrets = Object.fromEntries(
       [...createdClientSecrets, ...importedClientSecrets].flatMap(
         ([clientSlug, secret]) =>
-          ["id", "secret"].map((key) => [
+          ["client_id", "client_secret"].map((key) => [
             `${clientSlug}_CLIENT_${key}`.toUpperCase(),
             ecs.Secret.fromSecretsManager(secret, key),
           ])

diff --git a/deploy/lib/KeycloakStack.ts b/deploy/lib/KeycloakStack.ts
@@ -11,7 +11,7 @@ export interface StackInputProps {
   keycloakVersion: string;
   configDir: string;
   idpOauthClientSecrets: Record<string, string>;
-  privateOauthClients: string[];
+  privateOauthClients: Array<{ id: string; realm: string }>;
 }
 
 interface StackProps extends cdk.StackProps, StackInputProps {

diff --git a/deploy/lib/utils.ts b/deploy/lib/utils.ts
@@ -20,8 +20,10 @@ export function getOauthSecrets(): Record<string, string> {
  * @param configDir Path to the directory containing the YAML files
  * @returns
  */
-export function getPrivateClientIds(configDir: string): string[] {
-  const clientIds: string[] = [];
+export function getPrivateClientIds(
+  configDir: string
+): { realm: string; id: string }[] {
+  const clientIds: { realm: string; id: string }[] = [];
 
   // Read files in the directory
   const files = fs
@@ -35,6 +37,7 @@ export function getPrivateClientIds(configDir: string): string[] {
 
       // Parse YAML
       const data = yaml.load(fileContents) as {
+        realm: string;
         clients?: Array<{ clientId: string; secret?: string }>;
       };
 
@@ -45,7 +48,7 @@ export function getPrivateClientIds(configDir: string): string[] {
           .filter((client) => client.secret)
           .forEach((client) => {
             if (client.clientId) {
-              clientIds.push(client.clientId);
+              clientIds.push({ id: client.clientId, realm: data.realm });
             } else {
               console.warn(
                 `Missing clientId for client ${JSON.stringify(
@@ -60,7 +63,7 @@ export function getPrivateClientIds(configDir: string): string[] {
     }
   }
 
-  clientIds.forEach(validateClientId);
+  clientIds.forEach((client) => validateClientId(client.id));
 
   return clientIds;
 }