diff --git a/scripts/dev-oidc.sh b/scripts/dev-oidc.sh
new file mode 100755
index 0000000000..017c7f07c6
--- /dev/null
+++ b/scripts/dev-oidc.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+# shellcheck source=scripts/lib.sh
+source "${SCRIPT_DIR}/lib.sh"
+
+# Allow toggling verbose output
+[[ -n ${VERBOSE:-} ]] && set -x
+set -euo pipefail
+
+KEYCLOAK_VERSION="${KEYCLOAK_VERSION:-22.0}"
+
+cat </tmp/example-realm.json
+{
+ "realm": "coder",
+ "enabled": true,
+ "sslRequired": "none",
+ "registrationAllowed": true,
+ "privateKey": "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",
+ "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
+ "requiredCredentials": ["password"],
+ "users": [
+ {
+ "username": "oidcuser",
+ "email": "oidcuser@coder.com",
+ "emailVerified": true,
+ "enabled": true,
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "clientRoles": {
+ "realm-management": ["realm-admin"],
+ "account": ["manage-account"]
+ }
+ }
+ ],
+ "clients": [
+ {
+ "clientId": "coder",
+ "directAccessGrantsEnabled": true,
+ "enabled": true,
+ "fullScopeAllowed": true,
+ "baseUrl": "/coder",
+ "redirectUris": ["*"],
+ "secret": "coder"
+ }
+ ]
+}
+EOF
+
+echo '== Starting Keycloak'
+docker rm -f keycloak || true
+# Start Keycloak
+docker run --rm -d \
+ --name keycloak \
+ -p 9080:8080 \
+ -e KEYCLOAK_ADMIN=admin \
+ -e KEYCLOAK_ADMIN_PASSWORD=password \
+ -v /tmp/example-realm.json:/opt/keycloak/data/import/example-realm.json \
+ "quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}" \
+ start-dev \
+ --import-realm
+
+echo '== Waiting for keycloak to become ready'
+# Start the timeout in the background so interrupting this script
+# doesn't hang for 60s.
+timeout 60s bash -c 'until curl -s --fail http://localhost:9080/realms/coder/.well-known/openid-configuration > /dev/null 2>&1; do sleep 0.5; done' ||
+ fatal 'Keycloak did not become ready in time' &
+wait $!
+
+echo '== Starting Coder'
+hostname=$(hostname -f)
+export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder"
+export CODER_OIDC_CLIENT_ID=coder
+export CODER_OIDC_CLIENT_SECRET=coder
+export CODER_DEV_ACCESS_URL="http://${hostname}:8080"
+
+exec "${SCRIPT_DIR}/develop.sh" "$@"
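Review bot: The realm definition is written to the fixed, predictable path `/tmp/example-realm.json` (the `cat` line, whose heredoc redirection appears mangled on this page) and that same path is then bind-mounted into the container, so on a shared host another local user who pre-creates that name or a symlink there can make the script clobber a file of their choosing or feed Keycloak a realm they control; `realm_file=$(mktemp)` followed by `cat <<EOF >"$realm_file"` and `-v "${realm_file}:/opt/keycloak/data/import/example-realm.json" \` removes that, with a `trap 'rm -f -- "$realm_file"' EXIT` for cleanup (mktemp creates the file mode 0600, so a `chmod 0644 -- "$realm_file"` is presumably needed if the container's Keycloak process does not run as the host user's uid). Separately, `set -euo pipefail` comes after `source "${SCRIPT_DIR}/lib.sh"`, so a missing or broken lib.sh does not abort the script and `fatal` is then undefined when the readiness wait fails; moving the `set` line above the `source` closes that gap. Finally, `-p 9080:8080` publishes the admin console with its fixed `admin`/`password` credentials on every interface for as long as the container runs; if `hostname -f` resolves to loopback in the intended dev setup, `-p 127.0.0.1:9080:8080` limits that exposure, otherwise a comment stating that the port is deliberately network-reachable would help the next reader.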