Allow using keycloak tokens

Author: nonameentername

Diff for: .env.example

@@ -14,8 +14,13 @@ GITHUB_API_URL=https://api.github.com
 GITHUB_CLIENT_ID=redacted
 GITHUB_CLIENT_SECRET=redacted
 GITHUB_OAUTH_TOKEN=redacted
+KEYCLOAK_API_URL=http://localhost:8080/auth
+KEYCLOAK_CLIENT_ID=redacted
+KEYCLOAK_CLIENT_SECRET=redacted
+KEYCLOAK_REALM=redacted
 HASH_SECRET=redacted
 COTURN_USERNAME=redacted
 COTURN_PASSWORD=redacted
 ACTIVE_PUB_SUB_GATEWAY=pusher
 ACTIVE_ICE_SERVER_PROVIDER=twilio
+ACTIVE_IDENTITY_PROVIDER=github

Diff for: .env.local.example

@@ -14,8 +14,13 @@ GITHUB_API_URL=https://api.github.com
 GITHUB_CLIENT_ID=redacted
 GITHUB_CLIENT_SECRET=redacted
 GITHUB_OAUTH_TOKEN=redacted
+KEYCLOAK_API_URL=http://localhost:8080/auth
+KEYCLOAK_CLIENT_ID=teletype
+KEYCLOAK_CLIENT_SECRET=redacted
+KEYCLOAK_REALM=teletype
 HASH_SECRET=redacted
 COTURN_USERNAME=teletype
 COTURN_PASSWORD=password
 ACTIVE_PUB_SUB_GATEWAY=socketcluster
 ACTIVE_ICE_SERVER_PROVIDER=coturn
+ACTIVE_IDENTITY_PROVIDER=keycloak

Diff for: .gitignore

@@ -3,3 +3,4 @@ node_modules
 newrelic_agent.log
 database
 test-database
+keycloak-database

Diff for: app.json

@@ -44,14 +44,30 @@
     "COTURN_USERNAME": {
       "required": true
     },
+
     "COTURN_PASSWORD": {
       "required": true
     },
+    "KEYCLOAK_API_URL": {
+      "required": true
+    },
+    "KEYCLOAK_CLIENT_ID": {
+      "required": true
+    },
+    "KEYCLOAK_CLIENT_SECRET": {
+      "required": true
+    },
+    "KEYCLOAK_REALM": {
+      "required": true
+    },
     "ACTIVE_PUB_SUB_GATEWAY": {
       "required": true
     },
     "ACTIVE_ICE_SERVER_PROVIDER": {
       "required": true
+    },
+    "ACTIVE_IDENTITY_PROVIDER": {
+      "required": true
     }
   },
   "formation": {},

Diff for: docker-compose.yml

@@ -55,5 +55,37 @@ services:
         aliases:
           - socketcluster
 
+  keycloak:
+    image: jboss/keycloak
+    ports:
+     - 8080:8080
+    restart: always
+    environment:
+      DB_VENDOR: postgres
+      DB_ADDR: keycloak-database
+      KEYCLOAK_USER: teletype
+      KEYCLOAK_PASSWORD: password
+    networks:
+      teletype:
+        aliases:
+          - keycloak
+
+  keycloak-database:
+    image: postgres
+    ports:
+     - 5434:5432
+    volumes:
+     - ./keycloak-database:/var/lib/postgresql/data
+    restart: always
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: password
+      POSTGRES_DB: keycloak
+    networks:
+      teletype:
+        aliases:
+          - keycloak-database
+
+
 networks:
   teletype:

Diff for: index.js

@@ -23,13 +23,18 @@ async function startServer (id) {
     githubClientId: process.env.GITHUB_CLIENT_ID,
     githubClientSecret: process.env.GITHUB_CLIENT_SECRET,
     githubOauthToken: process.env.GITHUB_OAUTH_TOKEN,
+    keycloakApiUrl: process.env.KEYCLOAK_API_URL,
+    keycloakClientId: process.env.KEYCLOAK_CLIENT_ID,
+    keycloakClientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
+    keycloakRealm: process.env.KEYCLOAK_REALM,
     boomtownSecret: process.env.BOOMTOWN_SECRET,
     hashSecret: process.env.HASH_SECRET,
     port: process.env.PORT || 3000,
     coturnUsername: process.env.COTURN_USERNAME,
     coturnPassword: process.env.COTURN_PASSWORD,
     activePubSubGateway: process.env.ACTIVE_PUB_SUB_GATEWAY,
-    activeIceServerProvider: process.env.ACTIVE_ICE_SERVER_PROVIDER
+    activeIceServerProvider: process.env.ACTIVE_ICE_SERVER_PROVIDER,
+    activeIdentityProvider: process.env.ACTIVE_IDENTITY_PROVIDER
   })
   await server.start()
   console.log(`Worker ${id} (pid: ${process.pid}): listening on port ${server.port}`)

Diff for: lib/identity-provider.js renamed to lib/github-identity-provider.js

@@ -1,7 +1,7 @@
 const {StatusCodeError} = require('request-promise-core/lib/errors')
 
 module.exports =
-class IdentityProvider {
+class GithubIdentityProvider {
   constructor ({request, apiUrl, clientId, clientSecret, oauthToken}) {
     this.request = request
     this.apiUrl = apiUrl

Diff for: lib/keycloak-identity-provider.js

@@ -0,0 +1,80 @@
+const {StatusCodeError} = require('request-promise-core/lib/errors')
+
+module.exports =
+class KeycloakIdentityProvider {
+  constructor ({request, apiUrl, clientId, clientSecret, realm}) {
+    this.request = request
+    this.apiUrl = apiUrl
+    this.clientId = clientId
+    this.clientSecret = clientSecret
+    this.realm = realm
+  }
+
+  make_base_auth(clientId, clientSecret) {
+    var token = clientId + ':' + clientSecret
+    var hash = Buffer.from(token).toString('base64')
+    return "Basic " + hash
+  }
+
+  async identityForToken (oauthToken) {
+    try {
+      var options = {
+        method: 'POST',
+        uri: `${this.apiUrl}/realms/${this.realm}/protocol/openid-connect/token/introspect`,
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'User-Agent': 'api.teletype.atom.io',
+          'Authorization': this.make_base_auth(this.clientId, this.clientSecret)
+        },
+        body: `token=${oauthToken}`
+      }
+      const response = await this.request(options)
+      const user = JSON.parse(response)
+
+      if (!user.active) {
+        const error = new Error('Token not provided.')
+        error.statusCode = 400
+        throw error
+      }
+      return {id: user.sub, login: user.username}
+    } catch (e) {
+      let errorMessage, statusCode
+      if (e instanceof StatusCodeError) {
+        const error = JSON.parse(e.error)
+        const description = (error.message != null) ? error.message : e.error
+        errorMessage = `${this.apiUrl} responded with ${e.statusCode}: ${description}`
+        statusCode = e.statusCode
+      } else if (e instanceof Error) {
+        errorMessage = `Failed to query ${this.apiUrl}: ${e.message}`
+        statusCode = 400
+      } else {
+        errorMessage = `Failed to query ${this.apiUrl}: ${e.message}`
+        statusCode = 500
+      }
+
+      const error = new Error(errorMessage)
+      error.statusCode = statusCode
+      throw error
+    }
+  }
+
+  async isOperational () {
+    try {
+      var options = {
+        method: 'POST',
+        uri: `${this.apiUrl}/realms/${this.realm}/protocol/openid-connect/token/introspect`,
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'User-Agent': 'api.teletype.atom.io',
+          'Authorization': this.make_base_auth(this.clientId, this.clientSecret)
+        },
+        body: `token=`
+      }
+
+      await this.request(options)
+      return true
+    } catch (e) {
+      return false
+    }
+  }
+}

Diff for: lib/server.js

@@ -1,7 +1,8 @@
 const buildControllerLayer = require('./controller-layer')
 const pgp = require('pg-promise')()
 const request = require('request-promise-native')
-const IdentityProvider = require('./identity-provider')
+const GithubIdentityProvider = require('./github-identity-provider')
+const KeycloakIdentityProvider = require('./keycloak-identity-provider')
 const ModelLayer = require('./model-layer')
 const PusherPubSubGateway = require('./pusher-pub-sub-gateway')
 const SocketClusterPubSubGateway = require('./socketcluster-pub-sub-gateway')
@@ -22,59 +23,81 @@ class Server {
     this.githubClientId = options.githubClientId
     this.githubClientSecret = options.githubClientSecret
     this.githubOauthToken = options.githubOauthToken
+    this.keycloakApiUrl = options.keycloakApiUrl
+    this.keycloakClientId = options.keycloakClientId
+    this.keycloakClientSecret = options.keycloakClientSecret
+    this.keycloakRealm = options.keycloakRealm
     this.boomtownSecret = options.boomtownSecret
     this.hashSecret = options.hashSecret
     this.port = options.port,
     this.coturnUsername = options.coturnUsername,
     this.coturnPassword = options.coturnPassword,
     this.activePubSubGateway = options.activePubSubGateway,
     this.activeIceServerProvider = options.activeIceServerProvider
+    this.activeIdentityProvider = options.activeIdentityProvider
   }
 
   async start () {
     const modelLayer = new ModelLayer({db: pgp(this.databaseURL), hashSecret: this.hashSecret})
-    const identityProvider = new IdentityProvider({
-      request,
-      apiUrl: this.githubApiUrl,
-      clientId: this.githubClientId,
-      clientSecret: this.githubClientSecret,
-      oauthToken: this.githubOauthToken
-    })
+
+    var identityProvider
+
+    switch(this.activeIdentityProvider) {
+      case 'keycloak':
+        identityProvider = new KeycloakIdentityProvider({
+          request,
+          apiUrl: this.keycloakApiUrl,
+          clientId: this.keycloakClientId,
+          clientSecret: this.keycloakClientSecret,
+          realm: this.keycloakRealm
+        })
+        break;
+      case 'github':
+      default:
+        identityProvider = new GithubIdentityProvider({
+          request,
+          apiUrl: this.githubApiUrl,
+          clientId: this.githubClientId,
+          clientSecret: this.githubClientSecret,
+          oauthToken: this.githubOauthToken
+        })
+        break;
+    }
 
     var pubSubGateway
 
     switch(this.activePubSubGateway) {
-        case 'socketcluster':
-            pubSubGateway = new SocketClusterPubSubGateway({})
-            break;
+      case 'socketcluster':
+        pubSubGateway = new SocketClusterPubSubGateway({})
+        break;
 
-        case 'pusher':
-        default:
-            pubSubGateway = new PusherPubSubGateway({
-              appId: this.pusherAppId,
-              key: this.pusherKey,
-              secret: this.pusherSecret,
-              cluster: this.pusherCluster
-            })
-            break;
+      case 'pusher':
+      default:
+        pubSubGateway = new PusherPubSubGateway({
+          appId: this.pusherAppId,
+          key: this.pusherKey,
+          secret: this.pusherSecret,
+          cluster: this.pusherCluster
+        })
+        break;
     }
 
     var iceServerProvider
     switch(this.activeIceServerProvider) {
-        case 'coturn':
-            iceServerProvider = new CoturnIceServerProvider({
-                coturnUsername: this.coturnUsername,
-                coturnPassword: this.coturnPassword
-            })
-            break;
+      case 'coturn':
+        iceServerProvider = new CoturnIceServerProvider({
+          coturnUsername: this.coturnUsername,
+          coturnPassword: this.coturnPassword
+        })
+        break;
 
-        case 'twilio':
-        default:
-            iceServerProvider = new TwilioIceServerProvider({
-                twilioAccount: this.twilioAccount,
-                twilioAuthToken: this.twilioAuthToken
-            })
-            break;
+      case 'twilio':
+      default:
+        iceServerProvider = new TwilioIceServerProvider({
+          twilioAccount: this.twilioAccount,
+          twilioAuthToken: this.twilioAuthToken
+        })
+        break;
     }
 
     const controllerLayer = buildControllerLayer({

Diff for: test/identity-provider.test.js renamed to test/github-identity-provider.test.js

@@ -1,8 +1,8 @@
 const assert = require('assert')
 const {RequestError, StatusCodeError} = require('request-promise-core/lib/errors')
-const IdentityProvider = require('../lib/identity-provider')
+const GithubIdentityProvider = require('../lib/github-identity-provider')
 
-suite('IdentityProvider', () => {
+suite('GithubIdentityProvider', () => {
   test('returns user associated with OAuth token', async () => {
     const request = {
       get: async function (url, {headers}) {
@@ -19,7 +19,7 @@ suite('IdentityProvider', () => {
       }
     }
 
-    const provider = new IdentityProvider({request})
+    const provider = new GithubIdentityProvider({request})
 
     const user1 = await provider.identityForToken('user-1-token')
     assert.deepEqual(user1, {id: '1', login: 'user-1'})
@@ -36,7 +36,7 @@ suite('IdentityProvider', () => {
       }
     }
 
-    const provider = new IdentityProvider({request})
+    const provider = new GithubIdentityProvider({request})
 
     let error = null
     try {
@@ -56,7 +56,7 @@ suite('IdentityProvider', () => {
       }
     }
 
-    const provider = new IdentityProvider({request})
+    const provider = new GithubIdentityProvider({request})
 
     let error = null
     try {
@@ -75,7 +75,7 @@ suite('IdentityProvider', () => {
       }
     }
 
-    const provider = new IdentityProvider({request})
+    const provider = new GithubIdentityProvider({request})
 
     let error = null
     try {