WIP: Add the dwh/grafana host name to keycloak redirect URIs

didib · didib · commit 31adca82b988 · 2022-10-20T16:01:25.000+03:00
Without this, SSO login to grafana fails with this error, in keycloak.log: 2022-10-19 07:24:26,782Z WARN [org.keycloak.events] (default task-10) [] type=LOGIN_ERROR, realmId=256b7e9d-aff3-4a96-9979-85d2c07326bb, clientId=ovirt-engine-internal, userId=null, ipAddress=0:0:0:0:0:0:0:1, error=invalid_redirect_uri, redirect_uri=https://ost-separate-machine-basic-suite-master-dwh.lago.local/ovirt-engine-grafana/login/generic_oauth TODO: This should probably be done in dwh setup code or at least documented - it's not an issue specific to OST. Main obstacle, technically, is that we do not have the keycloak admin password, so ould have to ask the user, which is (at least) annoying. Change-Id: Icbdf559442da8f04c1669f574c0e401c0be4e25b Signed-off-by: Yedidyah Bar David <didi@redhat.com>
diff --git a/separate-machine-basic-suite-master/test-scenarios/test_001_initialize_engine_and_dwh.py b/separate-machine-basic-suite-master/test-scenarios/test_001_initialize_engine_and_dwh.py
@@ -60,3 +60,59 @@ def test_initialize_dwh(
         '--config-append=/root/dwh-answer-file '
         '--offline '
     )
+
+
+def test_add_dwh_to_keycloak_redirect_uris_for_grafana(
+    ansible_engine,
+    engine_fqdn,
+    engine_password,
+    dwh_fqdn,
+):
+    def run_ansible_engine_kcadm(args):
+        return ansible_engine.shell(
+            'KC_OPTS=-Dcom.redhat.fips=false '
+            '/usr/share/ovirt-engine-wildfly/bin/kcadm.sh '
+            + args
+        )
+
+    # Set truststore, so that https works
+    run_ansible_engine_kcadm(
+        'config truststore '
+        '--trustpass mypass /etc/pki/ovirt-engine/.truststore '
+    )
+
+    # Login
+    run_ansible_engine_kcadm(
+        'config credentials '
+        f'--server https://{engine_fqdn}/ovirt-engine-auth '
+        '--realm master '
+        '--user admin '
+        f'--password {engine_password} '
+    )
+
+    # Get the Id of the internal client. Various hard-coded strings here
+    # must match relevant code/constants from ovirt-engine-keycloak.
+    id_res = run_ansible_engine_kcadm(
+        'get clients '
+        '-r ovirt-internal '
+        '-q clientId=ovirt-engine-internal '
+        '--fields id '
+        '--format csv'
+    )
+    id = id_res['stdout_lines'][0].strip('"')
+
+    # Get current URIs
+    current_uris_res = run_ansible_engine_kcadm(
+        f'get clients/{id} '
+        '-r ovirt-internal '
+        '--fields redirectUris '
+        '--format csv'
+    )
+    current_uris = current_uris_res['stdout_lines'][0]
+
+    # Add dwh
+    run_ansible_engine_kcadm(
+        f'update clients/{id} '
+        '-r ovirt-internal '
+        f'-s redirectUris=\'[{current_uris}, "https://{dwh_fqdn}*"]\''
+    )
