topologies: add keycloak topology

sumit-bose · pbrezina · commit 3db73377684e · 2025-05-16T11:59:18.000+02:00
diff --git a/sssd_test_framework/topology.py b/sssd_test_framework/topology.py
@@ -14,6 +14,7 @@
     IPATopologyController,
     IPATrustADTopologyController,
     IPATrustSambaTopologyController,
+    KeycloakTopologyController,
     LDAPTopologyController,
     SambaTopologyController,
 )
@@ -118,6 +119,19 @@ def test_ldap(client: Client, ldap: LDAP):
     .. topology-mark:: KnownTopology.IPATrustSamba
     """
 
+    Keycloak = SSSDTopologyMark(
+        name="keycloak",
+        topology=Topology(TopologyDomain("sssd", client=1, keycloak=1)),
+        controller=KeycloakTopologyController(),
+        fixtures=dict(
+            client="sssd.client[0]",
+            keycloak="sssd.keycloak[0]",
+        ),
+    )
+    """
+    .. topology-mark:: KnownTopology.Keycloak
+    """
+
 
 class KnownTopologyGroup(KnownTopologyGroupBase):
     """
diff --git a/sssd_test_framework/topology_controllers.py b/sssd_test_framework/topology_controllers.py
@@ -7,6 +7,7 @@
 from .hosts.ad import ADHost
 from .hosts.client import ClientHost
 from .hosts.ipa import IPAHost
+from .hosts.keycloak import KeycloakHost
 from .hosts.samba import SambaHost
 from .misc.ssh import retry_command
 
@@ -17,6 +18,7 @@
     "SambaTopologyController",
     "IPATrustADTopologyController",
     "IPATrustSambaTopologyController",
+    "KeycloakTopologyController",
 ]
 
 
@@ -173,3 +175,45 @@ class IPATrustSambaTopologyController(IPATrustADTopologyController):
     """
 
     pass
+
+
+class KeycloakTopologyController(ProvisionedBackupTopologyController):
+    """
+    Keycloak Topology Controller.
+    """
+
+    @BackupTopologyController.restore_vanilla_on_error
+    def topology_setup(self, client: ClientHost, keycloak: KeycloakHost) -> None:
+        if self.provisioned:
+            self.logger.info(f"Topology '{self.name}' is already provisioned")
+            return
+
+        self.logger.info(f"Enrolling {client.hostname} into {keycloak.hostname} by creating an IdP client")
+
+        # Create an IdP client
+        keycloak.kclogin()
+        keycloak.conn.run(
+            "/opt/keycloak/bin/kcadm.sh create clients -r master "
+            '-b \'{"clientId": "myclient", "clientAuthenticatorType": "client-secret", '
+            '"secret": "ClientSecret123", "serviceAccountsEnabled": true, '
+            '"attributes": {"oauth2.device.authorization.grant.enabled": "true"}}\' '
+        )
+        keycloak.conn.run(
+            "/opt/keycloak/bin/kcadm.sh add-roles -r master "
+            "--cclientid account --rolename view-groups --uusername service-account-myclient"
+        )
+        keycloak.conn.run(
+            "/opt/keycloak/bin/kcadm.sh add-roles -r master "
+            "--cclientid master-realm --rolename view-users --uusername service-account-myclient"
+        )
+        keycloak.conn.run(
+            "/opt/keycloak/bin/kcadm.sh add-roles -r master "
+            "--cclientid master-realm --rolename query-users --uusername service-account-myclient"
+        )
+        keycloak.conn.run(
+            "/opt/keycloak/bin/kcadm.sh add-roles -r master "
+            "--cclientid master-realm --rolename query-groups --uusername service-account-myclient"
+        )
+
+        # Backup so we can restore to this state after each test
+        super().topology_setup()
