Mirrors/Stirling-PDF
1
0
Fork 0
mirror of https://github.com/Frooodle/Stirling-PDF.git synced 2026-03-04 02:20:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Saml fix (#5651)

Browse Source 
# Description of Changes
When password login is disabled UI changes to have central style SSO
button

<img width="2057" height="1369" alt="image"
src="https://github.com/user-attachments/assets/8f65f778-0809-4c54-a9c4-acf3a67cfa63"
/>

Auto SSO login functionality

Massively increases auth debugging visibility: verbose console logging
in ErrorBoundary, AuthProvider, Landing, AuthCallback.

Improves OAuth/SAML testability: adds Keycloak docker-compose setups +
realm JSON exports + start/validate scripts for OAuth and SAML
environments.

Hardens license upload path handling: better logs + safer directory
traversal protection by normalizing absolute paths before startsWith
check.

UI polish for SSO-only login: new “single provider” centered layout +
updated button styles (pill buttons, variants, icon wrapper, arrow).


<!--
Please provide a summary of the changes, including:

- What was changed
- Why the change was made
- Any challenges encountered

Closes #(issue_number)
-->

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### Translations (if applicable)

- [ ] I ran
[`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
This commit is contained in:
Anthony Stirling
2026-02-05 12:26:41 +00:00
committed by GitHub
parent a844c7d09e
commit 00136f9e20
22 changed files with 1951 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
testing/compose/docker-compose-keycloak-oauth.yml Normal file
View File

@@ -0,0 +1,127 @@
services:
keycloak-oauth-db:
container_name: stirling-keycloak-oauth-db
image: postgres:16-alpine
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: keycloak
healthcheck:
test: ["CMD-SHELL", "pg_isready -U keycloak"]
interval: 5s
timeout: 5s
retries: 10
networks:
- stirling-oauth-test
keycloak-oauth:
container_name: stirling-keycloak-oauth
image: quay.io/keycloak/keycloak:24.0
command:
- start-dev
- --import-realm
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://keycloak-oauth-db:5432/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: keycloak
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
# Use a consistent hostname for browser + containers (configure in hosts file)
KC_HOSTNAME: "${KEYCLOAK_HOST:-kubernetes.docker.internal}"
KC_HOSTNAME_PORT: 9080
KC_HOSTNAME_STRICT: "false"
KC_HTTP_ENABLED: "true"
ports:
- "9080:8080"
volumes:
- ./keycloak-realm-oauth.json:/opt/keycloak/data/import/realm-export.json:ro
depends_on:
keycloak-oauth-db:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /realms/stirling-oauth HTTP/1.1\\nHost: localhost\\nConnection: close\\n\\n' >&3 && timeout 2 cat <&3 | head -n 1 | grep -q '200'"]
interval: 10s
timeout: 10s
retries: 30
start_period: 60s
networks:
- stirling-oauth-test
stirling-pdf-oauth:
container_name: stirling-pdf-oauth-test
image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
build:
context: ../..
dockerfile: docker/embedded/Dockerfile
extra_hosts:
- "localhost:host-gateway"
- "${KEYCLOAK_HOST:-kubernetes.docker.internal}:host-gateway"
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:8080/api/v1/info/status | grep -q 'UP'"]
interval: 5s
timeout: 10s
retries: 30
ports:
- "8080:8080"
volumes:
- ../../../stirling/keycloak-oauth-test/data:/usr/share/tessdata:rw
- ../../../stirling/keycloak-oauth-test/config:/configs:rw
- ../../../stirling/keycloak-oauth-test/logs:/logs:rw
environment:
# Basic settings
DOCKER_ENABLE_SECURITY: "true"
SECURITY_ENABLELOGIN: "true"
SECURITY_LOGINMETHOD: "${SECURITY_LOGINMETHOD:-all}"
SYSTEM_DEFAULTLOCALE: en-US
SYSTEM_BACKENDURL: "http://localhost:8080"
PREMIUM_KEY: "${PREMIUM_KEY:-00000000-0000-0000-0000-000000000000}"
PREMIUM_ENABLED: "true"
PREMIUM_PROFEATURES_SSOAUTOLOGIN: "${PREMIUM_PROFEATURES_SSOAUTOLOGIN:-false}"
UI_APPNAME: Stirling-PDF OAuth Test
UI_HOMEDESCRIPTION: Keycloak OAuth2/OIDC Test Instance
UI_APPNAMENAVBAR: Stirling-PDF OAuth
SYSTEM_MAXFILESIZE: "100"
# OAuth2 Configuration (Keycloak-specific path)
SECURITY_OAUTH2_ENABLED: "true"
SECURITY_OAUTH2_AUTOCREATEUSER: "true"
# Must match Keycloak's advertised issuer
SECURITY_OAUTH2_CLIENT_KEYCLOAK_ISSUER: "http://${KEYCLOAK_HOST:-kubernetes.docker.internal}:9080/realms/stirling-oauth"
SECURITY_OAUTH2_CLIENT_KEYCLOAK_CLIENTID: "stirling-pdf-client"
SECURITY_OAUTH2_CLIENT_KEYCLOAK_CLIENTSECRET: "test-client-secret-change-in-production"
SECURITY_OAUTH2_CLIENT_KEYCLOAK_USEASUSERNAME: "email"
SECURITY_OAUTH2_CLIENT_KEYCLOAK_SCOPES: "openid,profile,email"
# Disable SAML (OAuth only)
SECURITY_SAML2_ENABLED: "false"
# Debug Logging
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_OAUTH2: DEBUG
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY: DEBUG
# LibreOffice settings
PROCESS_EXECUTOR_AUTO_UNO_SERVER: "true"
PROCESS_EXECUTOR_SESSION_LIMIT_LIBRE_OFFICE_SESSION_LIMIT: "1"
# Permissions
PUID: 1002
PGID: 1002
UMASK: "022"
# Features
DISABLE_ADDITIONAL_FEATURES: "false"
METRICS_ENABLED: "true"
SYSTEM_GOOGLEVISIBILITY: "false"
SHOW_SURVEY: "false"
depends_on:
keycloak-oauth:
condition: service_healthy
networks:
- stirling-oauth-test
restart: on-failure:5
networks:
stirling-oauth-test:
driver: bridge

148
testing/compose/docker-compose-keycloak-saml.yml Normal file
View File

@@ -0,0 +1,148 @@
services:
keycloak-saml:
container_name: stirling-keycloak-saml
image: quay.io/keycloak/keycloak:24.0
command:
- start-dev
- --import-realm
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://keycloak-saml-db:5432/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: keycloak
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
KC_HOSTNAME: localhost
KC_HOSTNAME_PORT: 9080
KC_HOSTNAME_STRICT: "false"
KC_HTTP_ENABLED: "true"
KC_PROXY: edge
KC_HTTP_RELATIVE_PATH: "/"
ports:
- "9080:8080"
volumes:
- ./keycloak-realm-saml.json:/opt/keycloak/data/import/realm-export.json:ro
depends_on:
keycloak-saml-db:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /realms/stirling-saml/protocol/saml/descriptor HTTP/1.1\\nHost: localhost\\nConnection: close\\n\\n' >&3 && timeout 2 cat <&3 | grep -q 'EntityDescriptor'"]
interval: 10s
timeout: 10s
retries: 30
start_period: 60s
networks:
- stirling-saml-test
keycloak-saml-db:
container_name: stirling-keycloak-saml-db
image: postgres:16-alpine
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: keycloak
healthcheck:
test: ["CMD-SHELL", "pg_isready -U keycloak"]
interval: 5s
timeout: 5s
retries: 10
networks:
- stirling-saml-test
stirling-pdf-saml:
container_name: stirling-pdf-saml-test
image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
build:
context: ../..
dockerfile: docker/embedded/Dockerfile
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:8080/api/v1/info/status | grep -q 'UP'"]
interval: 5s
timeout: 10s
retries: 30
ports:
- "8080:8080"
volumes:
- ../../../stirling/keycloak-saml-test/data:/usr/share/tessdata:rw
- ../../../stirling/keycloak-saml-test/config:/configs:rw
- ../../../stirling/keycloak-saml-test/logs:/logs:rw
- ./keycloak-saml-cert.pem:/app/keycloak-saml-cert.pem:ro
- ./saml-private-key.key:/app/saml-private-key.key:ro
- ./saml-public-cert.crt:/app/saml-public-cert.crt:ro
environment:
# Basic settings
DOCKER_ENABLE_SECURITY: "true"
SECURITY_ENABLELOGIN: "true"
SECURITY_LOGINMETHOD: "${SECURITY_LOGINMETHOD:-all}"
SYSTEM_DEFAULTLOCALE: en-US
SYSTEM_BACKENDURL: "http://localhost:8080"
# Enterprise License (required for SAML)
PREMIUM_KEY: "${PREMIUM_KEY:-00000000-0000-0000-0000-000000000000}"
PREMIUM_ENABLED: "true"
PREMIUM_PROFEATURES_SSOAUTOLOGIN: "${PREMIUM_PROFEATURES_SSOAUTOLOGIN:-false}"
# Debug Logging
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_SAML2: DEBUG
LOGGING_LEVEL_ORG_OPENSAML: DEBUG
LOGGING_LEVEL_STIRLING_SOFTWARE_PROPRIETARY_SECURITY: DEBUG
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY: DEBUG
UI_APPNAME: Stirling-PDF SAML Test
UI_HOMEDESCRIPTION: Keycloak SAML Test Instance
UI_APPNAMENAVBAR: Stirling-PDF SAML
SYSTEM_MAXFILESIZE: "100"
# SAML Configuration (Keycloak)
SECURITY_SAML2_ENABLED: "true"
SECURITY_SAML2_AUTOCREATEUSER: "true"
SECURITY_SAML2_BLOCKREGISTRATION: "false"
SECURITY_SAML2_PROVIDER: "keycloak"
SECURITY_SAML2_REGISTRATIONID: "keycloak"
# IdP Issuer must match what's in the SAML metadata
SECURITY_SAML2_IDP_ISSUER: "http://localhost:9080/realms/stirling-saml"
# Entity ID must match what's configured in Keycloak
SECURITY_SAML2_IDP_ENTITYID: "http://localhost:9080/realms/stirling-saml"
# Metadata URL for Keycloak realm (use service name for internal)
SECURITY_SAML2_IDP_METADATAURI: "http://keycloak-saml:8080/realms/stirling-saml/protocol/saml/descriptor"
# SSO/SLO URLs (required - metadata URI doesn't auto-populate these)
SECURITY_SAML2_IDPSINGLELOGINURL: "http://localhost:9080/realms/stirling-saml/protocol/saml"
SECURITY_SAML2_IDPSINGLELOGOUTURL: "http://localhost:9080/realms/stirling-saml/protocol/saml"
# Certificate file paths
SECURITY_SAML2_IDP_CERT: "/app/keycloak-saml-cert.pem"
SECURITY_SAML2_PRIVATEKEY: "/app/saml-private-key.key"
SECURITY_SAML2_SP_CERT: "/app/saml-public-cert.crt"
# SP Entity ID (this application)
SECURITY_SAML2_SP_ENTITYID: "http://localhost:8080"
# Assertion Consumer Service (ACS) URL
SECURITY_SAML2_SP_ACS: "http://localhost:8080/login/saml2/sso/keycloak"
# Single Logout Service URL
SECURITY_SAML2_SP_SLS: "http://localhost:8080/logout/saml2/slo"
# Disable OAuth (SAML only)
SECURITY_OAUTH2_ENABLED: "false"
# LibreOffice settings
PROCESS_EXECUTOR_AUTO_UNO_SERVER: "true"
PROCESS_EXECUTOR_SESSION_LIMIT_LIBRE_OFFICE_SESSION_LIMIT: "1"
# Permissions
PUID: 1002
PGID: 1002
UMASK: "022"
# Features
DISABLE_ADDITIONAL_FEATURES: "false"
METRICS_ENABLED: "true"
SYSTEM_GOOGLEVISIBILITY: "false"
SHOW_SURVEY: "false"
depends_on:
keycloak-saml:
condition: service_healthy
networks:
- stirling-saml-test
restart: on-failure:5
networks:
stirling-saml-test:
driver: bridge

370
testing/compose/keycloak-realm-oauth.json Normal file
View File

@@ -0,0 +1,370 @@
{
"id": "stirling-oauth",
"realm": "stirling-oauth",
"displayName": "Stirling PDF OAuth Test",
"displayNameHtml": "<div class=\"kc-logo-text\"><span>Stirling PDF OAuth</span></div>",
"enabled": true,
"sslRequired": "none",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": false,
"accessTokenLifespan": 300,
"accessTokenLifespanForImplicitFlow": 900,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"offlineSessionIdleTimeout": 2592000,
"users": [
{
"username": "oauthuser@example.com",
"email": "oauthuser@example.com",
"emailVerified": true,
"firstName": "OAuth",
"lastName": "TestUser",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "oauthpassword",
"temporary": false
}
],
"realmRoles": ["user"],
"attributes": {
"phone": ["+1234567890"],
"organization": ["Test Corp"]
}
},
{
"username": "oauthadmin@example.com",
"email": "oauthadmin@example.com",
"emailVerified": true,
"firstName": "OAuth",
"lastName": "Admin",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "oauthadminpass",
"temporary": false
}
],
"realmRoles": ["user", "admin"],
"attributes": {
"phone": ["+1987654321"],
"organization": ["Test Corp IT"]
}
}
],
"roles": {
"realm": [
{
"name": "user",
"description": "Regular user role",
"composite": false,
"clientRole": false
},
{
"name": "admin",
"description": "Administrator role",
"composite": false,
"clientRole": false
}
]
},
"clients": [
{
"clientId": "stirling-pdf-client",
"name": "Stirling PDF OAuth2 Client",
"description": "OAuth2/OIDC client for Stirling PDF testing",
"rootUrl": "http://localhost:8080",
"adminUrl": "http://localhost:8080",
"baseUrl": "http://localhost:8080",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "test-client-secret-change-in-production",
"redirectUris": [
"http://localhost:8080/*",
"http://localhost:8080/login/oauth2/code/keycloak",
"http://stirling-pdf-oauth:8080/*",
"http://stirling-pdf-oauth:8080/login/oauth2/code/keycloak"
],
"webOrigins": [
"http://localhost:8080",
"http://stirling-pdf-oauth:8080"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"oauth2.device.authorization.grant.enabled": "false",
"display.on.consent.screen": "false",
"backchannel.logout.revoke.offline.tokens": "false"
},
"fullScopeAllowed": true,
"protocolMappers": [
{
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
},
{
"name": "email_verified",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "emailVerified",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email_verified",
"jsonType.label": "boolean"
}
},
{
"name": "given_name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "firstName",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "given_name",
"jsonType.label": "String"
}
},
{
"name": "family_name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "lastName",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "family_name",
"jsonType.label": "String"
}
},
{
"name": "preferred_username",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "preferred_username",
"jsonType.label": "String"
}
},
{
"name": "roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "roles",
"jsonType.label": "String",
"multivalued": "true"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
],
"clientScopes": [
{
"name": "email",
"description": "OpenID Connect built-in scope: email",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
},
{
"name": "email verified",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "emailVerified",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email_verified",
"jsonType.label": "boolean"
}
}
]
},
{
"name": "profile",
"description": "OpenID Connect built-in scope: profile",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "given name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "firstName",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "given_name",
"jsonType.label": "String"
}
},
{
"name": "family name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "lastName",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "family_name",
"jsonType.label": "String"
}
},
{
"name": "username",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "preferred_username",
"jsonType.label": "String"
}
}
]
},
{
"name": "roles",
"description": "OpenID Connect scope for user roles",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "realm roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "roles",
"jsonType.label": "String",
"multivalued": "true"
}
}
]
}
],
"defaultDefaultClientScopes": [
"role_list",
"profile",
"email",
"roles",
"web-origins",
"acr"
],
"defaultOptionalClientScopes": [
"offline_access",
"address",
"phone",
"microprofile-jwt"
],
"browserSecurityHeaders": {
"contentSecurityPolicyReportOnly": "",
"xContentTypeOptions": "nosniff",
"referrerPolicy": "no-referrer",
"xRobotsTag": "none",
"xFrameOptions": "SAMEORIGIN",
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
"xXSSProtection": "1; mode=block",
"strictTransportSecurity": "max-age=31536000; includeSubDomains"
},
"eventsEnabled": false,
"eventsListeners": ["jboss-logging"],
"enabledEventTypes": [],
"adminEventsEnabled": false,
"adminEventsDetailsEnabled": false,
"internationalizationEnabled": false,
"supportedLocales": [],
"keycloakVersion": "24.0.0"
}

210
testing/compose/keycloak-realm-saml.json Normal file
View File

@@ -0,0 +1,210 @@
{
"id": "stirling-saml",
"realm": "stirling-saml",
"displayName": "Stirling PDF SAML Test",
"displayNameHtml": "<div class=\"kc-logo-text\"><span>Stirling PDF SAML</span></div>",
"enabled": true,
"sslRequired": "none",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": false,
"users": [
{
"username": "samluser",
"email": "samluser@example.com",
"emailVerified": true,
"firstName": "SAML",
"lastName": "TestUser",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "samlpassword",
"temporary": false
}
],
"realmRoles": ["user"],
"attributes": {
"department": ["Engineering"],
"employeeId": ["EMP001"]
}
},
{
"username": "samladmin",
"email": "samladmin@example.com",
"emailVerified": true,
"firstName": "SAML",
"lastName": "Admin",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "samladminpass",
"temporary": false
}
],
"realmRoles": ["user", "admin"],
"attributes": {
"department": ["IT"],
"employeeId": ["ADM001"]
}
}
],
"roles": {
"realm": [
{
"name": "user",
"description": "Regular user role",
"composite": false,
"clientRole": false
},
{
"name": "admin",
"description": "Administrator role",
"composite": false,
"clientRole": false
}
]
},
"clients": [
{
"clientId": "http://localhost:8080/saml2/service-provider-metadata/keycloak",
"name": "Stirling PDF SAML Client",
"description": "SAML2 client for Stirling PDF testing",
"rootUrl": "http://localhost:8080",
"adminUrl": "http://localhost:8080",
"baseUrl": "http://localhost:8080",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"http://localhost:8080/*"
],
"webOrigins": [
"http://localhost:8080"
],
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "saml",
"attributes": {
"saml.force.post.binding": "true",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"saml.server.signature": "true",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "true",
"display.on.consent.screen": "false",
"saml_name_id_format": "email",
"saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
"saml.assertion.signature": "true"
},
"fullScopeAllowed": true,
"protocolMappers": [
{
"name": "email",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "URI Reference",
"user.attribute": "email",
"friendly.name": "email",
"attribute.name": "email"
}
},
{
"name": "firstName",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "URI Reference",
"user.attribute": "firstName",
"friendly.name": "firstName",
"attribute.name": "firstName"
}
},
{
"name": "lastName",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "URI Reference",
"user.attribute": "lastName",
"friendly.name": "lastName",
"attribute.name": "lastName"
}
},
{
"name": "username",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "URI Reference",
"user.attribute": "username",
"friendly.name": "username",
"attribute.name": "username"
}
},
{
"name": "role list",
"protocol": "saml",
"protocolMapper": "saml-role-list-mapper",
"consentRequired": false,
"config": {
"single": "true",
"attribute.nameformat": "Basic",
"attribute.name": "Role"
}
},
{
"name": "department",
"protocol": "saml",
"protocolMapper": "saml-user-attribute-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "Basic",
"user.attribute": "department",
"friendly.name": "department",
"attribute.name": "department"
}
}
]
}
],
"browserSecurityHeaders": {
"contentSecurityPolicyReportOnly": "",
"xContentTypeOptions": "nosniff",
"referrerPolicy": "no-referrer",
"xRobotsTag": "none",
"xFrameOptions": "SAMEORIGIN",
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
"xXSSProtection": "1; mode=block",
"strictTransportSecurity": "max-age=31536000; includeSubDomains"
},
"eventsEnabled": false,
"eventsListeners": ["jboss-logging"],
"enabledEventTypes": [],
"adminEventsEnabled": false,
"adminEventsDetailsEnabled": false,
"internationalizationEnabled": false,
"supportedLocales": [],
"keycloakVersion": "24.0.0"
}

171
testing/compose/start-oauth-test.sh Normal file
View File

@@ -0,0 +1,171 @@
#!/bin/bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
echo -e "${BLUE}╔════════════════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║ Stirling PDF + Keycloak OAuth Test Environment ║${NC}"
echo -e "${BLUE}╚════════════════════════════════════════════════════╝${NC}"
echo ""
AUTO_LOGIN=false
FORCE_ALL_LOGIN=false
COMPOSE_UP_ARGS=(-d --build)
for arg in "$@"; do
case "$arg" in
--auto)
AUTO_LOGIN=true
;;
--all)
FORCE_ALL_LOGIN=true
;;
--nobuild)
COMPOSE_UP_ARGS=(-d)
;;
-h|--help)
echo "Usage: $0 [--auto] [--nobuild]"
echo ""
echo " --auto Enable SSO auto-login and force OAuth-only login method"
echo " --all Force login method to allow all providers (overrides --auto)"
echo " --nobuild Skip building images (use existing images)"
exit 0
;;
*)
echo -e "${RED}Unknown option: $arg${NC}"
exit 1
;;
esac
done
if ! docker info > /dev/null 2>&1; then
echo -e "${RED}✗ Docker is not running${NC}"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"
# Hostname used by Keycloak issuer (must resolve on host + containers)
KEYCLOAK_HOST="${KEYCLOAK_HOST:-kubernetes.docker.internal}"
export KEYCLOAK_HOST
# Preflight check: ensure host can resolve the issuer hostname (skippable + bounded timeouts)
if [ "${SKIP_OAUTH_PREFLIGHT:-false}" != "true" ]; then
if ! curl -sf --connect-timeout 2 --max-time 3 "http://${KEYCLOAK_HOST}:9080/realms/stirling-oauth" >/dev/null 2>&1; then
echo -e "${YELLOW}⚠ Cannot reach http://${KEYCLOAK_HOST}:9080 from this machine.${NC}"
echo -e "${YELLOW} Add a hosts entry pointing ${KEYCLOAK_HOST} to 127.0.0.1, then retry.${NC}"
echo ""
echo -e "${BLUE}Windows:${NC} C:\\Windows\\System32\\drivers\\etc\\hosts"
echo -e "${BLUE}macOS/Linux:${NC} /etc/hosts"
echo ""
echo -e "${GREEN}127.0.0.1 ${KEYCLOAK_HOST}${NC}"
echo ""
fi
fi
# Prompt for license key (optional)
if [ -z "$PREMIUM_KEY" ]; then
echo -e "${YELLOW}Enter license key (press Enter to use default test key):${NC}"
read -r LICENSE_INPUT
if [ -n "$LICENSE_INPUT" ]; then
export PREMIUM_KEY="$LICENSE_INPUT"
echo -e "${GREEN}✓ Using provided license key${NC}"
else
echo -e "${BLUE}Using default test license key${NC}"
fi
echo ""
fi
if [ "$FORCE_ALL_LOGIN" = true ]; then
AUTO_LOGIN=false
export SECURITY_LOGINMETHOD=all
echo -e "${GREEN}✓ Login method forced to all providers${NC}"
echo ""
elif [ "$AUTO_LOGIN" = true ]; then
export PREMIUM_PROFEATURES_SSOAUTOLOGIN=true
export SECURITY_LOGINMETHOD=oauth2
COMPOSE_UP_ARGS+=(--force-recreate)
echo -e "${GREEN}✓ SSO auto-login enabled (OAuth-only)${NC}"
echo ""
fi
echo -e "${YELLOW}▶ Starting Keycloak (OAuth) containers...${NC}"
docker-compose -f docker-compose-keycloak-oauth.yml up "${COMPOSE_UP_ARGS[@]}" keycloak-oauth-db keycloak-oauth
echo ""
echo -e "${YELLOW}▶ Waiting for Keycloak (OAuth)...${NC}"
MAX_WAIT=180
WAITED=0
while [ $WAITED -lt $MAX_WAIT ]; do
if curl -sf http://localhost:9080/realms/stirling-oauth > /dev/null 2>&1; then
echo -e "${GREEN}✓ Keycloak is ready${NC}"
break
fi
echo -n "."
sleep 2
WAITED=$((WAITED + 2))
done
if [ $WAITED -ge $MAX_WAIT ]; then
echo -e "${RED}✗ Keycloak failed to start${NC}"
exit 1
fi
echo ""
echo -e "${YELLOW}▶ Starting Stirling PDF...${NC}"
docker-compose -f docker-compose-keycloak-oauth.yml up "${COMPOSE_UP_ARGS[@]}" stirling-pdf-oauth
echo ""
echo -e "${YELLOW}▶ Waiting for Stirling PDF...${NC}"
WAITED=0
while [ $WAITED -lt $MAX_WAIT ]; do
if curl -sf http://localhost:8080/api/v1/info/status 2>/dev/null | grep -q "UP"; then
echo -e "${GREEN}✓ Stirling PDF is ready${NC}"
break
fi
echo -n "."
sleep 2
WAITED=$((WAITED + 2))
done
if [ $WAITED -ge $MAX_WAIT ]; then
echo -e "${RED}✗ Stirling PDF failed to start${NC}"
exit 1
fi
echo ""
echo -e "${GREEN}╔════════════════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ OAuth Test Environment Ready! ✓ ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════════════════╝${NC}"
echo ""
echo -e "${BLUE}📍 Services:${NC}"
echo -e " Stirling PDF: ${GREEN}http://localhost:8080${NC}"
echo -e " Keycloak Admin: ${GREEN}http://${KEYCLOAK_HOST}:9080/admin${NC}"
echo ""
echo -e "${BLUE}🔑 Keycloak Admin:${NC}"
echo -e " Username: ${GREEN}admin${NC}"
echo -e " Password: ${GREEN}admin${NC}"
echo ""
echo -e "${BLUE}👥 Test Users (OAuth):${NC}"
echo -e " ${YELLOW}Regular User:${NC}"
echo -e " Email: ${GREEN}oauthuser@example.com${NC}"
echo -e " Password: ${GREEN}oauthpassword${NC}"
echo ""
echo -e " ${YELLOW}Admin User:${NC}"
echo -e " Email: ${GREEN}oauthadmin@example.com${NC}"
echo -e " Password: ${GREEN}oauthadminpass${NC}"
echo ""
echo -e "${BLUE}🧪 Test OAuth:${NC}"
echo -e " 1. Go to ${GREEN}http://localhost:8080${NC}"
echo -e " 2. Click 'Login' and select OAuth2"
echo -e " 3. Login with test credentials"
echo ""
echo -e "${BLUE}📊 View logs:${NC}"
echo -e " docker-compose -f docker-compose-keycloak-oauth.yml logs -f"
echo ""
echo -e "${BLUE}⏹ Stop:${NC}"
echo -e " docker-compose -f docker-compose-keycloak-oauth.yml down -v"
echo ""

179
testing/compose/start-saml-test.sh Normal file
View File

@@ -0,0 +1,179 @@
#!/bin/bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
echo -e "${BLUE}╔════════════════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║ Stirling PDF + Keycloak SAML Test Environment ║${NC}"
echo -e "${BLUE}╚════════════════════════════════════════════════════╝${NC}"
echo ""
AUTO_LOGIN=false
COMPOSE_UP_ARGS=(-d --build)
for arg in "$@"; do
case "$arg" in
--auto)
AUTO_LOGIN=true
;;
--nobuild)
COMPOSE_UP_ARGS=(-d)
;;
-h|--help)
echo "Usage: $0 [--auto] [--nobuild]"
echo ""
echo " --auto Enable SSO auto-login and force SAML-only login method"
echo " --nobuild Skip building images (use existing images)"
exit 0
;;
*)
echo -e "${RED}Unknown option: $arg${NC}"
exit 1
;;
esac
done
if ! docker info > /dev/null 2>&1; then
echo -e "${RED}✗ Docker is not running${NC}"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"
# Prompt for license key (optional)
if [ -z "$PREMIUM_KEY" ]; then
echo -e "${YELLOW}Enter Enterprise license key (press Enter to use default test key):${NC}"
read -r LICENSE_INPUT
if [ -n "$LICENSE_INPUT" ]; then
export PREMIUM_KEY="$LICENSE_INPUT"
echo -e "${GREEN}✓ Using provided license key${NC}"
else
echo -e "${BLUE}Using default test license key${NC}"
fi
echo ""
fi
if [ "$AUTO_LOGIN" = true ]; then
export PREMIUM_PROFEATURES_SSOAUTOLOGIN=true
export SECURITY_LOGINMETHOD=saml2
COMPOSE_UP_ARGS+=(--force-recreate)
echo -e "${GREEN}✓ SSO auto-login enabled (SAML-only)${NC}"
echo ""
fi
echo -e "${YELLOW}▶ Starting Keycloak (SAML) containers...${NC}"
docker-compose -f docker-compose-keycloak-saml.yml up "${COMPOSE_UP_ARGS[@]}" keycloak-saml-db keycloak-saml
echo ""
echo -e "${YELLOW}▶ Waiting for Keycloak (SAML)...${NC}"
MAX_WAIT=180
WAITED=0
while [ $WAITED -lt $MAX_WAIT ]; do
if curl -sf http://localhost:9080/realms/stirling-saml/protocol/saml/descriptor 2>/dev/null | grep -q "EntityDescriptor"; then
echo -e "${GREEN}✓ Keycloak is ready${NC}"
break
fi
echo -n "."
sleep 2
WAITED=$((WAITED + 2))
done
if [ $WAITED -ge $MAX_WAIT ]; then
echo -e "${RED}✗ Keycloak failed to start${NC}"
exit 1
fi
echo ""
echo -e "${YELLOW}▶ Generating SAML SP certificates if needed...${NC}"
PRIVATE_KEY="${SCRIPT_DIR}/saml-private-key.key"
PUBLIC_CERT="${SCRIPT_DIR}/saml-public-cert.crt"
# Remove any directories that Docker might have created
[ -d "$PRIVATE_KEY" ] && rm -rf "$PRIVATE_KEY"
[ -d "$PUBLIC_CERT" ] && rm -rf "$PUBLIC_CERT"
if [ ! -f "$PRIVATE_KEY" ] || [ ! -f "$PUBLIC_CERT" ]; then
openssl req -x509 -newkey rsa:2048 -keyout "$PRIVATE_KEY" -out "$PUBLIC_CERT" \
-days 3650 -nodes -subj "/CN=stirling-pdf-saml-sp" >/dev/null 2>&1
echo -e "${GREEN}✓ Generated SAML SP certificates${NC}"
else
echo -e "${BLUE}Using existing SAML SP certificates${NC}"
fi
echo ""
echo -e "${YELLOW}▶ Fetching Keycloak SAML signing certificate...${NC}"
CERT_PATH="${SCRIPT_DIR}/keycloak-saml-cert.pem"
CERT_BODY="$(curl -sf http://localhost:9080/realms/stirling-saml/protocol/saml/descriptor \
| awk 'BEGIN{RS="<[^>]*X509Certificate>|</[^>]*X509Certificate>"} NR==2{gsub(/[[:space:]]+/,""); print; exit}')"
if [ -n "$CERT_BODY" ]; then
{
echo "-----BEGIN CERTIFICATE-----"
echo "$CERT_BODY"
echo "-----END CERTIFICATE-----"
} > "$CERT_PATH"
fi
if [ ! -s "$CERT_PATH" ]; then
echo -e "${RED}✗ Failed to fetch Keycloak SAML certificate${NC}"
exit 1
fi
echo -e "${GREEN}✓ Keycloak SAML certificate updated${NC}"
echo ""
echo -e "${YELLOW}▶ Starting Stirling PDF...${NC}"
docker-compose -f docker-compose-keycloak-saml.yml up "${COMPOSE_UP_ARGS[@]}" stirling-pdf-saml
echo ""
echo -e "${YELLOW}▶ Waiting for Stirling PDF...${NC}"
WAITED=0
while [ $WAITED -lt $MAX_WAIT ]; do
if curl -sf http://localhost:8080/api/v1/info/status 2>/dev/null | grep -q "UP"; then
echo -e "${GREEN}✓ Stirling PDF is ready${NC}"
break
fi
echo -n "."
sleep 2
WAITED=$((WAITED + 2))
done
if [ $WAITED -ge $MAX_WAIT ]; then
echo -e "${RED}✗ Stirling PDF failed to start${NC}"
exit 1
fi
echo ""
echo -e "${GREEN}╔════════════════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║ SAML Test Environment Ready! ✓ ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════════════════╝${NC}"
echo ""
echo -e "${BLUE}📍 Services:${NC}"
echo -e " Stirling PDF: ${GREEN}http://localhost:8080${NC}"
echo -e " Keycloak Admin: ${GREEN}http://localhost:9080/admin${NC}"
echo ""
echo -e "${BLUE}🔑 Keycloak Admin:${NC}"
echo -e " Username: ${GREEN}admin${NC}"
echo -e " Password: ${GREEN}admin${NC}"
echo ""
echo -e "${BLUE}👥 Test Users (SAML):${NC}"
echo -e " ${YELLOW}Regular User:${NC}"
echo -e " Email: ${GREEN}samluser@example.com${NC}"
echo -e " Password: ${GREEN}samlpassword${NC}"
echo ""
echo -e " ${YELLOW}Admin User:${NC}"
echo -e " Email: ${GREEN}samladmin@example.com${NC}"
echo -e " Password: ${GREEN}samladminpass${NC}"
echo ""
echo -e "${BLUE}🧪 Test SAML:${NC}"
echo -e " 1. Go to ${GREEN}http://localhost:8080${NC}"
echo -e " 2. Click 'Login' and select SAML"
echo -e " 3. Login with test credentials"
echo ""
echo -e "${BLUE}📊 View logs:${NC}"
echo -e " docker-compose -f docker-compose-keycloak-saml.yml logs -f"
echo ""
echo -e "${BLUE}⏹ Stop:${NC}"
echo -e " docker-compose -f docker-compose-keycloak-saml.yml down -v"
echo ""

58
testing/compose/validate-oauth-test.sh Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
echo -e "${YELLOW}Validating OAuth test environment...${NC}"
echo ""
# Check Keycloak health
echo -n "Checking Keycloak health... "
if curl -sf http://localhost:9080/health/ready > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ Keycloak is not ready${NC}"
exit 1
fi
# Check OAuth realm
echo -n "Checking OAuth realm... "
if curl -sf http://localhost:9080/realms/stirling-oauth > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ OAuth realm not found${NC}"
exit 1
fi
# Check OIDC configuration
echo -n "Checking OIDC configuration endpoint... "
if curl -sf http://localhost:9080/realms/stirling-oauth/.well-known/openid-configuration > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ OIDC configuration not available${NC}"
exit 1
fi
# Check Stirling PDF
echo -n "Checking Stirling PDF status... "
if curl -sf http://localhost:8080/api/v1/info/status 2>/dev/null | grep -q "UP"; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ Stirling PDF is not ready${NC}"
exit 1
fi
# Check OAuth login endpoint
echo -n "Checking OAuth login endpoint... "
if curl -sf http://localhost:8080/oauth2/authorization/keycloak > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ OAuth login endpoint not available${NC}"
exit 1
fi
echo ""
echo -e "${GREEN}All OAuth environment checks passed!${NC}"

58
testing/compose/validate-saml-test.sh Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
echo -e "${YELLOW}Validating SAML test environment...${NC}"
echo ""
# Check Keycloak health
echo -n "Checking Keycloak health... "
if curl -sf http://localhost:9080/health/ready > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ Keycloak is not ready${NC}"
exit 1
fi
# Check SAML realm
echo -n "Checking SAML realm... "
if curl -sf http://localhost:9080/realms/stirling-saml > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ SAML realm not found${NC}"
exit 1
fi
# Check SAML metadata
echo -n "Checking SAML metadata endpoint... "
if curl -sf http://localhost:9080/realms/stirling-saml/protocol/saml/descriptor > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ SAML metadata not available${NC}"
exit 1
fi
# Check Stirling PDF
echo -n "Checking Stirling PDF status... "
if curl -sf http://localhost:8080/api/v1/info/status 2>/dev/null | grep -q "UP"; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ Stirling PDF is not ready${NC}"
exit 1
fi
# Check Stirling PDF SAML metadata
echo -n "Checking Stirling PDF SAML metadata... "
if curl -sf http://localhost:8080/saml2/service-provider-metadata/keycloak > /dev/null 2>&1; then
echo -e "${GREEN}${NC}"
else
echo -e "${RED}✗ Stirling PDF SAML metadata not available${NC}"
exit 1
fi
echo ""
echo -e "${GREEN}All SAML environment checks passed!${NC}"