Merge branch 'main' of github.com:orthanc-team/orthanc-auth-service i…
…nto main
amazy committed Sep 20, 2024
2 parents b1dc4f3 + ecc7e83 commit 4a067e6
Showing 15 changed files with 410 additions and 126 deletions.
17 changes: 8 additions & 9 deletions minimal-setup/keycloak-meddream-full/docker-compose.yml
Expand Up @@ -6,7 +6,7 @@ version: "3"
services:

nginx:
image: orthancteam/orthanc-nginx:24.7.1
image: orthancteam/orthanc-nginx:24.9.0
depends_on: [orthanc, orthanc-auth-service, orthanc-for-api, meddream-viewer, keycloak]
restart: unless-stopped
ports: ["80:80"]
Expand All @@ -24,7 +24,7 @@ services:
ENABLE_ORTHANC_FOR_API: "true"

orthanc:
image: orthancteam/orthanc:24.7.1
image: orthancteam/orthanc:24.8.3
volumes:
- orthanc-storage:/var/lib/orthanc/db
depends_on: [orthanc-db]
Expand Down Expand Up @@ -76,7 +76,7 @@ services:
}
orthanc-auth-service:
image: orthancteam/orthanc-auth-service:24.7.1
image: orthancteam/orthanc-auth-service:24.9.0
depends_on: [keycloak, meddream-token-service]
# permissions can be customized in the permissions.json file
volumes:
Expand Down Expand Up @@ -104,7 +104,7 @@ services:
POSTGRES_HOST_AUTH_METHOD: "trust"

keycloak:
image: orthancteam/orthanc-keycloak:24.7.1
image: orthancteam/orthanc-keycloak:24.9.0
depends_on: [keycloak-db]
restart: unless-stopped
environment:
Expand All @@ -114,8 +114,7 @@ services:
KC_DB_URL: "jdbc:postgresql://keycloak-db:5432/keycloak"
KC_DB_USERNAME: "keycloak"
KC_DB_PASSWORD: "keycloak"
# KC_HOSTNAME_URL: "https://mydomain.com/keycloak"
# KC_HOSTNAME_ADMIN_URL: "https://mydomain.com/keycloak"
# KC_HOSTNAME: "https://mydomain.com/keycloak"

keycloak-db:
image: postgres:14
Expand All @@ -127,11 +126,11 @@ services:
POSTGRES_DB: "keycloak"

meddream-token-service:
image: orthancteam/meddream-token-service:24.7.1
image: orthancteam/meddream-token-service:24.9.0
restart: unless-stopped

meddream-viewer:
image: orthancteam/meddream-viewer:24.7.1
image: orthancteam/meddream-viewer:24.9.0
restart: unless-stopped
depends_on:
- orthanc-for-api
Expand All @@ -153,7 +152,7 @@ services:

# An orthanc dedicated for API accesses and also used by MedDream
orthanc-for-api:
image: orthancteam/orthanc:24.7.1
image: orthancteam/orthanc:24.8.3
volumes:
- orthanc-storage:/var/lib/orthanc/db
- ./meddream-plugin.py:/scripts/meddream-plugin.py
15 changes: 6 additions & 9 deletions minimal-setup/keycloak/docker-compose.yml
Expand Up @@ -6,7 +6,7 @@ version: "3"
services:

nginx:
image: orthancteam/orthanc-nginx:24.7.1
image: orthancteam/orthanc-nginx:24.9.0
depends_on: [orthanc, orthanc-auth-service, keycloak]
restart: unless-stopped
ports: ["80:80"]
Expand All @@ -24,7 +24,7 @@ services:
ENABLE_OHIF: "true"

orthanc:
image: orthancteam/orthanc:24.7.1
image: orthancteam/orthanc:24.8.3
volumes:
- orthanc-storage:/var/lib/orthanc/db
depends_on: [orthanc-db]
Expand Down Expand Up @@ -90,7 +90,7 @@ services:
}
orthanc-auth-service:
image: orthancteam/orthanc-auth-service:24.7.1
image: orthancteam/orthanc-auth-service:24.9.0
# always disable port mapping in production !!!
# ports: ["8000:8000"]
# permissions can be customized in the permissions.json file
Expand Down Expand Up @@ -124,28 +124,25 @@ services:

# to use OHIF-plugin: you don't need this container
ohif:
image: orthancteam/ohif-v3:24.7.1
image: orthancteam/ohif-v3:24.9.0
# uncomment if you want to customize ohif configuration
# volumes:
# - ./ohif-app-config.js:/usr/share/nginx/html/app-config.js
restart: unless-stopped


keycloak:
image: orthancteam/orthanc-keycloak:24.7.1
image: orthancteam/orthanc-keycloak:24.9.0
depends_on: [keycloak-db]
restart: unless-stopped
# healthcheck:
# test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
environment:
KEYCLOAK_ADMIN: "admin"
KEYCLOAK_ADMIN_PASSWORD: "change-me"
KC_DB: "postgres"
KC_DB_URL: "jdbc:postgresql://keycloak-db:5432/keycloak"
KC_DB_USERNAME: "keycloak"
KC_DB_PASSWORD: "keycloak"
# KC_HOSTNAME_URL: "https://mydomain.com/keycloak"
# KC_HOSTNAME_ADMIN_URL: "https://mydomain.com/keycloak"
# KC_HOSTNAME: "https://mydomain.com/keycloak"

keycloak-db:
image: postgres:14
30 changes: 30 additions & 0 deletions minimal-setup/openldap/README.md
@@ -0,0 +1,30 @@
# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
#
# SPDX-License-Identifier: CC0-1.0
# What is it about?

This is a tiny setup to quickly spin up an LDAP server to perform some tests (with Keycloak).
All users have the same password:
```
change-me
```

## Cheat code to run it aside Keycloak

From the keycloak folder (minimal-setup):
```
docker compose -f docker-compose.yml -f ../openldap/docker-compose.yml up -d
```

## Login to the mgmt web ui
```
http://localhost:6443
cn=admin,dc=myorg,dc=com
change-me
```

## List all the users from the terminal
```
ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=myorg,dc=com" -w "change-me" -b "OU=users,DC=myorg,DC=com"
```
27 changes: 27 additions & 0 deletions minimal-setup/openldap/docker-compose.yml
@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
#
# SPDX-License-Identifier: CC0-1.0

version: "3"
services:

openldap-server:
image: osixia/openldap
ports:
- 389:389
- 636:636
environment:
LDAP_ORGANISATION: "MyOrg"
LDAP_DOMAIN: "myorg.com"
LDAP_ADMIN_PASSWORD: "change-me"
LDAP_SEED_INTERNAL_LDIF_PATH: "/home/ldif"
volumes:
- ../openldap/ldif:/home/ldif

phpldapadmin:
image: osixia/phpldapadmin
ports:
- 6443:80
environment:
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_LDAP_HOSTS: "openldap-server"
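Review bot: Both `image: osixia/openldap` and `image: osixia/phpldapadmin` are unpinned, so this setup pulls whatever the registry's default tag resolves to at run time and can change or break with no change in this repository; pin a tag (`image: osixia/openldap:<pinned-tag>`, placeholder) as every other compose file in this commit does for its images. The `ports:` entries publish 389, 636 and 6443 on all host interfaces, with the shared password documented in the README and `PHPLDAPADMIN_HTTPS: "false"` for the admin UI; for a test-only setup, binding them to loopback, `- "127.0.0.1:389:389"` and likewise for the others, keeps the directory and its admin UI off the network, and presumably does not affect Keycloak, which reaches `openldap-server` over the shared compose network when the two files are merged as the README describes. Quoting the mappings also avoids the YAML 1.1 sexagesimal parse should a low port number be substituted later.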
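--- a/minimal-setup/openldap/ldif/test.ldif
+++ b/minimal-setup/openldap/ldif/test.ldif
@@ -0,0 +1,110 @@
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# LDIF Export for dc=myorg,dc=com
+# Server: openldap-server (openldap-server)
+# Search Scope: sub
+# Search Filter: (objectClass=*)
+# Total Entries: 9
+#
+# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on September 16, 2024 11:47 am
+# Version: 1.2.5
+
+version: 1
+
+# Entry 1: dc=myorg,dc=com
+# dn: dc=myorg,dc=com
+# dc: myorg
+# o: MyOrg
+# objectclass: top
+# objectclass: dcObject
+# objectclass: organization
+
+# Entry 2: ou=groups,dc=myorg,dc=com
+dn: ou=groups,dc=myorg,dc=com
+objectclass: organizationalUnit
+objectclass: top
+ou: groups
+
+# Entry 3: cn=developers,ou=groups,dc=myorg,dc=com
+dn: cn=developers,ou=groups,dc=myorg,dc=com
+cn: developers
+objectclass: top
+objectclass: groupOfUniqueNames
+uniquemember: uid=john.doe,ou=users,dc=myorg,dc=com
+uniquemember: uid=jane.doe,ou=users,dc=myorg,dc=com
+
+# Entry 4: cn=managers,ou=groups,dc=myorg,dc=com
+dn: cn=managers,ou=groups,dc=myorg,dc=com
+cn: managers
+objectclass: top
+objectclass: groupOfUniqueNames
+uniquemember: uid=alice.smith,ou=users,dc=myorg,dc=com
+uniquemember: uid=bob.jones,ou=users,dc=myorg,dc=com
+
+# Entry 5: ou=users,dc=myorg,dc=com
+dn: ou=users,dc=myorg,dc=com
+objectclass: organizationalUnit
+objectclass: top
+ou: users
+
+# Entry 6: uid=alice.smith,ou=users,dc=myorg,dc=com
+dn: uid=alice.smith,ou=users,dc=myorg,dc=com
+cn: Alice Smith
+gidnumber: 500
+homedirectory: /home/alice.smith
+loginshell: /bin/bash
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: Smith
+uid: alice.smith
+uidnumber: 1003
+userpassword: {SSHA}gPG0Te3ggmrEBf1cFg0wgymawpCOKF85
+
+# Entry 7: uid=bob.jones,ou=users,dc=myorg,dc=com
+dn: uid=bob.jones,ou=users,dc=myorg,dc=com
+cn: Bob Jones
+gidnumber: 500
+homedirectory: /home/bob.jones
+loginshell: /bin/bash
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: Jones
+uid: bob.jones
+uidnumber: 1004
+userpassword: {SSHA}uJVNDjOzKANIzuFZusa7PfJlcTM/odaO
+
+# Entry 8: uid=jane.doe,ou=users,dc=myorg,dc=com
+dn: uid=jane.doe,ou=users,dc=myorg,dc=com
+cn: Jane Doe
+gidnumber: 500
+homedirectory: /home/jane.doe
+loginshell: /bin/bash
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: Doe
+uid: jane.doe
+uidnumber: 1002
+userpassword: {SSHA}Nzle/2CA2DA7A+jFZVZiHraEKkkb+zJc
+
+# Entry 9: uid=john.doe,ou=users,dc=myorg,dc=com
+dn: uid=john.doe,ou=users,dc=myorg,dc=com
+cn: John Doe
+gidnumber: 500
+homedirectory: /home/john.doe
+loginshell: /bin/bash
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: Doe
+uid: john.doe
+uidnumber: 1001
+userpassword: {SSHA}zQ/DwEuaAun5KYC7yWFc769EbbDTi/k7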
14 changes: 13 additions & 1 deletion release-notes.md
Expand Up @@ -7,9 +7,20 @@ SPDX-License-Identifier: GPL-3.0-or-later
Pending changes
===============

- Fixed roles removed from Keycloak that were still being listed in `/settings/roles`


v 24.9.0
========

- Fixed typo in `KEYCLOAK_ADMIN_URI` that was not read correctly.
- Fixed special characters that were not allowed in API keys.
- Fixed roles removed from Keycloak that were still being listed in /settings/roles
- Upgraded Keycloak from 22.0.5 to 25.0.5
- enabled brut force detection by default in orthanc Keycloak realm

BREAKING CHANGES:
- Keycloak Docker image env var `KC_HOSTNAME_URL` is replaced by `KC_HOSTNAME`
- Keycloak Docker image env var `KC_HOSTNAME_ADMIN_URL` is removed (no longer needed)


v 24.7.2
Expand All @@ -18,6 +29,7 @@ v 24.7.2
- added `PROXY_READ_TIMEOUT` env var for nginx
- fix: read KEYCLOAK_CLIENT_SECRET from secrets or environment variable


v 24.7.1
========

19 changes: 11 additions & 8 deletions sources/keycloak/Dockerfile.orthanc-keycloak
Expand Up @@ -3,35 +3,38 @@
#
# SPDX-License-Identifier: CC0-1.0

FROM quay.io/keycloak/keycloak:22.0.5 as builder
FROM quay.io/keycloak/keycloak:25.0.5 AS builder

WORKDIR /opt/keycloak
ENV KC_DB=postgres
ENV KC_HOSTNAME_URL=http://localhost/keycloak
ENV KC_HOSTNAME_ADMIN_URL=http://localhost/keycloak
ENV KC_HOSTNAME_=http://localhost/keycloak

RUN mkdir themes/orthanc
ADD keycloak/orthanc-theme /opt/keycloak/themes/orthanc

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:22.0.5
FROM quay.io/keycloak/keycloak:25.0.5
COPY --from=builder /opt/keycloak/ /opt/keycloak/

COPY keycloak/realm-export.json /opt/keycloak/data/import/

ENV KC_HOSTNAME_URL=http://localhost/keycloak
ENV KC_HOSTNAME_ADMIN_URL=http://localhost/keycloak
ENV KC_HOSTNAME=http://localhost/keycloak

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start --optimized --import-realm --proxy edge"]
CMD ["start", "--optimized", "--import-realm", "--http-enabled", "true", "--proxy-headers", "xforwarded"]

# to play with UI/themes/css:
#CMD ["start", "--optimized", "--import-realm", "--http-enabled", "true", "--spi-theme-static-max-age=-1", "--spi-theme-cache-themes=false", "--spi-theme-cache-templates=false"]

# to export the orthanc realm:
# CMD ["export", "--file", "/usr/tmp/realm-export.json", "--realm", "orthanc"]

### To export the realm of a working Keycloak to a json file:
# - stop the setup
# - bind a volume to /usr/tmp (copose file)
# - replace the last "CMD" command of current Docker file by the following one:
# CMD ["export --file /usr/tmp/realm-export.json --realm orthanc --users realm_file"]
# CMD ["export --file /usr/tmp/realm-export.json --realm orthanc"]
# - rebuild the keycloak image (adapt path for files to copy in current file: lines 13 and 20)
# - start your setup
# - then keycloak will start, export the realm and exit. From that moment, your realm
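Review bot: `ENV KC_HOSTNAME_=http://localhost/keycloak` in the builder stage carries a stray trailing underscore, so it sets neither `KC_HOSTNAME` nor anything Keycloak reads, and it no longer matches the runtime stage's `ENV KC_HOSTNAME=http://localhost/keycloak`; either correct it to `ENV KC_HOSTNAME=http://localhost/keycloak` or drop it, since hostname appears to be a runtime option that `kc.sh build` does not bake in (worth confirming against the Keycloak 25 documentation). The new `CMD` combines `--http-enabled true` with `--proxy-headers xforwarded`, which makes Keycloak accept `X-Forwarded-*` headers from any client able to reach the container's plain-HTTP port, so the compose files' existing "always disable port mapping in production" guidance is now what keeps that listener private; a comment above the `CMD` stating that the port must only be reachable from nginx would make this explicit. The export example in the trailing comment block keeps the single-string exec form `CMD ["export --file /usr/tmp/realm-export.json --realm orthanc"]` while the new CMD splits its arguments; `CMD ["export", "--file", "/usr/tmp/realm-export.json", "--realm", "orthanc"]`, as already written a few lines above it, would be consistent. That comment block continues past the end of the section, and its reference to "lines 13 and 20" should be rechecked after this edit shifts line numbers.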
