From c56fbb55e0ddd09e243bd2e4114ab86020de6e41 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Thu, 1 Sep 2022 16:50:08 +0200
Subject: [PATCH] tf/keycloak: Add openid client for buildbot

The buildbot POC wants to use Keycloak for user authentication. The
client is public, because it doesn't make sense to have a client secret,
which can't be kept under wraps anyway (it would need to be shipped with
the CLI[1]).

[1] https://gitlab.archlinux.org/foxboron/buildctl
---
 tf-stage2/keycloak.tf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index fa57f6cc5..65f0e8860 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -891,3 +891,29 @@ resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_ma
 
   claim_name = "groups"
 }
+
+resource "keycloak_openid_client" "buildbot_openid_client" {
+  realm_id  = "archlinux"
+  client_id = "openid_buildbot"
+
+  name    = "Buildbot"
+  enabled = true
+
+  access_type           = "PUBLIC"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+    "https://buildbot.pkgbuild.com/*",
+    "http://127.0.0.1:5000/*",
+  ]
+}
+
+resource "keycloak_openid_user_realm_role_protocol_mapper" "buildbot_user_realm_role_mapper" {
+  realm_id  = "archlinux"
+  client_id = keycloak_openid_client.buildbot_openid_client.id
+  name      = "user realms"
+
+  claim_name          = "roles"
+  multivalued         = true
+  add_to_id_token     = false
+  add_to_access_token = false
+}
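Review bot: The public client added at line 25 enables the authorization-code flow (`standard_flow_enabled = true`) without requiring PKCE, and since a public client has no secret (as the commit message notes), PKCE is the only thing binding the authorization code to the CLI that requested it; add `pkce_code_challenge_method = "S256"` to the client resource. The redirect URI `https://buildbot.pkgbuild.com/*` is a host-wide wildcard, so any redirect-capable path on that host becomes an acceptable callback; narrowing it to the actual callback path would reduce that exposure, while the loopback wildcard for the CLI is a common pattern. In the mapper at line 40, both `add_to_id_token` and `add_to_access_token` are false, which presumably leaves the `roles` claim available only through the userinfo endpoint (the provider's `add_to_userinfo` default is true, if I recall correctly); a one-line comment such as `# roles are intentionally exposed only via userinfo, not embedded in tokens` would make that intent explicit for the next reader.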
-- 
GitLab