initial commit based on the branch of my openFGA eventlistener fork

.gitignore

@@ -1,3 +1,38 @@
+# OS stuff
+###################
+.DS_Store
+
+# Intellij
+###################
+.idea
+*.iml
+
+# Eclipse #
+###########
+.project
+.settings
+.classpath
+# reverting this as e.g. /distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/
+# should not be ignored
+#bin/
+.factorypath
+
+
+# NetBeans #
+############
+nbactions.xml
+nb-configuration.xml
+catalog.xml
+nbproject
+
+# VS Code #
+###########
+*.code-workspace
+
+# Maven #
+#########
+target
+
 # Compiled class file
 *.class
 
@@ -21,3 +56,4 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
+

Dockerfile

@@ -0,0 +1,14 @@
+FROM quay.io/keycloak/keycloak:20.0.3 as builder
+
+ENV KC_DB=postgres
+ENV KC_HTTP_RELATIVE_PATH=/auth
+
+COPY ./target/keycloak-spicedb-event-listener-2.0.0-jar-with-dependencies.jar /opt/keycloak/providers/keycloak-spicedb-event-listener-2.0.0.jar
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM quay.io/keycloak/keycloak:20.0.3
+
+COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
+COPY --from=builder /opt/keycloak/providers/ /opt/keycloak/providers/
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "--debug","start-dev"]

README.md

@@ -1,2 +1,19 @@
-# kc-spicedb-events
-An event listener for Keycloak, creating spiceDB relationship data for keycloak users and groups by listening on the events in keycloak and using the spiceDB java client. 
+# keycloak-spicedb-eventlistener
+An event listener for Keycloak, creating spiceDB relationship data for keycloak users and groups by listening on the events in keycloak and using the spiceDB java client.
+
+Inspired by [this](https://github.com/embesozzi/keycloak-openfga-event-listener) implementation for openFGA
+
+**warning** 
+This is a highly experimental WIP PoC for now, so use at your own risk and definitely nowhere near production. It may likely be that it gets abandoned shortly. :warning:
+
+
+# try it out:
+
+1) mvn clean install
+2) docker build . -t dguhr/keycloak_spicedbtest
+3) docker compose up
+
+4) create users and groups in keycloak
+5) go to realm settings -> events and activate 'spicedb-events'
+6) add users to groups. 
+7) use e.g. zed (the spicedb command line tool) to connect to the spiceDB instance and see that relations are written containing the username (form: userid_username)

docker-compose.yml

@@ -0,0 +1,186 @@
+version: '3'
+
+volumes:
+  postgres_data:
+    driver: local
+  caddy_data:
+    driver: local
+
+services:
+  postgres:
+    image: postgres:11
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: password
+    ports:
+      - 5433:5432
+  keycloak:
+    build: .
+    image: dguhr/keycloak_spicedbtest
+    environment:
+      KEYCLOAK_USER: admin
+      KEYCLOAK_PASSWORD: password
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: password
+      KC_DB_URL_HOST: postgres
+      KC_DB_URL_DATABASE: keycloak
+      KC_DB_SCHEMA: public
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: password
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HTTP_ENABLED: 'true'
+      KC_HOSTNAME_ADMIN: localhost
+      KC_HOSTNAME: localhost
+      # Keycloak SpiceDB Event Listener SPI configuration
+      KC_SPI_EVENTS_LISTENER_SPICEDB_EVENTS_SERVICE_HANDLER_NAME: FILE
+      # TODO evaluate if needed
+      KC_SPI_EVENTS_LISTENER_SPICEDB_EVENTS_CLIENT_ID: keycloak-producer
+      KC_SPI_EVENTS_LISTENER_SPICEDB_EVENTS_ADMIN_TOPIC: spicedb-topic
+      KC_SPI_EVENTS_LISTENER_SPICEDB_EVENTS_BOOTSTRAP_SERVERS: PLAINTEXT://kafka:19092
+      KC_LOG_LEVEL: INFO, io.dguhr:debug
+      DEBUG_PORT: "*:8787"
+    ports:
+      - 8080:8080
+      - 8443:8443
+      - 8787:8787 # debug
+    depends_on:
+      - postgres
+      - spicedb
+    networks:
+      default:
+        aliases:
+          -  keycloak
+# zookeeper:
+#   image: confluentinc/cp-zookeeper:7.2.2
+#   hostname: zookeeper
+#   container_name: zookeeper
+#   ports:
+#     - "2181:2181"
+#   environment:
+#     ZOOKEEPER_CLIENT_PORT: 2181
+#     ZOOKEEPER_SERVER_ID: 1
+# kafka:
+#   image: confluentinc/cp-kafka:7.2.2
+#   hostname: kafka
+#   container_name: kafka
+#   ports:
+#     - "9092:9092"
+#     - "19092:19092"
+#     - "29092:29092"
+#   environment:
+#     KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka:19092
+#     KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:PLAINTEXT
+#     KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
+#     KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'true'
+#     KAFKA_DELETE_TOPIC_ENABLE: 'true'
+#     KAFKA_CREATE_TOPICS: openfga-topic:1.1
+#     KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+#     KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+#     KAFKA_ADVERTISED_HOST_NAME: kafka
+#   depends_on:
+#     - zookeeper
+
+# removed for later use.
+
+# spicedb on cockrach start: cluster does not find members. commenting out, lets use postgres to try out.
+# spicedb:
+#   image: "authzed/spicedb"
+#   command: "serve"
+#   restart: "always"
+#   ports:
+#     - "8080:8080"
+#     - "9090:9090"
+#     - "50051:50051"
+#   environment:
+#     SPICEDB_GRPC_PRESHARED_KEY: foobar
+#     SPICEDB_DATASTORE_ENGINE: cockroachdb
+#     SPICEDB_DATASTORE_CONN_URI: "postgresql://root:secret@crdb:26257/spicedb?sslmode=disable"
+#     SPICEDB_LOG_LEVEL: info
+#     SPICEDB_LOG_FORMAT: console
+#   depends_on:
+#     - "migrate"
+
+# migrate:
+#   image: "authzed/spicedb"
+#   command: "migrate head"
+#   restart: "on-failure:3"
+#   environment:
+#     - "SPICEDB_DATASTORE_ENGINE=cockroachdb"
+#     - "SPICEDB_DATASTORE_CONN_URI=postgresql://root:secret@crdb:26257/spicedb?sslmode=disable"
+#     - "SPICEDB_LOG_LEVEL=info"
+#     - "SPICEDB_LOG_FORMAT=console"
+#   depends_on:
+#     - "init_database"
+
+# init_database:
+#   image: "cockroachdb/cockroach"
+#   restart: "on-failure:3"
+#   command: "sql --insecure -e 'CREATE DATABASE IF NOT EXISTS spicedb;'"
+#   environment:
+#     - "COCKROACH_HOST=crdb:26257"
+#   depends_on:
+#     - "init_cluster"
+
+# init_cluster:
+#   image: "cockroachdb/cockroach"
+#   restart: "on-failure:3"
+#   command: "init --insecure"
+#   environment:
+#     # initialize cluster through node 1
+#     - "COCKROACH_HOST=datastores-crdb-1:26257"
+#   depends_on:
+#     - "crdb"
+
+# crdb:
+#   image: "cockroachdb/cockroach"
+#   # in order to make the cluster form, the host name is <project>-<service>-<number>
+#   # The setup will support --scale arg with any value
+#   command: "start --join=datastores-crdb-1,datastores-crdb-2,datastores-crdb-3 --insecure"
+#   ports:
+#     - "8080"
+#     - "26257"
+#   environment:
+#     - "POSTGRES_PASSWORD=secret"
+#   healthcheck:
+#     test: "curl --fail http://localhost:8080/health?ready=1 || exit 1"
+#     interval: "2s"
+#     retries: 3
+#     start_period: "15s"
+#     timeout: "5s"
+
+#spicedb on postgres
+  spicedb:
+    image: "authzed/spicedb"
+    command: "serve"
+    restart: "always"
+    ports:
+      - "8081:8080"
+      - "9090:9090"
+      - "50051:50051"
+    environment:
+      - "SPICEDB_GRPC_PRESHARED_KEY=12345"
+      - "SPICEDB_DATASTORE_ENGINE=postgres"
+      - "SPICEDB_DATASTORE_CONN_URI=postgres://postgres:secret@sdb-database:5432/spicedb?sslmode=disable"
+    depends_on:
+      - "migrate"
+
+  migrate:
+    image: "authzed/spicedb"
+    command: "migrate head"
+    restart: "on-failure"
+    environment:
+      - "SPICEDB_DATASTORE_ENGINE=postgres"
+      - "SPICEDB_DATASTORE_CONN_URI=postgres://postgres:secret@sdb-database:5432/spicedb?sslmode=disable"
+    depends_on:
+      - "sdb-database"
+
+  sdb-database:
+    image: "postgres"
+    ports:
+      - "5432:5432"
+    environment:
+      - "POSTGRES_PASSWORD=secret"
+      - "POSTGRES_DB=spicedb"

pom.xml

@@ -0,0 +1,110 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>io.dguhr.keycloak</groupId>
+	<artifactId>keycloak-spicedb-event-listener</artifactId>
+	<version>2.0.0</version>
+
+	<properties>
+		<maven.compiler.source>11</maven.compiler.source>
+		<maven.compiler.target>11</maven.compiler.target>
+		<keycloak.version>20.0.3</keycloak.version>
+		<kafka.version>3.3.1</kafka.version>
+		<junit.version>5.8.1</junit.version>
+	</properties>
+
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.keycloak</groupId>
+				<artifactId>keycloak-parent</artifactId>
+				<version>${keycloak.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
+
+	<dependencies>
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-core</artifactId>
+			<version>${keycloak.version}</version>
+			<scope>provided</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-server-spi</artifactId>
+			<version>${keycloak.version}</version>
+			<scope>provided</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-server-spi-private</artifactId>
+			<version>${keycloak.version}</version>
+			<scope>provided</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.jboss.logging</groupId>
+			<artifactId>jboss-logging</artifactId>
+			<scope>provided</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.apache.kafka</groupId>
+			<artifactId>kafka-clients</artifactId>
+			<version>${kafka.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-api</artifactId>
+			<version>${junit.version}</version>
+			<scope>test</scope>
+		</dependency>
+
+		<!-- spicedb java client -->
+		<dependency>
+			<groupId>com.authzed.api</groupId>
+			<artifactId>authzed</artifactId>
+			<version>0.4.0</version>
+		</dependency>
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-protobuf</artifactId>
+			<version>1.52.1</version>
+		</dependency>
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-stub</artifactId>
+			<version>1.52.1</version>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-assembly-plugin</artifactId>
+				<configuration>
+					<descriptorRefs>
+						<descriptorRef>jar-with-dependencies</descriptorRef>
+					</descriptorRefs>
+				</configuration>
+				<executions>
+					<execution>
+						<id>make-assembly</id>
+						<phase>package</phase>
+						<goals>
+							<goal>single</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>