AIRAVATA-2342 Keycloak: adding ca cert
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/ec006aad
Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/ec006aad
Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/ec006aad
Branch: refs/heads/develop
Commit: ec006aad067c9715acbf588a8656b1ff2e079675
Parents: e9f3b24
Author: Marcus Christie <[email protected]>
Authored: Fri Apr 28 16:05:29 2017 -0400
Committer: Marcus Christie <[email protected]>
Committed: Fri Apr 28 16:05:29 2017 -0400
----------------------------------------------------------------------
app/config/pga_config.php.template | 16 +++-------------
app/libraries/Keycloak/Keycloak.php | 9 ++++++++-
app/libraries/Keycloak/KeycloakServiceProvider.php | 1 +
3 files changed, 12 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ec006aad/app/config/pga_config.php.template
----------------------------------------------------------------------
diff --git a/app/config/pga_config.php.template b/app/config/pga_config.php.template
index 782b6d3..e225cf0 100644
--- a/app/config/pga_config.php.template
+++ b/app/config/pga_config.php.template
@@ -59,7 +59,7 @@ return array(
 /**
 * OAuth Grant Type (password or authorization_code)
 */
- 'oauth-grant-type' => 'authorization_code',
+ 'oauth-grant-type' => 'password',
 
 /**
 * OAuth call back url (only if the grant type is authorization_code)
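Review bot: The template's default grant type becomes `password` on the added line, but the comment above it still reads only `OAuth Grant Type (password or authorization_code)` and says nothing about what that choice means for a deployment. With the password grant the gateway collects the end user's Keycloak credentials itself instead of redirecting the browser to the identity provider, so the gateway process must be trusted with those credentials and the Keycloak client has to permit direct access grants; deployers should pick this deliberately rather than inherit it from the template. I would extend the comment to `* OAuth Grant Type (password or authorization_code). 'password' means this gateway receives the user's credentials directly; prefer authorization_code where a browser redirect to the identity server is possible.` The `return array(` that encloses these keys starts outside the hunk.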
@@ -69,17 +69,12 @@ return array(
 /**
 * For OIDC servers that support the discovery protocol.
 */
- 'openid-connect-discovery-url' => 'https://some.identity.provider.org/.well-known/openid-configuration',
-
- /**
- * Identity server domain
- */
- 'server' => 'idp.scigap.org',
+ 'openid-connect-discovery-url' => 'https://iam.scigap.org/auth/realms/_MY_REALM_/.well-known/openid-configuration',
 
 /**
 * Identity server url
 */
- 'service-url' => 'https://idp.scigap.org:9443/',
+ 'service-url' => 'https://iam.scigap.org/auth',
 
 /**
 * Enable HTTPS server verification
@@ -90,11 +85,6 @@ return array(
 * Path to the server certificate file
 */
 'cafile-path' => app_path() . '/resources/security/idp_scigap_org.pem',
-
- /**
- * Allow self signed server certificates
- */
- 'allow-self-signed-cert' => false
 ],
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ec006aad/app/libraries/Keycloak/Keycloak.php
----------------------------------------------------------------------
diff --git a/app/libraries/Keycloak/Keycloak.php b/app/libraries/Keycloak/Keycloak.php
index 71706e5..a33b245 100644
--- a/app/libraries/Keycloak/Keycloak.php
+++ b/app/libraries/Keycloak/Keycloak.php
@@ -18,6 +18,7 @@ class Keycloak {
 private $client_id;
 private $client_secret;
 private $callback_url;
+ private $cafile_path;
 private $verify_peer;
 
 // API clients
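Review bot: The `cafile-path` comment still says `Path to the server certificate file`, but after this commit the value is handed to curl as `CURLOPT_CAINFO`, which expects a PEM file of CA certificates against which the server's chain is validated, not necessarily the server's own leaf certificate. The bundled default is still named `idp_scigap_org.pem` while `service-url` in the previous hunk now points at `iam.scigap.org`, so it is worth confirming that file actually holds the CA for the new host before verification is switched on. I would reword the comment to `* Path to the PEM file holding the CA certificate(s) used to verify the identity server's TLS certificate (passed to curl as CURLOPT_CAINFO)`. The `allow-self-signed-cert` key is dropped here without a matching code change in this diff; if anything still reads it, that is outside what I can see. The enclosing `return array(` starts outside the hunk.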
@@ -29,13 +30,14 @@ class Keycloak {
 * Constructor
 *
 */
- public function __construct($realm, $openid_connect_discovery_url, $client_id, $client_secret, $callback_url, $verify_peer, $base_endpoint_url, $admin_username, $admin_password) {
+ public function __construct($realm, $openid_connect_discovery_url, $client_id, $client_secret, $callback_url, $cafile_path, $verify_peer, $base_endpoint_url, $admin_username, $admin_password) {
 $this->realm = $realm;
 $this->openid_connect_discovery_url = $openid_connect_discovery_url;
 $this->client_id = $client_id;
 $this->client_secret = $client_secret;
 $this->callback_url = $callback_url;
+ $this->cafile_path = $cafile_path;
 $this->verify_peer = $verify_peer;
 
 $this->role_mapper = new RoleMapper($base_endpoint_url, $admin_username, $admin_password, $verify_peer);
@@ -62,6 +64,7 @@ class Keycloak {
 // Decode compressed responses.
 curl_setopt($r, CURLOPT_ENCODING, 1);
 curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+ curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path);
 
 // Add client ID and client secret to the headers.
 curl_setopt($r, CURLOPT_HTTPHEADER, array(
@@ -110,6 +113,7 @@ class Keycloak {
 // Decode compressed responses.
 curl_setopt($r, CURLOPT_ENCODING, 1);
 curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+ curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path);
 
 // Add client ID and client secret to the headers.
 curl_setopt($r, CURLOPT_HTTPHEADER, array(
@@ -145,6 +149,7 @@ class Keycloak {
 // Decode compressed responses.
 curl_setopt($r, CURLOPT_ENCODING, 1);
 curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+ curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path);
 curl_setopt($r, CURLOPT_HTTPHEADER, array(
 "Authorization: Bearer " . $token
 ));
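Review bot: The new `$cafile_path` is stored on the Keycloak object but not forwarded to `RoleMapper`, which the last line of the hunk still constructs with `$verify_peer` alone. RoleMapper taking a `$verify_peer` flag suggests it makes its own TLS requests to the admin endpoint (its code is not in this diff); if so, those requests keep using curl's default CA store and will not trust a server whose CA is only available through `cafile-path`, so the admin calls would fail verification exactly when the user-facing calls start succeeding. Consider passing the path through as well, `$this->role_mapper = new RoleMapper($base_endpoint_url, $admin_username, $admin_password, $verify_peer, $cafile_path);`, and documenting the new parameter in the docblock, which currently only says `Constructor`. The constructor body continues past the end of the hunk.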
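Review bot: `curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path)` is applied unconditionally in the hunk at -62, so an unset or empty `cafile-path` is passed straight to curl and, when `verify_peer` is enabled, the request is likely to fail at verification time with a certificate-location error rather than a clear configuration message; the identical line is repeated in the hunks at -110, -145, -187 and -390. I would check the file once in the constructor, `if ($verify_peer && !is_readable($cafile_path)) { throw new \InvalidArgumentException("cafile-path is not readable: " . $cafile_path); }`, and move the TLS-related curl_setopt calls into one private helper so that a future option such as CURLOPT_SSL_VERIFYHOST cannot end up on four of the five call sites. The functions containing these calls start and end outside their hunks.
```php
    /**
     * Apply the configured TLS settings to a curl handle so that every
     * request to the identity server verifies it the same way.
     */
    private function configureTls($r) {
        curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
        if ($this->cafile_path) {
            curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path);
        }
    }

    // … unchanged: per-request setup; replace each VERIFYPEER/CAINFO pair with $this->configureTls($r) …
```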
@@ -187,6 +192,7 @@ class Keycloak {
 // Decode compressed responses.
 curl_setopt($r, CURLOPT_ENCODING, 1);
 curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+ curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path);
 
 // Add client ID and client secret to the headers.
 curl_setopt($r, CURLOPT_HTTPHEADER, array(
@@ -390,6 +396,7 @@ class Keycloak {
 // Decode compressed responses.
 curl_setopt($r, CURLOPT_ENCODING, 1);
 curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+ curl_setopt($r, CURLOPT_CAINFO, $this->cafile_path);
 
 $result = curl_exec($r);
 if ($result == false) {
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ec006aad/app/libraries/Keycloak/KeycloakServiceProvider.php
----------------------------------------------------------------------
diff --git a/app/libraries/Keycloak/KeycloakServiceProvider.php b/app/libraries/Keycloak/KeycloakServiceProvider.php
index 1992972..530d446 100644
--- a/app/libraries/Keycloak/KeycloakServiceProvider.php
+++ b/app/libraries/Keycloak/KeycloakServiceProvider.php
@@ -40,6 +40,7 @@ class KeycloakServiceProvider extends ServiceProvider {
 $identityServerConfig['oauth-client-key'],
 $identityServerConfig['oauth-client-secret'],
 $identityServerConfig['oauth-callback-url'],
+ $identityServerConfig['cafile-path'],
 $identityServerConfig['verify-peer'],
 $identityServerConfig['service-url'],
 $identityServerConfig['admin-username'],
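Review bot: The Keycloak constructor now takes ten positional, untyped arguments, and the added `$identityServerConfig['cafile-path']` has to land exactly between `oauth-callback-url` and `verify-peer` to match the constructor's parameter order; it does here, but swapping two string arguments in a future edit would not be caught by anything. A safer shape is to hand the config array (or a small config object) to the constructor and let it read the keys by name. Reading `$identityServerConfig['cafile-path']` without `isset()` also means a config file that predates this key raises a notice and passes null into curl rather than a clear error; `$identityServerConfig['cafile-path'] ?? null` plus a check in the constructor would make the failure explicit. The `new Keycloak(` call that these arguments belong to starts outside the hunk.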
