Initial commit

scripts/setup-authentik.sh

@@ -0,0 +1,249 @@
+#!/bin/bash
+# Setup Authentik SSO for AI Tax Agent using Blueprint Import
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+DOMAIN=${DOMAIN:-local}
+AUTHENTIK_URL="https://auth.${DOMAIN}"
+AUTHENTIK_API_URL="$AUTHENTIK_URL/api/v3"
+ADMIN_EMAIL="admin@local"
+ADMIN_PASSWORD="${AUTHENTIK_ADMIN_PASSWORD:-admin123}"
+BOOTSTRAP_FILE="infra/compose/authentik/bootstrap.yaml"
+
+echo -e "${BLUE}🔧 Setting up Authentik SSO for AI Tax Agent using Blueprint Import...${NC}"
+echo
+
+# Function to wait for Authentik to be ready
+wait_for_authentik() {
+    echo -e "${YELLOW}⏳ Waiting for Authentik to be ready...${NC}"
+    local max_attempts=60
+    local attempt=1
+    local host
+    host=$(echo "$AUTHENTIK_URL" | sed -E 's#^https?://([^/]+).*$#\1#')
+    local resolve=(--resolve "${host}:443:127.0.0.1")
+
+    while [ $attempt -le $max_attempts ]; do
+        code_setup=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/initial-setup/" || true)
+        code_login=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/default-authentication-flow/" || true)
+        code_root=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/" || true)
+        if [[ "$code_setup" == "404" ]]; then
+            if [[ "$code_login" =~ ^(200|302|401)$ || "$code_root" =~ ^(200|302|401)$ ]]; then
+                echo -e "${GREEN}✅ Authentik is ready!${NC}"; return 0
+            fi
+        fi
+        if [[ "$code_setup" =~ ^(200|302|401)$ || "$code_login" =~ ^(200|302|401)$ || "$code_root" =~ ^(200|302|401)$ ]]; then
+            echo -e "${GREEN}✅ Authentik is ready!${NC}"; return 0
+        fi
+        echo -n "."
+        sleep 5
+        ((attempt++))
+    done
+
+    echo -e "${RED}❌ Authentik failed to start within expected time${NC}"
+    return 1
+}
+
+# Function to generate secrets
+generate_secrets() {
+    echo -e "${YELLOW}🔑 Generating secure secrets...${NC}"
+
+    # Generate client secrets if not already set
+    if [ -z "${AUTHENTIK_API_CLIENT_SECRET:-}" ]; then
+        export AUTHENTIK_API_CLIENT_SECRET=$(openssl rand -base64 32 | tr -d '=+/')
+        echo "Generated API client secret"
+    fi
+
+    if [ -z "${AUTHENTIK_GRAFANA_CLIENT_SECRET:-}" ]; then
+        export AUTHENTIK_GRAFANA_CLIENT_SECRET=$(openssl rand -base64 32 | tr -d '=+/')
+        echo "Generated Grafana client secret"
+    fi
+
+    if [ -z "${AUTHENTIK_SECRET_KEY:-}" ]; then
+        export AUTHENTIK_SECRET_KEY=$(openssl rand -base64 50 | tr -d '=+/')
+        echo "Generated Authentik secret key"
+    fi
+
+    echo -e "${GREEN}✅ Secrets generated${NC}"
+}
+
+# Function to get API token
+get_api_token() {
+    echo -e "${YELLOW}🔑 Getting API token...${NC}"
+
+    # Use bootstrap token if available
+    if [ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ]; then
+        echo "$AUTHENTIK_BOOTSTRAP_TOKEN"
+        return 0
+    fi
+
+    # Try to get token via API (requires manual setup first)
+    local token_response
+    token_response=$(curl -s -X POST "$AUTHENTIK_API_URL/core/tokens/" \
+        -H "Content-Type: application/json" \
+        -u "$ADMIN_EMAIL:$ADMIN_PASSWORD" \
+        -d '{
+            "identifier": "ai-tax-agent-setup",
+            "description": "Setup token for AI Tax Agent",
+            "expires": "2025-12-31T23:59:59Z"
+        }' 2>/dev/null || echo "")
+
+    if [ -n "$token_response" ]; then
+        echo "$token_response" | python3 -c "import sys, json; print(json.load(sys.stdin)['key'])" 2>/dev/null || echo ""
+    else
+        echo ""
+    fi
+}
+
+# Function to import blueprint
+import_blueprint() {
+    local token="$1"
+
+    echo -e "${YELLOW}📋 Importing Authentik blueprint...${NC}"
+
+    if [ ! -f "$BOOTSTRAP_FILE" ]; then
+        echo -e "${RED}❌ Bootstrap file not found: $BOOTSTRAP_FILE${NC}"
+        return 1
+    fi
+
+    # Create blueprint instance
+    local blueprint_response
+    blueprint_response=$(curl -s -X POST "$AUTHENTIK_API_URL/managed/blueprints/" \
+        -H "Content-Type: application/json" \
+        -H "Authorization: Bearer $token" \
+        -d '{
+            "name": "AI Tax Agent Bootstrap",
+            "path": "/blueprints/bootstrap.yaml",
+            "context": {},
+            "enabled": true
+        }' 2>/dev/null || echo "")
+
+    local blueprint_pk
+    blueprint_pk=$(echo "$blueprint_response" | python3 -c "import sys, json; print(json.load(sys.stdin).get('pk', ''))" 2>/dev/null || echo "")
+
+    if [ -n "$blueprint_pk" ]; then
+        echo -e "${GREEN}✅ Blueprint created with ID: $blueprint_pk${NC}"
+
+        # Apply the blueprint
+        echo -e "${YELLOW}🔄 Applying blueprint...${NC}"
+        local apply_response
+        apply_response=$(curl -s -X POST "$AUTHENTIK_API_URL/managed/blueprints/$blueprint_pk/apply/" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer $token" \
+            -d '{}' 2>/dev/null || echo "")
+
+        if echo "$apply_response" | grep -q "success\|applied" 2>/dev/null; then
+            echo -e "${GREEN}✅ Blueprint applied successfully${NC}"
+        else
+            echo -e "${YELLOW}⚠️  Blueprint application may have had issues. Check Authentik logs.${NC}"
+        fi
+    else
+        echo -e "${RED}❌ Failed to create blueprint${NC}"
+        return 1
+    fi
+}
+
+# Function to check blueprint status
+check_blueprint_status() {
+    local token="$1"
+
+    echo -e "${YELLOW}🔍 Checking blueprint status...${NC}"
+
+    local blueprints_response
+    blueprints_response=$(curl -s -X GET "$AUTHENTIK_API_URL/managed/blueprints/" \
+        -H "Authorization: Bearer $token" 2>/dev/null || echo "")
+
+    if [ -n "$blueprints_response" ]; then
+        echo "$blueprints_response" | python3 -c "
+import sys, json
+try:
+    data = json.load(sys.stdin)
+    for bp in data.get('results', []):
+        print(f\"Blueprint: {bp['name']} - Status: {'Enabled' if bp['enabled'] else 'Disabled'}\")
+except:
+    print('Could not parse blueprint status')
+" 2>/dev/null || echo "Could not check blueprint status"
+    fi
+}
+
+
+
+# Main setup function
+main() {
+    # Generate secrets first
+    generate_secrets
+
+    # Check if Authentik is running
+    if ! wait_for_authentik; then
+        echo -e "${RED}❌ Authentik is not accessible. Please ensure it's running.${NC}"
+        exit 1
+    fi
+
+    # Check if initial setup is needed
+    local host
+    host=$(echo "$AUTHENTIK_URL" | sed -E 's#^https?://([^/]+).*$#\1#')
+    local resolve=(--resolve "${host}:443:127.0.0.1")
+    local setup_code
+    setup_code=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/initial-setup/" || true)
+
+    if [[ "$setup_code" == "200" ]]; then
+        echo -e "${YELLOW}📋 Initial Authentik setup required:${NC}"
+        echo -e "  1. Open ${BLUE}https://auth.local/if/flow/initial-setup/${NC}"
+        echo -e "  2. Complete the setup wizard with admin user"
+        echo -e "  3. Re-run this script after setup is complete"
+        echo
+        echo -e "${BLUE}💡 Tip: Use these credentials:${NC}"
+        echo -e "  • Email: ${BLUE}$ADMIN_EMAIL${NC}"
+        echo -e "  • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
+        return 0
+    fi
+
+    # Try to get API token
+    local api_token
+    api_token=$(get_api_token)
+
+    if [ -n "$api_token" ]; then
+        echo -e "${GREEN}🔑 API token obtained, proceeding with blueprint import...${NC}"
+
+        # Import the blueprint configuration
+        if import_blueprint "$api_token"; then
+            echo -e "${GREEN}🎉 Authentik configuration imported successfully!${NC}"
+
+            # Check status
+            check_blueprint_status "$api_token"
+
+            # Display client secrets for configuration
+            echo
+            echo -e "${BLUE}🔑 Client Secrets (save these for service configuration):${NC}"
+            echo -e "  • API Client Secret: ${YELLOW}${AUTHENTIK_API_CLIENT_SECRET}${NC}"
+            echo -e "  • Grafana Client Secret: ${YELLOW}${AUTHENTIK_GRAFANA_CLIENT_SECRET}${NC}"
+
+        else
+            echo -e "${RED}❌ Blueprint import failed${NC}"
+            exit 1
+        fi
+    else
+        echo -e "${YELLOW}📋 Could not obtain API token. Manual configuration required:${NC}"
+        echo -e "  1. Open ${BLUE}https://auth.local${NC} and log in as admin"
+        echo -e "  2. Go to Admin Interface > Tokens"
+        echo -e "  3. Create a new token and set AUTHENTIK_BOOTSTRAP_TOKEN in .env"
+        echo -e "  4. Re-run this script"
+    fi
+
+    echo
+    echo -e "${BLUE}🔗 Access URLs:${NC}"
+    echo -e "  • Authentik Admin: ${BLUE}https://auth.local${NC}"
+    echo -e "  • API Gateway: ${BLUE}https://api.local${NC}"
+    echo -e "  • Grafana: ${BLUE}https://grafana.local${NC}"
+    echo -e "  • Review Portal: ${BLUE}https://review.local${NC}"
+}
+
+# Run main function
+main "$@"