Use client creds

TheLab-ms · Jan 1, 2024 · 3fc8049 · 3fc8049
1 parent 62ee061
commit 3fc8049
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -21,12 +21,13 @@ Provide configuration in environment variables:
 
 - `ACCESS_CONTROL_HOST`: hostname:port of the access controller's web interface
 - `POSTGRES_HOST`, `POSTGRES_USER`, `POSTGRES_PASSWORD`: Postgres configuration for fob swipe reporting
-- `KEYCLOAK_URL`, `KEYCLOAK_USER`, `KEYCLOAK_PASSWORD`, `KEYCLOAK_REALM`: Keycloak connection info
+- `KEYCLOAK_URL`, `KEYCLOAK_REALM`: Keycloak connection info
 - `AUTHORIZED_GROUP_ID`: the UUID of the Keycloak group that should be granted building access
 - `WEBHOOK_ADDR`: Address to serve the Keycloak webhook server on
 - `CALLBACK_URL`: The URL that Keycloak should use when sending webhooks
 
 All configuration is optional. Omitting a value will disable the corresponding functionality.
+Assumes Keycloak client credentials are provided using [keycloak-k8s-shim](https://github.com/jveski/keycloak-k8s-shim).
 
 
 ### Keycloak Webhooks

diff --git a/conf/conf.go b/conf/conf.go
@@ -13,8 +13,6 @@ type Env struct {
 	PostgresPassword string `split_words:"true"`
 
 	KeycloakURL       string `split_words:"true"`
-	KeycloakUser      string `split_words:"true"`
-	KeycloakPassword  string `split_words:"true"`
 	KeycloakRealm     string `default:"master" split_words:"true"`
 	AuthorizedGroupID string `split_words:"true"`
 

diff --git a/keycloak/keycloak.go b/keycloak/keycloak.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"os"
 	"strconv"
 	"sync"
 	"time"
@@ -14,9 +15,8 @@ import (
 )
 
 type Keycloak struct {
-	client            *gocloak.GoCloak
-	user, pass, realm string
-	baseURL, groupID  string
+	client                  *gocloak.GoCloak
+	realm, baseURL, groupID string
 
 	// use ensureToken to access these
 	tokenLock      sync.Mutex
@@ -25,7 +25,7 @@ type Keycloak struct {
 }
 
 func New(c *conf.Env) *Keycloak {
-	return &Keycloak{client: gocloak.NewClient(c.KeycloakURL), user: c.KeycloakUser, pass: c.KeycloakPassword, realm: c.KeycloakRealm, baseURL: c.KeycloakURL, groupID: c.AuthorizedGroupID}
+	return &Keycloak{client: gocloak.NewClient(c.KeycloakURL), realm: c.KeycloakRealm, baseURL: c.KeycloakURL, groupID: c.AuthorizedGroupID}
 }
 
 func (k *Keycloak) ListUsers(ctx context.Context) ([]*AccessUser, error) {
@@ -117,7 +117,16 @@ func (k *Keycloak) ensureToken(ctx context.Context) (*gocloak.JWT, error) {
 		return k.token, nil
 	}
 
-	token, err := k.client.LoginAdmin(ctx, k.user, k.pass, k.realm)
+	clientID, err := os.ReadFile("/var/lib/keycloak/client-id")
+	if err != nil {
+		return nil, fmt.Errorf("reading client id: %w", err)
+	}
+	clientSecret, err := os.ReadFile("/var/lib/keycloak/client-secret")
+	if err != nil {
+		return nil, fmt.Errorf("reading client secret: %w", err)
+	}
+
+	token, err := k.client.LoginClient(ctx, string(clientID), string(clientSecret), k.realm)
 	if err != nil {
 		return nil, err
 	}