From 3fc8049d49187d10b7ef41756c862c98ae6fb082 Mon Sep 17 00:00:00 2001
From: Jordan Olshevski
Date: Sun, 31 Dec 2023 20:46:32 -0600
Subject: [PATCH] Use client creds

---
README.md | 3 ++-
conf/conf.go | 2 --
keycloak/keycloak.go | 19 ++++++++++++++-----
3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index ec191d2..4192e7d 100644
--- a/README.md
+++ b/README.md
@@ -21,12 +21,13 @@ Provide configuration in environment variables:
 - `ACCESS_CONTROL_HOST`: hostname:port of the access controller's web interface
 - `POSTGRES_HOST`, `POSTGRES_USER`, `POSTGRES_PASSWORD`: Postgres configuration for fob swipe reporting
-- `KEYCLOAK_URL`, `KEYCLOAK_USER`, `KEYCLOAK_PASSWORD`, `KEYCLOAK_REALM`: Keycloak connection info
+- `KEYCLOAK_URL`, `KEYCLOAK_REALM`: Keycloak connection info
 - `AUTHORIZED_GROUP_ID`: the UUID of the Keycloak group that should be granted building access
 - `WEBHOOK_ADDR`: Address to serve the Keycloak webhook server on
 - `CALLBACK_URL`: The URL that Keycloak should use when sending webhooks
 All configuration is optional. Omitting a value will disable the corresponding functionality.
+Assumes Keycloak client credentials are provided using [keycloak-k8s-shim](https://github.com/jveski/keycloak-k8s-shim).
 ### Keycloak Webhooks
diff --git a/conf/conf.go b/conf/conf.go
index b243b8c..ce99d9d 100644
--- a/conf/conf.go
+++ b/conf/conf.go
@@ -13,8 +13,6 @@ type Env struct {
 	PostgresPassword string `split_words:"true"`
 	KeycloakURL string `split_words:"true"`
-	KeycloakUser string `split_words:"true"`
-	KeycloakPassword string `split_words:"true"`
 	KeycloakRealm string `default:"master" split_words:"true"`
 	AuthorizedGroupID string `split_words:"true"`
diff --git a/keycloak/keycloak.go b/keycloak/keycloak.go
index dd2c87d..601e4a8 100644
--- a/keycloak/keycloak.go
+++ b/keycloak/keycloak.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"os"
 	"strconv"
 	"sync"
 	"time"
@@ -14,9 +15,8 @@ import (
 )
 type Keycloak struct {
-	client *gocloak.GoCloak
-	user, pass, realm string
-	baseURL, groupID string
+	client *gocloak.GoCloak
+	realm, baseURL, groupID string
 	// use ensureToken to access these
 	tokenLock sync.Mutex
@@ -25,7 +25,7 @@ type Keycloak struct {
 }
 func New(c *conf.Env) *Keycloak {
-	return &Keycloak{client: gocloak.NewClient(c.KeycloakURL), user: c.KeycloakUser, pass: c.KeycloakPassword, realm: c.KeycloakRealm, baseURL: c.KeycloakURL, groupID: c.AuthorizedGroupID}
+	return &Keycloak{client: gocloak.NewClient(c.KeycloakURL), realm: c.KeycloakRealm, baseURL: c.KeycloakURL, groupID: c.AuthorizedGroupID}
 }
 func (k *Keycloak) ListUsers(ctx context.Context) ([]*AccessUser, error) {
@@ -117,7 +117,16 @@ func (k *Keycloak) ensureToken(ctx context.Context) (*gocloak.JWT, error) {
 		return k.token, nil
 	}
-	token, err := k.client.LoginAdmin(ctx, k.user, k.pass, k.realm)
+	clientID, err := os.ReadFile("/var/lib/keycloak/client-id")
+	if err != nil {
+		return nil, fmt.Errorf("reading client id: %w", err)
+	}
+	clientSecret, err := os.ReadFile("/var/lib/keycloak/client-secret")
+	if err != nil {
+		return nil, fmt.Errorf("reading client secret: %w", err)
+	}
+
+	token, err := k.client.LoginClient(ctx, string(clientID), string(clientSecret), k.realm)
 	if err != nil {
 		return nil, err
 	}
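Review bot: The raw file contents are handed to LoginClient as `string(clientID)` and `string(clientSecret)`, so a trailing newline in either mounted file (common when a secret is written with echo or a templated manifest) would be sent as part of the credential and the grant would fail with an opaque invalid-client error. Unless keycloak-k8s-shim is known to write the files without a terminator, trim before use: `token, err := k.client.LoginClient(ctx, strings.TrimSpace(string(clientID)), strings.TrimSpace(string(clientSecret)), k.realm)` with `"strings"` added to the import block changed in the earlier hunk. The two mount paths are also a hard contract with the shim that neither the README nor the code states; a comment above the first ReadFile such as `// Client credentials are mounted at /var/lib/keycloak by keycloak-k8s-shim and re-read on every token acquisition, so a rotated secret is presumably picked up without a restart.` would make that explicit. ensureToken starts and ends outside this hunk, so the locking around the cached token is not visible here.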