commit 2714a2252133c88e779b685c0e8a6e1630df9f16 · pyrox.dev/nixpkgs

+25 -2

nixos/modules/services/web-apps/keycloak.nix

···

       482
       482
        
                   assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);

     

       483
       483
        
                   message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL";

     

       484
       484
        
                 }

     

       485
       485
       +
                 {

     

       486
       486
       +
                   assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;

     

       487
       487
       +
                   message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";

     

       488
       488
       +
                 }

     

       485
       489
        
               ];

     

       486
       490
        
       

     

       487
       491
        
               environment.systemPackages = [ keycloakBuild ];

     
···

       544
       548
        
                   create_role="$(mktemp)"

     

       545
       549
        
                   trap 'rm -f "$create_role"' EXIT

     

       546
       550
        
       

     

       551
       551
       +
                   # Read the password from the credentials directory and

     

       552
       552
       +
                   # escape any single quotes by adding additional single

     

       553
       553
       +
                   # quotes after them, following the rules laid out here:

     

       554
       554
       +
                   # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS

     

       547
       555
        
                   db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"

     

       556
       556
       +
                   db_password="''${db_password//\'/\'\'}"

     

       557
       557
       +
       

     

       548
       558
        
                   echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" > "$create_role"

     

       549
       559
        
                   psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role"

     

       550
       560
        
                   psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'

     
···

       566
       576
        
                 script = ''

     

       567
       577
        
                   set -o errexit -o pipefail -o nounset -o errtrace

     

       568
       578
        
                   shopt -s inherit_errexit

     

       579
       579
       +
       

     

       580
       580
       +
                   # Read the password from the credentials directory and

     

       581
       581
       +
                   # escape any single quotes by adding additional single

     

       582
       582
       +
                   # quotes after them, following the rules laid out here:

     

       583
       583
       +
                   # https://dev.mysql.com/doc/refman/8.0/en/string-literals.html

     

       569
       584
        
                   db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"

     

       570
       570
       -
                   ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';"

     

       585
       585
       +
                   db_password="''${db_password//\'/\'\'}"

     

       586
       586
       +
       

     

       587
       587
       +
                   ( echo "SET sql_mode = 'NO_BACKSLASH_ESCAPES';"

     

       588
       588
       +
                     echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';"

     

       571
       589
        
                     echo "CREATE DATABASE IF NOT EXISTS keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;"

     

       572
       590
        
                     echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';"

     

       573
       591
        
                   ) | mysql -N

     
···

       632
       650
        
       

     

       633
       651
        
                     ${secretReplacements}

     

       634
       652
        
       

     

       653
       653
       +
                     # Escape any backslashes in the db parameters, since

     

       654
       654
       +
                     # they're otherwise unexpectedly read as escape

     

       655
       655
       +
                     # sequences.

     

       656
       656
       +
                     sed -i '/db-/ s|\\|\\\\|g' /run/keycloak/conf/keycloak.conf

     

       657
       657
       +
       

     

       635
       658
        
                   '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''

     

       636
       659
        
                     mkdir -p /run/keycloak/ssl

     

       637
       660
        
                     cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/

     

       638
       661
        
                   '' + ''

     

       639
       662
        
                     export KEYCLOAK_ADMIN=admin

     

       640
       640
       -
                     export KEYCLOAK_ADMIN_PASSWORD=${cfg.initialAdminPassword}

     

       663
       663
       +
                     export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}

     

       641
       664
        
                     kc.sh start --optimized

     

       642
       665
        
                   '';

     

       643
       666
        
                 };

+10 -7

nixos/tests/keycloak.nix

···

       5
       5
        
       let

     

       6
       6
        
         certs = import ./common/acme/server/snakeoil-certs.nix;

     

       7
       7
        
         frontendUrl = "https://${certs.domain}";

     

       8
       8
       -
         initialAdminPassword = "h4IhoJFnt2iQIR9";

     

       9
       8
        
       

     

       10
       9
        
         keycloakTest = import ./make-test-python.nix (

     

       11
       10
        
           { pkgs, databaseType, ... }:

     

       11
       11
       +
           let

     

       12
       12
       +
             initialAdminPassword = "h4Iho\"JFn't2>iQIR9";

     

       13
       13
       +
             adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}";

     

       14
       14
       +
           in

     

       12
       15
        
           {

     

       13
       16
        
             name = "keycloak";

     

       14
       17
        
             meta = with pkgs.lib.maintainers; {

     
···

       37
       40
        
                     type = databaseType;

     

       38
       41
        
                     username = "bogus";

     

       39
       42
        
                     name = "also bogus";

     

       40
       40
       -
                     passwordFile = "${pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"}";

     

       43
       43
       +
                     passwordFile = "${pkgs.writeText "dbPassword" ''wzf6\"vO"Cb\nP>p#6;c&o?eu=q'THE'''H''''E''}";

     

       41
       44
        
                   };

     

       42
       45
        
                   plugins = with config.services.keycloak.package.plugins; [

     

       43
       46
        
                     keycloak-discord

     
···

       111
       114
        
                 keycloak.succeed("""

     

       112
       115
        
                     curl -sSf -d 'client_id=admin-cli' \

     

       113
       116
        
                          -d 'username=admin' \

     

       114
       114
       -
                          -d 'password=${initialAdminPassword}' \

     

       117
       117
       +
                          -d "password=$(<${adminPasswordFile})" \

     

       115
       118
        
                          -d 'grant_type=password' \

     

       116
       119
        
                          '${frontendUrl}/realms/master/protocol/openid-connect/token' \

     

       117
       120
        
                          | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header

     
···

       119
       122
        
       

     

       120
       123
        
                 # Register the metrics SPI

     

       121
       124
        
                 keycloak.succeed(

     

       122
       122
       -
                     "${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt",

     

       123
       123
       -
                     "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'",

     

       124
       124
       -
                     "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'",

     

       125
       125
       -
                     "curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"

     

       125
       125
       +
                     """${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""",

     

       126
       126
       +
                     """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """,

     

       127
       127
       +
                     """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""",

     

       128
       128
       +
                     """curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"""

     

       126
       129
        
                 )

     

       127
       130
        
       

     

       128
       131
        
                 # Publish the realm, including a test OIDC client and user