Arch Linux / infrastructure / Issues / #218 (Closed)
Issue created Nov 14, 2020 by Frederik Schwan@freswaDeveloper

write export tool to automatically pull password hashes from keycloak

Moved from: #50 and #210 (closed)

Project repo: https://gitlab.archlinux.org/archlinux/mail-credential-syncer

Since many members of arch-devops work with rust and its good security characteristics, this tool shall be written in rust (#210 (comment 6535) contains a very dirty POC in Go).

Three config parameters:

  • Path to mapping file for keycloak UUID -> arch mail address on local FS
  • Keycloak hostname
  • Post-receive script

Implementation:

  • Use inotify to receive events when the mapping file changes
  • Subscribe to pw change events for the keycloak user attribute mail_password_hash

Whenever an event fires:

  • iterate over mapping
  • get pw hash from keycloak
  • check if the hash is valid and contains no malicious input (probably with a regex)
  • export dovecot and opensmtpd version of virtual user file
  • backup old config files
  • run post receive script
  • when the post receive script fails, restore old config files
  • report error via e-mail (or prometheus?)
Edited Dec 01, 2020 by Frederik Schwan
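An added example of the "check the hash, then export" steps above, written here in Rust and not taken from the mail-credential-syncer project. It assumes crypt(3)-style hashes such as `$6$salt$digest`, that dovecot reads a passwd-file line `user:{CRYPT}hash`, and that OpenSMTPD reads a credentials table line `user<TAB>hash`; the sample entries in the test are constructed.

```rust
// Added example, not the mail-credential-syncer project's code: validate a
// password hash fetched from Keycloak before it is written into mail config,
// then render the dovecot and OpenSMTPD virtual user entries from a mapping.
// Assumptions: the hashes are crypt(3)-style strings such as "$6$salt$digest",
// dovecot reads them from a passwd-file as "user:{CRYPT}hash", and OpenSMTPD
// reads a credentials table as "user<TAB>hash".
use std::collections::BTreeMap;

/// Accept only crypt-style hashes: a leading '$' and the crypt alphabet
/// (A-Z a-z 0-9 . / $). This rejects ':' (dovecot's field separator),
/// whitespace and newlines (record separators in both files), so a value
/// stored in Keycloak cannot smuggle an extra field or user into the export.
pub fn valid_hash(hash: &str) -> bool {
    hash.starts_with('$')
        && hash.len() > 3
        && hash.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '/' | '$'))
}

/// Addresses come from the local mapping file; apply the same strictness.
pub fn valid_address(addr: &str) -> bool {
    let parts: Vec<&str> = addr.split('@').collect();
    parts.len() == 2
        && !parts[0].is_empty()
        && !parts[1].is_empty()
        && addr.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | '@'))
}

/// Render (dovecot_file, smtpd_file) from address -> hash. The first invalid
/// entry aborts the whole export, so the old config files stay in place
/// instead of being replaced by a partially valid one.
pub fn render(users: &BTreeMap<String, String>) -> Result<(String, String), String> {
    let mut dovecot = String::new();
    let mut smtpd = String::new();
    for (addr, hash) in users {
        if !valid_address(addr) {
            return Err(format!("invalid address: {:?}", addr));
        }
        if !valid_hash(hash) {
            return Err(format!("invalid hash for {}: {:?}", addr, hash));
        }
        dovecot.push_str(&format!("{}:{{CRYPT}}{}\n", addr, hash));
        smtpd.push_str(&format!("{}\t{}\n", addr, hash));
    }
    Ok((dovecot, smtpd))
}
```

The caller writes both strings to temporary files, backs up the current ones, runs the post-receive script and restores the backups if it fails, which keeps the export atomic from the mail servers' point of view.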