Arch Linux / infrastructure / Issues / #218

Created Nov 14, 2020 by Frederik Schwan (@freswa), Developer. 0 of 2 tasks completed.

write export tool to automatically pull password hashes from keycloak

Moved from: #50 and #210 (closed)

Project repo: https://gitlab.archlinux.org/archlinux/mail-credential-syncer

Since many members of arch-devops work with Rust and it has good security characteristics, this tool shall be written in Rust (#210 (comment 6535) contains a very dirty POC in Go).

Three config parameters:

  • Path to mapping file for keycloak UUID -> arch mail address on local FS
  • Keycloak hostname
  • Post-receive script

Implementation:

  • Use inotify to receive events when the mapping file changes
  • Subscribe to pw change events for the keycloak user attribute mail_password_hash

Whenever an event fires:

  • iterate over mapping
  • get pw hash from keycloak
  • check if the hash is valid and contains no malicious input (probably with a regex)
  • export dovecot and opensmtpd version of virtual user file
  • backup old config files
  • run post receive script
  • when the post receive script fails, restore old config files
  • report error via e-mail (or prometheus?)
Edited Dec 01, 2020 by Frederik Schwan
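The validate / export / backup-and-rollback steps above, sketched as an added Rust example that is not code from the mail-credential-syncer project. The file formats are assumptions (dovecot passwd file `user:{CRYPT}hash`, OpenSMTPD credentials table `user<TAB>hash`), and the `hashes` map stands in for the Keycloak lookup of `mail_password_hash`.

```rust
// Added example (not the project's own code): strict hash validation, rendering of
// the two virtual user files, and an install step that backs up the old file and
// rolls back when the post-receive hook fails. File formats are assumptions.
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};
use std::{fs, io};

/// Accept only crypt(3)-style hashes ("$id$salt$hash") from a small allow-list.
/// ':', whitespace and control characters are rejected since a value containing
/// them could inject extra fields or records into the exported files.
pub fn is_valid_hash(hash: &str) -> bool {
    (20..=256).contains(&hash.len())
        && hash.starts_with('$')
        && hash.matches('$').count() >= 3
        && hash.chars().all(|c| c.is_ascii_alphanumeric() || "$./=+,".contains(c))
}

/// Render the dovecot and OpenSMTPD files for every uuid in the mapping. Any
/// missing or invalid record aborts the whole export (Err lists the uuids), so a
/// bad value can never silently drop or rewrite users.
pub fn render(
    mapping: &BTreeMap<String, String>,
    hashes: &BTreeMap<String, String>,
) -> Result<(String, String), Vec<String>> {
    let (mut dovecot, mut smtpd, mut bad) = (String::new(), String::new(), Vec::new());
    for (uuid, mail) in mapping {
        // The mapping file is local, but a stray ':' or whitespace would still corrupt a record.
        let mail_ok = !mail.is_empty() && !mail.contains(|c: char| c.is_whitespace() || c == ':');
        match hashes.get(uuid) {
            Some(h) if mail_ok && is_valid_hash(h) => {
                dovecot.push_str(&format!("{}:{{CRYPT}}{}\n", mail, h));
                smtpd.push_str(&format!("{}\t{}\n", mail, h));
            }
            _ => bad.push(uuid.clone()),
        }
    }
    if bad.is_empty() { Ok((dovecot, smtpd)) } else { Err(bad) }
}

/// Back up `path` to `<path>.bak`, write `content`, run the post-receive hook and
/// restore the backup if the hook fails. Ok(true): new file live; Ok(false): rolled back.
pub fn install(path: &Path, content: &str, hook: impl FnOnce() -> bool) -> io::Result<bool> {
    let backup = PathBuf::from(format!("{}.bak", path.display()));
    let had_old = path.exists();
    if had_old { fs::copy(path, &backup)?; }
    fs::write(path, content)?;
    if hook() { return Ok(true); }
    if had_old { fs::copy(&backup, path)?; } else { fs::remove_file(path)?; }
    Ok(false)
}
```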