write export tool to automatically pull password hashes from keycloak

Project repo: https://gitlab.archlinux.org/archlinux/mail-credential-syncer

Since many members of arch-devops work with rust and it's good security characteristics, this tool shall be written in rust (#210 (comment 6535) contains a very dirty POC in Go).

Three config parameters:

Path to mapping file for keycloak UUID -> arch mail address on local FS
Keycloak hostname
Post-receive script

Implementation:

Use inotify to receive events when the mapping file changes
Subscribe to pw change events for the keycloak user attribute mail_password_hash

Whenever an event fires:

iterate over mapping
get pw hash from keycloak
check if the hash is valid and contains no malicious input (probably with a regex)
export dovecot and opensmtpd version of virtual user file
backup old config files
run post receive script
when the post receive script failes, restore old config files
report error via e-mail (or prometheus?)

Edited Dec 01, 2020 by Frederik Schwan

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information