write export tool to automatically pull password hashes from keycloak
Moved from: #50 and #210 (closed)
Project repo: https://gitlab.archlinux.org/archlinux/mail-credential-syncer
Since many members of arch-devops work with Rust and it has good security characteristics, this tool shall be written in Rust (#210 (comment 6535) contains a very dirty PoC in Go).
Three config parameters:
- Path to the mapping file (Keycloak UUID -> Arch mail address) on the local filesystem
- Keycloak hostname
- Post-receive script
Implementation:
- Use inotify to receive events when the mapping file changes
- Subscribe to password change events for the Keycloak user attribute mail_password_hash
Whenever an event fires:
- iterate over the mapping
- get the password hash from Keycloak
- check that the hash is valid and contains no malicious input (probably with a regex)
- export the Dovecot and OpenSMTPD versions of the virtual user file
- back up the old config files
- run the post-receive script
- when the post-receive script fails, restore the old config files
- report the error via e-mail (or Prometheus?)
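The validation, export and rollback steps above, sketched in Rust as an added example (this is not code from the mail-credential-syncer repo). It assumes the mail_password_hash attribute holds a crypt(3)-style string (`$2b$...`, `$6$...`); the scheme whitelist, the address character set and the `.bak` suffix are this example's choices, and the sample mapping and hashes are constructed, not real credentials. The interesting part is that a hash or address containing `:`, whitespace or a newline is rejected before it can add fields or lines to the exported files, and that a failing post-receive script puts the previous file back.

```rust
// Added example, not code from the mail-credential-syncer project.
use std::collections::BTreeMap;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// crypt(3) scheme ids this example accepts (assumption: the Keycloak attribute
/// mail_password_hash stores crypt(3)-style strings such as $2b$... or $6$...).
const ALLOWED_SCHEMES: &[&str] = &["2b", "2y", "5", "6"];

/// Reject anything that does not look like a crypt(3) hash, so a crafted
/// attribute value cannot inject extra fields or lines into the exported files.
pub fn validate_hash(hash: &str) -> Result<(), String> {
    let mut parts = hash.splitn(3, '$');
    if parts.next() != Some("") {
        return Err(format!("hash does not start with '$': {hash:?}"));
    }
    let scheme = parts.next().unwrap_or("");
    let body = parts.next().unwrap_or("");
    if !ALLOWED_SCHEMES.contains(&scheme) {
        return Err(format!("unsupported crypt scheme {scheme:?}"));
    }
    if body.is_empty() {
        return Err("hash has no salt/digest part".to_string());
    }
    // The crypt alphabet plus the separators used by $6$rounds=N$salt$digest.
    let ok = hash
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '/' | '$' | '='));
    if !ok {
        return Err("hash contains characters outside the crypt(3) alphabet".to_string());
    }
    Ok(())
}

/// The address becomes the first field of both files; a conservative character
/// set keeps it from breaking the line or field structure either.
pub fn validate_address(addr: &str) -> Result<(), String> {
    let ok = !addr.is_empty()
        && addr.matches('@').count() == 1
        && addr
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '@' | '.' | '-' | '_' | '+'));
    if ok { Ok(()) } else { Err(format!("address {addr:?} rejected")) }
}

/// Dovecot passwd-file: user:{CRYPT}hash, remaining fields left empty.
pub fn render_dovecot(users: &BTreeMap<String, String>) -> Result<String, String> {
    let mut out = String::new();
    for (addr, hash) in users {
        validate_address(addr)?;
        validate_hash(hash)?;
        out.push_str(&format!("{addr}:{{CRYPT}}{hash}\n"));
    }
    Ok(out)
}

/// OpenSMTPD credentials table: user<space>hash (crypt(3) string, no scheme prefix).
pub fn render_opensmtpd(users: &BTreeMap<String, String>) -> Result<String, String> {
    let mut out = String::new();
    for (addr, hash) in users {
        validate_address(addr)?;
        validate_hash(hash)?;
        out.push_str(&format!("{addr} {hash}\n"));
    }
    Ok(out)
}

/// Write `contents` to `path`, keeping the previous version as `<path>.bak`, then
/// run `post_receive`. If it reports failure the backup is restored and Ok(false)
/// is returned so the caller can report the error.
pub fn write_with_rollback<F>(path: &Path, contents: &str, post_receive: F) -> io::Result<bool>
where
    F: FnOnce() -> bool,
{
    let mut backup = path.as_os_str().to_owned();
    backup.push(".bak");
    let backup = PathBuf::from(backup);
    let had_old = path.exists();
    if had_old {
        fs::copy(path, &backup)?;
    }
    fs::write(path, contents)?;
    if post_receive() {
        return Ok(true);
    }
    // Post-receive failed: put the previous file back (or remove the new one).
    if had_old {
        fs::copy(&backup, path)?;
    } else {
        fs::remove_file(path)?;
    }
    Ok(false)
}

fn main() {
    // Constructed sample: addresses from the mapping joined with constructed hashes.
    let mut users = BTreeMap::new();
    users.insert("alice@example.org".to_string(), "$6$rounds=5000$saltsalt$notarealdigest".to_string());
    users.insert("bob@example.org".to_string(), "$2b$12$notarealsaltorhash0123456789".to_string());
    print!("{}", render_dovecot(&users).unwrap());
    print!("{}", render_opensmtpd(&users).unwrap());
}
```

In the real tool the closure passed to `write_with_rollback` would spawn the configured post-receive script and return whether it exited successfully; both exported files should be written and rolled back together, which is why the rollback is a separate step from rendering.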
Edited by Frederik Schwan