Add GitHub OAuth for Keycloak

8942802c · Sven-Hendrik Haase · 682d34c5 · 8942802c · 8942802c · 8942802c
Commit 8942802c authored May 27, 2020 by Sven-Hendrik Haase
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ It also contains git submodules so you have to run `git submodule update --init
 Install these packages:
  - terraform
  - terraform-provider-keycloak
+  - python-typer
 ### Instructions
@@ -53,7 +54,7 @@ Note that some roles already run this automatically.
 We use packer to build snapshots on hcloud to use as server base images.
 In order to use this, you need to install packer and then run
-    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key env) packer/archlinux.json
+    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
 This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.

--- a/group_vars/all/vault_github.yml
+++ b/group_vars/all/vault_github.yml
+$ANSIBLE_VAULT;1.1;AES256
+34363332353038316637303436316631666563666264313531616334306135373565353333653532
+6231316461666563316462373266356338616262623463350a633631376361343430336235326430
+35353265643161666333313330383137633965303862303963616537643363393532666236373934
+3830323863326235640a346537613464316364613139386362363136643138363538613835393135
+34663063383763323733356361323530303761323739303538636237663834353538643066393230
+61663836616137616339353630616238323763663136363365363966363763386331623935393336
+34656161663539346263633738636533613532383231366266633230316138346330363834636338
+39366435383561306330666663396138363066646466663465613134346136616565383336653162
+63663432646563373631363765386635323430323161313162343962396634353234336438326364
+37653931613636323166613939383736343465323561326236336161626333653266623130303463
+346430393562333431363766636263316633
--- a/misc/get_key.py
+++ b/misc/get_key.py
 #!/usr/bin/python3
-from contextlib import contextmanager
-from enum import Enum
-from pathlib import Path
-import argparse
 import json
 import os
 import sys
+from contextlib import contextmanager
+from enum import Enum
+from pathlib import Path
+from typing import List
+import typer
 import yaml
+app = typer.Typer()
 @contextmanager
 def chdir(path):
@@ -45,7 +48,7 @@ def load_vault(path):
        )
-class Output(Enum):
+class OutputFormat(str, Enum):
    BARE = "bare"
    ENV = "env"
    JSON = "json"
@@ -54,37 +57,31 @@ class Output(Enum):
        return self.value
-def parse_args():
+def main(
-    parser = argparse.ArgumentParser(
+    vault: Path = typer.Argument(...),
-        description="Retrieve a password from an Ansible vault."
+    keys: List[str] = typer.Argument(...),
-    )
+    format: OutputFormat = typer.Option(
-    parser.add_argument(dest="vault", type=Path, help="vault to open")
+        OutputFormat.BARE, show_default=True, help="Output format"
-    parser.add_argument(dest="key", help="key to extract")
+    ),
-    parser.add_argument(
+):
-        dest="output",
+    """
-        nargs="?",
+    Get a bunch of entries from the vault located at VAULT.
-        type=Output,
-        choices=Output,
+    Use KEYS to choose which keys in the vault you want to output.
-        default=Output.BARE,
+    """
-        help="style of output",
+    vault = load_vault(vault)
-    )
+    filtered = {vault_key: vault[vault_key] for vault_key in keys}
-    return parser.parse_args()
+    if format == OutputFormat.BARE:
+        for secret in filtered.values():
-def main():
+            print(secret)
-    args = parse_args()
+    elif format == OutputFormat.ENV:
-    value = load_vault(args.vault)[args.key]
+        for key, secret in filtered.items():
+            print(f"{key}={secret}")
-    if args.output == Output.BARE:
+    elif format == OutputFormat.JSON:
-        print(value)
+        json.dump(filtered, sys.stdout)
-    elif args.output == Output.ENV:
-        print(f"{args.key}={value}")
-    elif args.output == Output.JSON:
-        json.dump({args.key: value}, sys.stdout)
        print()
-    else:
-        assert False
 if __name__ == "__main__":
-    main()
+    typer.run(main)
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -5,7 +5,7 @@ terraform {
 }
 data "external" "hetzner_cloud_api_key" {
-  program = ["${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "json"]
+  program = ["${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "--format", "json"]
 }
 data "hcloud_image" "archlinux" {

--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -4,34 +4,33 @@ terraform {
  }
 }
-data "external" "keycloak_admin_user" {
+data "external" "vault_keycloak" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_admin_user", "json"]
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml",
+    "vault_keycloak_admin_user",
+    "vault_keycloak_admin_password",
+    "vault_keycloak_smtp_user",
+    "vault_keycloak_smtp_password",
+    "--format", "json"]
 }
-data "external" "keycloak_admin_password" {
+data "external" "vault_google" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_admin_password", "json"]
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml",
+    "vault_google_recaptcha_site_key",
+    "vault_google_recaptcha_secret_key",
+    "--format", "json"]
 }
-data "external" "keycloak_smtp_user" {
+data "external" "vault_github" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_smtp_user", "json"]
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_github.yml",
-}
+    "vault_github_oauth_app_client_id",
+    "vault_github_oauth_app_client_secret",
-data "external" "keycloak_smtp_password" {
+    "--format", "json"]
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_smtp_password", "json"]
-}
-data "external" "google_recaptcha_site_key" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml", "vault_google_recaptcha_site_key", "json"]
-}
-data "external" "google_recaptcha_secret_key" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml", "vault_google_recaptcha_secret_key", "json"]
 }
 provider "keycloak" {
  client_id = "admin-cli"
-  username = data.external.keycloak_admin_user.result.vault_keycloak_admin_user
+  username = data.external.vault_keycloak.result.vault_keycloak_admin_user
-  password = data.external.keycloak_admin_password.result.vault_keycloak_admin_password
+  password = data.external.vault_keycloak.result.vault_keycloak_admin_password
  url = "https://accounts.archlinux.org"
 }
@@ -65,8 +64,8 @@ resource "keycloak_realm" "archlinux" {
    starttls = true
    auth {
-      username = data.external.keycloak_smtp_user.result.vault_keycloak_smtp_user
+      username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
-      password = data.external.keycloak_smtp_password.result.vault_keycloak_smtp_password
+      password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
    }
  }
@@ -92,6 +91,24 @@ resource "keycloak_realm" "archlinux" {
  }
 }
+resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
+  realm = "archlinux"
+  alias = "github"
+  provider_id = "github"
+  authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
+  client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
+  client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
+  token_url = ""
+  default_scopes = ""
+  enabled = false
+  trust_email = false
+  store_token = false
+  backchannel_supported = false
+  extra_config = {
+    syncMode = "IMPORT"
+  }
+}
 resource "keycloak_saml_client" "saml_gitlab" {
  realm_id = "archlinux"
  client_id = "saml_gitlab"
@@ -299,8 +316,8 @@ resource "keycloak_authentication_execution_config" "registration_recaptcha_acti
  execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
  config = {
    "useRecaptchaNet" = "false",
-    "site.key" = data.external.google_recaptcha_site_key.result.vault_google_recaptcha_site_key
+    "site.key" = data.external.vault_google.result.vault_google_recaptcha_site_key
-    "secret" = data.external.google_recaptcha_secret_key.result.vault_google_recaptcha_secret_key
+    "secret" = data.external.vault_google.result.vault_google_recaptcha_secret_key
  }
 }