From 9fe03e068ed5fd7c3c77e787aee452a2e535dba4 Mon Sep 17 00:00:00 2001
From: lucdew
Date: Sat, 21 Dec 2024 20:24:43 +0100
Subject: [PATCH 1/3] Add mTLS support for keycloak client

Signed-off-by: lucdew
---
 docs/index.md | 2 ++
 keycloak/keycloak_client.go | 18 +++++++++++++-----
 keycloak/keycloak_client_test.go | 5 +++--
 provider/provider.go | 16 +++++++++++++++-
 provider/provider_test.go | 27 +++++++++++++++------------
 5 files changed, 48 insertions(+), 20 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 965ad6d67..d3730e547 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -87,5 +87,7 @@ The following arguments are supported:
 - `client_timeout` - (Optional) Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to the environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or `15` if the environment variable is not specified.
 - `tls_insecure_skip_verify` - (Optional) Allows ignoring insecure certificates when set to `true`. Defaults to `false`. Disabling this security check is dangerous and should only be done in local or test environments.
 - `root_ca_certificate` - (Optional) Allows x509 calls using an unknown CA certificate (for development purposes)
+- `tls_client_certificate` - (Optional) The TLS client certificate in PEM format when the keycloak server is configured with TLS mutual authentication.
+- `tls_client_private_key` - (Optional) The TLS client pkcs1 private key in PEM format when the keycloak server is configured with TLS mutual authentication.
 - `base_path` - (Optional) The base path used for accessing the Keycloak REST API. Defaults to the environment variable `KEYCLOAK_BASE_PATH`, or an empty string if the environment variable is not specified. Note that users of the legacy distribution of Keycloak will need to set this attribute to `/auth`.
 - `additional_headers` - (Optional) A map of custom HTTP headers to add to each request to the Keycloak API.
diff --git a/keycloak/keycloak_client.go b/keycloak/keycloak_client.go
index 425370831..9458f677a 100644
--- a/keycloak/keycloak_client.go
+++ b/keycloak/keycloak_client.go
@@ -7,7 +7,6 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"io/ioutil"
 	"net/http"
 	"net/http/cookiejar"
@@ -17,6 +16,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+
 	"github.com/hashicorp/go-version"
 	"golang.org/x/net/publicsuffix"
 
@@ -60,7 +61,7 @@ var redHatSSO7VersionMap = map[int]string{
 	4: "9.0.17",
 }
 
-func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int, caCert string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
+func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int, caCert string, tlsClientCert string, tlsClientPrivateKey string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
 	clientCredentials := &ClientCredentials{
 		ClientId: clientId,
 		ClientSecret: clientSecret,
@@ -79,7 +80,7 @@ func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecre
 		}
 	}
 
-	httpClient, err := newHttpClient(tlsInsecureSkipVerify, clientTimeout, caCert)
+	httpClient, err := newHttpClient(tlsInsecureSkipVerify, clientTimeout, caCert, tlsClientCert, tlsClientPrivateKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create http client: %v", err)
 	}
@@ -170,7 +171,6 @@ func (keycloakClient *KeycloakClient) login(ctx context.Context) error {
 		serverVersion = strings.ReplaceAll(info.SystemInfo.ServerVersion, ".GA", "")
 	} else {
 		regex, err := regexp.Compile(`\.redhat-\w+`)
-
 		if err != nil {
 			fmt.Println("Error compiling regex:", err)
 			return err
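Review bot: The NewKeycloakClient signature in the `@@ -60,7 +61,7 @@` hunk now has three adjacent same-typed PEM parameters (`caCert string, tlsClientCert string, tlsClientPrivateKey string`) sitting between other positional strings and bools, so a caller that transposes the certificate and the key compiles fine and is only caught at runtime by the key-pair parse in newHttpClient; the `"", "", "", false` runs in the two updated test call sites show how unreadable the argument list has become. At minimum add a doc comment on NewKeycloakClient stating that `caCert`, `tlsClientCert` and `tlsClientPrivateKey` are PEM-encoded and that the last two must be supplied together to enable mutual TLS; longer term a small TLS options struct (CA cert, client cert, client key, insecure-skip-verify) would make the call sites self-describing. The function body continues outside this hunk.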
@@ -499,7 +499,7 @@ func (keycloakClient *KeycloakClient) marshal(body interface{}) ([]byte, error)
 	return json.Marshal(body)
 }
 
-func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string) (*http.Client, error) {
+func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string, tlsClientCert string, tlsClientPrivateKey string) (*http.Client, error) {
 	cookieJar, err := cookiejar.New(&cookiejar.Options{
 		PublicSuffixList: publicsuffix.List,
 	})
@@ -518,6 +518,14 @@ func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string)
 		transport.TLSClientConfig.RootCAs = caCertPool
 	}
 
+	if tlsClientCert != "" && tlsClientPrivateKey != "" {
+		clientKeyPairCert, err := tls.X509KeyPair([]byte(tlsClientCert), []byte(tlsClientPrivateKey))
+		if err != nil {
+			return nil, err
+		}
+		transport.TLSClientConfig.Certificates = []tls.Certificate{clientKeyPairCert}
+	}
+
 	retryClient := retryablehttp.NewClient()
 	retryClient.RetryMax = 1
 	retryClient.RetryWaitMin = time.Second * 1
diff --git a/keycloak/keycloak_client_test.go b/keycloak/keycloak_client_test.go
index 6493c215b..13d932232 100644
--- a/keycloak/keycloak_client_test.go
+++ b/keycloak/keycloak_client_test.go
@@ -2,10 +2,11 @@ package keycloak
 
 import (
 	"context"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"os"
 	"strconv"
 	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 )
 
 var requiredEnvironmentVariables = []string{
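Review bot: A half-configured client identity is silently ignored by the new `if tlsClientCert != "" && tlsClientPrivateKey != ""` guard in newHttpClient, so a user who sets only the certificate (or only the key) gets a plain server-authenticated TLS client and learns about it, if at all, from an opaque handshake rejection on the Keycloak side. Reject that case explicitly before the guard: `if (tlsClientCert == "") != (tlsClientPrivateKey == "") { return nil, fmt.Errorf("tls_client_certificate and tls_client_private_key must be set together") }`. The `tls.X509KeyPair` error is also returned bare; wrapping it as `return nil, fmt.Errorf("parsing TLS client key pair: %w", err)` makes the failure attributable to this input without echoing any key material. Note that X509KeyPair accepts PKCS#1, PKCS#8 and EC keys (the fixtures added later in this series are `BEGIN PRIVATE KEY`, i.e. PKCS#8), so the docs' "pkcs1" wording is narrower than what the code actually supports. newHttpClient continues past the end of this hunk.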
@@ -48,7 +49,7 @@ func TestAccKeycloakApiClientRefresh(t *testing.T) {
 		t.Fatal("KEYCLOAK_CLIENT_TIMEOUT must be an integer")
 	}
 
-	keycloakClient, err := NewKeycloakClient(ctx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout, "", false, "", false, map[string]string{
+	keycloakClient, err := NewKeycloakClient(ctx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout, "", "", "", false, "", false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {
diff --git a/provider/provider.go b/provider/provider.go
index a30091284..6bc067f6f 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -174,6 +174,18 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 				Description: "Allows ignoring insecure certificates when set to true. Defaults to false. Disabling security check is dangerous and should be avoided.",
 				Default: false,
 			},
+			"tls_client_certificate": {
+				Optional: true,
+				Type: schema.TypeString,
+				Description: "TLS client certificate as PEM string for mutual authentication",
+				Default: "",
+			},
+			"tls_client_private_key": {
+				Optional: true,
+				Type: schema.TypeString,
+				Description: "TLS client private key as PEM string for mutual authentication",
+				Default: "",
+			},
 			"red_hat_sso": {
 				Optional: true,
 				Type: schema.TypeBool,
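Review bot: The new `tls_client_private_key` schema attribute in the provider.go hunk is declared without `Sensitive: true`, so nothing marks the PEM private key for redaction the way the provider's other secret inputs (client_secret, password) presumably are, and it becomes eligible for display in diagnostics and debug output. Add `Sensitive: true,` to that attribute; the certificate can stay non-sensitive. Neither attribute has a `DefaultFunc` reading an environment variable, unlike `client_timeout`/`base_path` documented in this series, which means the key can only be supplied inline in HCL; if that is intentional the Description should say so, otherwise `DefaultFunc: schema.EnvDefaultFunc("KEYCLOAK_TLS_CLIENT_PRIVATE_KEY", "")` (and the cert equivalent) keeps key material out of committed configuration. The enclosing KeycloakProvider schema starts and ends outside this hunk.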
@@ -210,6 +222,8 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 		initialLogin := data.Get("initial_login").(bool)
 		clientTimeout := data.Get("client_timeout").(int)
 		tlsInsecureSkipVerify := data.Get("tls_insecure_skip_verify").(bool)
+		tlsClientCertificate := data.Get("tls_client_certificate").(string)
+		tlsClientPrivateKey := data.Get("tls_client_private_key").(string)
 		rootCaCertificate := data.Get("root_ca_certificate").(string)
 		redHatSSO := data.Get("red_hat_sso").(bool)
 		additionalHeaders := make(map[string]string)
@@ -221,7 +235,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 
 		userAgent := fmt.Sprintf("HashiCorp Terraform/%s (+https://www.terraform.io) Terraform Plugin SDK/%s", provider.TerraformVersion, meta.SDKVersionString())
 
-		keycloakClient, err := keycloak.NewKeycloakClient(ctx, url, basePath, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout, rootCaCertificate, tlsInsecureSkipVerify, userAgent, redHatSSO, additionalHeaders)
+		keycloakClient, err := keycloak.NewKeycloakClient(ctx, url, basePath, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout, rootCaCertificate, tlsClientCertificate, tlsClientPrivateKey, tlsInsecureSkipVerify, userAgent, redHatSSO, additionalHeaders)
 		if err != nil {
 			diags = append(diags, diag.Diagnostic{
 				Severity: diag.Error,
diff --git a/provider/provider_test.go b/provider/provider_test.go
index 9b8773a52..48d69f516 100644
--- a/provider/provider_test.go
+++ b/provider/provider_test.go
@@ -4,23 +4,26 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/meta"
-	"github.com/keycloak/terraform-provider-keycloak/keycloak"
 	"log"
 	"os"
 	"testing"
 	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/meta"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak"
 )
 
-var testAccProviderFactories map[string]func() (*schema.Provider, error)
-var testAccProvider *schema.Provider
-var keycloakClient *keycloak.KeycloakClient
-var testAccRealm *keycloak.Realm
-var testAccRealmTwo *keycloak.Realm
-var testAccRealmUserFederation *keycloak.Realm
-var testCtx context.Context
+var (
+	testAccProviderFactories map[string]func() (*schema.Provider, error)
+	testAccProvider *schema.Provider
+	keycloakClient *keycloak.KeycloakClient
+	testAccRealm *keycloak.Realm
+	testAccRealmTwo *keycloak.Realm
+	testAccRealmUserFederation *keycloak.Realm
+	testCtx context.Context
+)
 
 var requiredEnvironmentVariables = []string{
 	"KEYCLOAK_CLIENT_ID",
@@ -56,7 +59,7 @@ func init() {
 		}
 	}
 
-	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 5, "", false, userAgent, false, map[string]string{
+	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 5, "", "", "", false, userAgent, false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {

From 8418fb16c5c6c994359562b1190e13c7218a231f Mon Sep 17 00:00:00 2001
From: lucdew
Date: Sat, 4 Jan 2025 15:08:50 +0100
Subject: [PATCH 2/3] Fix wrong merge on keycloak_client.go

---
 keycloak/keycloak_client.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/keycloak/keycloak_client.go b/keycloak/keycloak_client.go
index faf917113..ef24a48c8 100644
--- a/keycloak/keycloak_client.go
+++ b/keycloak/keycloak_client.go
@@ -17,8 +17,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hashicorp/terraform-plugin-log/tflog"
-
 	"github.com/hashicorp/go-version"
 	"golang.org/x/net/publicsuffix"
 

From 44daeccc910b1195b5b938561896e11a74b1db0c Mon Sep 17 00:00:00 2001
From: lucdew
Date: Sat, 4 Jan 2025 22:01:55 +0100
Subject: [PATCH 3/3] Add instructions to run the tests using mTLS

Signed-off-by: lucdew
---
 README.md | 14 +++++++++++++
 docker-compose.yml | 6 ++++++
 provider/misc/tls-client-cert.pem | 23 ++++++++++++++++++++
 provider/misc/tls-client-key.pem | 28 +++++++++++++++++++++++++
 provider/misc/tls-other-client-cert.pem | 23 ++++++++++++++++++++
 provider/misc/tls-other-client-key.pem | 28 +++++++++++++++++++++++++
 provider/misc/tls-server-cert.pem | 23 ++++++++++++++++++++
 provider/misc/tls-server-key.pem | 28 +++++++++++++++++++++++++
 provider/provider_test.go | 2 +-
 9 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 provider/misc/tls-client-cert.pem
 create mode 100644 provider/misc/tls-client-key.pem
 create mode 100644 provider/misc/tls-other-client-cert.pem
 create mode 100644 provider/misc/tls-other-client-key.pem
 create mode 100644 provider/misc/tls-server-cert.pem
 create mode 100644 provider/misc/tls-server-key.pem

diff --git a/README.md b/README.md
index b23d432f4..bcde01913 100644
--- a/README.md
+++ b/README.md
@@ -127,6 +127,20 @@ KEYCLOAK_URL="http://localhost:8080" \
 make testacc
 ```
 
+You can also run the same tests on Keycloak's https port with the Keycloak terraform provider authenticating to the server with a client TLS certificate:
+```
+KEYCLOAK_CLIENT_ID=terraform \
+KEYCLOAK_CLIENT_SECRET=884e0f95-0f42-4a63-9b1f-94274655669e \
+KEYCLOAK_CLIENT_TIMEOUT=5 \
+KEYCLOAK_REALM=master \
+KEYCLOAK_TEST_PASSWORD_GRANT=true \
+KEYCLOAK_URL="https://localhost:8443" \
+KEYCLOAK_TLS_CLIENT_CERT="$(cat provider/misc/tls-client-cert.pem)" \
+KEYCLOAK_TLS_CLIENT_KEY="$(cat provider/misc/tls-client-key.pem)" \
+KEYCLOAK_TLS_CA_CERT="$(cat provider/misc/tls-server-cert.pem)" \
+make testacc
+```
+
 ### Run examples
 
 You can run examples against a Keycloak instance.
diff --git a/docker-compose.yml b/docker-compose.yml
index 1852b712f..bec56aca1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -34,10 +34,16 @@ services:
       - KC_FEATURES=preview
       - QUARKUS_HTTP_ACCESS_LOG_ENABLED=true
       - QUARKUS_HTTP_RECORD_REQUEST_START_TIME=true
+      - KC_HTTPS_CLIENT_AUTH=required
+      - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/misc/tls-server-cert.pem
+      - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/misc/tls-server-key.pem
+      - KC_TRUSTSTORE_PATHS=/opt/keycloak/misc/tls-client-cert.pem
+
       # Enable for remote java debugging
       # - PREPEND_JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787
     ports:
       - "8080:8080"
+      - "8443:8443"
       # Enable for remote java debugging
       # - 8787:8787
     volumes:
diff --git a/provider/misc/tls-client-cert.pem b/provider/misc/tls-client-cert.pem
new file mode 100644
index 000000000..3cfc47b57
--- /dev/null
+++ b/provider/misc/tls-client-cert.pem
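Review bot: The docker-compose hunk turns on `KC_HTTPS_CLIENT_AUTH=required` and points `KC_HTTPS_CERTIFICATE_KEY_FILE` and `KC_TRUSTSTORE_PATHS` at PEM files whose private keys are committed to the repository in this same series, but nothing in the compose file says these are throwaway self-signed test credentials, so a reader may reuse them and secret scanners will flag the checked-in keys with no recorded justification. Add a comment above the new `KC_HTTPS_*` lines, e.g. `# Test-only self-signed certs/keys from provider/misc; never reuse outside the local acceptance-test stack.`, and allowlist the fixture paths deliberately in whatever secret-scanning config the repo uses. Because the truststore is the leaf client certificate itself, only that exact certificate is accepted and `tls-other-client-cert.pem` is rejected, which is presumably the intended negative fixture but is not stated anywhere. The container paths assume the `volumes:` section, which continues outside this hunk, mounts `provider/misc` at `/opt/keycloak/misc`; worth confirming since the https listener will fail to start otherwise.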
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIUcoOEfNYDeDbcfofQ98Z7bNR7lT8wDQYJKoZIhvcNAQEL +BQAwcDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu +a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xGTAXBgNV +BAMMEGNsaWVudC1tdGxzLTIwNDgwHhcNMjUwMTA0MjAxMjA5WhcNNDQxMjMwMjAx +MjA5WjBwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHVW5rbm93bjEQMA4GA1UEBwwH +VW5rbm93bjEQMA4GA1UECgwHVW5rbm93bjEQMA4GA1UECwwHVW5rbm93bjEZMBcG +A1UEAwwQY2xpZW50LW10bHMtMjA0ODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAJv/jwZFworhgytS4YN7/A9orKFBQzKWAo7rzm/6pzmNurYaU34NEtKd +OKrfzvJpZf/BRP4pn73hzSoIfoObPZQgWxPaFhF1a59Bmzl68CsLU9WL7ZdmXEeO +WXVMyAKvLciFjrBYOBuJjDGhTsy1TEltZphcDtpHv94iu+VyEU3xJubNdjQ2lC3e +OrytPHmrkKxDMvQql1E/mICJXnIbSylsxyVZ6/nUQO3UJ4mPX3+/c0rxVGGwtnTO +Wai7xzv0C94x1uzyVLoS7DjeiFK5vfWW0oxCc8qEQj49ndegovkmOhEki/dr9Z99 +0s9BmOIjdRNRwq8Hzp3IEbr1PiurOd8CAwEAAaNTMFEwHQYDVR0OBBYEFKCqvIwq +1q1IgxhN0HYKaZxW1bnWMB8GA1UdIwQYMBaAFKCqvIwq1q1IgxhN0HYKaZxW1bnW +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAItRX9VfcUbMfBk2 +JboRVUy9af6il1JjDyIkqlW7sLebUdhAw1lBFN+s/PuWkAWRTxUlql+unlbQawuU +fVzerVG1W3/UxARibyW8v9Ll75zNGJ/eWyTYkbuxswpniNJ9p5DMV32HFhYhrANX +Sb2cYXt08XVeS9TgMMVWZJYnuKCCVjKUs6eNgYQfmST4GQ3N4ZXD+gFLVuBoCoeY +YPOuldF27v3n7n1+6SKBKetzVqdIoGfawtWq6iZURtbRMcFbV3GmNSiOPOZPJTao +7Ek2NbNjTUewRcurrO3tF6nFRHjsMF0VUS7sorMIcy81rXsVPsvtV4IU6p9N30PD +/zGZAjk= +-----END CERTIFICATE----- diff --git a/provider/misc/tls-client-key.pem b/provider/misc/tls-client-key.pem new file mode 100644 index 000000000..264f9877e --- /dev/null +++ b/provider/misc/tls-client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCb/48GRcKK4YMr +UuGDe/wPaKyhQUMylgKO685v+qc5jbq2GlN+DRLSnTiq387yaWX/wUT+KZ+94c0q +CH6Dmz2UIFsT2hYRdWufQZs5evArC1PVi+2XZlxHjll1TMgCry3IhY6wWDgbiYwx +oU7MtUxJbWaYXA7aR7/eIrvlchFN8SbmzXY0NpQt3jq8rTx5q5CsQzL0KpdRP5iA +iV5yG0spbMclWev51EDt1CeJj19/v3NK8VRhsLZ0zlmou8c79AveMdbs8lS6Euw4 +3ohSub31ltKMQnPKhEI+PZ3XoKL5JjoRJIv3a/WffdLPQZjiI3UTUcKvB86dyBG6 +9T4rqznfAgMBAAECggEABm1E6zE8jpQz3zkO6WfWPpxFYG9b4V2kxVaZrqtY8FoS +cyYqgmrvd5Xam8+UqxAEj8Daos38Msp2tWCcNbfTlaKvneXCOv3nbSw6xOd3tY5F +6epV44LoElqe/OIo61NkQ3qdIk7AIQJNsE3A/VYKyoujSmuggQWrte8gZpeIdvmD +9Oxu8vC/JzQgK6fU+cc+FRi4q5A87ellRb0Kml6o6fxPHgNJDYcqq1Eicjkklz6r +PpQGjutTZRO2afKnF0LMVJiOeR3pCDpQs6yB1A411DpD0c+t16riWThIX9ocVOVI +kELGarYEW2QqGN3LUI2F352KeBW+g/H4rUUzy+enQQKBgQDK8U21DucFfIlKsWzX +4jEvA3ccJrGN8/cHZhmRgbOSr4isHxpvgrH/OLfDP6ecSqXdBKpMyctXYEOxO3Ev +sYZwk1wDAlwyFQ1saVs06VUk0uOo0CeD9FxYwosCEB0qZN7q2njNcb2vH/9xIwpY +D3NyreU5U0AGahHFRbOSflNdqQKBgQDEyFSH790zrNlbxjniu3yrlTBs3hL4GAmv +58aeWJTrnWzp4TtnJlSt8KxX1YL99LIxRfeoHrvQD7ImLv3iEshJzxzWaZoaejog +zqPMuKeMY4tWGdRtbu2xuONhvWrNP4z0bJahjr3p00KyW3GkWHyUTZYOtCCpUmLN +emNS01JARwKBgQCM/eYpwwe3ZRURAoEG3wuiiPrIYQ17/KGDz2g2EfELGM6QHi/E +hv1YvjPU/zVYPPhMvAAAxzVxJ9z/lbeGFgS703TaVlptJPkld3C5Kt5PbgBiePLr +FurNc6MVtNI+cMP6T/wbZ0kMEOPr2xdFpL5lTvDwyaiyjCB6eHlQbllGuQKBgQCI +116hIVZLxxlnzpMWbpaloxuHuW6rg9vIrX7bQnJc3p6MjYoHkwoz4zeV5O4wt+bq +iONN0AF/EEssbmUyvyj02sgM+malnvWpNsmFZatt3xNYDqJAb3Fvs0i8AUKx9E2K +87BULLU4UycAbMK8LKSFZObC1tQXqyj2BvPm9vktpQKBgH9kOuApTTte7DOkDplT +A2lNK/a+PTjz+YdikjJD4LGUb8EkSQP333cUxgEwZLyITZJl8tyHEVhsJBnxhnSY +9zTsz7sQIAaOQC2IDxmcm2JvxgQnyiA/wtpO/Ai5WMpXsgOglDesw0U5kW7HGnGp +GDRJydhsBqcUrgjmyPAnBED1 +-----END PRIVATE KEY----- diff --git a/provider/misc/tls-other-client-cert.pem b/provider/misc/tls-other-client-cert.pem new file mode 100644 index 000000000..eca72e5a1 --- /dev/null +++ b/provider/misc/tls-other-client-cert.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDzTCCArWgAwIBAgIUUdZ8+2xM+2NtYoTttTdv/Nm56p4wDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu +a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xHzAdBgNV +BAMMFm90aGVyLWNsaWVudC1tdGxzLTIwNDgwHhcNMjUwMTA0MjA0NjUyWhcNNDQx +MjMwMjA0NjUyWjB2MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHVW5rbm93bjEQMA4G +A1UEBwwHVW5rbm93bjEQMA4GA1UECgwHVW5rbm93bjEQMA4GA1UECwwHVW5rbm93 +bjEfMB0GA1UEAwwWb3RoZXItY2xpZW50LW10bHMtMjA0ODCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALGuH57//e4KH3cmV2R3kYui8SXUB28Mix0/0L40 +i+XnUHrUp9O39mbE0SZZFVifudbcmNqcFSHu6XaQ0AxmzD0kYEUvwJYo8Nre+V7s +oc/JuWTSh+KrfM75OhAfzd4+iC/tu7v2w0a+WmbA2dB9WESKk6MWtIlEWmkbxyFY +goqkujkGRnkc8DjF5p/QTwCn/J5sA2hOw9TD1l+8zcNBdFHhqlCfzqMqvZg9cK8g +1zgasUKjd0jfJ3maJoarzFL/DOTNg2wYlO0sQNeZFB3YVl6/0lhHSijaTvE/QSco +gcvauEchc8mINOPs4m/pOzgDCN2PhtBAsy+DyvsIGvCuw4ECAwEAAaNTMFEwHQYD +VR0OBBYEFNfUetKkJtaZsjRMDFYTHNUjwBlzMB8GA1UdIwQYMBaAFNfUetKkJtaZ +sjRMDFYTHNUjwBlzMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB +AAtjYANNVer+6IptmkWIAeddQUFavcic/NMZ7I5UdXr2hHgEid/9lXRg3TFPBqX/ +YNktakxWIX1im9goUB58knCPsyqoaOYkhrxeoGBYl8LWGm5Pagiuy0gflMsQ1fBK +C+ns/Kua0i3g0ImQnGQkEBRy8YMrT4BLHIGc55HHmWR20c3kjsb2exUyVhi/1zok +dV0X6OXRFG8PVikmfwdABiYwLhOJqpm3/wzDLElgV97z6sp0pwIudsplYTel9wR8 +m8S9EhE2pt49yWRdQUESVSIfdt46y5rlg9x0rZmr/H2V9Tj2Oivf+n5tYXFmZeZr +DTAguqXtPGMUjKRkkfdDvmo= +-----END CERTIFICATE----- diff --git a/provider/misc/tls-other-client-key.pem b/provider/misc/tls-other-client-key.pem new file mode 100644 index 000000000..5e9a8fa66 --- /dev/null +++ b/provider/misc/tls-other-client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCxrh+e//3uCh93 +Jldkd5GLovEl1AdvDIsdP9C+NIvl51B61KfTt/ZmxNEmWRVYn7nW3JjanBUh7ul2 +kNAMZsw9JGBFL8CWKPDa3vle7KHPyblk0ofiq3zO+ToQH83ePogv7bu79sNGvlpm +wNnQfVhEipOjFrSJRFppG8chWIKKpLo5BkZ5HPA4xeaf0E8Ap/yebANoTsPUw9Zf +vM3DQXRR4apQn86jKr2YPXCvINc4GrFCo3dI3yd5miaGq8xS/wzkzYNsGJTtLEDX +mRQd2FZev9JYR0oo2k7xP0EnKIHL2rhHIXPJiDTj7OJv6Ts4Awjdj4bQQLMvg8r7 +CBrwrsOBAgMBAAECggEADcNbnrDcphYxpsSZC2a5pvPZsyDv7HmvwvXBASLH3Wik +EserMlqzIvXG764B2coRlqOi0Xg6qNS9T9pay0MhOfE55dITnG4SbhnMfj5dMF/D +VRx7uyKmec/TYBFenIMCgJftLVupd67iCMiSdrRm5HRJiF4HYQSi7jZhH+OfxQZp +NqY1TcMINJPzWTZawj72GXny+4zC/17YX3OxZxIxTt8Tvxu4atTvoJf5KsrGtoFh +5vd/MA6WbisnyfgM8qPXX+vcZOjUqoSOV4ErXUngXAF5r0OL19FZVV4t+/Qohmwf +Ofwk82dZJcuPhWCFeL8yf99RjDX0TWkM2WEVFhAQOwKBgQDyz0lYjFwXZE90hSz9 +KtO0iQ1uZzWOfZKDroRaN0rUHL1izwBkZ7Q2l6e9u4addvKmZ9YdY8/aF3dLmLl0 +77TYTlfcF6aoCEo+pSxI0/Wb42N2ZJ6SVVgk9aAdbSRS9K78d4tvAmnnkWnygrdW +8HYcmMYbXrKsyx3zlS3HZwFjIwKBgQC7VRds9KDgg8Tw+UtmLZa9z9OAoZmSUvB8 +J5kUX/wnYLe55NekMngK0hwgy+sJdIAYWhaxCEudhsShvMMEudxlkNMut3MuqRBC +MAdwhQA4vEVA3BJ2DJVx+9kQZ+LtLblN0jCI32joiKk/NAT+KTWRhOpt3NdY5mJz +GWgiAn8LCwKBgBpNH9nKonMaN40cm+n0iKgmrGDIJ0H/Ei7XaZjIIn/leRJJ7/Xw +UdIUDWR8+rD14ITr/IKEfFBYeGCk83naOVGw8s1xdmj/NOOiSrC83P7825pIffDF +891VCfoGB4hA3u+UF3N35HbkBoDxbeCp/XFNjzAJyvryqZToFORjoP/XAoGBAIYX +Z5g/FvT+fTc8SwNNuKwPmkZl5iZ+JdPJCGM0Par2KSzwKIdI9PJR6X50WL5A3PwR +aFK6LF4KvK9FDZdRbvhojTHQcKtCqvelp32cRkdWRIAjxzcm1MZtTrfWlPHPG+gf +f0xKFq70O6mZE8XWO5j5OlD/lkn1Rx06X3aQsN13AoGAbxrfgGvDAyh4VNvffkAK +PVLSJMt7DaZ5lYwrvIypMpSI9GjO4NFJ/RI5ABRgUs5iUJMCthRPcEUbo5MgZzHj +i3seixfbokbBDO6DxUGhQYFXmokdJ5uN8VWsgSj5xwBQjspWc6UlPXAc4X2n8LPI +Ikp4cUbJbPPRX35/dE5cCnQ= +-----END PRIVATE KEY----- diff --git a/provider/misc/tls-server-cert.pem b/provider/misc/tls-server-cert.pem new file mode 100644 index 000000000..4b690db87 --- /dev/null +++ b/provider/misc/tls-server-cert.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIUL14SHX23LluIcKTpC+PKaLGx7NcwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu +a25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNTAxMDQyMDQzMzNaFw00NDEyMzAyMDQzMzNaMGkx +CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdVbmtub3duMRAwDgYDVQQHDAdVbmtub3du +MRAwDgYDVQQKDAdVbmtub3duMRAwDgYDVQQLDAdVbmtub3duMRIwEAYDVQQDDAls +b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVBoaFJgUE +SK+UrWQSDVzqaTwaXo8T0V1Otf3anxlHpO2+VNgsOiGykSyDNQ55g54nPDFn+r9k +b2Zjv3wVNOi8ebuifRvWzIbQ6lAiw3w9wupAPPGzzR6ALP9rCsGzKCtuX4butwfs +RJbdKzco2Al+jyLuIBuWRcSNOpLlOaTldxNktZmrX+GJfW9gviX526rRSpg1W0Z6 +yuD+egbD9Ohin8Y8kkyS+AsU4zoLjaY0g5eewxoL2CJhCXcs5QHMd7Srw9M7NVOm +0/RIP3BgwU+z0fNBGz9+RvcJvTQ4HB0eZkXaD9pc10Krhl8MGKurX1XpA+hvO8M6 ++Si17Mc+/MxvAgMBAAGjaTBnMB0GA1UdDgQWBBSC9Ue0JhMwBosRG7tQlYQFWArX +5jAfBgNVHSMEGDAWgBSC9Ue0JhMwBosRG7tQlYQFWArX5jAPBgNVHRMBAf8EBTAD +AQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAKlGR +N9t2hV8jktObJsT9tBEyBJCG+uR9F1Amfu9AMjGlKCi/P0AG8LzK3uazNA8ki2r7 +rlTLiDKrwMG6Jiy1Q07tWPoI249RS6zty4tJPtp4IE1axqLmAZXN2V7RhI4iRUme +uPV2rul9pgn+vRAWS+WZLq+7HI1zPO+LUvRDEnql/N3YKO9XuYZSt2VOnIOcsWQ7 +kI5lvwAqNwb3i/0UtZYNdq+P3ZAaAMDE3QseBWlsrssztbfaJd21WstWkWJwttfu +RE4lyP0niffWAO6A5pzcgLiQqDuIPaEFtygZjX3a1FOIPcrLmDc/ZMRJgzlMZ+Uy +K6wAm+1GFTUIdZq5mw== +-----END CERTIFICATE----- diff --git a/provider/misc/tls-server-key.pem b/provider/misc/tls-server-key.pem new file mode 100644 index 000000000..a6c6e5529 --- /dev/null +++ b/provider/misc/tls-server-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCVBoaFJgUESK+U +rWQSDVzqaTwaXo8T0V1Otf3anxlHpO2+VNgsOiGykSyDNQ55g54nPDFn+r9kb2Zj +v3wVNOi8ebuifRvWzIbQ6lAiw3w9wupAPPGzzR6ALP9rCsGzKCtuX4butwfsRJbd +Kzco2Al+jyLuIBuWRcSNOpLlOaTldxNktZmrX+GJfW9gviX526rRSpg1W0Z6yuD+ +egbD9Ohin8Y8kkyS+AsU4zoLjaY0g5eewxoL2CJhCXcs5QHMd7Srw9M7NVOm0/RI +P3BgwU+z0fNBGz9+RvcJvTQ4HB0eZkXaD9pc10Krhl8MGKurX1XpA+hvO8M6+Si1 +7Mc+/MxvAgMBAAECggEAHjj7kQc73zmKekGL2Oli3ZtH+CUTKTa9kJfyCqNXciMt +n/r++EE10kwE1fstm1EpAtX/QxIkPI8nGbWcyYQ4avjZJ8PtoGtMMBRE+jfg+3mL +Hkn9zrQbqmz1w9SjodzUqgavi7wM3EqwudvozNy7WDJZKCfU0G4HxYiKf/hny61C +RPQM4Qp8oZ7NE65byIYuDQuSRFLrIDrGDjhl2IF58IBAwAOD1LFjxkZzi3Juh2gA +cvHn3FvjlggnjpUhwG5K2Tr0R0nCocBfE1Bm5hdgDgy12V6CxX8tnREa6WG3c8eX +OUbQi5iuTY5G7Xku79y++Kr63HHONftBb0fgSu3mqQKBgQDETIQ2AbMFx0aE3ptC +/eIvMSdBEryiEHh1NvZ3trzWKBB0zq7jI58oLLcc0pp9DZvkDzAfHIRl/grIzSBI +/XfC94N0KTxUIKBSG8nYv0WwM87IdLeTKyXcbZED6bB6bcCduPs+IFhLSFAL6nLM +YyY7GF/6QeWea9cJRSOh2/l86wKBgQDCWWLCRZZURgx9U6uELuHqWoQpAbzCDi20 +KbLTC5044uYL1WSFub+xgi4e613KfIyZVAMGrdgPooraPJ9x9In21jZxK8gnRPbP +YrpjmM9jEdLmkug5x0tXbpssAHBvSq1++H8b0HSuzpT75wi7VwWQqoETprAtU58t +bt91a609jQKBgQCXZCvTOxxGqJnKf6Re1k9K9i3AEiNJGkrMm8caLOUWhW+rpnta +0m49Hb9bi1F6gLRp/wyt8eBqiLLoissLf/CNfTb0r5jHiSIcMTJK57lnW41vLBUo +e26HwjjFO8XPpjWXbsLV9zwhU3PovLgsyYsCqJnc+FWPCLyfeaMxgeW4YQJ/CqDY +xccIcZNjG3d36cKmmCpbD+MIb5RW64NcRC5ear391qfU13tRAGQeIZK9jlVBWyE9 +CSB4sGIzNbwa/CBjaxxL3eSHDZ634J+FkezJaqGO5w0hpgdAF4f09HMRswRieI8e +ZGcB+o1RmHUKBTS9GSw54tk6yT/JdLKbhdBdqQKBgAitrjLzFh5vCRGasE7f1mk2 +PELThDX8UfYYea1YGiWVwYy/mE58qGg5/DuxZBQ9iIhrBBMXbTkEmQZn7rPqi+0H +0lLwUAVd21RbYHO5gN7b4Pl4/kz9VOf1c2V6+airbquFIPicXF4026u/sqD7k932 +HfB4mpzpgjvY3FPribTw +-----END PRIVATE KEY----- diff --git a/provider/provider_test.go b/provider/provider_test.go index 48d69f516..6e5dbeadb 100644 --- a/provider/provider_test.go +++ b/provider/provider_test.go 
@@ -59,7 +59,7 @@ func init() {
 		}
 	}
 
-	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 5, "", "", "", false, userAgent, false, map[string]string{
+	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 5, os.Getenv("KEYCLOAK_TLS_CA_CERT"), os.Getenv("KEYCLOAK_TLS_CLIENT_CERT"), os.Getenv("KEYCLOAK_TLS_CLIENT_KEY"), false, userAgent, false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {