nixos/keycloak: Escape admin password properly

This commit is contained in:
talyz 2022-10-29 13:17:23 +02:00
parent b7fddb65f4
commit b82316bc91
GPG key ID: 2DED2151F4671A2B
2 changed files with 10 additions and 7 deletions


@ -637,7 +637,7 @@ in
cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
'' + '' '' + ''
export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=${cfg.initialAdminPassword} export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
kc.sh start --optimized kc.sh start --optimized
''; '';
}; };
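Review bot: `escapeShellArg cfg.initialAdminPassword` fixes the quoting, but the value is still interpolated at Nix evaluation time, so the password is written verbatim into the generated start script and presumably ends up in the Nix store, which is world-readable on the host. The same hunk already pulls TLS material from `$CREDENTIALS_DIRECTORY`, so the admin password could travel the same way from an operator-owned file, e.g. `export KEYCLOAK_ADMIN_PASSWORD=$(<"$CREDENTIALS_DIRECTORY/<credential-name>")` with the file passed through the unit's credential list; I have not checked whether the module already offers a file-based option. Until then the option's description should state that the password is stored in the Nix store and, once exported, is readable from the service's environment. The script body and the enclosing attribute set start before the hunk.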


@ -5,10 +5,13 @@
let let
certs = import ./common/acme/server/snakeoil-certs.nix; certs = import ./common/acme/server/snakeoil-certs.nix;
frontendUrl = "https://${certs.domain}"; frontendUrl = "https://${certs.domain}";
initialAdminPassword = "h4IhoJFnt2iQIR9";
keycloakTest = import ./make-test-python.nix ( keycloakTest = import ./make-test-python.nix (
{ pkgs, databaseType, ... }: { pkgs, databaseType, ... }:
let
initialAdminPassword = "h4Iho\"JFn't2>iQIR9";
adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}";
in
{ {
name = "keycloak"; name = "keycloak";
meta = with pkgs.lib.maintainers; { meta = with pkgs.lib.maintainers; {
@ -111,7 +114,7 @@ let
keycloak.succeed(""" keycloak.succeed("""
curl -sSf -d 'client_id=admin-cli' \ curl -sSf -d 'client_id=admin-cli' \
-d 'username=admin' \ -d 'username=admin' \
-d 'password=${initialAdminPassword}' \ -d "password=$(<${adminPasswordFile})" \
-d 'grant_type=password' \ -d 'grant_type=password' \
'${frontendUrl}/realms/master/protocol/openid-connect/token' \ '${frontendUrl}/realms/master/protocol/openid-connect/token' \
| jq -r '"Authorization: bearer " + .access_token' >admin_auth_header | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header
@ -119,10 +122,10 @@ let
# Register the metrics SPI # Register the metrics SPI
keycloak.succeed( keycloak.succeed(
"${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt", """${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""",
"KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'", """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """,
"KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'", """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""",
"curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'" """curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"""
) )
# Publish the realm, including a test OIDC client and user # Publish the realm, including a test OIDC client and user