Add hCaptcha to Keycloak registration forms

2024-05-06 13:26:03 +02:00 · 2023-06-15 22:46:49 +02:00 · 2023-06-15 22:46:49 +02:00 · ced598b176
parent 36e7ddca57
commit ced598b176
4 changed files with 65 additions and 64 deletions
--- a/misc/vaults/vault_hcaptcha.yml
+++ b/misc/vaults/vault_hcaptcha.yml
@ -1,16 +1,18 @@
 $ANSIBLE_VAULT;1.2;AES256;super
-66393332376266313239623134383062653533363433386537313161623731646437643934376333
-3030643638623062653964333862323731326165623636370a616632313130363861336238656362
-64613737323939633037636136316335303434653033313634313039363537303130353166313034
-6266636635653536330a653835663931656466343034323766346363666436663266343836383039
-35643463623264646664346132346162303135386635353439643364626537663330363237396438
-33353435316538353239623166333630636331626330623839623739323532303262303966303365
-64636338323266616336353033363066623731396666303935633832376463646637626261333062
-36393230336561343638346439383837363037623162666133626565393534613063386366356639
-32626635643937613563623232333063356338663735663666343966313730396637366134396339
-30326537323361663365636637386666396263636239303263323630323166643039346364393636
-39383335666530353932646264633435333139353337623661313231633731386139613161396232
-66373931643835336566616439333634313266306135376232323133323136373236656336393864
-61643965366137613831616333303063623062613430396436396333666332646161336363646131
-35386539393261333831313463373837653839396136393266623334346234633863373065313332
-616566313639663362613164383061373038
+39373831626463313432326266363434313633643864336163343632613364376639376336653632
+6262363461386664376431393264373631393139313663320a336131333336353137663266326430
+62653764376137626266356636626234633232666263346631646635333861633662316139636663
+3831653264303762340a626535623932353939376533613835366131353162356339326334656434
+38363434336139353339393939636266323334656335376663313033316462656436336530653633
+34353364373864343036643234326365356137646332393961343535336232343732316364376365
+37366639643163633263623264373534333361633432333938316138653337383866643336383735
+39396361353663653663306337373838353461623837633239633538393962303237313734396564
+64396561316363363866393136383035613162323765366665313736393034313032653064623462
+61313961303361303965326561633932633736346663323864613366326134353131303033353332
+61656639346538343064386362303263373532323862666464303130646337343935323762393037
+39313964373735366639613366393837333731636636633533346663363864636535613936643230
+35656363623432373739303039333336653531376330643935623133616666376534383466376164
+38313165353230636461666231333833396535343565333465393732663733393365656365383262
+37303432666532303230666134363333313439356462653762393737366664323332316430663264
+39393266363865636366613165313936343738316534353066616538376163336563383638313363
+6339
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -1,5 +1,5 @@
 - name: Install keycloak
-  pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present
+  pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,keycloak-hcaptcha,python-passlib state=present

 - name: Create postgres keycloak user
  postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"
--- a/tf-stage2/.terraform.lock.hcl
+++ b/tf-stage2/.terraform.lock.hcl
@ -2,45 +2,45 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/external" {
-  version = "2.2.2"
+  version = "2.3.1"
  hashes = [
-    "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=",
-    "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca",
-    "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28",
-    "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b",
-    "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39",
+    "h1:bROCw6g5D/3fFnWeJ01L4IrdnJl1ILU8DGDgXCtYzaY=",
+    "zh:001e2886dc81fc98cf17cf34c0d53cb2dae1e869464792576e11b0f34ee92f54",
+    "zh:2eeac58dd75b1abdf91945ac4284c9ccb2bfb17fa9bdb5f5d408148ff553b3ee",
+    "zh:2fc39079ba61411a737df2908942e6970cb67ed2f4fb19090cd44ce2082903dd",
+    "zh:472a71c624952cff7aa98a7b967f6c7bb53153dbd2b8f356ceb286e6743bb4e2",
+    "zh:4cff06d31272aac8bc35e9b7faec42cf4554cbcbae1092eaab6ab7f643c215d9",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327",
-    "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955",
-    "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb",
-    "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0",
-    "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a",
-    "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372",
-    "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809",
+    "zh:7ed16ccd2049fa089616b98c0bd57219f407958f318f3c697843e2397ddf70df",
+    "zh:842696362c92bf2645eb85c739410fd51376be6c488733efae44f4ce688da50e",
+    "zh:8985129f2eccfd7f1841ce06f3bf2bbede6352ec9e9f926fbaa6b1a05313b326",
+    "zh:a5f0602d8ec991a5411ef42f872aa90f6347e93886ce67905c53cfea37278e05",
+    "zh:bf4ab82cbe5256dcef16949973bf6aa1a98c2c73a98d6a44ee7bc40809d002b8",
+    "zh:e70770be62aa70198fa899526d671643ff99eecf265bf1a50e798fc3480bd417",
  ]
 }

 provider "registry.terraform.io/mrparkers/keycloak" {
-  version = "4.0.1"
+  version = "4.3.1"
  hashes = [
-    "h1:z6heuWAzDy7WO7cbpw2QEfdZMqbF5roM6mcQX+ec4gM=",
-    "zh:136b81afb4bdf7b71bcaeefde00a8e097d20199037971a552046ac197d648875",
-    "zh:1cb69126e08c58cf7b67b14ecfa3999ba952f60f5ec2918796ec57486576c202",
-    "zh:1d51c878d0ca7cd3014025e2e01f6d1ee7fc73e7ccb67a1833765c3183224513",
-    "zh:335727454863886d6865cae3a5131cc3cca6dbfe251729669bce5d431a9b91df",
-    "zh:33af47e488fdce76101c9e25b3fa9bc3c9b07caf618e194584d356a261736c13",
-    "zh:68a4583a5026a87c6ce2684c54473eb9cef5408f865d0580fe5d9875c032180c",
-    "zh:68c7b96c6b553018321413d2d208cd4d0ebc83942affd565c8e51d04f18dac3b",
-    "zh:7868a220f477bdc4dc66449bb020fd74fc43168b66869906d025990a67a346d9",
-    "zh:7a7fbe2a8e38bba5928b57fbd1e94956d1e7f72e461145fef0ada8ce7fccb645",
-    "zh:87df541fdb3569204d53fe21aca032c01dc234859085cce6a9febf0ca0129183",
-    "zh:8d0eaa5031a6937dcb06d0ced7ae871328c87a3cb8cd8bceef71b08c094d7a66",
-    "zh:9616d1ff5ed8377920f9b89eac0cf2103969d2cde829dac55e7a2c3e208baa97",
-    "zh:99af64a38b7f5e3a7c714cb485321280a83dfed2efcbe0751923aca725fb6d51",
-    "zh:b3c1977bad48f8df311a9f25e7fa2a57ff175768cc548533f4d4a2b8652e5b9a",
-    "zh:c6b97dd6162934155454f3f891c4f32185af9e48ceb5e2d71dd7dce74f95efcf",
-    "zh:c924c9dabaa64b8dcef39bda9b67af27a714eb87ee1e01bd404b5823dc604b18",
-    "zh:db3b4d02fef69217055ac1536902bb694f3800c5d9929c7032ab31a3bd7147e1",
+    "h1:iYMw6G+fa3ZxO0u1yd+AKwhIqbeb6zICCRHCCR34xt8=",
+    "zh:2476767ef61e2e4a3e9c654e07bafc550ba36232c91301edcc703eb580d7cf1c",
+    "zh:3c60a8d9284ed5bc1c3a57f948bd726a29eecb1cf283f43f9f6df3b6595022d3",
+    "zh:4087277c8e79d72524d806048715c07d196faaf1ff8475131f558a6178f9d6f6",
+    "zh:426b4dde08ea33c32d9e2cc8c6a7a7b06a2d339f5770b6dc6f83cb5b8ca9b793",
+    "zh:476c52c28ebd97d2c14be1254e37b568625398090e0a828562f30c55429835eb",
+    "zh:563d21232e5cf2f5012f9a7c4ce6a6fd479b53383a47e44174c4855bdb536e29",
+    "zh:6542076d66db89e668bd916e20c6dc26059318e5f8ad9367d9699e6f3deffbd4",
+    "zh:66542debaec2514701a3744a13e01d188ebb5fbb044c9ee2bc484df2a975d72f",
+    "zh:77b37b37e76be7f21358ed683d1a5aa4f788af9f9c761e005d153b724d61b69a",
+    "zh:7e4ed34fb2523ca52b3b59cc992741dc41f56415655dce98d75c323a0b45debb",
+    "zh:7f703fc12304c767e5067aebf4302e232b4e5eee3fd184bacb95f368f4bc2b30",
+    "zh:930bc8ce87a1f883fdbf1466ba7d972929baaeaecba1b9099ddd030cc8ffe148",
+    "zh:cf2e7f5ca1cb0e70342815ede3530caff2fdefaf0d3e5993349e333ac1df1bf7",
+    "zh:cf87def6c46c997d9601ad10f4632882c9f1791f1c220cf29c2c6c144e51d0e2",
+    "zh:d168f1702efe239d7fdef8bf55ca526f53181f6b44ac9b91bcd7c26941116682",
+    "zh:e631c5ddd5116a730cc0da1b18879a4312edcb6f8edac2e6fa77d72c7ef334be",
+    "zh:f2f8ccaf97866e9d3f27449896c105c7fa325cedc65a62f618f38ff8e57a4d46",
  ]
 }

--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@ -14,10 +14,10 @@ data "external" "vault_keycloak" {
  "--format", "json"]
 }

-data "external" "vault_google" {
-  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_google.yml",
-    "vault_google_recaptcha_site_key",
-    "vault_google_recaptcha_secret_key",
+data "external" "vault_hcaptcha" {
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../misc/vaults/vault_hcaptcha.yml",
+    "vault_hcaptcha_accounts_archlinux_org_sitekey",
+    "vault_hcaptcha_secret_key",
  "--format", "json"]
 }

@ -110,8 +110,8 @@ resource "keycloak_realm" "archlinux" {

  security_defenses {
    headers {
-      x_frame_options                     = "ALLOW-FROM https://www.google.com"
-      content_security_policy             = "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';"
+      x_frame_options                     = "ALLOW-FROM https://www.google.com https://newassets.hcaptcha.com"
+      content_security_policy             = "frame-src 'self' https://www.google.com https://newassets.hcaptcha.com; frame-ancestors 'self'; object-src 'none';"
      content_security_policy_report_only = ""
      x_content_type_options              = "nosniff"
      x_robots_tag                        = "none"
@ -472,11 +472,11 @@ resource "keycloak_group_roles" "externalcontributor" {
  ]
 }

-// Add new custom registration flow with reCAPTCHA
+// Add new custom registration flow with hCaptcha
 resource "keycloak_authentication_flow" "arch_registration_flow" {
  realm_id    = "archlinux"
  alias       = "Arch Registration"
-  description = "Customized Registration flow that forces enables ReCAPTCHA."
+  description = "Customized Registration flow that forces enables hCaptcha."
 }

 resource "keycloak_authentication_subflow" "registration_form" {
@ -511,22 +511,21 @@ resource "keycloak_authentication_execution" "registration_password_action" {
  depends_on        = [keycloak_authentication_execution.registration_profile_action]
 }

-resource "keycloak_authentication_execution" "registration_recaptcha_action" {
+resource "keycloak_authentication_execution" "registration_hcaptcha_action" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
-  authenticator     = "registration-recaptcha-action"
+  authenticator     = "registration-hcaptcha-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_password_action]
 }

-resource "keycloak_authentication_execution_config" "registration_recaptcha_action_config" {
+resource "keycloak_authentication_execution_config" "registration_hcaptcha_action_config" {
  realm_id     = "archlinux"
-  alias        = "reCAPTCHA config"
-  execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
+  alias        = "hCaptcha config"
+  execution_id = keycloak_authentication_execution.registration_hcaptcha_action.id
  config = {
-    "useRecaptchaNet" = "false",
-    "site.key"        = data.external.vault_google.result.vault_google_recaptcha_site_key
-    "secret"          = data.external.vault_google.result.vault_google_recaptcha_secret_key
+    "site.key" = data.external.vault_hcaptcha.result.vault_hcaptcha_accounts_archlinux_org_sitekey
+    "secret"   = data.external.vault_hcaptcha.result.vault_hcaptcha_secret_key
  }
 }