From ed19221404d7a68a2cfa5ff24c271df931258186 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras
Date: Sat, 12 Nov 2022 16:07:09 +0200
Subject: [PATCH] keycloak: remove /auth from all Keycloak endpoints

From [1]: "By default, the new Quarkus distribution removes /auth from the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus
---
 misc/kcadm_wrapper.sh | 2 +-
 one-shots/keycloak-importer/import_user_groups.py | 2 +-
 one-shots/keycloak-keyfetcher/get_fingerprint.sh | 2 +-
 roles/gitlab/tasks/main.yml | 6 +++---
 roles/grafana/templates/grafana.ini.j2 | 8 ++++----
 roles/hedgedoc/templates/hedgedoc.service.d.j2 | 6 +++---
 roles/keycloak/templates/keycloak.conf.j2 | 1 -
 roles/keycloak/templates/nginx.d.conf.j2 | 6 +++---
 roles/matrix/templates/homeserver.yaml.j2 | 2 +-
 roles/prometheus/templates/prometheus.yml.j2 | 2 +-
 roles/security_tracker/templates/20-user.local.conf.j2 | 2 +-
 tf-stage2/keycloak.tf | 8 ++------
 12 files changed, 21 insertions(+), 26 deletions(-)

diff --git a/misc/kcadm_wrapper.sh b/misc/kcadm_wrapper.sh
index 239a1d58..0a6adc0e 100755
--- a/misc/kcadm_wrapper.sh
+++ b/misc/kcadm_wrapper.sh
@@ -14,7 +14,7 @@
 kcadm "$@" \
 -r archlinux \
 --no-config \
- --server https://accounts.archlinux.org/auth \
+ --server https://accounts.archlinux.org \
 --realm master \
 --user $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user) \
 --password $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)
diff --git a/one-shots/keycloak-importer/import_user_groups.py b/one-shots/keycloak-importer/import_user_groups.py
index f42453a2..90300774 100755
--- a/one-shots/keycloak-importer/import_user_groups.py
+++ b/one-shots/keycloak-importer/import_user_groups.py
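Review bot: The admin credentials are still handed to kcadm on its command line through unquoted `$(misc/get_key.py …)` substitutions (the `--user`/`--password` context lines right after the changed `--server` line), so a vault value containing whitespace or glob characters is word-split, and the password is visible to every local user via `ps`/`/proc` for as long as kcadm runs. At minimum quote them: `--user "$(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user)" \` and `--password "$(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)"`. Whether this kcadm build can read the password from something other than argv I cannot tell from the hunk; if it can, that is the better fix. A short comment next to the changed line, `# Quarkus distribution serves at the root; there is no /auth context path`, would record why the prefix disappeared.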
@@ -19,7 +19,7 @@ IMPORT_GROUPS = {
 CLIENT_ID = "admin-cli"
 KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
 KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
-KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
+KEYCLOAK_URL = "https://accounts.archlinux.org"
 KEYCLOAK_REALM = "archlinux"
 REALM_URL = f"{KEYCLOAK_URL}/realms/master"
diff --git a/one-shots/keycloak-keyfetcher/get_fingerprint.sh b/one-shots/keycloak-keyfetcher/get_fingerprint.sh
index 2d40dcea..3f4e2233 100755
--- a/one-shots/keycloak-keyfetcher/get_fingerprint.sh
+++ b/one-shots/keycloak-keyfetcher/get_fingerprint.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
-curl -s https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
+curl -s https://accounts.archlinux.org/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
index 7e9d721f..c618bc28 100644
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
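Review bot: `KEYCLOAK_URL` is a hard-coded production base URL with no guard against a trailing slash, and it feeds `REALM_URL` (and presumably the other endpoint strings) by plain f-string concatenation, so a later edit to `https://accounts.archlinux.org/` silently yields `//realms/master`. I would source it from the environment like the two credentials above it and normalise it: `KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "https://accounts.archlinux.org").rstrip("/")`. A one-line comment, `# Quarkus Keycloak has no /auth context path; realm endpoints hang off the root`, would explain why the prefix vanished. These are module-level constants; the code that consumes REALM_URL is outside the hunk.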
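Review bot: The pipeline has no failure handling, and its output is the SAML trust anchor that gets pasted into GitLab's `idp_cert_fingerprint`: `curl -s` happily emits an empty body or an HTML error page on a 404 (which is exactly what the old `/auth/…` path now produces on a Quarkus server), and `xmllint`/`base64` failures are masked by the later stages, so a broken fetch can still print a plausible-looking fingerprint that someone will pin. Use `curl -sSf` and start the script with `set -euo pipefail` so any stage failure aborts instead. The XPath `//*[local-name()="X509Certificate"]/text()` also selects every certificate in the descriptor; if the realm ever publishes separate signing and encryption keys the concatenated text is hashed as one blob — confirm the descriptor carries a single KeyDescriptor, or narrow the selection to the signing one.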
@@ -23,7 +23,7 @@
 # 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
 # one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
 # 2. In order to logout properly we need to configure the "After sign out path" and set it to
-# https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
+# https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
 # https://gitlab.com/gitlab-org/gitlab/issues/14414
 #
 # In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
@@ -78,8 +78,8 @@
 args: {
 assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
 idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
- idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
- idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
+ idp_sso_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/saml_gitlab',
+ idp_slo_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml',
 issuer: 'saml_gitlab',
 attribute_statements: {
 first_name: ['first_name'],
diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index 6848e40f..6ac46ac3 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
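Review bot: The documented "After sign out path" keeps `?redirect_uri=…` on Keycloak's `openid-connect/logout` endpoint, but the Quarkus distributions this commit targets (Keycloak 18 and later) no longer honour `redirect_uri` on logout unless the server is started with the legacy switch `--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true`; the supported form is `post_logout_redirect_uri=…` together with `id_token_hint` or `client_id`, with the URI registered as a valid post-logout redirect URI on the client. If this deployment has the legacy switch on, the instruction still works; otherwise anyone following it will configure a sign-out that ends on a Keycloak error page. I'd update the URL in the comment or add one sentence naming the legacy switch it depends on. This comment block documents a task that sits outside the hunk.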
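Review bot: `idp_cert_fingerprint` is a hand-copied SHA-1 pin of the realm's SAML signing certificate, and the `idp_sso_target_url` changed here is also assembled by the `gitlab_saml_configuration` output in `tf-stage2/keycloak.tf`; maintaining both copies by hand means a Keycloak key rotation or the next URL change breaks GitLab SAML with a signature/endpoint error before the drift is noticed. At least record the coupling: `# idp_cert_fingerprint / idp_sso_target_url must track the realm SAML signing key and the tf-stage2 gitlab_saml_configuration output`. If the ruby-saml version GitLab ships supports `idp_cert` (full PEM) instead of a SHA-1 fingerprint, that also removes the SHA-1 dependence — I cannot confirm the version from here. The `args:` mapping opens in this hunk and closes outside it.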
@@ -433,7 +433,7 @@ disable_login_form = true
 ;disable_signout_menu = false
 # URL to redirect the user to after sign out
-signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
+signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
@@ -573,9 +573,9 @@ email_attribute_path = email
 ;login_attribute_path =
 ;name_attribute_path =
 ;id_token_attribute_name =
-auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
-token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
-api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+auth_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
+token_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
+api_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
 ;teams_url =
 ;allowed_domains =
 ;team_ids =
diff --git a/roles/hedgedoc/templates/hedgedoc.service.d.j2 b/roles/hedgedoc/templates/hedgedoc.service.d.j2
index 36810b00..b6497775 100644
--- a/roles/hedgedoc/templates/hedgedoc.service.d.j2
+++ b/roles/hedgedoc/templates/hedgedoc.service.d.j2
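Review bot: `signout_redirect_url` still carries `?redirect_uri=https://{{ grafana_domain }}` on the Keycloak `openid-connect/logout` endpoint; Keycloak 18+ (the Quarkus line this commit migrates to) rejects `redirect_uri` on logout unless started with `--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true`, so Grafana's sign-out would end on a Keycloak error page instead of back on Grafana. The supported form is `post_logout_redirect_uri=https://{{ grafana_domain }}` plus either `id_token_hint` or `client_id=<grafana client id>` (if the installed Grafana does not append the hint itself, `client_id` is required for Keycloak to honour the redirect), with that URI registered as a valid post-logout redirect URI on the Keycloak client. Alternatively keep the legacy switch in keycloak.conf; either way, leave a comment here saying which one this line relies on. The second hunk (`auth_url`/`token_url`/`api_url`) looks correct.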
@@ -1,10 +1,10 @@
 [Service]
-Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
 Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
 Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
 Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
-Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
-Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
+Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
+Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
 Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
index 6da32f33..88add918 100644
--- a/roles/keycloak/templates/keycloak.conf.j2
+++ b/roles/keycloak/templates/keycloak.conf.j2
@@ -5,7 +5,6 @@ metrics-enabled=true
 http-enabled=true
 http-host=127.0.0.1
 http-port={{ keycloak_port }}
-http-relative-path=/auth
 proxy=edge
 db=postgres
diff --git a/roles/keycloak/templates/nginx.d.conf.j2 b/roles/keycloak/templates/nginx.d.conf.j2
index 1525e57c..2d71a2f0 100644
--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
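Review bot: `Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}` (a context line two below the changed URLs) keeps the OIDC client secret in the unit's environment, which `systemctl show hedgedoc` prints to unprivileged local users and which shows up in unit debug output; the new URL lines do not change that, but this drop-in is being touched anyway. Move the secret into an `EnvironmentFile=` owned by root with mode 0600 and keep only the non-secret `Environment=` lines here. A comment above the three changed lines, `# Quarkus Keycloak serves realms at the root, no /auth prefix`, would also help the next reader.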
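Review bot: Dropping `http-relative-path=/auth` turns every previously published `/auth/...` URL into a 404, and nothing in the patch adds a compatibility redirect: relying parties outside this repo — the callback registered on the GitHub OAuth app behind the brokered `github` provider, any SP still holding the old SAML/OIDC metadata URL, bookmarked account-console links — break at cutover. Either keep `http-relative-path=/auth` for now, as the Keycloak migration guide permits, or add a transition rewrite to the nginx template such as `location ^~ /auth/ { rewrite ^/auth/(.*)$ /$1 permanent; }` and list in the commit message which external clients were updated. A one-liner in keycloak.conf, `# Served at the root; the old /auth context path is gone`, would save the next reader a search. The rest of this config, including `proxy=edge`, continues outside the hunk.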
@@ -32,10 +32,10 @@ server {
 # https://w3c.github.io/webappsec-change-password-url/
 location = /.well-known/change-password {
- return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
+ return 302 https://$server_name/realms/archlinux/account/#/security/signingin;
 }
- location ~ /auth/realms/[a-z]+/metrics {
+ location ~ /realms/[a-z]+/metrics {
 auth_basic "Prometheus exporter";
 auth_basic_user_file {{ keycloak_nginx_htpasswd }};
@@ -59,6 +59,6 @@ server {
 }
 location = / {
- return 301 https://$server_name/auth/realms/archlinux/account;
+ return 301 https://$server_name/realms/archlinux/account;
 }
 }
diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2
index 319c35f9..7317dd1b 100644
--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -143,7 +143,7 @@ oidc_providers:
 idp_name: "Arch Linux"
 idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
 idp_brand: archlinux
- issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
+ issuer: "https://accounts.archlinux.org/realms/archlinux"
 client_id: "openid_matrix"
 client_secret: "{{ vault_matrix_openid_client_secret }}"
 scopes: ["openid", "profile", "email", "roles"]
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index 1b3f7a91..49734f5b 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -90,7 +90,7 @@ scrape_configs:
 - job_name: 'keycloak'
 scheme: https
- metrics_path: "/auth/realms/master/metrics"
+ metrics_path: "/realms/master/metrics"
 basic_auth:
 username: "{{ vault_keycloak_nginx_user }}"
 password: "{{ vault_keycloak_nginx_passwd }}"
diff --git a/roles/security_tracker/templates/20-user.local.conf.j2 b/roles/security_tracker/templates/20-user.local.conf.j2
index 56ea0b3b..c06a59be 100644
--- a/roles/security_tracker/templates/20-user.local.conf.j2
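Review bot: The basic-auth gate is now `location ~ /realms/[a-z]+/metrics`, but the regex is unanchored and `[a-z]+` does not match realm names containing digits, hyphens or capitals, so `/realms/<such-name>/metrics` falls through to whatever catch-all proxies to Keycloak with no `auth_basic`; anchor it as `location ~ ^/realms/[^/]+/metrics$ {`. Separately, with `metrics-enabled=true` the Quarkus distribution also serves its built-in Prometheus endpoint at `/metrics` on the same HTTP listener, and dropping the relative path moves it from `/auth/metrics` to the root — please confirm the catch-all in the part of this `server {}` block outside the hunk does not expose `https://accounts.archlinux.org/metrics` unauthenticated, and add a denied or basic-auth-guarded `location = /metrics` if it does. The `server {` block starts and ends outside the hunk.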
+++ b/roles/security_tracker/templates/20-user.local.conf.j2
@@ -3,7 +3,7 @@ secret_key = '{{ vault_security_tracker.secret_key }}'
 [sso]
 enabled = yes
-metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
+metadata_url = https://accounts.archlinux.org/realms/archlinux/.well-known/openid-configuration
 client_id = openid_security_tracker
 client_secret = {{ vault_security_tracker_openid_client_secret }}
 administrator_group = /Arch Linux Staff/Security Team/Admins
diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index c0798ab2..6c300efe 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -57,10 +57,6 @@ provider "keycloak" {
 username = data.external.vault_keycloak.result.vault_keycloak_admin_user
 password = data.external.vault_keycloak.result.vault_keycloak_admin_password
 url = "https://accounts.archlinux.org"
- # TODO: remove this once our Keycloak instance is no longer served under /auth
- # https://github.com/mrparkers/terraform-provider-keycloak/blob/master/CHANGELOG.md#v400-october-10-2022
- base_path = "/auth"
 }
 variable "gitlab_instance" {
@@ -213,7 +209,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
 realm = "archlinux"
 alias = "github"
 provider_id = "github"
- authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
+ authorization_url = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
 client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
 client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
 token_url = ""
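Review bot: Removing `base_path = "/auth"` is only correct when the provider is pinned to terraform-provider-keycloak 4.x or newer, where the default became empty; on 3.x the default is `/auth`, so an older lockfile or an unconstrained `required_providers` would silently re-add the prefix the rest of this commit removes. The version constraint is not in this hunk — please make sure `required_providers` carries `version = ">= 4.0.0"` (or the lockfile already resolves to 4.x), and since the explanatory TODO is deleted, keep a one-line comment in its place: `# base_path defaults to "" since provider v4; Keycloak no longer serves under /auth`. The `provider "keycloak"` block starts outside the hunk.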
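Review bot: The new `authorization_url` for the brokered `github` provider is Keycloak's own broker endpoint `/realms/archlinux/broker/github/endpoint`, which is the OAuth callback that GitHub validates against the "Authorization callback URL" registered on the OAuth app whose `client_id`/`client_secret` are read from the vault on the next two lines. Whether the built-in `github` social provider honours this attribute at all I cannot tell from here, but the GitHub-side registration is not managed by this repo, so GitHub login will fail with a redirect_uri mismatch until it is changed by hand — record that next to the attribute: `# must match the Authorization callback URL on the GitHub OAuth app`. The `keycloak_oidc_identity_provider` resource continues outside the hunk.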
@@ -765,7 +761,7 @@ output "gitlab_saml_configuration" {
 issuer = keycloak_saml_client.saml_gitlab.client_id
 assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
 admin_groups = [keycloak_role.devops.name]
- idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
+ idp_sso_target_url = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
 signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
 }
 }
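Review bot: The changed `idp_sso_target_url` interpolates the client id into a hard-coded host string, and the `signing_certificate_fingerprint` context line right below it is assigned `keycloak_saml_client.saml_gitlab.signing_certificate`, which by the provider's attribute name is the SAML client's own certificate rather than a SHA-1 fingerprint of the realm's IdP signing key — the value GitLab's `idp_cert_fingerprint` actually needs and which `one-shots/keycloak-keyfetcher/get_fingerprint.sh` exists to produce. Either rename the field to `signing_certificate` or document the mismatch so nobody wires this output into GitLab as-is: `# SP signing cert, not the IdP fingerprint; see one-shots/keycloak-keyfetcher/get_fingerprint.sh for that`. The `output "gitlab_saml_configuration"` block starts outside the hunk.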