Início / server / Perguntas / 1076851
Accepted
McLayn
Asked: 2021-09-08 01:37:33 +0800 CST

Wildfly standalone.xml - passando segredo para KeyCloak SPI do armazenamento de credenciais elytron

  • 772

Estou migrando as senhas do KeyCloak v15 (WildFly v23) do antigo cofre para o armazenamento de credenciais elytron. Funciona bem para o caso de uso padrão. Em standalone.xml, tenho: /server/extensions/extension:

<extension module="org.wildfly.extension.elytron"/>

/server/profile/subsystem:

<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="elytron" disallowed-providers="OracleUcrypto">
    <providers>
        <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
    </providers>
    <audit-logging>
        <file-audit-log name="local-audit" path="audit-log.log" relative-to="jboss.server.log.dir" format="JSON"/>
    </audit-logging>
    <credential-stores>
        <credential-store name="credStore" location="/data/credStore.jceks">
            <implementation-properties>
                <property name="keyStoreType" value="JCEKS"/>
            </implementation-properties>
            <credential-reference clear-text="MASK-123456789;salt123;42"/>
        </credential-store>
    </credential-stores>
</subsystem>

e eu acesso as senhas usando /server/profile/subsystem[@xmlns="urn:jboss:domain:jgroups:8.0"]/stacks/stack[@name="tcp"]/auth-protocol/digest-token/shared-secret-reference:

<shared-secret-reference store="credStore" alias="myBlock::mySecret"/>

No entanto, há um segredo que preciso passar para um SPI em uma propriedade. Alguma ideia de como fazer? Esta era a maneira antiga do cofre:

/server/system-properties/property:

<property name="secret" value="${VAULT::myBlock::mySecret::1}"/>

/server/profile/subsystem[@xmlns="urn:jboss:domain:keycloak-server:1.1"]/spi:

<spi name="mySpi">
    <provider name="file" enabled="true">
        <properties>
            <property name="password" value="${secret}"/>
        </properties>
    </provider>
</spi>
configuration keycloak wildfly

2 respostas

  1. Encontrei 2 possibilidades:

    1. Reescreva o SPI para recuperar o segredo diretamente do armazenamento de credenciais Elytron em Java
    2. Defina uma variável de ambiente de antemão ( export SECRET="$(secret-getter-script)") e use a variável em standalone.xml:
    <spi name="mySpi">
    <provider name="file" enabled="true">
        <properties>
            <property name="password" value="${env.SECRET}"/>
        </properties>
    </provider>
</spi>
    • 0
  2. Best Answer

    Eu tive que reescrever nosso SPI para ler o conteúdo da loja de credenciais Elytron:

    import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.msc.service.ServiceController;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.ServiceRegistry;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.interfaces.ClearPassword;

      private static String getClientSecret(String credentialStore, String secretAlias) {
    final ServiceName SERVICE_NAME_CRED_STORE = ServiceName.of("org", "wildfly", "security", "credential-store");
    final ServiceName sn = ServiceName.of(SERVICE_NAME_CRED_STORE, credentialStore);
    final ServiceRegistry registry = CurrentServiceContainer.getServiceContainer();
    final ServiceController<?> credStoreService = registry.getService(sn);
    final CredentialStore cs = (CredentialStore) credStoreService.getValue();
//    if (!cs.exists(secretAlias, PasswordCredential.class)) {
//      throw new CredentialStoreException("Alias " + secretAlias + " not found in credential store.");
//    }
    final Password password;
    try {
      password = cs.retrieve(secretAlias, PasswordCredential.class).getPassword();
    } catch (CredentialStoreException e) {
      e.printStackTrace();
      return null;
    }
    if (!(password instanceof ClearPassword)) {
      throw new ClassCastException("Password is not of type ClearPassword");
    }
    return new String(((ClearPassword) password).getPassword());
  }
    • 0

relate perguntas