Keycloak Server
Silent install package for Keycloak Server
21.1.1-9
Security
System and network
Security
System and network
- package: tis-keycloak-server
- name: Keycloak Server
- version: 21.1.1-9
- categories: Security, System and network
- maintainer: Kevin Guerineau,WAPT Team,Tranquil IT
- editor: JBoss Red Hat
- licence: Apache 2.0
- locale: all
- target_os: debian_based
- impacted_process: keycloak
- architecture: all
- signature_date:
- size: 175.48 Mo
- homepage : https://www.keycloak.org/
package : tis-keycloak-server
version : 21.1.1-9
architecture : all
section : base
priority : optional
name : Keycloak Server
categories : Security, System and network
maintainer : Kevin Guerineau,WAPT Team,Tranquil IT
description : Keycloak is an open-source software package that enables a single authentication method to be introduced through identity and access management.
depends :
conflicts :
maturity : PROD
locale : all
target_os : debian_based
min_wapt_version : 2.2
sources :
installed_size :
impacted_process : keycloak
description_fr : Keycloak est un logiciel à code source ouvert permettant d'instaurer une méthode d'authentification unique à travers la gestion par identité et par accès.
description_pl : Keycloak to pakiet oprogramowania typu open-source, który umożliwia wprowadzenie pojedynczej metody uwierzytelniania poprzez zarządzanie tożsamością i dostępem.
description_de : Keycloak ist eine quelloffene Software, mit der Sie eine Single-Sign-On-Methode durch Identitäts- und Zugriffsverwaltung einführen können.
description_es : Keycloak es un paquete de software de código abierto que permite introducir un único método de autenticación mediante la gestión de identidades y accesos.
description_pt : O Keycloak é um pacote de software de código aberto que permite a introdução de um único método de autenticação através da gestão da identidade e do acesso.
description_it : Keycloak è un pacchetto software open-source che consente di introdurre un unico metodo di autenticazione attraverso la gestione delle identità e degli accessi.
description_nl : Keycloak is een open-source softwarepakket waarmee één authenticatiemethode kan worden ingevoerd via identiteits- en toegangsbeheer.
description_ru : Keycloak - это пакет программного обеспечения с открытым исходным кодом, который позволяет внедрить единый метод аутентификации в рамках управления идентификацией и доступом.
audit_schedule :
editor : JBoss Red Hat
keywords :
licence : Apache 2.0
homepage : https://www.keycloak.org/
package_uuid : 38bbd4ea-be55-40a4-af08-cec3178afa49
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version : 11
max_os_version :
icon_sha256sum : f844ec0989ea764ddcbb17e3e0ea7c15aa95e53d6e47d1c4950a1742a15707f5
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature : bdwcFlo3DWDgToOgNpSswHljrprPnWPgsR5cpLWFf99axUBIm4f3lrnn83XdYodGZZQue8CQtWyp+GoWSk9Y4xdpb9ncvw0NIqannWBATt4vsFMu1Ln8p3x3rx9HyWJH2PkchstC4sidK0inxICnD4WOVKM4akqGAiBDaRBGQJ/GbEbHygkQ7HkjL3ffTXV7KlomyNVZ62qJQvG4LFrFldszfWqRf+ZlgsUm3pDRlFawWffjQNTplftU1dv63HCem/BtFpB1Kb/rsSGNfTPwDkzk3dgVq6cWPqL6XMNO4o6VAHviNW93HnVnzbQnhfiZc7/75zx1v+Mj1xqERHyjoA==
signature_date : 2023-06-18T13:00:14.866734
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes# -*- coding: utf-8 -*-
from setuphelpers import *
import string
import random
import jinja2
from waptcrypto import SSLCertificate, SSLPrivateKey
kc_url = 'https://keycloak.domain.com' # Values : URL String
kc_health = True # Values : True / False
kc_metrics = False # Values : True / False
use_apache2 = True # Values : True / False
generate_ssl_cert = True # Values : True / False. Use False if you use commercial, Let's Encrypt or your PKI certificate.
# In this case, please configure "ssl_certificate_path" and "ssl_key_path".
ssl_certificate_path = None # Set None if generate_ssl_cert = True
ssl_key_path = None # Set None if generate_ssl_cert = True
keycloak_installdir = makepath('/opt','keycloak')
keycloak_installdir_bck = makepath('/opt','keycloak.bck')
keytabfile_path = makepath(keycloak_installdir,'conf','http-krb5.keytab')
keytabfile_path_bck = makepath(keycloak_installdir_bck,'conf','http-krb5.keytab')
keycloak_a2site = makepath('/etc','apache2','sites-available','keycloak.conf')
def systemd_enable_start_service(servicename):
return run('LANG=C systemctl enable --now %s' % (servicename))
def install():
print('If upgrade, stop keycloak service')
try:
systemd_stop_service('keycloak.service')
first_install = False
except:
print("It's the first install")
first_install = True
print('Install requirements')
install_apt('openjdk-17-jdk')
install_apt('postgresql')
if not first_install:
print('Create backup of old installation.')
copytree2(keycloak_installdir,keycloak_installdir_bck)
remove_tree(keycloak_installdir)
mkdirs(keycloak_installdir)
print('Extract archive')
version = control.version.split('-')[0]
run(f'tar xzf keycloak-{version}.tar.gz -C {keycloak_installdir}')
# Patch to use keycloak folder without version number in directory name.
copytree2(makepath(keycloak_installdir,f'keycloak-{version}'),keycloak_installdir)
remove_tree(makepath(keycloak_installdir,f'keycloak-{version}'))
if first_install:
print('Create group and user')
run('groupadd -r keycloak')
run(f'useradd -r -g keycloak -d {keycloak_installdir} -s /sbin/nologin keycloak')
print('Create Postgresql user and database')
run('sudo -u postgres psql -c "create database keycloak with encoding \'UTF8\';" ')
database_password = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 15))
run(f""" sudo -u postgres psql -c "create user keycloak with password '{database_password}';" """)
print('Create service')
service = f"""[Unit]
Description=Keycloak Service
After=network.target syslog.target postgresql.target
[Service]
User=keycloak
Group=keycloak
ExecStart={keycloak_installdir}/bin/kc.sh start
SuccessExitStatus=0 143
WorkingDirectory={keycloak_installdir}
[Install]
WantedBy=multi-user.target
"""
with open('/lib/systemd/system/keycloak.service','w') as service_file:
service_file.write(service)
run('systemctl daemon-reload')
print('Set user rights')
run(f'chown -R keycloak:keycloak {keycloak_installdir}')
if first_install:
if use_apache2:
print('Install Apache2')
install_apt('apache2')
print('Enable Apache2 modules')
run('a2enmod ssl headers proxy proxy_http')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
template = jinja_env.get_template('apache2.conf.j2')
if generate_ssl_cert:
print('Generate SSL key and certificate')
ap_ssl_dir = makepath('/etc','ssl')
mkdirs(ap_ssl_dir)
key_fn = os.path.join(ap_ssl_dir,'private','keycloak_key.pem')
key = SSLPrivateKey(key_fn)
if not os.path.isfile(key_fn):
print('Create SSL RSA Key %s' % key_fn)
key.create()
key.save_as_pem()
cert_fn = os.path.join(ap_ssl_dir,'certs','keycloak_cert.pem')
if os.path.isfile(cert_fn):
crt = SSLCertificate(cert_fn)
if os.path.isfile(cert_fn):
crt = SSLCertificate(cert_fn)
if crt.cn != get_fqdn():
os.rename(cert_fn,"%s-%s.old" % (cert_fn,'{:%Y%m%d-%Hh%Mm%Ss}'.format(datetime.datetime.now())))
crt = key.build_sign_certificate(cn=get_fqdn(),dnsname=get_fqdn(),is_code_signing=False)
print('Create X509 cert %s' % cert_fn)
crt.save_as_pem(cert_fn)
else:
crt = key.build_sign_certificate(cn=get_fqdn(),dnsname=get_fqdn(),is_code_signing=False)
print('Create X509 cert %s' % cert_fn)
crt.save_as_pem(cert_fn)
template_variables = {
'kc_url': kc_url.replace('https://','').replace('http://',''),
'ssl_certificate_path': cert_fn.replace('\\','/'),
'ssl_key_path': key_fn.replace('\\','/')
}
else:
template_variables = {
'kc_url': kc_url.replace('https://','').replace('http://',''),
'ssl_certificate_path': ssl_certificate_path,
'ssl_key_path': ssl_key_path
}
print('Write Apache2 site configfile')
config_string = template.render(template_variables)
print(f'Create Apache2 configuration file {keycloak_a2site}')
with open(keycloak_a2site, 'w') as dst_file:
dst_file.write(config_string)
print('Enable keycloak site and disable default site')
run('a2ensite keycloak.conf')
run_notfatal('a2dissite 000-default.conf')
print('Restart apache2 service')
run('systemctl restart apache2')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))
template = jinja_env.get_template('keycloak.conf.j2')
template_variables = {
'use_apache2': use_apache2,
'pgsql_passwd': database_password,
'kc_health': kc_health,
'kc_metrics': kc_metrics,
'kc_url': kc_url.replace('https://','').replace('http://',''),
}
print('Write Keycloak configuration')
config_string = template.render(template_variables)
print('Create Keycloak configuration file %s' % makepath(keycloak_installdir,'conf/keycloak.conf'))
with open(makepath(keycloak_installdir,'conf/keycloak.conf'), 'w') as dst_file:
dst_file.write(config_string)
if not first_install:
print('Copy old configfile')
filecopyto(makepath(keycloak_installdir_bck,'conf/keycloak.conf'), makepath(keycloak_installdir,'conf','keycloak.conf'))
if isfile(keytabfile_path_bck):
filecopyto(keytabfile_path_bck,keytabfile_path)
print('Set user rights')
run('chown -R keycloak:keycloak {keycloak_installdir}')
print('Build Keycloak for production')
run("/opt/keycloak/bin/kc.sh build")
print('Start Keycloak service')
systemd_enable_start_service('keycloak')# -*- coding: utf-8 -*-
from setuphelpers import *
import platform
import json
# Declaring specific app values (TO CHANGE)
package_name = "rocketchat-server"
def update_package():
print("Download/Update package content from upstream binary sources")
# Getting proxy informations from WAPT settings
proxy = {}
if platform.system() == "Windows" and isfile(makepath(user_local_appdata(), "waptconsole", "waptconsole.ini")):
proxywapt = inifile_readstring(makepath(user_local_appdata(), "waptconsole", "waptconsole.ini"), "global", "http_proxy")
if proxywapt:
proxy = {"http": proxywapt, "https": proxywapt}
# Specific app values
app_name = control.name
git_repo = "keycloak/keycloak"
url_api = "https://api.github.com/repos/%s/releases/latest" % git_repo
# Getting latest informations from Github API
json_load = json.loads(wgets(url_api, proxies=proxy))
for asset in json_load['assets']:
if '.tar.gz' in asset['name']:
url_dl = asset['browser_download_url']
break
version = json_load["tag_name"]
latest_bin = f"keycloak-{version}.tar.gz"
print("Latest " + app_name + " version is: " + version)
print("Download url for APT-based systems is: " + url_dl)
# Downloading latest binaries
if not isfile(latest_bin):
print("Downloading: " + latest_bin)
wget(url_dl, latest_bin, proxies=proxy)
# Changing version of the package
control.version = "%s-%s" % (version, int(control.version.split("-", 1)[1]) + 1)
control.save_control_to_wapt()
print("Changing version to " + control.version + " in WAPT\\control")
else:
print("This package is already up-to-date")
# Deleting outdated binaries
for bin_in_dir in glob.glob("*.deb"):
if bin_in_dir != latest_bin_deb:
print("Outdated binary: " + bin_in_dir + " Deleted")
remove_file(bin_in_dir)
9e0c622eee0f7409b478e1fcdc643474b99742dd4abe898163d4e537c3f67116 : setup.py
e15338029da66541850deaeb4974bcebe5e76c811a5e0c0fb57cc4212dd00b8c : templates/keycloak.conf.j2
b6111903a9f2d54ed6ef7455761683efb020a9cf6d146a3ccb570ed1b756afc4 : templates/apache2.conf.j2
e510a5b7cec505cd4281c0b822c13f6ccfbae9726bd0a730a78523d3c1c9514e : update_package.py
f844ec0989ea764ddcbb17e3e0ea7c15aa95e53d6e47d1c4950a1742a15707f5 : WAPT/icon.png
a5a97261381e1d0ad46ee15916abec9c2631d0201f5cc50ceb0197a165a0bbbf : WAPT/certificate.crt
33935118b767f431b1d6765912e4c254c92898b76cc6fead72d5fcc81bacfc54 : luti.json
8f5213398f69003b6760943c3d7be4149fb292e6fa35c61a641b1975139adc4e : keycloak-21.1.1.tar.gz
11836266e348ce1c0a4626f93f41452b194fbf00cacdf698ecd2113cfedeb433 : WAPT/control