@continuoussecuritytooling/keycloak-reporter 0.1.0

package/e2e/run-tests.sh

@@ -0,0 +1,45 @@
+#!/bin/bash -e
+
+TEST_DIR=reports
+
+run_tests() {
+  FILE_PATH=$1
+  mkdir -p ${TEST_DIR}
+
+  echo "------------------------------------"
+  echo "Running tests for file: ${FILE_PATH}"
+  echo -e "------------------------------------\n"
+
+  if [[ -f ${FILE_PATH} ]]; then
+    TEST_NAME="${FILE_PATH##*/}"
+
+    node ${FILE_PATH} | tee ${TEST_DIR}/${TEST_NAME}.txt
+    cat ${TEST_DIR}/${TEST_NAME}.txt | node ./node_modules/.bin/tap-xunit --package="${TEST_NAME}" > ${TEST_DIR}/${TEST_NAME}.xml
+    RET_VAL=$?
+
+    echo "------------------------------------"
+    echo "Tests for file ${FILE_PATH} finished with return value ${RET_VAL}"
+    echo -e "------------------------------------\n"
+
+    if [[ ${RET_VAL} -ne 0 ]]; then
+      exit 1
+    fi
+  else
+    echo "------------------------------------"
+    echo "Test file ${FILE_PATH} does not exists! Aborting tests execution."
+    echo "------------------------------------"
+    exit 2
+  fi
+}
+
+if [[ "$1" == "group1" ]]; then
+  for i in `ls e2e/spec/*.js | grep -v "enforcer-spec"`; do run_tests ${i}; done
+fi
+
+if [[ "$1" == "group2" ]]; then
+  for i in `ls e2e/spec/*.js | grep "enforcer-spec"`; do run_tests ${i}; done
+fi
+
+if [[ -z "$1" ]]; then
+  for i in `ls e2e/spec/*.js`; do run_tests ${i}; done
+fi

package/e2e/spec/clients.js

@@ -0,0 +1,29 @@
+'use strict';
+
+import { test } from 'tape';
+import { spawn } from 'node:child_process';
+import path from 'node:path';
+
+test('Should list clients as JSON', (t) => {
+  const cli = spawn(
+    path.join(path.dirname('.'), 'node'),
+    [
+      'dist/cli.js',
+      'listClients',
+      'http://localhost:8080',
+      'keycloak-reporter',
+      '3UYhI2hryFwoVtcd7ljlaDuD9HXrGV5r',
+    ],
+    {
+      env: {
+        ...process.env,
+      },
+    }
+  );
+  cli.stdout.on('data', (chunk) => {
+    t.equal(JSON.parse(chunk.toString()).length, 24);
+  });
+  cli.stdout.on('end', () => {
+    t.end();
+  });
+});

package/e2e/spec/users.js

@@ -0,0 +1,29 @@
+'use strict';
+
+import { test } from 'tape';
+import { spawn } from 'node:child_process';
+import path from 'node:path';
+
+test('Should list users as JSON', (t) => {
+  const cli = spawn(
+    path.join(path.dirname('.'), 'node'),
+    [
+      'dist/cli.js',
+      'listUsers',
+      'http://localhost:8080',
+      'keycloak-reporter',
+      '3UYhI2hryFwoVtcd7ljlaDuD9HXrGV5r',
+    ],
+    {
+      env: {
+        ...process.env,
+      },
+    }
+  );
+  cli.stdout.on('data', (chunk) => {
+    t.equal(JSON.parse(chunk.toString()).length, 3);
+  });
+  cli.stdout.on('end', () => {
+    t.end();
+  });
+});

package/e2e/spec/webhooks.js

@@ -0,0 +1,60 @@
+'use strict';
+
+import { test } from 'tape';
+import { spawn } from 'node:child_process';
+import path from 'node:path';
+
+test('Should post message to Teams', (t) => {
+  const cli = spawn(
+    path.join(path.dirname('.'), 'node'),
+    [
+      'dist/cli.js',
+      'listUsers',
+      'http://localhost:8080',
+      'keycloak-reporter',
+      '3UYhI2hryFwoVtcd7ljlaDuD9HXrGV5r',
+      '--output=webhook',
+      '--webhookType=teams',
+      '--webhookUrl=' + process.env.WEBHOOK_TESTING_TEAMS,
+    ],
+    {
+      env: {
+        ...process.env,
+      },
+    }
+  );
+  cli.stdout.on('data', (chunk) => {
+    console.log(chunk.toString())
+  });
+  cli.stdout.on('end', () => {
+    t.end();
+  });
+});
+
+test('Should post message to Slack', (t) => {
+    const cli = spawn(
+      path.join(path.dirname('.'), 'node'),
+      [
+        'dist/cli.js',
+        'listUsers',
+        'http://localhost:8080',
+        'keycloak-reporter',
+        '3UYhI2hryFwoVtcd7ljlaDuD9HXrGV5r',
+        '--output=webhook',
+        '--webhookType=slack',
+        '--webhookUrl=' + process.env.WEBHOOK_TESTING_SLACK,
+      ],
+      {
+        env: {
+          ...process.env,
+        },
+      }
+    );
+    cli.stdout.on('data', (chunk) => {
+      console.log(chunk.toString())
+    });
+    cli.stdout.on('end', () => {
+      t.end();
+    });
+  });
+  

package/index.ts

@@ -0,0 +1,125 @@
+#!/usr/bin/env node
+
+import yargs from 'yargs/yargs';
+import { hideBin } from 'yargs/helpers';
+import { listUsers, listClients } from './src/cli.js';
+import { Options } from './lib/client.js';
+import { convertJSON2CSV } from './lib/convert.js';
+import { post2Webhook } from './lib/output.js';
+
+class WebhookConfig {
+  type: string;
+  url: string;
+  title: string;
+  constructor(type: string, url: string, title: string) {
+    this.type = type;
+    this.url = url;
+    this.title = title;
+  }
+}
+
+async function convert(
+  format: string,
+  output: string,
+  config: WebhookConfig,
+  json: object
+) {
+  let outputContent: string;
+  switch (format) {
+    case 'csv':
+      outputContent = (await convertJSON2CSV(json)).toString();
+      break;
+    // defaulting to JSON
+    default:
+      outputContent = JSON.stringify(json);
+  }
+  switch (output) {
+    case 'webhook':
+      try {
+        await post2Webhook(
+          config.type,
+          config.url,
+          config.title,
+          outputContent
+        );
+      } catch (e) {
+        console.error('Error during sending webhook: ', e);
+      }
+      break;
+    // defaulting to standard out
+    default:
+      console.log(outputContent);
+  }
+}
+
+yargs(hideBin(process.argv))
+  .command(
+    'listUsers [url] [clientId] [clientSecret]',
+    'fetches all users in the realms.',
+    // eslint-disable-next-line @typescript-eslint/no-empty-function
+    () => {},
+    async (argv) => {
+      const users = await listUsers(<Options>{
+        clientId: argv.clientId as string,
+        clientSecret: argv.clientSecret as string,
+        rootUrl: argv.url as string,
+      });
+      await convert(
+        argv.format as string,
+        argv.output as string,
+        new WebhookConfig(
+          argv.webhookType as string,
+          argv.webhookUrl as string,
+          'User Listing'
+        ),
+        users
+      );
+    }
+  )
+  .command(
+    'listClients [url] [clientId] [clientSecret]',
+    'fetches all clients in the realms.',
+    // eslint-disable-next-line @typescript-eslint/no-empty-function
+    () => {},
+    async (argv) => {
+      const clients = await listClients(<Options>{
+        clientId: argv.clientId as string,
+        clientSecret: argv.clientSecret as string,
+        rootUrl: argv.url as string,
+      });
+      await convert(
+        argv.format as string,
+        argv.output as string,
+        new WebhookConfig(
+          argv.webhookType as string,
+          argv.webhookUrl as string,
+          'Client Listing'
+        ),
+        clients
+      );
+    }
+  )
+  .option('format', {
+    alias: 'f',
+    type: 'string',
+    default: 'json',
+    description: 'output format, e.g. JSON|CSV',
+  })
+  .option('output', {
+    alias: 'o',
+    type: 'string',
+    default: 'stdout',
+    description: 'output channel',
+  })
+  .option('webhookType', {
+    alias: 'w',
+    type: 'string',
+    default: 'slack',
+    description: 'Webhook Type',
+  })
+  .option('webhookUrl', {
+    alias: 't',
+    type: 'string',
+    description: 'Webhook URL',
+  })
+  .parse();

package/jest.config.js

@@ -0,0 +1,25 @@
+/** @type {import('ts-jest').JestConfigWithTsJest} */
+export default {
+  roots: [
+    'src',
+    'lib',
+    'test',
+  ],
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  collectCoverage: true,
+  collectCoverageFrom: [
+    'index.ts',
+    'src/**',
+    'lib/**',
+  ],
+  setupFilesAfterEnv: [
+    'jest-extended/all',
+  ],
+  transformIgnorePatterns: [
+      'node_modules/(?!(string-width|strip-ansi|ansi-regex|test-json-import)/)',
+  ],
+  'transform': {
+    '^.+\\.(ts|tsx)$': 'ts-jest',
+  },
+};

package/lib/client.ts

@@ -0,0 +1,55 @@
+import { Issuer } from 'openid-client';
+import KcAdminClient from '@keycloak/keycloak-admin-client';
+
+// Token refresh interval 60 seconds
+const TOKEN_REFRESH = 60;
+
+export interface Options {
+  clientId: string;
+  clientSecret: string;
+  rootUrl: string;
+}
+
+export async function createClient(options: Options): Promise<KcAdminClient> {
+  const kcAdminClient = new KcAdminClient({
+    baseUrl: options.rootUrl,
+    realmName: 'master',
+  });
+
+  try {
+    // client login
+    await kcAdminClient.auth({
+      clientId: options.clientId,
+      clientSecret: options.clientSecret,
+      grantType: 'client_credentials',
+    });
+  } catch (e) {
+    console.error('Check Client Config:',e.response.data.error_description);
+    return Promise.reject();
+  }
+
+  const keycloakIssuer = await Issuer.discover(
+    `${options.rootUrl}/realms/master`
+  );
+
+  const client = new keycloakIssuer.Client({
+    client_id: options.clientId,
+    token_endpoint_auth_method: 'none', // to send only client_id in the header
+  });
+
+  // Use the grant type 'password'
+  const tokenSet = await client.grant({
+    client_id: options.clientId,
+    client_secret: options.clientSecret,
+    grant_type: 'client_credentials',
+  });
+
+  /*
+  // TODO: FIXME - Periodically using refresh_token grant flow to get new access token here
+  setInterval(async () => {
+    const refreshToken = tokenSet.refresh_token;
+    kcAdminClient.setAccessToken((await client.refresh(refreshToken)).access_token);
+  }, TOKEN_REFRESH * 1000); */
+
+  return new Promise((resolve) => resolve(kcAdminClient));
+}

package/lib/convert.ts

@@ -0,0 +1,9 @@
+import { AsyncParser } from '@json2csv/node';
+
+export async function convertJSON2CSV(json: object) {
+  const opts = {};
+  const transformOpts = {};
+  const asyncOpts = {};
+  const parser = new AsyncParser(opts, transformOpts, asyncOpts);
+  return await parser.parse(json).promise();
+}

package/lib/output.ts

@@ -0,0 +1,115 @@
+import { IncomingWebhook as TeamsWebhook } from 'ms-teams-webhook';
+import { Block, SectionBlock } from '@slack/types';
+import { IncomingWebhook as SlackWebhook } from '@slack/webhook';
+
+enum WebhookType {
+  SLACK = 'slack',
+  TEAMS = 'teams',
+}
+
+export interface WebhookMessage {
+  url: string;
+  type: WebhookType;
+}
+
+export async function post2Webhook(
+  type: string,
+  url: string,
+  title: string,
+  reportContent: string
+): Promise<unknown> {
+  //const title= 'Keycloak Reporting';
+  const date = new Date();
+  switch (type) {
+    case WebhookType.TEAMS.toString():
+      return new TeamsWebhook(url).send({
+        type: 'message',
+        attachments: [
+          {
+            contentType: 'application/vnd.microsoft.card.adaptive',
+            content: {
+              $schema: 'http://adaptivecards.io/schemas/adaptive-card.json',
+              type: 'AdaptiveCard',
+              version: '1.2',
+              body: [
+                {
+                  type: 'FactSet',
+                  facts: [
+                    {
+                      title: 'Type',
+                      value: title,
+                    },
+                    {
+                      title: 'Date',
+                      value: `${date.getDate()}-${
+                        date.getMonth() + 1
+                      }-${date.getFullYear()}`,
+                    },
+                  ],
+                },
+              ],
+              actions: [
+                {
+                  type: 'Action.ShowCard',
+                  title: 'Show raw report data',
+                  card: {
+                    type: 'AdaptiveCard',
+                    body: [
+                      {
+                        type: 'TextBlock',
+                        text: reportContent,
+                        wrap: true,
+                      },
+                    ],
+                    $schema:
+                      'http://adaptivecards.io/schemas/adaptive-card.json',
+                  },
+                },
+              ],
+            },
+          },
+        ],
+      });
+    // defaulting to Slack
+    default:
+      return new SlackWebhook(url).send({
+        blocks: [
+          {
+            type: 'section',
+            fields: [
+              { type: 'mrkdwn', text: `*Type*: ${title}` },
+              {
+                type: 'mrkdwn',
+                text: `*Date*: ${date.getDate()}-${
+                  date.getMonth() + 1
+                }-${date.getFullYear()}`,
+              },
+            ],
+          },
+          {
+            type: 'divider',
+          },
+          {
+            type: 'context',
+            elements: [
+              {
+                type: 'mrkdwn',
+                text: `
+\`\`\`
+${reportContent}
+\`\`\`
+`
+              },
+            ],
+          },
+          {
+            type: 'context',
+            elements: [{ type: 'plain_text', text: 'Raw report data' }],
+          },
+        ],
+      });
+  }
+}
+
+/*
+ */

package/lib/user.ts

@@ -0,0 +1,99 @@
+import KcAdminClient from '@keycloak/keycloak-admin-client';
+
+export interface User {
+  username: string;
+  realm: string;
+  id: string;
+  firstName: string;
+  lastName: string;
+  email: string;
+  enabled: boolean;
+}
+
+export interface Client {
+  client: string;
+  realm: string;
+  id: string;
+  description: string;
+  enabled: boolean;
+  public: boolean;
+  allowedOrigins: string;
+}
+
+export async function clientListing(
+  client: KcAdminClient
+): Promise<Array<Client>> {
+  const currentRealm = client.realmName;
+  let realms;
+  try {
+    // iterate over realms
+    realms = await client.realms.find();
+  } catch (e) {
+    console.error('Check Client role:', e.response.statusText);
+    return Promise.reject();
+  }
+  let allClients = new Array<Client>();
+  for (const realm of realms) {
+    // switch realm
+    client.setConfig({
+      realmName: realm.realm,
+    });
+    const realmClients = new Array<Client>();
+    for (const user of await client.clients.find()) {
+      realmClients.push({
+        client: user.clientId,
+        id: user.id,
+        description: user.description,
+        realm: realm.realm,
+        enabled: user.enabled,
+        public: user.publicClient,
+        allowedOrigins: JSON.stringify(user.webOrigins),
+      });
+    }
+    allClients = [...allClients, ...realmClients];
+  }
+  // switch back to realm
+  client.setConfig({
+    realmName: currentRealm,
+  });
+
+  return new Promise((resolve) => resolve(allClients));
+}
+
+export async function userListing(client: KcAdminClient): Promise<Array<User>> {
+  const currentRealm = client.realmName;
+  let realms;
+  // iterate over realms
+  try {
+    realms = await client.realms.find();
+  } catch (e) {
+    console.error('Check Client role:', e.response.statusText);
+    return Promise.reject();
+  }
+  let allUsers = new Array<User>();
+  for (const realm of realms) {
+    // switch realm
+    client.setConfig({
+      realmName: realm.realm,
+    });
+    const realmUsers = new Array<User>();
+    for (const user of await client.users.find()) {
+      realmUsers.push({
+        username: user.username,
+        id: user.id,
+        firstName: user.firstName,
+        lastName: user.lastName,
+        email: user.email,
+        realm: realm.realm,
+        enabled: user.enabled,
+      });
+    }
+    allUsers = [...allUsers, ...realmUsers];
+  }
+  // switch back to realm
+  client.setConfig({
+    realmName: currentRealm,
+  });
+
+  return new Promise((resolve) => resolve(allUsers));
+}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@continuoussecuritytooling/keycloak-reporter",
+  "version": "0.1.0",
+  "description": "Reporting Tools for Keycloak",
+  "main": "dist/index.js",
+  "bin":  "dist/cli.js",
+  "type": "module",
+  "scripts": {
+    "clean": "rm -rf dist/* && npm i",
+    "build": "tsc && chmod +x dist/cli.js && cp package.json dist/",
+    "test": "eslint . && jest",
+    "end2end:start-server": ".bin/start-server.mjs -Dkeycloak.profile.feature.account_api=disabled -Dkeycloak.profile.feature.account2=disabled -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=e2e/fixtures/auth-utils/test-realm.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING",
+    "end2end:test": "./e2e/run-tests.sh"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ContinuousSecurityTooling/keycloak-reporter.git"
+  },
+  "author": "Martin Reinhardt",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/ContinuousSecurityTooling/keycloak-reporter/issues"
+  },
+  "homepage": "https://github.com/ContinuousSecurityTooling/keycloak-reporter#readme",
+  "dependencies": {
+    "@json2csv/node": "^7.0.0",
+    "@keycloak/keycloak-admin-client": "^20.0.5",
+    "@slack/webhook": "^6.1.0",
+    "install": "^0.13.0",
+    "ms-teams-webhook": "^2.0.2",
+    "npm": "^9.6.7",
+    "openid-client": "^5.4.2",
+    "yargs": "^17.7.2"
+  },
+  "devDependencies": {
+    "@octokit/rest": "^19.0.11",
+    "@types/jest": "^29.5.1",
+    "@types/node": "^20.1.5",
+    "@types/yargs": "^17.0.24",
+    "@typescript-eslint/eslint-plugin": "^5.59.6",
+    "@typescript-eslint/parser": "^5.59.6",
+    "eslint": "^8.40.0",
+    "gunzip-maybe": "^1.4.2",
+    "jest": "^29.5.0",
+    "jest-extended": "^3.2.4",
+    "node-fetch": "^3.3.1",
+    "tap-xunit": "^2.4.1",
+    "tape": "^5.6.3",
+    "tar-fs": "^2.1.1",
+    "ts-jest": "^29.1.0",
+    "typescript": "^5.0.4"
+  }
+}

package/renovate.json

@@ -0,0 +1,14 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+      "config:base"
+    ],
+    "packageRules": [
+      {
+        "matchDatasources": ["npm"],
+        "matchUpdateTypes": ["patch"],
+        "automerge": true
+      }
+    ],
+    "prHourlyLimit": 10
+  }

package/src/cli.ts

@@ -0,0 +1,26 @@
+import { Options, createClient } from '../lib/client.js';
+import { User, userListing, clientListing, Client } from '../lib/user.js';
+
+export async function listUsers(options: Options): Promise<Array<User>> {
+  const users = await userListing(
+    await createClient({
+      clientId: options.clientId,
+      clientSecret: options.clientSecret,
+      rootUrl: options.rootUrl,
+    })
+  );
+
+  return new Promise((resolve) => resolve(users));
+}
+
+export async function listClients(options: Options): Promise<Array<Client>> {
+  const clients = await clientListing(
+    await createClient({
+      clientId: options.clientId,
+      clientSecret: options.clientSecret,
+      rootUrl: options.rootUrl,
+    })
+  );
+
+  return new Promise((resolve) => resolve(clients));
+}