@continuoussecuritytooling/keycloak-reporter 0.5.1 → 0.7.0

package/.eslintrc.cjs

@@ -2,13 +2,14 @@
 module.exports = {
   env: {
     node: true,
-    commonjs: true
+    commonjs: true,
   },
   extends: ['eslint:recommended', 'plugin:@typescript-eslint/recommended'],
   parser: '@typescript-eslint/parser',
   plugins: ['@typescript-eslint'],
   root: true,
   rules: {
-    quotes: [2, 'single', { avoidEscape: true }]
-  }
+    quotes: [2, 'single', { avoidEscape: true }],
+    'comma-dangle': ['error', 'only-multiline'],
+  },
 };

package/.github/workflows/pipeline.yml

@@ -6,6 +6,8 @@ on:
   push:
     branches:
       - develop
+    tags:
+      - '*'
 
 jobs:
   build:
@@ -23,7 +25,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: 'Use Node.js ${{ matrix.node_version }}'
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '${{ matrix.node_version }}'
       - name: npm build and test
@@ -53,7 +55,7 @@ jobs:
           check-latest: true
 
       - name: Helm Chart Testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.0
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -92,7 +94,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: 'Use Node.js ${{ matrix.node_version }}'
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '${{ matrix.node_version }}'
       - name: Install Java
@@ -131,24 +133,38 @@ jobs:
       - end2end
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
-        # TODO: Support Node 16+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '16'
+          # renovate: datasource=docker depName=node
+          node-version: '18'
       - name: 'Build Package'
         run: |
           npm run clean
           npm run build
-      - name: Buildah Action
+
+      - name: Write version vars
+        run: |
+          BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
+          VERSION=${GITHUB_REF_NAME#v}
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "APP_VERSION=$VERSION" >> $GITHUB_ENV
+          echo "BUILD_DATE=$BUILD_DATE" >> $GITHUB_ENV
+
+      - name: Build Container Image
         id: build-image
         uses: redhat-actions/buildah-build@v2
         with:
           image: continuoussecuritytooling/keycloak-reporting-cli
-          tags: 'v1 ${{ github.sha }}'
+          tags: 'rc_build ${{ github.sha }}'
           containerfiles: |
             ./Dockerfile
+          build-args: |
+            BUILD_DATE=${{env.BUILD_DATE}}
+            APP_VERSION=${{env.APP_VERSION}}
+
       - name: Push To Docker Hub
-        id: push-to-dockerhub
+        id: push-to-dockerhub-preview
         uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ steps.build-image.outputs.image }}
@@ -156,4 +172,15 @@ jobs:
           registry: registry.hub.docker.com
           username: continuoussecuritytooling
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
-        if: github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/develop'
+
+      - name: Push To Docker Hub
+        id: push-to-dockerhub-tagged
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: latest ${VERSION}
+          registry: registry.hub.docker.com
+          username: continuoussecuritytooling
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+        if: github.ref_type == 'tag'

package/.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
           python-version: '3.9'
           check-latest: true
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.0
 
       - name: Run chart-testing (lint)
         run: ct lint --config .ct.yaml 

package/.prettierrc

@@ -1,6 +1,6 @@
 {
   "semi": true,
-  "trailingComma": "none",
+  "trailingComma": "es5",
   "singleQuote": true,
-  "printWidth": 80
+  "printWidth": 120
 }

package/Dockerfile

@@ -1,6 +1,15 @@
 FROM node:18
 
-LABEL org.opencontainers.image.source https://github.com/ContinuousSecurityTooling/keycloak-reporter
+ARG BUILD_DATE
+ARG APP_VERSION
+
+LABEL org.opencontainers.image.authors='Martin Reinhardt (martin@m13t.de)' \
+    org.opencontainers.image.created=$BUILD_DATE \
+    org.opencontainers.image.version=$APP_VERSION \
+    org.opencontainers.image.url='https://hub.docker.com/r/continuoussecuritytooling/keycloak-reporting-cli' \
+    org.opencontainers.image.documentation='https://github.com/ContinuousSecurityTooling/keycloak-reporter' \
+    org.opencontainers.image.source='https://github.com/ContinuousSecurityTooling/keycloak-reporter.git' \
+    org.opencontainers.image.licenses='MIT'
 
 ENV CONFIG_FILE=/app/config.json
 
@@ -8,6 +17,14 @@ COPY dist/ docker_entrypoint.sh package.json /app
 
 WORKDIR /app
 
-RUN cd /app && npm i
+RUN cd /app && npm install --omit=dev &&\
+    chown -R 1000:2000 /app
+
+# apt update
+RUN apt-get update && apt-get -y upgrade &&\
+  # clean up to slim image
+  apt-get clean autoclean && apt-get autoremove --yes && rm -rf /var/lib/{apt,dpkg,cache,log}/
+
+USER 1000
 
 ENTRYPOINT ["/app/docker_entrypoint.sh"]

package/README.md

@@ -1,5 +1,6 @@
 # Keycloak Reporter
 
+Keycloak user and client reporting tool for automated regular access checks.
 
 [![License](https://img.shields.io/github/license/ContinuousSecurityTooling/keycloak-reporter.svg)](LICENSE)
 [![CI](https://github.com/ContinuousSecurityTooling/keycloak-reporter/actions/workflows/pipeline.yml/badge.svg)](https://github.com/ContinuousSecurityTooling/keycloak-reporter/actions/workflows/pipeline.yml)
@@ -7,8 +8,8 @@
 [![npm downloads](https://img.shields.io/npm/dm/@continuoussecuritytooling%2Fkeycloak-reporter.svg)](https://www.npmjs.com/package/@continuoussecuritytooling/keycloak-reporter)
 [![Docker Stars](https://img.shields.io/docker/stars/continuoussecuritytooling/keycloak-reporting-cli.svg)](https://hub.docker.com/r/continuoussecuritytooling/keycloak-reporting-cli/)
 [![Known Vulnerabilities](https://snyk.io/test/github/ContinuousSecurityTooling/keycloak-reporter/badge.svg)](https://snyk.io/test/github/ContinuousSecurityTooling/keycloak-reporter)
-
 [![Docker Stars](https://img.shields.io/docker/stars/continuoussecuritytooling/keycloak-reporting-cli.svg)](https://hub.docker.com/r/continuoussecuritytooling/keycloak-reporting-cli/)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/keycloak-reporter)](https://artifacthub.io/packages/helm/keycloak-reporter/keycloak-reporter)
 
 ## Usage
 
@@ -58,10 +59,10 @@ Valid commands are:
 
 ### Helm
 
-To install the Helm Chart use the OCI Package:
+To install the Helm Chart use the [OCI Package Registry](https://github.com/orgs/CloudTooling/packages):
 
 ```
-helm install keycloak-reporter oci://cloudtooling/helm-charts
+helm install keycloak-reporter oci://ghcr.io/cloudtooling/helm-charts
 ```
 
 ### Config file

package/artifacthub-repo.yml

@@ -0,0 +1,6 @@
+# Artifact Hub repository metadata file
+# Used to become verified publisher and more - https://artifacthub.io/docs/topics/repositories/#verified-publisher
+repositoryID: 7283911f-50c6-484a-961c-36546321ef56
+owners:
+  - name: hypery2k
+    email: martin@m13t.de

package/charts/keycloak-reporter/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: keycloak-reporter
-description: A Helm chart for Kubernetes
+description: Keycloak user and client reporting tool for automated regular access checks.
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,15 +15,21 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 # renovate: datasource=github-tags depName=ContinuousSecurityTooling/keycloak-reporter
-appVersion: "0.5.0"
+appVersion: '0.6.0'
 maintainers:
   # Martin Reinhardt
   - name: hypery2k
     email: martin@m13t.de
+annotations:
+  artifacthub.io/links: |
+    - name: GitHub
+      url: https://github.com/ContinuousSecurityTooling/keycloak-reporter
+    - name: Keycloak Auditor
+      url: https://github.com/ContinuousSecurityTooling/keycloak-auditor

package/charts/keycloak-reporter/README.md

@@ -1,8 +1,8 @@
 # keycloak-reporter
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.0](https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.0](https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square)
 
-A Helm chart for Kubernetes
+Keycloak user and client reporting tool for automated regular access checks.
 
 ## Maintainers
 
@@ -15,37 +15,23 @@ A Helm chart for Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| cronjobs[0].name | string | `"clients"` |  |
-| cronjobs[0].schedule | string | `"0 0 1 */3 *"` |  |
-| cronjobs[0].script | string | `"/app/index.js listClients"` |  |
-| cronjobs[1].name | string | `"users"` |  |
-| cronjobs[1].schedule | string | `"0 0 1 */3 *"` |  |
-| cronjobs[1].script | string | `"/app/index.js listUsers"` |  |
-| env | object | `{}` |  |
+| cronjobs | map | `{"clients":"0 0 1 */3 *","users":"0 0 1 */3 *"}` | Cron configuration |
+| env | map | `{}` | additonal environment variables |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"continuoussecuritytooling/keycloak-reporting-cli"` |  |
-| image.tag | string | `"latest"` |  |
+| image.tag | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
-| keycloak.config.clientId | string | `""` |  |
-| keycloak.config.clientSecret | string | `""` |  |
-| keycloak.config.output | string | `"webhook"` |  |
-| keycloak.config.url | string | `""` |  |
+| keycloak | map | `{"config":{"clientId":"","clientSecret":"","output":"webhook","url":"","useAuditingEndpoint":false,"webhookMessage":"","webhookType":"","webhookUrl":""},"volumes":{"reports":""}}` | Keycloak configuration |
 | keycloak.config.webhookMessage | string | `""` | optional message for the webhook post |
-| keycloak.config.webhookType | string | `""` |  |
-| keycloak.config.webhookUrl | string | `""` |  |
-| keycloak.volumes.reports | string | `""` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
 | replicaCount | int | `1` |  |
-| resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
 | tolerations | list | `[]` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)

package/charts/keycloak-reporter/templates/_helpers.tpl

@@ -66,18 +66,18 @@ Create the name of the service account to use
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "keycloak-reporter.cronJobs" }}
-{{- $cronJobs := list -}}
+{{- define "keycloak-reporter.cronJobs" -}}
 {{- if .Values.cronjobs.users }}
-{{- $userCron := dict "name" "users" "script" "listUsers" "schedule" .Values.cronjobs.users }}
-{{-   $cronJobs = printf "%s" $userCron . | append $cronJobs -}}
+users: 
+  script: "listUsers"
+  schedule: {{ .Values.cronjobs.users }}
 {{- end }}
 {{- if .Values.cronjobs.clients }}
-{{- $clientCron := dict "name" "users" "script" "listClients" "schedule" .Values.cronjobs.clients }}
-{{-   $cronJobs = printf "%s" $clientCron . | append $cronJobs -}}
-{{- end }}
-{{ join "," $cronJobs }}
+clients: 
+  script: "listClients"
+  schedule: {{ .Values.cronjobs.clients }}
 {{- end }}
+{{- end -}}
 
 
 

package/charts/keycloak-reporter/templates/cronjob.yaml

@@ -1,38 +1,47 @@
 {{- $fullName := include "keycloak-reporter.fullname" . }}
-{{- range include "keycloak-reporter.cronJobs" $ | split "," }}
+{{- range $name, $config := include "keycloak-reporter.cronJobs" $ | fromYaml }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: {{ printf "%s-job-%s" $fullName .name }}
+  name: {{ printf "%s-job-%s" $fullName $name }}
 spec:
-  schedule: "{{ .schedule }}"
+  schedule: {{ $config.schedule }}
   jobTemplate:
     spec:
       template:
         {{- with $.Values.podAnnotations }}
         annotations:
-          {{- toYaml . | nindent 8 }}
+          {{- toYaml $ | nindent 10 }}
         {{- end }}
         spec:
           {{- with $.Values.imagePullSecrets }}
           imagePullSecrets:
-            {{- toYaml . | nindent 8 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
+          # automountServiceAccountToken: false # fix KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect OPA policy
+          serviceAccountName: {{ default "default" ($.Values.serviceAccount).name }}
+          securityContext:
+            {{- toYaml $.Values.podSecurityContext | nindent 12 }}
           containers:
-            - name: {{ .name }}
+            - name: {{ $name }}
               image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}"
               imagePullPolicy: {{ $.Values.image.pullPolicy }}
               command:
-                - /bin/sh
-                - -c
-                - |
-                  node /app/cli.js {{ .script }}
+                - node
+                - /app/cli.js 
+                - {{ $config.script }}
               env:
                 - name: CONFIG_FILE
                   value: "/app/config.json"
               {{- with $.Values.env }}
               {{- tpl (toYaml .) $  | nindent 12 }}
               {{- end }}
+              {{- if $.Values.resources }}
+              resources:
+                {{- toYaml $.Values.resources | nindent 16 }}
+              {{- end }}
+              securityContext:
+                {{- toYaml $.Values.securityContext | nindent 16 }}
               volumeMounts:
                 - name: config-file
                   mountPath: "/app/config.json"
@@ -43,17 +52,13 @@ spec:
                   mountPath: "/app/reports"
                 {{- end }}
           restartPolicy: OnFailure
-          {{- if $.Values.resources }}
-          resources:
-            {{ toYaml $.Values.resources }}
-          {{- end }}
           {{- if $.Values.nodeSelector }}
           nodeSelector:
-            {{ toYaml $.Values.nodeSelector | indent 12 }}
+            {{ toYaml $.Values.nodeSelector | nindent 12 }}
           {{- end }}
           {{- if $.Values.tolerations }}
           tolerations:
-            {{ toYaml $.Values.tolerations | indent 12 }}
+            {{ toYaml $.Values.tolerations | nindent 12 }}
           {{- end }}
           volumes:
           - name: config-file

package/charts/keycloak-reporter/templates/secret.yaml

@@ -4,11 +4,9 @@ kind: Secret
 metadata:
   name: {{ $fullName }}
 stringData:
-  {{- range $k, $v := .Values.keycloak.config }}
-  {{- if $v}}
-  {{ $k }}: {{ $v }}
-  {{- end }}
-  {{- end }}
-  {{- if (.Values.keycloak.config.volumes).reports }}
-  reports: /app/reports
-  {{- end }}
+  config.json: |
+    {{- $config:= .Values.keycloak.config }}
+    {{- if (.Values.keycloak.config.volumes).reports }}
+    $config := merge $config (dict "reports" "/app/reports")
+    {{- end }}
+    {{ $config | toJson  }}

package/charts/keycloak-reporter/values.yaml

@@ -8,11 +8,11 @@ image:
   repository: continuoussecuritytooling/keycloak-reporting-cli
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  #tag: "latest"
+  tag: ""
 
 imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
+nameOverride: ''
+fullnameOverride: ''
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -21,52 +21,55 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: ""
+  name: ''
 
 podAnnotations: {}
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-
+# @ignore, Configure pod security context
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 2000
+# @ignore, Configure security context
+securityContext:
+  runAsUser: 1000
+  runAsNonRoot: true
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  # Hardening
+  capabilities:
+    drop: ['ALL']
+  seccompProfile:
+    type: 'RuntimeDefault'
+# -- (map) additonal environment variables
 env: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
+# -- (map) Keycloak configuration
 keycloak:
   config:
-    url: ""
-    clientId: ""
-    clientSecret: ""
-    output: "webhook"
-    webhookType: ""
-    webhookUrl: ""
+    url: ''
+    clientId: ''
+    clientSecret: ''
+    output: 'webhook'
+    webhookType: ''
+    webhookUrl: ''
+    useAuditingEndpoint: false
     # -- optional message for the webhook post
-    webhookMessage: ""
+    webhookMessage: ''
   volumes:
-    reports: ""
+    reports: ''
 
+# -- (map) Cron configuration
 cronjobs:
-  clients: "0 0 1 */3 *"
-  users: "0 0 1 */3 *"
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+  clients: '0 0 1 */3 *'
+  users: '0 0 1 */3 *'
 
+# @ignore, Configure resource limits
+resources:
+  limits:
+    cpu: 200m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
 
 nodeSelector: {}