@continuoussecuritytooling/keycloak-reporter 0.5.1 → 0.7.0

package/cli.ts

@@ -4,15 +4,8 @@ import { writeFileSync } from 'node:fs';
 import path from 'path';
 import yargs from 'yargs/yargs';
 import { hideBin } from 'yargs/helpers';
-import {
-  listUsers,
-  listClients,
-  Options,
-  convertJSON2CSV,
-  post2Webhook
-} from './index.js';
+import { listUsers, listClients, Options, convertJSON2CSV, post2Webhook } from './index.js';
 import config from './src/config.js';
-
 class WebhookConfig {
   type: string;
   url: string;
@@ -31,13 +24,34 @@ class ReportConfig {
   directory: string;
 }
 
-async function convert(
-  format: string,
-  output: string,
-  reports: ReportConfig,
-  config: WebhookConfig,
-  json: object
-) {
+function getKeycloakConfig(config, argv): Options {
+  return {
+    clientId: config.clientId ? config.clientId : (argv.clientId as string),
+    clientSecret: config.clientSecret ? config.clientSecret : (argv.clientSecret as string),
+    rootUrl: config.url ? config.url : (argv.url as string),
+    useAuditingEndpoint: argv.useAuditingEndpoint == true || config.useAuditingEndpoint.toLowerCase() == 'true',
+  };
+}
+
+function convertData(config, argv, name: string, title: string, json: object) {
+  convert(
+    config.format ? config.format : (argv.format as string),
+    config.output ? config.output : (argv.output as string),
+    {
+      name,
+      directory: argv.reports ? (argv.reports as string) : config.reports,
+    },
+    new WebhookConfig(
+      config.webhookType ? config.webhookType : (argv.webhookType as string),
+      config.webhookUrl ? config.webhookUrl : (argv.webhookUrl as string),
+      title,
+      config.webhookMessage ? config.webhookMessage : (argv.webhookMessage as string)
+    ),
+    json
+  );
+}
+
+async function convert(format: string, output: string, reports: ReportConfig, config: WebhookConfig, json: object) {
   let outputContent: string;
   switch (format) {
     case 'csv':
@@ -52,23 +66,21 @@ async function convert(
     writeFileSync(
       path.join(
         `${reports.directory}`,
-        `${reports.name}_${date.getFullYear()}-${
-          date.getMonth() + 1
-        }-${date.getDate()}.${format.toLowerCase()}`
+        `${reports.name}_${date.getFullYear()}-${date.getMonth() + 1}-${date.getDate()}.${format.toLowerCase()}`
       ),
       outputContent
     );
   }
   switch (output) {
     case 'webhook':
+      if (!config.url) {
+        console.error('No valid Webhook URL given');
+        throw new Error('Please provide a valid --webhookUrl parameter');
+      }
       try {
-        await post2Webhook(
-          config.type,
-          config.url,
-          config.title,
-          outputContent,
-          config.message
-        );
+        console.log(`Sending report via webhook to ${config.type} ....`);
+        await post2Webhook(config.type, config.url, config.title, outputContent, config.message);
+        console.log('Done sending.');
       } catch (e) {
         switch (e.code || e.message) {
           case 'Request failed with status code 400':
@@ -78,10 +90,7 @@ async function convert(
             console.error('Invalid Slack Webhook Payload. Check your params.');
             throw new Error('Invalid Slack Payload');
           default:
-            console.error(
-              `Error during sending webhook.(${e?.code})`,
-              e?.original
-            );
+            console.error(`Error during sending webhook.(${e?.code})`, e?.original);
             throw e;
         }
       }
@@ -99,32 +108,8 @@ yargs(hideBin(process.argv))
     // eslint-disable-next-line @typescript-eslint/no-empty-function
     () => {},
     async (argv) => {
-      const users = await listUsers(<Options>{
-        clientId: config.clientId ? config.clientId : (argv.clientId as string),
-        clientSecret: config.clientSecret
-          ? config.clientSecret
-          : (argv.clientSecret as string),
-        rootUrl: config.url ? config.url : (argv.url as string)
-      });
-      await convert(
-        config.format ? config.format : (argv.format as string),
-        config.output ? config.output : (argv.output as string),
-        {
-          name: 'user_listing',
-          directory: argv.reports ? (argv.reports as string) : config.reports
-        },
-        new WebhookConfig(
-          config.webhookType
-            ? config.webhookType
-            : (argv.webhookType as string),
-          config.webhookUrl ? config.webhookUrl : (argv.webhookUrl as string),
-          'User Listing',
-          config.webhookMessage
-            ? config.webhookMessage
-            : (argv.webhookMessage as string)
-        ),
-        users
-      );
+      const users = await listUsers(getKeycloakConfig(config, argv));
+      convertData(config, argv, 'user_listing', 'User Listing', users);
     }
   )
   .command(
@@ -133,65 +118,47 @@ yargs(hideBin(process.argv))
     // eslint-disable-next-line @typescript-eslint/no-empty-function
     () => {},
     async (argv) => {
-      const clients = await listClients(<Options>{
-        clientId: config.clientId ? config.clientId : (argv.clientId as string),
-        clientSecret: config.clientSecret
-          ? config.clientSecret
-          : (argv.clientSecret as string),
-        rootUrl: config.url ? config.url : (argv.url as string)
-      });
-      await convert(
-        config.format ? config.format : (argv.format as string),
-        config.output ? config.output : (argv.output as string),
-        {
-          name: 'client_listing',
-          directory: argv.reports ? (argv.reports as string) : config.reports
-        },
-        new WebhookConfig(
-          config.webhookType
-            ? config.webhookType
-            : (argv.webhookType as string),
-          config.webhookUrl ? config.webhookUrl : (argv.webhookUrl as string),
-          'Client Listing',
-          config.webhookMessage
-            ? config.webhookMessage
-            : (argv.webhookMessage as string)
-        ),
-        clients
-      );
+      const clients = await listClients(getKeycloakConfig(config, argv));
+      convertData(config, argv, 'client_listing', 'Client Listing', clients);
     }
   )
   .option('format', {
     alias: 'f',
     type: 'string',
     default: 'json',
-    description: 'output format, e.g. JSON|CSV'
+    description: 'output format, e.g. JSON|CSV',
   })
   .option('output', {
     alias: 'o',
     type: 'string',
     default: 'stdout',
-    description: 'output channel'
+    description: 'output channel',
   })
   .option('webhookType', {
     alias: 'w',
     type: 'string',
     default: 'slack',
-    description: 'Webhook Type'
+    description: 'Webhook Type',
   })
   .option('webhookMessage', {
     alias: 'm',
     type: 'string',
-    description: 'Webhook Message'
+    description: 'Webhook Message',
   })
   .option('webhookUrl', {
     alias: 't',
     type: 'string',
-    description: 'Webhook URL'
+    description: 'Webhook URL',
   })
   .option('reports', {
     alias: 'r',
     type: 'string',
-    description: 'Reports directory'
+    description: 'Reports directory',
+  })
+  .option('useAuditingEndpoint', {
+    alias: 'a',
+    type: 'boolean',
+    default: false,
+    description: 'use auditior rest endpoint',
   })
   .parse();

package/config/schema.json

@@ -60,6 +60,11 @@
     "reports": {
       "type": "string",
       "description": "Reports directory"
+    },
+    "useAuditingEndpoint": {
+      "type": "boolean",
+      "default": "false",
+      "description": "Enable usage of keycloak reporter auditing endpoint"
     }
   }
-}
+}

package/index.ts

@@ -1,4 +1,4 @@
-export { listUsers, listClients } from './src/cli.js';
+export { listUsers, listClients } from './src/commands.js';
 export { Options } from './lib/client.js';
 export { convertJSON2CSV } from './lib/convert.js';
 export { post2Webhook } from './lib/output.js';

package/lib/client.ts

@@ -1,21 +1,20 @@
-import { Issuer } from 'openid-client';
 import KcAdminClient from '@keycloak/keycloak-admin-client';
-
-// Token refresh interval 60 seconds
-const TOKEN_REFRESH = 60;
+import { AuditClient } from '@continuoussecuritytooling/keycloak-auditor';
 
 export interface Options {
   clientId: string;
   clientSecret: string;
   rootUrl: string;
+  useAuditingEndpoint: boolean;
 }
 
-export async function createClient(options: Options): Promise<KcAdminClient> {
-  const kcAdminClient = new KcAdminClient({
-    baseUrl: options.rootUrl,
-    realmName: 'master',
-  });
-
+export async function createClient(options: Options): Promise<KcAdminClient | AuditClient> {
+  const kcAdminClient = options.useAuditingEndpoint
+    ? new AuditClient(options.rootUrl, 'master')
+    : new KcAdminClient({
+        baseUrl: options.rootUrl,
+        realmName: 'master',
+      });
   try {
     // client login
     await kcAdminClient.auth({
@@ -24,35 +23,9 @@ export async function createClient(options: Options): Promise<KcAdminClient> {
       grantType: 'client_credentials',
     });
   } catch (e) {
-    console.error(
-      'Check Client Config:',
-      e.response ? e.response.data.error_description : e
-    );
+    console.error('Check Client Config:', e.response ? e.response.data.error_description : e);
     return Promise.reject();
   }
 
-  const keycloakIssuer = await Issuer.discover(
-    `${options.rootUrl}/realms/master`
-  );
-
-  const client = new keycloakIssuer.Client({
-    client_id: options.clientId,
-    token_endpoint_auth_method: 'none', // to send only client_id in the header
-  });
-
-  // Use the grant type 'password'
-  const tokenSet = await client.grant({
-    client_id: options.clientId,
-    client_secret: options.clientSecret,
-    grant_type: 'client_credentials',
-  });
-
-  /*
-  // TODO: FIXME - Periodically using refresh_token grant flow to get new access token here
-  setInterval(async () => {
-    const refreshToken = tokenSet.refresh_token;
-    kcAdminClient.setAccessToken((await client.refresh(refreshToken)).access_token);
-  }, TOKEN_REFRESH * 1000); */
-
   return new Promise((resolve) => resolve(kcAdminClient));
 }

package/lib/output.ts

@@ -29,7 +29,7 @@ export async function post2Webhook(
           {
             contentType: 'application/vnd.microsoft.card.adaptive',
             content: {
-              $schema: 'http://adaptivecards.io/schemas/adaptive-card.json',
+              $schema: 'https://adaptivecards.io/schemas/adaptive-card.json',
               type: 'AdaptiveCard',
               version: '1.2',
               body: [
@@ -68,7 +68,7 @@ export async function post2Webhook(
                       }
                     ],
                     $schema:
-                      'http://adaptivecards.io/schemas/adaptive-card.json'
+                      'https://adaptivecards.io/schemas/adaptive-card.json'
                   }
                 }
               ]

package/lib/user.ts

@@ -1,4 +1,9 @@
 import KcAdminClient from '@keycloak/keycloak-admin-client';
+import {
+  AuditClient,
+  AuditedClientRepresentation,
+  AuditedUserRepresentation,
+} from '@continuoussecuritytooling/keycloak-auditor';
 
 export interface User {
   username: string;
@@ -21,79 +26,111 @@ export interface Client {
 }
 
 export async function clientListing(
-  client: KcAdminClient
-): Promise<Array<Client>> {
-  const currentRealm = client.realmName;
-  let realms;
-  try {
-    // iterate over realms
-    realms = await client.realms.find();
-  } catch (e) {
-    console.error('Check Client role:', e.response.statusText);
-    return Promise.reject();
-  }
-  let allClients = new Array<Client>();
-  for (const realm of realms) {
-    // switch realm
+  client: KcAdminClient | AuditClient
+): Promise<Array<Client | AuditedClientRepresentation>> {
+  let allClients = new Array<Client | AuditedClientRepresentation>();
+  if (client instanceof KcAdminClient) {
+    const currentRealm = client.realmName;
+    let realms;
+    try {
+      // iterate over realms
+      realms = await client.realms.find();
+    } catch (e) {
+      console.error('Check Client role:', e.response.statusText);
+      return Promise.reject();
+    }
+    for (const realm of realms) {
+      // switch realm
+      client.setConfig({
+        realmName: realm.realm,
+      });
+      const realmClients = new Array<Client>();
+      for (const user of await client.clients.find()) {
+        realmClients.push({
+          client: user.clientId,
+          id: user.id,
+          description: user.description,
+          realm: realm.realm,
+          enabled: user.enabled,
+          public: user.publicClient,
+          allowedOrigins: JSON.stringify(user.webOrigins),
+        });
+      }
+      allClients = [...allClients, ...realmClients];
+    }
+    // switch back to realm
     client.setConfig({
-      realmName: realm.realm,
+      realmName: currentRealm,
     });
-    const realmClients = new Array<Client>();
-    for (const user of await client.clients.find()) {
-      realmClients.push({
+  } else {
+    const clients = await client.clientListing();
+    for (const user of clients) {
+      allClients.push({
         client: user.clientId,
         id: user.id,
         description: user.description,
-        realm: realm.realm,
+        realm: user.realm,
         enabled: user.enabled,
         public: user.publicClient,
+        lastLogin: user.lastLogin,
         allowedOrigins: JSON.stringify(user.webOrigins),
       });
     }
-    allClients = [...allClients, ...realmClients];
   }
-  // switch back to realm
-  client.setConfig({
-    realmName: currentRealm,
-  });
-
   return new Promise((resolve) => resolve(allClients));
 }
 
-export async function userListing(client: KcAdminClient): Promise<Array<User>> {
-  const currentRealm = client.realmName;
-  let realms;
-  // iterate over realms
-  try {
-    realms = await client.realms.find();
-  } catch (e) {
-    console.error('Check Client role:', e.response.statusText);
-    return Promise.reject();
-  }
-  let allUsers = new Array<User>();
-  for (const realm of realms) {
-    // switch realm
+export async function userListing(
+  client: KcAdminClient | AuditClient
+): Promise<Array<User | AuditedUserRepresentation>> {
+  let allUsers = new Array<User | AuditedUserRepresentation>();
+  if (client instanceof KcAdminClient) {
+    const currentRealm = client.realmName;
+    let realms;
+    // iterate over realms
+    try {
+      realms = await client.realms.find();
+    } catch (e) {
+      console.error('Check Client role:', e.response.statusText);
+      return Promise.reject();
+    }
+    for (const realm of realms) {
+      // switch realm
+      client.setConfig({
+        realmName: realm.realm,
+      });
+      const realmUsers = new Array<User>();
+      for (const user of await client.users.find()) {
+        realmUsers.push({
+          username: user.username,
+          id: user.id,
+          firstName: user.firstName,
+          lastName: user.lastName,
+          email: user.email,
+          realm: realm.realm,
+          enabled: user.enabled,
+        });
+      }
+      allUsers = [...allUsers, ...realmUsers];
+    }
+    // switch back to realm
     client.setConfig({
-      realmName: realm.realm,
+      realmName: currentRealm,
     });
-    const realmUsers = new Array<User>();
-    for (const user of await client.users.find()) {
-      realmUsers.push({
+  } else {
+    const users = await client.userListing();
+    for (const user of users) {
+      allUsers.push({
         username: user.username,
         id: user.id,
         firstName: user.firstName,
         lastName: user.lastName,
         email: user.email,
-        realm: realm.realm,
+        realm: user.realm,
+        lastLogin: user.lastLogin,
         enabled: user.enabled,
       });
     }
-    allUsers = [...allUsers, ...realmUsers];
   }
-  // switch back to realm
-  client.setConfig({
-    realmName: currentRealm,
-  });
-
   return new Promise((resolve) => resolve(allUsers));
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@continuoussecuritytooling/keycloak-reporter",
-  "version": "0.5.1",
+  "version": "0.7.0",
   "description": "Reporting Tools for Keycloak",
   "main": "dist/index.js",
   "bin": {
@@ -25,9 +25,10 @@
   },
   "homepage": "https://github.com/ContinuousSecurityTooling/keycloak-reporter#readme",
   "dependencies": {
+    "@continuoussecuritytooling/keycloak-auditor": "^1.1.0",
     "@json2csv/node": "^7.0.0",
     "@keycloak/keycloak-admin-client": "^22.0.0",
-    "@slack/webhook": "^6.1.0",
+    "@slack/webhook": "^7.0.0",
     "ajv": "^8.12.0",
     "install": "^0.13.0",
     "ms-teams-webhook": "^2.0.2",
@@ -41,8 +42,8 @@
     "@types/jest": "^29.5.1",
     "@types/node": "^20.1.5",
     "@types/yargs": "^17.0.24",
-    "@typescript-eslint/eslint-plugin": "^5.59.6",
-    "@typescript-eslint/parser": "^5.59.6",
+    "@typescript-eslint/eslint-plugin": "^6.0.0",
+    "@typescript-eslint/parser": "^6.0.0",
     "eslint": "^8.40.0",
     "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-prettier": "^5.0.0",

package/renovate.json

@@ -1,6 +1,9 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:base", ":rebaseStalePrs"],
+  "labels": ["dependencies"],
+  "extends": ["config:base", ":dependencyDashboard", ":rebaseStalePrs"],
+  "automergeSchedule": ["after 5am and before 5pm every weekday"],
+  "separateMinorPatch": true,
   "platformAutomerge": true,
   "packageRules": [
     {
@@ -12,12 +15,16 @@
   ],
   "regexManagers": [
     {
-      "description": "Update version entries in YAML files",
-      "fileMatch": [".*y[a]?ml$"],
+      "description": "Update image variables in YAML files",
+      "fileMatch": ["\\.y[a]?ml$", "\\.y[a]?ml\\.tpl$"],
       "matchStrings": [
-        "# renovate: datasource=(?<datasource>[a-z-]+?)(?: lookupName=(?<lookupName>.+?))?(?: versioning=(?<versioning>[a-z-]+?))?\\sRUN install-[a-z]+? (?<depName>[a-z-]+?) (?<currentValue>.+?)\\s"
+        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?\\s.+?_version: (?<currentValue>.+?)\\s",
+        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?\\s.+?-version: (?<currentValue>.+?)\\s",
+        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?\\simage: (?<currentValue>.+?)\\s",
+        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>.+?) versioning=(?<versioning>.+?)\\s\\s*image: (?<currentValue>.*)",
+        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>.+?) \\s\\s*image: (?<currentValue>.*)"
       ],
-      "versioningTemplate": "{{#if versioning}}{{versioning}}{{else}}semver{{/if}}"
+      "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}"
     }
   ],
   "prHourlyLimit": 10

package/src/commands.ts

@@ -0,0 +1,27 @@
+import KcAdminClient from '@keycloak/keycloak-admin-client';
+import {
+  AuditClient,
+  AuditedClientRepresentation,
+  AuditedUserRepresentation,
+} from '@continuoussecuritytooling/keycloak-auditor';
+import { Options, createClient } from '../lib/client.js';
+import { User, userListing, clientListing, Client } from '../lib/user.js';
+
+function kcClient(options: Options): Promise<KcAdminClient | AuditClient> {
+  return createClient({
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    rootUrl: options.rootUrl,
+    useAuditingEndpoint: options.useAuditingEndpoint,
+  });
+}
+
+export async function listUsers(options: Options): Promise<Array<User | AuditedUserRepresentation>> {
+  const users = await userListing(await kcClient(options));
+  return new Promise((resolve) => resolve(users));
+}
+
+export async function listClients(options: Options): Promise<Array<Client | AuditedClientRepresentation>> {
+  const clients = await clientListing(await kcClient(options));
+  return new Promise((resolve) => resolve(clients));
+}

package/src/config.ts

@@ -1,5 +1,4 @@
 import { assoc, pick, mergeAll, mergeDeepRight } from 'ramda';
-import Ajv from 'ajv';
 import path from 'path';
 import { fileURLToPath } from 'url';
 import fs from 'fs';
@@ -8,16 +7,15 @@ const schema = JSON.parse(
   fs.readFileSync(fileURLToPath(path.join(import.meta.url, '../../config/schema.json')), 'utf8')
 );
 
-const ajv = new Ajv.default();
-const ajvValidate = ajv.compile(schema);
-
 // import the config file
 function buildConfigFromFile(filePath) {
   if (!filePath) return {};
   const isAbsolutePath = filePath.charAt(0) === '/';
-  return JSON.parse(isAbsolutePath
-    ? fs.readFileSync(filePath, 'utf8')
-    : fs.readFileSync(fileURLToPath(path.join(import.meta.url, '../config', filePath)), 'utf8'));
+  return JSON.parse(
+    isAbsolutePath
+      ? fs.readFileSync(filePath, 'utf8')
+      : fs.readFileSync(fileURLToPath(path.join(import.meta.url, '../config', filePath)), 'utf8')
+  );
 }
 // build an object using the defaults in the schema
 function buildDefaults(schema, definitions) {
@@ -50,19 +48,9 @@ function buildEnvironmentVariablesConfig(schema) {
     }
   }, {});
 }
-
-function validate(data) {
-  const valid = ajvValidate(data);
-  if (valid) return true;
-  throw new Error(ajv.errorsText());
-}
-
 // merge the environment variables, config file values, and defaults
 const config = mergeAll(
-  mergeDeepRight(
-    buildDefaults(schema, schema.definitions),
-    buildConfigFromFile(process.env.CONFIG_FILE)
-  ),
+  mergeDeepRight(buildDefaults(schema, schema.definitions), buildConfigFromFile(process.env.CONFIG_FILE)),
   buildEnvironmentVariablesConfig(schema)
 );
 

package/config.json

@@ -1,9 +0,0 @@
-{ 
-    "url": "https://id.m13t.de",
-    "clientId": "admin-cli",
-    "clientSecret": "PWkJ98Atq36QFP5Z25YXJDWs4tvsGvkI",
-    "output": "webhook",
-    "webhookType": "teams",
-    "webhookUrl": "https://m13t4mgmt.webhook.office.com/webhookb2/02950819-c8ca-4c83-9751-808d801e8810@09f6f098-3af9-474c-a398-d17786fff1bf/IncomingWebhook/b06222e267a04255aaa32a341acb1749/a4f92b5b-01c7-40a8-91ff-0695e08d76ff",
-    "webhookMessage": "TEST"
-}