@continuoussecuritytooling/keycloak-reporter 0.6.0 → 0.7.0

package/.eslintrc.cjs

@@ -2,13 +2,14 @@
 module.exports = {
   env: {
     node: true,
-    commonjs: true
+    commonjs: true,
   },
   extends: ['eslint:recommended', 'plugin:@typescript-eslint/recommended'],
   parser: '@typescript-eslint/parser',
   plugins: ['@typescript-eslint'],
   root: true,
   rules: {
-    quotes: [2, 'single', { avoidEscape: true }]
-  }
+    quotes: [2, 'single', { avoidEscape: true }],
+    'comma-dangle': ['error', 'only-multiline'],
+  },
 };

package/.github/workflows/pipeline.yml

@@ -6,6 +6,8 @@ on:
   push:
     branches:
       - develop
+    tags:
+      - '*'
 
 jobs:
   build:
@@ -23,7 +25,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: 'Use Node.js ${{ matrix.node_version }}'
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '${{ matrix.node_version }}'
       - name: npm build and test
@@ -53,7 +55,7 @@ jobs:
           check-latest: true
 
       - name: Helm Chart Testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.0
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -92,7 +94,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: 'Use Node.js ${{ matrix.node_version }}'
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '${{ matrix.node_version }}'
       - name: Install Java
@@ -131,24 +133,38 @@ jobs:
       - end2end
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
-        # TODO: Support Node 16+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '16'
+          # renovate: datasource=docker depName=node
+          node-version: '18'
       - name: 'Build Package'
         run: |
           npm run clean
           npm run build
-      - name: Buildah Action
+
+      - name: Write version vars
+        run: |
+          BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
+          VERSION=${GITHUB_REF_NAME#v}
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "APP_VERSION=$VERSION" >> $GITHUB_ENV
+          echo "BUILD_DATE=$BUILD_DATE" >> $GITHUB_ENV
+
+      - name: Build Container Image
         id: build-image
         uses: redhat-actions/buildah-build@v2
         with:
           image: continuoussecuritytooling/keycloak-reporting-cli
-          tags: 'v1 ${{ github.sha }}'
+          tags: 'rc_build ${{ github.sha }}'
           containerfiles: |
             ./Dockerfile
+          build-args: |
+            BUILD_DATE=${{env.BUILD_DATE}}
+            APP_VERSION=${{env.APP_VERSION}}
+
       - name: Push To Docker Hub
-        id: push-to-dockerhub
+        id: push-to-dockerhub-preview
         uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ steps.build-image.outputs.image }}
@@ -156,4 +172,15 @@ jobs:
           registry: registry.hub.docker.com
           username: continuoussecuritytooling
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
-        if: github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/develop'
+
+      - name: Push To Docker Hub
+        id: push-to-dockerhub-tagged
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: latest ${VERSION}
+          registry: registry.hub.docker.com
+          username: continuoussecuritytooling
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+        if: github.ref_type == 'tag'

package/.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
           python-version: '3.9'
           check-latest: true
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.0
 
       - name: Run chart-testing (lint)
         run: ct lint --config .ct.yaml 

package/.prettierrc

@@ -1,6 +1,6 @@
 {
   "semi": true,
-  "trailingComma": "none",
+  "trailingComma": "es5",
   "singleQuote": true,
-  "printWidth": 80
+  "printWidth": 120
 }

package/Dockerfile

@@ -1,6 +1,15 @@
 FROM node:18
 
-LABEL org.opencontainers.image.source https://github.com/ContinuousSecurityTooling/keycloak-reporter
+ARG BUILD_DATE
+ARG APP_VERSION
+
+LABEL org.opencontainers.image.authors='Martin Reinhardt (martin@m13t.de)' \
+    org.opencontainers.image.created=$BUILD_DATE \
+    org.opencontainers.image.version=$APP_VERSION \
+    org.opencontainers.image.url='https://hub.docker.com/r/continuoussecuritytooling/keycloak-reporting-cli' \
+    org.opencontainers.image.documentation='https://github.com/ContinuousSecurityTooling/keycloak-reporter' \
+    org.opencontainers.image.source='https://github.com/ContinuousSecurityTooling/keycloak-reporter.git' \
+    org.opencontainers.image.licenses='MIT'
 
 ENV CONFIG_FILE=/app/config.json
 
@@ -11,6 +20,11 @@ WORKDIR /app
 RUN cd /app && npm install --omit=dev &&\
     chown -R 1000:2000 /app
 
+# apt update
+RUN apt-get update && apt-get -y upgrade &&\
+  # clean up to slim image
+  apt-get clean autoclean && apt-get autoremove --yes && rm -rf /var/lib/{apt,dpkg,cache,log}/
+
 USER 1000
 
 ENTRYPOINT ["/app/docker_entrypoint.sh"]

package/README.md

@@ -1,5 +1,6 @@
 # Keycloak Reporter
 
+Keycloak user and client reporting tool for automated regular access checks.
 
 [![License](https://img.shields.io/github/license/ContinuousSecurityTooling/keycloak-reporter.svg)](LICENSE)
 [![CI](https://github.com/ContinuousSecurityTooling/keycloak-reporter/actions/workflows/pipeline.yml/badge.svg)](https://github.com/ContinuousSecurityTooling/keycloak-reporter/actions/workflows/pipeline.yml)
@@ -7,8 +8,8 @@
 [![npm downloads](https://img.shields.io/npm/dm/@continuoussecuritytooling%2Fkeycloak-reporter.svg)](https://www.npmjs.com/package/@continuoussecuritytooling/keycloak-reporter)
 [![Docker Stars](https://img.shields.io/docker/stars/continuoussecuritytooling/keycloak-reporting-cli.svg)](https://hub.docker.com/r/continuoussecuritytooling/keycloak-reporting-cli/)
 [![Known Vulnerabilities](https://snyk.io/test/github/ContinuousSecurityTooling/keycloak-reporter/badge.svg)](https://snyk.io/test/github/ContinuousSecurityTooling/keycloak-reporter)
-
 [![Docker Stars](https://img.shields.io/docker/stars/continuoussecuritytooling/keycloak-reporting-cli.svg)](https://hub.docker.com/r/continuoussecuritytooling/keycloak-reporting-cli/)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/keycloak-reporter)](https://artifacthub.io/packages/helm/keycloak-reporter/keycloak-reporter)
 
 ## Usage
 
@@ -58,10 +59,10 @@ Valid commands are:
 
 ### Helm
 
-To install the Helm Chart use the OCI Package:
+To install the Helm Chart use the [OCI Package Registry](https://github.com/orgs/CloudTooling/packages):
 
 ```
-helm install keycloak-reporter oci://cloudtooling/helm-charts
+helm install keycloak-reporter oci://ghcr.io/cloudtooling/helm-charts
 ```
 
 ### Config file

package/artifacthub-repo.yml

@@ -0,0 +1,6 @@
+# Artifact Hub repository metadata file
+# Used to become verified publisher and more - https://artifacthub.io/docs/topics/repositories/#verified-publisher
+repositoryID: 7283911f-50c6-484a-961c-36546321ef56
+owners:
+  - name: hypery2k
+    email: martin@m13t.de

package/charts/keycloak-reporter/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: keycloak-reporter
-description: A Helm chart for Kubernetes
+description: Keycloak user and client reporting tool for automated regular access checks.
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,15 +15,21 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 # renovate: datasource=github-tags depName=ContinuousSecurityTooling/keycloak-reporter
-appVersion: "0.6.0"
+appVersion: '0.6.0'
 maintainers:
   # Martin Reinhardt
   - name: hypery2k
     email: martin@m13t.de
+annotations:
+  artifacthub.io/links: |
+    - name: GitHub
+      url: https://github.com/ContinuousSecurityTooling/keycloak-reporter
+    - name: Keycloak Auditor
+      url: https://github.com/ContinuousSecurityTooling/keycloak-auditor

package/charts/keycloak-reporter/README.md

@@ -1,8 +1,8 @@
 # keycloak-reporter
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.0](https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.0](https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square)
 
-A Helm chart for Kubernetes
+Keycloak user and client reporting tool for automated regular access checks.
 
 ## Maintainers
 
@@ -15,32 +15,23 @@ A Helm chart for Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| cronjobs.clients | string | `"0 0 1 */3 *"` |  |
-| cronjobs.users | string | `"0 0 1 */3 *"` |  |
-| env | object | `{}` |  |
+| cronjobs | map | `{"clients":"0 0 1 */3 *","users":"0 0 1 */3 *"}` | Cron configuration |
+| env | map | `{}` | additonal environment variables |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"continuoussecuritytooling/keycloak-reporting-cli"` |  |
+| image.tag | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
-| keycloak.config.clientId | string | `""` |  |
-| keycloak.config.clientSecret | string | `""` |  |
-| keycloak.config.output | string | `"webhook"` |  |
-| keycloak.config.url | string | `""` |  |
+| keycloak | map | `{"config":{"clientId":"","clientSecret":"","output":"webhook","url":"","useAuditingEndpoint":false,"webhookMessage":"","webhookType":"","webhookUrl":""},"volumes":{"reports":""}}` | Keycloak configuration |
 | keycloak.config.webhookMessage | string | `""` | optional message for the webhook post |
-| keycloak.config.webhookType | string | `""` |  |
-| keycloak.config.webhookUrl | string | `""` |  |
-| keycloak.volumes.reports | string | `""` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
 | replicaCount | int | `1` |  |
-| resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
 | tolerations | list | `[]` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)

package/charts/keycloak-reporter/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: continuoussecuritytooling/keycloak-reporting-cli
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  #tag: "latest"
+  tag: ""
 
 imagePullSecrets: []
 nameOverride: ''
@@ -51,6 +51,7 @@ keycloak:
     output: 'webhook'
     webhookType: ''
     webhookUrl: ''
+    useAuditingEndpoint: false
     # -- optional message for the webhook post
     webhookMessage: ''
   volumes:

package/cli.ts

@@ -4,15 +4,8 @@ import { writeFileSync } from 'node:fs';
 import path from 'path';
 import yargs from 'yargs/yargs';
 import { hideBin } from 'yargs/helpers';
-import {
-  listUsers,
-  listClients,
-  Options,
-  convertJSON2CSV,
-  post2Webhook
-} from './index.js';
+import { listUsers, listClients, Options, convertJSON2CSV, post2Webhook } from './index.js';
 import config from './src/config.js';
-
 class WebhookConfig {
   type: string;
   url: string;
@@ -31,13 +24,34 @@ class ReportConfig {
   directory: string;
 }
 
-async function convert(
-  format: string,
-  output: string,
-  reports: ReportConfig,
-  config: WebhookConfig,
-  json: object
-) {
+function getKeycloakConfig(config, argv): Options {
+  return {
+    clientId: config.clientId ? config.clientId : (argv.clientId as string),
+    clientSecret: config.clientSecret ? config.clientSecret : (argv.clientSecret as string),
+    rootUrl: config.url ? config.url : (argv.url as string),
+    useAuditingEndpoint: argv.useAuditingEndpoint == true || config.useAuditingEndpoint.toLowerCase() == 'true',
+  };
+}
+
+function convertData(config, argv, name: string, title: string, json: object) {
+  convert(
+    config.format ? config.format : (argv.format as string),
+    config.output ? config.output : (argv.output as string),
+    {
+      name,
+      directory: argv.reports ? (argv.reports as string) : config.reports,
+    },
+    new WebhookConfig(
+      config.webhookType ? config.webhookType : (argv.webhookType as string),
+      config.webhookUrl ? config.webhookUrl : (argv.webhookUrl as string),
+      title,
+      config.webhookMessage ? config.webhookMessage : (argv.webhookMessage as string)
+    ),
+    json
+  );
+}
+
+async function convert(format: string, output: string, reports: ReportConfig, config: WebhookConfig, json: object) {
   let outputContent: string;
   switch (format) {
     case 'csv':
@@ -52,24 +66,20 @@ async function convert(
     writeFileSync(
       path.join(
         `${reports.directory}`,
-        `${reports.name}_${date.getFullYear()}-${
-          date.getMonth() + 1
-        }-${date.getDate()}.${format.toLowerCase()}`
+        `${reports.name}_${date.getFullYear()}-${date.getMonth() + 1}-${date.getDate()}.${format.toLowerCase()}`
       ),
       outputContent
     );
   }
   switch (output) {
     case 'webhook':
+      if (!config.url) {
+        console.error('No valid Webhook URL given');
+        throw new Error('Please provide a valid --webhookUrl parameter');
+      }
       try {
         console.log(`Sending report via webhook to ${config.type} ....`);
-        await post2Webhook(
-          config.type,
-          config.url,
-          config.title,
-          outputContent,
-          config.message
-        );
+        await post2Webhook(config.type, config.url, config.title, outputContent, config.message);
         console.log('Done sending.');
       } catch (e) {
         switch (e.code || e.message) {
@@ -80,10 +90,7 @@ async function convert(
             console.error('Invalid Slack Webhook Payload. Check your params.');
             throw new Error('Invalid Slack Payload');
           default:
-            console.error(
-              `Error during sending webhook.(${e?.code})`,
-              e?.original
-            );
+            console.error(`Error during sending webhook.(${e?.code})`, e?.original);
             throw e;
         }
       }
@@ -101,32 +108,8 @@ yargs(hideBin(process.argv))
     // eslint-disable-next-line @typescript-eslint/no-empty-function
     () => {},
     async (argv) => {
-      const users = await listUsers(<Options>{
-        clientId: config.clientId ? config.clientId : (argv.clientId as string),
-        clientSecret: config.clientSecret
-          ? config.clientSecret
-          : (argv.clientSecret as string),
-        rootUrl: config.url ? config.url : (argv.url as string)
-      });
-      await convert(
-        config.format ? config.format : (argv.format as string),
-        config.output ? config.output : (argv.output as string),
-        {
-          name: 'user_listing',
-          directory: argv.reports ? (argv.reports as string) : config.reports
-        },
-        new WebhookConfig(
-          config.webhookType
-            ? config.webhookType
-            : (argv.webhookType as string),
-          config.webhookUrl ? config.webhookUrl : (argv.webhookUrl as string),
-          'User Listing',
-          config.webhookMessage
-            ? config.webhookMessage
-            : (argv.webhookMessage as string)
-        ),
-        users
-      );
+      const users = await listUsers(getKeycloakConfig(config, argv));
+      convertData(config, argv, 'user_listing', 'User Listing', users);
     }
   )
   .command(
@@ -135,65 +118,47 @@ yargs(hideBin(process.argv))
     // eslint-disable-next-line @typescript-eslint/no-empty-function
     () => {},
     async (argv) => {
-      const clients = await listClients(<Options>{
-        clientId: config.clientId ? config.clientId : (argv.clientId as string),
-        clientSecret: config.clientSecret
-          ? config.clientSecret
-          : (argv.clientSecret as string),
-        rootUrl: config.url ? config.url : (argv.url as string)
-      });
-      await convert(
-        config.format ? config.format : (argv.format as string),
-        config.output ? config.output : (argv.output as string),
-        {
-          name: 'client_listing',
-          directory: argv.reports ? (argv.reports as string) : config.reports
-        },
-        new WebhookConfig(
-          config.webhookType
-            ? config.webhookType
-            : (argv.webhookType as string),
-          config.webhookUrl ? config.webhookUrl : (argv.webhookUrl as string),
-          'Client Listing',
-          config.webhookMessage
-            ? config.webhookMessage
-            : (argv.webhookMessage as string)
-        ),
-        clients
-      );
+      const clients = await listClients(getKeycloakConfig(config, argv));
+      convertData(config, argv, 'client_listing', 'Client Listing', clients);
     }
   )
   .option('format', {
     alias: 'f',
     type: 'string',
     default: 'json',
-    description: 'output format, e.g. JSON|CSV'
+    description: 'output format, e.g. JSON|CSV',
   })
   .option('output', {
     alias: 'o',
     type: 'string',
     default: 'stdout',
-    description: 'output channel'
+    description: 'output channel',
   })
   .option('webhookType', {
     alias: 'w',
     type: 'string',
     default: 'slack',
-    description: 'Webhook Type'
+    description: 'Webhook Type',
   })
   .option('webhookMessage', {
     alias: 'm',
     type: 'string',
-    description: 'Webhook Message'
+    description: 'Webhook Message',
   })
   .option('webhookUrl', {
     alias: 't',
     type: 'string',
-    description: 'Webhook URL'
+    description: 'Webhook URL',
   })
   .option('reports', {
     alias: 'r',
     type: 'string',
-    description: 'Reports directory'
+    description: 'Reports directory',
+  })
+  .option('useAuditingEndpoint', {
+    alias: 'a',
+    type: 'boolean',
+    default: false,
+    description: 'use auditior rest endpoint',
   })
   .parse();

package/config/schema.json

@@ -60,6 +60,11 @@
     "reports": {
       "type": "string",
       "description": "Reports directory"
+    },
+    "useAuditingEndpoint": {
+      "type": "boolean",
+      "default": "false",
+      "description": "Enable usage of keycloak reporter auditing endpoint"
     }
   }
-}
+}

package/index.ts

@@ -1,4 +1,4 @@
-export { listUsers, listClients } from './src/cli.js';
+export { listUsers, listClients } from './src/commands.js';
 export { Options } from './lib/client.js';
 export { convertJSON2CSV } from './lib/convert.js';
 export { post2Webhook } from './lib/output.js';

package/lib/client.ts

@@ -1,21 +1,20 @@
-import { Issuer } from 'openid-client';
 import KcAdminClient from '@keycloak/keycloak-admin-client';
-
-// Token refresh interval 60 seconds
-const TOKEN_REFRESH = 60;
+import { AuditClient } from '@continuoussecuritytooling/keycloak-auditor';
 
 export interface Options {
   clientId: string;
   clientSecret: string;
   rootUrl: string;
+  useAuditingEndpoint: boolean;
 }
 
-export async function createClient(options: Options): Promise<KcAdminClient> {
-  const kcAdminClient = new KcAdminClient({
-    baseUrl: options.rootUrl,
-    realmName: 'master',
-  });
-
+export async function createClient(options: Options): Promise<KcAdminClient | AuditClient> {
+  const kcAdminClient = options.useAuditingEndpoint
+    ? new AuditClient(options.rootUrl, 'master')
+    : new KcAdminClient({
+        baseUrl: options.rootUrl,
+        realmName: 'master',
+      });
   try {
     // client login
     await kcAdminClient.auth({
@@ -24,35 +23,9 @@ export async function createClient(options: Options): Promise<KcAdminClient> {
       grantType: 'client_credentials',
     });
   } catch (e) {
-    console.error(
-      'Check Client Config:',
-      e.response ? e.response.data.error_description : e
-    );
+    console.error('Check Client Config:', e.response ? e.response.data.error_description : e);
     return Promise.reject();
   }
 
-  const keycloakIssuer = await Issuer.discover(
-    `${options.rootUrl}/realms/master`
-  );
-
-  const client = new keycloakIssuer.Client({
-    client_id: options.clientId,
-    token_endpoint_auth_method: 'none', // to send only client_id in the header
-  });
-
-  // Use the grant type 'password'
-  const tokenSet = await client.grant({
-    client_id: options.clientId,
-    client_secret: options.clientSecret,
-    grant_type: 'client_credentials',
-  });
-
-  /*
-  // TODO: FIXME - Periodically using refresh_token grant flow to get new access token here
-  setInterval(async () => {
-    const refreshToken = tokenSet.refresh_token;
-    kcAdminClient.setAccessToken((await client.refresh(refreshToken)).access_token);
-  }, TOKEN_REFRESH * 1000); */
-
   return new Promise((resolve) => resolve(kcAdminClient));
 }

package/lib/output.ts

@@ -29,7 +29,7 @@ export async function post2Webhook(
           {
             contentType: 'application/vnd.microsoft.card.adaptive',
             content: {
-              $schema: 'http://adaptivecards.io/schemas/adaptive-card.json',
+              $schema: 'https://adaptivecards.io/schemas/adaptive-card.json',
               type: 'AdaptiveCard',
               version: '1.2',
               body: [
@@ -68,7 +68,7 @@ export async function post2Webhook(
                       }
                     ],
                     $schema:
-                      'http://adaptivecards.io/schemas/adaptive-card.json'
+                      'https://adaptivecards.io/schemas/adaptive-card.json'
                   }
                 }
               ]