mathieuancelin · April 8, 2020 12:07
diff --git a/otoroshi (2).json b/otoroshi (2).json
 {
    "clientId": "otoroshi",
    "name": "otoroshi",
    "description": "otoroshi",
    "rootUrl": "http://localhost:8080",
    "adminUrl": "http://localhost:8080/*",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-x509",
    "redirectUris": [
        "http://localhost:8080/*",
        "http://privateapps.oto.tools:9999/*"
    ],
    "webOrigins": [
        "http://localhost:8080"
    ],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": true,
    "authorizationServicesEnabled": true,
    "publicClient": false,
    "frontchannelLogout": false,
    "protocol": "openid-connect",
    "attributes": {
        "saml.assertion.signature": "false",
        "x509.subjectdn": "CN=oto",
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "exclude.session.state.from.auth.response": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "true",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "protocolMappers": [
        {
            "name": "Client ID",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "config": {
                "user.session.note": "clientId",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientId",
                "jsonType.label": "String"
            }
        },
        {
            "name": "Client Host",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "config": {
                "user.session.note": "clientHost",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientHost",
                "jsonType.label": "String"
            }
        },
        {
            "name": "Client IP Address",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "config": {
                "user.session.note": "clientAddress",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientAddress",
                "jsonType.label": "String"
            }
        }
    ],
    "defaultClientScopes": [
        "web-origins",
        "role_list",
        "roles",
        "profile",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
 }
diff --git a/setup.sh b/setup.sh

 BASE=`pwd`

 rm -rf $BASE/keycloak-tls
 rm -rf $BASE/certs

 mkdir -p $BASE/certs

 cd certs

 openssl genrsa -out $BASE/certs/ca-keycloak.key 2048
 openssl rsa -in $BASE/certs/ca-keycloak.key -out $BASE/certs/ca-keycloak.key
 openssl req -new -x509 -sha256 -days 365 -key $BASE/certs/ca-keycloak.key -out $BASE/certs/ca-keycloak.cer -subj "/CN=keycloak-ca"

 openssl genrsa -out $BASE/certs/ca-client.key 2048
 openssl rsa -in $BASE/certs/ca-client.key -out $BASE/certs/ca-client.key
 openssl req -new -x509 -sha256 -days 365 -key $BASE/certs/ca-client.key -out $BASE/certs/ca-client.cer -subj "/CN=client-ca"

 openssl genrsa -out $BASE/certs/keycloak-server.key 2048
 openssl rsa -in $BASE/certs/keycloak-server.key -out $BASE/certs/keycloak-server.key
 openssl req -new -key $BASE/certs/keycloak-server.key -sha256 -out $BASE/certs/keycloak-server.csr -subj "/CN=localhost"
 openssl x509 -req -days 365 -sha256 -in $BASE/certs/keycloak-server.csr -CA $BASE/certs/ca-keycloak.cer -CAkey $BASE/certs/ca-keycloak.key -set_serial 1 -out $BASE/certs/keycloak-server.cer

 openssl genrsa -out $BASE/certs/izanami-client.key 2048
 openssl rsa -in $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.key
 openssl req -new -key $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.csr -subj "/CN=izanami"
 openssl x509 -req -days 365 -sha256 -in $BASE/certs/izanami-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/izanami-client.cer

 openssl genrsa -out $BASE/certs/oto-client.key 2048
 openssl rsa -in $BASE/certs/oto-client.key -out $BASE/certs/oto-client.key
 openssl req -new -key $BASE/certs/oto-client.key -out $BASE/certs/oto-client.csr -subj "/CN=oto"
 openssl x509 -req -days 365 -sha256 -in $BASE/certs/oto-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/oto-client.cer


 cd $BASE

 mkdir $BASE/keycloak-tls
 cp $BASE/certs/keycloak-server.cer $BASE/keycloak-tls/tls.crt
 cp $BASE/certs/keycloak-server.key $BASE/keycloak-tls/tls.key
 echo "" >> $BASE/keycloak-tls/tls.crt
 cat $BASE/certs/ca-keycloak.cer >> $BASE/keycloak-tls/tls.crt

 cp $BASE/certs/ca-client.key $BASE/keycloak-tls/ca-client.bundle
 echo "" >> $BASE/keycloak-tls/ca-client.bundle
 cat $BASE/certs/ca-client.cer >> $BASE/keycloak-tls/ca-client.bundle

 cd $BASE

 docker run -d -p 8080:8080 -p 8443:8443 \
  -v "$(pwd)/keycloak-tls/tls.crt:/etc/x509/https/tls.crt" \
  -v "$(pwd)/keycloak-tls/tls.key:/etc/x509/https/tls.key" \
  -v "$(pwd)/keycloak-tls/ca-client.bundle:/etc/x509/https/ca-client.bundle" \
  -e "X509_CA_BUNDLE=/etc/x509/https/ca-client.bundle" \
  -e "KEYCLOAK_USER=admin" \
  -e "KEYCLOAK_PASSWORD=password" \
  jboss/keycloak

 wait 30

 openssl s_client -connect localhost:8443 > tls-opt.txt # ne rend pas la main, il faut appuyer sur entrer
 curl -k -v https://localhost:8443 # works because of -f
 curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer # works because no client cert but good server CA
 curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer --key ./certs/keycloak-server.key --cert ./certs/keycloak-server.cer # fails
 curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer --key ./certs/izanami-client.key --cert ./certs/izanami-client.cer   # works

 docker kill $(docker ps -q) # WARNING kills everything
	{
	"clientId": "otoroshi",
	"name": "otoroshi",
	"description": "otoroshi",
	"rootUrl": "http://localhost:8080",
	"adminUrl": "http://localhost:8080/*",
	"surrogateAuthRequired": false,
	"enabled": true,
	"alwaysDisplayInConsole": false,
	"clientAuthenticatorType": "client-x509",
	"redirectUris": [
	"http://localhost:8080/*",
	"http://privateapps.oto.tools:9999/*"
	],
	"webOrigins": [
	"http://localhost:8080"
	],
	"notBefore": 0,
	"bearerOnly": false,
	"consentRequired": false,
	"standardFlowEnabled": true,
	"implicitFlowEnabled": false,
	"directAccessGrantsEnabled": true,
	"serviceAccountsEnabled": true,
	"authorizationServicesEnabled": true,
	"publicClient": false,
	"frontchannelLogout": false,
	"protocol": "openid-connect",
	"attributes": {
	"saml.assertion.signature": "false",
	"x509.subjectdn": "CN=oto",
	"saml.force.post.binding": "false",
	"saml.multivalued.roles": "false",
	"saml.encrypt": "false",
	"saml.server.signature": "false",
	"saml.server.signature.keyinfo.ext": "false",
	"exclude.session.state.from.auth.response": "false",
	"saml_force_name_id_format": "false",
	"saml.client.signature": "false",
	"tls.client.certificate.bound.access.tokens": "true",
	"saml.authnstatement": "false",
	"display.on.consent.screen": "false",
	"saml.onetimeuse.condition": "false"
	},
	"authenticationFlowBindingOverrides": {},
	"fullScopeAllowed": true,
	"nodeReRegistrationTimeout": -1,
	"protocolMappers": [
	{
	"name": "Client ID",
	"protocol": "openid-connect",
	"protocolMapper": "oidc-usersessionmodel-note-mapper",
	"consentRequired": false,
	"config": {
	"user.session.note": "clientId",
	"id.token.claim": "true",
	"access.token.claim": "true",
	"claim.name": "clientId",
	"jsonType.label": "String"
	}
	},
	{
	"name": "Client Host",
	"protocol": "openid-connect",
	"protocolMapper": "oidc-usersessionmodel-note-mapper",
	"consentRequired": false,
	"config": {
	"user.session.note": "clientHost",
	"id.token.claim": "true",
	"access.token.claim": "true",
	"claim.name": "clientHost",
	"jsonType.label": "String"
	}
	},
	{
	"name": "Client IP Address",
	"protocol": "openid-connect",
	"protocolMapper": "oidc-usersessionmodel-note-mapper",
	"consentRequired": false,
	"config": {
	"user.session.note": "clientAddress",
	"id.token.claim": "true",
	"access.token.claim": "true",
	"claim.name": "clientAddress",
	"jsonType.label": "String"
	}
	}
	],
	"defaultClientScopes": [
	"web-origins",
	"role_list",
	"roles",
	"profile",
	"email"
	],
	"optionalClientScopes": [
	"address",
	"phone",
	"offline_access",
	"microprofile-jwt"
	],
	"access": {
	"view": true,
	"configure": true,
	"manage": true
	}
	}

	BASE=`pwd`

	rm -rf $BASE/keycloak-tls
	rm -rf $BASE/certs

	mkdir -p $BASE/certs

	cd certs

	openssl genrsa -out $BASE/certs/ca-keycloak.key 2048
	openssl rsa -in $BASE/certs/ca-keycloak.key -out $BASE/certs/ca-keycloak.key
	openssl req -new -x509 -sha256 -days 365 -key $BASE/certs/ca-keycloak.key -out $BASE/certs/ca-keycloak.cer -subj "/CN=keycloak-ca"

	openssl genrsa -out $BASE/certs/ca-client.key 2048
	openssl rsa -in $BASE/certs/ca-client.key -out $BASE/certs/ca-client.key
	openssl req -new -x509 -sha256 -days 365 -key $BASE/certs/ca-client.key -out $BASE/certs/ca-client.cer -subj "/CN=client-ca"

	openssl genrsa -out $BASE/certs/keycloak-server.key 2048
	openssl rsa -in $BASE/certs/keycloak-server.key -out $BASE/certs/keycloak-server.key
	openssl req -new -key $BASE/certs/keycloak-server.key -sha256 -out $BASE/certs/keycloak-server.csr -subj "/CN=localhost"
	openssl x509 -req -days 365 -sha256 -in $BASE/certs/keycloak-server.csr -CA $BASE/certs/ca-keycloak.cer -CAkey $BASE/certs/ca-keycloak.key -set_serial 1 -out $BASE/certs/keycloak-server.cer

	openssl genrsa -out $BASE/certs/izanami-client.key 2048
	openssl rsa -in $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.key
	openssl req -new -key $BASE/certs/izanami-client.key -out $BASE/certs/izanami-client.csr -subj "/CN=izanami"
	openssl x509 -req -days 365 -sha256 -in $BASE/certs/izanami-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/izanami-client.cer

	openssl genrsa -out $BASE/certs/oto-client.key 2048
	openssl rsa -in $BASE/certs/oto-client.key -out $BASE/certs/oto-client.key
	openssl req -new -key $BASE/certs/oto-client.key -out $BASE/certs/oto-client.csr -subj "/CN=oto"
	openssl x509 -req -days 365 -sha256 -in $BASE/certs/oto-client.csr -CA $BASE/certs/ca-client.cer -CAkey $BASE/certs/ca-client.key -set_serial 2 -out $BASE/certs/oto-client.cer


	cd $BASE

	mkdir $BASE/keycloak-tls
	cp $BASE/certs/keycloak-server.cer $BASE/keycloak-tls/tls.crt
	cp $BASE/certs/keycloak-server.key $BASE/keycloak-tls/tls.key
	echo "" >> $BASE/keycloak-tls/tls.crt
	cat $BASE/certs/ca-keycloak.cer >> $BASE/keycloak-tls/tls.crt

	cp $BASE/certs/ca-client.key $BASE/keycloak-tls/ca-client.bundle
	echo "" >> $BASE/keycloak-tls/ca-client.bundle
	cat $BASE/certs/ca-client.cer >> $BASE/keycloak-tls/ca-client.bundle

	cd $BASE

	docker run -d -p 8080:8080 -p 8443:8443 \
	-v "$(pwd)/keycloak-tls/tls.crt:/etc/x509/https/tls.crt" \
	-v "$(pwd)/keycloak-tls/tls.key:/etc/x509/https/tls.key" \
	-v "$(pwd)/keycloak-tls/ca-client.bundle:/etc/x509/https/ca-client.bundle" \
	-e "X509_CA_BUNDLE=/etc/x509/https/ca-client.bundle" \
	-e "KEYCLOAK_USER=admin" \
	-e "KEYCLOAK_PASSWORD=password" \
	jboss/keycloak

	wait 30

	openssl s_client -connect localhost:8443 > tls-opt.txt # ne rend pas la main, il faut appuyer sur entrer
	curl -k -v https://localhost:8443 # works because of -f
	curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer # works because no client cert but good server CA
	curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer --key ./certs/keycloak-server.key --cert ./certs/keycloak-server.cer # fails
	curl -v https://localhost:8443 --cacert ./certs/ca-keycloak.cer --key ./certs/izanami-client.key --cert ./certs/izanami-client.cer # works

	docker kill $(docker ps -q) # WARNING kills everything