
Commit 1a7c698

Jan Lieskovskypskopek
authored and committed
[CIAM-690] keycloak.sh -- Add support for RH-SSO 7.5.0,
when retrieving the PEM certificate of the realm's signing key. Signed-off-by: Jan Lieskovsky <[email protected]>
1 parent b260d3d commit 1a7c698


1 file changed

+42
-12
lines changed


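--- a/modules/eap/setup/eap/modules/added/keycloak.sh
+++ b/modules/eap/setup/eap/modules/added/keycloak.sh
@@ -724,14 +724,44 @@ function configure_subsystem() {
 deployments=
 redirect_path=
 
-# We need it to be retrieved prior to iterate the web deployments, needed by CLI
-if [ -n "$token" ]; then
+# We need it to be retrieved prior to iterate the web deployments, needed by CLI
+if [ -n "$token" ]; then
+### CIAM-690 -- Start of RH-SSO add-on:
+### -----------------------------------
+### Add support for RH-SSO 7.5
+
+realm_signing_key_certificate="xx"
+# SSO Server 7.0
+realm_certificate_url="${sso_service}/admin/realms/${SSO_REALM}"
+response=$(${CURL} -H "Accept: application/json" -H "Authorization: Bearer ${token}" "${realm_certificate_url}")
+if ! grep -q '"certificate":' <<< "${response}"; then
+# SSO Server 7.1+
+realm_certificate_url="${sso_service}/admin/realms/${SSO_REALM}/keys"
+response=$(${CURL} -H "Accept: application/json" -H "Authorization: Bearer ${token}" "${realm_certificate_url}")
+if ! grep -q '"certificate":' <<< "${response}"; then
+echo "Failed to retrieve signing key PEM certificate of the ${SSO_REALM}"
+exit 1
+else
+# SSO Server 7.1 up to 7.4
+if ! grep -q '"use":"SIG"' <<< "${response}"; then
+realm_signing_key_certificate=$(grep -Po '(?<="certificate":")[^"]*' <<< "${response}")
+# SSO Server 7.5+
+else
+realm_signing_key_certificate=$(grep -Po '(?<="certificate":")[^"]*(?=","use":"SIG")' <<< "${response}")
+fi
+fi
 # SSO Server 7.0
-realm_certificate=$($CURL -H "Accept: application/json" -H "Authorization: Bearer ${token}" ${sso_service}/admin/realms/${SSO_REALM} | grep -Po '(?<="certificate":")[^"]*')
-if [ -z "$realm_certificate" ]; then
-#SSO Server 7.1
-realm_certificate=$($CURL -H "Accept: application/json" -H "Authorization: Bearer ${token}" ${sso_service}/admin/realms/${SSO_REALM}/keys | grep -Po '(?<="certificate":")[^"]*')
+else
+realm_signing_key_certificate=$(grep -Po '(?<="certificate":")[^"]*' <<< "${response}")
+fi
+
+if [ "x${realm_signing_key_certificate}x" == "xx" ]; then
+echo "Failed to retrieve signing key PEM certificate of the ${SSO_REALM}"
+exit 1
 fi
+
+### CIAM-690 -- End of RH-SSO add-on
+### --------------------------------
 fi
 
 for f in $files
@@ -822,7 +852,7 @@ function configure_subsystem() {
 entity_id=${module_name}
 fi
 if [ $auth_method == ${SAML} ]; then
-if [ -n "$realm_certificate" ]; then
+if [ -n "$realm_signing_key_certificate" ]; then
 validate_signature=true
 if [ -n "$SSO_SAML_VALIDATE_SIGNATURE" ]; then
 validate_signature="$SSO_SAML_VALIDATE_SIGNATURE"
@@ -839,9 +869,9 @@ function configure_subsystem() {
 SingleLogoutService={validateRequestSignature=${validate_signature},validateResponseSignature=${validate_signature},signRequest=true,\
 signResponse=true,requestBinding=POST,responseBinding=POST, postBindingUrl=${SSO_URL}/realms/${SSO_REALM}/protocol/saml,\
 redirectBindingUrl=${SSO_URL}/realms/${SSO_REALM}/protocol/saml})"
-if [ -n "$realm_certificate" ]; then
+if [ -n "$realm_signing_key_certificate" ]; then
 cli="$cli
-/subsystem=keycloak-saml/secure-deployment=${f}/SP=${entity_id}/IDP=idp/Key=Key:add(signing=true,CertificatePem=\"${realm_certificate}\")"
+/subsystem=keycloak-saml/secure-deployment=${f}/SP=${entity_id}/IDP=idp/Key=Key:add(signing=true,CertificatePem=\"${realm_signing_key_certificate}\")"
 fi
 if [ -n "$SSO_SAML_KEYSTORE" ] && [ -n "$SSO_SAML_KEYSTORE_DIR" ]; then
 cli="$cli
@@ -929,8 +959,8 @@ function configure_subsystem() {
 
 subsystem=$(echo "${subsystem}" | sed "s|##KEYCLOAK_DEPLOYMENT_SUBSYSTEM##|${deployments}|" )
 
-if [ -n "$realm_certificate" ]; then
-keys="<Keys><Key signing=\"true\" ><CertificatePem>${realm_certificate}</CertificatePem></Key></Keys>"
+if [ -n "$realm_signing_key_certificate" ]; then
+keys="<Keys><Key signing=\"true\" ><CertificatePem>${realm_signing_key_certificate}</CertificatePem></Key></Keys>"
 subsystem=$(echo "${subsystem}" | sed "s|<!-- ##KEYCLOAK_REALM_CERTIFICATE## -->|${keys}|g")
 
 validate_signature=true
@@ -1132,4 +1162,4 @@ function query_routes_from_service() {
 fi
 fi
 fi
-}
+}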
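Review bot: In the new 7.5+ branch of the first hunk, `grep -Po '(?<="certificate":")[^"]*(?=","use":"SIG")'` prints one line per match, so if the /keys response lists more than one key that carries a certificate with `"use":"SIG"` (plausible after a key rotation), `realm_signing_key_certificate` becomes a multi-line value that the later hunks splice verbatim into the CLI `CertificatePem=` argument and the `<CertificatePem>` XML; the 7.1–7.4 extraction just above it has the same exposure. Consider narrowing to a single match, e.g. `realm_signing_key_certificate=$(grep -Po '(?<="certificate":")[^"]*(?=","use":"SIG")' <<< "${response}" | head -n 1)`, and add a comment that the lookahead assumes `"use":"SIG"` immediately follows the certificate field in compact JSON, since a reordered or pretty-printed response makes the grep return nothing and the script exits with the retrieval error. The `"xx"` sentinel in `realm_signing_key_certificate="xx"` is never observed, because every path either assigns the variable or exits before the `[ "x${realm_signing_key_certificate}x" == "xx" ]` check; initialising to the empty string and testing `[ -z "${realm_signing_key_certificate}" ]` reads more plainly. Both failure messages go to stdout; `>&2` would keep them out of captured output. configure_subsystem starts and continues outside the hunk.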
