diff --git a/docs/ingress-controllers.md b/docs/ingress-controllers.md
index 584d5e9..1e94625 100644
--- a/docs/ingress-controllers.md
+++ b/docs/ingress-controllers.md
@@ -16,7 +16,7 @@ spec:
 virtualhost:
 fqdn: keycloak.127-0-0-121.nip.io
 tls:
- secretName: keycloak-external
+ secretName: keycloak-server-cert
 clientValidation:
 caSecret: client-ca
 optionalClientCertificate: true
@@ -57,7 +57,7 @@ spec:
 protocol: HTTPS
 tls:
 mode: OPTIONAL_MUTUAL
- credentialName: keycloak-external
+ credentialName: keycloak-server-cert
 hosts:
 - "*"
 ```
@@ -68,7 +68,7 @@ spec:
 To configure a client with the X509 authenticator, create a new client with the following settings:
 1. In the "General settings" step, fill in:
- - Set the Client ID name, for example: `x509test`
+ - Set the Client ID name, for example: `xfcc-client`
 2. In the "Capabilicy config" step, fill in:
 - Client Authentication: On
 - Select "Service accounts roles"
@@ -82,7 +82,7 @@ Enable the X509 authenticator:
 Make an HTTP request with the client certificate:
 ```console
-$ http --cert certs/x509client.pem --cert-key certs/x509client-key.pem --verify certs/ca.pem --form POST https://keycloak.127-0-0-1.nip.io:8443/realms/master/protocol/openid-connect/token grant_type=client_credentials client_id=x509test
+$ http --cert target/certs/client.pem --cert-key target/certs/client-key.pem --verify target/certs/server-ca.pem --form POST https://keycloak.127.0.0.1.nip.io:8443/realms/xfcc/protocol/openid-connect/token grant_type=client_credentials client_id=xfcc-client
 HTTP/1.1 200 OK
 cache-control: no-store
 content-length: 1412
diff --git a/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookup.java b/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookup.java
index c81a97c..d50dbed 100644
--- a/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookup.java
+++ b/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookup.java
@@ -17,6 +17,9 @@
 import org.keycloak.http.HttpRequest;
 import org.keycloak.services.x509.X509ClientCertificateLookup;
+/**
+ * Extracts the client certificate chain from the HTTP request forwarded by Envoy.
+ */
 public class EnvoyProxySslClientCertificateLookup implements X509ClientCertificateLookup {
 protected final static String XFCC_HEADER = "x-forwarded-client-cert";
@@ -30,10 +33,10 @@ public void close() {
 /**
 * Extracts the client certificate chain from the HTTP request forwarded by Envoy.
 *
- * The Envoy XFCC header value is a comma (“,”) separated string.
+ * The Envoy XFCC header value is a comma (",") separated string.
 * Each substring is an XFCC element, which holds information added by a single proxy.
- * Each XFCC element is a semicolon (“;”) separated list of key-value pairs.
- * Each key-value pair is separated by an equal sign (“=”).
+ * Each XFCC element is a semicolon (";") separated list of key-value pairs.
+ * Each key-value pair is separated by an equal sign ("=").
 *
 * Example:
 *
@@ -44,7 +47,6 @@ public void close() {
 * 1. Cert - The entire client certificate in URL encoded PEM format.
 * 2. Chain - The entire client certificate chain (including the leaf certificate) in URL encoded PEM format.
 *
-
 * For Envoy documentation, see
 * https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert
 *
@@ -89,8 +91,10 @@ public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws Gen
 return certs;
 }
+ /**
+ * Decodes the URL encoded value and removes enclosing quotes if present.
+ */
 private String decodeValue(String value) {
- // Remove enclosing quotes if present.
 if (value.startsWith("\"") && value.endsWith("\"")) {
 value = value.substring(1, value.length() - 1);
 }
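Review bot: The new class Javadoc on `EnvoyProxySslClientCertificateLookup` says what is extracted but not the trust assumption that makes using it safe: `XFCC_HEADER` is the ordinary request header `x-forwarded-client-cert`, so the lookup is only sound when every path to Keycloak passes through an Envoy that replaces or strips any client-supplied XFCC value (for example `forward_client_cert_details: SANITIZE_SET`) and Keycloak is not reachable directly. Whether the parser does any further origin check on the header elements is outside this hunk, so I would state the assumption in the class comment: ` * Security: the XFCC header is trusted as received. Deploy only behind an Envoy that sanitizes` followed by ` * client-supplied x-forwarded-client-cert headers and block direct access to Keycloak, otherwise a caller can forge a certificate.` The rest of the class body, including the header parsing, is outside this hunk.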
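Review bot: In `decodeValue`, the quote-stripping guard `value.startsWith("\"") && value.endsWith("\"")` is satisfied by the one-character value `"`, and the following `value.substring(1, value.length() - 1)` then becomes `substring(1, 0)`, which throws `StringIndexOutOfBoundsException`; the new Javadoc describes the intended behaviour but the commit leaves this edge untouched. Presumably the value comes from splitting an XFCC key-value pair at `=`, so a malformed element such as `Cert="` would surface as an unhandled runtime exception rather than a clean rejection. The guard should require at least two characters: `if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {`. The remainder of `decodeValue`, including the URL decoding the Javadoc mentions, and any caller that might catch the exception are outside this hunk.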
diff --git a/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookupFactory.java b/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookupFactory.java
index 2f1c781..b4499a4 100644
--- a/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookupFactory.java
+++ b/src/main/java/io/github/nordix/keycloak/services/x509/EnvoyProxySslClientCertificateLookupFactory.java
@@ -14,6 +14,9 @@
 import org.keycloak.services.x509.X509ClientCertificateLookup;
 import org.keycloak.services.x509.X509ClientCertificateLookupFactory;
+/**
+ * Factory for creating EnvoyProxySslClientCertificateLookup instances.
+ */
 public class EnvoyProxySslClientCertificateLookupFactory implements X509ClientCertificateLookupFactory {
 private final static String PROVIDER = "envoy";
diff --git a/src/test/java/io/github/nordix/keycloak/services/x509/DockerComposeExtension.java b/src/test/java/io/github/nordix/keycloak/services/x509/DockerComposeExtension.java
index 01581f0..0d72d5f 100644
--- a/src/test/java/io/github/nordix/keycloak/services/x509/DockerComposeExtension.java
+++ b/src/test/java/io/github/nordix/keycloak/services/x509/DockerComposeExtension.java
@@ -16,6 +16,9 @@
 import org.jboss.logging.Logger;
 import org.junit.jupiter.api.extension.AfterAllCallback;
+/**
+ * JUnit extension for starting and stopping Docker Compose.
+ */
 public class DockerComposeExtension implements BeforeAllCallback, AfterAllCallback {
 private static final String DOCKER_COMPOSE_UP = "docker compose up --force-recreate --detach";
@@ -32,7 +35,7 @@ public class DockerComposeExtension implements BeforeAllCallback, AfterAllCallba
 @Override
 public void beforeAll(ExtensionContext context) throws Exception {
 run(DOCKER_COMPOSE_UP, "Failed to start Docker Compose.");
- logger.info("Use the following command to see the logs \"docker compose logs -f\"");
+ logger.info("To see logs, run 'docker compose logs -f'");
 }
 @Override