init keycloak provider

.github/workflows/build-release.yml

@@ -0,0 +1,92 @@
+name: build-release
+
+on: push
+
+env:
+  IMAGE_NAME: nxest/keycloak-encryption-provider
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+      - name: Build with Gradle
+        run: cd $GITHUB_WORKSPACE/password-encryption-provider && ./gradlew shadowJar
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '14'
+      - name: Build with Gradle
+        run: |
+          cd $GITHUB_WORKSPACE/password-encryption-provider-js
+          npm ci
+          npm run build
+          cd $GITHUB_WORKSPACE
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: build-artifacts
+          path: |
+            Dockerfile
+            README.md
+            password-encryption-provider-js/dist
+            password-encryption-provider-js/theme.properties
+            password-encryption-provider/build/libs
+
+  docker:
+    if: startsWith( github.ref, 'refs/tags/')
+    name: Push image
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: build-artifacts
+      - name: Display structure of downloaded files
+        run: ls -R
+
+      - name: Login to dockerhub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Setup qemu
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+
+      - name: Setup buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          version: latest
+
+      - name: Push to docker hub
+        run: |
+          # Strip git ref prefix from version
+          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+
+          # Strip "v" prefix from tag name
+          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+
+          docker buildx build \
+            --tag $IMAGE_NAME:$VERSION \
+            --tag $IMAGE_NAME:lastest \
+            --platform linux/amd64,linux/arm64 \
+            -f Dockerfile ./ \
+            --push
+      - name: Docker Hub README
+        uses: peter-evans/dockerhub-description@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: $IMAGE_NAME

.gitignore

@@ -1,3 +1,113 @@
+######################
+# Project Specific
+######################
+*.zip
+*.tar.gz
+
+######################
+# Node
+######################
+/node/
+node_tmp/
+node_modules/
+npm-debug.log.*
+/.awcache/*
+dist/
+
+#####################
+# SASS
+######################
+.sass-cache/
+
+######################
+# Eclipse
+######################
+*.pydevproject
+.project
+.metadata
+tmp/
+tmp/**/*
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+.factorypath
+/src/main/resources/rebel.xml
+
+# External tool builders
+.externalToolBuilders/**
+
+
+# Locally stored "Eclipse launch configurations"
+*.launch
+
+
+# CDT-specific
+.cproject
+
+# PDT-specific
+.buildpath
+
+######################
+# Intellij
+######################
+.idea/
+out/
+*.iml
+*.iws
+*.ipr
+*.ids
+*.orig
+classes/
+
+######################
+# Visual Studio Code
+######################
+.vscode/
+
+######################
+# Maven
+######################
+/log/
+/target/
+
+######################
+# Gradle
+######################
+.gradle/
+/build/
+
+
+
+######################
+# Windows
+######################
+# Windows image file caches
+Thumbs.db
+
+# Folder config file
+Desktop.ini
+
+######################
+# Mac OSX
+######################
+.DS_Store
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+######################
+# ESLint
+######################
+.eslintcache
+# ignore module build dir
+*/build
+
 # Compiled class file
 *.class
 
@@ -19,5 +129,5 @@
 *.tar.gz
 *.rar
 
-# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+# virtual machine crash logs
 hs_err_pid*

Dockerfile

@@ -0,0 +1,5 @@
+FROM busybox:1.32
+ENV KEYCLOAK_HOME=/opt/jboss/keycloak
+ADD ./password-encryption-provider/build/libs/password-encryption-provider.jar $KEYCLOAK_HOME/standalone/deployments/
+ADD ./password-encryption-provider-js/dist/password-encryption-provider.js $KEYCLOAK_HOME/themes/base/login/resources/js/
+ADD ./password-encryption-provider-js/theme.properties $KEYCLOAK_HOME/themes/base/login/

README.md

@@ -1,2 +1,47 @@
-# keycloak-password-encryption-provider
-A keycloak password encryption provider.
+# keycloak-password-encryption
+
+## 基本功能
+
+实现 keycloak 登录密码加密传输。
+
+## 实现基本原理
+
+- 前端 js 获取 keycloak 可用的公钥，然后使用该公钥对 password 字段数据进行加密。
+- 后端使用 CredentialProvider 拦截登录信息，使用私钥对 password 进行解密。
+
+## 如何使用
+
+### 编译 provider&部署 jar
+
+```shell
+gradle shadowJar
+```
+
+编译后会在 build/libs 文件夹下生成 keycloak-password-provider.jar，将该 jar 包 cp 到{keycloak home}/standalone/deployments/ 路径下。
+
+### 编译 js&部署 js
+
+```shell
+cd /password-encryption-provider-js
+npm install
+npm run build
+```
+
+编译后，会在/password-encryption-provider-js/login/resources/js/ 文件夹下生成 password-encryption-provider.js，将该 js 文件 cp 到{keycloak home}/themes/base/login/resources/js/路径下。
+
+然后，将“scripts=js/password-encryption-provider.js”cp 到{keycloak home}/themes/base/login/theme.properties 文件内。
+
+## 已适配 Keycloak 版本
+
+当前源码中所使用版本为 Keycloak-12.0.3 版本，如果使用其他版本的 Keycloak 其他版本，只需在修改/password-encryption-provider/build.gradle 中 keycloak 版本，重新编译即可。
+
+### 已适配版本
+
+- 10.0.2
+- 12.0.2
+- 12.0.3
+
+## 局限性
+
+- 仅仅实现了登陆密码加密传输
+- 添加密码&修改密码未实现加密传输

password-encryption-provider-js/index.js

@@ -0,0 +1,4 @@
+// jose = require('node-jose');
+// jwksDownloader = require('./src/jwks-downloader');
+// browserFormPwdEncrypt = require('./src/browser-form-pwd-encryptor');
+require('./src/password-events-register');