Add MTLS Auth Support

.devcontainer/devcontainer.json

@@ -16,5 +16,13 @@
 	"forwardPorts": [
 		7233,
 		8233
-	]
+	],
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"mathiasfrohlich.Kotlin",
+				"redhat.fabric8-analytics"
+			]
+		}
+	}
 }

README.md

@@ -57,22 +57,26 @@ You can configure the listener using one of the following methods:
 
 Use the following command-line parameters:
 
-| Parameter                                           |
-|-----------------------------------------------------|
-| --spi-events-listener-temporal-server=temporal:7233 |
-| --spi-events-listener-temporal-namespace=default    |
-| --spi-events-listener-temporal-task-queue=keycloak  |
+| Parameter                                                           |
+| ------------------------------------------------------------------- |
+| --spi-events-listener-temporal-server=temporal:7233                 |
+| --spi-events-listener-temporal-namespace=default                    |
+| --spi-events-listener-temporal-task-queue=keycloak                  |
+| --spi-events-listener-temporal-client-cert=/etc/client-cert.crt     |
+| --spi-events-listener-temporal-client-cert-key=/etc/client-cert.key |
 
 
 ### Option 2: Environment Variables
 
 Alternatively, you can set these environmental variables:
 
-| Variable                                   | Value         |
-|--------------------------------------------|---------------|
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_SERVER     | temporal:7233 |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_NAMESPACE  | default       |
-| KC_SPI_EVENTS_LISTENER_TEMPORAL_TASK_QUEUE | keycloak      |
+| Variable                                        | Value                |
+| ----------------------------------------------- | -------------------- |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_SERVER          | temporal:7233        |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_NAMESPACE       | default              |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_TASK_QUEUE      | keycloak             |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_CLIENT_CERT     | /etc/client-cert.crt |
+| KC_SPI_EVENTS_LISTENER_TEMPORAL_CLIENT_CERT_KEY | /etc/client-cert.key |
 
 # License
 This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.

pom.xml

@@ -46,13 +46,15 @@
                 <version>1.9.23</version>
                 <executions>
                     <execution>
+                        <?m2e execute onConfiguration,onIncremental?>
                         <id>compile</id>
                         <phase>compile</phase>
                         <goals>
                             <goal>compile</goal>
                         </goals>
                     </execution>
                     <execution>
+                        <?m2e execute onConfiguration,onIncremental?>
                         <id>test-compile</id>
                         <phase>test-compile</phase>
                         <goals>

src/main/kotlin/app/infinityflow/keycloak/events/TemporalEventListenerProviderFactory.kt

@@ -2,8 +2,10 @@ package app.infinityflow.keycloak.events
 
 import io.temporal.client.WorkflowClient
 import io.temporal.client.WorkflowClientOptions
+import io.temporal.serviceclient.SimpleSslContextBuilder
 import io.temporal.serviceclient.WorkflowServiceStubs
 import io.temporal.serviceclient.WorkflowServiceStubsOptions
+import java.io.FileInputStream
 import org.jboss.logging.Logger
 import org.keycloak.Config
 import org.keycloak.events.EventListenerProvider
@@ -14,14 +16,15 @@ import org.keycloak.models.KeycloakSessionFactory
 class TemporalEventListenerProviderFactory : EventListenerProviderFactory {
     private val _logger = Logger.getLogger(TemporalEventListenerProviderFactory::class.java)
     private var _workflowClient: WorkflowClient? = null
-    private var _server = ""
-    private var _namespace = ""
-    private var _taskQueue = ""
-
+    private var _server = "localhost:7233"
+    private var _namespace = "default"
+    private var _taskQueue = "keycloak"
+    private var _clientCert = ""
+    private var _clientCertKey = ""
 
     override fun create(session: KeycloakSession?): EventListenerProvider {
         if (_logger.isDebugEnabled) {
-            _logger.debugf("Creating %s", TemporalEventListenerProvider::class)
+        _logger.debugf("Creating %s", TemporalEventListenerProvider::class)
         }
         return TemporalEventListenerProvider(_workflowClient!!, _taskQueue)
     }
@@ -31,37 +34,44 @@ class TemporalEventListenerProviderFactory : EventListenerProviderFactory {
             _logger.debugf("Initializing %s", TemporalEventListenerProviderFactory::class)
         }
 
-        _server = config?.get("server") ?: "localhost:7233"
-        _namespace = config?.get("namespace") ?: "default"
-        _taskQueue = config?.get("task-queue") ?: "keycloak"
+        _server = config?.get("server") ?: _server
+        _namespace = config?.get("namespace") ?: _namespace
+        _taskQueue = config?.get("task-queue") ?: _taskQueue
+        _clientCert = config?.get("client-cert") ?: _clientCert
+        _clientCertKey = config?.get("client-cert-key") ?: _clientCertKey
 
-        val workflowServiceStubsOptions = WorkflowServiceStubsOptions
-            .newBuilder()
+        val workflowServiceStubsOptionsBuilder = WorkflowServiceStubsOptions.newBuilder()
             .setTarget(_server)
-            .build()
-        val workflowServiceStubs = WorkflowServiceStubs
-            .newServiceStubs(workflowServiceStubsOptions)
-        _workflowClient = WorkflowClient
-            .newInstance(workflowServiceStubs, WorkflowClientOptions
-                .newBuilder()
-                .setNamespace(_namespace)
-                .build())
+
+        if (_clientCert.isNotEmpty() && _clientCertKey.isNotEmpty()) {
+            FileInputStream(_clientCert).use { certInputStream ->
+                FileInputStream(_clientCertKey).use { keyInputStream ->
+                    val sslContext = SimpleSslContextBuilder.forPKCS8(certInputStream, keyInputStream).build()
+                    workflowServiceStubsOptionsBuilder.setSslContext(sslContext)
+                }
+            }
+        }
+
+        val workflowServiceStubs = WorkflowServiceStubs.newServiceStubs(workflowServiceStubsOptionsBuilder.build())
+
+        _workflowClient = WorkflowClient.newInstance(workflowServiceStubs, WorkflowClientOptions.newBuilder()
+            .setNamespace(_namespace)
+            .build())
     }
 
     override fun postInit(factory: KeycloakSessionFactory?) {
         if (_logger.isDebugEnabled) {
-            _logger.debugf("Global Initialization %s", TemporalEventListenerProviderFactory::class)
+            _logger.debugf("Global Initialization %s", TemporalEventListenerProviderFactory::class.java)
         }
     }
 
     override fun close() {
         if (_logger.isDebugEnabled) {
             _logger.debugf("Closing %s", TemporalEventListenerProviderFactory::class)
         }
+
         _workflowClient = null
     }
 
-    override fun getId(): String {
-        return "temporal"
-    }
+    override fun getId(): String = "temporal"
 }

src/test/kotlin/app/infinityflow/keycloak/events/tests/TestScope.kt

@@ -7,7 +7,9 @@ class TestScope : Scope {
     private val _map: Map<String, String> = mapOf(
         "server" to "localhost:7233",
         "task-queue" to "default",
-        "namespace" to "default"
+        "namespace" to "default",
+        "client-cert" to "",
+        "client-cert-key" to ""
     )
 
     override fun get(p0: String?): String {