Resolved GH-11: unable to generate encryption key when DB URL is defined using configuration parameter instead of environment variable

Author: MLukman

Dockerfile

@@ -1,4 +1,4 @@
-ARG KEYCLOAK_VERSION=26.0.6
+ARG KEYCLOAK_VERSION=26.3.0
 
 ### Build provider keycloak-pii-data-encryption
 

README.md

@@ -20,7 +20,7 @@ cd Keycloak-PII-Data-Encryption-Provider
 Compile this provider into a JAR file using the following command. JDK 17 or above and Maven are required to be pre-installed on the machine. Make sure to match the `keycloak.version` parameter with the version of the target Keycloak.
 
 ```shell 
-mvn clean package -Dkeycloak.version=26.1.1
+mvn clean package -Dkeycloak.version=26.3.0
 ```
 
 Copy paste the packaged JAR file from inside `target` folder into Keycloak `providers` folder. Run `kc.sh build` command to get Keycloak to register this provider.
@@ -31,7 +31,7 @@ Use this method if this provider needs to be pre-packaged inside a custom Keyclo
 
 ```dockerfile
 # ARG defined before FROM in multi-staged Dockerfile is shared among the stages
-ARG KEYCLOAK_VERSION=26.1.1
+ARG KEYCLOAK_VERSION=26.3.0
 
 # Build the provider
 FROM maven:3.8.1-openjdk-17-slim AS keycloak-pii-data-encryption
@@ -58,11 +58,11 @@ RUN /opt/keycloak/bin/kc.sh build --db=mysql --features="declarative-ui" --spi-u
 
 ### Setting the encryption key
 
-This provider requires the encryption key to be provided via environment variable **`KC_PII_ENCKEY`** and it needs to be **at least 16 characters long**. There is, however, a default fallback that uses MD5 hash of environment variable `KC_DB_URL` if the encryption key is not provided. If you rely on this fallback and in the future need to migrate your Keycloak data into another databases that results in a different value of `KC_DB_URL`, you need to get the old value of `KC_DB_URL`, encode it using lowercased MD5 hash and set the value to the `KC_PII_ENCKEY` environment variable.
+This provider requires the encryption key to be provided via environment variable **`KC_PII_ENCKEY`** and it needs to be **at least 16 characters long**. If the encryption key is not provided, however, there is a default fallback that uses MD5 hash of the database JDBC URL, either using configuration parameter `db-url` or environment variable `KC_DB_URL`. If you rely on this fallback and in the future need to migrate your Keycloak data into another databases that results in a different value of JDBC URL, you need to get the old value of JDBC URL, encode it using lowercased MD5 hash and set the value to the `KC_PII_ENCKEY` environment variable.
 
 ### Enabling 'jpa-encrypted' user provider and 'declarative-ui' feature
 
-Starting with version 2.0, this provider requires the Keycloak instance to be either built or started with two flags:
+This provider requires the Keycloak instance to be either built or started with two flags:
 
 -  `--spi-user-provider=jpa-encrypted`
 - `--features="declarative-ui"`

pom.xml

@@ -3,14 +3,14 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>my.unifi.eset</groupId>
     <artifactId>keycloak-pii-data-encryption</artifactId>
-    <version>2.3</version>
+    <version>2.4</version>
     <packaging>jar</packaging>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.release>17</maven.compiler.release>
         <maven.compiler.source>17</maven.compiler.source>
         <maven.compiler.target>17</maven.compiler.target>
-        <keycloak.version>24.0.0</keycloak.version>
+        <keycloak.version>26.3.0</keycloak.version>
         <netbeans.hint.jdkPlatform>JDK_17</netbeans.hint.jdkPlatform>
         <junit.jupiter.version>5.9.2</junit.jupiter.version>
         <surefire.version>3.5.2</surefire.version>
@@ -22,6 +22,12 @@
             <version>${keycloak.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-quarkus-server</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-surefire-plugin</artifactId>

src/main/java/my/unifi/eset/keycloak/piidataencryption/jpa/EncryptedUserAttributeEntity.java

@@ -45,7 +45,7 @@ public class EncryptedUserAttributeEntity {
     @Column(name = "NAME", length = 255)
     protected String name;
 
-    @Column(name = "VALUE", length = 1000)
+    @Column(name = "VALUE")
     protected String value;
 
     public EncryptedUserAttributeEntity() {

src/main/java/my/unifi/eset/keycloak/piidataencryption/listeners/EventListener.java

@@ -17,7 +17,6 @@
 package my.unifi.eset.keycloak.piidataencryption.listeners;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import my.unifi.eset.keycloak.piidataencryption.utils.LogicUtils;
 import jakarta.persistence.EntityManager;
@@ -27,7 +26,6 @@
 import org.keycloak.events.EventListenerProvider;
 import org.keycloak.events.EventType;
 import org.keycloak.events.admin.AdminEvent;
-import org.keycloak.events.admin.OperationType;
 import org.keycloak.events.admin.ResourceType;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.UserModel;
@@ -59,10 +57,6 @@ public EventListener(KeycloakSession session) {
     public void onEvent(Event event) {
         if (event.getType() == EventType.REGISTER || event.getType() == EventType.UPDATE_PROFILE) {
             UserModel user = session.users().getUserById(session.realms().getRealm(event.getRealmId()), event.getUserId());
-            if (!LogicUtils.isUserEncryptionEnabled(session, event.getRealmId())) {
-                logger.debugf("Event: USER_ENCRYPTION_SKIPPED, Realm: %s, User: %s", event.getRealmId(), user.getId());
-                return;
-            }
             encryptUserWithId(event.getRealmId(), user.getId());
         }
     }
@@ -75,27 +69,26 @@ public void onEvent(Event event) {
      */
     @Override
     public void onEvent(AdminEvent event, boolean bln) {
-        if (event.getResourceType() == ResourceType.USER) {
-            String userId = null;
-            if (event.getOperationType() == OperationType.CREATE) {
+        if (event.getResourceType() != ResourceType.USER) {
+            return;
+        }
+        String userId = switch (event.getOperationType()) {
+            case CREATE -> {
                 try {
-                    JsonNode json = (new ObjectMapper()).readTree(event.getRepresentation());
-                    String username = json.get("username").asText();
+                    String username = (new ObjectMapper()).readTree(event.getRepresentation()).get("username").asText();
                     UserModel user = session.users().getUserByUsername(session.realms().getRealm(event.getRealmId()), username);
-                    userId = user != null ? user.getId() : null;
+                    yield (user != null ? user.getId() : null);
                 } catch (JsonProcessingException ex) {
+                    yield null;
                 }
             }
-            if (event.getOperationType() == OperationType.UPDATE) {
-                userId = event.getResourcePath().split("/")[1];
-            }
-            if (userId != null) {
-                if (!LogicUtils.isUserEncryptionEnabled(session, event.getRealmId())) {
-                    logger.debugf("Event: USER_ENCRYPTION_SKIPPED, Realm: %s, User: %s", event.getRealmId(), userId);
-                    return;
-                }
-                encryptUserWithId(event.getRealmId(), userId);
-            }
+            case UPDATE ->
+                event.getResourcePath().split("/")[1];
+            default ->
+                null;
+        };
+        if (userId != null) {
+            encryptUserWithId(event.getRealmId(), userId);
         }
     }
 
@@ -104,14 +97,18 @@ public void close() {
     }
 
     private void encryptUserWithId(String realmId, String userId) {
-        logger.debugf("Event: USER_ENCRYPTION, Realm: %s, User: %s", realmId, userId);
-        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
-        UserEntity userEntity = LogicUtils.getUserEntity(em, userId);
-        LogicUtils.encryptUserEntity(session, em, userEntity);
-        for (UserAttributeEntity uae : userEntity.getAttributes()) {
-            LogicUtils.encryptUserAttributeEntity(session, em, uae);
+        if (LogicUtils.isUserEncryptionEnabled(session, realmId)) {
+            logger.debugf("Event: USER_ENCRYPTION, Realm: %s, User: %s", realmId, userId);
+            EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
+            UserEntity userEntity = LogicUtils.getUserEntity(em, userId);
+            LogicUtils.encryptUserEntity(session, em, userEntity);
+            for (UserAttributeEntity uae : userEntity.getAttributes()) {
+                LogicUtils.encryptUserAttributeEntity(session, em, uae);
+            }
+            em.flush();
+        } else {
+            logger.debugf("Event: USER_ENCRYPTION_SKIPPED, Realm: %s, User: %s", realmId, userId);
         }
-        em.flush();
     }
 
 }

src/main/java/my/unifi/eset/keycloak/piidataencryption/utils/EncryptionUtils.java

@@ -33,6 +33,7 @@
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.lang3.ArrayUtils;
 import org.jboss.logging.Logger;
+import org.keycloak.quarkus.runtime.configuration.Configuration;
 
 /**
  * Provides encryption functionalities.
@@ -44,7 +45,7 @@ public final class EncryptionUtils {
     /**
      * Encryption algorithm to use.
      */
-    static String algorithm = "AES/CBC/PKCS5Padding";
+    static final String ALGORITHM = "AES/CBC/PKCS5Padding";
 
     /**
      * String to prefixed to encrypted value before it is stored in db to
@@ -67,7 +68,7 @@ public static String encryptValue(String value) {
             }
             byte[] iv = new byte[16];
             new SecureRandom().nextBytes(iv);
-            Cipher cipher = Cipher.getInstance(algorithm);
+            Cipher cipher = Cipher.getInstance(ALGORITHM);
             cipher.init(Cipher.ENCRYPT_MODE, getEncryptionKey(), new IvParameterSpec(iv));
             byte[] cipherText = cipher.doFinal(value.getBytes());
             return CIPHERTEXT_PREFIX + Base64.getEncoder().encodeToString(ArrayUtils.addAll(iv, cipherText));
@@ -95,7 +96,7 @@ public static String decryptValue(String value) {
             byte[] cipherTextWithIv = Base64.getDecoder().decode(value.substring(CIPHERTEXT_PREFIX.length()));
             byte[] iv = ArrayUtils.subarray(cipherTextWithIv, 0, 16);
             byte[] cipherText = ArrayUtils.subarray(cipherTextWithIv, 16, cipherTextWithIv.length);
-            Cipher cipher = Cipher.getInstance(algorithm);
+            Cipher cipher = Cipher.getInstance(ALGORITHM);
             cipher.init(Cipher.DECRYPT_MODE, getEncryptionKey(), new IvParameterSpec(iv));
             byte[] plainText = cipher.doFinal(cipherText);
             return new String(plainText);
@@ -121,8 +122,8 @@ public static boolean isEncryptedValue(String value) {
     }
 
     /**
-     * Gets encryption key from KC_PII_ENCKEY envvar, or generate one from
-     * KC_DB_URL envvar.
+     * Gets encryption key from KC_PII_ENCKEY environment variable, or generate
+     * one from the JDBC URL of the database.
      *
      * @return SecretKey
      * @throws NoSuchAlgorithmException
@@ -131,22 +132,19 @@ static synchronized SecretKey getEncryptionKey() throws NoSuchAlgorithmException
         if (key != null) {
             return key;
         }
-
         String rawkey = System.getenv("KC_PII_ENCKEY");
         if (rawkey == null || rawkey.isBlank()) {
             MessageDigest md = MessageDigest.getInstance("MD5");
-            md.update(System.getenv("KC_DB_URL").getBytes());
+            String dbUrl = Configuration.getRawValue("kc.db-url");
+            if (dbUrl == null || dbUrl.isBlank()) {
+                throw new IllegalArgumentException("Unable to generate encryption key from JDBC URL of the database. Please explicitly set the encryption key using KC_PII_ENCKEY environment variable.");
+            }
+            md.update(dbUrl.getBytes());
             rawkey = HexFormat.of().formatHex(md.digest()).toLowerCase();
-            Logger.getLogger(EncryptionUtils.class).warn("Encryption key generated using MD5 hash of KC_DB_URL. It is recommended to set this key as KC_PII_ENCKEY envvar.");
+            Logger.getLogger(EncryptionUtils.class).warn(String.format("Encryption key %s was generated using MD5 hash of JDBC URL of the database. It is recommended to set this key as KC_PII_ENCKEY environment variable.", rawkey));
         }
-
         SecretKeySpec genKey = new SecretKeySpec(rawkey.getBytes(), "AES");
-        try {
-            validateKey(genKey);
-        } catch (IllegalArgumentException e) {
-            throw e;
-        }
-
+        validateKey(genKey);
         return key = genKey;
     }
 
@@ -157,12 +155,12 @@ static synchronized SecretKey getEncryptionKey() throws NoSuchAlgorithmException
      */
     public static void validateKey(SecretKeySpec candidateKey) {
         try {
-            Cipher cipher = Cipher.getInstance(algorithm);
+            Cipher cipher = Cipher.getInstance(ALGORITHM);
             cipher.init(Cipher.ENCRYPT_MODE, candidateKey, new IvParameterSpec(new byte[16]));
             // Trivial encryption to validate
             cipher.doFinal("test".getBytes(StandardCharsets.UTF_8));
         } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
-            throw new IllegalArgumentException("Invalid encryption key for algorithm " + algorithm, e);
+            throw new IllegalArgumentException("Invalid encryption key for algorithm " + ALGORITHM, e);
         }
     }
 

src/main/java/my/unifi/eset/keycloak/piidataencryption/utils/LogicUtils.java

@@ -186,7 +186,7 @@ public static EncryptedUserAttributeEntity getEncryptedUserAttributeEntity(Entit
      *
      * @param ks KeycloakSession
      * @param em EntityManager
-     * @param realmId The realm ID
+     * @param realm The RealmModel to encrypt all of its users
      */
     public static void encryptExistingUserEntities(KeycloakSession ks, EntityManager em, RealmModel realm) {
         List<UserEntity> realmUsers = em.createQuery("SELECT u FROM UserEntity u WHERE u.realmId = :realmId", UserEntity.class).setParameter("realmId", realm.getId()).getResultList();

src/test/java/my/unifi/eset/keycloak/piidataencryption/utils/EncryptionUtilsTest.java

@@ -29,7 +29,6 @@
 
 import java.security.NoSuchAlgorithmException;
 
-import static my.unifi.eset.keycloak.piidataencryption.utils.EncryptionUtils.algorithm;
 import static org.junit.jupiter.api.Assertions.*;
 
 @ExtendWith(SystemStubsExtension.class)
@@ -74,8 +73,7 @@ void testWrongKeySize() {
             EncryptionUtils.getEncryptionKey();
         });
 
-        assertEquals("Invalid encryption key for algorithm " + algorithm, thrown.getMessage());
-
+        assertEquals("Invalid encryption key for algorithm " + EncryptionUtils.ALGORITHM, thrown.getMessage());
 
         environmentVariables.set(envVarKey, validEncKey);
         assertDoesNotThrow(() -> EncryptionUtils.getEncryptionKey(), "should work once the key is correct and not reuse the previous one");
@@ -98,8 +96,7 @@ void testValidateAnInvalidKey() {
             EncryptionUtils.validateKey(invalidKey);
         });
 
-        String expectedMessage = "Invalid encryption key for algorithm " + algorithm;
-        assertThrows(IllegalArgumentException.class, () -> EncryptionUtils.validateKey(invalidKey));
-        assert(thrown.getMessage().contains(expectedMessage));
+        String expectedMessage = "Invalid encryption key for algorithm " + EncryptionUtils.ALGORITHM;
+        assert (thrown.getMessage().contains(expectedMessage));
     }
 }