feat: add docs for deletion requests and keycloak tasks #60

Merged
b12f merged 3 commits from feat/keycloak-and-deletion-docs into main 2023-11-18 21:35:22 +00:00
4 changed files with 135 additions and 0 deletions

61
docs/deletion-request.md Normal file
View file

@ -0,0 +1,61 @@
# Process for handling a deletion request
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
# Take note of user id in response from following command
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=<email-address>
# To avoid impersonification, we deactivate the account by resetting the password and email address
# Use user id from previous command, for example
sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3c10-4b82-9808-e2f2d393ff11/reset-password --realm pub.solar --set type=password --set value=<random-password> --no-merge
sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3c10-4b82-9808-e2f2d393ff11 --realm pub.solar --set email=<username>@deactivated.pub.solar
```
Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-user
### Nextcloud
```
ssh barkeeper@nachtigall.pub.solar
nextcloud-occ user:delete <username>
```
Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#user-commands-label
### Mastodon
```
ssh barkeeper@nachtigall.pub.solar
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
```
Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
### Forgejo
```
ssh barkeeper@nachtigall.pub.solar
sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
```
Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
### Matrix
```
ssh bartender@matrix.pub.solar -p 2020
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
```
Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
### OpenBikeSensor
Not implemented, see: https://github.com/openbikesensor/portal/issues/95

View file

@ -0,0 +1,22 @@
# Process for getting a list of email addresses of all keycloak users
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar
sudo --user keycloak kcadm.sh get users \
-r pub.solar \
--offset 0 \
--limit 1000 \
--no-config \
--server http://localhost:8080 \
--realm master \
--user admin \
--password <admin password> \
> keycloak-user-list.json
jq -r '.[].email' < keycloak-user-list.json
```

View file

@ -0,0 +1,33 @@
# Process for resetting keycloak user passwords
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar
mkdir /tmp/keycloak-credential-reset
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
for UUID in $(cat /tmp/keycloak-credential-reset/all-uuids); do
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users/$UUID/credentials --realm pub.solar > /tmp/keycloak-credential-reset/$UUID
done
mkdir /tmp/keycloak-credential-reset/accounts-with-creds
find /tmp/keycloak-credential-reset -type f -size +3c -exec mv '{}' /tmp/keycloak-credential-reset/accounts-with-creds/ \;
rm -r /tmp/keycloak-credential-reset/accounts-with-creds/
find /tmp/keycloak-credential-reset/ -type f -exec basename '{}' \; > /tmp/keycloak-credential-reset/accounts-without-credentials
vim /tmp/keycloak-credential-reset/accounts-without-credentials
for UUID in $(cat /tmp/keycloak-credential-reset/accounts-without-credentials); do
sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/$UUID/reset-password --target-realm pub.solar --set type=password --set value=$(< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-32};echo;) --set temporary=true --no-merge
done
```

View file

@ -0,0 +1,19 @@
# Process for updating a keycloak realm via CLI
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar
sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
sudo -u keycloak kcadm.sh update --config /tmp/kcadm.config realms/pub.solar -s browserFlow='Webauthn Browser'
sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
```
Source: https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/