✨ Keycloak: Configuration to support multiple certificates in Election Event#2587
Conversation
Pull request overview
This PR adds multi-certificate (CA bundle) support for X.509 voter certificate authentication per election event, including import/export of CA bundles, Keycloak realm attribute management to toggle certificate login, and improved audit/electoral-log reporting for certificate auth events.
Changes:
- Add certificate authorities export (PEM bundle) as a new task/action and include CA bundles in election event export/import.
- Introduce Keycloak realm attribute updates (e.g., voter-certificate-policy) and update voting portal login theme to conditionally show the certificate IDP.
- Extend Electoral Log support to record certificate authority import/delete events and enrich Keycloak login event details for certificate-based logins.
Reviewed changes
Copilot reviewed 104 out of 106 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/windmill/src/types/tasks.rs | Add new task type for CA export. |
| packages/windmill/src/types/documents.rs | Add CERTIFICATES document type. |
| packages/windmill/src/tasks/mod.rs | Register new CA export task module. |
| packages/windmill/src/tasks/export_election_event.rs | Add include_certificates export option. |
| packages/windmill/src/tasks/export_certificate_authority.rs | New Celery task to export CA PEM bundle to S3/documents. |
| packages/windmill/src/services/import/import_election_event.rs | Import CA PEM bundles from election event export. |
| packages/windmill/src/services/export/export_election_event.rs | Optionally include CA PEM bundle in export ZIP. |
| packages/windmill/src/services/electoral_log.rs | Add posting of certificate auth events. |
| packages/windmill/src/services/certificate_authority.rs | Clarify PEM marker comment. |
| packages/windmill/src/services/celery_app.rs | Register/route new CA export Celery task. |
| packages/windmill/src/services/ballot_styles/ballot_publication.rs | Fix status clone usage. |
| packages/windmill/src/postgres/certificate_authority.rs | Support bulk delete + PEM fetch by ids; transaction-based reads. |
| packages/voting-portal/src/gql/graphql.ts | Update generated GraphQL types for CA bulk delete/export + realm attributes update. |
| packages/voting-portal/graphql.schema.json | Schema snapshot updates for new/changed actions/types. |
| packages/ui-core/src/types/ElectionEventPresentation.ts | Rename voter cert policy enum + field. |
| packages/step-cli/src/graphql/schema.json | Schema snapshot updates for new/changed actions/types. |
| packages/step-cli/src/commands/export_election_event.rs | Always include certificates in CLI election event export. |
| packages/sequent-core/src/types/keycloak.rs | Add constants for realm attribute + certificate IDP alias. |
| packages/sequent-core/src/services/keycloak/realm_attributes.rs | New Keycloak realm attribute update helper. |
| packages/sequent-core/src/services/keycloak/realm.rs | Add Keycloak-style secret generator + minor rename fix. |
| packages/sequent-core/src/services/keycloak/mod.rs | Export new realm_attributes module. |
| packages/sequent-core/src/ballot.rs | Rename voter cert policy types. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/theme.properties | Remove mtlsLoginUrl theme property usage. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_tl.properties | Update/add certificate auth error/button strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_nl.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_nl.properties | Add Dutch voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_gl.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_gl.properties | Add Galician voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_fr.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_fr.properties | Add French voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_eu.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_eu.properties | Add Basque voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_es.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_es.properties | Add Spanish voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_en.properties | Replace voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_cat.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/messages/messages_cat.properties | Add Catalan voting-portal cert login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/login.ftl | Filter/show certificate IDP based on realm attr. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/login-x509-info.ftl | Remove old X509 info template. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.voting-portal/login/error.ftl | Redesign error page markup/back link. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/resources/css/custom.css | Add styling for new error page + social provider button. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_tl.properties | Update Tagalog admin-portal login labels. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_nl.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_nl.properties | Add Dutch admin-portal login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_gl.properties | Update Galician admin-portal login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_fr.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_fr.properties | Add French admin-portal login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_eu.properties | Update Basque admin-portal login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_es.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_es.properties | Add Spanish admin-portal login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_en.properties | Update English admin-portal login labels. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_cat.properties.license | Add SPDX license file. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/login/messages/messages_cat.properties | Add Catalan admin-portal login strings. |
| packages/keycloak-extensions/sequent-theme/src/main/resources/theme/sequent.admin-portal/account/messages/messages_eu.properties | Remove HTML entity from back link text. |
| packages/keycloak-extensions/message-otp-authenticator/src/main/java/sequent/keycloak/authenticator/Utils.java | Add shared constants for cert login event details/deny codes. |
| packages/keycloak-extensions/custom-event-listener/src/main/java/sequent/keycloak/custom_event_listener/CustomEventListenerProvider.java | Include certificate detail fields in LOGIN/LOGIN_ERROR bodies. |
| packages/keycloak-extensions/conditional-authenticators/src/main/java/sequent/keycloak/conditional_authenticators/X509UserResolutionAuthenticatorFactory.java | New factory for extended X509 authenticator. |
| packages/keycloak-extensions/conditional-authenticators/src/main/java/sequent/keycloak/conditional_authenticators/X509UserResolutionAuthenticator.java | Set deny-type when user resolution fails. |
| packages/keycloak-extensions/conditional-authenticators/src/main/java/sequent/keycloak/conditional_authenticators/X509CertClassifierAuthenticator.java | Record cert details + deny-type when cert missing/unparseable. |
| packages/keycloak-extensions/conditional-authenticators/src/main/java/sequent/keycloak/conditional_authenticators/ConditionalAuthNoteAuthenticatorFactory.java | Add regex matching config option. |
| packages/keycloak-extensions/conditional-authenticators/src/main/java/sequent/keycloak/conditional_authenticators/ConditionalAuthNoteAuthenticator.java | Implement regex matching with syntax error handling. |
| packages/harvest/src/routes/realm_attributes.rs | New route to update Keycloak realm attributes (authorized). |
| packages/harvest/src/routes/mod.rs | Register new routes (CA export + realm attributes). |
| packages/harvest/src/routes/import_certificate_authority.rs | Log CA imports to electoral log; policy rename. |
| packages/harvest/src/routes/get_certificate_authorities_pem.rs | Use transaction for PEM bundle retrieval. |
| packages/harvest/src/routes/export_certificate_authority.rs | New route/action to trigger CA bundle export task. |
| packages/harvest/src/routes/delete_certificate_authority.rs | Bulk delete CAs + electoral log events + return deleted_count. |
| packages/harvest/src/main.rs | Mount new routes. |
| packages/graphql.schema.json | Workspace schema snapshot updates for new/changed actions/types. |
| packages/electoral-log/src/messages/statement.rs | Add statement type/body for CA import/delete events. |
| packages/electoral-log/src/messages/newtypes.rs | Add newtypes for CA event action + subject DN list. |
| packages/electoral-log/src/messages/message.rs | Add message builder for CA events. |
| packages/ballot-verifier/src/gql/graphql.ts | Update generated GraphQL types for new/changed actions/types. |
| packages/ballot-verifier/graphql.schema.json | Schema snapshot updates for new/changed actions/types. |
| packages/admin-portal/src/types/tasksExecution.ts | Add task enum value for CA export. |
| packages/admin-portal/src/translations/tl.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/nl.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/gl.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/fr.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/eu.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/es.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/en.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/translations/cat.ts | Add CA export/UI strings + policy key rename. |
| packages/admin-portal/src/resources/ElectionEvent/ElectionEventTabs.tsx | Show CA tab based on renamed policy. |
| packages/admin-portal/src/resources/ElectionEvent/EditElectionEventDataForm.tsx | Add realm attribute update mutation + policy rename. |
| packages/admin-portal/src/resources/ElectionEvent/EditElectionEventCAs.tsx | Add CA export (single/bulk/all) UI + bulk delete UI. |
| packages/admin-portal/src/queries/UpdateRealmAttributes.ts | New GraphQL mutation for realm attributes action. |
| packages/admin-portal/src/queries/ExportCertificateAuthority.ts | New GraphQL mutation for CA export action. |
| packages/admin-portal/src/queries/DeleteCertificateAuthority.ts | Update delete mutation to accept ids and return count. |
| packages/admin-portal/src/gql/graphql.ts | Update generated GraphQL types for new/changed actions/types. |
| packages/admin-portal/src/gql/gql.ts | Update typed documents registry for new/changed mutations. |
| packages/admin-portal/src/components/election-event/export-data/ExportElectionEventDrawer.tsx | Add “Certificates” checkbox and pass include_certificates. |
| packages/admin-portal/graphql.schema.json | Schema snapshot updates for new/changed actions/types. |
| hasura/metadata/actions.yaml | Add Hasura actions: update_realm_attributes + export_certificate_authority. |
| hasura/metadata/actions.graphql | Add action definitions + update CA delete + export options. |
| docs/docusaurus/docs/07-developers/10-tutorials/08-x509-adding-ca-certificates.md | Update CA import instructions + permissions. |
| docs/docusaurus/docs/07-developers/10-tutorials/07-x509-voter-certificate-authentication.md | Update X.509 login docs (remove mtls button references). |
| docs/docusaurus/docs/07-developers/06-keycloak/x509_client_cert_architecture.md | Document new IDP-based certificate login approach. |
| docs/docusaurus/docs/07-developers/06-keycloak/x509_cert_login_events.md | New doc describing cert-login electoral log events. |
| .devcontainer/keycloak-nginx/keycloak-mtls.conf.template | Remove restart redirect/error_page mtls button logic. |
| .devcontainer/docker-compose.yml | Remove KC_MTLS_LOGIN_URL from env. |
| .devcontainer/docker-compose-remote.yml | Remove KC_MTLS_LOGIN_URL from env. |
| .devcontainer/devcontainer.json | Remove proto3 extension from recommended list. |
| .devcontainer/.env.development | Remove KC_MTLS_LOGIN_URL documentation/config. |
Pull request overview
Copilot reviewed 110 out of 113 changed files in this pull request and generated 1 comment.
| <#assign visibleProviders = social.providers?filter(p -> p.alias != 'digital-certificates' || (realm.attributes['voter-certificate-policy']!'disabled') == 'enabled')> | ||
| <#if realm.password && visibleProviders?has_content> | ||
| <div id="kc-social-providers" class="${properties.kcFormSocialAccountSectionClass!}"> | ||
| <hr/> | ||
| <h4>${msg("identity-provider-login-label")}</h4> | ||
|
|
||
| <ul class="${properties.kcFormSocialAccountListClass!} <#if social.providers?size gt 3>${properties.kcFormSocialAccountListGridClass!}</#if>"> | ||
| <#list social.providers as p> | ||
| <#list visibleProviders as p> | ||
| <hr/> | ||
| <h4>${msg("identity-provider-login-label")}</h4> | ||
| <ul class="${properties.kcFormSocialAccountListClass!} <#if visibleProviders?size gt 3>${properties.kcFormSocialAccountListGridClass!}</#if>"> |
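Review bot: the visibleProviders filter on the first line of this hunk hard-codes the 'digital-certificates' IDP alias and the 'voter-certificate-policy' attribute name, while this same PR introduces constants for both in packages/sequent-core/src/types/keycloak.rs; a FreeMarker template cannot import them, so add a template comment that points at those constants, otherwise a future rename on the Rust side silently hides the certificate login button with no error. Also confirm that the realm attribute is honoured by the server-side authentication flow (the conditional authenticators in this PR) and not only by this template, since filtering the provider list changes what is rendered, not whether the IDP accepts logins.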
social.providers is used with ?filter without checking it exists (previous template guarded with social.providers??). If Keycloak renders this section with no social providers, this can throw a FreeMarker error and break the login page. Also, the <hr/>, <h4>, and <ul> are inside the #list, so they will be duplicated for each provider; the heading/list wrapper should be rendered once around all <li> entries.
Please review that these changes are not from another version.
…n Event (#2587) Parent issue: sequentech/meta#11110 --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Parent issue: https://github.com/sequentech/meta/issues/11110