keycloak · ahus1 · Jul 2, 2024 · Aug 2, 2023 · Jun 28, 2024 · Jun 28, 2024
@@ -86,7 +86,11 @@ public class Encode
             case '@':
                continue;
          }
-         pathEncoding[i] = URLEncoder.encode(String.valueOf((char) i));
+         try {
+            pathEncoding[i] = URLEncoder.encode(String.valueOf((char) i), UTF_8);
+         } catch (UnsupportedEncodingException e) {
+            throw new RuntimeException(e);
+         }
       }
       pathEncoding[' '] = "%20";
       System.arraycopy(pathEncoding, 0, matrixParameterEncoding, 0, pathEncoding.length);
@@ -119,7 +123,11 @@ public class Encode
                queryNameValueEncoding[i] = "+";
                continue;
          }
-         queryNameValueEncoding[i] = URLEncoder.encode(String.valueOf((char) i));
+         try {
+            queryNameValueEncoding[i] = URLEncoder.encode(String.valueOf((char) i), UTF_8);
+         } catch (UnsupportedEncodingException e) {
+            throw new RuntimeException(e);
+         }
       }
 
       /*
@@ -157,7 +165,11 @@ public class Encode
                queryStringEncoding[i] = "%20";
                continue;
          }
-         queryStringEncoding[i] = URLEncoder.encode(String.valueOf((char) i));
+         try {
+            queryStringEncoding[i] = URLEncoder.encode(String.valueOf((char) i), UTF_8);
+         } catch (UnsupportedEncodingException e) {
+            throw new RuntimeException(e);
+         }
       }
 
      /*

@@ -31,7 +31,6 @@
 import java.lang.reflect.Type;
 import java.lang.reflect.TypeVariable;
 import java.lang.reflect.WildcardType;
-import java.security.AccessController;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -398,29 +397,29 @@ public static <T> T invokeMethod(boolean setAccessible, Method method,
 
     /**
      * Set the accessibility flag on the {@link AccessibleObject} as described in {@link
-     * AccessibleObject#setAccessible(boolean)} within the context of a {link PrivilegedAction}.
+     * AccessibleObject#setAccessible(boolean)}.
      *
      * @param <A> member the accessible object type
      * @param member the accessible object
      *
      * @return the accessible object after the accessible flag has been altered
      */
     public static <A extends AccessibleObject> A setAccessible(A member) {
-        AccessController.doPrivileged(new SetAccessiblePrivilegedAction(member));
+        member.setAccessible(true);
         return member;
     }
 
     /**
      * Set the accessibility flag on the {@link AccessibleObject} to false as described in {@link
-     * AccessibleObject#setAccessible(boolean)} within the context of a {link PrivilegedAction}.
+     * AccessibleObject#setAccessible(boolean)}.
      *
      * @param <A> member the accessible object type
      * @param member the accessible object
      *
      * @return the accessible object after the accessible flag has been altered
      */
     public static <A extends AccessibleObject> A unsetAccessible(A member) {
-        AccessController.doPrivileged(new UnSetAccessiblePrivilegedAction(member));
+        member.setAccessible(false);
         return member;
     }
 
@@ -987,7 +986,9 @@ public static boolean isPrimitive(Type type) {
      * @throws ClassNotFoundException
      * @throws IllegalAccessException
      * @throws InstantiationException
+     * @deprecated for removal in Keycloak 27
      */
+    @Deprecated(forRemoval = true)
     public static <T> T newInstance(final Class<T> fromClass) throws ClassNotFoundException, IllegalAccessException, InstantiationException {
         return newInstance(fromClass, fromClass.getName());
     }
@@ -1005,7 +1006,9 @@ public static <T> T newInstance(final Class<T> fromClass) throws ClassNotFoundEx
      * @throws ClassNotFoundException
      * @throws IllegalAccessException
      * @throws InstantiationException
+     * @deprecated for removal in Keycloak 27
      */
+    @Deprecated(forRemoval = true)
     public static <T> T newInstance(final Class<?> type, final String fullQualifiedName) throws ClassNotFoundException, IllegalAccessException, InstantiationException {
         return (T) classForName(fullQualifiedName, type.getClassLoader()).newInstance();
     }

@@ -22,7 +22,9 @@
 
 /**
  * A {@link java.security.PrivilegedAction} that calls {@link java.lang.reflect.AccessibleObject#setAccessible(boolean)}
+ * @deprecated for removal in Keycloak 27
  */
+@Deprecated(forRemoval = true)
 public class SetAccessiblePrivilegedAction implements PrivilegedAction<Void> {
 
     private final AccessibleObject member;

@@ -22,7 +22,9 @@
 
 /**
  * A {@link PrivilegedAction} that calls {@link AccessibleObject#setAccessible(boolean)}
+ * @deprecated for removal in Keycloak 27
  */
+@Deprecated(forRemoval = true)
 public class UnSetAccessiblePrivilegedAction implements PrivilegedAction<Void> {
 
     private final AccessibleObject member;

@@ -24,3 +24,16 @@ The default implementation performs a single network call per an event, and it w
 = Operator's default CPU and memory limits/requests
 
 In order to follow the best practices, the default CPU and memory limits/requests for the Operator were introduced. It affects both non-OLM and OLM installs. To override the default values for the OLM install, edit the `resources` section in the operator's https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md#resources[subscription].
+
+= Deprecations in `keycloak-common` module
+
+The following items have been deprecated for removal in upcoming {project_name} versions with no replacement:
+
+- `org.keycloak.common.util.reflections.Reflections.newInstance(java.lang.Class<T>)`
+- `org.keycloak.common.util.reflections.Reflections.newInstance(java.lang.Class<?>, java.lang.String)`
+- `org.keycloak.common.util.reflections.SetAccessiblePrivilegedAction`
+- `org.keycloak.common.util.reflections.UnSetAccessiblePrivilegedAction`
+
+= Consistent usage of UTF-8 charset for URL encoding
+
+`org.keycloak.common.util.Encode` now always uses the `UTF-8` charset for URL encoding instead relying implicitly on the `file.encoding` system property.
@@ -42,10 +42,10 @@
 import liquibase.structure.core.Table;
 import liquibase.util.StreamUtil;
 import org.jboss.logging.Logger;
-import org.keycloak.common.util.reflections.Reflections;
 import org.keycloak.connections.jpa.entityprovider.JpaEntityProvider;
 import org.keycloak.connections.jpa.updater.JpaUpdaterProvider;
 import org.keycloak.connections.jpa.updater.liquibase.conn.CustomChangeLogHistoryService;
+import org.keycloak.connections.jpa.updater.liquibase.conn.KeycloakLiquibase;
 import org.keycloak.connections.jpa.updater.liquibase.conn.LiquibaseConnectionProvider;
 import org.keycloak.connections.jpa.util.JpaUtils;
 import org.keycloak.models.KeycloakSession;
@@ -101,7 +101,7 @@ private void updateSynch(Connection connection, File file, String defaultSchema)
         Writer exportWriter = null;
         try {
             // Run update with keycloak master changelog first
-            Liquibase liquibase = getLiquibaseForKeycloakUpdate(connection, defaultSchema);
+            KeycloakLiquibase liquibase = getLiquibaseForKeycloakUpdate(connection, defaultSchema);
             if (file != null) {
                 exportWriter = new FileWriter(file);
             }
@@ -133,7 +133,7 @@ private void updateSynch(Connection connection, File file, String defaultSchema)
         }
     }
 
-    protected void updateChangeSet(Liquibase liquibase, Writer exportWriter) throws LiquibaseException, SQLException {
+    protected void updateChangeSet(KeycloakLiquibase liquibase, Writer exportWriter) throws LiquibaseException, SQLException {
         String changelog = liquibase.getChangeLogFile();
         Database database = liquibase.getDatabase();
         Table changelogTable = SnapshotGeneratorFactory.getInstance().getDatabaseChangeLogTable(new SnapshotControl(database, false, Table.class, Column.class), database);
@@ -235,7 +235,7 @@ protected Status validateSynch(final Connection connection, final String default
 
         try {
             // Validate with keycloak master changelog first
-            Liquibase liquibase = getLiquibaseForKeycloakUpdate(connection, defaultSchema);
+            KeycloakLiquibase liquibase = getLiquibaseForKeycloakUpdate(connection, defaultSchema);
 
             Status status = validateChangeSet(liquibase, liquibase.getChangeLogFile());
             if (status != Status.VALID) {
@@ -262,7 +262,7 @@ protected Status validateSynch(final Connection connection, final String default
         return Status.VALID;
     }
 
-    protected Status validateChangeSet(Liquibase liquibase, String changelog) throws LiquibaseException {
+    protected Status validateChangeSet(KeycloakLiquibase liquibase, String changelog) throws LiquibaseException {
         final Status result;
         List<ChangeSet> changeSets = getLiquibaseUnrunChangeSets(liquibase);
 
@@ -285,23 +285,21 @@ protected Status validateChangeSet(Liquibase liquibase, String changelog) throws
         return result;
     }
 
-    private void resetLiquibaseServices(Liquibase liquibase) {
-        Method resetServices = Reflections.findDeclaredMethod(Liquibase.class, "resetServices");
-        Reflections.invokeMethod(true, resetServices, liquibase);
-
+    private void resetLiquibaseServices(KeycloakLiquibase liquibase) {
+        liquibase.resetServices();
         ChangeLogHistoryServiceFactory.getInstance().register(new CustomChangeLogHistoryService());
     }
 
     private List<ChangeSet> getLiquibaseUnrunChangeSets(Liquibase liquibase) throws LiquibaseException {
         return liquibase.listUnrunChangeSets(null, new LabelExpression(), false);
     }
 
-    private Liquibase getLiquibaseForKeycloakUpdate(Connection connection, String defaultSchema) throws LiquibaseException {
+    private KeycloakLiquibase getLiquibaseForKeycloakUpdate(Connection connection, String defaultSchema) throws LiquibaseException {
         LiquibaseConnectionProvider liquibaseProvider = session.getProvider(LiquibaseConnectionProvider.class);
         return liquibaseProvider.getLiquibase(connection, defaultSchema);
     }
 
-    private Liquibase getLiquibaseForCustomProviderUpdate(Connection connection, String defaultSchema, String changelogLocation, ClassLoader classloader, String changelogTableName) throws LiquibaseException {
+    private KeycloakLiquibase getLiquibaseForCustomProviderUpdate(Connection connection, String defaultSchema, String changelogLocation, ClassLoader classloader, String changelogTableName) throws LiquibaseException {
         LiquibaseConnectionProvider liquibaseProvider = session.getProvider(LiquibaseConnectionProvider.class);
         return liquibaseProvider.getLiquibaseForCustomUpdate(connection, defaultSchema, changelogLocation, classloader, changelogTableName);
     }

@@ -17,7 +17,6 @@
 
 package org.keycloak.connections.jpa.updater.liquibase.conn;
 
-import liquibase.Liquibase;
 import liquibase.Scope;
 import liquibase.ScopeManager;
 import liquibase.ThreadLocalScopeManager;
@@ -114,7 +113,7 @@ public String getId() {
     }
 
     @Override
-    public Liquibase getLiquibase(Connection connection, String defaultSchema) throws LiquibaseException {
+    public KeycloakLiquibase getLiquibase(Connection connection, String defaultSchema) throws LiquibaseException {
         Database database = DatabaseFactory.getInstance().findCorrectDatabaseImplementation(new JdbcConnection(connection));
         if (defaultSchema != null) {
             database.setDefaultSchemaName(defaultSchema);
@@ -126,11 +125,11 @@ public Liquibase getLiquibase(Connection connection, String defaultSchema) throw
         logger.debugf("Using changelog file %s and changelogTableName %s", changelog, database.getDatabaseChangeLogTableName());
 
         ((AbstractJdbcDatabase) database).set(INDEX_CREATION_THRESHOLD_PARAM, indexCreationThreshold);
-        return new Liquibase(changelog, resourceAccessor, database);
+        return new KeycloakLiquibase(changelog, resourceAccessor, database);
     }
 
     @Override
-    public Liquibase getLiquibaseForCustomUpdate(Connection connection, String defaultSchema, String changelogLocation, ClassLoader classloader, String changelogTableName) throws LiquibaseException {
+    public KeycloakLiquibase getLiquibaseForCustomUpdate(Connection connection, String defaultSchema, String changelogLocation, ClassLoader classloader, String changelogTableName) throws LiquibaseException {
         Database database = DatabaseFactory.getInstance().findCorrectDatabaseImplementation(new JdbcConnection(connection));
         if (defaultSchema != null) {
             database.setDefaultSchemaName(defaultSchema);
@@ -141,7 +140,7 @@ public Liquibase getLiquibaseForCustomUpdate(Connection connection, String defau
 
         logger.debugf("Using changelog file %s and changelogTableName %s", changelogLocation, database.getDatabaseChangeLogTableName());
 
-        return new Liquibase(changelogLocation, resourceAccessor, database);
+        return new KeycloakLiquibase(changelogLocation, resourceAccessor, database);
     }
 
 }
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.connections.jpa.updater.liquibase.conn;
+
+import liquibase.Liquibase;
+import liquibase.database.Database;
+import liquibase.resource.ResourceAccessor;
+
+/**
+ * Custom subclass to expose protected liquibase API.
+ */
+public class KeycloakLiquibase extends Liquibase {
+
+    public KeycloakLiquibase(String changeLogFile, ResourceAccessor resourceAccessor, Database database) {
+        super(changeLogFile, resourceAccessor, database);
+    }
+
+    @Override
+    public void resetServices() {
+        // expose protected method for use without reflection
+        super.resetServices();
+    }
+}
@@ -17,7 +17,6 @@
 
 package org.keycloak.connections.jpa.updater.liquibase.conn;
 
-import liquibase.Liquibase;
 import liquibase.exception.LiquibaseException;
 import org.keycloak.provider.Provider;
 
@@ -28,8 +27,8 @@
  */
 public interface LiquibaseConnectionProvider extends Provider {
 
-    Liquibase getLiquibase(Connection connection, String defaultSchema) throws LiquibaseException;
+    KeycloakLiquibase getLiquibase(Connection connection, String defaultSchema) throws LiquibaseException;
 
-    Liquibase getLiquibaseForCustomUpdate(Connection connection, String defaultSchema, String changelogLocation, ClassLoader classloader, String changelogTableName) throws LiquibaseException;
+    KeycloakLiquibase getLiquibaseForCustomUpdate(Connection connection, String defaultSchema, String changelogLocation, ClassLoader classloader, String changelogTableName) throws LiquibaseException;
 
 }