Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: fail to start if the admin user can't be added #31207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
shawkins merged 1 commit into from
Jul 18, 2024
Merged

fix: fail to start if the admin user can't be added #31207

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 10 additions & 23 deletions quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/Help.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,10 +157,14 @@ private void configureUsageMessage(CommandLine.Model.CommandSpec commandSpec) {
}

private boolean isVisible(OptionSpec option) {
if (option.description().length == 0) {
// do not show options without a description
if (option.description().length == 0 || option.hidden()) {
// do not show options without a description nor hidden
return false;
}

if (ALL_OPTIONS) {
return true;
}

String optionName = undecorateDuplicitOptionName(option.longestName());

Expand All @@ -172,30 +176,13 @@ private boolean isVisible(OptionSpec option) {

if (mapper == null) {
final var disabledMapper = PropertyMappers.getDisabledMapper(optionName);
final var isDisabledMapper = disabledMapper.isPresent();


// Show disabled mappers, which do not have a description when they're enabled
final var isEnabledWhenEmpty = isDisabledMapper && disabledMapper.get().getEnabledWhen().isEmpty();
if (isEnabledWhenEmpty) {
return true;
}

if (ALL_OPTIONS && isDisabledMapper) {
return true;
}

// only filter mapped options, defaults to the hidden marker
return !option.hidden() && !isDisabledMapper;
}

boolean isUnsupportedOption = !PropertyMappers.isSupported(mapper);

if (isUnsupportedOption) {
// unsupported options removed from help if all options are not requested
return !option.hidden() && ALL_OPTIONS;
return disabledMapper.flatMap(PropertyMapper::getEnabledWhen).isEmpty();
}

return !option.hidden();
// unsupported options removed from help if all options are not requested
return PropertyMappers.isSupported(mapper);
}

public static void setAllOptions(boolean allOptions) {
Expand Down
7 changes: 6 additions & 1 deletion ...runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/BootstrapAdminService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,12 @@
package org.keycloak.quarkus.runtime.cli.command;

import org.keycloak.common.util.IoUtils;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.quarkus.runtime.cli.PropertyException;
import org.keycloak.quarkus.runtime.integration.jaxrs.QuarkusKeycloakApplication;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.resources.KeycloakApplication;

import picocli.CommandLine.ArgGroup;
import picocli.CommandLine.Command;
Expand Down Expand Up @@ -97,7 +100,9 @@ private String getFromEnv(String envVar) {
@Override
public void onStart(QuarkusKeycloakApplication application) {
//BootstrapAdmin bootstrap = spec.commandLine().getParent().getCommand();
application.createTemporaryMasterRealmAdminService(clientId, clientSecret, /*bootstrap.expiration,*/ null);
KeycloakSessionFactory sessionFactory = KeycloakApplication.getSessionFactory();
KeycloakModelUtils.runJobInTransaction(sessionFactory, session -> application
.createTemporaryMasterRealmAdminService(clientId, clientSecret, /* bootstrap.expiration, */ session));
}

}
7 changes: 6 additions & 1 deletion ...us/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/BootstrapAdminUser.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,12 @@
package org.keycloak.quarkus.runtime.cli.command;

import org.keycloak.common.util.IoUtils;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.quarkus.runtime.cli.PropertyException;
import org.keycloak.quarkus.runtime.integration.jaxrs.QuarkusKeycloakApplication;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.resources.KeycloakApplication;

import picocli.CommandLine.ArgGroup;
import picocli.CommandLine.Command;
Expand Down Expand Up @@ -97,7 +100,9 @@ private String getFromEnv(String envVar) {
@Override
public void onStart(QuarkusKeycloakApplication application) {
//BootstrapAdmin bootstrap = spec.commandLine().getParent().getCommand();
application.createTemporaryMasterRealmAdminUser(username, password, /*bootstrap.expiration,*/ null);
KeycloakSessionFactory sessionFactory = KeycloakApplication.getSessionFactory();
KeycloakModelUtils.runJobInTransaction(sessionFactory, session -> application
.createTemporaryMasterRealmAdminUser(username, password, /* bootstrap.expiration, */ session));
}

}
1 change: 1 addition & 0 deletions ...ime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/PropertyMappers.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ private PropertyMappers(){}
MAPPERS.addAll(ExportPropertyMappers.getMappers());
MAPPERS.addAll(ImportPropertyMappers.getMappers());
MAPPERS.addAll(TruststorePropertyMappers.getMappers());
MAPPERS.addAll(BootstrapAdminPropertyMappers.getMappers());
}

public static ConfigValue getValue(ConfigSourceInterceptorContext context, String name) {
Expand Down
29 changes: 4 additions & 25 deletions .../main/java/org/keycloak/quarkus/runtime/integration/jaxrs/QuarkusKeycloakApplication.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,33 +98,12 @@ protected void createTemporaryAdmin(KeycloakSession session) {
}
}

public void createTemporaryMasterRealmAdminUser(String adminUserName, String adminPassword, /*Integer adminExpiration,*/ KeycloakSession existingSession) {
KeycloakSessionTask task = session -> {
new ApplianceBootstrap(session).createTemporaryMasterRealmAdminUser(adminUserName, adminPassword /*, adminExpiration*/, false);
};

runAdminTask(adminUserName, existingSession, task);
}

public void createTemporaryMasterRealmAdminService(String clientId, String clientSecret, /*Integer adminExpiration,*/ KeycloakSession existingSession) {
KeycloakSessionTask task = session -> {
new ApplianceBootstrap(session).createTemporaryMasterRealmAdminService(clientId, clientSecret /*, adminExpiration*/);
};

runAdminTask(clientId, existingSession, task);
public void createTemporaryMasterRealmAdminUser(String adminUserName, String adminPassword, /*Integer adminExpiration,*/ KeycloakSession session) {
new ApplianceBootstrap(session).createTemporaryMasterRealmAdminUser(adminUserName, adminPassword /*, adminExpiration*/, false);
}

private void runAdminTask(String adminUserName, KeycloakSession existingSession, KeycloakSessionTask task) {
try {
if (existingSession == null) {
KeycloakSessionFactory sessionFactory = KeycloakApplication.getSessionFactory();
KeycloakModelUtils.runJobInTransaction(sessionFactory, task);
} else {
task.run(existingSession);
}
} catch (Throwable t) {
ServicesLogger.LOGGER.addUserFailed(t, adminUserName, Config.getAdminRealm());
}
public void createTemporaryMasterRealmAdminService(String clientId, String clientSecret, /*Integer adminExpiration,*/ KeycloakSession session) {
new ApplianceBootstrap(session).createTemporaryMasterRealmAdminService(clientId, clientSecret /*, adminExpiration*/);
}

private String getEnvOrProp(String envKey, String propKey) {
Expand Down
7 changes: 7 additions & 0 deletions quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/BootstrapAdminDistTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,13 @@ void failEnvNotSet(LaunchResult result) {
void createAdmin(LaunchResult result) {
assertTrue(result.getErrorOutput().isEmpty(), result.getErrorOutput());
}

@Test
@Launch({ "start-dev", "--bootstrap-admin-password=MY_PASSWORD" })
void createAdminWithCliOptions(LaunchResult result) {
assertTrue(result.getErrorOutput().isEmpty(), result.getErrorOutput());
result.getOutput().contains("Created temporary admin user with username temp-admin");
}

@Test
@Launch({ "bootstrap-admin", "service", "--no-prompt" })
Expand Down
19 changes: 4 additions & 15 deletions quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,30 +48,19 @@ void testFipsNonApprovedMode(KeycloakDistribution dist) {
}

@Test
void testFipsApprovedModePasswordFails(KeycloakDistribution dist) {
void testFipsApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.setEnvVar("KC_BOOTSTRAP_ADMIN_USERNAME", "admin");
dist.setEnvVar("KC_BOOTSTRAP_ADMIN_PASSWORD", "admin");

CLIResult cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertStarted();
cliResult.assertMessage(
"org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits");
cliResult.assertMessage("password must be at least 112 bits");
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(" + BCFIPS_VERSION + " Approved Mode, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
});
}

@Test
void testFipsApprovedModePasswordSucceeds(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.setEnvVar("KC_BOOTSTRAP_ADMIN_USERNAME", "admin");

dist.setEnvVar("KC_BOOTSTRAP_ADMIN_PASSWORD", "adminadminadmin");

CLIResult cliResult = dist.run("start", "--fips-mode=strict");
cliResult = dist.run("start", "--fips-mode=strict");
cliResult.assertStarted();
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(" + BCFIPS_VERSION + " Approved Mode, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
cliResult.assertMessage("Created temporary admin user with username admin");
});
}
Expand Down
8 changes: 1 addition & 7 deletions ...eycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.approved.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,16 +171,10 @@ Logging:
DEPRECATED. Set the format for the GELF timestamp field. Uses Java
SimpleDateFormat pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Available only
when GELF is activated.
--log-gelf-version <version>
The GELF version to be used. Possible values are: 1.0, 1.1. Default: 1.1.
Available only when GELF is activated.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
--log-syslog-app-name <name>
The app name used when formatting the message in RFC5424 format. Default:
keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
The IP address and port of the syslog server. Default: localhost:514.
Available only when Syslog is activated.
Expand Down Expand Up @@ -217,4 +211,4 @@ Export:
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.
export times. Default: 50.
8 changes: 1 addition & 7 deletions ...eycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.approved.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,16 +171,10 @@ Logging:
DEPRECATED. Set the format for the GELF timestamp field. Uses Java
SimpleDateFormat pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Available only
when GELF is activated.
--log-gelf-version <version>
The GELF version to be used. Possible values are: 1.0, 1.1. Default: 1.1.
Available only when GELF is activated.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
--log-syslog-app-name <name>
The app name used when formatting the message in RFC5424 format. Default:
keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
The IP address and port of the syslog server. Default: localhost:514.
Available only when Syslog is activated.
Expand Down Expand Up @@ -211,4 +205,4 @@ Import:
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.
ignored. Default: true.
12 changes: 1 addition & 11 deletions ...cloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,10 +191,6 @@ Hostname v1 (Deprecated):
headers to allow internal and external applications. If all applications use
the public URL this option should be enabled. Default: false. Available only
when hostname:v1 feature is enabled.
--hostname-strict-https <true|false>
DEPRECATED. Forces frontend URLs to use the 'https' scheme. If set to false,
the HTTP scheme is inferred from requests. Default: true. Available only
when hostname:v1 feature is enabled.
--hostname-url <url> DEPRECATED. Set the base URL for frontend URLs, including scheme, host, port
and path. Available only when hostname:v1 feature is enabled.

Expand Down Expand Up @@ -385,16 +381,10 @@ Logging:
DEPRECATED. Set the format for the GELF timestamp field. Uses Java
SimpleDateFormat pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Available only
when GELF is activated.
--log-gelf-version <version>
The GELF version to be used. Possible values are: 1.0, 1.1. Default: 1.1.
Available only when GELF is activated.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
--log-syslog-app-name <name>
The app name used when formatting the message in RFC5424 format. Default:
keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
The IP address and port of the syslog server. Default: localhost:514.
Available only when Syslog is activated.
Expand Down Expand Up @@ -431,4 +421,4 @@ Security:
Do NOT start the server using this command when deploying to production.

Use 'kc.sh start-dev --help-all' to list all available options, including build
options.
options.
12 changes: 1 addition & 11 deletions ...keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,10 +192,6 @@ Hostname v1 (Deprecated):
headers to allow internal and external applications. If all applications use
the public URL this option should be enabled. Default: false. Available only
when hostname:v1 feature is enabled.
--hostname-strict-https <true|false>
DEPRECATED. Forces frontend URLs to use the 'https' scheme. If set to false,
the HTTP scheme is inferred from requests. Default: true. Available only
when hostname:v1 feature is enabled.
--hostname-url <url> DEPRECATED. Set the base URL for frontend URLs, including scheme, host, port
and path. Available only when hostname:v1 feature is enabled.

Expand Down Expand Up @@ -386,16 +382,10 @@ Logging:
DEPRECATED. Set the format for the GELF timestamp field. Uses Java
SimpleDateFormat pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Available only
when GELF is activated.
--log-gelf-version <version>
The GELF version to be used. Possible values are: 1.0, 1.1. Default: 1.1.
Available only when GELF is activated.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
--log-syslog-app-name <name>
The app name used when formatting the message in RFC5424 format. Default:
keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
The IP address and port of the syslog server. Default: localhost:514.
Available only when Syslog is activated.
Expand Down Expand Up @@ -436,4 +426,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized'

By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
configuration you have set when manually running the 'build' command.
12 changes: 1 addition & 11 deletions ...it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -177,10 +177,6 @@ Hostname v1 (Deprecated):
headers to allow internal and external applications. If all applications use
the public URL this option should be enabled. Default: false. Available only
when hostname:v1 feature is enabled.
--hostname-strict-https <true|false>
DEPRECATED. Forces frontend URLs to use the 'https' scheme. If set to false,
the HTTP scheme is inferred from requests. Default: true. Available only
when hostname:v1 feature is enabled.
--hostname-url <url> DEPRECATED. Set the base URL for frontend URLs, including scheme, host, port
and path. Available only when hostname:v1 feature is enabled.

Expand Down Expand Up @@ -337,16 +333,10 @@ Logging:
DEPRECATED. Set the format for the GELF timestamp field. Uses Java
SimpleDateFormat pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Available only
when GELF is activated.
--log-gelf-version <version>
The GELF version to be used. Possible values are: 1.0, 1.1. Default: 1.1.
Available only when GELF is activated.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
--log-syslog-app-name <name>
The app name used when formatting the message in RFC5424 format. Default:
keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
The IP address and port of the syslog server. Default: localhost:514.
Available only when Syslog is activated.
Expand Down Expand Up @@ -378,4 +368,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized'

By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
configuration you have set when manually running the 'build' command.