Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add a reload period for https material #32715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vmuzikar merged 1 commit into from
Sep 13, 2024
Merged

Add a reload period for https material #32715

vmuzikar merged 1 commit into from
Sep 13, 2024

Conversation

@shawkins
Copy link
Contributor

@shawkins shawkins commented Sep 6, 2024
edited
Loading

closes: #23771

This is split into two commits. The first is a light refactoring of the propertymapper logic (cc @pedroigor @vmuzikar @mabartos) - this can be separated to another pr if needed. The major thing that the feature commit depends upon is the ability for a transformer to be able to unset a value - if we don't do this, the next best thing we can do is to map the disabling value (-1) to an effectively infinite interval.

Testing of this new option is cumbersome - when trying a failing test with a value less than 30s, the result is a "hung" vm that will fail to shutdown as expected. A succeeding test will need to wait a minimum of 30 seconds and do some file manipulations that aren't currently straight-forward with the distribution tests.

This will probably need to be rebased given some logging mapping changes just went in, I'll do that after some initial feedback.

@shawkins shawkins requested review from a team as code owners September 6, 2024 14:46
This was referenced Sep 6, 2024
Closed
Closed
Closed
Closed
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Sep 6, 2024
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

keycloak-github-bot bot commented Sep 6, 2024

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.WebAuthnRegisterAndLoginTest#registerUserSuccess

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Event expected
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertNotNull(Assert.java:713)
	at org.keycloak.testsuite.AssertEvents.poll(AssertEvents.java:87)
...

Report flaky test

org.keycloak.testsuite.saml.ArtifactBindingWithResolutionServiceTest#testReceiveArtifactLoginFullWithPost

Keycloak CI - Base IT (6)

jakarta.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:250)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.DefaultEntityExtractorFactory$3.extractEntity(DefaultEntityExtractorFactory.java:41)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:136)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.BrowserButtonsTest#clickRefreshButtonOnRegisterPage

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected RegisterPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=3e2daa30-864f-4284-9391-b70a04b5bb0e&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#testWithOTPAndRecoveryCodesAtLevel2

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Event expected
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertNotNull(Assert.java:713)
	at org.keycloak.testsuite.AssertEvents.poll(AssertEvents.java:87)
...

Report flaky test

org.keycloak.testsuite.forms.RegisterTest#registerUserNotContainsUsernamePasswordPolicy

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected RegisterPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=9a8991ee-66be-4ffe-b64c-ad288d117b7f&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWrongEmail

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected LoginPasswordResetPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=0fa863dd-cf27-436b-9a8f-b23856f222d3&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordDisabledUser

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected LoginPasswordResetPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=ec44850b-c895-4ced-baa6-d95337e4445f&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordMissingUsername

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected LoginPasswordResetPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=71fd92b8-5559-4d3c-aa21-2a23cb2acc01&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordTwice

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected LoginPasswordResetPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=de78b72d-149a-4a38-82a6-8f818054eee4&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordExpiredCodeAndAuthSession

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected LoginPasswordResetPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=3e7506f8-37e8-4aea-b10e-2f709453cbfc&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

@mabartos
Copy link
Contributor

mabartos commented Sep 7, 2024

@shawkins nice work! Haven't had a chance to look at it closer, but I'd vote to separate the PM improvements into a different PR.

@shawkins shawkins marked this pull request as draft September 7, 2024 15:32
@shawkins
Copy link
Contributor Author

shawkins commented Sep 7, 2024

@shawkins nice work! Haven't had a chance to look at it closer, but I'd vote to separate the PM improvements into a different PR.

Created #32725 and marked this as a draft for now.

vmuzikar
vmuzikar reviewed Sep 9, 2024
View reviewed changes
Copy link
Contributor

@vmuzikar vmuzikar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be good to get to 26, however I'd postone the PM changes until after the release.

@shawkins
Copy link
Contributor Author

shawkins commented Sep 9, 2024

This would be good to get to 26, however I'd postone the PM changes until after the release.

To avoid adding yet another option I can either keep the convention of mapping -1 to another value, which would need to be something effectively infinite yet still supported by quarkus / vertx - or just get rid of the -1 convention and let users always set their perferred period. Which do you prefer?

@vmuzikar
Copy link
Contributor

vmuzikar commented Sep 11, 2024

To avoid adding yet another option I can either keep the convention of mapping -1 to another value, which would need to be something effectively infinite yet still supported by quarkus / vertx - or just get rid of the -1 convention and let users always set their perferred period. Which do you prefer?

I'd maybe rather consider getting rid off the 1h default, that would also align it with Quarkus. WDYT?

@ahus1
Copy link
Contributor

ahus1 commented Sep 11, 2024

I was the one who first suggested to have an automatic reload in the parent issue. If that is more difficult to maintain / not well-aligned with Quarkus, I'm ok to drop it. Dropping it would require users to actively configure it what I wanted to avoid.

@shawkins shawkins marked this pull request as ready for review September 11, 2024 20:15
@shawkins
Copy link
Contributor Author

shawkins commented Sep 11, 2024

After looking at the old logic again, this preserves the single property approach and that uses -1 to map to no reload. If this seems too risky, then I vote that we drop the default of 1h.

This was referenced Sep 11, 2024
Closed
Closed
Closed
Closed
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Sep 11, 2024
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

keycloak-github-bot bot commented Sep 11, 2024

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.registration.passwordless.PwdLessPubKeySignRegTest#publicKeySignaturesRSA

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Expected RegisterPage but was Sign in to test (https://localhost:8543/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=test-app&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fmaster%2Fapp%2Fauth&state=38c6200f-c2c1-4b03-a596-99a4d8936055&scope=openid)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:47)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

ahus1
ahus1 previously approved these changes Sep 12, 2024
View reviewed changes
Copy link
Contributor

@ahus1 ahus1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this change, looks good to me.

mabartos
mabartos reviewed Sep 12, 2024
View reviewed changes
Copy link
Contributor

@mabartos mabartos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shawkins Thanks for the PR! One thing in a review comment.

  • IMO some comprehensive tests are not needed - we can rely on Quarkus
  • (optional) As the option accepts String, it'd be good to verify invalid input - at least if the Quarkus ex is properly propagated?
  • Perhaps good thing would be mention it in Configuring TLS guide. Provide more context and the benefits of it.

@shawkins WDYT?

quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java Outdated
.defaultValue("1h")
.build();

public static final Option<String> HTTPS_CERTIFICATES_RELOAD_PERIOD_INTERNAL = new OptionBuilder<>("https-certificates-reload-period-internal", String.class)
Copy link
Contributor

@mabartos mabartos Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shawkins I think it's not necessary to have it here, right?

Copy link
Contributor Author

@shawkins shawkins Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not - I was temporarly going to try another approach that didn't touch the property mappers, but abandoned that.

vmuzikar
vmuzikar reviewed Sep 12, 2024
View reviewed changes
Copy link
Contributor

@vmuzikar vmuzikar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shawkins Thank you, the changes LGTM now. The only thing I'm missing is some mention in the TLS docs, as mentioned by @mabartos.

@shawkins
Copy link
Contributor Author

shawkins commented Sep 12, 2024

@shawkins Thanks for the PR! One thing in a review comment.

  • IMO some comprehensive tests are not needed - we can rely on Quarkus
  • (optional) As the option accepts String, it'd be good to verify invalid input - at least if the Quarkus ex is properly propagated?

See the PR description, this creates a container that does not get successfully shutdown. I can look into that more if desired.

  • Perhaps good thing would be mention it in Configuring TLS guide. Provide more context and the benefits of it.

Will do.

@mabartos
Copy link
Contributor

mabartos commented Sep 12, 2024

See the PR description, this creates a container that does not get successfully shutdown. I can look into that more if desired.

@shawkins To clarify things: so, I assume it's related only to the tests? Otherwise, it's a bigger issue. But as I see the option description, these 30s are also mentioned, so? Wondering whether we should be more defensive and provide some validator at least for the 30s?

As the option accepts String, it'd be good to verify invalid input - at least if the Quarkus ex is properly propagated?

I thought more about what will happen in the case when some arbitrary String is provided - like reload-period=wrong.

@shawkins
Copy link
Contributor Author

shawkins commented Sep 12, 2024

@shawkins To clarify things: so, I assume it's related only to the tests? Otherwise, it's a bigger issue.

The failing test I tried was for a value less than 30s, I'll retest from the cli. I'd opt for a follow-on issue to address this though.

But as I see the option description, these 30s are also mentioned, so? Wondering whether we should be more defensive and provide some validator at least for the 30s?

Ideally that should not be necessary. Other than getting a little earlier feedback we shouldn't be adding much value with validation on our side - also quarkus durations support a non-standard format, so we'd need to account for that as well.

I thought more about what will happen in the case when some arbitrary String is provided - like reload-period=wrong.

There will be a quarkus level exception resolving the value to a duration:

ERROR: Failed to start server in (development) mode
ERROR: One or more configuration errors have prevented the application from starting. The errors are:
  - SRCFG00039: The config property quarkus.http.ssl.certificate.reload-period with the config value "wrong" threw an Exception whilst being converted java.time.format.DateTimeParseException: Text cannot be parsed to a Duration

At least from the cli that terminated correctly.

@shawkins
Copy link
Contributor Author

shawkins commented Sep 12, 2024

The failing test I tried was for a value less than 30s, I'll retest from the cli. I'd opt for a follow-on issue to address this though.

Unfortunately after emitting:

2024-09-12 08:22:45,719 ERROR [io.quarkus.vertx.core.runtime.VertxCoreRecorder] (vert.x-eventloop-thread-10) Uncaught exception received by Vert.x: java.lang.IllegalArgumentException: Unable to configure TLS reloading - The reload period cannot be less than 30 seconds
	at io.quarkus.vertx.http.runtime.options.TlsCertificateReloader.initCertReloadingAction(TlsCertificateReloader.java:80)
	at io.quarkus.vertx.http.runtime.VertxHttpRecorder$WebDeploymentVerticle$3.handle(VertxHttpRecorder.java:1298)
	at io.quarkus.vertx.http.runtime.VertxHttpRecorder$WebDeploymentVerticle$3.handle(VertxHttpRecorder.java:1266)

The cli hangs. Control c from the terminal window doesn't work, but issuing a kill does. I'll see if this is reproducible with just quarkus and open an upstream issue.

So it will be clear to the user what is wrong, but the usability is terrible. How does everyone want to proceed with that?

@mabartos
Copy link
Contributor

mabartos commented Sep 12, 2024
edited
Loading

The cli hangs. ... So it will be clear to the user what is wrong, but the usability is terrible. How does everyone want to proceed with that?

@shawkins Yep, as I said, I'd vote to have an additional validator for the Duration (IMO, it should be enough as it's the accept value for the property). Just mimic the Quarkus exception to have it in front of Quarkus until the time the issue is fixed on their side. I don't want to block this PR due to that.

After fixing the stuff on their side, we can remove the validator. WDYT?

NOTE: Maybe as the recorder is invoked on the IO thread, the exception is not properly propagated or handled?

This was referenced Sep 12, 2024
Closed
Closed
Closed
@shawkins
Copy link
Contributor Author

shawkins commented Sep 12, 2024

After fixing the stuff on their side, we can remove the validator. WDYT?

My preferred options:

  • not add additional validation on our side and just live with the the usability issue for a corner case
  • just choose a simpler principled approach - have our property be ...reload-period-minutes so that it's not even possible to specify a value less than 30 seconds.

@vmuzikar
Copy link
Contributor

vmuzikar commented Sep 12, 2024

  • just choose a simpler principled approach - have our property be ...reload-period-minutes so that it's not even possible to specify a value less than 30 seconds.

As long as we properly fail and exit on other invalid values (0, negative etc.), this works for me too.

Otherwise I'd vote for to keep it simple on our side:

  • not add additional validation on our side and just live with the the usability issue for a corner case

@mabartos
Copy link
Contributor

mabartos commented Sep 12, 2024
edited
Loading

just choose a simpler principled approach - have our property be ...reload-period-minutes so that it's not even possible to specify a value less than 30 seconds.

I would not do it. In that case, we'd just lose the nice config ability to set Duration, or just 1h, 1d,... only because of bug like this.

not add additional validation on our side and just live with the the usability issue for a corner case

Ok, if the usability issue is related only to the corner case, works for me. But, I would not hesitate to more emphasize the restriction (more than 30s) in the docs - until the issue is properly solved.

@shawkins
Copy link
Contributor Author

shawkins commented Sep 12, 2024

Logged quarkusio/quarkus#43247 for the short reload hanging.

Sounds like the concensus is not to do additional validation.

But, I would not hesitate to more emphasize the restriction (more than 30s) in the docs - until the issue is properly solved.

It does mention that restriction in the option description and in the docs. Are you wanting it to call out the quarkus bug specifically?

mabartos
mabartos approved these changes Sep 13, 2024
View reviewed changes
Copy link
Contributor

@mabartos mabartos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shawkins I see the bug is fixed on the Quarkus side and be backported, so the current approach looks good to me! Not necessary emphasize the restriction more.

LGTM, thanks!

@vmuzikar vmuzikar merged commit f0bf290 into keycloak:main Sep 13, 2024
keshavprashantdeshpande pushed a commit to keshavprashantdeshpande/keycloak that referenced this pull request Sep 20, 2024
@shawkins @keshavprashantdeshpande
fix: add a reload period property (keycloak#32715)
747ed11 
closes: keycloak#23771

Signed-off-by: Steve Hawkins <[email protected]>
@kfox1111 kfox1111 mentioned this pull request Jan 7, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vmuzikar vmuzikar vmuzikar approved these changes

@mabartos mabartos mabartos approved these changes

@ahus1 ahus1 ahus1 left review comments

+1 more reviewer

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

flaky-test team/cloud-native

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Automatically hot reload TLS certificates when https-certificate-file or https-certificate-key-file changes on disk

4 participants

@shawkins @mabartos @vmuzikar @ahus1