From cb418b0bfce8fd97b3e187580d5c23da0d857571 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=A1clav=20Muzik=C3=A1=C5=99?= Date: Fri, 16 Aug 2024 11:41:34 +0200 Subject: [PATCH] Upgrade to Quarkus 3.13.2 (#31678) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Upgrade to Quarkus 3.13.2 Closes #31676 Signed-off-by: Václav Muzikář Co-authored-by: Peter Zaoral Co-authored-by: Martin Bartoš --- .../topics/changes/changes-26_0_0.adoc | 10 +++- operator/pom.xml | 2 +- pom.xml | 16 +++--- .../java/org/keycloak/config/HttpOptions.java | 4 +- .../quarkus/deployment/KeycloakProcessor.java | 11 +++-- .../runtime/cli/PropertyException.java | 4 ++ .../quarkus/runtime/cli/command/Build.java | 4 +- .../configuration/ConfigArgsConfigSource.java | 8 +-- .../KeycloakPropertiesConfigSource.java | 16 +++++- .../configuration/PersistedConfigSource.java | 9 ++-- .../QuarkusPropertiesConfigSource.java | 5 +- .../mappers/HttpPropertyMappers.java | 49 +++++++++++++++++++ .../src/main/resources/application.properties | 2 +- .../src/main/resources/application.properties | 4 +- quarkus/tests/integration/pom.xml | 1 + .../keycloak/it/cli/dist/FipsDistTest.java | 12 ++++- ...mandDistTest.testStartDevHelp.approved.txt | 6 +-- ...dDistTest.testStartDevHelpAll.approved.txt | 6 +-- ...CommandDistTest.testStartHelp.approved.txt | 6 +-- ...mandDistTest.testStartHelpAll.approved.txt | 6 +-- ...stTest.testStartOptimizedHelp.approved.txt | 6 +-- ...est.testStartOptimizedHelpAll.approved.txt | 6 +-- .../email/DefaultEmailSenderProvider.java | 5 +- 23 files changed, 146 insertions(+), 52 deletions(-) diff --git a/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc index d74fa1823fb..d7f507213cb 100644 --- a/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc 
@@ -136,6 +136,14 @@ This endpoint supports filters and pagination. = CLI import placeholder replacement -The CLI command `kc.[sh|bat] import` now has placeholder replacement enabled. Previously placeholder replacement was only enabled for realm import at startup. +The CLI command `kc.[sh|bat] import` now has placeholder replacement enabled. Previously placeholder replacement was only enabled for realm import at startup. If you wish to disable placeholder replacement for the `import` command, add the system property `-Dkeycloak.migration.replace-placeholders=false` + += Keystore and trust store default format change + +{project_name} now determines the format of the keystore and trust store based on the file extension. If the file extension is `.p12`, `.pkcs12` or `.pfx`, the format is PKCS12. If the file extension is `.jks`, `.keystore` or `.truststore`, the format is JKS. If the file extension is `.pem`, `.crt` or `.key`, the format is PEM. + +You can still override automatic detection by specifying the `https-key-store-type` and `https-trust-store-type` explicitly. The same applies to the management interface and its `https-management-key-store-type`. Restrictions for the FIPS strict mode stay unchanged. + +NOTE: The `+spi-truststore-file-*+` options and the truststore related options `+https-trust-store-*+` are deprecated, we strongly recommend to use System Truststore. For more details refer to the relevant https://www.keycloak.org/server/keycloak-truststore[guide]. diff --git a/operator/pom.xml b/operator/pom.xml index 6d4b6cc1f48..f37ab5b4437 100644 --- a/operator/pom.xml +++ b/operator/pom.xml @@ -165,7 +165,7 @@ - true + true diff --git a/pom.xml b/pom.xml index b5f81e0b6ec..a5919edbf83 100644 --- a/pom.xml +++ b/pom.xml @@ -51,8 +51,8 @@ jboss-snapshots-repository https://s01.oss.sonatype.org/content/repositories/snapshots/ - 3.8.5 - 3.8.5 + 3.13.2 + 3.13.2 ${timestamp} 
@@ -111,7 +111,7 @@ 2.0.0.Final 1.2.17 4.7.7.Final - 6.2.7.Final + 6.2.9.Final ${resteasy.version} 20240325.1 2.0.6 @@ -124,7 +124,7 @@ ${undertow-legacy.version} 2.2.24.Final 2.3.2.Final - 2.2.3.Final + 2.5.0.Final 1.9.0.Final 6.0.3 1.5.4.Final-format-001 @@ -148,7 +148,7 @@ 1.3.3 1.1 - 4.25.1 + 4.27.0 1.0.2.Final 2.0.0.Final 4.1.2 @@ -159,12 +159,12 @@ 16 16.1 2.3.1 - 42.7.2 + 42.7.3 10.11 - 3.3.3 + 3.4.0 2022-latest - 12.4.2.jre11 + 12.6.3.jre11 19.3 23.3.0.23.09 diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java index 8020f893899..f8d8883342c 100644 --- a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java +++ b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java @@ -87,7 +87,7 @@ public class HttpOptions { public static final Option HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class) .category(OptionCategory.HTTP) .description("The type of the key store file. " + - "If not given, the type is automatically detected based on the file name. " + + "If not given, the type is automatically detected based on the file extension. " + "If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.") .build(); @@ -106,7 +106,7 @@ public class HttpOptions { public static final Option HTTPS_TRUST_STORE_TYPE = new OptionBuilder<>("https-trust-store-type", String.class) .category(OptionCategory.HTTP) .description("The type of the trust store file. " + - "If not given, the type is automatically detected based on the file name. " + + "If not given, the type is automatically detected based on the file extension. " + "If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.") .deprecated("Use the System Truststore instead, see the docs for details.") .build(); 
diff --git a/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java b/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java index b24d7cdddd6..d8958d79bc6 100644 --- a/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java +++ b/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java @@ -22,7 +22,6 @@ import io.quarkus.agroal.spi.JdbcDataSourceBuildItem; import io.quarkus.agroal.spi.JdbcDriverBuildItem; import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem; import io.quarkus.arc.deployment.BuildTimeConditionBuildItem; -import io.quarkus.arc.processor.AnnotationsTransformer; import io.quarkus.bootstrap.logging.InitialConfigurator; import io.quarkus.datasource.deployment.spi.DevServicesDatasourceResultBuildItem; import io.quarkus.deployment.IsDevelopment; @@ -50,10 +49,12 @@ import io.quarkus.vertx.http.deployment.RouteBuildItem; import io.smallrye.config.ConfigValue; import org.eclipse.microprofile.health.Readiness; import org.hibernate.cfg.AvailableSettings; +import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor; import org.hibernate.jpa.boot.internal.ParsedPersistenceXmlDescriptor; import org.hibernate.jpa.boot.internal.PersistenceXmlParser; import org.jboss.jandex.AnnotationInstance; import org.jboss.jandex.AnnotationTarget; +import org.jboss.jandex.AnnotationTransformation; import org.jboss.jandex.ClassInfo; import org.jboss.jandex.DotName; import org.jboss.jandex.IndexView; @@ -318,7 +319,7 @@ class KeycloakProcessor { List userManagedEntities = new ArrayList<>(); for (PersistenceXmlDescriptorBuildItem item : descriptors) { - ParsedPersistenceXmlDescriptor descriptor = item.getDescriptor(); + ParsedPersistenceXmlDescriptor descriptor = (ParsedPersistenceXmlDescriptor) item.getDescriptor(); if ("keycloak-default".equals(descriptor.getName())) { defaultUnitDescriptor = descriptor; 
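Review bot: The added cast `(ParsedPersistenceXmlDescriptor) item.getDescriptor()` in the loop over `descriptors` is unchecked, so a `PersistenceXmlDescriptorBuildItem` carrying any other `PersistenceUnitDescriptor` implementation (the interface imported in this same hunk) would abort the build step with a bare ClassCastException. If the code following the visible lines only needs `getName()`, declaring `descriptor` as `PersistenceUnitDescriptor` — as the later `.map(PersistenceUnitDescriptor::getName)` hunk already does — avoids the cast entirely; whether `defaultUnitDescriptor` requires the concrete type is not visible here. Otherwise a pattern match with a named failure (Java 16+), `if (!(item.getDescriptor() instanceof ParsedPersistenceXmlDescriptor descriptor)) { throw new IllegalStateException("Unsupported persistence unit descriptor: " + item.getDescriptor()); }`, reports the actual problem instead of a CCE. The enclosing method starts and ends outside the hunk.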
@@ -469,7 +470,7 @@ class KeycloakProcessor { Map preConfiguredProviders, Spi spi) { descriptors.stream() .map(PersistenceXmlDescriptorBuildItem::getDescriptor) - .map(ParsedPersistenceXmlDescriptor::getName) + .map(PersistenceUnitDescriptor::getName) .filter(Predicate.not("keycloak-default"::equals)).forEach((String unitName) -> { NamedJpaConnectionProviderFactory factory = new NamedJpaConnectionProviderFactory(); @@ -625,9 +626,9 @@ class KeycloakProcessor { // bean without the @Readiness annotation so it won't be used as a health check on it's own. @BuildStep AnnotationsTransformerBuildItem disableDefaultDataSourceHealthCheck() { - return new AnnotationsTransformerBuildItem(AnnotationsTransformer.appliedToClass() + return new AnnotationsTransformerBuildItem(AnnotationTransformation.forClasses() .whenClass(c -> c.name().equals(DotName.createSimple(DataSourceHealthCheck.class))) - .thenTransform(t -> t.remove( + .transform(t -> t.remove( a -> a.name().equals(DotName.createSimple(Readiness.class))))); } diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java index 6b7bbadece6..fc493a93d16 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/PropertyException.java @@ -23,4 +23,8 @@ public class PropertyException extends RuntimeException { super(message); } + public PropertyException(String message, Throwable throwable) { + super(message, throwable); + } + } diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java index a4be7f0e386..fc5bb63b349 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java 
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java @@ -23,6 +23,7 @@ import static org.keycloak.quarkus.runtime.Environment.isDevProfile; import static org.keycloak.quarkus.runtime.cli.Picocli.println; import static org.keycloak.quarkus.runtime.configuration.ConfigArgsConfigSource.getAllCliArgs; +import io.quarkus.runtime.LaunchMode; import org.keycloak.config.OptionCategory; import org.keycloak.quarkus.runtime.Environment; import org.keycloak.quarkus.runtime.Messages; @@ -31,7 +32,6 @@ import org.keycloak.quarkus.runtime.configuration.Configuration; import io.quarkus.bootstrap.runner.QuarkusEntryPoint; import io.quarkus.bootstrap.runner.RunnerClassLoader; -import io.quarkus.runtime.configuration.ProfileManager; import io.smallrye.config.ConfigValue; import picocli.CommandLine; import picocli.CommandLine.Command; @@ -131,7 +131,7 @@ public final class Build extends AbstractCommand implements Runnable { } private void cleanTempResources() { - if (!ProfileManager.getLaunchMode().isDevOrTest()) { + if (!LaunchMode.current().isDevOrTest()) { // only needed for dev/testing purposes getHomePath().resolve("quarkus-artifact.properties").toFile().delete(); } diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java index 721e38e6ed4..f131bdf3140 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java @@ -30,6 +30,7 @@ import java.util.function.BiConsumer; import java.util.function.Consumer; import java.util.regex.Pattern; +import io.smallrye.config.ConfigValue; import io.smallrye.config.PropertiesConfigSource; import org.keycloak.quarkus.runtime.cli.command.Main; 
@@ -91,15 +92,14 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource { } @Override - public String getValue(String propertyName) { - Map properties = getProperties(); - String value = properties.get(propertyName); + public ConfigValue getConfigValue(String propertyName) { + ConfigValue value = super.getConfigValue(propertyName); if (value != null) { return value; } - return properties.get(propertyName.replace(OPTION_PART_SEPARATOR_CHAR, '.')); + return super.getConfigValue(propertyName.replace(OPTION_PART_SEPARATOR_CHAR, '.')); } private static Map parseArguments() { diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java index a91feda9a1d..e09069bf906 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java 
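Review bot: The fallback to the dotted property name in the new `getConfigValue` override only runs when `super.getConfigValue(propertyName)` returns `null`; if the superclass instead returns a `ConfigValue` whose `getValue()` is null for an absent key — the hunk does not show which contract `PropertiesConfigSource` follows in this SmallRye version — the `-`/`.` aliasing that the replaced `getValue` implemented through the properties map is silently lost. A guard on the contained value covers both contracts: `if (value != null && value.getValue() != null) {`. The same pattern appears in the PersistedConfigSource hunk (`@@ -67,15 +68,15 @@`), which should get the same guard. A short javadoc on the override stating that `-` and `.` separators are treated as equivalent lookups would also record the intent the old `getValue` carried only implicitly.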
@@ -63,7 +63,21 @@ public class KeycloakPropertiesConfigSource extends AbstractLocationConfigSource @Override protected ConfigSource loadConfigSource(URL url, int ordinal) throws IOException { - return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal); + // a workaround for https://github.com/smallrye/smallrye-config/issues/1207 + // replace by the following line when fixed: + // return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal); + var cs = new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal) { + private String name; + @Override + public String getName() { + return name; + } + public void setName(String name) { + this.name = name; + } + }; + cs.setName(url.toString()); + return cs; } public static class InClassPath extends KeycloakPropertiesConfigSource implements ConfigSourceProvider { diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java index ede35466acf..688846cdd61 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java @@ -32,6 +32,7 @@ import java.util.function.Supplier; import java.util.zip.ZipEntry; import java.util.zip.ZipInputStream; +import io.smallrye.config.ConfigValue; import io.smallrye.config.PropertiesConfigSource; import org.keycloak.quarkus.runtime.Environment; @@ -54,7 +55,7 @@ public final class PersistedConfigSource extends PropertiesConfigSource { private static final ThreadLocal ENABLED = ThreadLocal.withInitial(() -> true); private PersistedConfigSource() { - super(readProperties(), "", 200); + super(readProperties(), NAME, 200); } public static PersistedConfigSource getInstance() { 
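Review bot: The anonymous `PropertiesConfigSource` subclass in `loadConfigSource` adds a public mutable `setName` and a `name` field that stays `null` until `cs.setName(url.toString())` runs after construction, so anything reading `getName()` in between (for instance logging inside the superclass constructor — not visible here) sees `null`. Since `url` is effectively final in this method, the name can be fixed at construction with `private final String name = url.toString();` plus only the `getName()` override, and the instance returned directly, dropping the setter and the `var cs` temporary. Keep the existing comment pointing at smallrye-config issue 1207 so the workaround can be removed once the upstream fix lands.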
@@ -67,15 +68,15 @@ public final class PersistedConfigSource extends PropertiesConfigSource { } @Override - public String getValue(String propertyName) { + public ConfigValue getConfigValue(String propertyName) { if (isEnabled()) { - String value = super.getValue(propertyName); + ConfigValue value = super.getConfigValue(propertyName); if (value != null) { return value; } - return super.getValue(propertyName.replace(Configuration.OPTION_PART_SEPARATOR_CHAR, '.')); + return super.getConfigValue(propertyName.replace(Configuration.OPTION_PART_SEPARATOR_CHAR, '.')); } return null; diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java index b04878816ba..d433739540d 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java @@ -57,7 +57,10 @@ public final class QuarkusPropertiesConfigSource extends AbstractLocationConfigS return false; } - return NAME.equals(value.getConfigSourceName()); + // workaround for https://github.com/smallrye/smallrye-config/issues/1207 + // replace by the following line when fixed: + // return NAME.equals(value.getConfigSourceName()); + return value.getConfigSourceName() != null && value.getConfigSourceName().endsWith(FILE_NAME); } public static Path getConfigurationFile() { diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java index 944d033fe60..439f90d3768 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java 
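Review bot: Replacing `NAME.equals(value.getConfigSourceName())` with `value.getConfigSourceName().endsWith(FILE_NAME)` loosens the source check from an exact match to a suffix match, so any config source whose name happens to end with that file name (a same-named file in another location, or a classpath resource named alike — not verifiable from the hunk) is now treated as the Quarkus properties file. If the workaround for smallrye-config issue 1207 is needed, deriving the expected suffix from `getConfigurationFile()` rather than the bare `FILE_NAME` keeps the check tied to the one location this class reads from, provided the string form of the source name matches the path form on every platform (the KeycloakPropertiesConfigSource hunk suggests names are URL strings). The method containing this return starts outside the hunk.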
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java @@ -1,5 +1,7 @@ package org.keycloak.quarkus.runtime.configuration.mappers; +import io.quarkus.vertx.http.runtime.CertificateConfig; +import io.quarkus.vertx.http.runtime.options.TlsUtils; import io.smallrye.config.ConfigSourceInterceptorContext; import org.keycloak.common.crypto.FipsMode; @@ -11,6 +13,7 @@ import org.keycloak.quarkus.runtime.cli.PropertyException; import org.keycloak.quarkus.runtime.configuration.Configuration; import java.io.File; +import java.io.IOException; import java.nio.file.Paths; import java.util.Optional; import java.util.function.BiFunction; 
@@ -127,6 +130,52 @@ public final class HttpPropertyMappers { public static void validateConfig() { boolean enabled = isHttpEnabled(Configuration.getOptionalKcValue(HttpOptions.HTTP_ENABLED.getKey())); + boolean trustStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_FILE.getKey()).isPresent(); + boolean keyStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_FILE.getKey()).isPresent(); + + if (trustStoreFile) { + CertificateConfig config = new CertificateConfig(); + + config.trustStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_FILE.getKey()).map(Paths::get); + config.trustStorePassword = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_PASSWORD.getKey()); + config.trustStoreFileType = Configuration.getOptionalKcValue(HttpOptions.HTTPS_TRUST_STORE_TYPE.getKey()); + config.trustStoreProvider = Configuration.getOptionalValue("quarkus.http.ssl.certificate.trust-store-provider"); + config.trustStoreCertAlias = Configuration.getOptionalValue("quarkus.http.ssl.certificate.trust-store-cert-alias"); + config.trustStoreFiles = Optional.empty(); + + try { + TlsUtils.computeTrustOptions(config, config.trustStorePassword); + } catch (IOException e) { + throw new PropertyException("Failed to load 'https-trust-store' material.", e); + } catch (IllegalArgumentException e) { + throw new PropertyException("Unable to determine 'https-trust-store-type' automatically. 
" + + "Adjust the file extension or specify the property.", e); + } + } + + if (keyStoreFile) { + CertificateConfig config = new CertificateConfig(); + + config.keyStoreFile = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_FILE.getKey()).map(Paths::get); + config.keyStorePassword = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_PASSWORD.getKey()); + config.keyStoreFileType = Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_TYPE.getKey()); + config.keyStoreProvider = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-provider"); + config.keyStoreAlias = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-alias"); + config.keyStoreAliasPassword = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-alias-password"); + config.keyStoreAliasPasswordKey = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-alias-password-key"); + config.keyStoreKeyAlias = Configuration.getOptionalValue("quarkus.http.ssl.certificate.key-store-key-alias"); + config.keyFiles = Optional.empty(); + config.files = Optional.empty(); + + try { + TlsUtils.computeKeyStoreOptions(config, config.keyStorePassword, config.keyStoreAliasPassword); + } catch (IOException e) { + throw new PropertyException("Failed to load 'https-key-store' material.", e); + } catch (IllegalArgumentException e) { + throw new PropertyException("Unable to determine 'https-key-store-type' automatically. " + + "Adjust the file extension or specify the property.", e); + } + } if (!enabled) { Optional value = Configuration.getOptionalKcValue(HttpOptions.HTTPS_CERTIFICATE_FILE.getKey()); diff --git a/quarkus/runtime/src/main/resources/application.properties b/quarkus/runtime/src/main/resources/application.properties index 06e86ee212b..ed44b1c173c 100644 --- a/quarkus/runtime/src/main/resources/application.properties +++ b/quarkus/runtime/src/main/resources/application.properties 
@@ -18,7 +18,7 @@ quarkus.transaction-manager.default-transaction-timeout=300 quarkus.arc.ignored-split-packages=org.keycloak.* # No need to generate dependencies list -quarkus.package.include-dependency-list=false +quarkus.package.jar.include-dependency-list=false # we do not want running dev services in distribution quarkus.devservices.enabled=false diff --git a/quarkus/server/src/main/resources/application.properties b/quarkus/server/src/main/resources/application.properties index a679430a979..8936b963767 100644 --- a/quarkus/server/src/main/resources/application.properties +++ b/quarkus/server/src/main/resources/application.properties @@ -1,7 +1,7 @@ # Inherit all configuration from the default runtime settings and sets those specific to the distribution quarkus.package.output-name=keycloak -quarkus.package.type=mutable-jar +quarkus.package.jar.type=mutable-jar quarkus.package.output-directory=lib -quarkus.package.user-providers-directory=../providers +quarkus.package.jar.user-providers-directory=../providers quarkus.package.main-class=keycloak \ No newline at end of file diff --git a/quarkus/tests/integration/pom.xml b/quarkus/tests/integration/pom.xml index bd2901ffa0d..df7b4c9bc7c 100644 --- a/quarkus/tests/integration/pom.xml +++ b/quarkus/tests/integration/pom.xml @@ -117,6 +117,7 @@ -Djdk.net.hosts.file=${project.build.testOutputDirectory}/hosts_file -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError --add-opens=java.base/java.security=ALL-UNNAMED -Djava.util.concurrent.ForkJoinPool.common.threadFactory=io.quarkus.bootstrap.forkjoin.QuarkusForkJoinWorkerThreadFactory ${kc.quarkus.tests.dist} + org.jboss.logmanager.LogManager diff --git a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java index 26786c0281e..cf16e198e3d 100644 --- a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java 
+++ b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java @@ -147,9 +147,19 @@ public class FipsDistTest { RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class); Path truststorePath = rawDist.getDistPath().resolve("conf").resolve("server.keystore").toAbsolutePath(); - // https-trust-store-type should be automatically set to pkcs12 in fips-mode=non-strict CLIResult cliResult = dist.run("--verbose", "start", "--fips-mode=non-strict", "--https-key-store-password=passwordpassword", "--https-trust-store-file=" + truststorePath, "--https-trust-store-password=passwordpassword"); + cliResult.assertError("Unable to determine 'https-trust-store-type' automatically. Adjust the file extension or specify the property."); + + dist.stop(); + + dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.p12")); + + rawDist = dist.unwrap(RawKeycloakDistribution.class); + truststorePath = rawDist.getDistPath().resolve("conf").resolve("server.p12").toAbsolutePath(); + + cliResult = dist.run("--verbose", "start", "--fips-mode=non-strict", "--https-key-store-password=passwordpassword", + "--https-trust-store-file=" + truststorePath, "--https-trust-store-password=passwordpassword"); cliResult.assertStarted(); }); } diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt index f22a75ecaf1..e04de0ed5a0 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt 
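Review bot: The removed comment `// https-trust-store-type should be automatically set to pkcs12 in fips-mode=non-strict` is not replaced, and the new expectation is non-obvious: the changes-26_0_0.adoc hunk in this same patch says a `.keystore` extension maps to JKS, yet the test asserts `Unable to determine 'https-trust-store-type' automatically` for `conf/server.keystore`, so a reader cannot tell whether detection fails because of the extension or because of the FIPS provider set (the hunk does not show which). A comment above the first `dist.run`, e.g. `// server.keystore: automatic type detection is expected to fail in the FIPS dist; the .p12 copy below must be detected as PKCS12`, would record the reason, and if the failure is FIPS-specific the adoc text could say so too. Nothing in the hunk removes the copied `conf/server.p12` after the second run; if `dist` is shared between test methods this leaves state behind — not verifiable from here.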
@@ -165,8 +165,8 @@ HTTP(S): The password of the key store file. Default: password. --https-key-store-type The type of the key store file. If not given, the type is automatically - detected based on the file name. If 'fips-mode' is set to 'strict' and no - value is set, it defaults to 'BCFKS'. + detected based on the file extension. If 'fips-mode' is set to 'strict' and + no value is set, it defaults to 'BCFKS'. --https-port The used HTTPS port. Default: 8443. --https-protocols The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. @@ -179,7 +179,7 @@ HTTP(S): instead, see the docs for details. --https-trust-store-type DEPRECATED. The type of the trust store file. If not given, the type is - automatically detected based on the file name. If 'fips-mode' is set to + automatically detected based on the file extension. If 'fips-mode' is set to 'strict' and no value is set, it defaults to 'BCFKS'. Use the System Truststore instead, see the docs for details. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt index 219e41e586c..f38f8bc5667 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt 
@@ -237,8 +237,8 @@ HTTP(S): The password of the key store file. Default: password. --https-key-store-type The type of the key store file. If not given, the type is automatically - detected based on the file name. If 'fips-mode' is set to 'strict' and no - value is set, it defaults to 'BCFKS'. + detected based on the file extension. If 'fips-mode' is set to 'strict' and + no value is set, it defaults to 'BCFKS'. --https-port The used HTTPS port. Default: 8443. --https-protocols The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. @@ -251,7 +251,7 @@ HTTP(S): instead, see the docs for details. --https-trust-store-type DEPRECATED. The type of the trust store file. If not given, the type is - automatically detected based on the file name. If 'fips-mode' is set to + automatically detected based on the file extension. If 'fips-mode' is set to 'strict' and no value is set, it defaults to 'BCFKS'. Use the System Truststore instead, see the docs for details. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt index 057aab2d755..9fbadc571ad 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt 
@@ -166,8 +166,8 @@ HTTP(S): The password of the key store file. Default: password. --https-key-store-type The type of the key store file. If not given, the type is automatically - detected based on the file name. If 'fips-mode' is set to 'strict' and no - value is set, it defaults to 'BCFKS'. + detected based on the file extension. If 'fips-mode' is set to 'strict' and + no value is set, it defaults to 'BCFKS'. --https-port The used HTTPS port. Default: 8443. --https-protocols The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. @@ -180,7 +180,7 @@ HTTP(S): instead, see the docs for details. --https-trust-store-type DEPRECATED. The type of the trust store file. If not given, the type is - automatically detected based on the file name. If 'fips-mode' is set to + automatically detected based on the file extension. If 'fips-mode' is set to 'strict' and no value is set, it defaults to 'BCFKS'. Use the System Truststore instead, see the docs for details. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt index 3e2150f6ed9..f02608e8ca7 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt 
@@ -238,8 +238,8 @@ HTTP(S): The password of the key store file. Default: password. --https-key-store-type The type of the key store file. If not given, the type is automatically - detected based on the file name. If 'fips-mode' is set to 'strict' and no - value is set, it defaults to 'BCFKS'. + detected based on the file extension. If 'fips-mode' is set to 'strict' and + no value is set, it defaults to 'BCFKS'. --https-port The used HTTPS port. Default: 8443. --https-protocols The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. @@ -252,7 +252,7 @@ HTTP(S): instead, see the docs for details. --https-trust-store-type DEPRECATED. The type of the trust store file. If not given, the type is - automatically detected based on the file name. If 'fips-mode' is set to + automatically detected based on the file extension. If 'fips-mode' is set to 'strict' and no value is set, it defaults to 'BCFKS'. Use the System Truststore instead, see the docs for details. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt index 16d3d9d476e..935e0c9149f 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt 
@@ -145,8 +145,8 @@ HTTP(S): The password of the key store file. Default: password. --https-key-store-type The type of the key store file. If not given, the type is automatically - detected based on the file name. If 'fips-mode' is set to 'strict' and no - value is set, it defaults to 'BCFKS'. + detected based on the file extension. If 'fips-mode' is set to 'strict' and + no value is set, it defaults to 'BCFKS'. --https-port The used HTTPS port. Default: 8443. --https-protocols The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. @@ -159,7 +159,7 @@ HTTP(S): instead, see the docs for details. --https-trust-store-type DEPRECATED. The type of the trust store file. If not given, the type is - automatically detected based on the file name. If 'fips-mode' is set to + automatically detected based on the file extension. If 'fips-mode' is set to 'strict' and no value is set, it defaults to 'BCFKS'. Use the System Truststore instead, see the docs for details. diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt index 2c4149899b9..317ffda597a 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt 
@@ -217,8 +217,8 @@ HTTP(S): The password of the key store file. Default: password. --https-key-store-type The type of the key store file. If not given, the type is automatically - detected based on the file name. If 'fips-mode' is set to 'strict' and no - value is set, it defaults to 'BCFKS'. + detected based on the file extension. If 'fips-mode' is set to 'strict' and + no value is set, it defaults to 'BCFKS'. --https-port The used HTTPS port. Default: 8443. --https-protocols The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. @@ -231,7 +231,7 @@ HTTP(S): instead, see the docs for details. --https-trust-store-type DEPRECATED. The type of the trust store file. If not given, the type is - automatically detected based on the file name. If 'fips-mode' is set to + automatically detected based on the file extension. If 'fips-mode' is set to 'strict' and no value is set, it defaults to 'BCFKS'. Use the System Truststore instead, see the docs for details. diff --git a/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java b/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java index 41609a5ead9..9b6f20b68ba 100644 --- a/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java +++ b/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java @@ -192,7 +192,10 @@ public class DefaultEmailSenderProvider implements EmailSenderProvider { props.put("mail.smtp.ssl.socketFactory", factory); if (configurator.getProvider().getPolicy() == HostnameVerificationPolicy.ANY) { props.setProperty("mail.smtp.ssl.trust", "*"); - props.put("mail.smtp.ssl.checkserveridentity", Boolean.FALSE.toString()); + props.put("mail.smtp.ssl.checkserveridentity", Boolean.FALSE.toString()); // this should be the default but seems to be impl specific, so set it explicitly just to be sure + } + else { + props.put("mail.smtp.ssl.checkserveridentity", Boolean.TRUE.toString()); } } }
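Review bot: The explicit `mail.smtp.ssl.checkserveridentity=true` is only set inside the branch that installs the custom `mail.smtp.ssl.socketFactory` (that enclosing `if` starts outside the hunk), so for any path that does not take this branch the hostname check still depends on the implementation default the new inline comment itself calls "impl specific". Putting `props.put("mail.smtp.ssl.checkserveridentity", Boolean.TRUE.toString());` unconditionally before the branch and letting the `HostnameVerificationPolicy.ANY` case override it to `false` makes the safe default explicit everywhere and removes the `else` block. The `}` / `else {` split across two lines also differs from the `} else {` form the rest of the file presumably uses, and the trailing comment on the `FALSE` line is long enough to belong on its own line above the statement.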