From 262fc09edc510104a1187c526382bc2fa4ff452e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Barto=C5=A1?= Date: Mon, 3 Jun 2024 14:17:28 +0200 Subject: [PATCH] OpenJDK 21 support (#28518) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * OpenJDK 21 support Closes #28517 Co-authored-by: Václav Muzikář Signed-off-by: Martin Bartoš * x509 SAN UPN other name is not handled in JDK 21 (#904) closes #29968 Signed-off-by: mposolda --------- Signed-off-by: Martin Bartoš 
Signed-off-by: mposolda Co-authored-by: Václav Muzikář Co-authored-by: Marek Posolda --- .../actions/integration-test-setup/action.yml | 2 +- .github/actions/java-setup/action.yml | 2 +- .../roles/keycloak_ec2_installer/README.md | 2 +- .../keycloak_ec2_installer/defaults/main.yml | 2 +- .github/scripts/run-fips-it.sh | 4 +- .github/scripts/run-fips-ut.sh | 6 +-- .github/scripts/run-ipa-tests.sh | 6 +-- .github/workflows/ci.yml | 4 +- .github/workflows/js-ci.yml | 6 +-- adapters/saml/core-jakarta/pom.xml | 16 ++---- adapters/saml/wildfly-elytron-jakarta/pom.xml | 18 +++---- .../wildfly/wildfly-jakarta-subsystem/pom.xml | 18 +++---- .../def/BCUserIdentityExtractorProvider.java | 47 ++++++++++-------- .../BCFIPSUserIdentityExtractorProvider.java | 49 +++++++++++-------- docs/building.md | 2 +- .../release_notes/topics/25_0_0.adoc | 10 +++- .../topics/user-federation/sssd.adoc | 4 +- .../getting-started/getting-started-zip.adoc | 2 +- docs/guides/server/fips.adoc | 8 +-- integration/admin-client/pom.xml | 32 ++---------- operator/Dockerfile | 2 +- quarkus/container/Dockerfile | 2 +- .../broker/saml/XPathAttributeMapperTest.java | 4 +- .../integration-arquillian/HOW-TO-RUN.md | 2 +- testsuite/integration-arquillian/pom.xml | 1 + .../undertow-adapter-saml-jakarta/pom.xml | 18 +++---- .../undertow-adapter-spi-jakarta/pom.xml | 18 +++---- .../test-apps/servlets-jakarta/pom.xml | 16 ++---- .../integration-arquillian/tests/base/pom.xml | 2 +- .../testsuite/pages/OAuthGrantPage.java | 3 +- .../X509BrowserLoginSubjectAltNameTest.java | 3 +- .../integration-arquillian/tests/pom.xml | 2 +- 32 files changed, 140 insertions(+), 173 deletions(-) diff --git a/.github/actions/integration-test-setup/action.yml b/.github/actions/integration-test-setup/action.yml index 9af8675344..d777e68bd8 100644 --- a/.github/actions/integration-test-setup/action.yml +++ b/.github/actions/integration-test-setup/action.yml 
@@ -9,7 +9,7 @@ inputs: jdk-version: description: JDK version required: false - default: "17" + default: "21" runs: using: composite diff --git a/.github/actions/java-setup/action.yml b/.github/actions/java-setup/action.yml index 35610afb38..4b1013ec9d 100644 --- a/.github/actions/java-setup/action.yml +++ b/.github/actions/java-setup/action.yml @@ -9,7 +9,7 @@ inputs: java-version: description: The Java version that is going to be set up. required: false - default: "17" + default: "21" runs: using: composite diff --git a/.github/scripts/ansible/roles/keycloak_ec2_installer/README.md b/.github/scripts/ansible/roles/keycloak_ec2_installer/README.md index c6d22f2a86..f683bb51d7 100644 --- a/.github/scripts/ansible/roles/keycloak_ec2_installer/README.md +++ b/.github/scripts/ansible/roles/keycloak_ec2_installer/README.md @@ -15,7 +15,7 @@ See `defaults/main.yml` for default values. ### Other - `update_system_packages`: Whether to update the system packages. Defaults to `no`. - `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`. -- `java_version`: Version of OpenJDK to be installed. Defaults to `17`. +- `java_version`: Version of OpenJDK to be installed. Defaults to `21`. ## Example Playbook diff --git a/.github/scripts/ansible/roles/keycloak_ec2_installer/defaults/main.yml b/.github/scripts/ansible/roles/keycloak_ec2_installer/defaults/main.yml index 1017485f0a..1079802a0e 100644 --- a/.github/scripts/ansible/roles/keycloak_ec2_installer/defaults/main.yml +++ b/.github/scripts/ansible/roles/keycloak_ec2_installer/defaults/main.yml @@ -4,4 +4,4 @@ ansible_ssh_user: ec2-user kc_home: /opt/keycloak update_system_packages: no install_java: yes -java_version: 17 +java_version: 21 diff --git a/.github/scripts/run-fips-it.sh b/.github/scripts/run-fips-it.sh index cf3cabaffe..0a639e1b6c 100755 --- a/.github/scripts/run-fips-it.sh +++ b/.github/scripts/run-fips-it.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -dnf install -y java-17-openjdk-devel +dnf install -y java-21-openjdk-devel fips-mode-setup --enable --no-bootcfg fips-mode-setup --is-enabled if [ $? -ne 0 ]; then @@ -13,7 +13,7 @@ fi echo "STRICT_OPTIONS: $STRICT_OPTIONS" TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips` echo "Tests: $TESTS" -export JAVA_HOME=/etc/alternatives/java_sdk_17 +export JAVA_HOME=/etc/alternatives/java_sdk_21 set -o pipefail # Profile app-server-wildfly needs to be explicitly set for FIPS tests diff --git a/.github/scripts/run-fips-ut.sh b/.github/scripts/run-fips-ut.sh index 0579caebe9..958d942e98 100755 --- a/.github/scripts/run-fips-ut.sh +++ b/.github/scripts/run-fips-ut.sh @@ -1,13 +1,13 @@ #!/bin/bash -dnf install -y java-17-openjdk-devel crypto-policies-scripts +dnf install -y java-21-openjdk-devel crypto-policies-scripts fips-mode-setup --enable --no-bootcfg fips-mode-setup --is-enabled if [ $? -ne 0 ]; then exit 1 fi -echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_17/conf/security/java.security -export JAVA_HOME=/etc/alternatives/java_sdk_17 +echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_21/conf/security/java.security +export JAVA_HOME=/etc/alternatives/java_sdk_21 # Build all dependent modules ./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402 -DskipTests diff --git a/.github/scripts/run-ipa-tests.sh b/.github/scripts/run-ipa-tests.sh index 34c784bb7f..0b3bd4d462 100755 --- a/.github/scripts/run-ipa-tests.sh +++ b/.github/scripts/run-ipa-tests.sh 
@@ -39,9 +39,9 @@ EOF kdestroy fi -echo "Installing jdk-17 in the container" -dnf install -y java-17-openjdk-devel -export JAVA_HOME=/etc/alternatives/java_sdk_17 +echo "Installing jdk-21 in the container" +dnf install -y java-21-openjdk-devel +export JAVA_HOME=/etc/alternatives/java_sdk_21 echo "Building quarkus keyclok server with SSSD integration" ./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d9bba2b95d..6982f6d2fd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -272,7 +272,7 @@ jobs: matrix: os: [ubuntu-latest, windows-latest] dist: [temurin] - version: [19] + version: [17] fail-fast: false runs-on: ${{ matrix.os }} steps: @@ -605,7 +605,7 @@ jobs: name: Integration test setup uses: ./.github/actions/integration-test-setup with: - jdk-version: 17 + jdk-version: 21 - name: Build adapter distributions run: ./mvnw install -DskipTests -f distribution/pom.xml diff --git a/.github/workflows/js-ci.yml b/.github/workflows/js-ci.yml index ea5c4c38dd..48c9f0b56f 100644 --- a/.github/workflows/js-ci.yml +++ b/.github/workflows/js-ci.yml @@ -47,7 +47,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: 17 + java-version: 21 check-latest: true cache: maven @@ -167,7 +167,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: 17 + java-version: 21 - name: Start Keycloak server run: | @@ -263,7 +263,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: 17 + java-version: 21 - name: Start Keycloak server run: | diff --git a/adapters/saml/core-jakarta/pom.xml b/adapters/saml/core-jakarta/pom.xml index a43da07073..e500be46da 100644 --- a/adapters/saml/core-jakarta/pom.xml +++ b/adapters/saml/core-jakarta/pom.xml @@ -94,7 +94,7 @@ - + 
@@ -110,18 +110,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 diff --git a/adapters/saml/wildfly-elytron-jakarta/pom.xml b/adapters/saml/wildfly-elytron-jakarta/pom.xml index d8d785b220..b509ff1698 100755 --- a/adapters/saml/wildfly-elytron-jakarta/pom.xml +++ b/adapters/saml/wildfly-elytron-jakarta/pom.xml @@ -104,7 +104,7 @@ maven-antrun-plugin - 3.0.0 + 3.1.0 transform @@ -115,7 +115,7 @@ - + @@ -131,18 +131,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 diff --git a/adapters/saml/wildfly/wildfly-jakarta-subsystem/pom.xml b/adapters/saml/wildfly/wildfly-jakarta-subsystem/pom.xml index 15e52a6415..821e6d2330 100755 --- a/adapters/saml/wildfly/wildfly-jakarta-subsystem/pom.xml +++ b/adapters/saml/wildfly/wildfly-jakarta-subsystem/pom.xml @@ -44,7 +44,7 @@ maven-antrun-plugin - 3.0.0 + 3.1.0 transform @@ -55,7 +55,7 @@ - + @@ -71,18 +71,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 diff --git a/crypto/default/src/main/java/org/keycloak/crypto/def/BCUserIdentityExtractorProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/def/BCUserIdentityExtractorProvider.java index 13302ef4d9..5b17a69450 100644 --- a/crypto/default/src/main/java/org/keycloak/crypto/def/BCUserIdentityExtractorProvider.java +++ b/crypto/default/src/main/java/org/keycloak/crypto/def/BCUserIdentityExtractorProvider.java 
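Review bot: The Eclipse Transformer `0.5.0` and `org.apache.ant:ant` `1.10.14` versions are written as literals in this pom and repeated in the wildfly-elytron-jakarta, wildfly-jakarta-subsystem, admin-client, undertow-adapter-saml-jakarta, undertow-adapter-spi-jakarta and servlets-jakarta poms of the same commit, while byte-buddy is centralized into a `byte-buddy.version` property in the same change. Declaring properties such as `eclipse.transformer.version` and `ant.version` in the parent pom and referencing them here would give a single place to bump these build-time dependencies when a fix lands, consistent with how byte-buddy is handled. The XML element markup of this hunk is not visible in this rendering, so the surrounding lines were not checked.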
@@ -149,34 +149,41 @@ public class BCUserIdentityExtractorProvider extends UserIdentityExtractorProvi return obj; } - byte[] otherNameBytes = (byte[]) obj; + // From Java 21, the 3rd entry can be present with the type-id as String and 4th entry with the value (either in String or byte format). + // See javadoc of X509Certificate.getSubjectAlternativeNames in Java 21. For the sake of simplicity, we just ignore those additional String entries and + // always parse it from byte (2nd entry) as we still need to support Java 17 and it is not reliable anyway that entries are present in Java 21. + if (obj instanceof byte[]) { + byte[] otherNameBytes = (byte[]) obj; - try { - ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes)); - ASN1Encodable asn1otherName = asn1Stream.readObject(); - asn1otherName = unwrap(asn1otherName); + try { + ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes)); + ASN1Encodable asn1otherName = asn1Stream.readObject(); + asn1otherName = unwrap(asn1otherName); - ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName); + ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName); - if (asn1Sequence != null) { - ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0); - ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid)); - tempOid = oid.getId(); + if (asn1Sequence != null) { + ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0); + ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid)); + tempOid = oid.getId(); - ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1); - ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded)); + ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1); + ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded)); - tempOtherName = principalName.getString(); + tempOtherName = 
principalName.getString(); - // We found UPN among the 'otherName' principal. We don't need to look other - if (UPN_OID.equals(tempOid)) { - foundUpn = true; - break; + // We found UPN among the 'otherName' principal. We don't need to look other + if (UPN_OID.equals(tempOid)) { + foundUpn = true; + break; + } } - } - } catch (Exception e) { - logger.error("Failed to parse subjectAltName", e); + } catch (Exception e) { + logger.error("Failed to parse subjectAltName", e); + } + } else { + logger.tracef("Ignoring the Subject alternative name entry. Entry number: %d, value: %s", i + 1, obj); } } diff --git a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSUserIdentityExtractorProvider.java b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSUserIdentityExtractorProvider.java index 6cc13ad5db..4d09ce15a0 100644 --- a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSUserIdentityExtractorProvider.java +++ b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/BCFIPSUserIdentityExtractorProvider.java @@ -58,7 +58,7 @@ public class BCFIPSUserIdentityExtractorProvider extends UserIdentityExtractorP private ASN1ObjectIdentifier x500NameStyle; Function x500Name; - + public X500NameRDNExtractorBCProvider(String attrName, Function x500Name) { this.x500NameStyle = BCStyle.INSTANCE.attrNameToOID(attrName); this.x500Name = x500Name; 
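Review bot: The new `if (obj instanceof byte[])` guard in the otherName loop does not distinguish the DER-encoded otherName (the 2nd entry) from the 4th entry, which the added comment itself says may also arrive as a byte[] on Java 21; such a value would be fed to `ASN1InputStream` and `ASN1Sequence.getInstance` as if it were a complete otherName, producing a spurious `Failed to parse subjectAltName` error log for a well-formed certificate or, if the raw value happens to decode as a SEQUENCE, overwriting `tempOid`/`tempOtherName` with values taken from the wrong entry. If `i` indexes the entry list as the `i + 1` in the trace message suggests, restricting the parse to the encoded entry, `if (i == 1 && obj instanceof byte[]) {`, keeps the Java 17 and Java 21 paths identical and routes every additional entry to the trace branch. The same applies to the corresponding hunk in BCFIPSUserIdentityExtractorProvider below. The enclosing method and the loop header start outside this hunk.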
@@ -147,34 +147,41 @@ public class BCFIPSUserIdentityExtractorProvider extends UserIdentityExtractorP return obj; } - byte[] otherNameBytes = (byte[]) obj; + // From Java 21, the 3rd entry can be present with the type-id as String and 4th entry with the value (either in String or byte format). + // See javadoc of X509Certificate.getSubjectAlternativeNames in Java 21. For the sake of simplicity, we just ignore those additional String entries and + // always parse it from byte (2nd entry) as we still need to support Java 17 and it is not reliable anyway that entries are present in Java 21. + if (obj instanceof byte[]) { + byte[] otherNameBytes = (byte[]) obj; - try { - ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes)); - ASN1Encodable asn1otherName = asn1Stream.readObject(); - asn1otherName = unwrap(asn1otherName); + try { + ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes)); + ASN1Encodable asn1otherName = asn1Stream.readObject(); + asn1otherName = unwrap(asn1otherName); - ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName); + ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName); - if (asn1Sequence != null) { - ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0); - ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid)); - tempOid = oid.getId(); + if (asn1Sequence != null) { + ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0); + ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid)); + tempOid = oid.getId(); - ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1); - DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded)); + ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1); + DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded)); - tempOtherName = principalName.getString(); + tempOtherName = 
principalName.getString(); - // We found UPN among the 'otherName' principal. We don't need to look other - if (UPN_OID.equals(tempOid)) { - foundUpn = true; - break; + // We found UPN among the 'otherName' principal. We don't need to look other + if (UPN_OID.equals(tempOid)) { + foundUpn = true; + break; + } } - } - } catch (Exception e) { - logger.error("Failed to parse subjectAltName", e); + } catch (Exception e) { + logger.error("Failed to parse subjectAltName", e); + } + } else { + logger.tracef("Ignoring the Subject alternative name entry. Entry number: %d, value: %s", i + 1, obj); } } diff --git a/docs/building.md b/docs/building.md index 2bb49bfa13..d1a09cd9e1 100644 --- a/docs/building.md +++ b/docs/building.md @@ -1,6 +1,6 @@ ## Building from source -Ensure you have JDK 17 (or newer) and Git installed +Ensure you have JDK 21 (or newer) and Git installed java -version git --version diff --git a/docs/documentation/release_notes/topics/25_0_0.adoc b/docs/documentation/release_notes/topics/25_0_0.adoc index f5e5207521..57539307c0 100644 --- a/docs/documentation/release_notes/topics/25_0_0.adoc +++ b/docs/documentation/release_notes/topics/25_0_0.adoc @@ -2,6 +2,14 @@ The Account Console v2 theme has been removed from {project_name}. This theme was deprecated in {project_name} 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme. += Java 21 support + +{project_name} now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions. + += Java 17 support is deprecated + +OpenJDK 17 support is deprecated in {project_name}, and will be removed in a following release in favor of OpenJDK 21. + = Most of Java adapters removed As stated in the release notes of previous {project_name} version, the most of Java adapters are now removed from the {project_name} codebase and downloads pages. 
@@ -216,4 +224,4 @@ For more details, see the link:{upgradingguide_link}[{upgradingguide_name}]. = Support for PostgreSQL 16 -The supported and tested databases now include PostgreSQL 16. \ No newline at end of file +The supported and tested databases now include PostgreSQL 16. diff --git a/docs/documentation/server_admin/topics/user-federation/sssd.adoc b/docs/documentation/server_admin/topics/user-federation/sssd.adoc index 56bd160016..6e94e4ae98 100644 --- a/docs/documentation/server_admin/topics/user-federation/sssd.adoc +++ b/docs/documentation/server_admin/topics/user-federation/sssd.adoc @@ -31,7 +31,7 @@ The https://quay.io/repository/freeipa/freeipa-server?tab=tags/[FreeIPA Containe -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server ---- + -The parameter `-h` with `server.freeipa.local` represents the FreeIPA/IdM server hostname. +The parameter `-h` with `server.freeipa.local` represents the FreeIPA/IdM server hostname. Change `YOUR_PASSWORD` to a password of your own. . After the container starts, change the `/etc/hosts` file to include: @@ -156,7 +156,7 @@ ipaapi:x:992:988:IPA Framework User:/:/sbin/nologin {project_name} uses https://github.com/hypfvieh/dbus-java[DBus-Java] project to communicate at a low level with D-Bus and https://github.com/java-native-access/jna[JNA] to authenticate via Operating System Pluggable Authentication Modules (PAM). -Although now {project_name} contains all the needed libraries to run the `SSSD` provider, JDK version 17 is needed. Therefore the `SSSD` provider will only be displayed when the host configuration is correct and JDK 17 is used to run {project_name}. +Although now {project_name} contains all the needed libraries to run the `SSSD` provider, JDK version 21 is needed. Therefore the `SSSD` provider will only be displayed when the host configuration is correct and JDK 21 is used to run {project_name}. ==== Configuring a federated SSSD store 
diff --git a/docs/guides/getting-started/getting-started-zip.adoc b/docs/guides/getting-started/getting-started-zip.adoc index c164bd9afc..efd8fa43b7 100644 --- a/docs/guides/getting-started/getting-started-zip.adoc +++ b/docs/guides/getting-started/getting-started-zip.adoc @@ -13,7 +13,7 @@ summary="Get started with {project_name} on bare metal"> include::templates/hw-requirements.adoc[] -Make sure you have https://openjdk.java.net/[OpenJDK 17] installed. +Make sure you have https://openjdk.java.net/[OpenJDK 21] installed. == Download {project_name} diff --git a/docs/guides/server/fips.adoc b/docs/guides/server/fips.adoc index 999d35dfbd..1597b1d03d 100644 --- a/docs/guides/server/fips.adoc +++ b/docs/guides/server/fips.adoc @@ -52,7 +52,7 @@ You can create either `pkcs12` or `bcfks` keystore to be used for the {project_n The `p12` (or `pkcs12`) keystore (and/or truststore) works well in BCFIPS non-approved mode. -PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way. For instance, the following command can be used to generate the keystore: +PKCS12 keystore can be generated with OpenJDK 21 Java on RHEL 9 in the standard way. For instance, the following command can be used to generate the keystore: [source,bash] ---- 
@@ -180,7 +180,7 @@ available. Details are in the https://bugzilla.redhat.com/show_bug.cgi?id=205162 == Run the CLI on the FIPS host -If you want to run Client Registration CLI (`kcreg.sh|bat` script) or Admin CLI (`kcadm.sh|bat` script), +If you want to run Client Registration CLI (`kcreg.sh|bat` script) or Admin CLI (`kcadm.sh|bat` script), the CLI must also use the BouncyCastle FIPS dependencies instead of plain BouncyCastle dependencies. To achieve this, you may copy the jars to the CLI library folder and that is enough. CLI tool will automatically use BCFIPS dependencies instead of plain BC when it detects that corresponding BCFIPS jars are present (see above for the versions used). For example, use command such as the following before running the CLI: 
@@ -268,8 +268,8 @@ earlier. If you prefer to avoid this option, you can for instance ask all your u the non-RHEL compatible platform or on the non-FIPS enabled platform, the FIPS compliance cannot be strictly guaranteed and cannot be officially supported. If you are still restricted to running {project_name} on such a system, you can at least update your security providers configured in `java.security` file. This update does not amount to FIPS compliance, but -at least the setup is closer to it. It can be done by providing a custom security file with only an overridden list of security providers as described earlier. For a list of recommended providers, -see the https://access.redhat.com/documentation/en-us/openjdk/17/html/configuring_openjdk_17_on_rhel_with_fips/openjdk-default-fips-configuration[OpenJDK 17 documentation]. +at least the setup is closer to it. It can be done by providing a custom security file with only an overridden list of security providers as described earlier. For a list of recommended providers, +see the https://access.redhat.com/documentation/en-us/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips[OpenJDK 21 documentation]. You can check the {project_name} server log at startup to see if the correct security providers are used. TRACE logging should be enabled for crypto-related {project_name} packages as described in the Keycloak startup command earlier. diff --git a/integration/admin-client/pom.xml b/integration/admin-client/pom.xml index 5aae036ebd..2930ce99be 100755 --- a/integration/admin-client/pom.xml +++ b/integration/admin-client/pom.xml @@ -31,8 +31,6 @@ - -Dnone - ${project.basedir}/../admin-client-jee/src ${project.basedir}/src @@ -95,8 +93,7 @@ - - + @@ -122,18 +119,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 
@@ -154,17 +145,4 @@ - - - jdk17+ - - [17,) - - - - -Djava.security.manager=allow - - - - diff --git a/operator/Dockerfile b/operator/Dockerfile index 93017bf576..c94ca97c47 100644 --- a/operator/Dockerfile +++ b/operator/Dockerfile @@ -1,7 +1,7 @@ FROM registry.access.redhat.com/ubi9 AS ubi-micro-build ADD target/ubi-null.sh /tmp/ -RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en +RUN bash /tmp/ubi-null.sh java-21-openjdk-headless glibc-langpack-en FROM registry.access.redhat.com/ubi9-micro ENV LANG en_US.UTF-8 diff --git a/quarkus/container/Dockerfile b/quarkus/container/Dockerfile index 3e980da892..98fa3a202b 100644 --- a/quarkus/container/Dockerfile +++ b/quarkus/container/Dockerfile @@ -17,7 +17,7 @@ RUN mv /tmp/keycloak/keycloak-* /opt/keycloak && mkdir -p /opt/keycloak/data RUN chmod -R g+rwX /opt/keycloak ADD ubi-null.sh /tmp/ -RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en findutils +RUN bash /tmp/ubi-null.sh java-21-openjdk-headless glibc-langpack-en findutils FROM registry.access.redhat.com/ubi9-micro ENV LANG en_US.UTF-8 diff --git a/services/src/test/java/org/keycloak/test/broker/saml/XPathAttributeMapperTest.java b/services/src/test/java/org/keycloak/test/broker/saml/XPathAttributeMapperTest.java index adf5cd105e..9b60a0a658 100644 --- a/services/src/test/java/org/keycloak/test/broker/saml/XPathAttributeMapperTest.java +++ b/services/src/test/java/org/keycloak/test/broker/saml/XPathAttributeMapperTest.java 
@@ -50,7 +50,9 @@ public class XPathAttributeMapperTest { assertThrows(RuntimeException.class, () -> testMapping("Foo", "//*")); assertThat(actualException.getCause(), instanceOf(ParsingException.class)); - assertThrows(RuntimeException.class, () -> testMapping(XML_WITH_NAMESPACE, "//*[local-name()=$street]")); + // it seems additional validation is added as 'TransformerException: Prefix must resolve to a namespace: unknownPrefix' + // is thrown before the XPath function resolver + assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=$street]")); assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=myPrefix:add(1,2)]")); } diff --git a/testsuite/integration-arquillian/HOW-TO-RUN.md b/testsuite/integration-arquillian/HOW-TO-RUN.md index 9366b286c8..50a1cae3fd 100644 --- a/testsuite/integration-arquillian/HOW-TO-RUN.md +++ b/testsuite/integration-arquillian/HOW-TO-RUN.md @@ -786,7 +786,7 @@ mvn clean install -f crypto/fips1402 -Dorg.bouncycastle.fips.approved_only=true ### Integration tests -On the FIPS enabled platform with FIPS enabled OpenJDK 17, you can run this to test against a Keycloak server on Quarkus +On the FIPS enabled platform with FIPS enabled OpenJDK 21, you can run this to test against a Keycloak server on Quarkus with FIPS 140-2 integration enabled ``` diff --git a/testsuite/integration-arquillian/pom.xml b/testsuite/integration-arquillian/pom.xml index 5e9fc6dae8..0fa1bc9385 100644 --- a/testsuite/integration-arquillian/pom.xml +++ b/testsuite/integration-arquillian/pom.xml @@ -57,6 +57,7 @@ 2.2.3 3.0.5 1.8.0 + 1.14.13 1.9.8.Final diff --git a/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-saml-jakarta/pom.xml b/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-saml-jakarta/pom.xml index 20060e8fd7..ac693279da 100644 --- a/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-saml-jakarta/pom.xml 
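Review bot: The replaced assertion ties this test to the JDK's XPath engine: the new comment says the engine now raises `TransformerException: Prefix must resolve to a namespace` before the function resolver runs, and the test now expects `testMapping` to return null, whereas the previous line required a RuntimeException on JDK 17. Since the ci.yml matrix in this commit still runs a JDK 17 job, this line may fail there unless `testMapping` yields null on both versions; if null is the mapper's error result on every supported JDK, the comment should state that rather than `it seems`, e.g. `// Since JDK 21 the XPath engine rejects the unresolved $street variable (TransformerException) before the function resolver is consulted; the mapper reports the failure as null.` Asserting on the cause as the ParsingException check two lines above does would also document which failure is expected. testMapping and the test fixtures are outside this hunk.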
+++ b/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-saml-jakarta/pom.xml @@ -81,6 +81,7 @@ maven-antrun-plugin + 3.1.0 transform @@ -91,8 +92,7 @@ - - + @@ -115,18 +115,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 diff --git a/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-spi-jakarta/pom.xml b/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-spi-jakarta/pom.xml index 3fe965d904..32f2b71283 100644 --- a/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-spi-jakarta/pom.xml +++ b/testsuite/integration-arquillian/servers/adapter-spi/undertow-adapter-spi-jakarta/pom.xml @@ -42,6 +42,7 @@ maven-antrun-plugin + 3.1.0 transform @@ -52,8 +53,7 @@ - - + @@ -76,18 +76,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 diff --git a/testsuite/integration-arquillian/test-apps/servlets-jakarta/pom.xml b/testsuite/integration-arquillian/test-apps/servlets-jakarta/pom.xml index 92cff95593..5cec6336b4 100644 --- a/testsuite/integration-arquillian/test-apps/servlets-jakarta/pom.xml +++ b/testsuite/integration-arquillian/test-apps/servlets-jakarta/pom.xml @@ -96,7 +96,7 @@ - + @@ -119,18 +119,12 @@ org.eclipse.transformer org.eclipse.transformer.cli - 0.2.0 + 0.5.0 - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - + org.apache.ant + ant + 1.10.14 diff --git a/testsuite/integration-arquillian/tests/base/pom.xml b/testsuite/integration-arquillian/tests/base/pom.xml index a61c8b0592..d594b92670 100644 --- a/testsuite/integration-arquillian/tests/base/pom.xml +++ b/testsuite/integration-arquillian/tests/base/pom.xml @@ -797,7 +797,7 @@ net.bytebuddy byte-buddy - 1.12.18 + {byte-buddy.version} 
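Review bot: The new version on the last line of the tests/base/pom.xml hunk reads `{byte-buddy.version}` without the leading `$`, unlike `${byte-buddy.version}` used for the same dependency in tests/pom.xml and the `byte-buddy.version` property introduced in testsuite/integration-arquillian/pom.xml; Maven does not interpolate a bare `{...}`, so it would resolve the literal artifact version `{byte-buddy.version}` and fail. Unless this is an artifact of how the patch was rendered, the line should be `<version>${byte-buddy.version}</version>`. The XML element markup of that hunk is not shown here, so the exact line could not be verified.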
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/OAuthGrantPage.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/OAuthGrantPage.java index 47dc36d116..778e45fb85 100755 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/OAuthGrantPage.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/OAuthGrantPage.java @@ -16,6 +16,7 @@ */ package org.keycloak.testsuite.pages; +import java.util.ArrayList; import java.util.Arrays; import java.util.LinkedList; import java.util.List; @@ -64,7 +65,7 @@ public class OAuthGrantPage extends LanguageComboboxAwarePage { } public List getDisplayedGrants() { - List table = new LinkedList<>(); + List table = new ArrayList<>(); WebElement divKcOauth = driver.findElement(By.id("kc-oauth")); for (WebElement li : divKcOauth.findElements(By.tagName("li"))) { WebElement span = li.findElement(By.tagName("span")); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameTest.java index f1795e551c..3648f916bd 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameTest.java @@ -20,7 +20,6 @@ package org.keycloak.testsuite.x509; import org.jboss.arquillian.drone.api.annotation.Drone; import org.junit.Before; import org.junit.BeforeClass; -import org.junit.Ignore; import org.junit.Test; import org.keycloak.testsuite.util.HtmlUnitBrowser; import org.openqa.selenium.WebDriver; 
@@ -56,4 +55,4 @@ public class X509BrowserLoginSubjectAltNameTest extends AbstractX509Authenticati public void loginAsUserFromCertSANUpn() { x509BrowserLogin(createLoginSubjectAltNameOtherName2UserAttributeConfig(), userId, "test-user@localhost", "test_upn_name@localhost"); } -} \ No newline at end of file +} diff --git a/testsuite/integration-arquillian/tests/pom.xml b/testsuite/integration-arquillian/tests/pom.xml index d220bc4729..f0848455c6 100644 --- a/testsuite/integration-arquillian/tests/pom.xml +++ b/testsuite/integration-arquillian/tests/pom.xml @@ -1608,7 +1608,7 @@ net.bytebuddy byte-buddy - 1.12.18 + ${byte-buddy.version}