OpenJDK 21 support (#28518)

* OpenJDK 21 support

Closes #28517

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* x509 SAN UPN other name is not handled in JDK 21 (#904)

closes #29968

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Martin Bartoš 2024-06-03 14:17:28 +02:00 committed by GitHub
parent 8fefad5054
commit 262fc09edc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
32 changed files with 140 additions and 173 deletions


@ -9,7 +9,7 @@ inputs:
jdk-version: jdk-version:
description: JDK version description: JDK version
required: false required: false
default: "17" default: "21"
runs: runs:
using: composite using: composite


@ -9,7 +9,7 @@ inputs:
java-version: java-version:
description: The Java version that is going to be set up. description: The Java version that is going to be set up.
required: false required: false
default: "17" default: "21"
runs: runs:
using: composite using: composite


@ -15,7 +15,7 @@ See `defaults/main.yml` for default values.
### Other ### Other
- `update_system_packages`: Whether to update the system packages. Defaults to `no`. - `update_system_packages`: Whether to update the system packages. Defaults to `no`.
- `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`. - `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`.
- `java_version`: Version of OpenJDK to be installed. Defaults to `17`. - `java_version`: Version of OpenJDK to be installed. Defaults to `21`.
## Example Playbook ## Example Playbook


@ -4,4 +4,4 @@ ansible_ssh_user: ec2-user
kc_home: /opt/keycloak kc_home: /opt/keycloak
update_system_packages: no update_system_packages: no
install_java: yes install_java: yes
java_version: 17 java_version: 21


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
dnf install -y java-17-openjdk-devel dnf install -y java-21-openjdk-devel
fips-mode-setup --enable --no-bootcfg fips-mode-setup --enable --no-bootcfg
fips-mode-setup --is-enabled fips-mode-setup --is-enabled
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@ -13,7 +13,7 @@ fi
echo "STRICT_OPTIONS: $STRICT_OPTIONS" echo "STRICT_OPTIONS: $STRICT_OPTIONS"
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips` TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`
echo "Tests: $TESTS" echo "Tests: $TESTS"
export JAVA_HOME=/etc/alternatives/java_sdk_17 export JAVA_HOME=/etc/alternatives/java_sdk_21
set -o pipefail set -o pipefail
# Profile app-server-wildfly needs to be explicitly set for FIPS tests # Profile app-server-wildfly needs to be explicitly set for FIPS tests


@ -1,13 +1,13 @@
#!/bin/bash #!/bin/bash
dnf install -y java-17-openjdk-devel crypto-policies-scripts dnf install -y java-21-openjdk-devel crypto-policies-scripts
fips-mode-setup --enable --no-bootcfg fips-mode-setup --enable --no-bootcfg
fips-mode-setup --is-enabled fips-mode-setup --is-enabled
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_17/conf/security/java.security echo "fips.provider.7=XMLDSig" >>/etc/alternatives/java_sdk_21/conf/security/java.security
export JAVA_HOME=/etc/alternatives/java_sdk_17 export JAVA_HOME=/etc/alternatives/java_sdk_21
# Build all dependent modules # Build all dependent modules
./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402 -DskipTests ./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402 -DskipTests


@ -39,9 +39,9 @@ EOF
kdestroy kdestroy
fi fi
echo "Installing jdk-17 in the container" echo "Installing jdk-21 in the container"
dnf install -y java-17-openjdk-devel dnf install -y java-21-openjdk-devel
export JAVA_HOME=/etc/alternatives/java_sdk_17 export JAVA_HOME=/etc/alternatives/java_sdk_21
echo "Building quarkus keyclok server with SSSD integration" echo "Building quarkus keyclok server with SSSD integration"
./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus ./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus


@ -272,7 +272,7 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, windows-latest] os: [ubuntu-latest, windows-latest]
dist: [temurin] dist: [temurin]
version: [19] version: [17]
fail-fast: false fail-fast: false
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
@ -605,7 +605,7 @@ jobs:
name: Integration test setup name: Integration test setup
uses: ./.github/actions/integration-test-setup uses: ./.github/actions/integration-test-setup
with: with:
jdk-version: 17 jdk-version: 21
- name: Build adapter distributions - name: Build adapter distributions
run: ./mvnw install -DskipTests -f distribution/pom.xml run: ./mvnw install -DskipTests -f distribution/pom.xml


@ -47,7 +47,7 @@ jobs:
uses: actions/setup-java@v4 uses: actions/setup-java@v4
with: with:
distribution: temurin distribution: temurin
java-version: 17 java-version: 21
check-latest: true check-latest: true
cache: maven cache: maven
@ -167,7 +167,7 @@ jobs:
uses: actions/setup-java@v4 uses: actions/setup-java@v4
with: with:
distribution: temurin distribution: temurin
java-version: 17 java-version: 21
- name: Start Keycloak server - name: Start Keycloak server
run: | run: |
@ -263,7 +263,7 @@ jobs:
uses: actions/setup-java@v4 uses: actions/setup-java@v4
with: with:
distribution: temurin distribution: temurin
java-version: 17 java-version: 21
- name: Start Keycloak server - name: Start Keycloak server
run: | run: |


@ -94,7 +94,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath" /> <property name="plugin_classpath" refid="maven.plugin.classpath" />
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<arg value="-o" /> <arg value="-o" />
<arg value="${jakarta-transformer-sources}" /> <arg value="${jakarta-transformer-sources}" />
<arg value="${jakarta-transformer-target}" /> <arg value="${jakarta-transformer-target}" />
@ -110,18 +110,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>
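Review bot: The new versions `0.5.0` (org.eclipse.transformer.cli) and `1.10.14` (org.apache.ant:ant) are written as literals inside this plugin's `<dependencies>`, and the same two literals recur in the equivalent plugin blocks of the other module POMs changed by this commit. The commit already introduces a shared `byte-buddy.version` property for another dependency; doing the same here would reduce a later security bump of Ant or the transformer to a single edit, e.g. `<version>${ant.version}</version>` with the property defined in a common parent POM (the property name is only a suggestion). The enclosing `<plugin>` element starts outside the hunk.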


@ -104,7 +104,7 @@
<plugins> <plugins>
<plugin> <plugin>
<artifactId>maven-antrun-plugin</artifactId> <artifactId>maven-antrun-plugin</artifactId>
<version>3.0.0</version> <version>3.1.0</version>
<executions> <executions>
<execution> <execution>
<id>transform</id> <id>transform</id>
@ -115,7 +115,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath" /> <property name="plugin_classpath" refid="maven.plugin.classpath" />
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<arg value="-o" /> <arg value="-o" />
<arg value="${jakarta-transformer-sources}" /> <arg value="${jakarta-transformer-sources}" />
<arg value="${jakarta-transformer-target}" /> <arg value="${jakarta-transformer-target}" />
@ -131,18 +131,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>


@ -44,7 +44,7 @@
<plugins> <plugins>
<plugin> <plugin>
<artifactId>maven-antrun-plugin</artifactId> <artifactId>maven-antrun-plugin</artifactId>
<version>3.0.0</version> <version>3.1.0</version>
<executions> <executions>
<execution> <execution>
<id>transform</id> <id>transform</id>
@ -55,7 +55,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath" /> <property name="plugin_classpath" refid="maven.plugin.classpath" />
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<arg value="-o" /> <arg value="-o" />
<arg value="${jakarta-transformer-sources}" /> <arg value="${jakarta-transformer-sources}" />
<arg value="${jakarta-transformer-target}" /> <arg value="${jakarta-transformer-target}" />
@ -71,18 +71,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>


@ -149,34 +149,41 @@ public class BCUserIdentityExtractorProvider extends UserIdentityExtractorProvi
return obj; return obj;
} }
byte[] otherNameBytes = (byte[]) obj; // From Java 21, the 3rd entry can be present with the type-id as String and 4th entry with the value (either in String or byte format).
// See javadoc of X509Certificate.getSubjectAlternativeNames in Java 21. For the sake of simplicity, we just ignore those additional String entries and
// always parse it from byte (2nd entry) as we still need to support Java 17 and it is not reliable anyway that entries are present in Java 21.
if (obj instanceof byte[]) {
byte[] otherNameBytes = (byte[]) obj;
try { try {
ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes)); ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes));
ASN1Encodable asn1otherName = asn1Stream.readObject(); ASN1Encodable asn1otherName = asn1Stream.readObject();
asn1otherName = unwrap(asn1otherName); asn1otherName = unwrap(asn1otherName);
ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName); ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName);
if (asn1Sequence != null) { if (asn1Sequence != null) {
ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0); ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0);
ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid)); ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid));
tempOid = oid.getId(); tempOid = oid.getId();
ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1); ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded)); ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
tempOtherName = principalName.getString(); tempOtherName = principalName.getString();
// We found UPN among the 'otherName' principal. We don't need to look other // We found UPN among the 'otherName' principal. We don't need to look other
if (UPN_OID.equals(tempOid)) { if (UPN_OID.equals(tempOid)) {
foundUpn = true; foundUpn = true;
break; break;
}
} }
}
} catch (Exception e) { } catch (Exception e) {
logger.error("Failed to parse subjectAltName", e); logger.error("Failed to parse subjectAltName", e);
}
} else {
logger.tracef("Ignoring the Subject alternative name entry. Entry number: %d, value: %s", i + 1, obj);
} }
} }
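Review bot: The `obj instanceof byte[]` guard selects entries by type rather than by position, so it does not enforce what the comment above it promises ("always parse it from byte (2nd entry)"). According to the Java 21 javadoc the comment cites, the 4th entry can itself be a byte array; for an otherName that is not a UPN the loop would then pass those value bytes to `ASN1InputStream`, which either logs "Failed to parse subjectAltName" at error level for client-supplied certificate content or, if the bytes happen to decode as a sequence, overwrites `tempOid`/`tempOtherName`. Assuming `i` is the zero-based index within one SAN entry list, as the trace message suggests, `if (i == 1 && obj instanceof byte[]) {` would restrict parsing to the DER-encoded otherName. The loop header and the later use of `tempOid`/`tempOtherName` lie outside the hunk, and the same guard appears in BCFIPSUserIdentityExtractorProvider.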


@ -147,34 +147,41 @@ public class BCFIPSUserIdentityExtractorProvider extends UserIdentityExtractorP
return obj; return obj;
} }
byte[] otherNameBytes = (byte[]) obj; // From Java 21, the 3rd entry can be present with the type-id as String and 4th entry with the value (either in String or byte format).
// See javadoc of X509Certificate.getSubjectAlternativeNames in Java 21. For the sake of simplicity, we just ignore those additional String entries and
// always parse it from byte (2nd entry) as we still need to support Java 17 and it is not reliable anyway that entries are present in Java 21.
if (obj instanceof byte[]) {
byte[] otherNameBytes = (byte[]) obj;
try { try {
ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes)); ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(otherNameBytes));
ASN1Encodable asn1otherName = asn1Stream.readObject(); ASN1Encodable asn1otherName = asn1Stream.readObject();
asn1otherName = unwrap(asn1otherName); asn1otherName = unwrap(asn1otherName);
ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName); ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(asn1otherName);
if (asn1Sequence != null) { if (asn1Sequence != null) {
ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0); ASN1Encodable encodedOid = asn1Sequence.getObjectAt(0);
ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid)); ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(unwrap(encodedOid));
tempOid = oid.getId(); tempOid = oid.getId();
ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1); ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded)); DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
tempOtherName = principalName.getString(); tempOtherName = principalName.getString();
// We found UPN among the 'otherName' principal. We don't need to look other // We found UPN among the 'otherName' principal. We don't need to look other
if (UPN_OID.equals(tempOid)) { if (UPN_OID.equals(tempOid)) {
foundUpn = true; foundUpn = true;
break; break;
}
} }
}
} catch (Exception e) { } catch (Exception e) {
logger.error("Failed to parse subjectAltName", e); logger.error("Failed to parse subjectAltName", e);
}
} else {
logger.tracef("Ignoring the Subject alternative name entry. Entry number: %d, value: %s", i + 1, obj);
} }
} }


@ -1,6 +1,6 @@
## Building from source ## Building from source
Ensure you have JDK 17 (or newer) and Git installed Ensure you have JDK 21 (or newer) and Git installed
java -version java -version
git --version git --version


@ -2,6 +2,14 @@
The Account Console v2 theme has been removed from {project_name}. This theme was deprecated in {project_name} 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme. The Account Console v2 theme has been removed from {project_name}. This theme was deprecated in {project_name} 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.
= Java 21 support
{project_name} now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.
= Java 17 support is deprecated
OpenJDK 17 support is deprecated in {project_name}, and will be removed in a following release in favor of OpenJDK 21.
= Most of Java adapters removed = Most of Java adapters removed
As stated in the release notes of previous {project_name} version, the most of Java adapters are now removed from the {project_name} codebase and downloads pages. As stated in the release notes of previous {project_name} version, the most of Java adapters are now removed from the {project_name} codebase and downloads pages.


@ -156,7 +156,7 @@ ipaapi:x:992:988:IPA Framework User:/:/sbin/nologin
{project_name} uses https://github.com/hypfvieh/dbus-java[DBus-Java] project to communicate at a low level with D-Bus and https://github.com/java-native-access/jna[JNA] to authenticate via Operating System Pluggable Authentication Modules (PAM). {project_name} uses https://github.com/hypfvieh/dbus-java[DBus-Java] project to communicate at a low level with D-Bus and https://github.com/java-native-access/jna[JNA] to authenticate via Operating System Pluggable Authentication Modules (PAM).
Although now {project_name} contains all the needed libraries to run the `SSSD` provider, JDK version 17 is needed. Therefore the `SSSD` provider will only be displayed when the host configuration is correct and JDK 17 is used to run {project_name}. Although now {project_name} contains all the needed libraries to run the `SSSD` provider, JDK version 21 is needed. Therefore the `SSSD` provider will only be displayed when the host configuration is correct and JDK 21 is used to run {project_name}.
==== Configuring a federated SSSD store ==== Configuring a federated SSSD store


@ -13,7 +13,7 @@ summary="Get started with {project_name} on bare metal">
include::templates/hw-requirements.adoc[] include::templates/hw-requirements.adoc[]
Make sure you have https://openjdk.java.net/[OpenJDK 17] installed. Make sure you have https://openjdk.java.net/[OpenJDK 21] installed.
== Download {project_name} == Download {project_name}


@ -52,7 +52,7 @@ You can create either `pkcs12` or `bcfks` keystore to be used for the {project_n
The `p12` (or `pkcs12`) keystore (and/or truststore) works well in BCFIPS non-approved mode. The `p12` (or `pkcs12`) keystore (and/or truststore) works well in BCFIPS non-approved mode.
PKCS12 keystore can be generated with OpenJDK 17 Java on RHEL 9 in the standard way. For instance, the following command can be used to generate the keystore: PKCS12 keystore can be generated with OpenJDK 21 Java on RHEL 9 in the standard way. For instance, the following command can be used to generate the keystore:
[source,bash] [source,bash]
---- ----
@ -269,7 +269,7 @@ the non-RHEL compatible platform or on the non-FIPS enabled platform, the FIPS c
If you are still restricted to running {project_name} on such a system, you can at least update your security providers configured in `java.security` file. This update does not amount to FIPS compliance, but If you are still restricted to running {project_name} on such a system, you can at least update your security providers configured in `java.security` file. This update does not amount to FIPS compliance, but
at least the setup is closer to it. It can be done by providing a custom security file with only an overridden list of security providers as described earlier. For a list of recommended providers, at least the setup is closer to it. It can be done by providing a custom security file with only an overridden list of security providers as described earlier. For a list of recommended providers,
see the https://access.redhat.com/documentation/en-us/openjdk/17/html/configuring_openjdk_17_on_rhel_with_fips/openjdk-default-fips-configuration[OpenJDK 17 documentation]. see the https://access.redhat.com/documentation/en-us/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips[OpenJDK 21 documentation].
You can check the {project_name} server log at startup to see if the correct security providers are used. TRACE logging should be enabled for crypto-related {project_name} packages as described in the Keycloak startup command earlier. You can check the {project_name} server log at startup to see if the correct security providers are used. TRACE logging should be enabled for crypto-related {project_name} packages as described in the Keycloak startup command earlier.


@ -31,8 +31,6 @@
<description/> <description/>
<properties> <properties>
<ant.jvm.args>-Dnone</ant.jvm.args>
<jakarta-transformer-sources>${project.basedir}/../admin-client-jee/src</jakarta-transformer-sources> <jakarta-transformer-sources>${project.basedir}/../admin-client-jee/src</jakarta-transformer-sources>
<jakarta-transformer-target>${project.basedir}/src</jakarta-transformer-target> <jakarta-transformer-target>${project.basedir}/src</jakarta-transformer-target>
</properties> </properties>
@ -95,8 +93,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath"/> <property name="plugin_classpath" refid="maven.plugin.classpath"/>
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<jvmarg value="${ant.jvm.args}"/>
<arg value="-o"/> <arg value="-o"/>
<arg value="${jakarta-transformer-sources}"/> <arg value="${jakarta-transformer-sources}"/>
<arg value="${jakarta-transformer-target}"/> <arg value="${jakarta-transformer-target}"/>
@ -122,18 +119,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>
@ -154,17 +145,4 @@
</plugins> </plugins>
</build> </build>
<profiles>
<profile>
<id>jdk17+</id>
<activation>
<jdk>[17,)</jdk>
</activation>
<properties>
<!--For more information, see https://github.com/apache/ant/pull/200-->
<ant.jvm.args>-Djava.security.manager=allow</ant.jvm.args>
</properties>
</profile>
</profiles>
</project> </project>


@ -1,7 +1,7 @@
FROM registry.access.redhat.com/ubi9 AS ubi-micro-build FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
ADD target/ubi-null.sh /tmp/ ADD target/ubi-null.sh /tmp/
RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en RUN bash /tmp/ubi-null.sh java-21-openjdk-headless glibc-langpack-en
FROM registry.access.redhat.com/ubi9-micro FROM registry.access.redhat.com/ubi9-micro
ENV LANG en_US.UTF-8 ENV LANG en_US.UTF-8


@ -17,7 +17,7 @@ RUN mv /tmp/keycloak/keycloak-* /opt/keycloak && mkdir -p /opt/keycloak/data
RUN chmod -R g+rwX /opt/keycloak RUN chmod -R g+rwX /opt/keycloak
ADD ubi-null.sh /tmp/ ADD ubi-null.sh /tmp/
RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en findutils RUN bash /tmp/ubi-null.sh java-21-openjdk-headless glibc-langpack-en findutils
FROM registry.access.redhat.com/ubi9-micro FROM registry.access.redhat.com/ubi9-micro
ENV LANG en_US.UTF-8 ENV LANG en_US.UTF-8


@ -50,7 +50,9 @@ public class XPathAttributeMapperTest {
assertThrows(RuntimeException.class, () -> testMapping("<Open>Foo</Close>", "//*")); assertThrows(RuntimeException.class, () -> testMapping("<Open>Foo</Close>", "//*"));
assertThat(actualException.getCause(), instanceOf(ParsingException.class)); assertThat(actualException.getCause(), instanceOf(ParsingException.class));
assertThrows(RuntimeException.class, () -> testMapping(XML_WITH_NAMESPACE, "//*[local-name()=$street]")); // it seems additional validation is added as 'TransformerException: Prefix must resolve to a namespace: unknownPrefix'
// is thrown before the XPath function resolver
assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=$street]"));
assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=myPrefix:add(1,2)]")); assertNull(testMapping(XML_WITH_NAMESPACE, "//*[local-name()=myPrefix:add(1,2)]"));
} }
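Review bot: The added comment quotes a "Prefix must resolve to a namespace: unknownPrefix" error, but the assertion directly below it uses `$street`, which carries no prefix, so it is unclear which behaviour change the comment documents. The assertion is also relaxed from `assertThrows` to `assertNull`, while a job matrix elsewhere in this commit is set to 17; if the outcome differs between JDK 17 and 21 the test should say so. Suggested wording, to be confirmed against both JDKs: `// An unresolved variable ($street) no longer raises here; the mapper returns null`. The test method starts outside the hunk.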


@ -786,7 +786,7 @@ mvn clean install -f crypto/fips1402 -Dorg.bouncycastle.fips.approved_only=true
### Integration tests ### Integration tests
On the FIPS enabled platform with FIPS enabled OpenJDK 17, you can run this to test against a Keycloak server on Quarkus On the FIPS enabled platform with FIPS enabled OpenJDK 21, you can run this to test against a Keycloak server on Quarkus
with FIPS 140-2 integration enabled with FIPS 140-2 integration enabled
``` ```


@ -57,6 +57,7 @@
<jakarta.persistence-legacy.version>2.2.3</jakarta.persistence-legacy.version> <jakarta.persistence-legacy.version>2.2.3</jakarta.persistence-legacy.version>
<smallrye.jandex.version>3.0.5</smallrye.jandex.version> <smallrye.jandex.version>3.0.5</smallrye.jandex.version>
<commons.validator.version>1.8.0</commons.validator.version> <commons.validator.version>1.8.0</commons.validator.version>
<byte-buddy.version>1.14.13</byte-buddy.version>
<!--migration properties--> <!--migration properties-->
<migration.70.version>1.9.8.Final</migration.70.version> <migration.70.version>1.9.8.Final</migration.70.version>


@ -81,6 +81,7 @@
<plugins> <plugins>
<plugin> <plugin>
<artifactId>maven-antrun-plugin</artifactId> <artifactId>maven-antrun-plugin</artifactId>
<version>3.1.0</version>
<executions> <executions>
<execution> <execution>
<id>transform</id> <id>transform</id>
@ -91,8 +92,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath" /> <property name="plugin_classpath" refid="maven.plugin.classpath" />
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<jvmarg value="${ant.jvm.args}"/>
<arg value="-o" /> <arg value="-o" />
<arg value="${jakarta-transformer-sources}" /> <arg value="${jakarta-transformer-sources}" />
<arg value="${jakarta-transformer-target}/tmp" /> <arg value="${jakarta-transformer-target}/tmp" />
@ -115,18 +115,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>


@ -42,6 +42,7 @@
<plugins> <plugins>
<plugin> <plugin>
<artifactId>maven-antrun-plugin</artifactId> <artifactId>maven-antrun-plugin</artifactId>
<version>3.1.0</version>
<executions> <executions>
<execution> <execution>
<id>transform</id> <id>transform</id>
@ -52,8 +53,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath" /> <property name="plugin_classpath" refid="maven.plugin.classpath" />
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<jvmarg value="${ant.jvm.args}"/>
<arg value="-o" /> <arg value="-o" />
<arg value="${jakarta-transformer-sources}" /> <arg value="${jakarta-transformer-sources}" />
<arg value="${jakarta-transformer-target}/tmp" /> <arg value="${jakarta-transformer-target}/tmp" />
@ -76,18 +76,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>


@ -96,7 +96,7 @@
<configuration> <configuration>
<target> <target>
<property name="plugin_classpath" refid="maven.plugin.classpath"/> <property name="plugin_classpath" refid="maven.plugin.classpath"/>
<java classname="org.eclipse.transformer.jakarta.JakartaTransformer" fork="true"> <java classname="org.eclipse.transformer.cli.JakartaTransformerCLI" fork="true">
<arg value="-o"/> <arg value="-o"/>
<arg value="${jakarta-transformer-sources}"/> <arg value="${jakarta-transformer-sources}"/>
<arg value="${jakarta-transformer-target}/tmp"/> <arg value="${jakarta-transformer-target}/tmp"/>
@ -119,18 +119,12 @@
<dependency> <dependency>
<groupId>org.eclipse.transformer</groupId> <groupId>org.eclipse.transformer</groupId>
<artifactId>org.eclipse.transformer.cli</artifactId> <artifactId>org.eclipse.transformer.cli</artifactId>
<version>0.2.0</version> <version>0.5.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>ant-contrib</groupId> <groupId>org.apache.ant</groupId>
<artifactId>ant-contrib</artifactId> <artifactId>ant</artifactId>
<version>1.0b3</version> <version>1.10.14</version>
<exclusions>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</plugin> </plugin>


@ -797,7 +797,7 @@
<dependency> <dependency>
<groupId>net.bytebuddy</groupId> <groupId>net.bytebuddy</groupId>
<artifactId>byte-buddy</artifactId> <artifactId>byte-buddy</artifactId>
<version>1.12.18</version> <version>{byte-buddy.version}</version>
</dependency> </dependency>
</dependencies> </dependencies>
</profile> </profile>
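Review bot: `<version>{byte-buddy.version}</version>` is missing the `$`, so Maven will treat it as a literal version string instead of resolving the new `byte-buddy.version` property; the other byte-buddy dependency updated in this commit uses `${byte-buddy.version}`. Change the line to `<version>${byte-buddy.version}</version>`. Because the dependency sits inside a `<profile>`, the resolution failure would presumably only surface when that profile is active, so a default build may not catch it.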


@ -16,6 +16,7 @@
*/ */
package org.keycloak.testsuite.pages; package org.keycloak.testsuite.pages;
import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
@ -64,7 +65,7 @@ public class OAuthGrantPage extends LanguageComboboxAwarePage {
} }
public List<String> getDisplayedGrants() { public List<String> getDisplayedGrants() {
List<String> table = new LinkedList<>(); List<String> table = new ArrayList<>();
WebElement divKcOauth = driver.findElement(By.id("kc-oauth")); WebElement divKcOauth = driver.findElement(By.id("kc-oauth"));
for (WebElement li : divKcOauth.findElements(By.tagName("li"))) { for (WebElement li : divKcOauth.findElements(By.tagName("li"))) {
WebElement span = li.findElement(By.tagName("span")); WebElement span = li.findElement(By.tagName("span"));


@ -20,7 +20,6 @@ package org.keycloak.testsuite.x509;
import org.jboss.arquillian.drone.api.annotation.Drone; import org.jboss.arquillian.drone.api.annotation.Drone;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test; import org.junit.Test;
import org.keycloak.testsuite.util.HtmlUnitBrowser; import org.keycloak.testsuite.util.HtmlUnitBrowser;
import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebDriver;


@ -1608,7 +1608,7 @@
<dependency> <dependency>
<groupId>net.bytebuddy</groupId> <groupId>net.bytebuddy</groupId>
<artifactId>byte-buddy</artifactId> <artifactId>byte-buddy</artifactId>
<version>1.12.18</version> <version>${byte-buddy.version}</version>
</dependency> </dependency>
<dependency> <dependency>