libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Remove Hashicorp Support

Browse source 
Closes #9144
This commit is contained in:
Pedro Igor 2023-01-13 09:32:24 -03:00 committed by Václav Muzikář
parent 79fa6bb3c9
commit 4d2f86202d
18 changed files with 82 additions and 283 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
quarkus/config-api/src/main/java/org/keycloak/config/VaultOptions.java
View file

@ -1,13 +1,11 @@
package org.keycloak.config;
import java.io.File;
import java.util.Map;
public class VaultOptions {
public enum Provider {
file,
hashicorp;
file;
}
public static final Option VAULT = new OptionBuilder<>("vault", Provider.class)
@ -21,23 +19,4 @@ public class VaultOptions {
.description("If set, secrets can be obtained by reading the content of files within the given directory.")
.build();
public static final Option VAULT_UNMAPPED = new OptionBuilder<>("vault-", String.class)
.category(OptionCategory.VAULT)
.description("Maps any vault option to their corresponding properties in quarkus-vault extension.")
.hidden()
.buildTime(true)
.build();
public static final Option VAULT_URL = new OptionBuilder<>("vault-url", String.class)
.category(OptionCategory.VAULT)
.description("The vault server url.")
.hidden()
.buildTime(true)
.build();
public static final Option VAULT_KV_PATHS = new OptionBuilder("vault-kv-paths", Map.class, String.class)
.category(OptionCategory.VAULT)
.description("A set of one or more key/value paths that should be used when looking up secrets.")
.hidden()
.build();
}

5
quarkus/deployment/pom.xml
View file

@ -101,11 +101,6 @@
<artifactId>rest-assured</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.quarkiverse.vault</groupId>
<artifactId>quarkus-vault-deployment</artifactId>
<version>${io.quarkiverse.vault.version}</version>
</dependency>
</dependencies>
<build>

5
quarkus/pom.xml
View file

@ -47,11 +47,6 @@
<sun.saaj-impl.version>1.4.1.SP1</sun.saaj-impl.version>
<org.jvnet.staxex.version>1.8.3</org.jvnet.staxex.version>
<!--
Quarkiverse dependency versions
-->
<io.quarkiverse.vault.version>2.0.0</io.quarkiverse.vault.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version>
<maven.compiler.release>11</maven.compiler.release>

5
quarkus/runtime/pom.xml
View file

@ -96,11 +96,6 @@
<groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron</artifactId>
</dependency>
<dependency>
<groupId>io.quarkiverse.vault</groupId>
<artifactId>quarkus-vault</artifactId>
<version>${io.quarkiverse.vault.version}</version>
</dependency>
<!-- CLI -->
<dependency>

11
quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/VaultPropertyMappers.java
View file

@ -17,17 +17,6 @@ final class VaultPropertyMappers {
fromOption(VaultOptions.VAULT_DIR)
.to("kc.spi-vault-file-dir")
.paramLabel("dir")
.build(),
fromOption(VaultOptions.VAULT_UNMAPPED)
.to("quarkus.vault.")
.build(),
fromOption(VaultOptions.VAULT_URL)
.to("quarkus.vault.url")
.paramLabel("paths")
.build(),
fromOption(VaultOptions.VAULT_KV_PATHS)
.to("kc.spi-vault-hashicorp-paths")
.paramLabel("paths")
.build()
};
}

67
quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/vault/QuarkusVaultProvider.java
View file

@ -1,67 +0,0 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.quarkus.runtime.vault;
import static org.keycloak.vault.DefaultVaultRawSecret.forBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.keycloak.vault.AbstractVaultProvider;
import org.keycloak.vault.VaultKeyResolver;
import org.keycloak.vault.VaultRawSecret;
import io.quarkus.vault.VaultKVSecretEngine;
public class QuarkusVaultProvider extends AbstractVaultProvider {
private VaultKVSecretEngine secretEngine;
private String[] kvPaths;
public QuarkusVaultProvider(VaultKVSecretEngine secretEngine, String[] kvPaths, String realm, List<VaultKeyResolver> keyResolvers) {
super(realm, keyResolvers);
this.secretEngine = secretEngine;
this.kvPaths = kvPaths;
}
@Override
protected VaultRawSecret obtainSecretInternal(String key) {
if (kvPaths == null) {
return forBuffer(Optional.empty());
}
for (String path : kvPaths) {
Map<String, String> secrets = secretEngine.readSecret(path);
String secret = secrets.get(key);
if (secret != null) {
return forBuffer(Optional.of(StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret))));
}
}
return forBuffer(Optional.empty());
}
@Override
public void close() {
}
}

89
quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/vault/QuarkusVaultProviderFactory.java
View file

@ -1,89 +0,0 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.quarkus.runtime.vault;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.quarkus.runtime.configuration.Configuration;
import org.keycloak.vault.AbstractVaultProviderFactory;
import org.keycloak.vault.VaultProvider;
import io.quarkus.arc.Arc;
import io.quarkus.arc.InstanceHandle;
import io.quarkus.vault.VaultKVSecretEngine;
import io.quarkus.vault.runtime.VaultConfigHolder;
public class QuarkusVaultProviderFactory extends AbstractVaultProviderFactory implements EnvironmentDependentProviderFactory {
private String[] kvPaths;
private VaultKVSecretEngine secretEngine;
@Override
public VaultProvider create(KeycloakSession session) {
return new QuarkusVaultProvider(secretEngine, kvPaths, getRealmName(session), super.keyResolvers);
}
@Override
public void init(Config.Scope config) {
super.init(config);
kvPaths = config.getArray("paths");
}
@Override
public void postInit(KeycloakSessionFactory factory) {
InstanceHandle<VaultKVSecretEngine> engineInstance = Arc.container().instance(VaultKVSecretEngine.class);
if (engineInstance.isAvailable()) {
secretEngine = engineInstance.get();
}
InstanceHandle<VaultConfigHolder> configInstance = Arc.container().instance(VaultConfigHolder.class);
if (!configInstance.isAvailable() || configInstance.get().getVaultBootstrapConfig() == null) {
throw new RuntimeException("No configuration defined for hashicorp provider.");
}
}
@Override
public void close() {
}
@Override
public String getId() {
return "hashicorp";
}
@Override
public int order() {
return 10;
}
@Override
public boolean isSupported(Config.Scope config) {
return getId().equals(Configuration.getRawValue("kc.vault"));
}
@Override
public boolean isSupported() {
// in quarkus we do not use this method when installing providers
return false;
}
}

1
quarkus/runtime/src/main/resources/META-INF/services/org.keycloak.vault.VaultProviderFactory
View file

@ -1,2 +1 @@
org.keycloak.quarkus.runtime.vault.FilesPlainTextVaultProviderFactory
org.keycloak.quarkus.runtime.vault.QuarkusVaultProviderFactory

2
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt vendored
View file

@ -78,7 +78,7 @@ Metrics:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
Examples:

29
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt vendored
View file

@ -43,24 +43,25 @@ Transaction:
Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin2, docker,
impersonation, openshift-integration, scripts, token-exchange, web-authn,
client-policies, ciba, map-storage, par, declarative-user-profile,
dynamic-scopes, client-secret-rotation, step-up-authentication,
recovery-codes, update-email, js-adapter, preview.
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin2, docker,
impersonation, openshift-integration, scripts, token-exchange, web-authn,
client-policies, ciba, map-storage, par, declarative-user-profile,
dynamic-scopes, client-secret-rotation, step-up-authentication,
recovery-codes, update-email, js-adapter, preview.
Disables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
HTTP/TLS:
--http-relative-path <path>
Set the path relative to '/' for serving resources. Default: /.
Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /.
Health:
@ -77,7 +78,7 @@ Metrics:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
Examples:

4
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt vendored
View file

@ -164,7 +164,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
@ -221,4 +221,4 @@ Logging:
Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build
options.
options.

29
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt vendored
View file

@ -66,19 +66,19 @@ Transaction:
Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin2, docker,
impersonation, openshift-integration, scripts, token-exchange, web-authn,
client-policies, ciba, map-storage, par, declarative-user-profile,
dynamic-scopes, client-secret-rotation, step-up-authentication,
recovery-codes, update-email, js-adapter, preview.
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin2, docker,
impersonation, openshift-integration, scripts, token-exchange, web-authn,
client-policies, ciba, map-storage, par, declarative-user-profile,
dynamic-scopes, client-secret-rotation, step-up-authentication,
recovery-codes, update-email, js-adapter, preview.
Disables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
Hostname:
@ -113,7 +113,8 @@ HTTP/TLS:
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path>
Set the path relative to '/' for serving resources. Default: /.
Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /.
--https-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
@ -163,7 +164,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.

4
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt vendored
View file

@ -222,7 +222,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
@ -285,4 +285,4 @@ Security (Experimental):
Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build
options.
options.

26
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt vendored
View file

@ -124,19 +124,19 @@ Transaction:
Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
docker, impersonation, openshift-integration, scripts, token-exchange,
web-authn, client-policies, ciba, map-storage, par,
declarative-user-profile, dynamic-scopes, client-secret-rotation,
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
docker, impersonation, openshift-integration, scripts, token-exchange,
web-authn, client-policies, ciba, map-storage, par,
declarative-user-profile, dynamic-scopes, client-secret-rotation,
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
Disables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
Hostname:
@ -222,7 +222,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.

4
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt vendored
View file

@ -170,7 +170,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
@ -231,4 +231,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
configuration you have set when manually running the 'build' command.

31
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt vendored
View file

@ -72,19 +72,19 @@ Transaction:
Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin2, docker,
impersonation, openshift-integration, scripts, token-exchange, web-authn,
client-policies, ciba, map-storage, par, declarative-user-profile,
dynamic-scopes, client-secret-rotation, step-up-authentication,
recovery-codes, update-email, js-adapter, preview.
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin2, docker,
impersonation, openshift-integration, scripts, token-exchange, web-authn,
client-policies, ciba, map-storage, par, declarative-user-profile,
dynamic-scopes, client-secret-rotation, step-up-authentication,
recovery-codes, update-email, js-adapter, preview.
Disables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
Hostname:
@ -119,7 +119,8 @@ HTTP/TLS:
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path>
Set the path relative to '/' for serving resources. Default: /.
Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /.
--https-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
@ -169,7 +170,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
@ -230,4 +231,4 @@ By default, this command tries to update the server configuration by running a
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
configuration you have set when manually running the 'build' command.

4
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt vendored
View file

@ -228,7 +228,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
@ -295,4 +295,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
configuration you have set when manually running the 'build' command.

26
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt vendored
View file

@ -130,19 +130,19 @@ Transaction:
Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
docker, impersonation, openshift-integration, scripts, token-exchange,
web-authn, client-policies, ciba, map-storage, par,
declarative-user-profile, dynamic-scopes, client-secret-rotation,
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
docker, impersonation, openshift-integration, scripts, token-exchange,
web-authn, client-policies, ciba, map-storage, par,
declarative-user-profile, dynamic-scopes, client-secret-rotation,
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
Disables a set of one or more features. Possible values are: account-api,
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
ciba, client-policies, client-secret-rotation, declarative-user-profile,
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
Hostname:
@ -228,7 +228,7 @@ Proxy:
Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.