Remove Hashicorp Support

Closes #9144
This commit is contained in:
Pedro Igor 2023-01-13 09:32:24 -03:00 committed by Václav Muzikář
parent 79fa6bb3c9
commit 4d2f86202d
18 changed files with 82 additions and 283 deletions

View file

@ -1,13 +1,11 @@
package org.keycloak.config; package org.keycloak.config;
import java.io.File; import java.io.File;
import java.util.Map;
public class VaultOptions { public class VaultOptions {
public enum Provider { public enum Provider {
file, file;
hashicorp;
} }
public static final Option VAULT = new OptionBuilder<>("vault", Provider.class) public static final Option VAULT = new OptionBuilder<>("vault", Provider.class)
@ -21,23 +19,4 @@ public class VaultOptions {
.description("If set, secrets can be obtained by reading the content of files within the given directory.") .description("If set, secrets can be obtained by reading the content of files within the given directory.")
.build(); .build();
public static final Option VAULT_UNMAPPED = new OptionBuilder<>("vault-", String.class)
.category(OptionCategory.VAULT)
.description("Maps any vault option to their corresponding properties in quarkus-vault extension.")
.hidden()
.buildTime(true)
.build();
public static final Option VAULT_URL = new OptionBuilder<>("vault-url", String.class)
.category(OptionCategory.VAULT)
.description("The vault server url.")
.hidden()
.buildTime(true)
.build();
public static final Option VAULT_KV_PATHS = new OptionBuilder("vault-kv-paths", Map.class, String.class)
.category(OptionCategory.VAULT)
.description("A set of one or more key/value paths that should be used when looking up secrets.")
.hidden()
.build();
} }

View file

@ -101,11 +101,6 @@
<artifactId>rest-assured</artifactId> <artifactId>rest-assured</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>io.quarkiverse.vault</groupId>
<artifactId>quarkus-vault-deployment</artifactId>
<version>${io.quarkiverse.vault.version}</version>
</dependency>
</dependencies> </dependencies>
<build> <build>

View file

@ -47,11 +47,6 @@
<sun.saaj-impl.version>1.4.1.SP1</sun.saaj-impl.version> <sun.saaj-impl.version>1.4.1.SP1</sun.saaj-impl.version>
<org.jvnet.staxex.version>1.8.3</org.jvnet.staxex.version> <org.jvnet.staxex.version>1.8.3</org.jvnet.staxex.version>
<!--
Quarkiverse dependency versions
-->
<io.quarkiverse.vault.version>2.0.0</io.quarkiverse.vault.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version> <maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version>
<maven.compiler.release>11</maven.compiler.release> <maven.compiler.release>11</maven.compiler.release>

View file

@ -96,11 +96,6 @@
<groupId>org.wildfly.security</groupId> <groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron</artifactId> <artifactId>wildfly-elytron</artifactId>
</dependency> </dependency>
<dependency>
<groupId>io.quarkiverse.vault</groupId>
<artifactId>quarkus-vault</artifactId>
<version>${io.quarkiverse.vault.version}</version>
</dependency>
<!-- CLI --> <!-- CLI -->
<dependency> <dependency>

View file

@ -17,17 +17,6 @@ final class VaultPropertyMappers {
fromOption(VaultOptions.VAULT_DIR) fromOption(VaultOptions.VAULT_DIR)
.to("kc.spi-vault-file-dir") .to("kc.spi-vault-file-dir")
.paramLabel("dir") .paramLabel("dir")
.build(),
fromOption(VaultOptions.VAULT_UNMAPPED)
.to("quarkus.vault.")
.build(),
fromOption(VaultOptions.VAULT_URL)
.to("quarkus.vault.url")
.paramLabel("paths")
.build(),
fromOption(VaultOptions.VAULT_KV_PATHS)
.to("kc.spi-vault-hashicorp-paths")
.paramLabel("paths")
.build() .build()
}; };
} }

View file

@ -1,67 +0,0 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.quarkus.runtime.vault;
import static org.keycloak.vault.DefaultVaultRawSecret.forBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.keycloak.vault.AbstractVaultProvider;
import org.keycloak.vault.VaultKeyResolver;
import org.keycloak.vault.VaultRawSecret;
import io.quarkus.vault.VaultKVSecretEngine;
public class QuarkusVaultProvider extends AbstractVaultProvider {
private VaultKVSecretEngine secretEngine;
private String[] kvPaths;
public QuarkusVaultProvider(VaultKVSecretEngine secretEngine, String[] kvPaths, String realm, List<VaultKeyResolver> keyResolvers) {
super(realm, keyResolvers);
this.secretEngine = secretEngine;
this.kvPaths = kvPaths;
}
@Override
protected VaultRawSecret obtainSecretInternal(String key) {
if (kvPaths == null) {
return forBuffer(Optional.empty());
}
for (String path : kvPaths) {
Map<String, String> secrets = secretEngine.readSecret(path);
String secret = secrets.get(key);
if (secret != null) {
return forBuffer(Optional.of(StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret))));
}
}
return forBuffer(Optional.empty());
}
@Override
public void close() {
}
}

View file

@ -1,89 +0,0 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.quarkus.runtime.vault;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.quarkus.runtime.configuration.Configuration;
import org.keycloak.vault.AbstractVaultProviderFactory;
import org.keycloak.vault.VaultProvider;
import io.quarkus.arc.Arc;
import io.quarkus.arc.InstanceHandle;
import io.quarkus.vault.VaultKVSecretEngine;
import io.quarkus.vault.runtime.VaultConfigHolder;
public class QuarkusVaultProviderFactory extends AbstractVaultProviderFactory implements EnvironmentDependentProviderFactory {
private String[] kvPaths;
private VaultKVSecretEngine secretEngine;
@Override
public VaultProvider create(KeycloakSession session) {
return new QuarkusVaultProvider(secretEngine, kvPaths, getRealmName(session), super.keyResolvers);
}
@Override
public void init(Config.Scope config) {
super.init(config);
kvPaths = config.getArray("paths");
}
@Override
public void postInit(KeycloakSessionFactory factory) {
InstanceHandle<VaultKVSecretEngine> engineInstance = Arc.container().instance(VaultKVSecretEngine.class);
if (engineInstance.isAvailable()) {
secretEngine = engineInstance.get();
}
InstanceHandle<VaultConfigHolder> configInstance = Arc.container().instance(VaultConfigHolder.class);
if (!configInstance.isAvailable() || configInstance.get().getVaultBootstrapConfig() == null) {
throw new RuntimeException("No configuration defined for hashicorp provider.");
}
}
@Override
public void close() {
}
@Override
public String getId() {
return "hashicorp";
}
@Override
public int order() {
return 10;
}
@Override
public boolean isSupported(Config.Scope config) {
return getId().equals(Configuration.getRawValue("kc.vault"));
}
@Override
public boolean isSupported() {
// in quarkus we do not use this method when installing providers
return false;
}
}

View file

@ -1,2 +1 @@
org.keycloak.quarkus.runtime.vault.FilesPlainTextVaultProviderFactory org.keycloak.quarkus.runtime.vault.FilesPlainTextVaultProviderFactory
org.keycloak.quarkus.runtime.vault.QuarkusVaultProviderFactory

View file

@ -78,7 +78,7 @@ Metrics:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
Examples: Examples:

View file

@ -43,24 +43,25 @@ Transaction:
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin2, docker, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
impersonation, openshift-integration, scripts, token-exchange, web-authn, ciba, client-policies, client-secret-rotation, declarative-user-profile,
client-policies, ciba, map-storage, par, declarative-user-profile, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
dynamic-scopes, client-secret-rotation, step-up-authentication, openshift-integration, par, preview, recovery-codes, scripts,
recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization, Disables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin2, docker, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
impersonation, openshift-integration, scripts, token-exchange, web-authn, ciba, client-policies, client-secret-rotation, declarative-user-profile,
client-policies, ciba, map-storage, par, declarative-user-profile, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
dynamic-scopes, client-secret-rotation, step-up-authentication, openshift-integration, par, preview, recovery-codes, scripts,
recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
HTTP/TLS: HTTP/TLS:
--http-relative-path <path> --http-relative-path <path>
Set the path relative to '/' for serving resources. Default: /. Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /.
Health: Health:
@ -77,7 +78,7 @@ Metrics:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
Examples: Examples:

View file

@ -164,7 +164,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -66,19 +66,19 @@ Transaction:
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin2, docker, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
impersonation, openshift-integration, scripts, token-exchange, web-authn, ciba, client-policies, client-secret-rotation, declarative-user-profile,
client-policies, ciba, map-storage, par, declarative-user-profile, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
dynamic-scopes, client-secret-rotation, step-up-authentication, openshift-integration, par, preview, recovery-codes, scripts,
recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization, Disables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin2, docker, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
impersonation, openshift-integration, scripts, token-exchange, web-authn, ciba, client-policies, client-secret-rotation, declarative-user-profile,
client-policies, ciba, map-storage, par, declarative-user-profile, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
dynamic-scopes, client-secret-rotation, step-up-authentication, openshift-integration, par, preview, recovery-codes, scripts,
recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
Hostname: Hostname:
@ -113,7 +113,8 @@ HTTP/TLS:
--http-host <host> The used HTTP Host. Default: 0.0.0.0. --http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080. --http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path> --http-relative-path <path>
Set the path relative to '/' for serving resources. Default: /. Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /.
--https-certificate-file <file> --https-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format. The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file> --https-certificate-key-file <file>
@ -163,7 +164,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -222,7 +222,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -124,19 +124,19 @@ Transaction:
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
docker, impersonation, openshift-integration, scripts, token-exchange, ciba, client-policies, client-secret-rotation, declarative-user-profile,
web-authn, client-policies, ciba, map-storage, par, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
declarative-user-profile, dynamic-scopes, client-secret-rotation, openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization, Disables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
docker, impersonation, openshift-integration, scripts, token-exchange, ciba, client-policies, client-secret-rotation, declarative-user-profile,
web-authn, client-policies, ciba, map-storage, par, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
declarative-user-profile, dynamic-scopes, client-secret-rotation, openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
Hostname: Hostname:
@ -222,7 +222,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -170,7 +170,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -72,19 +72,19 @@ Transaction:
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin2, docker, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
impersonation, openshift-integration, scripts, token-exchange, web-authn, ciba, client-policies, client-secret-rotation, declarative-user-profile,
client-policies, ciba, map-storage, par, declarative-user-profile, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
dynamic-scopes, client-secret-rotation, step-up-authentication, openshift-integration, par, preview, recovery-codes, scripts,
recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization, Disables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin2, docker, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
impersonation, openshift-integration, scripts, token-exchange, web-authn, ciba, client-policies, client-secret-rotation, declarative-user-profile,
client-policies, ciba, map-storage, par, declarative-user-profile, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
dynamic-scopes, client-secret-rotation, step-up-authentication, openshift-integration, par, preview, recovery-codes, scripts,
recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
Hostname: Hostname:
@ -119,7 +119,8 @@ HTTP/TLS:
--http-host <host> The used HTTP Host. Default: 0.0.0.0. --http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080. --http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path> --http-relative-path <path>
Set the path relative to '/' for serving resources. Default: /. Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /.
--https-certificate-file <file> --https-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format. The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file> --https-certificate-key-file <file>
@ -169,7 +170,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -228,7 +228,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.

View file

@ -130,19 +130,19 @@ Transaction:
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: authorization, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
docker, impersonation, openshift-integration, scripts, token-exchange, ciba, client-policies, client-secret-rotation, declarative-user-profile,
web-authn, client-policies, ciba, map-storage, par, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
declarative-user-profile, dynamic-scopes, client-secret-rotation, openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: authorization, Disables a set of one or more features. Possible values are: account-api,
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
docker, impersonation, openshift-integration, scripts, token-exchange, ciba, client-policies, client-secret-rotation, declarative-user-profile,
web-authn, client-policies, ciba, map-storage, par, docker, dynamic-scopes, impersonation, js-adapter, map-storage,
declarative-user-profile, dynamic-scopes, client-secret-rotation, openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, recovery-codes, update-email, js-adapter, preview. step-up-authentication, token-exchange, update-email, web-authn.
Hostname: Hostname:
@ -228,7 +228,7 @@ Proxy:
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp. --vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory. given directory.