libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Promote FIPS 140-2 to supported in Keycloak 22

Browse source 
closes #17234
This commit is contained in:
mposolda 2023-04-06 13:14:48 +02:00 committed by Marek Posolda
parent 087d1a3be8
commit 863d28e232
19 changed files with 95 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
common/src/main/java/org/keycloak/common/Profile.java
View file

@ -89,7 +89,7 @@ public class Profile {
JS_ADAPTER("Host keycloak.js and keycloak-authz.js through the Keycloak sever", Type.DEFAULT),
FIPS("FIPS 140-2 mode", Type.PREVIEW_DISABLED_BY_DEFAULT);
FIPS("FIPS 140-2 mode", Type.DISABLED_BY_DEFAULT);
private final Type type;
private String label;

2
common/src/test/java/org/keycloak/common/ProfileTest.java
View file

@ -76,7 +76,7 @@ public class ProfileTest {
disabledFeatutes.add(Profile.Feature.KERBEROS);
}
assertEquals(profile.getDisabledFeatures(), disabledFeatutes);
assertEquals(profile.getPreviewFeatures(), Profile.Feature.FIPS, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL);
assertEquals(profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL);
}
@Test

3
docs/documentation/release_notes/index.adoc
View file

@ -16,6 +16,9 @@ include::topics/templates/release-header.adoc[]
== {project_name_full} 22.0.0
include::topics/22_0_0.adoc[leveloffset=2]
== {project_name_full} 21.1.0
include::topics/21_1_0.adoc[leveloffset=2]
== {project_name_full} 21.0.0
include::topics/21_0_0.adoc[leveloffset=2]

3
docs/documentation/release_notes/topics/21_1_0.adoc Normal file
View file

@ -0,0 +1,3 @@
= FIPS 140-2 support
FIPS 140-2 support in Keycloak, which was preview in the previous release, is now promoted to be officially supported.

2
docs/guides/server/fips.adoc
View file

@ -10,8 +10,6 @@ includedOptions="">
The Federal Information Processing Standard Publication 140-2, (FIPS 140-2), is a U.S. government computer security standard used to approve cryptographic modules. Keycloak supports to
run in FIPS 140-2 compliant mode. In this case, Keycloak will use only FIPS approved cryptography algorithms for it's functionality.
NOTE: FIPS 140-2 is supported only as a preview feature in Keycloak for now.
To run in FIPS 140-2, Keycloak should run on a FIPS 140-2 enabled system. This requirement usually assumes RHEL or Fedora where FIPS was enabled during installation.
See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#assembly_installing-the-system-in-fips-mode_security-hardening[RHEL documentation]
for the details. When the system is in FIPS mode, it makes sure that the underlying OpenJDK is in FIPS mode as well and would use only

2
quarkus/config-api/src/main/java/org/keycloak/config/OptionCategory.java
View file

@ -14,7 +14,7 @@ public enum OptionCategory {
PROXY("Proxy", 90, ConfigSupportLevel.SUPPORTED),
VAULT("Vault", 100, ConfigSupportLevel.SUPPORTED),
LOGGING("Logging", 110, ConfigSupportLevel.SUPPORTED),
SECURITY("Security", 120, ConfigSupportLevel.PREVIEW),
SECURITY("Security", 120, ConfigSupportLevel.SUPPORTED),
EXPORT("Export", 130, ConfigSupportLevel.SUPPORTED),
IMPORT("Import", 140, ConfigSupportLevel.SUPPORTED),
GENERAL("General", 999, ConfigSupportLevel.SUPPORTED);

7
quarkus/config-api/src/main/java/org/keycloak/config/SecurityOptions.java
View file

@ -2,7 +2,8 @@ package org.keycloak.config;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import org.keycloak.common.Profile;
import org.keycloak.common.crypto.FipsMode;
public class SecurityOptions {
@ -11,7 +12,9 @@ public class SecurityOptions {
.category(OptionCategory.SECURITY)
.expectedValues(SecurityOptions::getFipsModeValues)
.buildTime(true)
.description("Sets the FIPS mode. If '" + FipsMode.NON_STRICT + "' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set '" + FipsMode.STRICT + "' to run on approved mode.")
.description("Sets the FIPS mode. If '" + FipsMode.NON_STRICT + "' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set '" + FipsMode.STRICT + "' to run on approved mode. "
+ "This option defaults to '" + FipsMode.DISABLED + "' when '" + Profile.Feature.FIPS.getKey() + "' feature is disabled, which is by default. "
+ "This option defaults to '" + FipsMode.NON_STRICT + "' when '" + Profile.Feature.FIPS.getKey() + "' feature is enabled.")
.defaultValue(FipsMode.DISABLED)
.build();

4
quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java vendored
View file

@ -55,9 +55,7 @@ public class FeaturesDistTest {
public void testEnablePreviewFeaturesAndFips(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
String previewFeaturesWithFipsIncluded = PREVIEW_FEATURES_EXPECTED_LOG.replace("declarative-user-profile", "declarative-user-profile, fips");
assertThat(result.getOutput(), CoreMatchers.allOf(
containsString(previewFeaturesWithFipsIncluded)));
assertPreviewFeaturesEnabled(cliResult);
cliResult.assertError("Failed to configure FIPS.");
}

3
quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FipsDistTest.java vendored
View file

@ -38,7 +38,8 @@ public class FipsDistTest {
runOnFipsEnabledDistribution(dist, () -> {
CLIResult cliResult = dist.run("start");
cliResult.assertStarted();
cliResult.assertMessageWasShownExactlyNumberOfTimes("Preview features enabled: fips", 2);
// Not shown as FIPS is not a preview anymore
cliResult.assertMessageWasShownExactlyNumberOfTimes("Preview features enabled: fips", 0);
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
});

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt vendored
View file

@ -80,6 +80,15 @@ Vault:
--vault <provider> Enables a vault provider. Possible values are: file.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Examples:
Change the database vendor:

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt vendored
View file

@ -80,6 +80,15 @@ Vault:
--vault <provider> Enables a vault provider. Possible values are: file.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Examples:
Change the database vendor:

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt vendored
View file

@ -222,6 +222,15 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt vendored
View file

@ -220,6 +220,15 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.
Use 'kc.bat start-dev --help-all' to list all available options, including

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt vendored
View file

@ -285,11 +285,14 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Preview):
Security:
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: non-strict, strict. Default: disabled.
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt vendored
View file

@ -283,11 +283,14 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Preview):
Security:
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: non-strict, strict. Default: disabled.
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt vendored
View file

@ -228,6 +228,15 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt vendored
View file

@ -226,6 +226,15 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt vendored
View file

@ -291,11 +291,14 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Preview):
Security:
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: non-strict, strict. Default: disabled.
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the

9
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt vendored
View file

@ -289,11 +289,14 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Preview):
Security:
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: non-strict, strict. Default: disabled.
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the