From 8c627fdb20435b565e18c384a927d4d59254ddfe Mon Sep 17 00:00:00 2001 From: Stefan Guilhen Date: Thu, 12 Mar 2020 15:08:06 -0300 Subject: [PATCH] [KEYCLOAK-13036] Fix KeycloakElytronCSVaultTest failures on IBM JDK - credential store is generated on the fly for the test, avoiding incompatibilities between implementations of keystores --- .../jboss/common/vault/credential-store.p12 | Bin 943 -> 0 bytes .../servers/auth-server/jboss/pom.xml | 1 - .../arquillian/annotation/EnableVault.java | 47 ++++++++++++++---- .../keycloak/testsuite/util/VaultUtils.java | 7 ++- 4 files changed, 43 insertions(+), 12 deletions(-) delete mode 100644 testsuite/integration-arquillian/servers/auth-server/jboss/common/vault/credential-store.p12 diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/vault/credential-store.p12 b/testsuite/integration-arquillian/servers/auth-server/jboss/common/vault/credential-store.p12 deleted file mode 100644 index ede88bdd7124664d2978215502775aa0bd3414e2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 943 zcmXqLVqVR}$ZXKWoWjPb)#lOmotKfFaX}MvC`%J_AW+yBh&@rItbkHxKw%?;CPof6 zZm2FEE=JY`MFs`P0!#}MS>g?14K&%fV5)$2NwbJdJtJ`Ni>d0&GWG!9jaDC4mv*@^ zGchw94q!3(GW)joc}wNx{vOKfmpZ;w`co@+*R4|Z@HI1Y>t|ma%Ct}3G^@E^vT(=O z`BD2;GiDezwiv|29mpwS7$g_KP{NSPPz)sFfn+X_E&#IP8M1+*l??hoULsJun4z2@ zpP`5$g&`S8rUL0yhCHC!OrUHIP*pOJOa-!w81xMk5f+FVim(WUWag$S7@C@!SXvqx z7?_w@0>gt*1ljAX3#tq%kOi0)WU{0iq+*6e&Yzv;D`Z4llMl1KeV=_uq2R#g>Oaxy>n zGBGn*H5y(uZ0s;dMmSl-Fib847!Dv`gF>c=Ug2V4W(o`!F63Y!K8-{j_F`G)kn;0E zfSIg^+9TiAyRo;SX{4|$C4hTX?7R8L);b$kzY)Iq(8eSFK+g61!9rTHA0o;(s_a~S z{n_Dt|7JTqHehA*`%hp~0d66@F{pVY3EF$tx);?&Sx^Ma+*EPS-Sl6g% Nmaster_ldap__bindCredential test_ldap__bindCredential admin-client-test_ldap__bindCredential - credential-store.p12 
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/annotation/EnableVault.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/annotation/EnableVault.java
index 864737c2fd..fa4badc7f2 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/annotation/EnableVault.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/annotation/EnableVault.java
@@ -29,29 +29,56 @@ import java.lang.annotation.Target; @Target({ElementType.TYPE}) public @interface EnableVault { + ; + enum PROVIDER_ID { - PLAINTEXT("files-plaintext", "/subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true, " + - "properties={dir => \"${jboss.home.dir}/standalone/configuration/vault\"})"), + PLAINTEXT("files-plaintext", + new String[] { + "/subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true, " + + "properties={dir => \"${jboss.home.dir}/standalone/configuration/vault\"})"}, + new String[] {}), + + ELYTRON_CS_KEYSTORE("elytron-cs-keystore", + new String[] { + // create and populate an elytron credential store on the fly. + "/subsystem=elytron/credential-store=test-cred-store:add(location=standalone/configuration/vault/cred-store.jceks, create=true," + + "relative-to=jboss.home.dir, credential-reference={clear-text => \"secretpwd1!\"})", + "/subsystem=elytron/credential-store=test-cred-store:add-alias(alias=master_smtp__key, secret-value=secure_master_smtp_secret)", + "/subsystem=elytron/credential-store=test-cred-store:add-alias(alias=test_smtp__key, secret-value=secure_test_smtp_secret)", + // create the elytron-cs-keystore provider (using the masked form of the credential store password. + "/subsystem=keycloak-server/spi=vault/provider=elytron-cs-keystore/:add(enabled=true, " + + "properties={location => \"${jboss.home.dir}/standalone/configuration/vault/cred-store.jceks\", " + + "secret => \"MASK-2RukbhkyMOXq1WzXkcUcuK;abcd9876;321\", keyStoreType => \"JCEKS\"})"}, + new String[] { + // remove the aliases from the credential store. + "/subsystem=elytron/credential-store=test-cred-store:remove-alias(alias=test_smtp__key)", + "/subsystem=elytron/credential-store=test-cred-store:remove-alias(alias=master_smtp__key)", + // remove the elytron credential store. 
+ "/subsystem=elytron/credential-store=test-cred-store:remove" + }); - ELYTRON_CS_KEYSTORE("elytron-cs-keystore", "/subsystem=keycloak-server/spi=vault/provider=elytron-cs-keystore/:add(enabled=true, " + - "properties={location => \"${jboss.home.dir}/standalone/configuration/vault/credential-store.p12\", " + - "secret => \"MASK-3u2HNQaMogJJ8VP7J6gRIl;12345678;321\", keyStoreType => \"PKCS12\"})"); final String name; - final String cliInstallationCommand; + final String[] cliInstallationCommands; + final String[] cliRemovalCommands; - PROVIDER_ID(final String name, final String cliInstallationCommand) { + PROVIDER_ID(final String name, final String[] cliInstallationCommands, final String[] cliRemovalCommands) { this.name = name; - this.cliInstallationCommand = cliInstallationCommand; + this.cliInstallationCommands = cliInstallationCommands; + this.cliRemovalCommands = cliRemovalCommands; } public String getName() { return this.name; } - public String getCliInstallationCommand() { - return this.cliInstallationCommand; + public String[] getCliInstallationCommands() { + return this.cliInstallationCommands; + } + + public String[] getCliRemovalCommands() { + return this.cliRemovalCommands; } }; diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/VaultUtils.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/VaultUtils.java index 9c35343e80..4e393b516c 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/VaultUtils.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/VaultUtils.java 
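Review bot: The `ELYTRON_CS_KEYSTORE` installation commands hard-code the store password `secretpwd1!` and, separately, the masked `secret` value `MASK-2RukbhkyMOXq1WzXkcUcuK;abcd9876;321`, with nothing tying the two together; presumably the masked string encodes that same password with salt `abcd9876` and iteration count `321`, so changing either one alone would break the provider with no compile-time signal. I would add a comment above the first command such as `// test-only credentials: the MASK- secret below is the masked form of the clear-text store password; regenerate both together`. The removal commands drop the aliases and the `test-cred-store` resource, but nothing in this hunk deletes `cred-store.jceks`, so a store created with `create=true` and protected by a password published in the source appears to stay under `standalone/configuration/vault` after the test; worth confirming that is acceptable for the test server. The comment `(using the masked form of the credential store password.` is also missing its closing parenthesis, and the enclosing `@interface EnableVault` continues outside the hunk.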
@@ -40,7 +40,9 @@ public class VaultUtils {
 OnlineManagementClient client = AuthServerTestEnricher.getManagementClient();
 // configure the selected provider and set it as the default vault provider.
 client.execute("/subsystem=keycloak-server/spi=vault/:add(default-provider=" + provider.getName() + ")");
- client.execute(provider.getCliInstallationCommand());
+ for (String command : provider.getCliInstallationCommands()) {
+ client.execute(command);
+ }
 client.close();
 }
 }
@@ -50,6 +52,9 @@ public class VaultUtils {
 System.setProperty("keycloak.vault." + provider.getName() + ".provider.enabled", "false");
 } else {
 OnlineManagementClient client = AuthServerTestEnricher.getManagementClient();
+ for (String command : provider.getCliRemovalCommands()) {
+ client.execute(command);
+ }
 client.execute("/subsystem=keycloak-server/spi=vault/:remove");
 client.close();
 }
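Review bot: The new loop in the `@@ -40,7 +40,9 @@` hunk discards the result of every `client.execute(command)`, so a failed credential-store `add` or `add-alias` would go unnoticed if the client reports operation failures through its return value rather than by throwing, and the test would then run against a partly configured vault. If `OnlineManagementClient` here is Creaper's, the result can be checked in place with `client.execute(command).assertSuccess();`. The removal loop added in the `@@ -50,6 +52,9 @@` hunk has the same gap. Both method bodies start outside their hunks.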
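Review bot: In the `@@ -50,6 +52,9 @@` hunk an exception from any removal command skips both `client.execute("/subsystem=keycloak-server/spi=vault/:remove")` and `client.close()`, leaving the vault SPI and the test credential store configured on the server for whatever test runs next. Cleanup would be more robust with the loop inside a `try` and the two trailing calls in a `finally`; for the client alone, `try (OnlineManagementClient client = AuthServerTestEnricher.getManagementClient()) {` would do if the type is `Closeable`. The installation loop in the `@@ -40,7 +40,9 @@` hunk likewise never reaches `client.close()` when a command throws. The enclosing method begins above the hunk.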