diff --git a/docs/guides/server/caching.adoc b/docs/guides/server/caching.adoc
index 8a697cec56..2d0b3cf1e3 100644
--- a/docs/guides/server/caching.adoc
+++ b/docs/guides/server/caching.adoc
@@ -155,8 +155,8 @@ Once any of declared CLI parameters are present, it is expected there is no conf
 WARNING: Disabling security is not recommended in production!
-In development or test environment, it is easier to start an unsecured Infinispan server.
-For these use case, the CLI options `cache-remote-tls-enabled` disables the encryption (SSL) between {project_name} and Infinispan.
+In a development or test environment, it is easier to start an unsecured Infinispan server.
+For these use case, the CLI options `cache-remote-tls-enabled` disables the encryption (TLS) between {project_name} and Infinispan.
 {project_name} will fail to start if the Infinispan server is configured to accept only encrypted connections.
 The CLI options `cache-remote-username` and `cache-remote-password` are optional and, if not set, {project_name} will connect to the Infinispan server without presenting any credentials.
diff --git a/quarkus/config-api/src/main/java/org/keycloak/config/CachingOptions.java b/quarkus/config-api/src/main/java/org/keycloak/config/CachingOptions.java
index 69de261894..4bf09e6a30 100644
--- a/quarkus/config-api/src/main/java/org/keycloak/config/CachingOptions.java
+++ b/quarkus/config-api/src/main/java/org/keycloak/config/CachingOptions.java
@@ -110,16 +110,16 @@ public class CachingOptions {
 .category(OptionCategory.CACHE)
 .description(String.format("The username for the authentication to the remote server for the remote store. "
 + "It replaces the 'username' attribute of 'digest' tag of the configuration specified via XML file (see '%s' option.). "
- + "If the option is specified, '%s' and '%s' are required as well and the related configuration in XML file should not be present.",
- CACHE_CONFIG_FILE_PROPERTY, CACHE_REMOTE_HOST_PROPERTY, CACHE_REMOTE_PASSWORD_PROPERTY))
+ + "If the option is specified, '%s' is required as well and the related configuration in XML file should not be present.",
+ CACHE_CONFIG_FILE_PROPERTY, CACHE_REMOTE_PASSWORD_PROPERTY))
 .build();
 
 public static final Option CACHE_REMOTE_PASSWORD = new OptionBuilder<>(CACHE_REMOTE_PASSWORD_PROPERTY, String.class)
 .category(OptionCategory.CACHE)
 .description(String.format("The password for the authentication to the remote server for the remote store. "
 + "It replaces the 'password' attribute of 'digest' tag of the configuration specified via XML file (see '%s' option.). "
- + "If the option is specified, '%s' and '%s' are required as well and the related configuration in XML file should not be present.",
- CACHE_CONFIG_FILE_PROPERTY, CACHE_REMOTE_HOST_PROPERTY, CACHE_REMOTE_USERNAME_PROPERTY))
+ + "If the option is specified, '%s' is required as well and the related configuration in XML file should not be present.",
+ CACHE_CONFIG_FILE_PROPERTY, CACHE_REMOTE_USERNAME_PROPERTY))
 .build();
 
 public static final Option CACHE_METRICS_HISTOGRAMS_ENABLED = new OptionBuilder<>(CACHE_METRICS_HISTOGRAMS_ENABLED_PROPERTY, Boolean.class)
@@ -129,7 +129,7 @@ public class CachingOptions {
 public static final Option CACHE_REMOTE_TLS_ENABLED = new OptionBuilder<>(CACHE_REMOTE_TLS_ENABLED_PROPERTY, Boolean.class)
 .category(OptionCategory.CACHE)
- .description("Enable SSL support to communication with a secure remote Infinispan server. It is not recommended to disable in production!")
+ .description("Enable TLS support to communicate with a secured remote Infinispan server. Recommended to be enabled in production.")
 .defaultValue(Boolean.TRUE)
 .build();
 }
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/CachingPropertyMappers.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/CachingPropertyMappers.java
index 38bc0ba7f5..e8fe37d722 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/CachingPropertyMappers.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/CachingPropertyMappers.java
@@ -6,6 +6,7 @@ import org.keycloak.quarkus.runtime.Environment;
 import io.smallrye.config.ConfigSourceInterceptorContext;
 
 import static java.util.Optional.of;
+import static org.keycloak.quarkus.runtime.configuration.Configuration.getOptionalValue;
 import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
 
 import java.io.File;
@@ -14,6 +15,8 @@ import java.util.Optional;
 
 final class CachingPropertyMappers {
 
+ private static final String REMOTE_HOST_SET = "remote host is set";
+
 private CachingPropertyMappers() {
 }
 
@@ -52,12 +55,18 @@ final class CachingPropertyMappers {
 .paramLabel("hostname")
 .build(),
 fromOption(CachingOptions.CACHE_REMOTE_PORT)
+ .isEnabled(CachingPropertyMappers::remoteHostSet, CachingPropertyMappers.REMOTE_HOST_SET)
 .paramLabel("port")
 .build(),
+ fromOption(CachingOptions.CACHE_REMOTE_TLS_ENABLED)
+ .isEnabled(CachingPropertyMappers::remoteHostSet, CachingPropertyMappers.REMOTE_HOST_SET)
+ .build(),
 fromOption(CachingOptions.CACHE_REMOTE_USERNAME)
+ .isEnabled(CachingPropertyMappers::remoteHostSet, CachingPropertyMappers.REMOTE_HOST_SET)
 .paramLabel("username")
 .build(),
 fromOption(CachingOptions.CACHE_REMOTE_PASSWORD)
+ .isEnabled(CachingPropertyMappers::remoteHostSet, CachingPropertyMappers.REMOTE_HOST_SET)
 .paramLabel("password")
 .isMasked(true)
 .build(),
@@ -69,6 +78,10 @@ final class CachingPropertyMappers {
 };
 }
 
+ private static boolean remoteHostSet() {
+ return getOptionalValue(CachingOptions.CACHE_REMOTE_HOST_PROPERTY).isPresent();
+ }
+
 private static Optional resolveConfigFile(Optional value, ConfigSourceInterceptorContext context) {
 if ("local".equals(value.get())) {
 return of("cache-local.xml");
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/storage/legacy/infinispan/CacheManagerFactory.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/storage/legacy/infinispan/CacheManagerFactory.java
index edc6e51e37..da4db0ccf7 100644
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/storage/legacy/infinispan/CacheManagerFactory.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/storage/legacy/infinispan/CacheManagerFactory.java
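Review bot: `remoteHostSet()` in the second hunk is the gate that hides `cache-remote-port`, `cache-remote-tls-enabled`, `cache-remote-username` and `cache-remote-password` from the CLI, yet it carries no comment saying so; a reader of the mapper list has to chase the method reference to learn why those options disappear. I would add `/** True when cache-remote-host is configured; the other remote-* options are only offered in that case. */` above it, and note in the same comment that `REMOTE_HOST_SET` is the human-readable reason rendered into the help text, since its name reads like a boolean flag rather than a message. On style, the four identical `.isEnabled(CachingPropertyMappers::remoteHostSet, CachingPropertyMappers.REMOTE_HOST_SET)` calls in the first hunk are inside the class itself, so `REMOTE_HOST_SET` alone is enough and the qualifier only adds noise. Whether `getOptionalValue(...).isPresent()` treats a blank host value as "set" is not visible here; if it does, an empty `cache-remote-host` would enable the dependent options without a usable host, which may deserve a follow-up check.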
@@ -148,7 +148,7 @@ public class CacheManagerFactory {
 
 private static boolean isRemoteAuthenticationEnabled() {
 return Configuration.getOptionalValue(CACHE_REMOTE_USERNAME_PROPERTY).isPresent() ||
- Configuration.getOptionalValue(CACHE_REMOTE_PASSWORD_PROPERTY).isEmpty();
+ Configuration.getOptionalValue(CACHE_REMOTE_PASSWORD_PROPERTY).isPresent();
 }
 
 private static SSLContext createSSLContext() {
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
index d40a287f06..efaf82d957 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
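Review bot: The corrected `||` in `isRemoteAuthenticationEnabled` still reports authentication as enabled when only one of the two credential properties is set, so a username without a password (or the reverse) goes on to configure the remote store with a missing credential instead of stopping at startup. The option descriptions changed in the CachingOptions hunk say the counterpart is required, but nothing in this diff enforces that; unless the validation lives elsewhere, a fail-fast check here would turn a silent half-configuration into a clear error naming the two properties (names only, never the values). The method is complete within the hunk; `createSSLContext` begins on its last line and continues outside.
```java
private static boolean isRemoteAuthenticationEnabled() {
    boolean usernameSet = Configuration.getOptionalValue(CACHE_REMOTE_USERNAME_PROPERTY).isPresent();
    boolean passwordSet = Configuration.getOptionalValue(CACHE_REMOTE_PASSWORD_PROPERTY).isPresent();
    // Both or neither: a half-configured credential pair is a misconfiguration, not "authentication off".
    if (usernameSet != passwordSet) {
        throw new IllegalStateException("Both '" + CACHE_REMOTE_USERNAME_PROPERTY + "' and '"
                + CACHE_REMOTE_PASSWORD_PROPERTY + "' must be set to authenticate to the remote Infinispan server");
    }
    return usernameSet;
}
```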
@@ -45,22 +45,6 @@ Cache:
 specified via XML file (see 'cache-config-file' option.). If the option is
 specified, 'cache-remote-username' and 'cache-remote-password' are required as
 well and the related configuration in XML file should not be present.
---cache-remote-password
- The password for the authentication to the remote server for the remote store.
- It replaces the 'password' attribute of 'digest' tag of the configuration
- specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-username' are required as
- well and the related configuration in XML file should not be present.
---cache-remote-port
- The port of the remote server for the remote store configuration. It replaces
- the 'port' attribute of 'remote-server' tag of the configuration specified
- via XML file (see 'cache-config-file' option.). Default: 11222.
---cache-remote-username
- The username for the authentication to the remote server for the remote store.
- It replaces the 'username' attribute of 'digest' tag of the configuration
- specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-password' are required as
- well and the related configuration in XML file should not be present.
 --cache-stack
 Define the default stack to use for cluster communication and node discovery.
 This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
index f176ffd64f..5a8f839b32 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt 
@@ -52,18 +52,25 @@ Cache:
 The password for the authentication to the remote server for the remote store.
 It replaces the 'password' attribute of 'digest' tag of the configuration
 specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-username' are required as
- well and the related configuration in XML file should not be present.
+ specified, 'cache-remote-username' is required as well and the related
+ configuration in XML file should not be present. Available only when remote
+ host is set.
 --cache-remote-port
 The port of the remote server for the remote store configuration. It replaces
 the 'port' attribute of 'remote-server' tag of the configuration specified
- via XML file (see 'cache-config-file' option.). Default: 11222.
+ via XML file (see 'cache-config-file' option.). Default: 11222. Available
+ only when remote host is set.
+--cache-remote-tls-enabled
+ Enable TLS support to communicate with a secured remote Infinispan server.
+ Recommended to be enabled in production. Default: true. Available only when
+ remote host is set.
 --cache-remote-username
 The username for the authentication to the remote server for the remote store.
 It replaces the 'username' attribute of 'digest' tag of the configuration
 specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-password' are required as
- well and the related configuration in XML file should not be present.
+ specified, 'cache-remote-password' is required as well and the related
+ configuration in XML file should not be present. Available only when remote
+ host is set.
 --cache-stack
 Define the default stack to use for cluster communication and node discovery.
 This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
index 200ef6f956..55eda59a3b 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
@@ -46,22 +46,6 @@ Cache:
 specified via XML file (see 'cache-config-file' option.). If the option is
 specified, 'cache-remote-username' and 'cache-remote-password' are required as
 well and the related configuration in XML file should not be present.
---cache-remote-password
- The password for the authentication to the remote server for the remote store.
- It replaces the 'password' attribute of 'digest' tag of the configuration
- specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-username' are required as
- well and the related configuration in XML file should not be present.
---cache-remote-port
- The port of the remote server for the remote store configuration. It replaces
- the 'port' attribute of 'remote-server' tag of the configuration specified
- via XML file (see 'cache-config-file' option.). Default: 11222.
---cache-remote-username
- The username for the authentication to the remote server for the remote store.
- It replaces the 'username' attribute of 'digest' tag of the configuration
- specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-password' are required as
- well and the related configuration in XML file should not be present.
 --cache-stack
 Define the default stack to use for cluster communication and node discovery.
 This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
index 53b8cc2a1f..57291b338b 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
@@ -53,18 +53,25 @@ Cache:
 The password for the authentication to the remote server for the remote store.
 It replaces the 'password' attribute of 'digest' tag of the configuration
 specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-username' are required as
- well and the related configuration in XML file should not be present.
+ specified, 'cache-remote-username' is required as well and the related
+ configuration in XML file should not be present. Available only when remote
+ host is set.
 --cache-remote-port
 The port of the remote server for the remote store configuration. It replaces
 the 'port' attribute of 'remote-server' tag of the configuration specified
- via XML file (see 'cache-config-file' option.). Default: 11222.
+ via XML file (see 'cache-config-file' option.). Default: 11222. Available
+ only when remote host is set.
+--cache-remote-tls-enabled
+ Enable TLS support to communicate with a secured remote Infinispan server.
+ Recommended to be enabled in production. Default: true. Available only when
+ remote host is set.
 --cache-remote-username
 The username for the authentication to the remote server for the remote store.
 It replaces the 'username' attribute of 'digest' tag of the configuration
 specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-password' are required as
- well and the related configuration in XML file should not be present.
+ specified, 'cache-remote-password' is required as well and the related
+ configuration in XML file should not be present. Available only when remote
+ host is set.
 --cache-stack
 Define the default stack to use for cluster communication and node discovery.
 This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
index b5410fb9d4..aa53712c09 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
@@ -46,22 +46,6 @@ Cache:
 specified via XML file (see 'cache-config-file' option.). If the option is
 specified, 'cache-remote-username' and 'cache-remote-password' are required as
 well and the related configuration in XML file should not be present.
---cache-remote-password
- The password for the authentication to the remote server for the remote store.
- It replaces the 'password' attribute of 'digest' tag of the configuration
- specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-username' are required as
- well and the related configuration in XML file should not be present.
---cache-remote-port
- The port of the remote server for the remote store configuration. It replaces
- the 'port' attribute of 'remote-server' tag of the configuration specified
- via XML file (see 'cache-config-file' option.). Default: 11222.
---cache-remote-username
- The username for the authentication to the remote server for the remote store.
- It replaces the 'username' attribute of 'digest' tag of the configuration
- specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-password' are required as
- well and the related configuration in XML file should not be present.
 --cache-stack
 Define the default stack to use for cluster communication and node discovery.
 This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
index 6474f67430..0daf64e89e 100644
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt 
@@ -53,18 +53,25 @@ Cache:
 The password for the authentication to the remote server for the remote store.
 It replaces the 'password' attribute of 'digest' tag of the configuration
 specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-username' are required as
- well and the related configuration in XML file should not be present.
+ specified, 'cache-remote-username' is required as well and the related
+ configuration in XML file should not be present. Available only when remote
+ host is set.
 --cache-remote-port
 The port of the remote server for the remote store configuration. It replaces
 the 'port' attribute of 'remote-server' tag of the configuration specified
- via XML file (see 'cache-config-file' option.). Default: 11222.
+ via XML file (see 'cache-config-file' option.). Default: 11222. Available
+ only when remote host is set.
+--cache-remote-tls-enabled
+ Enable TLS support to communicate with a secured remote Infinispan server.
+ Recommended to be enabled in production. Default: true. Available only when
+ remote host is set.
 --cache-remote-username
 The username for the authentication to the remote server for the remote store.
 It replaces the 'username' attribute of 'digest' tag of the configuration
 specified via XML file (see 'cache-config-file' option.). If the option is
- specified, 'cache-remote-host' and 'cache-remote-password' are required as
- well and the related configuration in XML file should not be present.
+ specified, 'cache-remote-password' is required as well and the related
+ configuration in XML file should not be present. Available only when remote
+ host is set.
 --cache-stack
 Define the default stack to use for cluster communication and node discovery.
 This option only takes effect if 'cache' is set to 'ispn'. Default: udp.