Manage elytron configuration if configured for JDK-17

Closes https://github.com/keycloak/keycloak/issues/20385
2023-06-02 18:11:39 +02:00 · 2023-06-02 18:11:39 +02:00 · d80094793b
commit d80094793b
parent d89679e62d
1 changed files with 27 additions and 8 deletions
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AppServerTestEnricher.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AppServerTestEnricher.java
@ -30,13 +30,13 @@ import org.jboss.logging.Logger;
 import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
 import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
 import org.keycloak.testsuite.arquillian.containers.SelfManagedAppContainerLifecycle;
-import org.keycloak.testsuite.utils.arquillian.ContainerConstants;
 import org.wildfly.extras.creaper.commands.web.AddConnector;
 import org.wildfly.extras.creaper.commands.web.AddConnectorSslConfig;
 import org.wildfly.extras.creaper.core.CommandFailedException;
 import org.wildfly.extras.creaper.core.ManagementClient;
 import org.wildfly.extras.creaper.core.online.CliException;
 import org.wildfly.extras.creaper.core.online.ManagementProtocol;
+import org.wildfly.extras.creaper.core.online.ModelNodeResult;
 import org.wildfly.extras.creaper.core.online.OnlineManagementClient;
 import org.wildfly.extras.creaper.core.online.OnlineOptions;
 import org.wildfly.extras.creaper.core.online.operations.Address;
@ -214,7 +214,26 @@ public class AppServerTestEnricher {
        Administration administration = new Administration(client);
        Operations operations = new Operations(client);

-        if(!operations.exists(Address.coreService("management").and("security-realm", "UndertowRealm"))) {
+        boolean isElytronConfigured = false;
+        try {
+            // check if the eap is configured to use elytron
+            ModelNodeResult result = operations.readAttribute(Address.subsystem("undertow")
+                    .and("server", "default-server").and("https-listener", "https"), "ssl-context");
+            if (!result.isFailed() && result.hasDefinedValue()) {
+                isElytronConfigured = true;
+            }
+        } catch (IOException e) {
+            log.debug("Error reading 'ssl-context' attribute in undertow, assuming not elytron", e);
+        }
+
+        if (isElytronConfigured && !operations.exists(Address.subsystem("elytron").and("server-ssl-context", "KCSslContext"))) {
+            client.execute("/subsystem=elytron/key-store=KCKeyStore:add(path=adapter.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)");
+            client.execute("/subsystem=elytron/key-manager=KCKeyManager:add(key-store=KCKeyStore,credential-reference={clear-text=secret,algorithm=PKIX})");
+            client.execute("/subsystem=elytron/key-store=KCTrustStore:add(relative-to=jboss.server.config.dir,path=keycloak.truststore,credential-reference={clear-text=secret},type=JKS)");
+            client.execute("/subsystem=elytron/trust-manager=KCTrustManager:add(key-store=KCTrustStore)");
+            client.execute("/subsystem=elytron/server-ssl-context=KCSslContext:add(key-manager=KCKeyManager,trust-manager=KCTrustManager)");
+            client.execute("/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=KCSslContext)");
+        } else if (!operations.exists(Address.coreService("management").and("security-realm", "UndertowRealm"))) {
            client.execute("/core-service=management/security-realm=UndertowRealm:add()");
            client.execute("/core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-relative-to=jboss.server.config.dir,keystore-password=secret,keystore-path=adapter.jks");
        }
@ -244,7 +263,7 @@ public class AppServerTestEnricher {
                    client.execute("/subsystem=web/connector=https/configuration=ssl:write-attribute(name=cipher-suite, value=\"SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA\")");
                }
            }
-        } else {
+        } else if (!isElytronConfigured) {
            removeHttpsListener(client, administration);
            addHttpsListenerAppServer(client);
        }
@ -275,16 +294,16 @@ public class AppServerTestEnricher {

        ContainerController controller = containerConrollerInstance.get();

+        if (controller.isStarted(testContext.getAppServerInfo().getQualifier())) {
+            log.info("Stopping app server: " + testContext.getAppServerInfo().getQualifier());
+            controller.stop(testContext.getAppServerInfo().getQualifier());
+        }
+
        // remove tmp folder for JBoss based app servers for proper clean-up
        if (isJBossBased()) {
            final File tmpFolder = Paths.get(System.getProperty("app.server.home"), "standalone-test", "tmp").toFile();
            FileUtils.deleteDirectory(tmpFolder);
        }
-
-        if (controller.isStarted(testContext.getAppServerInfo().getQualifier())) {
-            log.info("Stopping app server: " + testContext.getAppServerInfo().getQualifier());
-            controller.stop(testContext.getAppServerInfo().getQualifier());
-        }
    }

    /**