From dfa27b9f0f980f7a5753e1a3cfd259462704e802 Mon Sep 17 00:00:00 2001
From: vramik
Date: Tue, 5 Jan 2021 00:31:35 +0100
Subject: [PATCH] KEYCLOAK-14856 fix migration, add ssl for migration server
---
 .../jboss/common/ant/configure.xml | 19 +++++++---
 .../jboss-cli/keycloak-server-subsystem.cli | 8 -----
 .../jboss/common/jboss-cli/truststore.cli | 8 +++++
 .../servers/migration/pom.xml | 36 +++++++++++++++++++
 .../arquillian/AuthServerTestEnricher.java | 9 ++---
 5 files changed, 62 insertions(+), 18 deletions(-)
 create mode 100644 testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/truststore.cli
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/ant/configure.xml b/testsuite/integration-arquillian/servers/auth-server/jboss/common/ant/configure.xml
index d97f0cc99e..edc2758ace 100644
--- a/testsuite/integration-arquillian/servers/auth-server/jboss/common/ant/configure.xml
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/ant/configure.xml
@@ -60,13 +60,15 @@ cli scripts for standalone prepared
@@ -74,7 +76,8 @@ cli scripts for crossdc prepared
@@ -92,7 +95,7 @@ - +
@@ -100,6 +103,14 @@ + + + + + + + +
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/keycloak-server-subsystem.cli b/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/keycloak-server-subsystem.cli
index 3362d7b189..7f4bb64a1e 100644
--- a/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/keycloak-server-subsystem.cli
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/keycloak-server-subsystem.cli
@@ -1,13 +1,5 @@
 echo *** Updating keycloak-server subsystem ***
-echo ** Adding truststore spi**
-/subsystem=keycloak-server/spi=truststore/:add
-/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true,properties={ \
- file => "${auth.server.truststore:${jboss.home.dir}/standalone/configuration/keycloak.truststore}", \
- password => "${auth.server.truststore.password:secret}", \
- hostname-verification-policy => "WILDCARD", \
- disabled => "false"})
-
 echo ** Adding login-protocol spi **
 /subsystem=keycloak-server/spi=login-protocol/:add
 /subsystem=keycloak-server/spi=login-protocol/provider=saml/:add(enabled=true,properties={knownProtocols => "[\"http=${auth.server.http.port}\",\"https=${auth.server.https.port}\"]"})
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/truststore.cli b/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/truststore.cli
new file mode 100644
index 0000000000..d6ead8c8da
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/truststore.cli
@@ -0,0 +1,8 @@
+
+echo ** Adding truststore spi**
+/subsystem=keycloak-server/spi=truststore/:add
+/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true,properties={ \
+ file => "${auth.server.truststore:${jboss.home.dir}/standalone/configuration/keycloak.truststore}", \
+ password => "${auth.server.truststore.password:secret}", \
+ hostname-verification-policy => "WILDCARD", \
+ disabled => "false"})
diff --git a/testsuite/integration-arquillian/servers/migration/pom.xml b/testsuite/integration-arquillian/servers/migration/pom.xml
index 6f1a1f90be..0482175248 100644
--- a/testsuite/integration-arquillian/servers/migration/pom.xml
+++ b/testsuite/integration-arquillian/servers/migration/pom.xml
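Review bot: The new truststore.cli has no comment marking its defaults as test-only, although the `password` property falls back to the literal `secret` whenever `auth.server.truststore.password` is unset. A header line such as `# Test-suite only: defaults to the test keycloak.truststore and its well-known password` would keep the fragment from being copied into a real server configuration. The lines were moved unchanged from keycloak-server-subsystem.cli, so this is a documentation point only.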
@@ -130,6 +130,30 @@ + + maven-resources-plugin + + + copy-keystore + process-resources + + copy-resources + + + ${auth.server.home}/standalone/configuration + + + ${common.resources}/keystore + + keycloak.jks + keycloak.truststore + + + + + + + org.apache.maven.plugins maven-antrun-plugin
@@ -157,6 +181,18 @@ + + inject-truststore + generate-resources + + run + + + + + + + ant-apply-prepared-clis process-resources
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java
index 2146aadf9c..b8e0760c76 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java
@@ -370,6 +370,7 @@ public class AuthServerTestEnricher {
 if (suiteContext.isAuthServerMigrationEnabled()) {
 log.info("\n\n### Starting keycloak " + System.getProperty("migrated.auth.server.version", "- previous") + " ###\n\n");
 startContainerEvent.fire(new StartContainer(suiteContext.getMigratedAuthServerInfo().getArquillianContainer()));
+ initializeTLS(suiteContext.getMigratedAuthServerInfo());
 }
 }
@@ -411,8 +412,6 @@ public class AuthServerTestEnricher {
 //frontend-only (either load-balancer or auth-server)
 log.debug("Starting auth server before suite");
- setJsseSecurityProviderForOutboundSslConnectionsOfElytronClient();
-
 try {
 startContainerEvent.fire(new StartContainer(suiteContext.getAuthServerInfo().getArquillianContainer()));
 } catch (Exception e) {
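Review bot: The added `initializeTLS(suiteContext.getMigratedAuthServerInfo());` in the `@@ -370` hunk cannot report failure to its caller, because `initializeTLS` (see the `@@ -550` hunk) catches `Exception` and only logs a warning. If enabling TLS on the older, migrated server fails, the suite carries on and the problem will probably surface later as an unrelated-looking connection error. Consider checking the outcome at this call site, or at least documenting it with `// best effort: initializeTLS only warns when TLS setup fails`. The enclosing method starts outside the hunk.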
@@ -550,10 +549,8 @@ public class AuthServerTestEnricher {
 public static void initializeTLS(ContainerInfo containerInfo) {
 if (ServerURLs.AUTH_SERVER_SSL_REQUIRED && containerInfo.isJBossBased()) {
 log.infof("\n\n### Setting up TLS for %s ##\n\n", containerInfo);
- try {
- OnlineManagementClient client = getManagementClient(containerInfo);
+ try (OnlineManagementClient client = getManagementClient(containerInfo)) {
 AuthServerTestEnricher.enableTLS(client);
- client.close();
 } catch (Exception e) {
 log.warn("Failed to set up TLS for container '" + containerInfo.getQualifier() + "'. This may lead to unexpected behavior unless the test" + " sets it up manually", e);
@@ -584,7 +581,7 @@ public class AuthServerTestEnricher {
 * the platform providers for respective property.
 *
 */
- public static void setJsseSecurityProviderForOutboundSslConnectionsOfElytronClient() {
+ public static void setJsseSecurityProviderForOutboundSslConnectionsOfElytronClient(@Observes(precedence = 100) StartSuiteContainers event) {
 log.info( "Determining the JSSE security provider to use for outbound " + "SSL/TLS connections of the Elytron client..."
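Review bot: The signature in the `@@ -584` hunk turns a public static helper into an `@Observes(precedence = 100)` observer, but the Javadoc above it (only its tail is visible) does not appear to mention this. The `event` parameter is unused and the ordering matters: presumably the provider has to be selected before any `StartSuiteContainers` observer starts a container, which would explain why the explicit call is dropped in the `@@ -411` hunk. I would add a Javadoc sentence such as `Observes StartSuiteContainers with precedence 100 so that it runs before the observers that start the containers.` and confirm that no remaining caller invokes the method without an argument. The method body continues outside the hunk.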