fix: ensure that kc.config.args is omitted from show-config (#34461)

closes: #34460

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/ShowConfig.java

@@ -29,15 +29,12 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
-import java.util.function.BiConsumer;
-import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.StreamSupport;
 
 import org.keycloak.quarkus.runtime.Environment;
 import org.keycloak.quarkus.runtime.configuration.KeycloakConfigSourceProvider;
 import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
-import org.keycloak.quarkus.runtime.configuration.PersistedConfigSource;
 import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
 import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
 
@@ -52,8 +49,8 @@ import picocli.CommandLine.Parameters;
 public final class ShowConfig extends AbstractCommand implements Runnable {
 
     public static final String NAME = "show-config";
-    private static final List<String> ignoredPropertyKeys = List.of(
+    private static final List<String> allowedSystemPropertyKeys = List.of(
-            "kc.show.config", "kc.profile", "kc.quarkus-properties-enabled", "kc.home.dir");
+            "kc.version");
 
     @Parameters(
             paramLabel = "filter",
@@ -100,28 +97,6 @@ public final class ShowConfig extends AbstractCommand implements Runnable {
                 .filter(ShowConfig::filterByGroup)
                 .collect(Collectors.groupingBy(ShowConfig::groupProperties, Collectors.toSet()));
 
-        StreamSupport.stream(getPropertyNames().spliterator(), false)
-                .filter(new Predicate<String>() {
-                    @Override
-                    public boolean test(String s) {
-                        ConfigValue configValue = getConfigValue(s);
-
-                        if (configValue == null) {
-                            return false;
-                        }
-
-                        return PersistedConfigSource.NAME.equals(configValue.getConfigSourceName());
-                    }
-                })
-                .filter(ShowConfig::filterByGroup)
-                .collect(Collectors.groupingBy(ShowConfig::groupProperties, Collectors.toSet()))
-                .forEach(new BiConsumer<String, Set<String>>() {
-                    @Override
-                    public void accept(String group, Set<String> propertyNames) {
-                        properties.computeIfAbsent(group, name -> new HashSet<>()).addAll(propertyNames);
-                    }
-                });
-
         return properties;
     }
 
@@ -144,7 +119,11 @@ public final class ShowConfig extends AbstractCommand implements Runnable {
 
         PropertyMapper<?> mapper = PropertyMappers.getMapper(property);
 
-        if (mapper != null && mapper.isRunTime()) {
+        if (mapper == null) {
+            if (configValue.getSourceName().equals("SysPropConfigSource") && !allowedSystemPropertyKeys.contains(property)) {
+                return; // most system properties are internally used, and not relevant during show-config
+            }
+        } else if (mapper.isRunTime()) {
             value = getRuntimeProperty(property).orElse(value);
         }
 
@@ -154,10 +133,6 @@ public final class ShowConfig extends AbstractCommand implements Runnable {
     }
 
     private static String groupProperties(String property) {
-        if (property.startsWith("%")) {
-            return "%";
-        }
-
         int endIndex = property.indexOf('.');
 
         if (endIndex == -1) {
@@ -168,10 +143,8 @@ public final class ShowConfig extends AbstractCommand implements Runnable {
     }
 
     private static boolean filterByGroup(String property) {
-        return (property.startsWith(MicroProfileConfigProvider.NS_KEYCLOAK)
+        return property.startsWith(MicroProfileConfigProvider.NS_KEYCLOAK_PREFIX)
-                || property.startsWith(MicroProfileConfigProvider.NS_QUARKUS)
+                || property.startsWith(MicroProfileConfigProvider.NS_QUARKUS_PREFIX);
-                || property.startsWith("%"))
-                && !ignoredPropertyKeys.contains(property);
     }
 
     @Override

quarkus/runtime/src/test/java/or/keycloak/quarkus/runtime/cli/PicocliTest.java

@@ -222,6 +222,17 @@ public class PicocliTest extends AbstractConfigurationTest {
         assertThat(nonRunningPicocli.getErrString(), containsString("No trust store password provided"));
     }
     
+    @Test
+    public void testShowConfigHidesSystemProperties() {
+        setSystemProperty("kc.something", "password", () -> {
+            NonRunningPicocli nonRunningPicocli = pseudoLaunch("show-config");
+            // the command line should now show up within the output
+            assertThat(nonRunningPicocli.getOutString(), not(containsString("show-config")));
+            // arbitrary kc system properties should not show up either
+            assertThat(nonRunningPicocli.getOutString(), not(containsString("kc.something")));
+        });
+    }
+
     @Test
     public void failSingleParamWithSpace() {
         NonRunningPicocli nonRunningPicocli = pseudoLaunch("start", "--db postgres");