KEYCLOAK-19858 Add Tests to check that no credentials are leaking when using CLI commands. Also: Tests for Help Command output using Golden master technique

.gitattributes

@@ -18,3 +18,5 @@
 *.eot binary
 *.otf binary
 *.woff binary
+# See https://github.com/approvals/ApprovalTests.Java#approved-file-artifacts (used in golden testing for help output of quarkus based dist)
+*.approved.* binary

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/Environment.java

@@ -83,12 +83,6 @@ public final class Environment {
     }
 
     public static String getCommand() {
-        String homeDir = getHomeDir();
-
-        if (homeDir == null) {
-            return "java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar";
-        }
-
         if (isWindows()) {
             return "kc.bat";
         }
@@ -183,6 +177,6 @@ public final class Environment {
     }
 
     public static boolean isDistribution() {
-        return Environment.getCommand().startsWith("kc.");
+        return getHomeDir() != null;
     }
 }

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java

@@ -47,7 +47,7 @@ import picocli.CommandLine.Mixin;
         },
         footerHeading = "Examples:",
         footer = "  Optimize the server based on a profile configuration:%n%n"
-                + "      $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} --profile=prod ${COMMAND-NAME}%n%n"
+                + "      $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} --profile=prod ${COMMAND-NAME} %n%n"
                 + "  Change database settings:%n%n"
                 + "      $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} ${COMMAND-NAME} --db=postgres [--db-url][--db-username][--db-password]%n%n"
                 + "  Enable a feature:%n%n"

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Main.java

@@ -70,6 +70,8 @@ public final class Main {
 
     public static final String PROFILE_SHORT_NAME = "-pf";
     public static final String PROFILE_LONG_NAME = "--profile";
+    public static final String CONFIG_FILE_SHORT_NAME = "-cf";
+    public static final String CONFIG_FILE_LONG_NAME = "--config-file";
 
     @CommandLine.Spec
     CommandLine.Model.CommandSpec spec;
@@ -103,7 +105,7 @@ public final class Main {
         Environment.setProfile(profile);
     }
 
-    @Option(names = { "-cf", "--config-file" },
+    @Option(names = { CONFIG_FILE_SHORT_NAME, CONFIG_FILE_LONG_NAME },
             arity = "1",
             description = "Set the path to a configuration file. By default, configuration properties are read from the \"keycloak.properties\" file in the \"conf\" directory.",
             paramLabel = "file")

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/ShowConfig.java

@@ -45,6 +45,7 @@ import picocli.CommandLine.Parameters;
         description = "%nPrint out the current configuration.")
 public final class ShowConfig extends AbstractCommand implements Runnable {
 
+    public static final String NAME = "show-config";
     @Parameters(
             paramLabel = "filter",
             defaultValue = "none",

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java

@@ -34,8 +34,6 @@ import java.util.function.BiConsumer;
 import java.util.function.Predicate;
 import java.util.regex.Pattern;
 
-import org.jboss.logging.Logger;
-
 import io.smallrye.config.PropertiesConfigSource;
 
 import org.keycloak.quarkus.runtime.cli.Picocli;
@@ -53,8 +51,6 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
  */
 public class ConfigArgsConfigSource extends PropertiesConfigSource {
 
-    private static final Logger log = Logger.getLogger(ConfigArgsConfigSource.class);
-
     public static final String CLI_ARGS = "kc.config.args";
     private static final String ARG_SEPARATOR = ";;";
     private static final Pattern ARG_SPLIT = Pattern.compile(";;");
@@ -120,7 +116,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
         String rawArgs = getRawConfigArgs();
         
         if (rawArgs == null || "".equals(rawArgs.trim())) {
-            log.trace("No command-line arguments provided");
             return Collections.emptyMap();
         }
 
@@ -131,7 +126,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
             public void accept(String key, String value) {
                 key = NS_KEYCLOAK_PREFIX + key.substring(2);
 
-                log.tracef("Adding property [%s=%s] from command-line", key, value);
                 properties.put(key, value);
 
                 String mappedPropertyName = getMappedPropertyName(key);
@@ -171,7 +165,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
         String rawArgs = getRawConfigArgs();
 
         if (rawArgs == null || "".equals(rawArgs.trim())) {
-            log.trace("No command-line arguments provided");
             return;
         }
 

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/Configuration.java

@@ -29,6 +29,7 @@ import io.smallrye.config.ConfigValue;
 import io.smallrye.config.SmallRyeConfig;
 import io.smallrye.config.SmallRyeConfigProviderResolver;
 
+import org.eclipse.microprofile.config.spi.ConfigProviderResolver;
 import org.eclipse.microprofile.config.spi.ConfigSource;
 import org.keycloak.quarkus.runtime.Environment;
 import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
@@ -39,17 +40,12 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
  */
 public final class Configuration {
 
-    private static volatile SmallRyeConfig CONFIG;
-
     private Configuration() {
 
     }
 
     public static synchronized SmallRyeConfig getConfig() {
-        if (CONFIG == null) {
+        return (SmallRyeConfig) ConfigProviderResolver.instance().getConfig();
-            CONFIG = (SmallRyeConfig) SmallRyeConfigProviderResolver.instance().getConfig();
-        }
-        return CONFIG;
     }
 
     public static Optional<String> getBuildTimeProperty(String name) {

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakConfigSourceProvider.java

@@ -63,6 +63,9 @@ public class KeycloakConfigSourceProvider implements ConfigSourceProvider {
 
     @Override
     public Iterable<ConfigSource> getConfigSources(ClassLoader forClassLoader) {
+        if(Environment.isTestLaunchMode()) {
+            reload();
+        }
         return CONFIG_SOURCES;
     }
 }

quarkus/runtime/src/test/java/org/keycloak/quarkus/runtime/configuration/test/ConfigurationTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
  * and other contributors as indicated by the @author tags.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-package org.keycloak.provider.quarkus;
+package org.keycloak.quarkus.runtime.configuration.test;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;

quarkus/tests/integration/pom.xml

@@ -32,6 +32,11 @@
     <artifactId>keycloak-quarkus-integration-tests</artifactId>
     <packaging>jar</packaging>
 
+    <properties>
+        <kc.quarkus.tests.dist>raw</kc.quarkus.tests.dist>
+        <approvaltests.version>12.3.2</approvaltests.version>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>org.keycloak</groupId>
@@ -64,6 +69,11 @@
             <groupId>org.testcontainers</groupId>
             <artifactId>junit-jupiter</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.approvaltests</groupId>
+            <artifactId>approvaltests</artifactId>
+            <version>${approvaltests.version}</version>
+        </dependency>
     </dependencies>
 
     <build>
@@ -72,12 +82,9 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
-                    <systemProperties>
+                    <systemPropertyVariables>
-                        <property>
+                        <kc.quarkus.tests.dist>${kc.quarkus.tests.dist}</kc.quarkus.tests.dist>
-                            <name>kc.quarkus.tests.dist</name>
+                    </systemPropertyVariables>
-                            <value>${kc.quarkus.tests.dist}</value>
-                        </property>
-                    </systemProperties>
                 </configuration>
             </plugin>
         </plugins>

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/CLIResult.java

@@ -19,22 +19,14 @@ package org.keycloak.it.junit5.extension;
 
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.util.Arrays;
 import java.util.List;
-
+import org.approvaltests.Approvals;
-import org.keycloak.quarkus.runtime.cli.Picocli;
-
 import io.quarkus.test.junit.main.LaunchResult;
-import picocli.CommandLine;
 
 public interface CLIResult extends LaunchResult {
 
-    static Object create(List<String> outputStream, List<String> errStream, int exitCode, boolean distribution) {
+    static Object create(List<String> outputStream, List<String> errStream, int exitCode) {
         return new CLIResult() {
             @Override
             public List<String> getOutputStream() {
@@ -50,16 +42,9 @@ public interface CLIResult extends LaunchResult {
             public int exitCode() {
                 return exitCode;
             }
-
-            @Override
-            public boolean isDistribution() {
-                return distribution;
-            }
         };
     }
 
-    boolean isDistribution();
-
     default void assertStarted() {
         assertFalse(getOutput().contains("The delayed handler's queue was overrun and log record(s) were lost (Did you forget to configure logging?)"), () -> "The standard Output:\n" + getOutput() + "should not contain a warning about log queue overrun.");
         assertTrue(getOutput().contains("Listening on:"), () -> "The standard output:\n" + getOutput() + "does include \"Listening on:\"");
@@ -81,31 +66,10 @@ public interface CLIResult extends LaunchResult {
                 () -> "The Error Output:\n " + getErrorOutput() + "\ndoesn't contains " + msg);
     }
 
-    default void assertHelp(String command) {
+    default void assertHelp() {
-        if (command == null) {
+        try {
-            fail("No command provided");
+            Approvals.verify(getOutput());
-        }
+        } catch (Exception cause) {
-
-        CommandLine cmd = Picocli.createCommandLine(Arrays.asList(command, "--help"));
-
-        if (isDistribution()) {
-            cmd.setCommandName("kc.sh");
-        }
-
-        try (
-                ByteArrayOutputStream outStream = new ByteArrayOutputStream();
-                PrintStream printStream = new PrintStream(outStream, true)
-        ) {
-            if ("kc.sh".equals(command)) {
-                cmd.usage(printStream);
-            } else {
-                cmd.getSubcommands().get(command).usage(printStream);
-            }
-
-            // not very reliable, we should be comparing the output with some static reference to the help message.
-            assertTrue(getOutput().trim().equals(outStream.toString().trim()),
-                    () -> "The Output:\n " + getOutput() + "\ndoesnt't contains " + outStream.toString().trim());
-        } catch (IOException cause) {
             throw new RuntimeException("Failed to assert help", cause);
         }
     }

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/CLITestExtension.java

@@ -20,10 +20,15 @@ package org.keycloak.it.junit5.extension;
 import static org.keycloak.it.junit5.extension.DistributionTest.ReInstall.BEFORE_ALL;
 import static org.keycloak.it.junit5.extension.DistributionType.RAW;
 import static org.keycloak.quarkus.runtime.Environment.forceTestLaunchMode;
+import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
+import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_SHORT_NAME;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.regex.Pattern;
+
+import io.quarkus.runtime.configuration.QuarkusConfigFactory;
 import org.junit.jupiter.api.extension.ExtensionContext;
 import org.junit.jupiter.api.extension.ParameterContext;
 import org.junit.jupiter.api.extension.ParameterResolutionException;
@@ -35,17 +40,29 @@ import org.keycloak.quarkus.runtime.cli.command.StartDev;
 import io.quarkus.test.junit.QuarkusMainTestExtension;
 import io.quarkus.test.junit.main.Launch;
 import io.quarkus.test.junit.main.LaunchResult;
+import org.keycloak.quarkus.runtime.configuration.KeycloakPropertiesConfigSource;
 
 public class CLITestExtension extends QuarkusMainTestExtension {
 
+    private static final String KEY_VALUE_SEPARATOR = "[= ]";
     private KeycloakDistribution dist;
 
     @Override
     public void beforeEach(ExtensionContext context) throws Exception {
         DistributionTest distConfig = getDistributionConfig(context);
+        Launch launch = context.getRequiredTestMethod().getAnnotation(Launch.class);
+
+        if (launch != null) {
+            for (String arg : launch.value()) {
+                if (arg.contains(CONFIG_FILE_SHORT_NAME) || arg.contains(CONFIG_FILE_LONG_NAME)) {
+                    Pattern kvSeparator = Pattern.compile(KEY_VALUE_SEPARATOR);
+                    String[] cfKeyValue = kvSeparator.split(arg);
+                    System.setProperty(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP, cfKeyValue[1]);
+                }
+            }
+        }
 
         if (distConfig != null) {
-            Launch launch = context.getRequiredTestMethod().getAnnotation(Launch.class);
 
             if (launch != null) {
                 if (dist == null) {
@@ -70,19 +87,15 @@ public class CLITestExtension extends QuarkusMainTestExtension {
         }
 
         super.afterEach(context);
+        reset();
     }
 
-    @Override
+    private void reset() {
-    public void afterAll(ExtensionContext context) throws Exception {
+        QuarkusConfigFactory.setConfig(null);
-        if (dist != null) {
+        //remove the config file property if set, and also the profile, to not have side effects in other tests.
-            // just to make sure the server is stopped after all tests
+        System.getProperties().remove(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP);
-            dist.stop();
+        System.getProperties().remove(Environment.PROFILE);
-        }
+        System.getProperties().remove("quarkus.profile");
-        super.afterAll(context);
-    }
-
-    private KeycloakDistribution createDistribution(DistributionTest config) {
-        return DistributionType.getCurrent().orElse(RAW).newInstance(config);
     }
 
     @Override
@@ -100,6 +113,19 @@ public class CLITestExtension extends QuarkusMainTestExtension {
         super.beforeAll(context);
     }
 
+    @Override
+    public void afterAll(ExtensionContext context) throws Exception {
+        if (dist != null) {
+            // just to make sure the server is stopped after all tests
+            dist.stop();
+        }
+        super.afterAll(context);
+    }
+
+    private KeycloakDistribution createDistribution(DistributionTest config) {
+        return DistributionType.getCurrent().orElse(RAW).newInstance(config);
+    }
+
     @Override
     public Object resolveParameter(ParameterContext parameterContext, ExtensionContext context)
             throws ParameterResolutionException {
@@ -123,10 +149,10 @@ public class CLITestExtension extends QuarkusMainTestExtension {
                 exitCode = result.exitCode();
             }
 
-            return CLIResult.create(outputStream, errStream, exitCode, isDistribution);
+            return CLIResult.create(outputStream, errStream, exitCode);
         }
 
-        // for now, not support for manual launching using QuarkusMainLauncher
+        // for now, no support for manual launching using QuarkusMainLauncher
         throw new RuntimeException("Parameter type [" + type + "] not supported");
     }
 

quarkus/tests/integration/src/main/java/org/keycloak/it/junit5/extension/RawDistOnly.java

@@ -22,10 +22,11 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
-import org.junit.jupiter.api.extension.ExtendWith;
 
 /**
- * {@link RawDistOnly} is used to signal that the annotated tests class is only enabled when running tests using the {@link DistributionType#RAW}.
+ * {@link RawDistOnly} is used to signal that the annotated test class
+ * is only enabled when running tests using the {@link DistributionType#RAW}
+ * or running tests in whitebox mode in the same jvm using {@link CLITest}
  */
 @Target(ElementType.TYPE)
 @Retention(RetentionPolicy.RUNTIME)

quarkus/tests/integration/src/main/java/org/keycloak/it/utils/RawKeycloakDistribution.java

@@ -43,15 +43,12 @@ import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import org.apache.commons.io.FileUtils;
-import org.jboss.logging.Logger;
 
 import io.quarkus.bootstrap.util.ZipUtils;
 import org.keycloak.common.Version;
 
 public final class RawKeycloakDistribution implements KeycloakDistribution {
 
-    private static final Logger LOGGER = Logger.getLogger(RawKeycloakDistribution.class);
-
     private Process keycloak;
     private int exitCode = -1;
     private final Path distPath;
@@ -164,7 +161,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
                 connection.connect();
 
                 if (connection.getResponseCode() == 200) {
-                    LOGGER.infof("Keycloak is ready at %s", contextRoot);
                     break;
                 }
             } catch (Exception ignore) {

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/HelpCommandTest.java

@@ -17,14 +17,15 @@
 
 package org.keycloak.it.cli;
 
-import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.keycloak.it.junit5.extension.CLIResult;
 import org.keycloak.it.junit5.extension.CLITest;
-import org.keycloak.quarkus.runtime.cli.command.Main;
+import org.keycloak.quarkus.runtime.cli.command.Build;
 
 import io.quarkus.test.junit.main.Launch;
 import io.quarkus.test.junit.main.LaunchResult;
+import org.keycloak.quarkus.runtime.cli.command.Start;
+import org.keycloak.quarkus.runtime.cli.command.StartDev;
 
 @CLITest
 public class HelpCommandTest {
@@ -33,34 +34,56 @@ public class HelpCommandTest {
     @Launch({})
     void testDefaultToHelp(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
-        cliResult.assertHelp("kc.sh");
+        cliResult.assertHelp();
     }
 
     @Test
     @Launch({ "--help" })
-    void testHelpCommand(LaunchResult result) {
+    void testHelp(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
-        cliResult.assertHelp("kc.sh");
+        cliResult.assertHelp();
     }
 
     @Test
-    @Launch({ "start", "--help" })
+    @Launch({ "-h" })
-    void testStartHelpCommand(LaunchResult result) {
+    void testHelpShort(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
-        cliResult.assertHelp("start");
+        cliResult.assertHelp();
     }
 
     @Test
-    @Launch({ "start-dev", "--help" })
+    @Launch({ Start.NAME, "--help" })
-    void testStartDevCommand(LaunchResult result) {
+    void testStartHelp(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
-        cliResult.assertHelp("start-dev");
+        cliResult.assertHelp();
     }
 
     @Test
-    @Launch({ "build", "--help" })
+    @Launch({ StartDev.NAME, "--help" })
-    void testBuildCommand(LaunchResult result) {
+    void testStartDevHelp(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
-        cliResult.assertHelp("build");
+        cliResult.assertHelp();
     }
+
+    @Test
+    @Launch({ StartDev.NAME, "--help-all" })
+    void testStartDevHelpAll(LaunchResult result) {
+        CLIResult cliResult = (CLIResult) result;
+        cliResult.assertHelp();
+    }
+
+    @Test
+    @Launch({ Build.NAME, "--help" })
+    void testBuildHelp(LaunchResult result) {
+        CLIResult cliResult = (CLIResult) result;
+        cliResult.assertHelp();
+    }
+
+    @Test
+    @Launch({ Build.NAME, "--help-all" })
+    void testBuildHelpAll(LaunchResult result) {
+        CLIResult cliResult = (CLIResult) result;
+        cliResult.assertHelp();
+    }
+
 }

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/PackageSettings.java

@@ -0,0 +1,17 @@
+package org.keycloak.it.cli;
+
+import org.keycloak.it.junit5.extension.CLITestExtension;
+
+/**
+ * Used to specify the output directory for the received / to-be-approved outputs of this packages tests.
+ * In our case they should be stored under resources/clitest/approvals or resources/rawdist/approvals depending
+ * on the runtype of the tests (@DistributionTest in Raw mode, or @CLITest, leading to either using "kc.sh"
+ * or "java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar" as command in the usage output).
+ *
+ * Note: Creates the directories if they don't exist yet.
+ * **/
+public class PackageSettings {
+
+    public String UseApprovalSubdirectory = "approvals/cli/help";
+    public String ApprovalBaseDirectory = "../resources";
+}

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/ShowConfigCommandTest.java

@@ -23,19 +23,23 @@ import org.keycloak.it.junit5.extension.CLITest;
 
 import io.quarkus.test.junit.main.Launch;
 import io.quarkus.test.junit.main.LaunchResult;
+import org.keycloak.quarkus.runtime.cli.command.ShowConfig;
+import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
+
+import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
 
 @CLITest
-class ShowConfigCommandTest {
+public class ShowConfigCommandTest {
 
     @Test
-    @Launch({ "show-config" })
+    @Launch({ ShowConfig.NAME })
     void testShowConfigCommandShowsRuntimeConfig(LaunchResult result) {
         Assertions.assertTrue(result.getOutput()
                 .contains("Runtime Configuration"));
     }
 
     @Test
-    @Launch({ "show-config", "all" })
+    @Launch({ ShowConfig.NAME, "all" })
     void testShowConfigCommandWithAllShowsAllProfiles(LaunchResult result) {
         Assertions.assertTrue(result.getOutput()
                 .contains("Runtime Configuration"));
@@ -44,4 +48,17 @@ class ShowConfigCommandTest {
         Assertions.assertTrue(result.getOutput()
                 .contains("Profile \"import_export\" Configuration"));
     }
+
+    @Test
+    @Launch({ CONFIG_FILE_LONG_NAME+"=src/test/resources/ShowConfigCommandTest/keycloak.properties", ShowConfig.NAME, "all" })
+    void testShowConfigCommandHidesCredentialsInProfiles(LaunchResult result) {
+        String output = result.getOutput();
+        Assertions.assertFalse(output.contains("testpw1"));
+        Assertions.assertFalse(output.contains("testpw2"));
+        Assertions.assertFalse(output.contains("testpw3"));
+        Assertions.assertTrue(output.contains("kc.db.password =  " + PropertyMappers.VALUE_MASK));
+        Assertions.assertTrue(output.contains("%dev.kc.db.password =  " + PropertyMappers.VALUE_MASK));
+        Assertions.assertTrue(output.contains("%dev.kc.https.key-store.password =  " + PropertyMappers.VALUE_MASK));
+        Assertions.assertTrue(output.contains("%import_export.kc.db.password =  " + PropertyMappers.VALUE_MASK));
+    }
 }

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/HelpCommandDistTest.java

@@ -19,7 +19,9 @@ package org.keycloak.it.cli.dist;
 
 import org.keycloak.it.cli.HelpCommandTest;
 import org.keycloak.it.junit5.extension.DistributionTest;
+import org.keycloak.it.junit5.extension.RawDistOnly;
 
 @DistributionTest
+@RawDistOnly(reason = "Verifying the help message output doesn't need long spin-up of docker dist tests.")
 public class HelpCommandDistTest extends HelpCommandTest {
 }

quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/StartCommandDistTest.java

@@ -22,10 +22,12 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import org.junit.jupiter.api.Test;
 import org.keycloak.it.cli.StartCommandTest;
+import org.keycloak.it.junit5.extension.CLIResult;
 import org.keycloak.it.junit5.extension.DistributionTest;
 
 import io.quarkus.test.junit.main.Launch;
 import io.quarkus.test.junit.main.LaunchResult;
+import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
 
 @DistributionTest
 public class StartCommandDistTest extends StartCommandTest {
@@ -44,4 +46,12 @@ public class StartCommandDistTest extends StartCommandTest {
         assertTrue(result.getErrorOutput().contains("ERROR: Strict hostname resolution configured but no hostname was set"),
                 () -> "The Output:\n" + result.getOutput() + "doesn't contains the expected string.");
     }
+
+    @Test
+    @Launch({ "start", "--auto-build", "--db-password=secret", "--https-key-store-password=secret"})
+    void testStartWithAutoBuildDoesntShowCredentialsInConsole(LaunchResult result) {
+        CLIResult cliResult = (CLIResult) result;
+        assertTrue(cliResult.getOutput().contains("--db-password=" + PropertyMappers.VALUE_MASK));
+        assertTrue(cliResult.getOutput().contains("--https-key-store-password=" + PropertyMappers.VALUE_MASK));
+    }
 }

quarkus/tests/integration/src/test/resources/ShowConfigCommandTest/keycloak.properties

@@ -0,0 +1,48 @@
+# Default and non-production grade database vendor
+db=h2-file
+db.username = sa
+db.password = keycloak
+
+# Insecure requests are disabled by default
+http.enabled=false
+
+# Metrics and healthcheck are disabled by default
+metrics.enabled=false
+
+# Basic settings for running in production. Change accordingly before deploying the server.
+# Database
+#%prod.db=postgres
+#%prod.db.username=keycloak
+#%prod.db.password=password
+#%prod.db.url=jdbc:postgresql://localhost/keycloak
+# Observability
+#%prod.metrics.enabled=true
+# HTTP
+#%prod.spi.hostname.frontend-url=https://localhost:8443
+#%prod.https.certificate.file=${kc.home.dir}conf/server.crt.pem
+#%prod.https.certificate.key-file=${kc.home.dir}conf/server.key.pem
+#%prod.proxy=reencrypt
+#%prod.hostname=myhostname
+
+# Default, and insecure, and non-production grade configuration for the development profile
+%dev.http.enabled=true
+%dev.hostname.strict=false
+%dev.db.password=testpw1
+%dev.hostname.strict-https=false
+%dev.cluster=local
+%dev.spi.theme.cache-themes=false
+%dev.spi.theme.cache-templates=false
+%dev.spi.theme.static-max-age=-1
+%dev.https.key-store.password=testpw2
+
+# The default configuration when running in import or export mode
+%import_export.http.enabled=true
+%import_export.db.password=testpw3
+%import_export.hostname.strict=false
+%import_export.hostname.strict-https=false
+%import_export.cluster=local
+
+# Logging configuration. INFO is the default level for most of the categories
+#quarkus.log.level = DEBUG
+quarkus.log.category."org.jboss.resteasy.resteasy_jaxrs.i18n".level=WARN
+quarkus.log.category."org.infinispan.transaction.lookup.JBossStandaloneJTAManagerLookup".level=WARN

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testBuildHelp.approved.txt

@@ -0,0 +1,136 @@
+Creates a new and optimized server image.
+
+Usage:
+
+kc.sh build [OPTIONS]
+
+Creates a new and optimized server image based on the configuration options
+passed to this command. Once created, the configuration will be persisted and
+read during startup without having to pass them over again.
+
+Some configuration options require this command to be executed in order to
+actually change a configuration. For instance
+
+- Change database vendor
+- Enable/disable features
+- Enable/Disable providers or set a default
+
+Consider running this command before running the server in production for an
+optimal runtime.
+
+Options:
+
+-h, --help           This help message.
+--help-all           This same help message but with additional options.
+
+Cluster:
+
+--cache <type>       Defines the cache mechanism for high-availability. By default, a 'ispn' cache
+                       is used to create a cluster between multiple server nodes. A 'local' cache
+                       disables clustering and is intended for development and testing purposes.
+                       Default: ispn.
+--cache-config-file <file>
+                     Defines the file from which cache configuration should be loaded from.
+--cache-stack <stack>
+                     Define the default stack to use for cluster communication and node discovery.
+                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
+
+Database:
+
+--db <vendor>        The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
+                       mssql-2012, mysql, oracle, postgres, postgres-95
+
+Feature:
+
+--features-account2 <enabled|disabled>
+                     Enables the ACCOUNT2 feature.
+--features-account_api <enabled|disabled>
+                     Enables the ACCOUNT_API feature.
+--features-admin2 <enabled|disabled>
+                     Enables the ADMIN2 feature.
+--features-admin_fine_grained_authz <enabled|disabled>
+                     Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
+--features-authorization <enabled|disabled>
+                     Enables the AUTHORIZATION feature.
+--features-ciba <enabled|disabled>
+                     Enables the CIBA feature.
+--features-client_policies <enabled|disabled>
+                     Enables the CLIENT_POLICIES feature.
+--features-declarative_user_profile <enabled|disabled>
+                     Enables the DECLARATIVE_USER_PROFILE feature.
+--features-docker <enabled|disabled>
+                     Enables the DOCKER feature.
+--features-impersonation <enabled|disabled>
+                     Enables the IMPERSONATION feature.
+--features-map_storage <enabled|disabled>
+                     Enables the MAP_STORAGE feature.
+--features-openshift_integration <enabled|disabled>
+                     Enables the OPENSHIFT_INTEGRATION feature.
+--features-par <enabled|disabled>
+                     Enables the PAR feature.
+--features-scripts <enabled|disabled>
+                     Enables the SCRIPTS feature.
+--features-token_exchange <enabled|disabled>
+                     Enables the TOKEN_EXCHANGE feature.
+--features-upload_scripts <enabled|disabled>
+                     Enables the UPLOAD_SCRIPTS feature.
+--features-web_authn <enabled|disabled>
+                     Enables the WEB_AUTHN feature.
+-ft, --features <preview>
+                     Enables all tech preview features.
+
+HTTP/TLS:
+
+--http-relative-path <path>
+                     Set the path relative to '/' for serving resources. Default: /.
+
+Metrics:
+
+--metrics-enabled <true|false>
+                     If the server should expose metrics and healthcheck. If enabled, metrics are
+                       available at the '/metrics' endpoint and healthcheck at the '/health'
+                       endpoint. Default: false.
+
+Vault:
+
+--vault-file-path <dir>
+                     If set, secrets can be obtained by reading the content of files within the
+                       given path.
+--vault-hashicorp-paths <paths>
+                     A set of one or more paths that should be used when looking up secrets.
+
+Examples:
+
+  Optimize the server based on a profile configuration:
+
+      $ kc.sh --profile=prod build
+
+  Change database settings:
+
+      $ kc.sh build --db=postgres [--db-url][--db-username][--db-password]
+
+  Enable a feature:
+
+      $ kc.sh build --features-<feature_name>=[enabled|disabled]
+
+  Or alternatively, enable all tech preview features:
+
+      $ kc.sh build --features=preview
+
+  Enable metrics:
+
+      $ kc.sh build --metrics-enabled=true
+
+  Change the relative path:
+
+      $ kc.sh build --http-relative-path=/auth
+
+You can also use the "--auto-build" option when starting the server to avoid
+running this command every time you change a configuration:
+
+    $ kc.sh start --auto-build <OPTIONS>
+
+By doing that you have an additional overhead when the server is starting.
+
+Use 'kc.sh build --help-all' to list all available options, including the start
+options.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testBuildHelpAll.approved.txt

@@ -0,0 +1,213 @@
+Creates a new and optimized server image.
+
+Usage:
+
+kc.sh build [OPTIONS]
+
+Creates a new and optimized server image based on the configuration options
+passed to this command. Once created, the configuration will be persisted and
+read during startup without having to pass them over again.
+
+Some configuration options require this command to be executed in order to
+actually change a configuration. For instance
+
+- Change database vendor
+- Enable/disable features
+- Enable/Disable providers or set a default
+
+Consider running this command before running the server in production for an
+optimal runtime.
+
+Options:
+
+-h, --help           This help message.
+--help-all           This same help message but with additional options.
+
+Cluster:
+
+--cache <type>       Defines the cache mechanism for high-availability. By default, a 'ispn' cache
+                       is used to create a cluster between multiple server nodes. A 'local' cache
+                       disables clustering and is intended for development and testing purposes.
+                       Default: ispn.
+--cache-config-file <file>
+                     Defines the file from which cache configuration should be loaded from.
+--cache-stack <stack>
+                     Define the default stack to use for cluster communication and node discovery.
+                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
+
+Database:
+
+--db <vendor>        The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
+                       mssql-2012, mysql, oracle, postgres, postgres-95
+--db-password <password>
+                     The password of the database user.
+--db-pool-initial-size <size>
+                     The initial size of the connection pool.
+--db-pool-max-size <size>
+                     The maximum size of the connection pool. Default: 100.
+--db-pool-min-size <size>
+                     The minimal size of the connection pool.
+--db-schema <schema> The database schema to be used.
+--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
+                       selected database vendor. For instance, if using 'postgres', the default
+                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
+--db-url-database <dbname>
+                     Sets the database name of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-host <hostname>
+                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-properties <properties>
+                     Sets the properties of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-username <username>
+                     The username of the database user.
+
+Feature:
+
+--features-account2 <enabled|disabled>
+                     Enables the ACCOUNT2 feature.
+--features-account_api <enabled|disabled>
+                     Enables the ACCOUNT_API feature.
+--features-admin2 <enabled|disabled>
+                     Enables the ADMIN2 feature.
+--features-admin_fine_grained_authz <enabled|disabled>
+                     Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
+--features-authorization <enabled|disabled>
+                     Enables the AUTHORIZATION feature.
+--features-ciba <enabled|disabled>
+                     Enables the CIBA feature.
+--features-client_policies <enabled|disabled>
+                     Enables the CLIENT_POLICIES feature.
+--features-declarative_user_profile <enabled|disabled>
+                     Enables the DECLARATIVE_USER_PROFILE feature.
+--features-docker <enabled|disabled>
+                     Enables the DOCKER feature.
+--features-impersonation <enabled|disabled>
+                     Enables the IMPERSONATION feature.
+--features-map_storage <enabled|disabled>
+                     Enables the MAP_STORAGE feature.
+--features-openshift_integration <enabled|disabled>
+                     Enables the OPENSHIFT_INTEGRATION feature.
+--features-par <enabled|disabled>
+                     Enables the PAR feature.
+--features-scripts <enabled|disabled>
+                     Enables the SCRIPTS feature.
+--features-token_exchange <enabled|disabled>
+                     Enables the TOKEN_EXCHANGE feature.
+--features-upload_scripts <enabled|disabled>
+                     Enables the UPLOAD_SCRIPTS feature.
+--features-web_authn <enabled|disabled>
+                     Enables the WEB_AUTHN feature.
+-ft, --features <preview>
+                     Enables all tech preview features.
+
+Hostname:
+
+--hostname <hostname>
+                     Hostname for the Keycloak server.
+--hostname-admin <url>
+                     Overrides the hostname for the admin console and APIs.
+--hostname-path <path>
+                     This should be set if proxy uses a different context-path for Keycloak.
+--hostname-strict <true|false>
+                     Disables dynamically resolving the hostname from request headers. Should
+                       always be set to true in production, unless proxy verifies the Host header.
+                       Default: true.
+--hostname-strict-backchannel <true|false>
+                     By default backchannel URLs are dynamically resolved from request headers to
+                       allow internal an external applications. If all applications use the public
+                       URL this option should be enabled. Default: false.
+
+HTTP/TLS:
+
+--http-enabled <true|false>
+                     Enables the HTTP listener. Default: false.
+--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
+--http-port <port>   The used HTTP port. Default: 8080.
+--http-relative-path <path>
+                     Set the path relative to '/' for serving resources. Default: /.
+--https-certificate-file <file>
+                     The file path to a server certificate or certificate chain in PEM format.
+--https-certificate-key-file <file>
+                     The file path to a private key in PEM format.
+--https-cipher-suites <ciphers>
+                     The cipher suites to use. If none is given, a reasonable default is selected.
+--https-client-auth <auth>
+                     Configures the server to require/request client authentication. Possible
+                       Values: none, request, required. Default: none.
+--https-key-store-file <file>
+                     The key store which holds the certificate information instead of specifying
+                       separate files.
+--https-key-store-password <password>
+                     The password of the key store file. Default: password.
+--https-key-store-type <type>
+                     The type of the key store file. If not given, the type is automatically
+                       detected based on the file name.
+--https-port <port>  The used HTTPS port. Default: 8443.
+--https-protocols <protocols>
+                     The list of protocols to explicitly enable.
+--https-trust-store-file <file>
+                     The trust store which holds the certificate information of the certificates to
+                       trust.
+--https-trust-store-password <password>
+                     The password of the trust store file.
+--https-trust-store-type <type>
+                     The type of the trust store file. If not given, the type is automatically
+                       detected based on the file name.
+
+Metrics:
+
+--metrics-enabled <true|false>
+                     If the server should expose metrics and healthcheck. If enabled, metrics are
+                       available at the '/metrics' endpoint and healthcheck at the '/health'
+                       endpoint. Default: false.
+
+Proxy:
+
+--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
+                       Possible values are: none,edge,reencrypt,passthrough Default: none.
+
+Vault:
+
+--vault-file-path <dir>
+                     If set, secrets can be obtained by reading the content of files within the
+                       given path.
+--vault-hashicorp-paths <paths>
+                     A set of one or more paths that should be used when looking up secrets.
+
+Examples:
+
+  Optimize the server based on a profile configuration:
+
+      $ kc.sh --profile=prod build
+
+  Change database settings:
+
+      $ kc.sh build --db=postgres [--db-url][--db-username][--db-password]
+
+  Enable a feature:
+
+      $ kc.sh build --features-<feature_name>=[enabled|disabled]
+
+  Or alternatively, enable all tech preview features:
+
+      $ kc.sh build --features=preview
+
+  Enable metrics:
+
+      $ kc.sh build --metrics-enabled=true
+
+  Change the relative path:
+
+      $ kc.sh build --http-relative-path=/auth
+
+You can also use the "--auto-build" option when starting the server to avoid
+running this command every time you change a configuration:
+
+    $ kc.sh start --auto-build <OPTIONS>
+
+By doing that you have an additional overhead when the server is starting.
+
+Use 'kc.sh build --help-all' to list all available options, including the start
+options.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testDefaultToHelp.approved.txt

@@ -0,0 +1,59 @@
+Keycloak - Open Source Identity and Access Management
+
+Find more information at: https://www.keycloak.org/docs/latest
+
+Usage:
+
+kc.sh [OPTIONS] [COMMAND]
+
+Use this command-line tool to manage your Keycloak cluster.
+Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
+"./kc.sh") to execute from the current folder.
+
+Options:
+
+-cf, --config-file <file>
+                     Set the path to a configuration file. By default, configuration properties are
+                       read from the "keycloak.properties" file in the "conf" directory.
+-D<key>=<value> <sysProps>
+                     Set a Java system property
+-h, --help           This help message.
+-pf, --profile <profile>
+                     Set the profile. Use 'dev' profile to enable development mode.
+-v, --verbose        Print out error details when running this command.
+-V, --version        Show version information
+
+Commands:
+
+  build                   Creates a new and optimized server image.
+  start                   Start the server.
+  start-dev               Start the server in development mode.
+  export                  Export data from realms to a file or directory.
+  import                  Import data from a directory or a file.
+  show-config             Print out the current configuration.
+  tools                   %nUtilities for use and interaction with the server.
+    completion            Generate bash/zsh completion script for kc.sh.
+
+Examples:
+
+  Start the server in development mode for local development or testing:
+
+      $ kc.sh start-dev
+
+  Building an optimized server runtime:
+
+      $ kc.sh build <OPTIONS>
+
+  Start the server in production mode:
+
+      $ kc.sh start <OPTIONS>
+
+  Enable auto-completion to bash/zsh:
+
+      $ source <(kc.sh tools completion)
+
+  Please, take a look at the documentation for more details before deploying in
+production.
+
+Use "kc.sh start --help" for the available options when starting the server.
+Use "kc.sh <command> --help" for more information about other commands.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testHelp.approved.txt

@@ -0,0 +1,59 @@
+Keycloak - Open Source Identity and Access Management
+
+Find more information at: https://www.keycloak.org/docs/latest
+
+Usage:
+
+kc.sh [OPTIONS] [COMMAND]
+
+Use this command-line tool to manage your Keycloak cluster.
+Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
+"./kc.sh") to execute from the current folder.
+
+Options:
+
+-cf, --config-file <file>
+                     Set the path to a configuration file. By default, configuration properties are
+                       read from the "keycloak.properties" file in the "conf" directory.
+-D<key>=<value> <sysProps>
+                     Set a Java system property
+-h, --help           This help message.
+-pf, --profile <profile>
+                     Set the profile. Use 'dev' profile to enable development mode.
+-v, --verbose        Print out error details when running this command.
+-V, --version        Show version information
+
+Commands:
+
+  build                   Creates a new and optimized server image.
+  start                   Start the server.
+  start-dev               Start the server in development mode.
+  export                  Export data from realms to a file or directory.
+  import                  Import data from a directory or a file.
+  show-config             Print out the current configuration.
+  tools                   %nUtilities for use and interaction with the server.
+    completion            Generate bash/zsh completion script for kc.sh.
+
+Examples:
+
+  Start the server in development mode for local development or testing:
+
+      $ kc.sh start-dev
+
+  Building an optimized server runtime:
+
+      $ kc.sh build <OPTIONS>
+
+  Start the server in production mode:
+
+      $ kc.sh start <OPTIONS>
+
+  Enable auto-completion to bash/zsh:
+
+      $ source <(kc.sh tools completion)
+
+  Please, take a look at the documentation for more details before deploying in
+production.
+
+Use "kc.sh start --help" for the available options when starting the server.
+Use "kc.sh <command> --help" for more information about other commands.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testHelpShort.approved.txt

@@ -0,0 +1,59 @@
+Keycloak - Open Source Identity and Access Management
+
+Find more information at: https://www.keycloak.org/docs/latest
+
+Usage:
+
+kc.sh [OPTIONS] [COMMAND]
+
+Use this command-line tool to manage your Keycloak cluster.
+Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
+"./kc.sh") to execute from the current folder.
+
+Options:
+
+-cf, --config-file <file>
+                     Set the path to a configuration file. By default, configuration properties are
+                       read from the "keycloak.properties" file in the "conf" directory.
+-D<key>=<value> <sysProps>
+                     Set a Java system property
+-h, --help           This help message.
+-pf, --profile <profile>
+                     Set the profile. Use 'dev' profile to enable development mode.
+-v, --verbose        Print out error details when running this command.
+-V, --version        Show version information
+
+Commands:
+
+  build                   Creates a new and optimized server image.
+  start                   Start the server.
+  start-dev               Start the server in development mode.
+  export                  Export data from realms to a file or directory.
+  import                  Import data from a directory or a file.
+  show-config             Print out the current configuration.
+  tools                   %nUtilities for use and interaction with the server.
+    completion            Generate bash/zsh completion script for kc.sh.
+
+Examples:
+
+  Start the server in development mode for local development or testing:
+
+      $ kc.sh start-dev
+
+  Building an optimized server runtime:
+
+      $ kc.sh build <OPTIONS>
+
+  Start the server in production mode:
+
+      $ kc.sh start <OPTIONS>
+
+  Enable auto-completion to bash/zsh:
+
+      $ source <(kc.sh tools completion)
+
+  Please, take a look at the documentation for more details before deploying in
+production.
+
+Use "kc.sh start --help" for the available options when starting the server.
+Use "kc.sh <command> --help" for more information about other commands.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testStartDevHelp.approved.txt

@@ -0,0 +1,101 @@
+Start the server in development mode.
+
+Usage:
+
+kc.sh start-dev [OPTIONS]
+
+Use this command if you want to run the server locally for development or
+testing purposes.
+
+Options:
+
+-h, --help           This help message.
+--help-all           This same help message but with additional options.
+
+Database:
+
+--db-password <password>
+                     The password of the database user.
+--db-pool-initial-size <size>
+                     The initial size of the connection pool.
+--db-pool-max-size <size>
+                     The maximum size of the connection pool. Default: 100.
+--db-pool-min-size <size>
+                     The minimal size of the connection pool.
+--db-schema <schema> The database schema to be used.
+--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
+                       selected database vendor. For instance, if using 'postgres', the default
+                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
+--db-url-database <dbname>
+                     Sets the database name of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-host <hostname>
+                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-properties <properties>
+                     Sets the properties of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-username <username>
+                     The username of the database user.
+
+Hostname:
+
+--hostname <hostname>
+                     Hostname for the Keycloak server.
+--hostname-admin <url>
+                     Overrides the hostname for the admin console and APIs.
+--hostname-path <path>
+                     This should be set if proxy uses a different context-path for Keycloak.
+--hostname-strict <true|false>
+                     Disables dynamically resolving the hostname from request headers. Should
+                       always be set to true in production, unless proxy verifies the Host header.
+                       Default: true.
+--hostname-strict-backchannel <true|false>
+                     By default backchannel URLs are dynamically resolved from request headers to
+                       allow internal an external applications. If all applications use the public
+                       URL this option should be enabled. Default: false.
+
+HTTP/TLS:
+
+--http-enabled <true|false>
+                     Enables the HTTP listener. Default: false.
+--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
+--http-port <port>   The used HTTP port. Default: 8080.
+--https-certificate-file <file>
+                     The file path to a server certificate or certificate chain in PEM format.
+--https-certificate-key-file <file>
+                     The file path to a private key in PEM format.
+--https-cipher-suites <ciphers>
+                     The cipher suites to use. If none is given, a reasonable default is selected.
+--https-client-auth <auth>
+                     Configures the server to require/request client authentication. Possible
+                       Values: none, request, required. Default: none.
+--https-key-store-file <file>
+                     The key store which holds the certificate information instead of specifying
+                       separate files.
+--https-key-store-password <password>
+                     The password of the key store file. Default: password.
+--https-key-store-type <type>
+                     The type of the key store file. If not given, the type is automatically
+                       detected based on the file name.
+--https-port <port>  The used HTTPS port. Default: 8443.
+--https-protocols <protocols>
+                     The list of protocols to explicitly enable.
+--https-trust-store-file <file>
+                     The trust store which holds the certificate information of the certificates to
+                       trust.
+--https-trust-store-password <password>
+                     The password of the trust store file.
+--https-trust-store-type <type>
+                     The type of the trust store file. If not given, the type is automatically
+                       detected based on the file name.
+
+Proxy:
+
+--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
+                       Possible values are: none,edge,reencrypt,passthrough Default: none.
+
+Do NOT start the server using this command when deploying to production.
+
+Use 'kc.sh start-dev --help-all' to list all available options, including build
+options.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testStartDevHelpAll.approved.txt

@@ -0,0 +1,171 @@
+Start the server in development mode.
+
+Usage:
+
+kc.sh start-dev [OPTIONS]
+
+Use this command if you want to run the server locally for development or
+testing purposes.
+
+Options:
+
+-h, --help           This help message.
+--help-all           This same help message but with additional options.
+
+Cluster:
+
+--cache <type>       Defines the cache mechanism for high-availability. By default, a 'ispn' cache
+                       is used to create a cluster between multiple server nodes. A 'local' cache
+                       disables clustering and is intended for development and testing purposes.
+                       Default: ispn.
+--cache-config-file <file>
+                     Defines the file from which cache configuration should be loaded from.
+--cache-stack <stack>
+                     Define the default stack to use for cluster communication and node discovery.
+                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
+
+Database:
+
+--db <vendor>        The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
+                       mssql-2012, mysql, oracle, postgres, postgres-95
+--db-password <password>
+                     The password of the database user.
+--db-pool-initial-size <size>
+                     The initial size of the connection pool.
+--db-pool-max-size <size>
+                     The maximum size of the connection pool. Default: 100.
+--db-pool-min-size <size>
+                     The minimal size of the connection pool.
+--db-schema <schema> The database schema to be used.
+--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
+                       selected database vendor. For instance, if using 'postgres', the default
+                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
+--db-url-database <dbname>
+                     Sets the database name of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-host <hostname>
+                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-properties <properties>
+                     Sets the properties of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-username <username>
+                     The username of the database user.
+
+Feature:
+
+--features-account2 <enabled|disabled>
+                     Enables the ACCOUNT2 feature.
+--features-account_api <enabled|disabled>
+                     Enables the ACCOUNT_API feature.
+--features-admin2 <enabled|disabled>
+                     Enables the ADMIN2 feature.
+--features-admin_fine_grained_authz <enabled|disabled>
+                     Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
+--features-authorization <enabled|disabled>
+                     Enables the AUTHORIZATION feature.
+--features-ciba <enabled|disabled>
+                     Enables the CIBA feature.
+--features-client_policies <enabled|disabled>
+                     Enables the CLIENT_POLICIES feature.
+--features-declarative_user_profile <enabled|disabled>
+                     Enables the DECLARATIVE_USER_PROFILE feature.
+--features-docker <enabled|disabled>
+                     Enables the DOCKER feature.
+--features-impersonation <enabled|disabled>
+                     Enables the IMPERSONATION feature.
+--features-map_storage <enabled|disabled>
+                     Enables the MAP_STORAGE feature.
+--features-openshift_integration <enabled|disabled>
+                     Enables the OPENSHIFT_INTEGRATION feature.
+--features-par <enabled|disabled>
+                     Enables the PAR feature.
+--features-scripts <enabled|disabled>
+                     Enables the SCRIPTS feature.
+--features-token_exchange <enabled|disabled>
+                     Enables the TOKEN_EXCHANGE feature.
+--features-upload_scripts <enabled|disabled>
+                     Enables the UPLOAD_SCRIPTS feature.
+--features-web_authn <enabled|disabled>
+                     Enables the WEB_AUTHN feature.
+-ft, --features <preview>
+                     Enables all tech preview features.
+
+Hostname:
+
+--hostname <hostname>
+                     Hostname for the Keycloak server.
+--hostname-admin <url>
+                     Overrides the hostname for the admin console and APIs.
+--hostname-path <path>
+                     This should be set if proxy uses a different context-path for Keycloak.
+--hostname-strict <true|false>
+                     Disables dynamically resolving the hostname from request headers. Should
+                       always be set to true in production, unless proxy verifies the Host header.
+                       Default: true.
+--hostname-strict-backchannel <true|false>
+                     By default backchannel URLs are dynamically resolved from request headers to
+                       allow internal an external applications. If all applications use the public
+                       URL this option should be enabled. Default: false.
+
+HTTP/TLS:
+
+--http-enabled <true|false>
+                     Enables the HTTP listener. Default: false.
+--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
+--http-port <port>   The used HTTP port. Default: 8080.
+--http-relative-path <path>
+                     Set the path relative to '/' for serving resources. Default: /.
+--https-certificate-file <file>
+                     The file path to a server certificate or certificate chain in PEM format.
+--https-certificate-key-file <file>
+                     The file path to a private key in PEM format.
+--https-cipher-suites <ciphers>
+                     The cipher suites to use. If none is given, a reasonable default is selected.
+--https-client-auth <auth>
+                     Configures the server to require/request client authentication. Possible
+                       Values: none, request, required. Default: none.
+--https-key-store-file <file>
+                     The key store which holds the certificate information instead of specifying
+                       separate files.
+--https-key-store-password <password>
+                     The password of the key store file. Default: password.
+--https-key-store-type <type>
+                     The type of the key store file. If not given, the type is automatically
+                       detected based on the file name.
+--https-port <port>  The used HTTPS port. Default: 8443.
+--https-protocols <protocols>
+                     The list of protocols to explicitly enable.
+--https-trust-store-file <file>
+                     The trust store which holds the certificate information of the certificates to
+                       trust.
+--https-trust-store-password <password>
+                     The password of the trust store file.
+--https-trust-store-type <type>
+                     The type of the trust store file. If not given, the type is automatically
+                       detected based on the file name.
+
+Metrics:
+
+--metrics-enabled <true|false>
+                     If the server should expose metrics and healthcheck. If enabled, metrics are
+                       available at the '/metrics' endpoint and healthcheck at the '/health'
+                       endpoint. Default: false.
+
+Proxy:
+
+--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
+                       Possible values are: none,edge,reencrypt,passthrough Default: none.
+
+Vault:
+
+--vault-file-path <dir>
+                     If set, secrets can be obtained by reading the content of files within the
+                       given path.
+--vault-hashicorp-paths <paths>
+                     A set of one or more paths that should be used when looking up secrets.
+
+Do NOT start the server using this command when deploying to production.
+
+Use 'kc.sh start-dev --help-all' to list all available options, including build
+options.

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/approvals/cli/help/HelpCommandTest.testStartHelp.approved.txt

@@ -0,0 +1,107 @@
+Start the server.
+
+Usage:
+
+kc.sh start [OPTIONS]
+
+Use this command to run the server in production.
+
+Options:
+
+-b, --auto-build     Automatically detects whether the server configuration changed and a new
+                       server image must be built prior to starting the server. This option
+                       provides an alternative to manually running the 'build' prior to starting
+                       the server. Use this configuration carefully in production as it might
+                       impact the startup time.
+-h, --help           This help message.
+
+Database:
+
+--db-password <password>
+                     The password of the database user.
+--db-pool-initial-size <size>
+                     The initial size of the connection pool.
+--db-pool-max-size <size>
+                     The maximum size of the connection pool. Default: 100.
+--db-pool-min-size <size>
+                     The minimal size of the connection pool.
+--db-schema <schema> The database schema to be used.
+--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
+                       selected database vendor. For instance, if using 'postgres', the default
+                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
+--db-url-database <dbname>
+                     Sets the database name of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-host <hostname>
+                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-url-properties <properties>
+                     Sets the properties of the default JDBC URL of the chosen vendor. If the
+                       `db-url` option is set, this option is ignored.
+--db-username <username>
+                     The username of the database user.
+
+Hostname:
+
+--hostname <hostname>
+                     Hostname for the Keycloak server.
+--hostname-admin <url>
+                     Overrides the hostname for the admin console and APIs.
+--hostname-path <path>
+                     This should be set if proxy uses a different context-path for Keycloak.
+--hostname-strict <true|false>
+                     Disables dynamically resolving the hostname from request headers. Should
+                       always be set to true in production, unless proxy verifies the Host header.
+                       Default: true.
+--hostname-strict-backchannel <true|false>
+                     By default backchannel URLs are dynamically resolved from request headers to
+                       allow internal an external applications. If all applications use the public
+                       URL this option should be enabled. Default: false.
+
+HTTP/TLS:
+
+--http-enabled <true|false>
+                     Enables the HTTP listener. Default: false.
+--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
+--http-port <port>   The used HTTP port. Default: 8080.
+--https-certificate-file <file>
+                     The file path to a server certificate or certificate chain in PEM format.
+--https-certificate-key-file <file>
+                     The file path to a private key in PEM format.
+--https-cipher-suites <ciphers>
+                     The cipher suites to use. If none is given, a reasonable default is selected.
+--https-client-auth <auth>
+                     Configures the server to require/request client authentication. Possible
+                       Values: none, request, required. Default: none.
+--https-key-store-file <file>
+                     The key store which holds the certificate information instead of specifying
+                       separate files.
+--https-key-store-password <password>
+                     The password of the key store file. Default: password.
+--https-key-store-type <type>
+                     The type of the key store file. If not given, the type is automatically
+                       detected based on the file name.
+--https-port <port>  The used HTTPS port. Default: 8443.
+--https-protocols <protocols>
+                     The list of protocols to explicitly enable.
+--https-trust-store-file <file>
+                     The trust store which holds the certificate information of the certificates to
+                       trust.
+--https-trust-store-password <password>
+                     The password of the trust store file.
+--https-trust-store-type <type>
+                     The type of the trust store file. If not given, the type is automatically
+                       detected based on the file name.
+
+Proxy:
+
+--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
+                       Possible values are: none,edge,reencrypt,passthrough Default: none.
+
+You may use the "--auto-build" option when starting the server to avoid running
+the "build" command everytime you need to change a static property:
+
+      $ kc.sh start --auto-build <OPTIONS>
+
+By doing that you have an additional overhead when the server is starting. Run
+"kc.sh build -h" for more details.