KEYCLOAK-19858 Add Tests to check that no credentials are leaking when using CLI commands. Also: Tests for Help Command output using Golden master technique
parent
93853e9dc4
commit
f2abfecca1
28 changed files with 1118 additions and 111 deletions
2
.gitattributes
vendored
2
.gitattributes
vendored
|
@ -18,3 +18,5 @@
|
||||||
*.eot binary
|
*.eot binary
|
||||||
*.otf binary
|
*.otf binary
|
||||||
*.woff binary
|
*.woff binary
|
||||||
|
# See https://github.com/approvals/ApprovalTests.Java#approved-file-artifacts (used in golden testing for help output of quarkus based dist)
|
||||||
|
*.approved.* binary
|
||||||
|
|
|
@ -83,12 +83,6 @@ public final class Environment {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static String getCommand() {
|
public static String getCommand() {
|
||||||
String homeDir = getHomeDir();
|
|
||||||
|
|
||||||
if (homeDir == null) {
|
|
||||||
return "java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar";
|
|
||||||
}
|
|
||||||
|
|
||||||
if (isWindows()) {
|
if (isWindows()) {
|
||||||
return "kc.bat";
|
return "kc.bat";
|
||||||
}
|
}
|
||||||
|
@ -183,6 +177,6 @@ public final class Environment {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static boolean isDistribution() {
|
public static boolean isDistribution() {
|
||||||
return Environment.getCommand().startsWith("kc.");
|
return getHomeDir() != null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
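Review bot: `isDistribution()` is now decided by `getHomeDir() != null` rather than by the launcher name, while `getCommand()` loses its `homeDir == null` fallback, so the two methods no longer agree by construction and nothing in the code states which condition defines a distribution. A Javadoc line on `isDistribution()` would record the new rule, for example `Returns true when a Keycloak home directory is set.` Callers that relied on `getCommand()` returning the `java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar` form when no home directory is set are not visible here and are worth checking. Both method bodies extend beyond the hunks shown.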
@ -47,7 +47,7 @@ import picocli.CommandLine.Mixin;
|
||||||
},
|
},
|
||||||
footerHeading = "Examples:",
|
footerHeading = "Examples:",
|
||||||
footer = " Optimize the server based on a profile configuration:%n%n"
|
footer = " Optimize the server based on a profile configuration:%n%n"
|
||||||
+ " $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} --profile=prod ${COMMAND-NAME}%n%n"
|
+ " $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} --profile=prod ${COMMAND-NAME} %n%n"
|
||||||
+ " Change database settings:%n%n"
|
+ " Change database settings:%n%n"
|
||||||
+ " $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} ${COMMAND-NAME} --db=postgres [--db-url][--db-username][--db-password]%n%n"
|
+ " $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} ${COMMAND-NAME} --db=postgres [--db-url][--db-username][--db-password]%n%n"
|
||||||
+ " Enable a feature:%n%n"
|
+ " Enable a feature:%n%n"
|
||||||
|
|
|
@ -70,6 +70,8 @@ public final class Main {
|
||||||
|
|
||||||
public static final String PROFILE_SHORT_NAME = "-pf";
|
public static final String PROFILE_SHORT_NAME = "-pf";
|
||||||
public static final String PROFILE_LONG_NAME = "--profile";
|
public static final String PROFILE_LONG_NAME = "--profile";
|
||||||
|
public static final String CONFIG_FILE_SHORT_NAME = "-cf";
|
||||||
|
public static final String CONFIG_FILE_LONG_NAME = "--config-file";
|
||||||
|
|
||||||
@CommandLine.Spec
|
@CommandLine.Spec
|
||||||
CommandLine.Model.CommandSpec spec;
|
CommandLine.Model.CommandSpec spec;
|
||||||
|
@ -103,7 +105,7 @@ public final class Main {
|
||||||
Environment.setProfile(profile);
|
Environment.setProfile(profile);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Option(names = { "-cf", "--config-file" },
|
@Option(names = { CONFIG_FILE_SHORT_NAME, CONFIG_FILE_LONG_NAME },
|
||||||
arity = "1",
|
arity = "1",
|
||||||
description = "Set the path to a configuration file. By default, configuration properties are read from the \"keycloak.properties\" file in the \"conf\" directory.",
|
description = "Set the path to a configuration file. By default, configuration properties are read from the \"keycloak.properties\" file in the \"conf\" directory.",
|
||||||
paramLabel = "file")
|
paramLabel = "file")
|
||||||
|
|
|
@ -45,6 +45,7 @@ import picocli.CommandLine.Parameters;
|
||||||
description = "%nPrint out the current configuration.")
|
description = "%nPrint out the current configuration.")
|
||||||
public final class ShowConfig extends AbstractCommand implements Runnable {
|
public final class ShowConfig extends AbstractCommand implements Runnable {
|
||||||
|
|
||||||
|
public static final String NAME = "show-config";
|
||||||
@Parameters(
|
@Parameters(
|
||||||
paramLabel = "filter",
|
paramLabel = "filter",
|
||||||
defaultValue = "none",
|
defaultValue = "none",
|
||||||
|
|
|
@ -34,8 +34,6 @@ import java.util.function.BiConsumer;
|
||||||
import java.util.function.Predicate;
|
import java.util.function.Predicate;
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
import org.jboss.logging.Logger;
|
|
||||||
|
|
||||||
import io.smallrye.config.PropertiesConfigSource;
|
import io.smallrye.config.PropertiesConfigSource;
|
||||||
|
|
||||||
import org.keycloak.quarkus.runtime.cli.Picocli;
|
import org.keycloak.quarkus.runtime.cli.Picocli;
|
||||||
|
@ -53,8 +51,6 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
|
||||||
*/
|
*/
|
||||||
public class ConfigArgsConfigSource extends PropertiesConfigSource {
|
public class ConfigArgsConfigSource extends PropertiesConfigSource {
|
||||||
|
|
||||||
private static final Logger log = Logger.getLogger(ConfigArgsConfigSource.class);
|
|
||||||
|
|
||||||
public static final String CLI_ARGS = "kc.config.args";
|
public static final String CLI_ARGS = "kc.config.args";
|
||||||
private static final String ARG_SEPARATOR = ";;";
|
private static final String ARG_SEPARATOR = ";;";
|
||||||
private static final Pattern ARG_SPLIT = Pattern.compile(";;");
|
private static final Pattern ARG_SPLIT = Pattern.compile(";;");
|
||||||
|
@ -120,7 +116,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
|
||||||
String rawArgs = getRawConfigArgs();
|
String rawArgs = getRawConfigArgs();
|
||||||
|
|
||||||
if (rawArgs == null || "".equals(rawArgs.trim())) {
|
if (rawArgs == null || "".equals(rawArgs.trim())) {
|
||||||
log.trace("No command-line arguments provided");
|
|
||||||
return Collections.emptyMap();
|
return Collections.emptyMap();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -131,7 +126,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
|
||||||
public void accept(String key, String value) {
|
public void accept(String key, String value) {
|
||||||
key = NS_KEYCLOAK_PREFIX + key.substring(2);
|
key = NS_KEYCLOAK_PREFIX + key.substring(2);
|
||||||
|
|
||||||
log.tracef("Adding property [%s=%s] from command-line", key, value);
|
|
||||||
properties.put(key, value);
|
properties.put(key, value);
|
||||||
|
|
||||||
String mappedPropertyName = getMappedPropertyName(key);
|
String mappedPropertyName = getMappedPropertyName(key);
|
||||||
|
@ -171,7 +165,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
|
||||||
String rawArgs = getRawConfigArgs();
|
String rawArgs = getRawConfigArgs();
|
||||||
|
|
||||||
if (rawArgs == null || "".equals(rawArgs.trim())) {
|
if (rawArgs == null || "".equals(rawArgs.trim())) {
|
||||||
log.trace("No command-line arguments provided");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
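Review bot: With the `log.tracef("Adding property [%s=%s] from command-line", key, value)` call removed from `accept`, nothing at `properties.put(key, value)` records why the value must stay out of the log, so the statement is easy to reintroduce during later debugging. I would add a comment above the `put`, for example `// Never log the value: command-line arguments can carry secrets such as --db-password.` If trace output of the parsed arguments is still wanted, logging only the key keeps that without exposing the value. The bodies of `accept` and of the two methods that read `getRawConfigArgs()` extend beyond these hunks.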
@ -29,6 +29,7 @@ import io.smallrye.config.ConfigValue;
|
||||||
import io.smallrye.config.SmallRyeConfig;
|
import io.smallrye.config.SmallRyeConfig;
|
||||||
import io.smallrye.config.SmallRyeConfigProviderResolver;
|
import io.smallrye.config.SmallRyeConfigProviderResolver;
|
||||||
|
|
||||||
|
import org.eclipse.microprofile.config.spi.ConfigProviderResolver;
|
||||||
import org.eclipse.microprofile.config.spi.ConfigSource;
|
import org.eclipse.microprofile.config.spi.ConfigSource;
|
||||||
import org.keycloak.quarkus.runtime.Environment;
|
import org.keycloak.quarkus.runtime.Environment;
|
||||||
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
|
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
|
||||||
|
@ -39,17 +40,12 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
|
||||||
*/
|
*/
|
||||||
public final class Configuration {
|
public final class Configuration {
|
||||||
|
|
||||||
private static volatile SmallRyeConfig CONFIG;
|
|
||||||
|
|
||||||
private Configuration() {
|
private Configuration() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static synchronized SmallRyeConfig getConfig() {
|
public static synchronized SmallRyeConfig getConfig() {
|
||||||
if (CONFIG == null) {
|
return (SmallRyeConfig) ConfigProviderResolver.instance().getConfig();
|
||||||
CONFIG = (SmallRyeConfig) SmallRyeConfigProviderResolver.instance().getConfig();
|
|
||||||
}
|
|
||||||
return CONFIG;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static Optional<String> getBuildTimeProperty(String name) {
|
public static Optional<String> getBuildTimeProperty(String name) {
|
||||||
|
|
|
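Review bot: `getConfig()` keeps its `synchronized` modifier although the `CONFIG` field it guarded is removed; the method now only delegates to `ConfigProviderResolver.instance().getConfig()`, so the lock serialises every configuration lookup without protecting any state in this class. I would drop the modifier: `public static SmallRyeConfig getConfig() {`. The `SmallRyeConfigProviderResolver` import still appears as context in the first hunk and looks unused after this change, assuming nothing else in the file references it. A short Javadoc line saying that the config is resolved on every call, presumably so that tests see a freshly built config, would explain why the cache was removed.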
@ -63,6 +63,9 @@ public class KeycloakConfigSourceProvider implements ConfigSourceProvider {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Iterable<ConfigSource> getConfigSources(ClassLoader forClassLoader) {
|
public Iterable<ConfigSource> getConfigSources(ClassLoader forClassLoader) {
|
||||||
|
if(Environment.isTestLaunchMode()) {
|
||||||
|
reload();
|
||||||
|
}
|
||||||
return CONFIG_SOURCES;
|
return CONFIG_SOURCES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
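Review bot: `getConfigSources` now calls `reload()` whenever `Environment.isTestLaunchMode()` is true, which puts a test-only branch into the runtime provider and rebuilds the sources on every call in that mode. How test launch mode is detected is not visible here; if it is driven by a system property, a comment should say so, because that property would then also switch a production process to reloading on every lookup. `reload()` presumably reassigns the static `CONFIG_SOURCES`, and nothing in this hunk synchronises that with the `return CONFIG_SOURCES` that follows. At minimum I would add `// test launches re-read the sources so a config file set per test is picked up` above the `if`, and write it as `if (Environment.isTestLaunchMode()) {` to match the file's spacing.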
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2020 Red Hat, Inc. and/or its affiliates
|
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||||
* and other contributors as indicated by the @author tags.
|
* and other contributors as indicated by the @author tags.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package org.keycloak.provider.quarkus;
|
package org.keycloak.quarkus.runtime.configuration.test;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertTrue;
|
import static org.junit.Assert.assertTrue;
|
|
@ -32,6 +32,11 @@
|
||||||
<artifactId>keycloak-quarkus-integration-tests</artifactId>
|
<artifactId>keycloak-quarkus-integration-tests</artifactId>
|
||||||
<packaging>jar</packaging>
|
<packaging>jar</packaging>
|
||||||
|
|
||||||
|
<properties>
|
||||||
|
<kc.quarkus.tests.dist>raw</kc.quarkus.tests.dist>
|
||||||
|
<approvaltests.version>12.3.2</approvaltests.version>
|
||||||
|
</properties>
|
||||||
|
|
||||||
<dependencies>
|
<dependencies>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>org.keycloak</groupId>
|
<groupId>org.keycloak</groupId>
|
||||||
|
@ -64,6 +69,11 @@
|
||||||
<groupId>org.testcontainers</groupId>
|
<groupId>org.testcontainers</groupId>
|
||||||
<artifactId>junit-jupiter</artifactId>
|
<artifactId>junit-jupiter</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>com.approvaltests</groupId>
|
||||||
|
<artifactId>approvaltests</artifactId>
|
||||||
|
<version>${approvaltests.version}</version>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
|
|
||||||
<build>
|
<build>
|
||||||
|
@ -72,12 +82,9 @@
|
||||||
<groupId>org.apache.maven.plugins</groupId>
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
<artifactId>maven-surefire-plugin</artifactId>
|
<artifactId>maven-surefire-plugin</artifactId>
|
||||||
<configuration>
|
<configuration>
|
||||||
<systemProperties>
|
<systemPropertyVariables>
|
||||||
<property>
|
<kc.quarkus.tests.dist>${kc.quarkus.tests.dist}</kc.quarkus.tests.dist>
|
||||||
<name>kc.quarkus.tests.dist</name>
|
</systemPropertyVariables>
|
||||||
<value>${kc.quarkus.tests.dist}</value>
|
|
||||||
</property>
|
|
||||||
</systemProperties>
|
|
||||||
</configuration>
|
</configuration>
|
||||||
</plugin>
|
</plugin>
|
||||||
</plugins>
|
</plugins>
|
||||||
|
|
|
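Review bot: The new `com.approvaltests:approvaltests` dependency carries no `<scope>`, so it resolves at compile scope, and its version is fixed through a module-local `approvaltests.version` property. If the JUnit extension classes that call `Approvals.verify` live in this module's main sources, the compile scope is needed; otherwise `<scope>test</scope>` keeps the library out of anything that depends on this artifact. If the project manages third-party versions in the parent POM's `dependencyManagement` (not visible here), declaring the version there keeps dependency review and vulnerability scanning in one place.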
@ -19,22 +19,14 @@ package org.keycloak.it.junit5.extension;
|
||||||
|
|
||||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
import static org.junit.jupiter.api.Assertions.fail;
|
|
||||||
|
|
||||||
import java.io.ByteArrayOutputStream;
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.io.PrintStream;
|
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import org.approvaltests.Approvals;
|
||||||
import org.keycloak.quarkus.runtime.cli.Picocli;
|
|
||||||
|
|
||||||
import io.quarkus.test.junit.main.LaunchResult;
|
import io.quarkus.test.junit.main.LaunchResult;
|
||||||
import picocli.CommandLine;
|
|
||||||
|
|
||||||
public interface CLIResult extends LaunchResult {
|
public interface CLIResult extends LaunchResult {
|
||||||
|
|
||||||
static Object create(List<String> outputStream, List<String> errStream, int exitCode, boolean distribution) {
|
static Object create(List<String> outputStream, List<String> errStream, int exitCode) {
|
||||||
return new CLIResult() {
|
return new CLIResult() {
|
||||||
@Override
|
@Override
|
||||||
public List<String> getOutputStream() {
|
public List<String> getOutputStream() {
|
||||||
|
@ -50,16 +42,9 @@ public interface CLIResult extends LaunchResult {
|
||||||
public int exitCode() {
|
public int exitCode() {
|
||||||
return exitCode;
|
return exitCode;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean isDistribution() {
|
|
||||||
return distribution;
|
|
||||||
}
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isDistribution();
|
|
||||||
|
|
||||||
default void assertStarted() {
|
default void assertStarted() {
|
||||||
assertFalse(getOutput().contains("The delayed handler's queue was overrun and log record(s) were lost (Did you forget to configure logging?)"), () -> "The standard Output:\n" + getOutput() + "should not contain a warning about log queue overrun.");
|
assertFalse(getOutput().contains("The delayed handler's queue was overrun and log record(s) were lost (Did you forget to configure logging?)"), () -> "The standard Output:\n" + getOutput() + "should not contain a warning about log queue overrun.");
|
||||||
assertTrue(getOutput().contains("Listening on:"), () -> "The standard output:\n" + getOutput() + "does include \"Listening on:\"");
|
assertTrue(getOutput().contains("Listening on:"), () -> "The standard output:\n" + getOutput() + "does include \"Listening on:\"");
|
||||||
|
@ -81,31 +66,10 @@ public interface CLIResult extends LaunchResult {
|
||||||
() -> "The Error Output:\n " + getErrorOutput() + "\ndoesn't contains " + msg);
|
() -> "The Error Output:\n " + getErrorOutput() + "\ndoesn't contains " + msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
default void assertHelp(String command) {
|
default void assertHelp() {
|
||||||
if (command == null) {
|
try {
|
||||||
fail("No command provided");
|
Approvals.verify(getOutput());
|
||||||
}
|
} catch (Exception cause) {
|
||||||
|
|
||||||
CommandLine cmd = Picocli.createCommandLine(Arrays.asList(command, "--help"));
|
|
||||||
|
|
||||||
if (isDistribution()) {
|
|
||||||
cmd.setCommandName("kc.sh");
|
|
||||||
}
|
|
||||||
|
|
||||||
try (
|
|
||||||
ByteArrayOutputStream outStream = new ByteArrayOutputStream();
|
|
||||||
PrintStream printStream = new PrintStream(outStream, true)
|
|
||||||
) {
|
|
||||||
if ("kc.sh".equals(command)) {
|
|
||||||
cmd.usage(printStream);
|
|
||||||
} else {
|
|
||||||
cmd.getSubcommands().get(command).usage(printStream);
|
|
||||||
}
|
|
||||||
|
|
||||||
// not very reliable, we should be comparing the output with some static reference to the help message.
|
|
||||||
assertTrue(getOutput().trim().equals(outStream.toString().trim()),
|
|
||||||
() -> "The Output:\n " + getOutput() + "\ndoesnt't contains " + outStream.toString().trim());
|
|
||||||
} catch (IOException cause) {
|
|
||||||
throw new RuntimeException("Failed to assert help", cause);
|
throw new RuntimeException("Failed to assert help", cause);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
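Review bot: `assertHelp()` wraps `Approvals.verify(getOutput())` in `catch (Exception cause)` and rethrows it as `RuntimeException("Failed to assert help", cause)`, which turns any exception raised during verification into a generic error and hides its original type in the test report. If `Approvals.verify` declares no checked exception in the version used, the try/catch can go and the body becomes the single line `Approvals.verify(getOutput());`. The approved text is compared verbatim and `Environment.getCommand()` returns `kc.bat` on Windows, so if the usage header prints the command name, the same approved file cannot match on both platforms. A Javadoc line on `assertHelp()` naming the platform the approved files were recorded on would make that limit explicit.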
@ -20,10 +20,15 @@ package org.keycloak.it.junit5.extension;
|
||||||
import static org.keycloak.it.junit5.extension.DistributionTest.ReInstall.BEFORE_ALL;
|
import static org.keycloak.it.junit5.extension.DistributionTest.ReInstall.BEFORE_ALL;
|
||||||
import static org.keycloak.it.junit5.extension.DistributionType.RAW;
|
import static org.keycloak.it.junit5.extension.DistributionType.RAW;
|
||||||
import static org.keycloak.quarkus.runtime.Environment.forceTestLaunchMode;
|
import static org.keycloak.quarkus.runtime.Environment.forceTestLaunchMode;
|
||||||
|
import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
|
||||||
|
import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_SHORT_NAME;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import io.quarkus.runtime.configuration.QuarkusConfigFactory;
|
||||||
import org.junit.jupiter.api.extension.ExtensionContext;
|
import org.junit.jupiter.api.extension.ExtensionContext;
|
||||||
import org.junit.jupiter.api.extension.ParameterContext;
|
import org.junit.jupiter.api.extension.ParameterContext;
|
||||||
import org.junit.jupiter.api.extension.ParameterResolutionException;
|
import org.junit.jupiter.api.extension.ParameterResolutionException;
|
||||||
|
@ -35,17 +40,29 @@ import org.keycloak.quarkus.runtime.cli.command.StartDev;
|
||||||
import io.quarkus.test.junit.QuarkusMainTestExtension;
|
import io.quarkus.test.junit.QuarkusMainTestExtension;
|
||||||
import io.quarkus.test.junit.main.Launch;
|
import io.quarkus.test.junit.main.Launch;
|
||||||
import io.quarkus.test.junit.main.LaunchResult;
|
import io.quarkus.test.junit.main.LaunchResult;
|
||||||
|
import org.keycloak.quarkus.runtime.configuration.KeycloakPropertiesConfigSource;
|
||||||
|
|
||||||
public class CLITestExtension extends QuarkusMainTestExtension {
|
public class CLITestExtension extends QuarkusMainTestExtension {
|
||||||
|
|
||||||
|
private static final String KEY_VALUE_SEPARATOR = "[= ]";
|
||||||
private KeycloakDistribution dist;
|
private KeycloakDistribution dist;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void beforeEach(ExtensionContext context) throws Exception {
|
public void beforeEach(ExtensionContext context) throws Exception {
|
||||||
DistributionTest distConfig = getDistributionConfig(context);
|
DistributionTest distConfig = getDistributionConfig(context);
|
||||||
|
Launch launch = context.getRequiredTestMethod().getAnnotation(Launch.class);
|
||||||
|
|
||||||
|
if (launch != null) {
|
||||||
|
for (String arg : launch.value()) {
|
||||||
|
if (arg.contains(CONFIG_FILE_SHORT_NAME) || arg.contains(CONFIG_FILE_LONG_NAME)) {
|
||||||
|
Pattern kvSeparator = Pattern.compile(KEY_VALUE_SEPARATOR);
|
||||||
|
String[] cfKeyValue = kvSeparator.split(arg);
|
||||||
|
System.setProperty(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP, cfKeyValue[1]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (distConfig != null) {
|
if (distConfig != null) {
|
||||||
Launch launch = context.getRequiredTestMethod().getAnnotation(Launch.class);
|
|
||||||
|
|
||||||
if (launch != null) {
|
if (launch != null) {
|
||||||
if (dist == null) {
|
if (dist == null) {
|
||||||
|
@ -70,19 +87,15 @@ public class CLITestExtension extends QuarkusMainTestExtension {
|
||||||
}
|
}
|
||||||
|
|
||||||
super.afterEach(context);
|
super.afterEach(context);
|
||||||
|
reset();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
private void reset() {
|
||||||
public void afterAll(ExtensionContext context) throws Exception {
|
QuarkusConfigFactory.setConfig(null);
|
||||||
if (dist != null) {
|
//remove the config file property if set, and also the profile, to not have side effects in other tests.
|
||||||
// just to make sure the server is stopped after all tests
|
System.getProperties().remove(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP);
|
||||||
dist.stop();
|
System.getProperties().remove(Environment.PROFILE);
|
||||||
}
|
System.getProperties().remove("quarkus.profile");
|
||||||
super.afterAll(context);
|
|
||||||
}
|
|
||||||
|
|
||||||
private KeycloakDistribution createDistribution(DistributionTest config) {
|
|
||||||
return DistributionType.getCurrent().orElse(RAW).newInstance(config);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -100,6 +113,19 @@ public class CLITestExtension extends QuarkusMainTestExtension {
|
||||||
super.beforeAll(context);
|
super.beforeAll(context);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void afterAll(ExtensionContext context) throws Exception {
|
||||||
|
if (dist != null) {
|
||||||
|
// just to make sure the server is stopped after all tests
|
||||||
|
dist.stop();
|
||||||
|
}
|
||||||
|
super.afterAll(context);
|
||||||
|
}
|
||||||
|
|
||||||
|
private KeycloakDistribution createDistribution(DistributionTest config) {
|
||||||
|
return DistributionType.getCurrent().orElse(RAW).newInstance(config);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Object resolveParameter(ParameterContext parameterContext, ExtensionContext context)
|
public Object resolveParameter(ParameterContext parameterContext, ExtensionContext context)
|
||||||
throws ParameterResolutionException {
|
throws ParameterResolutionException {
|
||||||
|
@ -123,10 +149,10 @@ public class CLITestExtension extends QuarkusMainTestExtension {
|
||||||
exitCode = result.exitCode();
|
exitCode = result.exitCode();
|
||||||
}
|
}
|
||||||
|
|
||||||
return CLIResult.create(outputStream, errStream, exitCode, isDistribution);
|
return CLIResult.create(outputStream, errStream, exitCode);
|
||||||
}
|
}
|
||||||
|
|
||||||
// for now, not support for manual launching using QuarkusMainLauncher
|
// for now, no support for manual launching using QuarkusMainLauncher
|
||||||
throw new RuntimeException("Parameter type [" + type + "] not supported");
|
throw new RuntimeException("Parameter type [" + type + "] not supported");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
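Review bot: The config-file detection added to `beforeEach` matches with `arg.contains(CONFIG_FILE_SHORT_NAME)`, so any launch argument that merely contains `-cf` (inside a path or URL value, for instance) is treated as the option, and `cfKeyValue[1]` throws `ArrayIndexOutOfBoundsException` when the option is given without an inline value. Splitting without a limit also cuts a path at its first space or at a second `=`, so the system property can end up pointing at a different file than the one the test names. Comparing the option name exactly and splitting with a limit of 2 avoids all three; the excerpt below keeps the `[= ]` separator and drops the per-argument `Pattern.compile`. `beforeEach` continues outside this hunk.

```java
for (String arg : launch.value()) {
    // limit 2: everything after the first separator is the path
    String[] cfKeyValue = arg.split(KEY_VALUE_SEPARATOR, 2);
    boolean isConfigFileOption = CONFIG_FILE_SHORT_NAME.equals(cfKeyValue[0])
            || CONFIG_FILE_LONG_NAME.equals(cfKeyValue[0]);

    if (isConfigFileOption && cfKeyValue.length == 2) {
        System.setProperty(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP, cfKeyValue[1]);
    }
}
// … unchanged: distribution setup in beforeEach …
```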
@ -22,10 +22,11 @@ import java.lang.annotation.Retention;
|
||||||
import java.lang.annotation.RetentionPolicy;
|
import java.lang.annotation.RetentionPolicy;
|
||||||
import java.lang.annotation.Target;
|
import java.lang.annotation.Target;
|
||||||
import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
|
import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
|
||||||
import org.junit.jupiter.api.extension.ExtendWith;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* {@link RawDistOnly} is used to signal that the annotated tests class is only enabled when running tests using the {@link DistributionType#RAW}.
|
* {@link RawDistOnly} is used to signal that the annotated test class
|
||||||
|
* is only enabled when running tests using the {@link DistributionType#RAW}
|
||||||
|
* or running tests in whitebox mode in the same jvm using {@link CLITest}
|
||||||
*/
|
*/
|
||||||
@Target(ElementType.TYPE)
|
@Target(ElementType.TYPE)
|
||||||
@Retention(RetentionPolicy.RUNTIME)
|
@Retention(RetentionPolicy.RUNTIME)
|
||||||
|
|
|
@ -43,15 +43,12 @@ import javax.net.ssl.SSLSocketFactory;
|
||||||
import javax.net.ssl.TrustManager;
|
import javax.net.ssl.TrustManager;
|
||||||
import javax.net.ssl.X509TrustManager;
|
import javax.net.ssl.X509TrustManager;
|
||||||
import org.apache.commons.io.FileUtils;
|
import org.apache.commons.io.FileUtils;
|
||||||
import org.jboss.logging.Logger;
|
|
||||||
|
|
||||||
import io.quarkus.bootstrap.util.ZipUtils;
|
import io.quarkus.bootstrap.util.ZipUtils;
|
||||||
import org.keycloak.common.Version;
|
import org.keycloak.common.Version;
|
||||||
|
|
||||||
public final class RawKeycloakDistribution implements KeycloakDistribution {
|
public final class RawKeycloakDistribution implements KeycloakDistribution {
|
||||||
|
|
||||||
private static final Logger LOGGER = Logger.getLogger(RawKeycloakDistribution.class);
|
|
||||||
|
|
||||||
private Process keycloak;
|
private Process keycloak;
|
||||||
private int exitCode = -1;
|
private int exitCode = -1;
|
||||||
private final Path distPath;
|
private final Path distPath;
|
||||||
|
@ -164,7 +161,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
|
||||||
connection.connect();
|
connection.connect();
|
||||||
|
|
||||||
if (connection.getResponseCode() == 200) {
|
if (connection.getResponseCode() == 200) {
|
||||||
LOGGER.infof("Keycloak is ready at %s", contextRoot);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
} catch (Exception ignore) {
|
} catch (Exception ignore) {
|
||||||
|
|
|
@ -17,14 +17,15 @@
|
||||||
|
|
||||||
package org.keycloak.it.cli;
|
package org.keycloak.it.cli;
|
||||||
|
|
||||||
import org.junit.jupiter.api.Assertions;
|
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.keycloak.it.junit5.extension.CLIResult;
|
import org.keycloak.it.junit5.extension.CLIResult;
|
||||||
import org.keycloak.it.junit5.extension.CLITest;
|
import org.keycloak.it.junit5.extension.CLITest;
|
||||||
import org.keycloak.quarkus.runtime.cli.command.Main;
|
import org.keycloak.quarkus.runtime.cli.command.Build;
|
||||||
|
|
||||||
import io.quarkus.test.junit.main.Launch;
|
import io.quarkus.test.junit.main.Launch;
|
||||||
import io.quarkus.test.junit.main.LaunchResult;
|
import io.quarkus.test.junit.main.LaunchResult;
|
||||||
|
import org.keycloak.quarkus.runtime.cli.command.Start;
|
||||||
|
import org.keycloak.quarkus.runtime.cli.command.StartDev;
|
||||||
|
|
||||||
@CLITest
|
@CLITest
|
||||||
public class HelpCommandTest {
|
public class HelpCommandTest {
|
||||||
|
@ -33,34 +34,56 @@ public class HelpCommandTest {
|
||||||
@Launch({})
|
@Launch({})
|
||||||
void testDefaultToHelp(LaunchResult result) {
|
void testDefaultToHelp(LaunchResult result) {
|
||||||
CLIResult cliResult = (CLIResult) result;
|
CLIResult cliResult = (CLIResult) result;
|
||||||
cliResult.assertHelp("kc.sh");
|
cliResult.assertHelp();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Launch({ "--help" })
|
@Launch({ "--help" })
|
||||||
void testHelpCommand(LaunchResult result) {
|
void testHelp(LaunchResult result) {
|
||||||
CLIResult cliResult = (CLIResult) result;
|
CLIResult cliResult = (CLIResult) result;
|
||||||
cliResult.assertHelp("kc.sh");
|
cliResult.assertHelp();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Launch({ "start", "--help" })
|
@Launch({ "-h" })
|
||||||
void testStartHelpCommand(LaunchResult result) {
|
void testHelpShort(LaunchResult result) {
|
||||||
CLIResult cliResult = (CLIResult) result;
|
CLIResult cliResult = (CLIResult) result;
|
||||||
cliResult.assertHelp("start");
|
cliResult.assertHelp();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Launch({ "start-dev", "--help" })
|
@Launch({ Start.NAME, "--help" })
|
||||||
void testStartDevCommand(LaunchResult result) {
|
void testStartHelp(LaunchResult result) {
|
||||||
CLIResult cliResult = (CLIResult) result;
|
CLIResult cliResult = (CLIResult) result;
|
||||||
cliResult.assertHelp("start-dev");
|
cliResult.assertHelp();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Launch({ "build", "--help" })
|
@Launch({ StartDev.NAME, "--help" })
|
||||||
void testBuildCommand(LaunchResult result) {
|
void testStartDevHelp(LaunchResult result) {
|
||||||
CLIResult cliResult = (CLIResult) result;
|
CLIResult cliResult = (CLIResult) result;
|
||||||
cliResult.assertHelp("build");
|
cliResult.assertHelp();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@Launch({ StartDev.NAME, "--help-all" })
|
||||||
|
void testStartDevHelpAll(LaunchResult result) {
|
||||||
|
CLIResult cliResult = (CLIResult) result;
|
||||||
|
cliResult.assertHelp();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@Launch({ Build.NAME, "--help" })
|
||||||
|
void testBuildHelp(LaunchResult result) {
|
||||||
|
CLIResult cliResult = (CLIResult) result;
|
||||||
|
cliResult.assertHelp();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@Launch({ Build.NAME, "--help-all" })
|
||||||
|
void testBuildHelpAll(LaunchResult result) {
|
||||||
|
CLIResult cliResult = (CLIResult) result;
|
||||||
|
cliResult.assertHelp();
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
package org.keycloak.it.cli;
|
||||||
|
|
||||||
|
import org.keycloak.it.junit5.extension.CLITestExtension;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Used to specify the output directory for the received / to-be-approved outputs of this packages tests.
|
||||||
|
* In our case they should be stored under resources/clitest/approvals or resources/rawdist/approvals depending
|
||||||
|
* on the runtype of the tests (@DistributionTest in Raw mode, or @CLITest, leading to either using "kc.sh"
|
||||||
|
* or "java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar" as command in the usage output).
|
||||||
|
*
|
||||||
|
* Note: Creates the directories if they don't exist yet.
|
||||||
|
* **/
|
||||||
|
public class PackageSettings {
|
||||||
|
|
||||||
|
public String UseApprovalSubdirectory = "approvals/cli/help";
|
||||||
|
public String ApprovalBaseDirectory = "../resources";
|
||||||
|
}
|
|
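Review bot: The class comment says approved files are stored under `resources/clitest/approvals` or `resources/rawdist/approvals` depending on the run type, but the two fields hard-code `approvals/cli/help` below `../resources`, so the comment and the code describe different locations. Since `HelpCommandDistTest` extends `HelpCommandTest`, both run types appear to verify against the same approved file; if their usage output really differs in the command name, as the comment states, one of the two will fail. I would either correct the comment to the actual path or make the subdirectory depend on the run type. The `CLITestExtension` import is unused in the visible class, and a comment noting that the field names are dictated by ApprovalTests would stop them being renamed to lowerCamelCase.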
@ -23,19 +23,23 @@ import org.keycloak.it.junit5.extension.CLITest;
|
||||||
|
|
||||||
import io.quarkus.test.junit.main.Launch;
|
import io.quarkus.test.junit.main.Launch;
|
||||||
import io.quarkus.test.junit.main.LaunchResult;
|
import io.quarkus.test.junit.main.LaunchResult;
|
||||||
|
import org.keycloak.quarkus.runtime.cli.command.ShowConfig;
|
||||||
|
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
|
||||||
|
|
||||||
|
import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
|
||||||
|
|
||||||
@CLITest
|
@CLITest
|
||||||
class ShowConfigCommandTest {
|
public class ShowConfigCommandTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Launch({ "show-config" })
|
@Launch({ ShowConfig.NAME })
|
||||||
void testShowConfigCommandShowsRuntimeConfig(LaunchResult result) {
|
void testShowConfigCommandShowsRuntimeConfig(LaunchResult result) {
|
||||||
Assertions.assertTrue(result.getOutput()
|
Assertions.assertTrue(result.getOutput()
|
||||||
.contains("Runtime Configuration"));
|
.contains("Runtime Configuration"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Launch({ "show-config", "all" })
|
@Launch({ ShowConfig.NAME, "all" })
|
||||||
void testShowConfigCommandWithAllShowsAllProfiles(LaunchResult result) {
|
void testShowConfigCommandWithAllShowsAllProfiles(LaunchResult result) {
|
||||||
Assertions.assertTrue(result.getOutput()
|
Assertions.assertTrue(result.getOutput()
|
||||||
.contains("Runtime Configuration"));
|
.contains("Runtime Configuration"));
|
||||||
|
@ -44,4 +48,17 @@ class ShowConfigCommandTest {
|
||||||
Assertions.assertTrue(result.getOutput()
|
Assertions.assertTrue(result.getOutput()
|
||||||
.contains("Profile \"import_export\" Configuration"));
|
.contains("Profile \"import_export\" Configuration"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@Launch({ CONFIG_FILE_LONG_NAME+"=src/test/resources/ShowConfigCommandTest/keycloak.properties", ShowConfig.NAME, "all" })
|
||||||
|
void testShowConfigCommandHidesCredentialsInProfiles(LaunchResult result) {
|
||||||
|
String output = result.getOutput();
|
||||||
|
Assertions.assertFalse(output.contains("testpw1"));
|
||||||
|
Assertions.assertFalse(output.contains("testpw2"));
|
||||||
|
Assertions.assertFalse(output.contains("testpw3"));
|
||||||
|
Assertions.assertTrue(output.contains("kc.db.password = " + PropertyMappers.VALUE_MASK));
|
||||||
|
Assertions.assertTrue(output.contains("%dev.kc.db.password = " + PropertyMappers.VALUE_MASK));
|
||||||
|
Assertions.assertTrue(output.contains("%dev.kc.https.key-store.password = " + PropertyMappers.VALUE_MASK));
|
||||||
|
Assertions.assertTrue(output.contains("%import_export.kc.db.password = " + PropertyMappers.VALUE_MASK));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
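Review bot: `testShowConfigCommandHidesCredentialsInProfiles` checks only `result.getOutput()`, so a password written to standard error would still pass. I would repeat the negative assertions on the error stream, e.g. `Assertions.assertFalse(result.getErrorOutput().contains("testpw1"));` for each of the three values. The test covers credentials that come from the properties file only; a case that passes a password as a command-line option would pin the removal of the trace logging in `ConfigArgsConfigSource`, unless one of the files not shown here already does. The expected values depend on `src/test/resources/ShowConfigCommandTest/keycloak.properties`, which is outside this view.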
@ -19,7 +19,9 @@ package org.keycloak.it.cli.dist;
|
||||||
|
|
||||||
import org.keycloak.it.cli.HelpCommandTest;
|
import org.keycloak.it.cli.HelpCommandTest;
|
||||||
import org.keycloak.it.junit5.extension.DistributionTest;
|
import org.keycloak.it.junit5.extension.DistributionTest;
|
||||||
|
import org.keycloak.it.junit5.extension.RawDistOnly;
|
||||||
|
|
||||||
@DistributionTest
|
@DistributionTest
|
||||||
|
@RawDistOnly(reason = "Verifying the help message output doesn't need long spin-up of docker dist tests.")
|
||||||
public class HelpCommandDistTest extends HelpCommandTest {
|
public class HelpCommandDistTest extends HelpCommandTest {
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,10 +22,12 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
|
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.keycloak.it.cli.StartCommandTest;
|
import org.keycloak.it.cli.StartCommandTest;
|
||||||
|
import org.keycloak.it.junit5.extension.CLIResult;
|
||||||
import org.keycloak.it.junit5.extension.DistributionTest;
|
import org.keycloak.it.junit5.extension.DistributionTest;
|
||||||
|
|
||||||
import io.quarkus.test.junit.main.Launch;
|
import io.quarkus.test.junit.main.Launch;
|
||||||
import io.quarkus.test.junit.main.LaunchResult;
|
import io.quarkus.test.junit.main.LaunchResult;
|
||||||
|
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
|
||||||
|
|
||||||
@DistributionTest
|
@DistributionTest
|
||||||
public class StartCommandDistTest extends StartCommandTest {
|
public class StartCommandDistTest extends StartCommandTest {
|
||||||
|
@ -44,4 +46,12 @@ public class StartCommandDistTest extends StartCommandTest {
|
||||||
assertTrue(result.getErrorOutput().contains("ERROR: Strict hostname resolution configured but no hostname was set"),
|
assertTrue(result.getErrorOutput().contains("ERROR: Strict hostname resolution configured but no hostname was set"),
|
||||||
() -> "The Output:\n" + result.getOutput() + "doesn't contains the expected string.");
|
() -> "The Output:\n" + result.getOutput() + "doesn't contains the expected string.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@Launch({ "start", "--auto-build", "--db-password=secret", "--https-key-store-password=secret"})
|
||||||
|
void testStartWithAutoBuildDoesntShowCredentialsInConsole(LaunchResult result) {
|
||||||
|
CLIResult cliResult = (CLIResult) result;
|
||||||
|
assertTrue(cliResult.getOutput().contains("--db-password=" + PropertyMappers.VALUE_MASK));
|
||||||
|
assertTrue(cliResult.getOutput().contains("--https-key-store-password=" + PropertyMappers.VALUE_MASK));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
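Review bot: testStartWithAutoBuildDoesntShowCredentialsInConsole asserts only that the masked form of each option is printed and never that the raw value is absent, so output containing both the mask and the plaintext password would still pass. Both options use the same value `secret`, and only `getOutput()` is inspected even though the test just above reads `getErrorOutput()`. I would give each option its own distinctive value (for example the constructed sample `--db-password=dbpw-under-test`) and add negative checks on both streams, e.g. `assertFalse(result.getOutput().contains("dbpw-under-test"));` and the same against `result.getErrorOutput()`; this needs a static import of `assertFalse`. The `(CLIResult)` cast looks unnecessary, since both accessors are already called on the `LaunchResult` parameter elsewhere in these tests.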
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
# Default and non-production grade database vendor
|
||||||
|
db=h2-file
|
||||||
|
db.username = sa
|
||||||
|
db.password = keycloak
|
||||||
|
|
||||||
|
# Insecure requests are disabled by default
|
||||||
|
http.enabled=false
|
||||||
|
|
||||||
|
# Metrics and healthcheck are disabled by default
|
||||||
|
metrics.enabled=false
|
||||||
|
|
||||||
|
# Basic settings for running in production. Change accordingly before deploying the server.
|
||||||
|
# Database
|
||||||
|
#%prod.db=postgres
|
||||||
|
#%prod.db.username=keycloak
|
||||||
|
#%prod.db.password=password
|
||||||
|
#%prod.db.url=jdbc:postgresql://localhost/keycloak
|
||||||
|
# Observability
|
||||||
|
#%prod.metrics.enabled=true
|
||||||
|
# HTTP
|
||||||
|
#%prod.spi.hostname.frontend-url=https://localhost:8443
|
||||||
|
#%prod.https.certificate.file=${kc.home.dir}conf/server.crt.pem
|
||||||
|
#%prod.https.certificate.key-file=${kc.home.dir}conf/server.key.pem
|
||||||
|
#%prod.proxy=reencrypt
|
||||||
|
#%prod.hostname=myhostname
|
||||||
|
|
||||||
|
# Default, and insecure, and non-production grade configuration for the development profile
|
||||||
|
%dev.http.enabled=true
|
||||||
|
%dev.hostname.strict=false
|
||||||
|
%dev.db.password=testpw1
|
||||||
|
%dev.hostname.strict-https=false
|
||||||
|
%dev.cluster=local
|
||||||
|
%dev.spi.theme.cache-themes=false
|
||||||
|
%dev.spi.theme.cache-templates=false
|
||||||
|
%dev.spi.theme.static-max-age=-1
|
||||||
|
%dev.https.key-store.password=testpw2
|
||||||
|
|
||||||
|
# The default configuration when running in import or export mode
|
||||||
|
%import_export.http.enabled=true
|
||||||
|
%import_export.db.password=testpw3
|
||||||
|
%import_export.hostname.strict=false
|
||||||
|
%import_export.hostname.strict-https=false
|
||||||
|
%import_export.cluster=local
|
||||||
|
|
||||||
|
# Logging configuration. INFO is the default level for most of the categories
|
||||||
|
#quarkus.log.level = DEBUG
|
||||||
|
quarkus.log.category."org.jboss.resteasy.resteasy_jaxrs.i18n".level=WARN
|
||||||
|
quarkus.log.category."org.infinispan.transaction.lookup.JBossStandaloneJTAManagerLookup".level=WARN
|
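Review bot: The unprofiled `db.password = keycloak` entry cannot be covered by a negative assertion, because the string "keycloak" appears throughout the CLI output. As a result testShowConfigCommandHidesCredentialsInProfiles checks absence only for `testpw1`, `testpw2` and `testpw3`, and relies on the mask assertion alone for the default profile. Giving the default entry a distinctive value, e.g. `db.password = testpw0` (constructed sample), would let the test also assert that the base-profile password never reaches the output. A header comment such as `# Test fixture for ShowConfigCommandTest: password values are dummies the test searches for` would make clear that these are not real credentials.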
|
@ -0,0 +1,136 @@
|
||||||
|
Creates a new and optimized server image.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh build [OPTIONS]
|
||||||
|
|
||||||
|
Creates a new and optimized server image based on the configuration options
|
||||||
|
passed to this command. Once created, the configuration will be persisted and
|
||||||
|
read during startup without having to pass them over again.
|
||||||
|
|
||||||
|
Some configuration options require this command to be executed in order to
|
||||||
|
actually change a configuration. For instance
|
||||||
|
|
||||||
|
- Change database vendor
|
||||||
|
- Enable/disable features
|
||||||
|
- Enable/Disable providers or set a default
|
||||||
|
|
||||||
|
Consider running this command before running the server in production for an
|
||||||
|
optimal runtime.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-h, --help This help message.
|
||||||
|
--help-all This same help message but with additional options.
|
||||||
|
|
||||||
|
Cluster:
|
||||||
|
|
||||||
|
--cache <type> Defines the cache mechanism for high-availability. By default, a 'ispn' cache
|
||||||
|
is used to create a cluster between multiple server nodes. A 'local' cache
|
||||||
|
disables clustering and is intended for development and testing purposes.
|
||||||
|
Default: ispn.
|
||||||
|
--cache-config-file <file>
|
||||||
|
Defines the file from which cache configuration should be loaded from.
|
||||||
|
--cache-stack <stack>
|
||||||
|
Define the default stack to use for cluster communication and node discovery.
|
||||||
|
This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
|
||||||
|
|
||||||
|
Database:
|
||||||
|
|
||||||
|
--db <vendor> The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
|
||||||
|
mssql-2012, mysql, oracle, postgres, postgres-95
|
||||||
|
|
||||||
|
Feature:
|
||||||
|
|
||||||
|
--features-account2 <enabled|disabled>
|
||||||
|
Enables the ACCOUNT2 feature.
|
||||||
|
--features-account_api <enabled|disabled>
|
||||||
|
Enables the ACCOUNT_API feature.
|
||||||
|
--features-admin2 <enabled|disabled>
|
||||||
|
Enables the ADMIN2 feature.
|
||||||
|
--features-admin_fine_grained_authz <enabled|disabled>
|
||||||
|
Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
|
||||||
|
--features-authorization <enabled|disabled>
|
||||||
|
Enables the AUTHORIZATION feature.
|
||||||
|
--features-ciba <enabled|disabled>
|
||||||
|
Enables the CIBA feature.
|
||||||
|
--features-client_policies <enabled|disabled>
|
||||||
|
Enables the CLIENT_POLICIES feature.
|
||||||
|
--features-declarative_user_profile <enabled|disabled>
|
||||||
|
Enables the DECLARATIVE_USER_PROFILE feature.
|
||||||
|
--features-docker <enabled|disabled>
|
||||||
|
Enables the DOCKER feature.
|
||||||
|
--features-impersonation <enabled|disabled>
|
||||||
|
Enables the IMPERSONATION feature.
|
||||||
|
--features-map_storage <enabled|disabled>
|
||||||
|
Enables the MAP_STORAGE feature.
|
||||||
|
--features-openshift_integration <enabled|disabled>
|
||||||
|
Enables the OPENSHIFT_INTEGRATION feature.
|
||||||
|
--features-par <enabled|disabled>
|
||||||
|
Enables the PAR feature.
|
||||||
|
--features-scripts <enabled|disabled>
|
||||||
|
Enables the SCRIPTS feature.
|
||||||
|
--features-token_exchange <enabled|disabled>
|
||||||
|
Enables the TOKEN_EXCHANGE feature.
|
||||||
|
--features-upload_scripts <enabled|disabled>
|
||||||
|
Enables the UPLOAD_SCRIPTS feature.
|
||||||
|
--features-web_authn <enabled|disabled>
|
||||||
|
Enables the WEB_AUTHN feature.
|
||||||
|
-ft, --features <preview>
|
||||||
|
Enables all tech preview features.
|
||||||
|
|
||||||
|
HTTP/TLS:
|
||||||
|
|
||||||
|
--http-relative-path <path>
|
||||||
|
Set the path relative to '/' for serving resources. Default: /.
|
||||||
|
|
||||||
|
Metrics:
|
||||||
|
|
||||||
|
--metrics-enabled <true|false>
|
||||||
|
If the server should expose metrics and healthcheck. If enabled, metrics are
|
||||||
|
available at the '/metrics' endpoint and healthcheck at the '/health'
|
||||||
|
endpoint. Default: false.
|
||||||
|
|
||||||
|
Vault:
|
||||||
|
|
||||||
|
--vault-file-path <dir>
|
||||||
|
If set, secrets can be obtained by reading the content of files within the
|
||||||
|
given path.
|
||||||
|
--vault-hashicorp-paths <paths>
|
||||||
|
A set of one or more paths that should be used when looking up secrets.
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
Optimize the server based on a profile configuration:
|
||||||
|
|
||||||
|
$ kc.sh --profile=prod build
|
||||||
|
|
||||||
|
Change database settings:
|
||||||
|
|
||||||
|
$ kc.sh build --db=postgres [--db-url][--db-username][--db-password]
|
||||||
|
|
||||||
|
Enable a feature:
|
||||||
|
|
||||||
|
$ kc.sh build --features-<feature_name>=[enabled|disabled]
|
||||||
|
|
||||||
|
Or alternatively, enable all tech preview features:
|
||||||
|
|
||||||
|
$ kc.sh build --features=preview
|
||||||
|
|
||||||
|
Enable metrics:
|
||||||
|
|
||||||
|
$ kc.sh build --metrics-enabled=true
|
||||||
|
|
||||||
|
Change the relative path:
|
||||||
|
|
||||||
|
$ kc.sh build --http-relative-path=/auth
|
||||||
|
|
||||||
|
You can also use the "--auto-build" option when starting the server to avoid
|
||||||
|
running this command every time you change a configuration:
|
||||||
|
|
||||||
|
$ kc.sh start --auto-build <OPTIONS>
|
||||||
|
|
||||||
|
By doing that you have an additional overhead when the server is starting.
|
||||||
|
|
||||||
|
Use 'kc.sh build --help-all' to list all available options, including the start
|
||||||
|
options.
|
|
@ -0,0 +1,213 @@
|
||||||
|
Creates a new and optimized server image.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh build [OPTIONS]
|
||||||
|
|
||||||
|
Creates a new and optimized server image based on the configuration options
|
||||||
|
passed to this command. Once created, the configuration will be persisted and
|
||||||
|
read during startup without having to pass them over again.
|
||||||
|
|
||||||
|
Some configuration options require this command to be executed in order to
|
||||||
|
actually change a configuration. For instance
|
||||||
|
|
||||||
|
- Change database vendor
|
||||||
|
- Enable/disable features
|
||||||
|
- Enable/Disable providers or set a default
|
||||||
|
|
||||||
|
Consider running this command before running the server in production for an
|
||||||
|
optimal runtime.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-h, --help This help message.
|
||||||
|
--help-all This same help message but with additional options.
|
||||||
|
|
||||||
|
Cluster:
|
||||||
|
|
||||||
|
--cache <type> Defines the cache mechanism for high-availability. By default, a 'ispn' cache
|
||||||
|
is used to create a cluster between multiple server nodes. A 'local' cache
|
||||||
|
disables clustering and is intended for development and testing purposes.
|
||||||
|
Default: ispn.
|
||||||
|
--cache-config-file <file>
|
||||||
|
Defines the file from which cache configuration should be loaded from.
|
||||||
|
--cache-stack <stack>
|
||||||
|
Define the default stack to use for cluster communication and node discovery.
|
||||||
|
This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
|
||||||
|
|
||||||
|
Database:
|
||||||
|
|
||||||
|
--db <vendor> The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
|
||||||
|
mssql-2012, mysql, oracle, postgres, postgres-95
|
||||||
|
--db-password <password>
|
||||||
|
The password of the database user.
|
||||||
|
--db-pool-initial-size <size>
|
||||||
|
The initial size of the connection pool.
|
||||||
|
--db-pool-max-size <size>
|
||||||
|
The maximum size of the connection pool. Default: 100.
|
||||||
|
--db-pool-min-size <size>
|
||||||
|
The minimal size of the connection pool.
|
||||||
|
--db-schema <schema> The database schema to be used.
|
||||||
|
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||||
|
selected database vendor. For instance, if using 'postgres', the default
|
||||||
|
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||||
|
--db-url-database <dbname>
|
||||||
|
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-host <hostname>
|
||||||
|
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-properties <properties>
|
||||||
|
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-username <username>
|
||||||
|
The username of the database user.
|
||||||
|
|
||||||
|
Feature:
|
||||||
|
|
||||||
|
--features-account2 <enabled|disabled>
|
||||||
|
Enables the ACCOUNT2 feature.
|
||||||
|
--features-account_api <enabled|disabled>
|
||||||
|
Enables the ACCOUNT_API feature.
|
||||||
|
--features-admin2 <enabled|disabled>
|
||||||
|
Enables the ADMIN2 feature.
|
||||||
|
--features-admin_fine_grained_authz <enabled|disabled>
|
||||||
|
Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
|
||||||
|
--features-authorization <enabled|disabled>
|
||||||
|
Enables the AUTHORIZATION feature.
|
||||||
|
--features-ciba <enabled|disabled>
|
||||||
|
Enables the CIBA feature.
|
||||||
|
--features-client_policies <enabled|disabled>
|
||||||
|
Enables the CLIENT_POLICIES feature.
|
||||||
|
--features-declarative_user_profile <enabled|disabled>
|
||||||
|
Enables the DECLARATIVE_USER_PROFILE feature.
|
||||||
|
--features-docker <enabled|disabled>
|
||||||
|
Enables the DOCKER feature.
|
||||||
|
--features-impersonation <enabled|disabled>
|
||||||
|
Enables the IMPERSONATION feature.
|
||||||
|
--features-map_storage <enabled|disabled>
|
||||||
|
Enables the MAP_STORAGE feature.
|
||||||
|
--features-openshift_integration <enabled|disabled>
|
||||||
|
Enables the OPENSHIFT_INTEGRATION feature.
|
||||||
|
--features-par <enabled|disabled>
|
||||||
|
Enables the PAR feature.
|
||||||
|
--features-scripts <enabled|disabled>
|
||||||
|
Enables the SCRIPTS feature.
|
||||||
|
--features-token_exchange <enabled|disabled>
|
||||||
|
Enables the TOKEN_EXCHANGE feature.
|
||||||
|
--features-upload_scripts <enabled|disabled>
|
||||||
|
Enables the UPLOAD_SCRIPTS feature.
|
||||||
|
--features-web_authn <enabled|disabled>
|
||||||
|
Enables the WEB_AUTHN feature.
|
||||||
|
-ft, --features <preview>
|
||||||
|
Enables all tech preview features.
|
||||||
|
|
||||||
|
Hostname:
|
||||||
|
|
||||||
|
--hostname <hostname>
|
||||||
|
Hostname for the Keycloak server.
|
||||||
|
--hostname-admin <url>
|
||||||
|
Overrides the hostname for the admin console and APIs.
|
||||||
|
--hostname-path <path>
|
||||||
|
This should be set if proxy uses a different context-path for Keycloak.
|
||||||
|
--hostname-strict <true|false>
|
||||||
|
Disables dynamically resolving the hostname from request headers. Should
|
||||||
|
always be set to true in production, unless proxy verifies the Host header.
|
||||||
|
Default: true.
|
||||||
|
--hostname-strict-backchannel <true|false>
|
||||||
|
By default backchannel URLs are dynamically resolved from request headers to
|
||||||
|
allow internal an external applications. If all applications use the public
|
||||||
|
URL this option should be enabled. Default: false.
|
||||||
|
|
||||||
|
HTTP/TLS:
|
||||||
|
|
||||||
|
--http-enabled <true|false>
|
||||||
|
Enables the HTTP listener. Default: false.
|
||||||
|
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||||
|
--http-port <port> The used HTTP port. Default: 8080.
|
||||||
|
--http-relative-path <path>
|
||||||
|
Set the path relative to '/' for serving resources. Default: /.
|
||||||
|
--https-certificate-file <file>
|
||||||
|
The file path to a server certificate or certificate chain in PEM format.
|
||||||
|
--https-certificate-key-file <file>
|
||||||
|
The file path to a private key in PEM format.
|
||||||
|
--https-cipher-suites <ciphers>
|
||||||
|
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||||
|
--https-client-auth <auth>
|
||||||
|
Configures the server to require/request client authentication. Possible
|
||||||
|
Values: none, request, required. Default: none.
|
||||||
|
--https-key-store-file <file>
|
||||||
|
The key store which holds the certificate information instead of specifying
|
||||||
|
separate files.
|
||||||
|
--https-key-store-password <password>
|
||||||
|
The password of the key store file. Default: password.
|
||||||
|
--https-key-store-type <type>
|
||||||
|
The type of the key store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
|
--https-protocols <protocols>
|
||||||
|
The list of protocols to explicitly enable.
|
||||||
|
--https-trust-store-file <file>
|
||||||
|
The trust store which holds the certificate information of the certificates to
|
||||||
|
trust.
|
||||||
|
--https-trust-store-password <password>
|
||||||
|
The password of the trust store file.
|
||||||
|
--https-trust-store-type <type>
|
||||||
|
The type of the trust store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
|
||||||
|
Metrics:
|
||||||
|
|
||||||
|
--metrics-enabled <true|false>
|
||||||
|
If the server should expose metrics and healthcheck. If enabled, metrics are
|
||||||
|
available at the '/metrics' endpoint and healthcheck at the '/health'
|
||||||
|
endpoint. Default: false.
|
||||||
|
|
||||||
|
Proxy:
|
||||||
|
|
||||||
|
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||||
|
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||||
|
|
||||||
|
Vault:
|
||||||
|
|
||||||
|
--vault-file-path <dir>
|
||||||
|
If set, secrets can be obtained by reading the content of files within the
|
||||||
|
given path.
|
||||||
|
--vault-hashicorp-paths <paths>
|
||||||
|
A set of one or more paths that should be used when looking up secrets.
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
Optimize the server based on a profile configuration:
|
||||||
|
|
||||||
|
$ kc.sh --profile=prod build
|
||||||
|
|
||||||
|
Change database settings:
|
||||||
|
|
||||||
|
$ kc.sh build --db=postgres [--db-url][--db-username][--db-password]
|
||||||
|
|
||||||
|
Enable a feature:
|
||||||
|
|
||||||
|
$ kc.sh build --features-<feature_name>=[enabled|disabled]
|
||||||
|
|
||||||
|
Or alternatively, enable all tech preview features:
|
||||||
|
|
||||||
|
$ kc.sh build --features=preview
|
||||||
|
|
||||||
|
Enable metrics:
|
||||||
|
|
||||||
|
$ kc.sh build --metrics-enabled=true
|
||||||
|
|
||||||
|
Change the relative path:
|
||||||
|
|
||||||
|
$ kc.sh build --http-relative-path=/auth
|
||||||
|
|
||||||
|
You can also use the "--auto-build" option when starting the server to avoid
|
||||||
|
running this command every time you change a configuration:
|
||||||
|
|
||||||
|
$ kc.sh start --auto-build <OPTIONS>
|
||||||
|
|
||||||
|
By doing that you have an additional overhead when the server is starting.
|
||||||
|
|
||||||
|
Use 'kc.sh build --help-all' to list all available options, including the start
|
||||||
|
options.
|
|
@ -0,0 +1,59 @@
|
||||||
|
Keycloak - Open Source Identity and Access Management
|
||||||
|
|
||||||
|
Find more information at: https://www.keycloak.org/docs/latest
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh [OPTIONS] [COMMAND]
|
||||||
|
|
||||||
|
Use this command-line tool to manage your Keycloak cluster.
|
||||||
|
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
|
||||||
|
"./kc.sh") to execute from the current folder.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-cf, --config-file <file>
|
||||||
|
Set the path to a configuration file. By default, configuration properties are
|
||||||
|
read from the "keycloak.properties" file in the "conf" directory.
|
||||||
|
-D<key>=<value> <sysProps>
|
||||||
|
Set a Java system property
|
||||||
|
-h, --help This help message.
|
||||||
|
-pf, --profile <profile>
|
||||||
|
Set the profile. Use 'dev' profile to enable development mode.
|
||||||
|
-v, --verbose Print out error details when running this command.
|
||||||
|
-V, --version Show version information
|
||||||
|
|
||||||
|
Commands:
|
||||||
|
|
||||||
|
build Creates a new and optimized server image.
|
||||||
|
start Start the server.
|
||||||
|
start-dev Start the server in development mode.
|
||||||
|
export Export data from realms to a file or directory.
|
||||||
|
import Import data from a directory or a file.
|
||||||
|
show-config Print out the current configuration.
|
||||||
|
tools %nUtilities for use and interaction with the server.
|
||||||
|
completion Generate bash/zsh completion script for kc.sh.
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
Start the server in development mode for local development or testing:
|
||||||
|
|
||||||
|
$ kc.sh start-dev
|
||||||
|
|
||||||
|
Building an optimized server runtime:
|
||||||
|
|
||||||
|
$ kc.sh build <OPTIONS>
|
||||||
|
|
||||||
|
Start the server in production mode:
|
||||||
|
|
||||||
|
$ kc.sh start <OPTIONS>
|
||||||
|
|
||||||
|
Enable auto-completion to bash/zsh:
|
||||||
|
|
||||||
|
$ source <(kc.sh tools completion)
|
||||||
|
|
||||||
|
Please, take a look at the documentation for more details before deploying in
|
||||||
|
production.
|
||||||
|
|
||||||
|
Use "kc.sh start --help" for the available options when starting the server.
|
||||||
|
Use "kc.sh <command> --help" for more information about other commands.
|
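Review bot: The approved output records `tools %nUtilities for use and interaction with the server.` in the Commands list, which looks like an unexpanded `%n` line-break placeholder in the tools command description rather than intended help text. Approving it as golden master means the comparison will fail as soon as that rendering is corrected. It would be better to fix the description before approving, or to state the known defect in the commit description so the next approval is expected. The same line appears in the two approved files that follow, which have identical content.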
|
@ -0,0 +1,59 @@
|
||||||
|
Keycloak - Open Source Identity and Access Management
|
||||||
|
|
||||||
|
Find more information at: https://www.keycloak.org/docs/latest
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh [OPTIONS] [COMMAND]
|
||||||
|
|
||||||
|
Use this command-line tool to manage your Keycloak cluster.
|
||||||
|
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
|
||||||
|
"./kc.sh") to execute from the current folder.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-cf, --config-file <file>
|
||||||
|
Set the path to a configuration file. By default, configuration properties are
|
||||||
|
read from the "keycloak.properties" file in the "conf" directory.
|
||||||
|
-D<key>=<value> <sysProps>
|
||||||
|
Set a Java system property
|
||||||
|
-h, --help This help message.
|
||||||
|
-pf, --profile <profile>
|
||||||
|
Set the profile. Use 'dev' profile to enable development mode.
|
||||||
|
-v, --verbose Print out error details when running this command.
|
||||||
|
-V, --version Show version information
|
||||||
|
|
||||||
|
Commands:
|
||||||
|
|
||||||
|
build Creates a new and optimized server image.
|
||||||
|
start Start the server.
|
||||||
|
start-dev Start the server in development mode.
|
||||||
|
export Export data from realms to a file or directory.
|
||||||
|
import Import data from a directory or a file.
|
||||||
|
show-config Print out the current configuration.
|
||||||
|
tools %nUtilities for use and interaction with the server.
|
||||||
|
completion Generate bash/zsh completion script for kc.sh.
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
Start the server in development mode for local development or testing:
|
||||||
|
|
||||||
|
$ kc.sh start-dev
|
||||||
|
|
||||||
|
Building an optimized server runtime:
|
||||||
|
|
||||||
|
$ kc.sh build <OPTIONS>
|
||||||
|
|
||||||
|
Start the server in production mode:
|
||||||
|
|
||||||
|
$ kc.sh start <OPTIONS>
|
||||||
|
|
||||||
|
Enable auto-completion to bash/zsh:
|
||||||
|
|
||||||
|
$ source <(kc.sh tools completion)
|
||||||
|
|
||||||
|
Please, take a look at the documentation for more details before deploying in
|
||||||
|
production.
|
||||||
|
|
||||||
|
Use "kc.sh start --help" for the available options when starting the server.
|
||||||
|
Use "kc.sh <command> --help" for more information about other commands.
|
|
@ -0,0 +1,59 @@
|
||||||
|
Keycloak - Open Source Identity and Access Management
|
||||||
|
|
||||||
|
Find more information at: https://www.keycloak.org/docs/latest
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh [OPTIONS] [COMMAND]
|
||||||
|
|
||||||
|
Use this command-line tool to manage your Keycloak cluster.
|
||||||
|
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
|
||||||
|
"./kc.sh") to execute from the current folder.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-cf, --config-file <file>
|
||||||
|
Set the path to a configuration file. By default, configuration properties are
|
||||||
|
read from the "keycloak.properties" file in the "conf" directory.
|
||||||
|
-D<key>=<value> <sysProps>
|
||||||
|
Set a Java system property
|
||||||
|
-h, --help This help message.
|
||||||
|
-pf, --profile <profile>
|
||||||
|
Set the profile. Use 'dev' profile to enable development mode.
|
||||||
|
-v, --verbose Print out error details when running this command.
|
||||||
|
-V, --version Show version information
|
||||||
|
|
||||||
|
Commands:
|
||||||
|
|
||||||
|
build Creates a new and optimized server image.
|
||||||
|
start Start the server.
|
||||||
|
start-dev Start the server in development mode.
|
||||||
|
export Export data from realms to a file or directory.
|
||||||
|
import Import data from a directory or a file.
|
||||||
|
show-config Print out the current configuration.
|
||||||
|
tools %nUtilities for use and interaction with the server.
|
||||||
|
completion Generate bash/zsh completion script for kc.sh.
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
Start the server in development mode for local development or testing:
|
||||||
|
|
||||||
|
$ kc.sh start-dev
|
||||||
|
|
||||||
|
Building an optimized server runtime:
|
||||||
|
|
||||||
|
$ kc.sh build <OPTIONS>
|
||||||
|
|
||||||
|
Start the server in production mode:
|
||||||
|
|
||||||
|
$ kc.sh start <OPTIONS>
|
||||||
|
|
||||||
|
Enable auto-completion to bash/zsh:
|
||||||
|
|
||||||
|
$ source <(kc.sh tools completion)
|
||||||
|
|
||||||
|
Please, take a look at the documentation for more details before deploying in
|
||||||
|
production.
|
||||||
|
|
||||||
|
Use "kc.sh start --help" for the available options when starting the server.
|
||||||
|
Use "kc.sh <command> --help" for more information about other commands.
|
|
@ -0,0 +1,101 @@
|
||||||
|
Start the server in development mode.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh start-dev [OPTIONS]
|
||||||
|
|
||||||
|
Use this command if you want to run the server locally for development or
|
||||||
|
testing purposes.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-h, --help This help message.
|
||||||
|
--help-all This same help message but with additional options.
|
||||||
|
|
||||||
|
Database:
|
||||||
|
|
||||||
|
--db-password <password>
|
||||||
|
The password of the database user.
|
||||||
|
--db-pool-initial-size <size>
|
||||||
|
The initial size of the connection pool.
|
||||||
|
--db-pool-max-size <size>
|
||||||
|
The maximum size of the connection pool. Default: 100.
|
||||||
|
--db-pool-min-size <size>
|
||||||
|
The minimal size of the connection pool.
|
||||||
|
--db-schema <schema> The database schema to be used.
|
||||||
|
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||||
|
selected database vendor. For instance, if using 'postgres', the default
|
||||||
|
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||||
|
--db-url-database <dbname>
|
||||||
|
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-host <hostname>
|
||||||
|
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-properties <properties>
|
||||||
|
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-username <username>
|
||||||
|
The username of the database user.
|
||||||
|
|
||||||
|
Hostname:
|
||||||
|
|
||||||
|
--hostname <hostname>
|
||||||
|
Hostname for the Keycloak server.
|
||||||
|
--hostname-admin <url>
|
||||||
|
Overrides the hostname for the admin console and APIs.
|
||||||
|
--hostname-path <path>
|
||||||
|
This should be set if proxy uses a different context-path for Keycloak.
|
||||||
|
--hostname-strict <true|false>
|
||||||
|
Disables dynamically resolving the hostname from request headers. Should
|
||||||
|
always be set to true in production, unless proxy verifies the Host header.
|
||||||
|
Default: true.
|
||||||
|
--hostname-strict-backchannel <true|false>
|
||||||
|
By default backchannel URLs are dynamically resolved from request headers to
|
||||||
|
allow internal an external applications. If all applications use the public
|
||||||
|
URL this option should be enabled. Default: false.
|
||||||
|
|
||||||
|
HTTP/TLS:
|
||||||
|
|
||||||
|
--http-enabled <true|false>
|
||||||
|
Enables the HTTP listener. Default: false.
|
||||||
|
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||||
|
--http-port <port> The used HTTP port. Default: 8080.
|
||||||
|
--https-certificate-file <file>
|
||||||
|
The file path to a server certificate or certificate chain in PEM format.
|
||||||
|
--https-certificate-key-file <file>
|
||||||
|
The file path to a private key in PEM format.
|
||||||
|
--https-cipher-suites <ciphers>
|
||||||
|
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||||
|
--https-client-auth <auth>
|
||||||
|
Configures the server to require/request client authentication. Possible
|
||||||
|
Values: none, request, required. Default: none.
|
||||||
|
--https-key-store-file <file>
|
||||||
|
The key store which holds the certificate information instead of specifying
|
||||||
|
separate files.
|
||||||
|
--https-key-store-password <password>
|
||||||
|
The password of the key store file. Default: password.
|
||||||
|
--https-key-store-type <type>
|
||||||
|
The type of the key store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
|
--https-protocols <protocols>
|
||||||
|
The list of protocols to explicitly enable.
|
||||||
|
--https-trust-store-file <file>
|
||||||
|
The trust store which holds the certificate information of the certificates to
|
||||||
|
trust.
|
||||||
|
--https-trust-store-password <password>
|
||||||
|
The password of the trust store file.
|
||||||
|
--https-trust-store-type <type>
|
||||||
|
The type of the trust store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
|
||||||
|
Proxy:
|
||||||
|
|
||||||
|
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||||
|
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||||
|
|
||||||
|
Do NOT start the server using this command when deploying to production.
|
||||||
|
|
||||||
|
Use 'kc.sh start-dev --help-all' to list all available options, including build
|
||||||
|
options.
|
|
@ -0,0 +1,171 @@
|
||||||
|
Start the server in development mode.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh start-dev [OPTIONS]
|
||||||
|
|
||||||
|
Use this command if you want to run the server locally for development or
|
||||||
|
testing purposes.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-h, --help This help message.
|
||||||
|
--help-all This same help message but with additional options.
|
||||||
|
|
||||||
|
Cluster:
|
||||||
|
|
||||||
|
--cache <type> Defines the cache mechanism for high-availability. By default, a 'ispn' cache
|
||||||
|
is used to create a cluster between multiple server nodes. A 'local' cache
|
||||||
|
disables clustering and is intended for development and testing purposes.
|
||||||
|
Default: ispn.
|
||||||
|
--cache-config-file <file>
|
||||||
|
Defines the file from which cache configuration should be loaded from.
|
||||||
|
--cache-stack <stack>
|
||||||
|
Define the default stack to use for cluster communication and node discovery.
|
||||||
|
This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
|
||||||
|
|
||||||
|
Database:
|
||||||
|
|
||||||
|
--db <vendor> The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
|
||||||
|
mssql-2012, mysql, oracle, postgres, postgres-95
|
||||||
|
--db-password <password>
|
||||||
|
The password of the database user.
|
||||||
|
--db-pool-initial-size <size>
|
||||||
|
The initial size of the connection pool.
|
||||||
|
--db-pool-max-size <size>
|
||||||
|
The maximum size of the connection pool. Default: 100.
|
||||||
|
--db-pool-min-size <size>
|
||||||
|
The minimal size of the connection pool.
|
||||||
|
--db-schema <schema> The database schema to be used.
|
||||||
|
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||||
|
selected database vendor. For instance, if using 'postgres', the default
|
||||||
|
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||||
|
--db-url-database <dbname>
|
||||||
|
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-host <hostname>
|
||||||
|
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-properties <properties>
|
||||||
|
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-username <username>
|
||||||
|
The username of the database user.
|
||||||
|
|
||||||
|
Feature:
|
||||||
|
|
||||||
|
--features-account2 <enabled|disabled>
|
||||||
|
Enables the ACCOUNT2 feature.
|
||||||
|
--features-account_api <enabled|disabled>
|
||||||
|
Enables the ACCOUNT_API feature.
|
||||||
|
--features-admin2 <enabled|disabled>
|
||||||
|
Enables the ADMIN2 feature.
|
||||||
|
--features-admin_fine_grained_authz <enabled|disabled>
|
||||||
|
Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
|
||||||
|
--features-authorization <enabled|disabled>
|
||||||
|
Enables the AUTHORIZATION feature.
|
||||||
|
--features-ciba <enabled|disabled>
|
||||||
|
Enables the CIBA feature.
|
||||||
|
--features-client_policies <enabled|disabled>
|
||||||
|
Enables the CLIENT_POLICIES feature.
|
||||||
|
--features-declarative_user_profile <enabled|disabled>
|
||||||
|
Enables the DECLARATIVE_USER_PROFILE feature.
|
||||||
|
--features-docker <enabled|disabled>
|
||||||
|
Enables the DOCKER feature.
|
||||||
|
--features-impersonation <enabled|disabled>
|
||||||
|
Enables the IMPERSONATION feature.
|
||||||
|
--features-map_storage <enabled|disabled>
|
||||||
|
Enables the MAP_STORAGE feature.
|
||||||
|
--features-openshift_integration <enabled|disabled>
|
||||||
|
Enables the OPENSHIFT_INTEGRATION feature.
|
||||||
|
--features-par <enabled|disabled>
|
||||||
|
Enables the PAR feature.
|
||||||
|
--features-scripts <enabled|disabled>
|
||||||
|
Enables the SCRIPTS feature.
|
||||||
|
--features-token_exchange <enabled|disabled>
|
||||||
|
Enables the TOKEN_EXCHANGE feature.
|
||||||
|
--features-upload_scripts <enabled|disabled>
|
||||||
|
Enables the UPLOAD_SCRIPTS feature.
|
||||||
|
--features-web_authn <enabled|disabled>
|
||||||
|
Enables the WEB_AUTHN feature.
|
||||||
|
-ft, --features <preview>
|
||||||
|
Enables all tech preview features.
|
||||||
|
|
||||||
|
Hostname:
|
||||||
|
|
||||||
|
--hostname <hostname>
|
||||||
|
Hostname for the Keycloak server.
|
||||||
|
--hostname-admin <url>
|
||||||
|
Overrides the hostname for the admin console and APIs.
|
||||||
|
--hostname-path <path>
|
||||||
|
This should be set if proxy uses a different context-path for Keycloak.
|
||||||
|
--hostname-strict <true|false>
|
||||||
|
Disables dynamically resolving the hostname from request headers. Should
|
||||||
|
always be set to true in production, unless proxy verifies the Host header.
|
||||||
|
Default: true.
|
||||||
|
--hostname-strict-backchannel <true|false>
|
||||||
|
By default backchannel URLs are dynamically resolved from request headers to
|
||||||
|
allow internal an external applications. If all applications use the public
|
||||||
|
URL this option should be enabled. Default: false.
|
||||||
|
|
||||||
|
HTTP/TLS:
|
||||||
|
|
||||||
|
--http-enabled <true|false>
|
||||||
|
Enables the HTTP listener. Default: false.
|
||||||
|
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||||
|
--http-port <port> The used HTTP port. Default: 8080.
|
||||||
|
--http-relative-path <path>
|
||||||
|
Set the path relative to '/' for serving resources. Default: /.
|
||||||
|
--https-certificate-file <file>
|
||||||
|
The file path to a server certificate or certificate chain in PEM format.
|
||||||
|
--https-certificate-key-file <file>
|
||||||
|
The file path to a private key in PEM format.
|
||||||
|
--https-cipher-suites <ciphers>
|
||||||
|
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||||
|
--https-client-auth <auth>
|
||||||
|
Configures the server to require/request client authentication. Possible
|
||||||
|
Values: none, request, required. Default: none.
|
||||||
|
--https-key-store-file <file>
|
||||||
|
The key store which holds the certificate information instead of specifying
|
||||||
|
separate files.
|
||||||
|
--https-key-store-password <password>
|
||||||
|
The password of the key store file. Default: password.
|
||||||
|
--https-key-store-type <type>
|
||||||
|
The type of the key store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
|
--https-protocols <protocols>
|
||||||
|
The list of protocols to explicitly enable.
|
||||||
|
--https-trust-store-file <file>
|
||||||
|
The trust store which holds the certificate information of the certificates to
|
||||||
|
trust.
|
||||||
|
--https-trust-store-password <password>
|
||||||
|
The password of the trust store file.
|
||||||
|
--https-trust-store-type <type>
|
||||||
|
The type of the trust store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
|
||||||
|
Metrics:
|
||||||
|
|
||||||
|
--metrics-enabled <true|false>
|
||||||
|
If the server should expose metrics and healthcheck. If enabled, metrics are
|
||||||
|
available at the '/metrics' endpoint and healthcheck at the '/health'
|
||||||
|
endpoint. Default: false.
|
||||||
|
|
||||||
|
Proxy:
|
||||||
|
|
||||||
|
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||||
|
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||||
|
|
||||||
|
Vault:
|
||||||
|
|
||||||
|
--vault-file-path <dir>
|
||||||
|
If set, secrets can be obtained by reading the content of files within the
|
||||||
|
given path.
|
||||||
|
--vault-hashicorp-paths <paths>
|
||||||
|
A set of one or more paths that should be used when looking up secrets.
|
||||||
|
|
||||||
|
Do NOT start the server using this command when deploying to production.
|
||||||
|
|
||||||
|
Use 'kc.sh start-dev --help-all' to list all available options, including build
|
||||||
|
options.
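Review bot: The approved output hard-codes the Unix launcher name, in the usage line `kc.sh start-dev [OPTIONS]` and in the footer `Use 'kc.sh start-dev --help-all'`, while `Environment.getCommand()` as changed in this same commit returns `kc.bat` on Windows. Unless the test normalizes the command name before comparing (not visible in this section), the golden comparison would presumably fail on a Windows run. I would either replace the launcher name with a fixed placeholder before verification or keep one approved file per platform. The `start` snapshot that follows has the same dependency (`kc.sh start [OPTIONS]`, `$ kc.sh start --auto-build <OPTIONS>`).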
|
|
@ -0,0 +1,107 @@
|
||||||
|
Start the server.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
kc.sh start [OPTIONS]
|
||||||
|
|
||||||
|
Use this command to run the server in production.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
|
||||||
|
-b, --auto-build Automatically detects whether the server configuration changed and a new
|
||||||
|
server image must be built prior to starting the server. This option
|
||||||
|
provides an alternative to manually running the 'build' prior to starting
|
||||||
|
the server. Use this configuration carefully in production as it might
|
||||||
|
impact the startup time.
|
||||||
|
-h, --help This help message.
|
||||||
|
|
||||||
|
Database:
|
||||||
|
|
||||||
|
--db-password <password>
|
||||||
|
The password of the database user.
|
||||||
|
--db-pool-initial-size <size>
|
||||||
|
The initial size of the connection pool.
|
||||||
|
--db-pool-max-size <size>
|
||||||
|
The maximum size of the connection pool. Default: 100.
|
||||||
|
--db-pool-min-size <size>
|
||||||
|
The minimal size of the connection pool.
|
||||||
|
--db-schema <schema> The database schema to be used.
|
||||||
|
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||||
|
selected database vendor. For instance, if using 'postgres', the default
|
||||||
|
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||||
|
--db-url-database <dbname>
|
||||||
|
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-host <hostname>
|
||||||
|
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-url-properties <properties>
|
||||||
|
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||||
|
`db-url` option is set, this option is ignored.
|
||||||
|
--db-username <username>
|
||||||
|
The username of the database user.
|
||||||
|
|
||||||
|
Hostname:
|
||||||
|
|
||||||
|
--hostname <hostname>
|
||||||
|
Hostname for the Keycloak server.
|
||||||
|
--hostname-admin <url>
|
||||||
|
Overrides the hostname for the admin console and APIs.
|
||||||
|
--hostname-path <path>
|
||||||
|
This should be set if proxy uses a different context-path for Keycloak.
|
||||||
|
--hostname-strict <true|false>
|
||||||
|
Disables dynamically resolving the hostname from request headers. Should
|
||||||
|
always be set to true in production, unless proxy verifies the Host header.
|
||||||
|
Default: true.
|
||||||
|
--hostname-strict-backchannel <true|false>
|
||||||
|
By default backchannel URLs are dynamically resolved from request headers to
|
||||||
|
allow internal an external applications. If all applications use the public
|
||||||
|
URL this option should be enabled. Default: false.
|
||||||
|
|
||||||
|
HTTP/TLS:
|
||||||
|
|
||||||
|
--http-enabled <true|false>
|
||||||
|
Enables the HTTP listener. Default: false.
|
||||||
|
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||||
|
--http-port <port> The used HTTP port. Default: 8080.
|
||||||
|
--https-certificate-file <file>
|
||||||
|
The file path to a server certificate or certificate chain in PEM format.
|
||||||
|
--https-certificate-key-file <file>
|
||||||
|
The file path to a private key in PEM format.
|
||||||
|
--https-cipher-suites <ciphers>
|
||||||
|
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||||
|
--https-client-auth <auth>
|
||||||
|
Configures the server to require/request client authentication. Possible
|
||||||
|
Values: none, request, required. Default: none.
|
||||||
|
--https-key-store-file <file>
|
||||||
|
The key store which holds the certificate information instead of specifying
|
||||||
|
separate files.
|
||||||
|
--https-key-store-password <password>
|
||||||
|
The password of the key store file. Default: password.
|
||||||
|
--https-key-store-type <type>
|
||||||
|
The type of the key store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
--https-port <port> The used HTTPS port. Default: 8443.
|
||||||
|
--https-protocols <protocols>
|
||||||
|
The list of protocols to explicitly enable.
|
||||||
|
--https-trust-store-file <file>
|
||||||
|
The trust store which holds the certificate information of the certificates to
|
||||||
|
trust.
|
||||||
|
--https-trust-store-password <password>
|
||||||
|
The password of the trust store file.
|
||||||
|
--https-trust-store-type <type>
|
||||||
|
The type of the trust store file. If not given, the type is automatically
|
||||||
|
detected based on the file name.
|
||||||
|
|
||||||
|
Proxy:
|
||||||
|
|
||||||
|
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||||
|
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||||
|
|
||||||
|
You may use the "--auto-build" option when starting the server to avoid running
|
||||||
|
the "build" command everytime you need to change a static property:
|
||||||
|
|
||||||
|
$ kc.sh start --auto-build <OPTIONS>
|
||||||
|
|
||||||
|
By doing that you have an additional overhead when the server is starting. Run
|
||||||
|
"kc.sh build -h" for more details.
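Review bot: This snapshot of the production `start` help pins `--https-key-store-password <password>` with `Default: password.`, so the golden test now asserts that a well-known key store password is advertised as the default. That text presumably predates this commit, but since the commit is about credentials not leaking from CLI output, it is worth deciding whether the production command should have, or print, that default at all; any later change will need this file re-approved. The same line is frozen in the `start-dev` snapshots above. The snapshot also freezes two typos, `allow internal an external applications` and `everytime`, which would be cheaper to correct in the option descriptions before approving.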
|