KEYCLOAK-19858 Add Tests to check that no credentials are leaking when using CLI commands. Also: Tests for Help Command output using Golden master technique
parent
93853e9dc4
commit
f2abfecca1
28 changed files with 1118 additions and 111 deletions
2
.gitattributes
vendored
2
.gitattributes
vendored
@ -18,3 +18,5 @@
*.eot binary
*.otf binary
*.woff binary
# See https://github.com/approvals/ApprovalTests.Java#approved-file-artifacts (used in golden testing for help output of quarkus based dist)
*.approved.* binary
@ -83,12 +83,6 @@ public final class Environment {
}
public static String getCommand() {
String homeDir = getHomeDir();
if (homeDir == null) {
return "java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar";
}
if (isWindows()) {
return "kc.bat";
}
@ -183,6 +177,6 @@ public final class Environment {
}
public static boolean isDistribution() {
return Environment.getCommand().startsWith("kc.");
return getHomeDir() != null;
}
}
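Review bot: `isDistribution()` now answers `getHomeDir() != null`, which widens the check from "the launcher script is running" to "some home directory is configured", and the method should carry a comment naming the invariant it now relies on, e.g. `// A home dir is expected only when started through kc.sh/kc.bat; a bare java -jar launch has none — confirm against getHomeDir()`. getHomeDir() itself is outside this view, so that expectation is inferred. The first hunk also appears to drop the `homeDir == null` fallback that returned `java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar`, and the replacement lines of that hunk are not shown, so callers of getCommand() in a non-distribution launch should be checked for still getting a usable command string.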
@ -70,6 +70,8 @@ public final class Main {
public static final String PROFILE_SHORT_NAME = "-pf";
public static final String PROFILE_LONG_NAME = "--profile";
public static final String CONFIG_FILE_SHORT_NAME = "-cf";
public static final String CONFIG_FILE_LONG_NAME = "--config-file";
@CommandLine.Spec
CommandLine.Model.CommandSpec spec;
@ -103,7 +105,7 @@ public final class Main {
Environment.setProfile(profile);
}
@Option(names = { "-cf", "--config-file" },
@Option(names = { CONFIG_FILE_SHORT_NAME, CONFIG_FILE_LONG_NAME },
arity = "1",
description = "Set the path to a configuration file. By default, configuration properties are read from the \"keycloak.properties\" file in the \"conf\" directory.",
paramLabel = "file")
@ -45,6 +45,7 @@ import picocli.CommandLine.Parameters;
description = "%nPrint out the current configuration.")
public final class ShowConfig extends AbstractCommand implements Runnable {
public static final String NAME = "show-config";
@Parameters(
paramLabel = "filter",
defaultValue = "none",
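Review bot: The new `NAME = "show-config"` constant duplicates the command name that the `@Command` annotation declares just above this hunk; if that annotation still carries the literal, point it at the constant (`@Command(name = ShowConfig.NAME, ...)`) so the tests that launch via `ShowConfig.NAME` cannot drift from the registered command. The annotation's `name` attribute is outside the hunk, so this is inferred rather than seen.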
@ -34,8 +34,6 @@ import java.util.function.BiConsumer;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import org.jboss.logging.Logger;
import io.smallrye.config.PropertiesConfigSource;
import org.keycloak.quarkus.runtime.cli.Picocli;
@ -53,8 +51,6 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
*/
public class ConfigArgsConfigSource extends PropertiesConfigSource {
private static final Logger log = Logger.getLogger(ConfigArgsConfigSource.class);
public static final String CLI_ARGS = "kc.config.args";
private static final String ARG_SEPARATOR = ";;";
private static final Pattern ARG_SPLIT = Pattern.compile(";;");
@ -120,7 +116,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
String rawArgs = getRawConfigArgs();
if (rawArgs == null || "".equals(rawArgs.trim())) {
log.trace("No command-line arguments provided");
return Collections.emptyMap();
}
@ -131,7 +126,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
public void accept(String key, String value) {
key = NS_KEYCLOAK_PREFIX + key.substring(2);
log.tracef("Adding property [%s=%s] from command-line", key, value);
properties.put(key, value);
String mappedPropertyName = getMappedPropertyName(key);
@ -171,7 +165,6 @@ public class ConfigArgsConfigSource extends PropertiesConfigSource {
String rawArgs = getRawConfigArgs();
if (rawArgs == null || "".equals(rawArgs.trim())) {
log.trace("No command-line arguments provided");
return;
}
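Review bot: With the logger and the `log.tracef("Adding property [%s=%s] from command-line", key, value)` line gone, nothing left in `ConfigArgsConfigSource` explains why this source must stay silent, and a future maintainer is likely to re-add a trace line that prints the value. Add a comment at the top of `accept` (or on the class) such as `// Never log argument values here: command-line args can carry credentials (db or key-store passwords), see KEYCLOAK-19858.` The class body continues outside the visible hunks.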
@ -29,6 +29,7 @@ import io.smallrye.config.ConfigValue;
import io.smallrye.config.SmallRyeConfig;
import io.smallrye.config.SmallRyeConfigProviderResolver;
import org.eclipse.microprofile.config.spi.ConfigProviderResolver;
import org.eclipse.microprofile.config.spi.ConfigSource;
import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
@ -39,17 +40,12 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
*/
public final class Configuration {
private static volatile SmallRyeConfig CONFIG;
private Configuration() {
}
public static synchronized SmallRyeConfig getConfig() {
if (CONFIG == null) {
CONFIG = (SmallRyeConfig) SmallRyeConfigProviderResolver.instance().getConfig();
}
return CONFIG;
return (SmallRyeConfig) ConfigProviderResolver.instance().getConfig();
}
public static Optional<String> getBuildTimeProperty(String name) {
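Review bot: After the cached `CONFIG` field is removed, `getConfig()` touches no shared state, so the `synchronized` modifier on its signature (a context line in this hunk) only serialises callers for nothing; change it to `public static SmallRyeConfig getConfig() {`. The method is now a bare cast of `ConfigProviderResolver.instance().getConfig()`, so a one-line comment on why the cache was dropped would stop the next reader from re-adding it; the motive looks like the `QuarkusConfigFactory.setConfig(null)` reset in CLITestExtension, but that is inferred from this commit rather than stated anywhere.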
@ -63,6 +63,9 @@ public class KeycloakConfigSourceProvider implements ConfigSourceProvider {
@Override
public Iterable<ConfigSource> getConfigSources(ClassLoader forClassLoader) {
if(Environment.isTestLaunchMode()) {
reload();
}
return CONFIG_SOURCES;
}
}
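Review bot: `getConfigSources` now carries a test-only branch in production code, and whether `reload()` is cheap or idempotent is not visible here; since the branch runs on every call, it needs a comment stating that `isTestLaunchMode()` is expected to be false outside the test extension (it is toggled through the static `forceTestLaunchMode` that CLITestExtension imports) and what `reload()` rebuilds, so nobody later flips that flag in a real launch. Style: `if(Environment.isTestLaunchMode()) {` should be written `if (Environment.isTestLaunchMode()) {` to match the surrounding code.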
@ -1,5 +1,5 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -15,7 +15,7 @@
* limitations under the License.
*/
package org.keycloak.provider.quarkus;
package org.keycloak.quarkus.runtime.configuration.test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@ -32,6 +32,11 @@
<artifactId>keycloak-quarkus-integration-tests</artifactId>
<packaging>jar</packaging>
<properties>
<kc.quarkus.tests.dist>raw</kc.quarkus.tests.dist>
<approvaltests.version>12.3.2</approvaltests.version>
</properties>
<dependencies>
<dependency>
<groupId>org.keycloak</groupId>
@ -64,6 +69,11 @@
<groupId>org.testcontainers</groupId>
<artifactId>junit-jupiter</artifactId>
</dependency>
<dependency>
<groupId>com.approvaltests</groupId>
<artifactId>approvaltests</artifactId>
<version>${approvaltests.version}</version>
</dependency>
</dependencies>
<build>
@ -72,12 +82,9 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<systemProperties>
<property>
<name>kc.quarkus.tests.dist</name>
<value>${kc.quarkus.tests.dist}</value>
</property>
</systemProperties>
<systemPropertyVariables>
<kc.quarkus.tests.dist>${kc.quarkus.tests.dist}</kc.quarkus.tests.dist>
</systemPropertyVariables>
</configuration>
</plugin>
</plugins>
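Review bot: The new `com.approvaltests:approvaltests` dependency is declared without `<scope>test</scope>`, so it lands on the module's compile classpath; in a tests-only module that may be tolerated (the neighbouring `junit-jupiter` entry also has no scope), but a library that exists only to drive assertions should say so, so add `<scope>test</scope>` after the `<version>` element. Keeping the version pinned through `${approvaltests.version}` is the right call; it leaves one place to bump when the library is updated.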
@ -19,22 +19,14 @@ package org.keycloak.it.junit5.extension;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.util.Arrays;
import java.util.List;
import org.keycloak.quarkus.runtime.cli.Picocli;
import org.approvaltests.Approvals;
import io.quarkus.test.junit.main.LaunchResult;
import picocli.CommandLine;
public interface CLIResult extends LaunchResult {
static Object create(List<String> outputStream, List<String> errStream, int exitCode, boolean distribution) {
static Object create(List<String> outputStream, List<String> errStream, int exitCode) {
return new CLIResult() {
@Override
public List<String> getOutputStream() {
@ -50,16 +42,9 @@ public interface CLIResult extends LaunchResult {
public int exitCode() {
return exitCode;
}
@Override
public boolean isDistribution() {
return distribution;
}
};
}
boolean isDistribution();
default void assertStarted() {
assertFalse(getOutput().contains("The delayed handler's queue was overrun and log record(s) were lost (Did you forget to configure logging?)"), () -> "The standard Output:\n" + getOutput() + "should not contain a warning about log queue overrun.");
assertTrue(getOutput().contains("Listening on:"), () -> "The standard output:\n" + getOutput() + "does include \"Listening on:\"");
@ -81,31 +66,10 @@ public interface CLIResult extends LaunchResult {
() -> "The Error Output:\n " + getErrorOutput() + "\ndoesn't contains " + msg);
}
default void assertHelp(String command) {
if (command == null) {
fail("No command provided");
}
CommandLine cmd = Picocli.createCommandLine(Arrays.asList(command, "--help"));
if (isDistribution()) {
cmd.setCommandName("kc.sh");
}
try (
ByteArrayOutputStream outStream = new ByteArrayOutputStream();
PrintStream printStream = new PrintStream(outStream, true)
) {
if ("kc.sh".equals(command)) {
cmd.usage(printStream);
} else {
cmd.getSubcommands().get(command).usage(printStream);
}
// not very reliable, we should be comparing the output with some static reference to the help message.
assertTrue(getOutput().trim().equals(outStream.toString().trim()),
() -> "The Output:\n " + getOutput() + "\ndoesnt't contains " + outStream.toString().trim());
} catch (IOException cause) {
default void assertHelp() {
try {
Approvals.verify(getOutput());
} catch (Exception cause) {
throw new RuntimeException("Failed to assert help", cause);
}
}
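Review bot: In the new `assertHelp()`, the `try { Approvals.verify(getOutput()); } catch (Exception cause) { throw new RuntimeException("Failed to assert help", cause); }` wrapper no longer earns its place: the old catch existed for the `IOException` of the stream it opened, while this call path declares no checked exception as far as the hunk shows, and re-wrapping an unchecked failure only hides the library's own failure type and message behind a generic RuntimeException. Reduce the body to `Approvals.verify(getOutput());`. Only standard output is verified, as before; a one-line comment that stderr is deliberately not part of the golden master would make that explicit for the next reader.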
@ -20,10 +20,15 @@ package org.keycloak.it.junit5.extension;
import static org.keycloak.it.junit5.extension.DistributionTest.ReInstall.BEFORE_ALL;
import static org.keycloak.it.junit5.extension.DistributionType.RAW;
import static org.keycloak.quarkus.runtime.Environment.forceTestLaunchMode;
import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_SHORT_NAME;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import io.quarkus.runtime.configuration.QuarkusConfigFactory;
import org.junit.jupiter.api.extension.ExtensionContext;
import org.junit.jupiter.api.extension.ParameterContext;
import org.junit.jupiter.api.extension.ParameterResolutionException;
@ -35,17 +40,29 @@ import org.keycloak.quarkus.runtime.cli.command.StartDev;
import io.quarkus.test.junit.QuarkusMainTestExtension;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
import org.keycloak.quarkus.runtime.configuration.KeycloakPropertiesConfigSource;
public class CLITestExtension extends QuarkusMainTestExtension {
private static final String KEY_VALUE_SEPARATOR = "[= ]";
private KeycloakDistribution dist;
@Override
public void beforeEach(ExtensionContext context) throws Exception {
DistributionTest distConfig = getDistributionConfig(context);
Launch launch = context.getRequiredTestMethod().getAnnotation(Launch.class);
if (launch != null) {
for (String arg : launch.value()) {
if (arg.contains(CONFIG_FILE_SHORT_NAME) || arg.contains(CONFIG_FILE_LONG_NAME)) {
Pattern kvSeparator = Pattern.compile(KEY_VALUE_SEPARATOR);
String[] cfKeyValue = kvSeparator.split(arg);
System.setProperty(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP, cfKeyValue[1]);
}
}
}
if (distConfig != null) {
Launch launch = context.getRequiredTestMethod().getAnnotation(Launch.class);
if (launch != null) {
if (dist == null) {
@ -70,19 +87,15 @@ public class CLITestExtension extends QuarkusMainTestExtension {
}
super.afterEach(context);
reset();
}
@Override
public void afterAll(ExtensionContext context) throws Exception {
if (dist != null) {
// just to make sure the server is stopped after all tests
dist.stop();
}
super.afterAll(context);
}
private KeycloakDistribution createDistribution(DistributionTest config) {
return DistributionType.getCurrent().orElse(RAW).newInstance(config);
private void reset() {
QuarkusConfigFactory.setConfig(null);
//remove the config file property if set, and also the profile, to not have side effects in other tests.
System.getProperties().remove(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP);
System.getProperties().remove(Environment.PROFILE);
System.getProperties().remove("quarkus.profile");
}
@Override
@ -100,6 +113,19 @@ public class CLITestExtension extends QuarkusMainTestExtension {
super.beforeAll(context);
}
@Override
public void afterAll(ExtensionContext context) throws Exception {
if (dist != null) {
// just to make sure the server is stopped after all tests
dist.stop();
}
super.afterAll(context);
}
private KeycloakDistribution createDistribution(DistributionTest config) {
return DistributionType.getCurrent().orElse(RAW).newInstance(config);
}
@Override
public Object resolveParameter(ParameterContext parameterContext, ExtensionContext context)
throws ParameterResolutionException {
@ -123,10 +149,10 @@ public class CLITestExtension extends QuarkusMainTestExtension {
exitCode = result.exitCode();
}
return CLIResult.create(outputStream, errStream, exitCode, isDistribution);
return CLIResult.create(outputStream, errStream, exitCode);
}
// for now, not support for manual launching using QuarkusMainLauncher
// for now, no support for manual launching using QuarkusMainLauncher
throw new RuntimeException("Parameter type [" + type + "] not supported");
}
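Review bot: In `beforeEach`, `cfKeyValue[1]` is read without checking the split result, so a `@Launch` value that passes the option and its file as separate elements (`"--config-file", "path"`) or a bare `--config-file` throws ArrayIndexOutOfBoundsException from the extension instead of a readable test failure; `arg.contains(CONFIG_FILE_SHORT_NAME)` is also a substring test that fires on any argument containing `-cf`. Anchor and guard it: `if (arg.startsWith(CONFIG_FILE_SHORT_NAME) || arg.startsWith(CONFIG_FILE_LONG_NAME)) {` and `if (cfKeyValue.length > 1) { System.setProperty(KeycloakPropertiesConfigSource.KEYCLOAK_CONFIG_FILE_PROP, cfKeyValue[1]); }`. The `reset()` call in afterEach does remove the property and profile again, which keeps the leak contained to one test. The class continues outside the visible hunks.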
@ -22,10 +22,11 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
import org.junit.jupiter.api.extension.ExtendWith;
/**
* {@link RawDistOnly} is used to signal that the annotated tests class is only enabled when running tests using the {@link DistributionType#RAW}.
* {@link RawDistOnly} is used to signal that the annotated test class
* is only enabled when running tests using the {@link DistributionType#RAW}
* or running tests in whitebox mode in the same jvm using {@link CLITest}
*/
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@ -43,15 +43,12 @@ import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.io.FileUtils;
import org.jboss.logging.Logger;
import io.quarkus.bootstrap.util.ZipUtils;
import org.keycloak.common.Version;
public final class RawKeycloakDistribution implements KeycloakDistribution {
private static final Logger LOGGER = Logger.getLogger(RawKeycloakDistribution.class);
private Process keycloak;
private int exitCode = -1;
private final Path distPath;
@ -164,7 +161,6 @@ public final class RawKeycloakDistribution implements KeycloakDistribution {
connection.connect();
if (connection.getResponseCode() == 200) {
LOGGER.infof("Keycloak is ready at %s", contextRoot);
break;
}
} catch (Exception ignore) {
@ -17,14 +17,15 @@
package org.keycloak.it.cli;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.CLIResult;
import org.keycloak.it.junit5.extension.CLITest;
import org.keycloak.quarkus.runtime.cli.command.Main;
import org.keycloak.quarkus.runtime.cli.command.Build;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
import org.keycloak.quarkus.runtime.cli.command.Start;
import org.keycloak.quarkus.runtime.cli.command.StartDev;
@CLITest
public class HelpCommandTest {
@ -33,34 +34,56 @@ public class HelpCommandTest {
@Launch({})
void testDefaultToHelp(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp("kc.sh");
cliResult.assertHelp();
}
@Test
@Launch({ "--help" })
void testHelpCommand(LaunchResult result) {
void testHelp(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp("kc.sh");
cliResult.assertHelp();
}
@Test
@Launch({ "start", "--help" })
void testStartHelpCommand(LaunchResult result) {
@Launch({ "-h" })
void testHelpShort(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp("start");
cliResult.assertHelp();
}
@Test
@Launch({ "start-dev", "--help" })
void testStartDevCommand(LaunchResult result) {
@Launch({ Start.NAME, "--help" })
void testStartHelp(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp("start-dev");
cliResult.assertHelp();
}
@Test
@Launch({ "build", "--help" })
void testBuildCommand(LaunchResult result) {
@Launch({ StartDev.NAME, "--help" })
void testStartDevHelp(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp("build");
cliResult.assertHelp();
}
@Test
@Launch({ StartDev.NAME, "--help-all" })
void testStartDevHelpAll(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp();
}
@Test
@Launch({ Build.NAME, "--help" })
void testBuildHelp(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp();
}
@Test
@Launch({ Build.NAME, "--help-all" })
void testBuildHelpAll(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertHelp();
}
}
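--- /dev/null
+++ b/<module-path-not-on-page>/org/keycloak/it/cli/PackageSettings.java
@@ -0,0 +1,17 @@
+package org.keycloak.it.cli;
+
+import org.keycloak.it.junit5.extension.CLITestExtension;
+
+/**
+* Used to specify the output directory for the received / to-be-approved outputs of this packages tests.
+* In our case they should be stored under resources/clitest/approvals or resources/rawdist/approvals depending
+* on the runtype of the tests (@DistributionTest in Raw mode, or @CLITest, leading to either using "kc.sh"
+* or "java -jar $KEYCLOAK_HOME/lib/quarkus-run.jar" as command in the usage output).
+*
+* Note: Creates the directories if they don't exist yet.
+* **/
+public class PackageSettings {
+
+public String UseApprovalSubdirectory = "approvals/cli/help";
+public String ApprovalBaseDirectory = "../resources";
+}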
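Review bot: The import `org.keycloak.it.junit5.extension.CLITestExtension` is unused in `PackageSettings` and should be dropped. The Javadoc also contradicts the code: it says approvals live under `resources/clitest/approvals` or `resources/rawdist/approvals`, while the fields select `ApprovalBaseDirectory = "../resources"` plus `UseApprovalSubdirectory = "approvals/cli/help"`, so reword it to name the directory the fields actually produce and where (if anywhere) the distribution/CLI split happens, and close it with `*/` instead of `* **/`. The PascalCase public field names are presumably fixed by the library's reflective lookup; a one-line comment saying so would stop a later cleanup from renaming them to camelCase and silently breaking approval placement.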
@ -23,19 +23,23 @@ import org.keycloak.it.junit5.extension.CLITest;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
import org.keycloak.quarkus.runtime.cli.command.ShowConfig;
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
@CLITest
class ShowConfigCommandTest {
public class ShowConfigCommandTest {
@Test
@Launch({ "show-config" })
@Launch({ ShowConfig.NAME })
void testShowConfigCommandShowsRuntimeConfig(LaunchResult result) {
Assertions.assertTrue(result.getOutput()
.contains("Runtime Configuration"));
}
@Test
@Launch({ "show-config", "all" })
@Launch({ ShowConfig.NAME, "all" })
void testShowConfigCommandWithAllShowsAllProfiles(LaunchResult result) {
Assertions.assertTrue(result.getOutput()
.contains("Runtime Configuration"));
@ -44,4 +48,17 @@ class ShowConfigCommandTest {
Assertions.assertTrue(result.getOutput()
.contains("Profile \"import_export\" Configuration"));
}
@Test
@Launch({ CONFIG_FILE_LONG_NAME+"=src/test/resources/ShowConfigCommandTest/keycloak.properties", ShowConfig.NAME, "all" })
void testShowConfigCommandHidesCredentialsInProfiles(LaunchResult result) {
String output = result.getOutput();
Assertions.assertFalse(output.contains("testpw1"));
Assertions.assertFalse(output.contains("testpw2"));
Assertions.assertFalse(output.contains("testpw3"));
Assertions.assertTrue(output.contains("kc.db.password = " + PropertyMappers.VALUE_MASK));
Assertions.assertTrue(output.contains("%dev.kc.db.password = " + PropertyMappers.VALUE_MASK));
Assertions.assertTrue(output.contains("%dev.kc.https.key-store.password = " + PropertyMappers.VALUE_MASK));
Assertions.assertTrue(output.contains("%import_export.kc.db.password = " + PropertyMappers.VALUE_MASK));
}
}
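Review bot: `testShowConfigCommandHidesCredentialsInProfiles` locates its fixture through the relative path `src/test/resources/ShowConfigCommandTest/keycloak.properties`, so it passes only when the JVM's working directory is the module root; resolving the file from the test classpath, or from a build-supplied absolute property, would remove that dependency, though the surefire configuration of this module is not fully visible here. The positive `PropertyMappers.VALUE_MASK` assertions are the half that matters: without them the `assertFalse(output.contains("testpw1"))` checks would pass vacuously if the file were never loaded, so keep them even if the lookup changes. Style: `CONFIG_FILE_LONG_NAME+"=...` should be spaced as `CONFIG_FILE_LONG_NAME + "=...`.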
@ -19,7 +19,9 @@ package org.keycloak.it.cli.dist;
import org.keycloak.it.cli.HelpCommandTest;
import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly;
@DistributionTest
@RawDistOnly(reason = "Verifying the help message output doesn't need long spin-up of docker dist tests.")
public class HelpCommandDistTest extends HelpCommandTest {
}
@ -22,10 +22,12 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
import org.junit.jupiter.api.Test;
import org.keycloak.it.cli.StartCommandTest;
import org.keycloak.it.junit5.extension.CLIResult;
import org.keycloak.it.junit5.extension.DistributionTest;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
@DistributionTest
public class StartCommandDistTest extends StartCommandTest {
@ -44,4 +46,12 @@ public class StartCommandDistTest extends StartCommandTest {
assertTrue(result.getErrorOutput().contains("ERROR: Strict hostname resolution configured but no hostname was set"),
() -> "The Output:\n" + result.getOutput() + "doesn't contains the expected string.");
}
@Test
@Launch({ "start", "--auto-build", "--db-password=secret", "--https-key-store-password=secret"})
void testStartWithAutoBuildDoesntShowCredentialsInConsole(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
assertTrue(cliResult.getOutput().contains("--db-password=" + PropertyMappers.VALUE_MASK));
assertTrue(cliResult.getOutput().contains("--https-key-store-password=" + PropertyMappers.VALUE_MASK));
}
}
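Review bot: `testStartWithAutoBuildDoesntShowCredentialsInConsole` proves the masked form is printed but never proves the plaintext is absent, so a regression that echoes the raw arguments somewhere else in the output (or on stderr, which is not checked at all) would still pass. Use a value that cannot collide with ordinary words (`secret` is a substring of "secrets", which the project's own option descriptions use) and assert its absence on both streams: `assertFalse(cliResult.getOutput().contains("<distinct-test-value>"));` and `assertFalse(cliResult.getErrorOutput().contains("<distinct-test-value>"));`, with `assertFalse` statically imported next to `assertTrue`. The existing masked-form assertions stay as they are.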
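--- /dev/null
+++ b/src/test/resources/ShowConfigCommandTest/keycloak.properties
@@ -0,0 +1,48 @@
+# Default and non-production grade database vendor
+db=h2-file
+db.username = sa
+db.password = keycloak
+
+# Insecure requests are disabled by default
+http.enabled=false
+
+# Metrics and healthcheck are disabled by default
+metrics.enabled=false
+
+# Basic settings for running in production. Change accordingly before deploying the server.
+# Database
+#%prod.db=postgres
+#%prod.db.username=keycloak
+#%prod.db.password=password
+#%prod.db.url=jdbc:postgresql://localhost/keycloak
+# Observability
+#%prod.metrics.enabled=true
+# HTTP
+#%prod.spi.hostname.frontend-url=https://localhost:8443
+#%prod.https.certificate.file=${kc.home.dir}conf/server.crt.pem
+#%prod.https.certificate.key-file=${kc.home.dir}conf/server.key.pem
+#%prod.proxy=reencrypt
+#%prod.hostname=myhostname
+
+# Default, and insecure, and non-production grade configuration for the development profile
+%dev.http.enabled=true
+%dev.hostname.strict=false
+%dev.db.password=testpw1
+%dev.hostname.strict-https=false
+%dev.cluster=local
+%dev.spi.theme.cache-themes=false
+%dev.spi.theme.cache-templates=false
+%dev.spi.theme.static-max-age=-1
+%dev.https.key-store.password=testpw2
+
+# The default configuration when running in import or export mode
+%import_export.http.enabled=true
+%import_export.db.password=testpw3
+%import_export.hostname.strict=false
+%import_export.hostname.strict-https=false
+%import_export.cluster=local
+
+# Logging configuration. INFO is the default level for most of the categories
+#quarkus.log.level = DEBUG
+quarkus.log.category."org.jboss.resteasy.resteasy_jaxrs.i18n".level=WARN
+quarkus.log.category."org.infinispan.transaction.lookup.JBossStandaloneJTAManagerLookup".level=WARN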
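--- /dev/null
+++ b/<approved-file-path-not-on-page>
@@ -0,0 +1,136 @@
+Creates a new and optimized server image.
+
+Usage:
+
+kc.sh build [OPTIONS]
+
+Creates a new and optimized server image based on the configuration options
+passed to this command. Once created, the configuration will be persisted and
+read during startup without having to pass them over again.
+
+Some configuration options require this command to be executed in order to
+actually change a configuration. For instance
+
+- Change database vendor
+- Enable/disable features
+- Enable/Disable providers or set a default
+
+Consider running this command before running the server in production for an
+optimal runtime.
+
+Options:
+
+-h, --help This help message.
+--help-all This same help message but with additional options.
+
+Cluster:
+
+--cache <type> Defines the cache mechanism for high-availability. By default, a 'ispn' cache
+is used to create a cluster between multiple server nodes. A 'local' cache
+disables clustering and is intended for development and testing purposes.
+Default: ispn.
+--cache-config-file <file>
+Defines the file from which cache configuration should be loaded from.
+--cache-stack <stack>
+Define the default stack to use for cluster communication and node discovery.
+This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
+
+Database:
+
+--db <vendor> The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
+mssql-2012, mysql, oracle, postgres, postgres-95
+
+Feature:
+
+--features-account2 <enabled|disabled>
+Enables the ACCOUNT2 feature.
+--features-account_api <enabled|disabled>
+Enables the ACCOUNT_API feature.
+--features-admin2 <enabled|disabled>
+Enables the ADMIN2 feature.
+--features-admin_fine_grained_authz <enabled|disabled>
+Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
+--features-authorization <enabled|disabled>
+Enables the AUTHORIZATION feature.
+--features-ciba <enabled|disabled>
+Enables the CIBA feature.
+--features-client_policies <enabled|disabled>
+Enables the CLIENT_POLICIES feature.
+--features-declarative_user_profile <enabled|disabled>
+Enables the DECLARATIVE_USER_PROFILE feature.
+--features-docker <enabled|disabled>
+Enables the DOCKER feature.
+--features-impersonation <enabled|disabled>
+Enables the IMPERSONATION feature.
+--features-map_storage <enabled|disabled>
+Enables the MAP_STORAGE feature.
+--features-openshift_integration <enabled|disabled>
+Enables the OPENSHIFT_INTEGRATION feature.
+--features-par <enabled|disabled>
+Enables the PAR feature.
+--features-scripts <enabled|disabled>
+Enables the SCRIPTS feature.
+--features-token_exchange <enabled|disabled>
+Enables the TOKEN_EXCHANGE feature.
+--features-upload_scripts <enabled|disabled>
+Enables the UPLOAD_SCRIPTS feature.
+--features-web_authn <enabled|disabled>
+Enables the WEB_AUTHN feature.
+-ft, --features <preview>
+Enables all tech preview features.
+
+HTTP/TLS:
+
+--http-relative-path <path>
+Set the path relative to '/' for serving resources. Default: /.
+
+Metrics:
+
+--metrics-enabled <true|false>
+If the server should expose metrics and healthcheck. If enabled, metrics are
+available at the '/metrics' endpoint and healthcheck at the '/health'
+endpoint. Default: false.
+
+Vault:
+
+--vault-file-path <dir>
+If set, secrets can be obtained by reading the content of files within the
+given path.
+--vault-hashicorp-paths <paths>
+A set of one or more paths that should be used when looking up secrets.
+
+Examples:
+
+Optimize the server based on a profile configuration:
+
+$ kc.sh --profile=prod build
+
+Change database settings:
+
+$ kc.sh build --db=postgres [--db-url][--db-username][--db-password]
+
+Enable a feature:
+
+$ kc.sh build --features-<feature_name>=[enabled|disabled]
+
+Or alternatively, enable all tech preview features:
+
+$ kc.sh build --features=preview
+
+Enable metrics:
+
+$ kc.sh build --metrics-enabled=true
+
+Change the relative path:
+
+$ kc.sh build --http-relative-path=/auth
+
+You can also use the "--auto-build" option when starting the server to avoid
+running this command every time you change a configuration:
+
+$ kc.sh start --auto-build <OPTIONS>
+
+By doing that you have an additional overhead when the server is starting.
+
+Use 'kc.sh build --help-all' to list all available options, including the start
+options.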
@ -0,0 +1,213 @@
|
|||
Creates a new and optimized server image.
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh build [OPTIONS]
|
||||
|
||||
Creates a new and optimized server image based on the configuration options
|
||||
passed to this command. Once created, the configuration will be persisted and
|
||||
read during startup without having to pass them over again.
|
||||
|
||||
Some configuration options require this command to be executed in order to
|
||||
actually change a configuration. For instance
|
||||
|
||||
- Change database vendor
|
||||
- Enable/disable features
|
||||
- Enable/Disable providers or set a default
|
||||
|
||||
Consider running this command before running the server in production for an
|
||||
optimal runtime.
|
||||
|
||||
Options:
|
||||
|
||||
-h, --help This help message.
|
||||
--help-all This same help message but with additional options.
|
||||
|
||||
Cluster:
|
||||
|
||||
--cache <type> Defines the cache mechanism for high-availability. By default, a 'ispn' cache
|
||||
is used to create a cluster between multiple server nodes. A 'local' cache
|
||||
disables clustering and is intended for development and testing purposes.
|
||||
Default: ispn.
|
||||
--cache-config-file <file>
|
||||
Defines the file from which cache configuration should be loaded from.
|
||||
--cache-stack <stack>
|
||||
Define the default stack to use for cluster communication and node discovery.
|
||||
This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
|
||||
|
||||
Database:
|
||||
|
||||
--db <vendor> The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
|
||||
mssql-2012, mysql, oracle, postgres, postgres-95
|
||||
--db-password <password>
|
||||
The password of the database user.
|
||||
--db-pool-initial-size <size>
|
||||
The initial size of the connection pool.
|
||||
--db-pool-max-size <size>
|
||||
The maximum size of the connection pool. Default: 100.
|
||||
--db-pool-min-size <size>
|
||||
The minimal size of the connection pool.
|
||||
--db-schema <schema> The database schema to be used.
|
||||
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||
selected database vendor. For instance, if using 'postgres', the default
|
||||
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||
--db-url-database <dbname>
|
||||
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-host <hostname>
|
||||
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-properties <properties>
|
||||
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-username <username>
|
||||
The username of the database user.
|
||||
|
||||
Feature:
|
||||
|
||||
--features-account2 <enabled|disabled>
|
||||
Enables the ACCOUNT2 feature.
|
||||
--features-account_api <enabled|disabled>
|
||||
Enables the ACCOUNT_API feature.
|
||||
--features-admin2 <enabled|disabled>
|
||||
Enables the ADMIN2 feature.
|
||||
--features-admin_fine_grained_authz <enabled|disabled>
|
||||
Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
|
||||
--features-authorization <enabled|disabled>
|
||||
Enables the AUTHORIZATION feature.
|
||||
--features-ciba <enabled|disabled>
|
||||
Enables the CIBA feature.
|
||||
--features-client_policies <enabled|disabled>
|
||||
Enables the CLIENT_POLICIES feature.
|
||||
--features-declarative_user_profile <enabled|disabled>
|
||||
Enables the DECLARATIVE_USER_PROFILE feature.
|
||||
--features-docker <enabled|disabled>
|
||||
Enables the DOCKER feature.
|
||||
--features-impersonation <enabled|disabled>
|
||||
Enables the IMPERSONATION feature.
|
||||
--features-map_storage <enabled|disabled>
|
||||
Enables the MAP_STORAGE feature.
|
||||
--features-openshift_integration <enabled|disabled>
|
||||
Enables the OPENSHIFT_INTEGRATION feature.
|
||||
--features-par <enabled|disabled>
|
||||
Enables the PAR feature.
|
||||
--features-scripts <enabled|disabled>
|
||||
Enables the SCRIPTS feature.
|
||||
--features-token_exchange <enabled|disabled>
|
||||
Enables the TOKEN_EXCHANGE feature.
|
||||
--features-upload_scripts <enabled|disabled>
|
||||
Enables the UPLOAD_SCRIPTS feature.
|
||||
--features-web_authn <enabled|disabled>
|
||||
Enables the WEB_AUTHN feature.
|
||||
-ft, --features <preview>
|
||||
Enables all tech preview features.
|
||||
|
||||
Hostname:
|
||||
|
||||
--hostname <hostname>
|
||||
Hostname for the Keycloak server.
|
||||
--hostname-admin <url>
|
||||
Overrides the hostname for the admin console and APIs.
|
||||
--hostname-path <path>
|
||||
This should be set if proxy uses a different context-path for Keycloak.
|
||||
--hostname-strict <true|false>
|
||||
Disables dynamically resolving the hostname from request headers. Should
|
||||
always be set to true in production, unless proxy verifies the Host header.
|
||||
Default: true.
|
||||
--hostname-strict-backchannel <true|false>
|
||||
By default backchannel URLs are dynamically resolved from request headers to
|
||||
allow internal an external applications. If all applications use the public
|
||||
URL this option should be enabled. Default: false.
|
||||
|
||||
HTTP/TLS:
|
||||
|
||||
--http-enabled <true|false>
|
||||
Enables the HTTP listener. Default: false.
|
||||
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||
--http-port <port> The used HTTP port. Default: 8080.
|
||||
--http-relative-path <path>
|
||||
Set the path relative to '/' for serving resources. Default: /.
|
||||
--https-certificate-file <file>
|
||||
The file path to a server certificate or certificate chain in PEM format.
|
||||
--https-certificate-key-file <file>
|
||||
The file path to a private key in PEM format.
|
||||
--https-cipher-suites <ciphers>
|
||||
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||
--https-client-auth <auth>
|
||||
Configures the server to require/request client authentication. Possible
|
||||
Values: none, request, required. Default: none.
|
||||
--https-key-store-file <file>
|
||||
The key store which holds the certificate information instead of specifying
|
||||
separate files.
|
||||
--https-key-store-password <password>
|
||||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable.
|
||||
--https-trust-store-file <file>
|
||||
The trust store which holds the certificate information of the certificates to
|
||||
trust.
|
||||
--https-trust-store-password <password>
|
||||
The password of the trust store file.
|
||||
--https-trust-store-type <type>
|
||||
The type of the trust store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
|
||||
Metrics:
|
||||
|
||||
--metrics-enabled <true|false>
|
||||
If the server should expose metrics and healthcheck. If enabled, metrics are
|
||||
available at the '/metrics' endpoint and healthcheck at the '/health'
|
||||
endpoint. Default: false.
|
||||
|
||||
Proxy:
|
||||
|
||||
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||
|
||||
Vault:
|
||||
|
||||
--vault-file-path <dir>
|
||||
If set, secrets can be obtained by reading the content of files within the
|
||||
given path.
|
||||
--vault-hashicorp-paths <paths>
|
||||
A set of one or more paths that should be used when looking up secrets.
|
||||
|
||||
Examples:
|
||||
|
||||
Optimize the server based on a profile configuration:
|
||||
|
||||
$ kc.sh --profile=prod build
|
||||
|
||||
Change database settings:
|
||||
|
||||
$ kc.sh build --db=postgres [--db-url][--db-username][--db-password]
|
||||
|
||||
Enable a feature:
|
||||
|
||||
$ kc.sh build --features-<feature_name>=[enabled|disabled]
|
||||
|
||||
Or alternatively, enable all tech preview features:
|
||||
|
||||
$ kc.sh build --features=preview
|
||||
|
||||
Enable metrics:
|
||||
|
||||
$ kc.sh build --metrics-enabled=true
|
||||
|
||||
Change the relative path:
|
||||
|
||||
$ kc.sh build --http-relative-path=/auth
|
||||
|
||||
You can also use the "--auto-build" option when starting the server to avoid
|
||||
running this command every time you change a configuration:
|
||||
|
||||
$ kc.sh start --auto-build <OPTIONS>
|
||||
|
||||
By doing that you have an additional overhead when the server is starting.
|
||||
|
||||
Use 'kc.sh build --help-all' to list all available options, including the start
|
||||
options.
|
|
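Review bot: The approved output line `allow internal an external applications` (the `--hostname-strict-backchannel` description) captures a typo from the help text, and approving it pins that typo so the next wording fix in the option's description will fail this golden test. Fix the source string to `allow internal and external applications` first and then re-approve; the same line appears in the two start-dev approved outputs further down (the plain and the `--help-all` variant) and presumably in the start output that continues past this view. The file also pins `--https-key-store-password ... Default: password.`; that is pre-existing product text rather than something this commit introduces, but a later hardening of that default will require re-approving this file as well. This section begins at the `@ -0,0 +1,213 @@` line, with no file name visible here.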
@ -0,0 +1,59 @@
|
|||
Keycloak - Open Source Identity and Access Management
|
||||
|
||||
Find more information at: https://www.keycloak.org/docs/latest
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh [OPTIONS] [COMMAND]
|
||||
|
||||
Use this command-line tool to manage your Keycloak cluster.
|
||||
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
|
||||
"./kc.sh") to execute from the current folder.
|
||||
|
||||
Options:
|
||||
|
||||
-cf, --config-file <file>
|
||||
Set the path to a configuration file. By default, configuration properties are
|
||||
read from the "keycloak.properties" file in the "conf" directory.
|
||||
-D<key>=<value> <sysProps>
|
||||
Set a Java system property
|
||||
-h, --help This help message.
|
||||
-pf, --profile <profile>
|
||||
Set the profile. Use 'dev' profile to enable development mode.
|
||||
-v, --verbose Print out error details when running this command.
|
||||
-V, --version Show version information
|
||||
|
||||
Commands:
|
||||
|
||||
build Creates a new and optimized server image.
|
||||
start Start the server.
|
||||
start-dev Start the server in development mode.
|
||||
export Export data from realms to a file or directory.
|
||||
import Import data from a directory or a file.
|
||||
show-config Print out the current configuration.
|
||||
tools %nUtilities for use and interaction with the server.
|
||||
completion Generate bash/zsh completion script for kc.sh.
|
||||
|
||||
Examples:
|
||||
|
||||
Start the server in development mode for local development or testing:
|
||||
|
||||
$ kc.sh start-dev
|
||||
|
||||
Building an optimized server runtime:
|
||||
|
||||
$ kc.sh build <OPTIONS>
|
||||
|
||||
Start the server in production mode:
|
||||
|
||||
$ kc.sh start <OPTIONS>
|
||||
|
||||
Enable auto-completion to bash/zsh:
|
||||
|
||||
$ source <(kc.sh tools completion)
|
||||
|
||||
Please, take a look at the documentation for more details before deploying in
|
||||
production.
|
||||
|
||||
Use "kc.sh start --help" for the available options when starting the server.
|
||||
Use "kc.sh <command> --help" for more information about other commands.
|
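Review bot: `tools %nUtilities for use and interaction with the server.` in the Commands list carries an unexpanded `%n` format specifier, so approving this output pins a rendering defect rather than the intended text. The `%n` is presumably a leading line break in the `tools` command's description string that picocli expands in that command's own help but not in the parent's command list; drop it from the description (or move the wording) and re-approve. The two sections that follow are byte-identical copies of this output and carry the same line, so they need the same fix and re-approval.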
|
@ -0,0 +1,59 @@
|
|||
Keycloak - Open Source Identity and Access Management
|
||||
|
||||
Find more information at: https://www.keycloak.org/docs/latest
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh [OPTIONS] [COMMAND]
|
||||
|
||||
Use this command-line tool to manage your Keycloak cluster.
|
||||
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
|
||||
"./kc.sh") to execute from the current folder.
|
||||
|
||||
Options:
|
||||
|
||||
-cf, --config-file <file>
|
||||
Set the path to a configuration file. By default, configuration properties are
|
||||
read from the "keycloak.properties" file in the "conf" directory.
|
||||
-D<key>=<value> <sysProps>
|
||||
Set a Java system property
|
||||
-h, --help This help message.
|
||||
-pf, --profile <profile>
|
||||
Set the profile. Use 'dev' profile to enable development mode.
|
||||
-v, --verbose Print out error details when running this command.
|
||||
-V, --version Show version information
|
||||
|
||||
Commands:
|
||||
|
||||
build Creates a new and optimized server image.
|
||||
start Start the server.
|
||||
start-dev Start the server in development mode.
|
||||
export Export data from realms to a file or directory.
|
||||
import Import data from a directory or a file.
|
||||
show-config Print out the current configuration.
|
||||
tools %nUtilities for use and interaction with the server.
|
||||
completion Generate bash/zsh completion script for kc.sh.
|
||||
|
||||
Examples:
|
||||
|
||||
Start the server in development mode for local development or testing:
|
||||
|
||||
$ kc.sh start-dev
|
||||
|
||||
Building an optimized server runtime:
|
||||
|
||||
$ kc.sh build <OPTIONS>
|
||||
|
||||
Start the server in production mode:
|
||||
|
||||
$ kc.sh start <OPTIONS>
|
||||
|
||||
Enable auto-completion to bash/zsh:
|
||||
|
||||
$ source <(kc.sh tools completion)
|
||||
|
||||
Please, take a look at the documentation for more details before deploying in
|
||||
production.
|
||||
|
||||
Use "kc.sh start --help" for the available options when starting the server.
|
||||
Use "kc.sh <command> --help" for more information about other commands.
|
|
@ -0,0 +1,59 @@
|
|||
Keycloak - Open Source Identity and Access Management
|
||||
|
||||
Find more information at: https://www.keycloak.org/docs/latest
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh [OPTIONS] [COMMAND]
|
||||
|
||||
Use this command-line tool to manage your Keycloak cluster.
|
||||
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
|
||||
"./kc.sh") to execute from the current folder.
|
||||
|
||||
Options:
|
||||
|
||||
-cf, --config-file <file>
|
||||
Set the path to a configuration file. By default, configuration properties are
|
||||
read from the "keycloak.properties" file in the "conf" directory.
|
||||
-D<key>=<value> <sysProps>
|
||||
Set a Java system property
|
||||
-h, --help This help message.
|
||||
-pf, --profile <profile>
|
||||
Set the profile. Use 'dev' profile to enable development mode.
|
||||
-v, --verbose Print out error details when running this command.
|
||||
-V, --version Show version information
|
||||
|
||||
Commands:
|
||||
|
||||
build Creates a new and optimized server image.
|
||||
start Start the server.
|
||||
start-dev Start the server in development mode.
|
||||
export Export data from realms to a file or directory.
|
||||
import Import data from a directory or a file.
|
||||
show-config Print out the current configuration.
|
||||
tools %nUtilities for use and interaction with the server.
|
||||
completion Generate bash/zsh completion script for kc.sh.
|
||||
|
||||
Examples:
|
||||
|
||||
Start the server in development mode for local development or testing:
|
||||
|
||||
$ kc.sh start-dev
|
||||
|
||||
Building an optimized server runtime:
|
||||
|
||||
$ kc.sh build <OPTIONS>
|
||||
|
||||
Start the server in production mode:
|
||||
|
||||
$ kc.sh start <OPTIONS>
|
||||
|
||||
Enable auto-completion to bash/zsh:
|
||||
|
||||
$ source <(kc.sh tools completion)
|
||||
|
||||
Please, take a look at the documentation for more details before deploying in
|
||||
production.
|
||||
|
||||
Use "kc.sh start --help" for the available options when starting the server.
|
||||
Use "kc.sh <command> --help" for more information about other commands.
|
|
@ -0,0 +1,101 @@
|
|||
Start the server in development mode.
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh start-dev [OPTIONS]
|
||||
|
||||
Use this command if you want to run the server locally for development or
|
||||
testing purposes.
|
||||
|
||||
Options:
|
||||
|
||||
-h, --help This help message.
|
||||
--help-all This same help message but with additional options.
|
||||
|
||||
Database:
|
||||
|
||||
--db-password <password>
|
||||
The password of the database user.
|
||||
--db-pool-initial-size <size>
|
||||
The initial size of the connection pool.
|
||||
--db-pool-max-size <size>
|
||||
The maximum size of the connection pool. Default: 100.
|
||||
--db-pool-min-size <size>
|
||||
The minimal size of the connection pool.
|
||||
--db-schema <schema> The database schema to be used.
|
||||
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||
selected database vendor. For instance, if using 'postgres', the default
|
||||
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||
--db-url-database <dbname>
|
||||
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-host <hostname>
|
||||
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-properties <properties>
|
||||
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-username <username>
|
||||
The username of the database user.
|
||||
|
||||
Hostname:
|
||||
|
||||
--hostname <hostname>
|
||||
Hostname for the Keycloak server.
|
||||
--hostname-admin <url>
|
||||
Overrides the hostname for the admin console and APIs.
|
||||
--hostname-path <path>
|
||||
This should be set if proxy uses a different context-path for Keycloak.
|
||||
--hostname-strict <true|false>
|
||||
Disables dynamically resolving the hostname from request headers. Should
|
||||
always be set to true in production, unless proxy verifies the Host header.
|
||||
Default: true.
|
||||
--hostname-strict-backchannel <true|false>
|
||||
By default backchannel URLs are dynamically resolved from request headers to
|
||||
allow internal an external applications. If all applications use the public
|
||||
URL this option should be enabled. Default: false.
|
||||
|
||||
HTTP/TLS:
|
||||
|
||||
--http-enabled <true|false>
|
||||
Enables the HTTP listener. Default: false.
|
||||
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||
--http-port <port> The used HTTP port. Default: 8080.
|
||||
--https-certificate-file <file>
|
||||
The file path to a server certificate or certificate chain in PEM format.
|
||||
--https-certificate-key-file <file>
|
||||
The file path to a private key in PEM format.
|
||||
--https-cipher-suites <ciphers>
|
||||
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||
--https-client-auth <auth>
|
||||
Configures the server to require/request client authentication. Possible
|
||||
Values: none, request, required. Default: none.
|
||||
--https-key-store-file <file>
|
||||
The key store which holds the certificate information instead of specifying
|
||||
separate files.
|
||||
--https-key-store-password <password>
|
||||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable.
|
||||
--https-trust-store-file <file>
|
||||
The trust store which holds the certificate information of the certificates to
|
||||
trust.
|
||||
--https-trust-store-password <password>
|
||||
The password of the trust store file.
|
||||
--https-trust-store-type <type>
|
||||
The type of the trust store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
|
||||
Proxy:
|
||||
|
||||
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||
|
||||
Do NOT start the server using this command when deploying to production.
|
||||
|
||||
Use 'kc.sh start-dev --help-all' to list all available options, including build
|
||||
options.
|
|
@ -0,0 +1,171 @@
|
|||
Start the server in development mode.
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh start-dev [OPTIONS]
|
||||
|
||||
Use this command if you want to run the server locally for development or
|
||||
testing purposes.
|
||||
|
||||
Options:
|
||||
|
||||
-h, --help This help message.
|
||||
--help-all This same help message but with additional options.
|
||||
|
||||
Cluster:
|
||||
|
||||
--cache <type> Defines the cache mechanism for high-availability. By default, a 'ispn' cache
|
||||
is used to create a cluster between multiple server nodes. A 'local' cache
|
||||
disables clustering and is intended for development and testing purposes.
|
||||
Default: ispn.
|
||||
--cache-config-file <file>
|
||||
Defines the file from which cache configuration should be loaded from.
|
||||
--cache-stack <stack>
|
||||
Define the default stack to use for cluster communication and node discovery.
|
||||
This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
|
||||
|
||||
Database:
|
||||
|
||||
--db <vendor> The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
|
||||
mssql-2012, mysql, oracle, postgres, postgres-95
|
||||
--db-password <password>
|
||||
The password of the database user.
|
||||
--db-pool-initial-size <size>
|
||||
The initial size of the connection pool.
|
||||
--db-pool-max-size <size>
|
||||
The maximum size of the connection pool. Default: 100.
|
||||
--db-pool-min-size <size>
|
||||
The minimal size of the connection pool.
|
||||
--db-schema <schema> The database schema to be used.
|
||||
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||
selected database vendor. For instance, if using 'postgres', the default
|
||||
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||
--db-url-database <dbname>
|
||||
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-host <hostname>
|
||||
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-properties <properties>
|
||||
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-username <username>
|
||||
The username of the database user.
|
||||
|
||||
Feature:
|
||||
|
||||
--features-account2 <enabled|disabled>
|
||||
Enables the ACCOUNT2 feature.
|
||||
--features-account_api <enabled|disabled>
|
||||
Enables the ACCOUNT_API feature.
|
||||
--features-admin2 <enabled|disabled>
|
||||
Enables the ADMIN2 feature.
|
||||
--features-admin_fine_grained_authz <enabled|disabled>
|
||||
Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
|
||||
--features-authorization <enabled|disabled>
|
||||
Enables the AUTHORIZATION feature.
|
||||
--features-ciba <enabled|disabled>
|
||||
Enables the CIBA feature.
|
||||
--features-client_policies <enabled|disabled>
|
||||
Enables the CLIENT_POLICIES feature.
|
||||
--features-declarative_user_profile <enabled|disabled>
|
||||
Enables the DECLARATIVE_USER_PROFILE feature.
|
||||
--features-docker <enabled|disabled>
|
||||
Enables the DOCKER feature.
|
||||
--features-impersonation <enabled|disabled>
|
||||
Enables the IMPERSONATION feature.
|
||||
--features-map_storage <enabled|disabled>
|
||||
Enables the MAP_STORAGE feature.
|
||||
--features-openshift_integration <enabled|disabled>
|
||||
Enables the OPENSHIFT_INTEGRATION feature.
|
||||
--features-par <enabled|disabled>
|
||||
Enables the PAR feature.
|
||||
--features-scripts <enabled|disabled>
|
||||
Enables the SCRIPTS feature.
|
||||
--features-token_exchange <enabled|disabled>
|
||||
Enables the TOKEN_EXCHANGE feature.
|
||||
--features-upload_scripts <enabled|disabled>
|
||||
Enables the UPLOAD_SCRIPTS feature.
|
||||
--features-web_authn <enabled|disabled>
|
||||
Enables the WEB_AUTHN feature.
|
||||
-ft, --features <preview>
|
||||
Enables all tech preview features.
|
||||
|
||||
Hostname:
|
||||
|
||||
--hostname <hostname>
|
||||
Hostname for the Keycloak server.
|
||||
--hostname-admin <url>
|
||||
Overrides the hostname for the admin console and APIs.
|
||||
--hostname-path <path>
|
||||
This should be set if proxy uses a different context-path for Keycloak.
|
||||
--hostname-strict <true|false>
|
||||
Disables dynamically resolving the hostname from request headers. Should
|
||||
always be set to true in production, unless proxy verifies the Host header.
|
||||
Default: true.
|
||||
--hostname-strict-backchannel <true|false>
|
||||
By default backchannel URLs are dynamically resolved from request headers to
|
||||
allow internal an external applications. If all applications use the public
|
||||
URL this option should be enabled. Default: false.
|
||||
|
||||
HTTP/TLS:
|
||||
|
||||
--http-enabled <true|false>
|
||||
Enables the HTTP listener. Default: false.
|
||||
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||
--http-port <port> The used HTTP port. Default: 8080.
|
||||
--http-relative-path <path>
|
||||
Set the path relative to '/' for serving resources. Default: /.
|
||||
--https-certificate-file <file>
|
||||
The file path to a server certificate or certificate chain in PEM format.
|
||||
--https-certificate-key-file <file>
|
||||
The file path to a private key in PEM format.
|
||||
--https-cipher-suites <ciphers>
|
||||
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||
--https-client-auth <auth>
|
||||
Configures the server to require/request client authentication. Possible
|
||||
Values: none, request, required. Default: none.
|
||||
--https-key-store-file <file>
|
||||
The key store which holds the certificate information instead of specifying
|
||||
separate files.
|
||||
--https-key-store-password <password>
|
||||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable.
|
||||
--https-trust-store-file <file>
|
||||
The trust store which holds the certificate information of the certificates to
|
||||
trust.
|
||||
--https-trust-store-password <password>
|
||||
The password of the trust store file.
|
||||
--https-trust-store-type <type>
|
||||
The type of the trust store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
|
||||
Metrics:
|
||||
|
||||
--metrics-enabled <true|false>
|
||||
If the server should expose metrics and healthcheck. If enabled, metrics are
|
||||
available at the '/metrics' endpoint and healthcheck at the '/health'
|
||||
endpoint. Default: false.
|
||||
|
||||
Proxy:
|
||||
|
||||
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||
|
||||
Vault:
|
||||
|
||||
--vault-file-path <dir>
|
||||
If set, secrets can be obtained by reading the content of files within the
|
||||
given path.
|
||||
--vault-hashicorp-paths <paths>
|
||||
A set of one or more paths that should be used when looking up secrets.
|
||||
|
||||
Do NOT start the server using this command when deploying to production.
|
||||
|
||||
Use 'kc.sh start-dev --help-all' to list all available options, including build
|
||||
options.
|
|
@ -0,0 +1,107 @@
|
|||
Start the server.
|
||||
|
||||
Usage:
|
||||
|
||||
kc.sh start [OPTIONS]
|
||||
|
||||
Use this command to run the server in production.
|
||||
|
||||
Options:
|
||||
|
||||
-b, --auto-build Automatically detects whether the server configuration changed and a new
|
||||
server image must be built prior to starting the server. This option
|
||||
provides an alternative to manually running the 'build' prior to starting
|
||||
the server. Use this configuration carefully in production as it might
|
||||
impact the startup time.
|
||||
-h, --help This help message.
|
||||
|
||||
Database:
|
||||
|
||||
--db-password <password>
|
||||
The password of the database user.
|
||||
--db-pool-initial-size <size>
|
||||
The initial size of the connection pool.
|
||||
--db-pool-max-size <size>
|
||||
The maximum size of the connection pool. Default: 100.
|
||||
--db-pool-min-size <size>
|
||||
The minimal size of the connection pool.
|
||||
--db-schema <schema> The database schema to be used.
|
||||
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
|
||||
selected database vendor. For instance, if using 'postgres', the default
|
||||
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
|
||||
--db-url-database <dbname>
|
||||
Sets the database name of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-host <hostname>
|
||||
Sets the hostname of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-url-properties <properties>
|
||||
Sets the properties of the default JDBC URL of the chosen vendor. If the
|
||||
`db-url` option is set, this option is ignored.
|
||||
--db-username <username>
|
||||
The username of the database user.
|
||||
|
||||
Hostname:
|
||||
|
||||
--hostname <hostname>
|
||||
Hostname for the Keycloak server.
|
||||
--hostname-admin <url>
|
||||
Overrides the hostname for the admin console and APIs.
|
||||
--hostname-path <path>
|
||||
This should be set if proxy uses a different context-path for Keycloak.
|
||||
--hostname-strict <true|false>
|
||||
Disables dynamically resolving the hostname from request headers. Should
|
||||
always be set to true in production, unless proxy verifies the Host header.
|
||||
Default: true.
|
||||
--hostname-strict-backchannel <true|false>
|
||||
By default backchannel URLs are dynamically resolved from request headers to
|
||||
allow internal an external applications. If all applications use the public
|
||||
URL this option should be enabled. Default: false.
|
||||
|
||||
HTTP/TLS:
|
||||
|
||||
--http-enabled <true|false>
|
||||
Enables the HTTP listener. Default: false.
|
||||
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||
--http-port <port> The used HTTP port. Default: 8080.
|
||||
--https-certificate-file <file>
|
||||
The file path to a server certificate or certificate chain in PEM format.
|
||||
--https-certificate-key-file <file>
|
||||
The file path to a private key in PEM format.
|
||||
--https-cipher-suites <ciphers>
|
||||
The cipher suites to use. If none is given, a reasonable default is selected.
|
||||
--https-client-auth <auth>
|
||||
Configures the server to require/request client authentication. Possible
|
||||
Values: none, request, required. Default: none.
|
||||
--https-key-store-file <file>
|
||||
The key store which holds the certificate information instead of specifying
|
||||
separate files.
|
||||
--https-key-store-password <password>
|
||||
The password of the key store file. Default: password.
|
||||
--https-key-store-type <type>
|
||||
The type of the key store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
--https-port <port> The used HTTPS port. Default: 8443.
|
||||
--https-protocols <protocols>
|
||||
The list of protocols to explicitly enable.
|
||||
--https-trust-store-file <file>
|
||||
The trust store which holds the certificate information of the certificates to
|
||||
trust.
|
||||
--https-trust-store-password <password>
|
||||
The password of the trust store file.
|
||||
--https-trust-store-type <type>
|
||||
The type of the trust store file. If not given, the type is automatically
|
||||
detected based on the file name.
|
||||
|
||||
Proxy:
|
||||
|
||||
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
|
||||
Possible values are: none,edge,reencrypt,passthrough Default: none.
|
||||
|
||||
You may use the "--auto-build" option when starting the server to avoid running
|
||||
the "build" command everytime you need to change a static property:
|
||||
|
||||
$ kc.sh start --auto-build <OPTIONS>
|
||||
|
||||
By doing that you have an additional overhead when the server is starting. Run
|
||||
"kc.sh build -h" for more details.
|