Polish fips-mode switch for preview (#17228)

* Polish fips-mode switch for preview
Closes #17208 #17210 


Co-authored-by: mposolda <mposolda@gmail.com>
This commit is contained in:
rmartinc 2023-02-22 12:12:52 +01:00 committed by GitHub
parent 9df7ef4331
commit f91ac2970d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
33 changed files with 150 additions and 106 deletions

View file

@ -32,6 +32,7 @@ import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@ -86,7 +87,9 @@ public class Profile {
UPDATE_EMAIL("Update Email Action", Type.PREVIEW),
JS_ADAPTER("Host keycloak.js and keycloak-authz.js through the Keycloak sever", Type.DEFAULT);
JS_ADAPTER("Host keycloak.js and keycloak-authz.js through the Keycloak sever", Type.DEFAULT),
FIPS("FIPS 140-2 mode", Type.PREVIEW_DISABLED_BY_DEFAULT);
private final Type type;
private String label;
@ -123,6 +126,7 @@ public class Profile {
DEFAULT("Default"),
DISABLED_BY_DEFAULT("Disabled by default"),
PREVIEW("Preview"),
PREVIEW_DISABLED_BY_DEFAULT("Preview disabled by default"), // Preview features, which are not automatically enabled even with enabled preview profile (Needs to be enabled explicitly)
EXPERIMENTAL("Experimental"),
DEPRECATED("Deprecated");
@ -197,8 +201,12 @@ public class Profile {
return features.entrySet().stream().filter(e -> !e.getValue()).map(Map.Entry::getKey).collect(Collectors.toSet());
}
/**
* @return all features of type "preview" or "preview_disabled_by_default"
*/
public Set<Feature> getPreviewFeatures() {
return getFeatures(Feature.Type.PREVIEW);
return Stream.concat(getFeatures(Feature.Type.PREVIEW).stream(), getFeatures(Feature.Type.PREVIEW_DISABLED_BY_DEFAULT).stream())
.collect(Collectors.toSet());
}
public Set<Feature> getExperimentalFeatures() {
@ -257,14 +265,18 @@ public class Profile {
}
private void logUnsupportedFeatures() {
logUnsuportedFeatures(Feature.Type.PREVIEW, Logger.Level.INFO);
logUnsuportedFeatures(Feature.Type.EXPERIMENTAL, Logger.Level.WARN);
logUnsuportedFeatures(Feature.Type.DEPRECATED, Logger.Level.WARN);
logUnsuportedFeatures(Feature.Type.PREVIEW, getPreviewFeatures(), Logger.Level.INFO);
logUnsuportedFeatures(Feature.Type.EXPERIMENTAL, getExperimentalFeatures(), Logger.Level.WARN);
logUnsuportedFeatures(Feature.Type.DEPRECATED, getDeprecatedFeatures(), Logger.Level.WARN);
}
private void logUnsuportedFeatures(Feature.Type type, Logger.Level level) {
private void logUnsuportedFeatures(Feature.Type type, Set<Feature> checkedFeatures, Logger.Level level) {
Set<Feature.Type> checkedFeatureTypes = checkedFeatures.stream()
.map(Feature::getType)
.collect(Collectors.toSet());
String enabledFeaturesOfType = features.entrySet().stream()
.filter(e -> e.getValue() && e.getKey().getType().equals(type))
.filter(e -> e.getValue() && checkedFeatureTypes.contains(e.getKey().getType()))
.map(e -> e.getKey().getKey()).sorted().collect(Collectors.joining(", "));
if (!enabledFeaturesOfType.isEmpty()) {

View file

@ -1,21 +1,32 @@
package org.keycloak.common.crypto;
public enum FipsMode {
enabled("org.keycloak.crypto.fips.FIPS1402Provider"),
strict("org.keycloak.crypto.fips.Fips1402StrictCryptoProvider"),
disabled("org.keycloak.crypto.def.DefaultCryptoProvider");
NON_STRICT("org.keycloak.crypto.fips.FIPS1402Provider"),
STRICT("org.keycloak.crypto.fips.Fips1402StrictCryptoProvider"),
DISABLED("org.keycloak.crypto.def.DefaultCryptoProvider");
private String providerClassName;
private final String providerClassName;
private final String optionName;
FipsMode(String providerClassName) {
this.providerClassName = providerClassName;
this.optionName = name().toLowerCase().replace('_', '-');
}
public boolean isFipsEnabled() {
return this.equals(enabled) || this.equals(strict);
return this.equals(NON_STRICT) || this.equals(STRICT);
}
public String getProviderClassName() {
return providerClassName;
}
public static FipsMode valueOfOption(String name) {
return valueOf(name.toUpperCase().replace('-', '_'));
}
@Override
public String toString() {
return optionName;
}
}

View file

@ -70,13 +70,13 @@ public class ProfileTest {
}
Assert.assertEquals(Profile.ProfileName.DEFAULT, profile.getName());
Set<Profile.Feature> disabledFeatutes = new HashSet<>(Arrays.asList(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DYNAMIC_SCOPES, Profile.Feature.DOCKER, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.MAP_STORAGE, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL));
Set<Profile.Feature> disabledFeatutes = new HashSet<>(Arrays.asList(Profile.Feature.FIPS, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DYNAMIC_SCOPES, Profile.Feature.DOCKER, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.MAP_STORAGE, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL));
// KERBEROS can be disabled (i.e. FIPS mode disables SunJGSS provider)
if (Profile.Feature.KERBEROS.getType() == Profile.Feature.Type.DISABLED_BY_DEFAULT) {
disabledFeatutes.add(Profile.Feature.KERBEROS);
}
assertEquals(profile.getDisabledFeatures(), disabledFeatutes);
assertEquals(profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL);
assertEquals(profile.getPreviewFeatures(), Profile.Feature.FIPS, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL);
}
@Test

View file

@ -84,7 +84,7 @@ public class HttpOptions {
.category(OptionCategory.HTTP)
.description("The type of the key store file. " +
"If not given, the type is automatically detected based on the file name. " +
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.")
.build();
public static final Option HTTPS_TRUST_STORE_FILE = new OptionBuilder<>("https-trust-store-file", File.class)
@ -101,7 +101,7 @@ public class HttpOptions {
.category(OptionCategory.HTTP)
.description("The type of the trust store file. " +
"If not given, the type is automatically detected based on the file name. " +
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.strict.name() + "' and no value is set, it defaults to 'BCFKS'.")
"If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.")
.build();
public static final Option<Boolean> HTTP_SERVER_ENABLED = new OptionBuilder<>("http-server-enabled", Boolean.class)

View file

@ -14,7 +14,7 @@ public enum OptionCategory {
PROXY("Proxy", 90, ConfigSupportLevel.SUPPORTED),
VAULT("Vault", 100, ConfigSupportLevel.SUPPORTED),
LOGGING("Logging", 110, ConfigSupportLevel.SUPPORTED),
SECURITY("Security", 120, ConfigSupportLevel.EXPERIMENTAL),
SECURITY("Security", 120, ConfigSupportLevel.PREVIEW),
GENERAL("General", 999, ConfigSupportLevel.SUPPORTED);
private String heading;

View file

@ -1,13 +1,21 @@
package org.keycloak.config;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import org.keycloak.common.crypto.FipsMode;
public class SecurityOptions {
public static final Option<FipsMode> FIPS_MODE = new OptionBuilder<>("fips-mode", FipsMode.class)
.category(OptionCategory.SECURITY)
.expectedValues(SecurityOptions::getFipsModeValues)
.buildTime(true)
.description("Sets the FIPS mode. If 'enabled' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set 'strict' to run on approved mode.")
.defaultValue(FipsMode.disabled)
.description("Sets the FIPS mode. If '" + FipsMode.NON_STRICT + "' is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set '" + FipsMode.STRICT + "' to run on approved mode.")
.defaultValue(FipsMode.DISABLED)
.build();
private static List<String> getFipsModeValues() {
return Arrays.asList(FipsMode.NON_STRICT.toString(), FipsMode.STRICT.toString());
}
}

View file

@ -84,7 +84,6 @@ import io.smallrye.config.ConfigValue;
import org.hibernate.cfg.AvailableSettings;
import org.hibernate.jpa.boot.internal.ParsedPersistenceXmlDescriptor;
import org.hibernate.jpa.boot.internal.PersistenceXmlParser;
import org.hibernate.resource.jdbc.spi.PhysicalConnectionHandlingMode;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.ClassInfo;
@ -217,9 +216,7 @@ class KeycloakProcessor {
return new ConfigBuildItem();
}
@Record(ExecutionTime.STATIC_INIT)
@BuildStep
@Consume(ConfigBuildItem.class)
// called from setCryptoProvider now
ProfileBuildItem configureProfile(KeycloakRecorder recorder) {
Profile profile = Profile.configure(
new QuarkusProfileConfigResolver(),
@ -625,9 +622,16 @@ class KeycloakProcessor {
@BuildStep
@Record(ExecutionTime.STATIC_INIT)
void setCryptoProvider(KeycloakRecorder recorder) {
FipsMode fipsMode = Configuration.getOptionalValue(
NS_KEYCLOAK_PREFIX + SecurityOptions.FIPS_MODE.getKey()).map(
FipsMode::valueOf).orElse(FipsMode.disabled);
configureProfile(recorder);
FipsMode fipsMode = Configuration.getOptionalValue(NS_KEYCLOAK_PREFIX + SecurityOptions.FIPS_MODE.getKey())
.map(FipsMode::valueOfOption)
.orElse(FipsMode.DISABLED);
if (Profile.isFeatureEnabled(Profile.Feature.FIPS) && !fipsMode.isFipsEnabled()) {
// default to non strict when fips feature enabled
fipsMode = FipsMode.NON_STRICT;
} else if (fipsMode.isFipsEnabled() && !Profile.isFeatureEnabled(Profile.Feature.FIPS)) {
throw new RuntimeException("FIPS mode cannot be enabled without enabling the FIPS feature --features=fips");
}
recorder.setCryptoProvider(fipsMode);
}

View file

@ -2,17 +2,13 @@ package org.keycloak.quarkus.runtime.configuration.mappers;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
import java.util.Optional;
import org.keycloak.common.crypto.FipsMode;
import org.keycloak.config.ClassLoaderOptions;
import org.keycloak.config.SecurityOptions;
import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.configuration.Configuration;
import org.keycloak.quarkus.runtime.configuration.MicroProfileConfigProvider;
import io.smallrye.config.ConfigSourceInterceptorContext;
import io.smallrye.config.ConfigValue;
import java.util.Optional;
import org.keycloak.common.Profile;
import org.keycloak.common.profile.PropertiesFileProfileConfigResolver;
import org.keycloak.config.ClassLoaderOptions;
import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.QuarkusProfileConfigResolver;
final class ClassLoaderPropertyMappers {
@ -29,10 +25,9 @@ final class ClassLoaderPropertyMappers {
private static Optional<String> resolveIgnoredArtifacts(Optional<String> value, ConfigSourceInterceptorContext context) {
if (Environment.isRebuildCheck() || Environment.isRebuild()) {
ConfigValue fipsEnabled = Configuration.getConfigValue(
MicroProfileConfigProvider.NS_KEYCLOAK_PREFIX + SecurityOptions.FIPS_MODE.getKey());
Profile profile = Profile.configure(new QuarkusProfileConfigResolver(), new PropertiesFileProfileConfigResolver());
if (fipsEnabled != null && FipsMode.valueOf(fipsEnabled.getValue()).isFipsEnabled()) {
if (profile.getFeatures().get(Profile.Feature.FIPS)) {
return Optional.of(
"org.bouncycastle:bcprov-jdk15on,org.bouncycastle:bcpkix-jdk15on,org.bouncycastle:bcutil-jdk15on,org.keycloak:keycloak-crypto-default");
}

View file

@ -147,7 +147,7 @@ final class HttpPropertyMappers {
ConfigSourceInterceptorContext configSourceInterceptorContext) {
if (value.isPresent()) {
try {
if (FipsMode.valueOf(value.get()).equals(FipsMode.strict)) {
if (FipsMode.valueOfOption(value.get()).equals(FipsMode.STRICT)) {
return of("BCFKS");
}
return empty();

View file

@ -25,16 +25,16 @@ final class SecurityPropertyMappers {
private static Optional<String> resolveFipsMode(Optional<String> value, ConfigSourceInterceptorContext context) {
if (value.isEmpty()) {
return of(FipsMode.disabled.toString());
return of(FipsMode.DISABLED.toString());
}
return of(FipsMode.valueOf(value.get()).toString());
return of(FipsMode.valueOfOption(value.get()).toString());
}
private static Optional<String> resolveSecurityProvider(Optional<String> value,
ConfigSourceInterceptorContext configSourceInterceptorContext) {
FipsMode fipsMode = value.map(FipsMode::valueOf)
.orElse(FipsMode.disabled);
FipsMode fipsMode = value.map(FipsMode::valueOfOption)
.orElse(FipsMode.DISABLED);
if (fipsMode.isFipsEnabled()) {
return of("BCFIPS");

View file

@ -118,7 +118,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Djdk.net.hosts.file=${project.build.testOutputDirectory}/hosts_file -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError</argLine>
<argLine>-Djdk.net.hosts.file=${project.build.testOutputDirectory}/hosts_file -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError --add-opens=java.base/java.security=ALL-UNNAMED</argLine>
<systemPropertyVariables>
<kc.quarkus.tests.dist>${kc.quarkus.tests.dist}</kc.quarkus.tests.dist>
</systemPropertyVariables>

View file

@ -123,7 +123,7 @@ public class Keycloak {
addOptionIfNotSet(args, StorageOptions.STORAGE, StorageOptions.StorageType.chm);
}
boolean isFipsEnabled = ofNullable(getOptionValue(args, SecurityOptions.FIPS_MODE)).orElse(FipsMode.disabled).isFipsEnabled();
boolean isFipsEnabled = ofNullable(getOptionValue(args, SecurityOptions.FIPS_MODE)).orElse(FipsMode.DISABLED).isFipsEnabled();
if (isFipsEnabled) {
String logLevel = getOptionValue(args, LoggingOptions.LOG_LEVEL);

View file

@ -60,7 +60,6 @@ final class ServerOptions extends ArrayList<String> {
private Map<String, Predicate<String>> getDefaultOptions(LegacyStore legacyStoreConfig, WithDatabase withDatabase) {
Map<String, Predicate<String>> defaultOptions = new HashMap<>();
defaultOptions.put("--storage=chm", ignoreStorageChm(legacyStoreConfig, withDatabase));
defaultOptions.put("--cache=local", ignoreCacheLocal(legacyStoreConfig));
return defaultOptions;

View file

@ -28,6 +28,8 @@ import static org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.OPTI
@LegacyStore
public class FeaturesDistTest {
private static final String PREVIEW_FEATURES_EXPECTED_LOG = "Preview features enabled: admin-fine-grained-authz, client-secret-rotation, declarative-user-profile, openshift-integration, recovery-codes, scripts, token-exchange, update-email";
@Test
public void testEnableOnBuild(KeycloakDistribution dist) {
CLIResult cliResult = dist.run(Build.NAME, "--features=preview");
@ -47,6 +49,18 @@ public class FeaturesDistTest {
assertPreviewFeaturesEnabled((CLIResult) result);
}
// Should enable "fips" together with all other "preview" features
@Test
@Launch({StartDev.NAME, "--features=preview,fips"})
public void testEnablePreviewFeaturesAndFips(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
String previewFeaturesWithFipsIncluded = PREVIEW_FEATURES_EXPECTED_LOG.replace("declarative-user-profile", "declarative-user-profile, fips");
assertThat(result.getOutput(), CoreMatchers.allOf(
containsString(previewFeaturesWithFipsIncluded)));
cliResult.assertError("Failed to configure FIPS.");
}
@Test
@Launch({StartDev.NAME, "--features=preview", "--features-disabled=token-exchange"})
public void testPreviewFeatureDisabledInPreviewMode(LaunchResult result) {
@ -87,6 +101,6 @@ public class FeaturesDistTest {
private void assertPreviewFeaturesEnabled(CLIResult result) {
assertThat(result.getOutput(), CoreMatchers.allOf(
containsString("Preview features enabled: admin-fine-grained-authz, client-secret-rotation, declarative-user-profile, openshift-integration, recovery-codes, scripts, token-exchange, update-email")));
containsString(PREVIEW_FEATURES_EXPECTED_LOG)));
}
}

View file

@ -29,14 +29,14 @@ import org.keycloak.it.utils.RawKeycloakDistribution;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@DistributionTest(keepAlive = true, defaultOptions = { "--features=fips", "--http-enabled=true", "--hostname-strict=false", "--log-level=org.keycloak.common.crypto.CryptoIntegration:trace" })
@RawDistOnly(reason = "Containers are immutable")
public class FipsDistTest {
@Test
void testFipsNonApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
CLIResult cliResult = dist.run("start", "--fips-mode=enabled");
CLIResult cliResult = dist.run("start");
cliResult.assertStarted();
cliResult.assertMessage("Java security providers: [ \n"
+ " KC(BCFIPS version 1.000203, FIPS-JVM: " + KeycloakFipsSecurityProvider.isSystemFipsEnabled() + ") version 1.0 - class org.keycloak.crypto.fips.KeycloakFipsSecurityProvider");
@ -64,7 +64,7 @@ public class FipsDistTest {
}
@Test
@Launch({ "start", "--fips-mode=enabled" })
@Launch({ "start", "--fips-mode=non-strict" })
void failStartDueToMissingFipsDependencies(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertError("Failed to configure FIPS. Make sure you have added the Bouncy Castle FIPS dependencies to the 'providers' directory.");
@ -116,7 +116,7 @@ public class FipsDistTest {
void testHttpsPkcs12KeyStoreInNonApprovedMode(KeycloakDistribution dist) {
runOnFipsEnabledDistribution(dist, () -> {
dist.copyOrReplaceFileFromClasspath("/server.keystore.pkcs12", Path.of("conf", "server.keystore"));
CLIResult cliResult = dist.run("start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword");
CLIResult cliResult = dist.run("start", "--fips-mode=non-strict", "--https-key-store-password=passwordpassword");
cliResult.assertStarted();
});
}
@ -129,8 +129,8 @@ public class FipsDistTest {
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
Path truststorePath = rawDist.getDistPath().resolve("conf").resolve("server.keystore").toAbsolutePath();
// https-trust-store-type should be automatically set to pkcs12 in fips-mode=enabled
CLIResult cliResult = dist.run("--verbose", "start", "--fips-mode=enabled", "--https-key-store-password=passwordpassword",
// https-trust-store-type should be automatically set to pkcs12 in fips-mode=non-strict
CLIResult cliResult = dist.run("--verbose", "start", "--fips-mode=non-strict", "--https-key-store-password=passwordpassword",
"--https-trust-store-file=" + truststorePath, "--https-trust-store-password=passwordpassword");
cliResult.assertStarted();
});

View file

@ -75,13 +75,13 @@ public class ImportAtStartupDistTest {
@Test
@BeforeStartDistribution(CreateRealmConfigurationFile.class)
void testImportFromFileCreatedByExportAllRealms(KeycloakDistribution dist) throws IOException {
dist.run("start-dev", "--import-realm");
dist.run("start-dev", "--import-realm", "--storage=chm");
dist.run("export", "--file=../data/import/realm.json");
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
FileUtil.deleteDirectory(rawDist.getDistPath().resolve("data").resolve("chm").toAbsolutePath());
CLIResult result = dist.run("start-dev", "--import-realm");
CLIResult result = dist.run("start-dev", "--import-realm", "--storage=chm");
result.assertMessage("Realm 'quickstart-realm' imported");
result.assertMessage("Realm 'master' already exists. Import skipped");
}
@ -89,13 +89,13 @@ public class ImportAtStartupDistTest {
@Test
@BeforeStartDistribution(CreateRealmConfigurationFile.class)
void testImportFromFileCreatedByExportSingleRealm(KeycloakDistribution dist) throws IOException {
dist.run("start-dev", "--import-realm");
dist.run("start-dev", "--import-realm", "--storage=chm");
dist.run("export", "--realm=quickstart-realm", "--file=../data/import/realm.json");
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
FileUtil.deleteDirectory(rawDist.getDistPath().resolve("data").resolve("chm").toAbsolutePath());
CLIResult result = dist.run("start-dev", "--import-realm");
CLIResult result = dist.run("start-dev", "--import-realm", "--storage=chm");
result.assertMessage("Realm 'quickstart-realm' imported");
result.assertNoMessage("Not importing realm master from file");
}
@ -103,14 +103,14 @@ public class ImportAtStartupDistTest {
@Test
@BeforeStartDistribution(CreateRealmConfigurationFile.class)
void testImportFromDirCreatedByExport(KeycloakDistribution dist) throws IOException {
dist.run("start-dev", "--import-realm");
dist.run("start-dev", "--import-realm", "--storage=chm");
RawKeycloakDistribution rawDist = dist.unwrap(RawKeycloakDistribution.class);
FileUtil.deleteDirectory(rawDist.getDistPath().resolve("data").resolve("import").toAbsolutePath());
dist.run("export", "--dir=../data/import");
FileUtil.deleteDirectory(rawDist.getDistPath().resolve("data").resolve("chm").toAbsolutePath());
CLIResult result = dist.run("start-dev", "--import-realm");
CLIResult result = dist.run("start-dev", "--import-realm", "--storage=chm");
result.assertMessage("Realm 'quickstart-realm' imported");
result.assertNoMessage("Not importing realm master from file");
}

View file

@ -46,14 +46,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.

View file

@ -46,14 +46,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.

View file

@ -69,14 +69,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.

View file

@ -69,14 +69,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.

View file

@ -129,14 +129,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
@ -280,11 +280,11 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Experimental):
Security (Preview):
--fips-mode <mode> Experimental: Sets the FIPS mode. If 'enabled' is set, FIPS is enabled but on
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: enabled, strict, disabled. Default: disabled.
mode. Possible values are: non-strict, strict. Default: disabled.
Do NOT start the server using this command when deploying to production.

View file

@ -129,14 +129,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
@ -280,11 +280,11 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Experimental):
Security (Preview):
--fips-mode <mode> Experimental: Sets the FIPS mode. If 'enabled' is set, FIPS is enabled but on
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: enabled, strict, disabled. Default: disabled.
mode. Possible values are: non-strict, strict. Default: disabled.
Do NOT start the server using this command when deploying to production.

View file

@ -75,14 +75,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.

View file

@ -75,14 +75,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.

View file

@ -135,14 +135,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
@ -286,11 +286,11 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Experimental):
Security (Preview):
--fips-mode <mode> Experimental: Sets the FIPS mode. If 'enabled' is set, FIPS is enabled but on
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: enabled, strict, disabled. Default: disabled.
mode. Possible values are: non-strict, strict. Default: disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the

View file

@ -135,14 +135,14 @@ Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba,
client-policies, client-secret-rotation, declarative-user-profile, docker,
dynamic-scopes, impersonation, js-adapter, kerberos, map-storage,
dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage,
openshift-integration, par, preview, recovery-codes, scripts,
step-up-authentication, token-exchange, update-email, web-authn.
@ -286,11 +286,11 @@ Logging:
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security (Experimental):
Security (Preview):
--fips-mode <mode> Experimental: Sets the FIPS mode. If 'enabled' is set, FIPS is enabled but on
--fips-mode <mode> Preview: Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. Possible values are: enabled, strict, disabled. Default: disabled.
mode. Possible values are: non-strict, strict. Default: disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the

View file

@ -304,7 +304,7 @@
<profile>
<id>auth-server-fips140-2</id>
<properties>
<auth.server.fips.mode>enabled</auth.server.fips.mode>
<auth.server.fips.mode>non-strict</auth.server.fips.mode>
</properties>
<dependencies>

View file

@ -131,7 +131,7 @@ public class AuthServerTestEnricher {
public static final String AUTH_SERVER_FIPS_MODE_PROPERTY = "auth.server.fips.mode";
public static final FipsMode AUTH_SERVER_FIPS_MODE = FipsMode.valueOf(System.getProperty(AUTH_SERVER_FIPS_MODE_PROPERTY, FipsMode.disabled.toString()));
public static final FipsMode AUTH_SERVER_FIPS_MODE = FipsMode.valueOfOption(System.getProperty(AUTH_SERVER_FIPS_MODE_PROPERTY, FipsMode.DISABLED.toString()));
public static final String CACHE_SERVER_LIFECYCLE_SKIP_PROPERTY = "cache.server.lifecycle.skip";
public static final boolean CACHE_SERVER_LIFECYCLE_SKIP = Boolean.parseBoolean(System.getProperty(CACHE_SERVER_LIFECYCLE_SKIP_PROPERTY, "false"));

View file

@ -173,7 +173,7 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
log.debugf("FIPS Mode: %s", configuration.getFipsMode());
// only run build during first execution of the server (if the DB is specified), restarts or when running cluster tests
if (restart.get() || shouldSetUpDb.get() || "ha".equals(getClusterConfig.get()) || configuration.getFipsMode() != FipsMode.disabled) {
if (restart.get() || shouldSetUpDb.get() || "ha".equals(getClusterConfig.get()) || configuration.getFipsMode() != FipsMode.DISABLED) {
commands.removeIf("--optimized"::equals);
commands.add("--http-relative-path=/auth");
@ -187,7 +187,7 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
}
}
if (configuration.getFipsMode() != FipsMode.disabled) {
if (configuration.getFipsMode() != FipsMode.DISABLED) {
addFipsOptions(commands);
}
}
@ -325,6 +325,7 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
}
private void addFipsOptions(List<String> commands) {
commands.add("--features=fips");
commands.add("--fips-mode=" + configuration.getFipsMode().toString());
log.debugf("Keystore file: %s, truststore file: %s",
@ -339,7 +340,7 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
// BCFIPS approved mode requires passwords of at least 112 bits (14 characters) to be used. To bypass this, we use this by default
// as testsuite uses shorter passwords everywhere
if (FipsMode.strict == configuration.getFipsMode()) {
if (FipsMode.STRICT == configuration.getFipsMode()) {
commands.add("--spi-password-hashing-pbkdf2-max-padding-length=14");
commands.add("--spi-password-hashing-pbkdf2-sha256-max-padding-length=14");
commands.add("--spi-password-hashing-pbkdf2-sha512-max-padding-length=14");

View file

@ -45,7 +45,7 @@ public class KeycloakQuarkusConfiguration implements ContainerConfiguration {
private boolean reaugmentBeforeStart;
private String importFile = System.getProperty("migration.import.file.name");
private FipsMode fipsMode = FipsMode.valueOf(System.getProperty("auth.server.fips.mode"));
private FipsMode fipsMode = FipsMode.valueOfOption(System.getProperty("auth.server.fips.mode"));
@Override
public void validate() throws ConfigurationException {

View file

@ -75,7 +75,7 @@ public abstract class AbstractCliTest extends AbstractKeycloakTest {
}
private boolean isFipsDisabled() {
return AuthServerTestEnricher.AUTH_SERVER_FIPS_MODE == FipsMode.disabled;
return AuthServerTestEnricher.AUTH_SERVER_FIPS_MODE == FipsMode.DISABLED;
}
}

View file

@ -213,7 +213,7 @@ public class KcRegCreateTest extends AbstractRegCliTest {
}
// TODO: SAML is not tested with FIPS enabled as it does not work. This needs to be revisited when SAML works with FIPS
if (AuthServerTestEnricher.AUTH_SERVER_FIPS_MODE == FipsMode.disabled) {
if (AuthServerTestEnricher.AUTH_SERVER_FIPS_MODE == FipsMode.DISABLED) {
// test create saml formated xml - format autodetection
File samlSpMetaFile = new File(System.getProperty("user.dir") + "/src/test/resources/cli/kcreg/saml-sp-metadata.xml");

View file

@ -1569,7 +1569,7 @@
<profile>
<id>auth-server-fips140-2</id>
<properties>
<auth.server.fips.mode>enabled</auth.server.fips.mode>
<auth.server.fips.mode>non-strict</auth.server.fips.mode>
<auth.server.supported.keystore.types>PKCS12,BCFKS</auth.server.supported.keystore.types>
<auth.server.kerberos.supported>false</auth.server.kerberos.supported>