Commit graph

538 commits

Author SHA1 Message Date
stianst
61fe554617 KEYCLOAK-6051 Fix licenses 2017-12-19 08:20:29 +01:00
Martin Kanis
47721957b7 KEYCLOAK-6018 Create BOM for Drools dependencies 2017-12-14 14:51:25 +01:00
stianst
35e60e0aa4 KEYCLOAK-5957 2017-12-06 08:59:40 +01:00
Hynek Mlnarik
b4532ec629 KEYCLOAK-5964 Fix keycloak-install-base.cli client session caches 2017-12-04 12:15:07 +01:00
pedroigor
b1127ffafe [KEYCLOAK-5953] - Making elytron dependencies optional 2017-12-04 10:13:55 +01:00
stianst
37de8e9f69 Bump version to 3.4.2.Final-SNAPSHOT 2017-12-01 09:34:48 +01:00
Peter Nalyvayko
b8e5fd2b99 KC-4335: working on adding a reverse proxy support to allow X.509 client certificate authentication when running keycloak behind a reverse proxy
KC-4335: reverse proxy => a swtich to change a type of reverse proxy when running the X509 integration tests; changes to the names of the reverse proxy providers

KC-4335: updated the migration scripts to add x509 spi to standalone and domain configurations; removed the HAproxy and apache x509 spi configuration
2017-11-30 11:00:32 +01:00
Alex Szczuczko
c860ca61c3 KEYCLOAK-5843 Add custom license processing plugin to avoid directory symlinks (#4723)
Symlinks are frequently unavailable on Windows (must be on NTFS and user must
have SeCreateSymbolicLinkPrivilege). Removing the symlinks for licenses/common/
should enable the build to function mostly normally on Windows. The individual
license files will be incorrect, but that shouldn't matter for local builds.
Release builds are done on *nix.

The plugin rolls several different plugin executions into one. The common files
are distributed using a resource jar, used by and unpacked by the plugin.
2017-11-27 12:31:31 -05:00
Stian Thorgersen
128ff12f8f Bump versions 2017-11-09 15:37:21 +01:00
Stian Thorgersen
e28652489e KEYCLOAK-5565 Change theme files to writable to permit patching 2017-11-09 15:37:01 +01:00
Pedro Igor
476dd1cef5 [KEYCLOAK-4439] - Fixing saml adapter 2017-11-08 19:01:54 -02:00
Alex Szczuczko
eb46f403d6 Extract the license files with maven-dependency-plugin instead of wildfly-server-provisioning-maven-plugin
This works around WFBUILD-27 aka wildfly/wildfly-build-tools#39. Once that's merged and new version is released this commit can be reverted.
2017-11-08 12:58:38 +01:00
Alex Szczuczko
9c0ec8cb10 Enforce a standard sort order on deduplication in download-license-files.sh
This will avoid noise in the diffs (files switching between symlink and regular
status) when users on systems with a different default sort order run the
script. `LC_ALL=C sort` will sort by byte order.
2017-11-08 12:58:38 +01:00
Alex Szczuczko
d268412738 Initial run of download-license-files.sh on license XMLs
Command line used:

find -path '*/src/main/resources/licenses' | while read -r r; do pushd "$r"; common/download-license-files.sh rh-sso/licenses.xml; common/download-license-files.sh keycloak/licenses.xml; popd; done
2017-11-08 12:58:38 +01:00
Alex Szczuczko
e360aadcd4 Explicitly define the dependency for unpacking in js-adapter-zip.
This makes it visible to append-product-licenses.groovy and other plugins.
2017-11-08 12:58:38 +01:00
Alex Szczuczko
f88b3cddb6 Port forward license data from maintenance, with improvements.
org.keycloak dependencies will be automatically added to the xml during the
build, removing the need for runs of download-license-files.sh every time the
keycloak version changes.

Documentation on "why and how" for the license data has also been added.

To reduce code duplication issues, plugin definitions are stored in
keycloak-parent, but only active in the projects that need them (not bound to
any phase by default). Also, the common files have been moved into
licenses/common/, so that a single symlink will suffice to replicate the
current and future files needed by the plugin executions. While the
assembly.xml definitions remain duplicated, they are fairly minimal and
shouldn't need to change often.

License data is available for all adapters shipped in the product, plus
server-feature-pack.

The keycloak slot is populated with data, in addition to the rh-sso slot. A
number of the adapters don't depend on any third-party artifacts, so they have
(mostly) blank license.xml files.
2017-11-08 12:58:38 +01:00
Marek Posolda
9e2ab2750a Merge pull request #4616 from vramik/KEYCLOAK-5749
KEYCLOAK-5749 Update migration scripts for WildFly 11 Final
2017-10-26 13:24:29 +02:00
vramik
906538e6aa KEYCLOAK-5749 Update migration scripts for WildFly 11 Final 2017-10-26 11:21:48 +02:00
Hynek Mlnarik
75c354fd94 KEYCLOAK-5745 Separate user and client sessions in infinispan 2017-10-26 10:39:41 +02:00
Hynek Mlnarik
d01be82b35 KEYCLOAK-5700 Add option to build jarless Wildfly distro
Use via the following maven command:

mvn clean install -Pdistribution -Dkeycloak.provisioning.xml=server-provisioning-devel.xml
2017-10-18 15:14:58 +02:00
Thomas Darimont
3103e0fd0a KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider (#4370)
* KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider

This introduces a new PasswordPolicy which can refer to
a named predefined password-blacklist to avoid users
choosing too easy to guess passwords.

The BlacklistPasswordPolicyProvider supports built-in as
well as custom blacklists.
built-in blacklists use the form `default/filename`
and custom ones `custom/filename`, where filename
is the name of the found blacklist-filename.

I'd propose to use some of the freely available password blacklists
from the [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords) project.

For testing purposes one can download the password blacklist
```
wget -O 10_million_password_list_top_1000000.txt https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000000.txt?raw=true
```
to /data/keycloak/blacklists/

Custom password policies can be configured with the SPI
configuration mechanism via jboss-cli:
```
/subsystem=keycloak-server/spi=password-policy:add()
/subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:add(enabled=true)
/subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsFolderUri, value=file:///data/keycloak/blacklists/)
```

Password blacklist is stored in a TreeSet.

* KEYCLOAK-5244 Encode PasswordBlacklist as a BloomFilter

We now use a dynamically sized BloomFilter with a
false positive probability of 1% as a backing store
for PasswordBlacklists.

BloomFilter implementation is provided by google-guava
which is available in wildfly.

Password blacklist files are now resolved against
the ${jboss.server.data.dir}/password-blacklists.

This can be overridden via system property, or SPI config.
See JavaDoc of BlacklistPasswordPolicyProviderFactory for details.

Revised implementation to be more extensible, e.g. it could be
possible to use other stores like databases etc.

Moved FileSystem specific methods to FileBasesPasswordBlacklistPolicy.

The PasswordBlacklistProvider uses the guava version 20.0
shipped with wildfly. Unfortunately the arquillian testsuite
transitively depends on guava 23.0 via the selenium-3.5.1
dependency. Hence we need to use version 23.0 for tests but 20.0
for the policy provider to avoid NoClassDefFoundErrors in the
server-dist.

Configure password blacklist folder for tests

* KEYCLOAK-5244 Configure jboss.server.data.dir for test servers

* KEYCLOAK-5244 Translate blacklisted message in base/login
2017-10-17 20:41:44 +02:00
vramik
a42e0d6a31 KEYCLOAK-5674 updated migration scripts 2017-10-16 22:36:40 +02:00
Stan Silvert
6082e49252 KEYCLOAK-4952: Header information disclosure 2017-10-06 16:04:39 -04:00
Stian Thorgersen
ee35673615 KEYCLOAK-1250 Profile and console loader for new account management console 2017-09-14 19:53:02 +02:00
Bill Burke
e907a9aa6d put back elytron and resteasy providers 2017-09-11 17:21:30 -04:00
Bill Burke
cf47d49fc6 add back multipart provider 2017-09-11 09:47:56 -04:00
Bill Burke
1ed5730769 add back multipart, remove elytron 2017-09-08 14:47:37 -04:00
Bill Burke
9f660b48c4 KEYCLOAK-5439 2017-09-08 11:28:12 -04:00
Stian Thorgersen
463661b051 Set version to 3.4.0.CR1-SNAPSHOT 2017-08-28 15:46:22 +02:00
Stian Thorgersen
8cc1d02d46 KEYCLOAK-5342 (#4431) 2017-08-28 14:35:58 +02:00
Hynek Mlnarik
794c508b10 KEYCLOAK-4995 Support for distributed SAML logout in cross DC 2017-08-28 13:15:11 +02:00
Stian Thorgersen
31be564fa3 KEYCLOAK-5339 Upgrade to WildFly 11 CR1 (#4429) 2017-08-28 12:06:37 +02:00
Pedro Igor
a6dfb4ccdd [KEYCLOAK-5015] - Support for Elytron capabilities in subsystem 2017-08-22 18:01:19 -03:00
Pedro Igor
d3e559453b [KEYCLOAK-5015] - Updating Elytron Adapters 2017-08-22 18:01:19 -03:00
Markus Heberling
ef32585f57 create JS source maps (#4365)
updated minify plugin to 1.7.6
switch minify plugin to use CLOSURE compiler
enable source map generation https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k
include source maps in distribution files
2017-08-22 08:10:09 +02:00
Stian Thorgersen
efd44d86c5 KEYCLOAK-5263 (#4393) 2017-08-17 14:40:29 +02:00
Stian Thorgersen
ae54dd848d KEYCLOAK-5185 (#4392) 2017-08-17 13:15:41 +02:00
Hynek Mlnarik
f5d7f9b09b KEYCLOAK-5216 ClassNotFoundException when using SAML ECP 2017-07-21 15:57:14 +02:00
Stian Thorgersen
454c5f4d83 Set version to 3.3.0.CR1-SNAPSHOT 2017-06-30 09:47:11 +02:00
Stian Thorgersen
073f1eda54 Fix dependency exclusions in server-dist to make sure dependency versions are inherited from WF 2017-06-27 14:24:22 +02:00
Stian Thorgersen
af63fcbc4d KEYCLOAK-4891 Add keycloak-api-docs-dist to mvn repo in prod profile 2017-06-26 19:54:33 +02:00
Hynek Mlnarik
955cbc76d7 KEYCLOAK-5030 Change action tokens cache type to distributed 2017-06-26 10:11:53 +02:00
Pedro Igor
1d5bd2567e [KEYCLOAK-4913] - Caching more query methods 2017-05-23 16:13:20 -03:00
Stian Thorgersen
43a625db28 KEYCLOAK-4477 Fix update to WF 11 2017-05-19 08:31:29 +02:00
Stian Thorgersen
cc42ea9332 KEYCLOAK-4773 Remove 'providers' directory 2017-05-19 06:24:58 +02:00
Stian Thorgersen
9ec3a8c3d9 KEYCLOAK-4933 Fixes 2017-05-19 06:24:58 +02:00
Stian Thorgersen
2e83eda172 KEYCLOAK-4477 Update to WildFly 11 2017-05-19 06:24:58 +02:00
Stian Thorgersen
6d8a3f7a8b KEYCLOAK-4933 Fixes 2017-05-19 06:24:58 +02:00
Bob McWhirter
56d68c17f5 KEYCLOAK-4933
Use a newer version of the server-provisioning-plugin.

By using a newer version of the plugin, we can reduce
the amount of build code that replicates the provisioning
logic when building overlays.

This applies to both:

* Server distribution overlay
* Adapter distribution overlay

Both overlays are created purely by using the provisioning
plugin and the feature-packs produced elsewhere in the build,
along with the admin-cli artifact when appropriate.
2017-05-19 06:24:58 +02:00
Stian Thorgersen
28acf489a1 KEYCLOAK-4921
add-user-keycloak broken
2017-05-18 09:33:33 +02:00