feat: quarkus version of keyloak - RHBK 24.0.5 (#363)

* feat: dockerfile for 22.0.8 and action for build * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: in progress * feat: updated dockerfile * feat: updated initial keycloak configuration * feat: addded quotes in keycloak configuration * feat: removed quotes for exception-output-type * feat: added quarkus.log.file.path * feat: commented some config * feat: using env.hostname for logfile name * feat: removed double quotes for some config * feat: create log file from keycloak.conf * feat: updated log file path * feat: updated log file path * feat: updated log file path * feat: updated log file path * feat: updated log file path * feat: updated log file path * feat: updated log file path * feat: enabled health check * feat: added custom fields to provider config * feat: removing override * feat: updated model with new attribute * feat: removed added attribute * feat: enabled legacy logout redirect URI * feat: removed double quotes from log file suffix * feat: rm legacy logout switch and update cache settings * feat: using replicated cache * feat: enabled cache * feat: trying cache stack kubernetes * feat: renamed file cache ispn * feat: use distributed cache * feat: use default cache settings * feat: removed keystore settings * feat: use cache stack tcp * feat: rollback cache settings * feat: turning on debug level * feat: using community version of keycloak 24 * feat: using cache stack kubernetes * feat: using cache stack kubernetes with rhbk * feat: update image tag to 22-10 * feat: using custom cache configuration * feat: using distributed cache configuration * feat: setting db pool min and max sizes * feat: migrating idp userinfo changes * feat: import base64 package * feat: initial commit of rhbk-24 * feat: removed cache conf for kc24 * feat: set forwarded proxy headers * feat: enable http * feat: migration to KC24 document * feat: updated developer guide * feat: updated kc24 migration guide * feat: update migration document * feat: IDP Userinfo multi attrs and validate sign * feat: add user session removed ext * feat: minor syntax fix * feat: default user profile config * feat: JWS signature verification by IDP Userinfo * feat: ensure userinfo is not null * feat: updated user profile json path * feat: upgrade to RHBK 24.0.5 * feat: improved error message to handle bcsc * fix: regex to handle hypens inside provider names * test: remove JS logic to update username to debug error * test: remove JS logic to update username to debug error * fix: handle special chars in username for error message * fix: use single quotes for username in error message * feat: support encryption for IDP userinfo mapper * fix: target 24-10 tag to build rhbk image * feat: remove 22 folder and updated git action to publish rhbk * feat: handle xss vulnerability in js --------- Co-authored-by: Marco Villeneuve <[email protected]>
bcgov · Jul 9, 2024 · cc723e9 · cc723e9
1 parent f8963a4
commit cc723e9
Show file tree

Hide file tree

Showing 86 changed files with 4,524 additions and 29 deletions.
diff --git a/.github/workflows/publish-image-keycloak.yml b/.github/workflows/publish-image-keycloak.yml
@@ -64,7 +64,7 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          file: docker/keycloak/Dockerfile-${{ startsWith(github.ref, 'refs/tags/7.4-37') && '7.4-37' || '7.6' }}
+          file: docker/keycloak/Dockerfile-${{ startsWith(github.ref, 'refs/tags/7.6') && '7.6' || '24' }}
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 

diff --git a/.github/workflows/publish-image-rhbk-dev.yml b/.github/workflows/publish-image-rhbk-dev.yml
@@ -0,0 +1,65 @@
+name: Create and publish Keycloak Docker image - Dev
+
+on:
+  push:
+    branches:
+      - 'feature/quarkus'
+
+env:
+  GITHUB_REGISTRY: ghcr.io
+  REDHAT_REGISTRY: registry.redhat.io
+  IMAGE_NAME: bcgov/sso
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.GITHUB_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to the REDHAT Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REDHAT_REGISTRY }}
+          username: ${{ secrets.REDHAT_USERNAME }}
+          password: ${{ secrets.REDHAT_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: docker/keycloak
+          push: true
+          tags: ${{ env.GITHUB_REGISTRY }}/${{env.IMAGE_NAME}}:dev-rhbk-24
+          file: docker/keycloak/Dockerfile-24
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+        # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/docker/kc-cron-job/yarn.lock b/docker/kc-cron-job/yarn.lock
@@ -1146,9 +1146,9 @@ camelcase@^6.2.0:
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
 camelize@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/camelize/-/camelize-1.0.0.tgz#164a5483e630fa4321e5af07020e531831b2609b"
-  integrity sha1-FkpUg+Yw+kMh5a8HAg5TGDGyYJs=
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/camelize/-/camelize-1.0.1.tgz#89b7e16884056331a35d6b5ad064332c91daa6c3"
+  integrity sha512-dU+Tx2fsypxTgtLoE36npi3UqcjSSMNYfkqgmoEhtZrraP5VWq0K7FkWVTYa8eMPtnU/G2txVsfdCJTn9uzpuQ==
 
 caniuse-lite@^1.0.30001541:
   version "1.0.30001550"
@@ -1315,9 +1315,9 @@ debug@^4.1.0, debug@^4.1.1, debug@^4.3.2:
     ms "2.1.2"
 
 decode-uri-component@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
-  integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
+  version "0.2.2"
+  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9"
+  integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==
 
 dedent@^1.0.0:
   version "1.5.1"
@@ -1830,7 +1830,7 @@ fill-range@^7.0.1:
 filter-obj@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/filter-obj/-/filter-obj-1.1.0.tgz#9b311112bc6c6127a16e016c6c5d7f19e0805c5b"
-  integrity sha1-mzERErxsYSehbgFsbF1/GeCAXFs=
+  integrity sha512-8rXg1ZnX7xzy2NGDVkBVaAy+lSlPNwad13BtgSlLuxfIslyt5Vg64U7tFcCt4WS1R0hvtnQybT/IyCkGZ3DpXQ==
 
 find-up@^4.0.0, find-up@^4.1.0:
   version "4.1.0"
@@ -1863,9 +1863,9 @@ flatted@^3.2.9:
   integrity sha512-36yxDn5H7OFZQla0/jFJmbIKTdZAQHngCedGxiMmpNfEZM0sdEeT+WczLQrjK6D7o2aiyLYDnkw0R3JK0Qv1RQ==
 
 follow-redirects@^1.14.0:
-  version "1.14.4"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.14.4.tgz#838fdf48a8bbdd79e52ee51fb1c94e3ed98b9379"
-  integrity sha512-zwGkiSXC1MUJG/qmeIFH2HBJx9u0V46QGUe3YR1fXG8bXQxq7fLj0RjLZQ5nubr9qNJUZrH+xUcwXEoXNpfS+g==
+  version "1.15.6"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
+  integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
 
 follow-redirects@^1.15.0:
   version "1.15.2"
@@ -3739,7 +3739,7 @@ stack-utils@^2.0.3:
 strict-uri-encode@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/strict-uri-encode/-/strict-uri-encode-2.0.0.tgz#b9c7330c7042862f6b142dc274bbcc5866ce3546"
-  integrity sha1-ucczDHBChi9rFC3CdLvMWGbONUY=
+  integrity sha512-QwiXZgpRcKkhTj2Scnn++4PKtWsH0kpzZ62L2R6c/LUVYv7hVnZqcg2+sMuT6R7Jusu1vviK/MFsu6kNJfWlEQ==
 
 string-length@^4.0.1:
   version "4.0.2"
@@ -4031,7 +4031,7 @@ url-join@^4.0.0:
 url-template@^2.0.8:
   version "2.0.8"
   resolved "https://registry.yarnpkg.com/url-template/-/url-template-2.0.8.tgz#fc565a3cccbff7730c775f5641f9555791439f21"
-  integrity sha1-/FZaPMy/93MMd19WQflVV5FDnyE=
+  integrity sha512-XdVKMF4SJ0nP/O7XIPB0JwAEuT9lDIYnNsK8yGVe43y0AWoKeJNdv3ZNWh7ksJ6KqQFjOO6ox/VEitLnaVNufw==
 
 util-deprecate@^1.0.1, util-deprecate@~1.0.1:
   version "1.0.2"

diff --git a/docker/keycloak/Dockerfile-24 b/docker/keycloak/Dockerfile-24
@@ -0,0 +1,36 @@
+FROM maven:3.8.5-openjdk-17-slim AS extensions-builder
+
+COPY ./extensions-24 /tmp/
+WORKDIR /tmp/
+RUN mvn -B clean package --file pom.xml
+
+FROM registry.redhat.io/rhbk/keycloak-rhel9:24-10 as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+
+# Configure a database vendor
+ENV KC_DB=postgres
+
+COPY --from=extensions-builder /tmp/services/target/bcgov-services-1.0.0.jar /opt/keycloak/providers/
+
+WORKDIR /opt/keycloak
+
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM registry.redhat.io/rhbk/keycloak-rhel9:24-10
+
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+# copy the theme directory to `/opt/keycloak/themes/` for now, but we can consider to archive to be deployed later.
+COPY ./extensions-24/themes/src/main/resources/theme /opt/keycloak/themes
+
+COPY ./configuration/24/keycloak.conf /opt/keycloak/conf
+
+COPY ./configuration/24/quarkus.properties /opt/keycloak/conf
+
+COPY ./configuration/24/keycloak-default-user-profile.json /tmp
+
+# change these values to point to a running postgres instance
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
diff --git a/docker/keycloak/configuration/24/keycloak-default-user-profile.json b/docker/keycloak/configuration/24/keycloak-default-user-profile.json
@@ -0,0 +1,61 @@
+{
+  "unmanagedAttributePolicy": "ENABLED",
+  "attributes": [
+    {
+      "name": "username",
+      "displayName": "${username}",
+      "permissions": {
+        "view": ["admin", "user"],
+        "edit": ["admin", "user"]
+      },
+      "validations": {
+        "length": { "min": 3, "max": 255 },
+        "username-prohibited-characters": {},
+        "up-username-not-idn-homograph": {}
+      }
+    },
+    {
+      "name": "email",
+      "displayName": "${email}",
+      "permissions": {
+        "view": ["admin", "user"],
+        "edit": ["admin", "user"]
+      },
+      "validations": {
+        "email": {},
+        "length": { "max": 255 }
+      }
+    },
+    {
+      "name": "firstName",
+      "displayName": "${firstName}",
+      "permissions": {
+        "view": ["admin", "user"],
+        "edit": ["admin", "user"]
+      },
+      "validations": {
+        "length": { "max": 255 },
+        "person-name-prohibited-characters": {}
+      }
+    },
+    {
+      "name": "lastName",
+      "displayName": "${lastName}",
+      "permissions": {
+        "view": ["admin", "user"],
+        "edit": ["admin", "user"]
+      },
+      "validations": {
+        "length": { "max": 255 },
+        "person-name-prohibited-characters": {}
+      }
+    }
+  ],
+  "groups": [
+    {
+      "name": "user-metadata",
+      "displayHeader": "User metadata",
+      "displayDescription": "Attributes, which refer to user metadata"
+    }
+  ]
+}
diff --git a/docker/keycloak/configuration/24/keycloak.conf b/docker/keycloak/configuration/24/keycloak.conf
@@ -0,0 +1,39 @@
+health-enabled=true
+metrics-enabled=true
+
+# database
+db-pool-min-size=5
+db-pool-max-size=20
+
+# theme
+spi-theme-static-max-age=2592000
+spi-theme-cache-themes=true
+spi-theme-cache-templates=true
+
+# logging
+log=console,file
+log-console-color=false
+log-file=/var/log/eap/${HOSTNAME}.log
+
+# root-logger-level:INFO
+log-level=info,com.arjuna:warn,io.jaegertracing.Configuration:warn,org.jboss.as.config:debug,org.keycloak.events:debug,sun.rmi:warn
+log-console-output=json
+log-file-output=json
+
+# SPIs
+spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
+spi-user-profile-declarative-user-profile-config-file=/tmp/keycloak-default-user-profile.json
+
+# cache
+cache=ispn
+# DNS_PING is particularly useful in environments like Kubernetes and Red Hat OpenShift where UDP multicast, a different cluster discovery method, might not be available. This is because DNS is a standard service that's always available, making DNS_PING a reliable way for Infinispan nodes to discover each other.
+# The below option requires passing -Djgroups.dns.query=sso-keycloak-ping.<NAMESPACE>.svc.cluster.local to start command
+cache-stack=kubernetes
+#cache-config-file=cache-ispn-custom.xml
+
+# tls
+# https-key-store-file=server.keystore
+# https-key-store-password=password
+
+http-enabled=true
+proxy-headers=forwarded
diff --git a/docker/keycloak/configuration/24/quarkus.properties b/docker/keycloak/configuration/24/quarkus.properties
@@ -0,0 +1,10 @@
+quarkus.log.console.json.exception-output-type=formatted
+quarkus.log.console.json.key-overrides=timestamp=@timestamp
+quarkus.log.console.json.additional-field."@version".value=1
+quarkus.log.file.json.exception-output-type=formatted
+quarkus.log.file.json.key-overrides=timestamp=@timestamp
+quarkus.log.file.json.additional-field."@version".value=1
+quarkus.log.file.rotation.file-suffix=.yyyy-MM-dd
+# Optional: Disable rotation by size (adjust value as needed)
+quarkus.log.handler.file.rotation.max-file-size="10000M"
+quarkus.log.handler.file.rotation.max-backup-index="100"
diff --git a/docker/keycloak/extensions-24/.vscode/settings.json b/docker/keycloak/extensions-24/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+  "java.configuration.updateBuildConfiguration": "interactive"
+}
diff --git a/docker/keycloak/extensions-24/pom.xml b/docker/keycloak/extensions-24/pom.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.github.bcgov.keycloak</groupId>
+    <artifactId>extensions-parent</artifactId>
+    <version>1.0.0</version>
+    <packaging>pom</packaging>
+
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <keycloak.version>24.0.5</keycloak.version>
+    </properties>
+
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-jar-plugin</artifactId>
+                    <version>3.2.0</version>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
+
+    <modules>
+        <module>services</module>
+        <module>themes</module>
+    </modules>
+</project>