Merge branch 'main' into issue-23582

edewit · Oct 16, 2023 · d84fbdb · d84fbdb
2 parents db3548c + 50916d5
commit d84fbdb
Show file tree

Hide file tree

Showing 15 changed files with 69 additions and 93 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -509,7 +509,7 @@ jobs:
     timeout-minutes: 75
     strategy:
       matrix:
-        browser: [chrome, firefox]
+        browser: [chrome]
       fail-fast: false
     steps:
       - uses: actions/checkout@v4
@@ -519,7 +519,7 @@ jobs:
         uses: ./.github/actions/integration-test-setup
 
       - name: Run Account Console IT
-        run: ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=**.account2.**,!SigningInTest#passwordlessWebAuthnTest,!SigningInTest#twoFactorWebAuthnTest -Dbrowser=${{ matrix.browser }} "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" "-Dwebdriver.gecko.driver=$GECKOWEBDRIVER/geckodriver" -f testsuite/integration-arquillian/tests/other/base-ui/pom.xml | misc/log/trimmer.sh
+        run: ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=**.account2.**,!SigningInTest#passwordlessWebAuthnTest,!SigningInTest#twoFactorWebAuthnTest -Dbrowser=${{ matrix.browser }} "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" -f testsuite/integration-arquillian/tests/other/base-ui/pom.xml | misc/log/trimmer.sh
 
       - name: Upload JVM Heapdumps
         if: always()

diff --git a/docs/documentation/.github/workflows/test-external-links.yml b/docs/documentation/.github/workflows/test-external-links.yml
diff --git a/docs/documentation/.github/workflows/test-guides.yml b/docs/documentation/.github/workflows/test-guides.yml
diff --git a/docs/guides/getting-started/getting-started-openshift.adoc b/docs/guides/getting-started/getting-started-openshift.adoc
@@ -55,7 +55,7 @@ oc process -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/la
 | oc create -f -
 ----
 +
-In this example, the user name and and password are `admin`.
+In this example, the user name and password are `admin`.
 
 . Once the command above completes, look for a message similar to this:
 +

diff --git a/docs/guides/getting-started/getting-started-zip.adoc b/docs/guides/getting-started/getting-started-zip.adoc
@@ -1,4 +1,5 @@
 <#import "/templates/guide.adoc" as tmpl>
+<#import "/templates/profile.adoc" as profile>
 
 <@tmpl.guide
 title="OpenJDK"
@@ -10,14 +11,20 @@ summary="Get started with Keycloak on bare metal">
 
 == Before you start
 
-Make sure you have https://openjdk.java.net/[OpenJDK 17] or a higher version installed.
+Make sure you have https://openjdk.java.net/[OpenJDK 17] installed.
 
 == Download Keycloak
 
 Download and extract https://github.com/keycloak/keycloak/releases/download/{version}/keycloak-{version}.zip[keycloak-{version}.zip]
 from the Keycloak website.
 
-After extracting this file, you should have a directory named keycloak-{version}.
+<@profile.ifCommunity>
+After extracting this file, you should have a directory with a name that starts with `keycloak-{version}`.
+</@profile.ifCommunity>
+
+<@profile.ifProduct>
+After extracting this file, you should have a directory with a name that starts with `rhbk-{version}`.
+</@profile.ifProduct>
 
 include::templates/start-keycloak-localhost.adoc[]
 

diff --git a/docs/guides/getting-started/templates/realm-config.adoc b/docs/guides/getting-started/templates/realm-config.adoc
@@ -37,6 +37,6 @@ This user needs a password to log in. To set the initial password:
 
 . Click *Credentials* at the top of the page.
 . Fill in the *Set password* form with a password.
-. Toggle *Temporary* to *Off* so that the user does not need update this password at the first login.
+. Toggle *Temporary* to *Off* so that the user does not need to update this password at the first login.
 
 image::set-password.png[Set password]
diff --git a/docs/guides/getting-started/templates/start-keycloak-localhost.adoc b/docs/guides/getting-started/templates/start-keycloak-localhost.adoc
@@ -1,7 +1,18 @@
+<#import "/templates/profile.adoc" as profile>
+
 == Start Keycloak
 
 . From a terminal, open the keycloak-{version} directory.
 . Enter the following command:
+<@profile.ifProduct> 
++
+[source,bash,subs="attributes+"]
+----
+bin/kc.sh start-dev
+----
+</@profile.ifProduct>
+
+<@profile.ifCommunity>
 * On Linux, run:
 +
 [source,bash,subs="attributes+"]
@@ -15,3 +26,7 @@ bin/kc.sh start-dev
 ----
 bin\kc.bat start-dev
 ----
+</@profile.ifCommunity>
+
+Using the `start-dev` option, you are starting Keycloak development mode. In this mode, you can try out Keycloak for the first time to get it up and running quickly. This mode offers convenient defaults for developers, such as for developing a new Keycloak theme.
+
diff --git a/docs/guides/operator/basic-deployment.adoc b/docs/guides/operator/basic-deployment.adoc
@@ -28,7 +28,7 @@ Once the Keycloak Operator is installed and running in the cluster namespace, yo
 
 A database should be available and accessible from the cluster namespace where Keycloak is installed.
 For a list of supported databases, see <@links.server id="db"/>.
-The Keycloak Operator does not manage the database and you need to provision it yourself. Consider verifying your cloud provider offering or using a database operator such as https://access.crunchydata.com/documentation/postgres-operator/latest/[Crunchy].
+The Keycloak Operator does not manage the database and you need to provision it yourself. Consider verifying your cloud provider offering or using a database operator.
 
 For development purposes, you can use an ephemeral PostgreSQL pod installation. To provision it, follow the approach below:
 

diff --git a/...egacy-private/src/main/java/org/keycloak/storage/datastore/LegacyExportImportManager.java b/...egacy-private/src/main/java/org/keycloak/storage/datastore/LegacyExportImportManager.java
@@ -260,8 +260,8 @@ public void importRealm(RealmRepresentation rep, RealmModel newRealm, boolean sk
         // OAuth 2.0 Device Authorization Grant
         OAuth2DeviceConfig deviceConfig = newRealm.getOAuth2DeviceConfig();
 
-        deviceConfig.setOAuth2DeviceCodeLifespan(rep.getOAuth2DeviceCodeLifespan());
-        deviceConfig.setOAuth2DevicePollingInterval(rep.getOAuth2DevicePollingInterval());
+        deviceConfig.setOAuth2DeviceCodeLifespan(newRealm, rep.getOAuth2DeviceCodeLifespan());
+        deviceConfig.setOAuth2DevicePollingInterval(newRealm, rep.getOAuth2DevicePollingInterval());
 
         if (rep.getSslRequired() != null)
             newRealm.setSslRequired(SslRequired.valueOf(rep.getSslRequired().toUpperCase()));
@@ -764,8 +764,8 @@ public void updateRealm(RealmRepresentation rep, RealmModel realm) {
 
         OAuth2DeviceConfig deviceConfig = realm.getOAuth2DeviceConfig();
 
-        deviceConfig.setOAuth2DeviceCodeLifespan(rep.getOAuth2DeviceCodeLifespan());
-        deviceConfig.setOAuth2DevicePollingInterval(rep.getOAuth2DevicePollingInterval());
+        deviceConfig.setOAuth2DeviceCodeLifespan(realm, rep.getOAuth2DeviceCodeLifespan());
+        deviceConfig.setOAuth2DevicePollingInterval(realm, rep.getOAuth2DevicePollingInterval());
 
         if (rep.getNotBefore() != null) realm.setNotBefore(rep.getNotBefore());
         if (rep.getDefaultSignatureAlgorithm() != null) realm.setDefaultSignatureAlgorithm(rep.getDefaultSignatureAlgorithm());

diff --git a/model/map/src/main/java/org/keycloak/models/map/datastore/MapExportImportManager.java b/model/map/src/main/java/org/keycloak/models/map/datastore/MapExportImportManager.java
@@ -266,8 +266,8 @@ public void importRealm(RealmRepresentation rep, RealmModel newRealm, boolean sk
         // OAuth 2.0 Device Authorization Grant
         OAuth2DeviceConfig deviceConfig = newRealm.getOAuth2DeviceConfig();
 
-        deviceConfig.setOAuth2DeviceCodeLifespan(rep.getOAuth2DeviceCodeLifespan());
-        deviceConfig.setOAuth2DevicePollingInterval(rep.getOAuth2DevicePollingInterval());
+        deviceConfig.setOAuth2DeviceCodeLifespan(newRealm, rep.getOAuth2DeviceCodeLifespan());
+        deviceConfig.setOAuth2DevicePollingInterval(newRealm, rep.getOAuth2DevicePollingInterval());
 
         if (rep.getSslRequired() != null)
             newRealm.setSslRequired(SslRequired.valueOf(rep.getSslRequired().toUpperCase()));
@@ -1053,8 +1053,8 @@ public void updateRealm(RealmRepresentation rep, RealmModel realm) {
 
         OAuth2DeviceConfig deviceConfig = realm.getOAuth2DeviceConfig();
 
-        deviceConfig.setOAuth2DeviceCodeLifespan(rep.getOAuth2DeviceCodeLifespan());
-        deviceConfig.setOAuth2DevicePollingInterval(rep.getOAuth2DevicePollingInterval());
+        deviceConfig.setOAuth2DeviceCodeLifespan(realm, rep.getOAuth2DeviceCodeLifespan());
+        deviceConfig.setOAuth2DevicePollingInterval(realm, rep.getOAuth2DevicePollingInterval());
 
         if (rep.getNotBefore() != null) realm.setNotBefore(rep.getNotBefore());
         if (rep.getDefaultSignatureAlgorithm() != null) realm.setDefaultSignatureAlgorithm(rep.getDefaultSignatureAlgorithm());

diff --git a/server-spi/src/main/java/org/keycloak/models/OAuth2DeviceConfig.java b/server-spi/src/main/java/org/keycloak/models/OAuth2DeviceConfig.java
@@ -41,17 +41,10 @@ public final class OAuth2DeviceConfig implements Serializable {
     public static String OAUTH2_DEVICE_POLLING_INTERVAL_PER_CLIENT = "oauth2.device.polling.interval";
     public static final String OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED = "oauth2.device.authorization.grant.enabled";
 
-    private transient Supplier<RealmModel> realm;
-
-    // Make sure setters are not called when calling this from constructor to avoid DB updates
-    private transient Supplier<RealmModel> realmForWrite;
-
     private int lifespan = DEFAULT_OAUTH2_DEVICE_CODE_LIFESPAN;
     private int poolingInterval = DEFAULT_OAUTH2_DEVICE_POLLING_INTERVAL;
 
     public OAuth2DeviceConfig(RealmModel realm) {
-        this.realm = () -> realm;
-
         String lifespan = realm.getAttribute(OAUTH2_DEVICE_CODE_LIFESPAN);
 
         if (lifespan != null && !lifespan.trim().isEmpty()) {
@@ -63,35 +56,39 @@ public OAuth2DeviceConfig(RealmModel realm) {
         if (pooling != null && !pooling.trim().isEmpty()) {
             setOAuth2DevicePollingInterval(Integer.parseInt(pooling));
         }
-
-        this.realmForWrite = () -> realm;
     }
 
     public int getLifespan() {
         return lifespan;
     }
 
     public void setOAuth2DeviceCodeLifespan(Integer seconds) {
+        setOAuth2DeviceCodeLifespan(null, seconds);
+    }
+
+    public void setOAuth2DeviceCodeLifespan(RealmModel realm, Integer seconds) {
         if (seconds == null) {
             seconds = DEFAULT_OAUTH2_DEVICE_CODE_LIFESPAN;
         }
         this.lifespan = seconds;
-        persistRealmAttribute(OAUTH2_DEVICE_CODE_LIFESPAN, lifespan);
+        persistRealmAttribute(realm, OAUTH2_DEVICE_CODE_LIFESPAN, lifespan);
     }
 
     public int getPoolingInterval() {
         return poolingInterval;
     }
 
     public void setOAuth2DevicePollingInterval(Integer seconds) {
+        setOAuth2DevicePollingInterval(null, seconds);
+    }
+
+    public void setOAuth2DevicePollingInterval(RealmModel realm, Integer seconds) {
         if (seconds == null) {
             seconds = DEFAULT_OAUTH2_DEVICE_POLLING_INTERVAL;
         }
         this.poolingInterval = seconds;
 
-        RealmModel model = getRealm();
-
-        persistRealmAttribute(OAUTH2_DEVICE_POLLING_INTERVAL, poolingInterval);
+        persistRealmAttribute(realm, OAUTH2_DEVICE_POLLING_INTERVAL, poolingInterval);
     }
 
     public int getLifespan(ClientModel client) {
@@ -119,18 +116,7 @@ public boolean isOAuth2DeviceAuthorizationGrantEnabled(ClientModel client) {
         return Boolean.parseBoolean(enabled);
     }
 
-    private RealmModel getRealm() {
-        RealmModel model = realm.get();
-
-        if (model == null) {
-            throw new RuntimeException("Can only update after invalidating the realm");
-        }
-
-        return model;
-    }
-
-    private void persistRealmAttribute(String name, Integer value) {
-        RealmModel realm = realmForWrite == null ? null : this.realmForWrite.get();
+    private void persistRealmAttribute(RealmModel realm, String name, Integer value) {
         if (realm != null) {
             realm.setAttribute(name, value);
         }

diff --git a/...stsuite-providers/src/main/java/org/keycloak/testsuite/runonserver/SerializationUtil.java b/...stsuite-providers/src/main/java/org/keycloak/testsuite/runonserver/SerializationUtil.java
@@ -51,6 +51,9 @@ public static String encodeException(Throwable t) {
             oos.close();
 
             return "EXCEPTION:" + Base64.encodeBytes(os.toByteArray());
+        } catch (NotSerializableException e) {
+            // when the exception can't be serialized, at least log the original exception, so it can be analyzed
+            throw new RuntimeException("Unable to serialize exception due to not serializable class " + e.getMessage(), t);
         } catch (Exception e) {
             throw new RuntimeException(e);
         }

diff --git a/...lian/tests/base/src/main/java/org/keycloak/testsuite/pages/social/OpenShiftLoginPage.java b/...lian/tests/base/src/main/java/org/keycloak/testsuite/pages/social/OpenShiftLoginPage.java
@@ -17,6 +17,7 @@
 
 package org.keycloak.testsuite.pages.social;
 
+import org.keycloak.testsuite.util.WaitUtils;
 import org.openqa.selenium.By;
 import org.openqa.selenium.Keys;
 import org.openqa.selenium.NoSuchElementException;
@@ -35,6 +36,9 @@ public class OpenShiftLoginPage extends AbstractSocialLoginPage {
     @FindBy(name = "password")
     private WebElement passwordInput;
 
+    @FindBy(name = "approve")
+    private WebElement authorizeButton;
+
     private String userLoginLinkTitle;
 
     private WebElement userLoginLink;
@@ -48,9 +52,18 @@ public void login(String user, String password) {
             }
         }
 
+        WaitUtils.pause(3000);
         usernameInput.sendKeys(user);
         passwordInput.sendKeys(password);
         passwordInput.sendKeys(Keys.RETURN);
+
+        try {
+            WaitUtils.pause(3000);
+            authorizeButton.click();
+        }
+        catch (NoSuchElementException e) {
+            log.info("User already allowed in the app");
+        }
     }
 
     public void setUserLoginLinkTitle(String title) {

diff --git a/...on-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java b/...on-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java
@@ -250,7 +250,7 @@ public static void setupClientExchangePermissions(KeycloakSession session) {
     public void openshiftLogin() {
         setTestProvider(OPENSHIFT);
         performLogin();
-        assertUpdateProfile(false, false, true);
+        assertUpdateProfile(true, true, true);
         appPage.assertCurrent();
         testTokenExchange();
     }

diff --git a/...src/test/java/org/keycloak/testsuite/federation/ldap/LDAPProvidersFullNameMapperTest.java b/...src/test/java/org/keycloak/testsuite/federation/ldap/LDAPProvidersFullNameMapperTest.java
@@ -167,7 +167,7 @@ public void testUpdatingAttributesWorksEvenWithEmptyAttributes() {
             MatcherAssert.assertThat(Arrays.asList("one", "two", "three"),
                 Matchers.containsInAnyOrder(fullnameUser.getAttributeStream("myAttrThreeValues").toArray(String[]::new)));
 
-            // Remove "fullnameUser" to assert he is removed from LDAP.
+            // Remove "fullnameUser" to prevent conflicts with other tests
             session.users().removeUser(appRealm, fullnameUser);
         });
     }
@@ -201,6 +201,9 @@ public void testMultiValuedAttributes() {
 
             UserModel fullnameUser = session.users().getUserByUsername(appRealm, "fullname");
             Assert.assertEquals(Arrays.asList("role1", "role2"), fullnameUser.getAttributeStream("roles").collect(Collectors.toList()));
+
+            // Remove "fullnameUser" to prevent conflicts with other tests
+            session.users().removeUser(appRealm, fullnameUser);
         });
     }
 }