From e94344a7eae030e26e6a7076fb408a6945784fd6 Mon Sep 17 00:00:00 2001
From: Michal Vala
Date: Thu, 11 Nov 2021 14:59:38 +0100
Subject: [PATCH] fix configuration
Signed-off-by: Michal Vala
---
 .../src/main/webapp/WEB-INF/classes/che/che.properties | 2 +-
 .../configurator/CredentialsSecretConfiguratorTest.java | 6 ++++++
 .../server/KeycloakEnvironmentInitializationFilter.java | 5 ++---
 .../che/multiuser/keycloak/server/KeycloakSettings.java | 9 +++++----
 .../KeycloakEnvironmentInitializationFilterTest.java | 9 ++++-----
 .../multiuser/keycloak/server/KeycloakSettingsTest.java | 8 ++++----
 .../che/multiuser/keycloak/shared/KeycloakConstants.java | 2 --
 7 files changed, 22 insertions(+), 19 deletions(-)
 create mode 100644 infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/CredentialsSecretConfiguratorTest.java
diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
index 152c6c0edfd..a9719ec179f 100644
--- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
@@ -553,7 +553,7 @@ che.infra.kubernetes.trusted_ca.dest_configmap_labels=
 # This results in huge privilege escalation.
 # It impacts only Kubernetes infrastructure. Therefore it implies no security risk on OpenShift with OAuth.
 # Do not enable this, unless you understand the risks.
-che.infra.kubernetes.enable_unsupported_k8s=false
+# che.infra.kubernetes.enable_unsupported_k8s=false
 ### OpenShift Infra parameters
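Review bot: Commenting out `che.infra.kubernetes.enable_unsupported_k8s=false` removes the only place in this hunk where the safe value is stated, directly under a comment block that warns the option results in a large privilege escalation. The code that binds this key is not part of the patch, so it should be confirmed that an absent property is treated as disabled, rather than failing injection or picking up a different default. If that holds, I would record it next to the warning with a line such as `# Leave unset to keep this disabled; set to true only after reviewing the risks above.` so the reason the key is commented out is not lost.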
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/CredentialsSecretConfiguratorTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/CredentialsSecretConfiguratorTest.java
new file mode 100644
index 00000000000..62355ed15f9
--- /dev/null
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/CredentialsSecretConfiguratorTest.java
@@ -0,0 +1,6 @@
+package org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator;
+
+import static org.testng.Assert.*;
+public class CredentialsSecretConfiguratorTest {
+
+}
diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java
index 84bf08d59f2..92d8f324a64 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilter.java
@@ -13,6 +13,7 @@
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_USERNAME_CLAIM_SETTING;
 import com.google.common.base.Splitter;
 import io.jsonwebtoken.Claims;
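Review bot: `CredentialsSecretConfiguratorTest` is added with an empty body, so it provides no coverage for the credentials-secret configurator it is named after, and the wildcard `import static org.testng.Assert.*;` is unused. Nothing else in this patch touches that package, which suggests the file was committed by accident alongside the configuration fix. I would either drop it from this commit or give it at least one real test method and replace the wildcard with the specific assertions it uses. The other Java files in the patch appear to carry a header block before their `package` line (their hunks place it around line 12), which this new file lacks.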
@@ -43,7 +44,6 @@
 import org.eclipse.che.multiuser.api.authentication.commons.token.RequestTokenExtractor;
 import org.eclipse.che.multiuser.api.permission.server.AuthorizedSubject;
 import org.eclipse.che.multiuser.api.permission.server.PermissionChecker;
-import org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -123,8 +123,7 @@ public Subject extractSubject(String token, Jws processedToken) throws S
 try {
 String username =
- claims.get(
- keycloakSettings.get().get(KeycloakConstants.USERNAME_CLAIM_SETTING), String.class);
+ claims.get(keycloakSettings.get().get(OIDC_USERNAME_CLAIM_SETTING), String.class);
 if (username == null) { // fallback to unique id promised by spec
 // https://openid.net/specs/openid-connect-basic-1_0.html#ClaimStability
 username = claims.getIssuer() + ":" + claims.getSubject();
diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettings.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettings.java
index 5e2927c5451..e805c98b2a2 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettings.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettings.java
@@ -18,17 +18,17 @@
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.JS_ADAPTER_URL_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.JWKS_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.LOGOUT_ENDPOINT_SETTING;
-import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.OIDC_PROVIDER_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.OSO_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.PASSWORD_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.PROFILE_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.REALM_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.TOKEN_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USERINFO_ENDPOINT_SETTING;
-import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USERNAME_CLAIM_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USE_FIXED_REDIRECT_URLS_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USE_NONCE_SETTING;
 import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.AUTH_SERVER_URL_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_PROVIDER_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_USERNAME_CLAIM_SETTING;
 import com.google.common.collect.Maps;
 import java.util.Collections;
@@ -55,7 +55,7 @@ public KeycloakSettings(
 @Nullable @Named(REALM_SETTING) String realm,
 @Named(CLIENT_ID_SETTING) String clientId,
 @Nullable @Named(OIDC_PROVIDER_SETTING) String oidcProviderUrl,
- @Nullable @Named(USERNAME_CLAIM_SETTING) String usernameClaim,
+ @Nullable @Named(OIDC_USERNAME_CLAIM_SETTING) String usernameClaim,
 @Named(USE_NONCE_SETTING) boolean useNonce,
 @Nullable @Named(OSO_ENDPOINT_SETTING) String osoEndpoint,
 @Nullable @Named(GITHUB_ENDPOINT_SETTING) String gitHubEndpoint,
@@ -65,7 +65,8 @@ public KeycloakSettings(
 Map settings = Maps.newHashMap();
 settings.put(
- USERNAME_CLAIM_SETTING, usernameClaim == null ? DEFAULT_USERNAME_CLAIM : usernameClaim);
+ OIDC_USERNAME_CLAIM_SETTING,
+ usernameClaim == null ? DEFAULT_USERNAME_CLAIM : usernameClaim);
 settings.put(CLIENT_ID_SETTING, clientId);
 settings.put(REALM_SETTING, realm);
diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilterTest.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilterTest.java
index 8ada9dd6112..a1732ecf048 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilterTest.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitializationFilterTest.java
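Review bot: The `@Nullable @Named(OIDC_USERNAME_CLAIM_SETTING)` binding in the constructor silently falls back to `DEFAULT_USERNAME_CLAIM` when the property is absent, so a deployment that still sets the old key would change username claim without any signal. The removed constant was `KEYCLOAK_SETTING_PREFIX + "username_claim"`, and the value of `OIDC_USERNAME_CLAIM_SETTING` is not visible in this patch, so whether the property name actually changes needs confirming. This matters because `KeycloakEnvironmentInitializationFilter.extractSubject` reads the same key to decide which token claim becomes the username. The second hunk (`settings.put(OIDC_USERNAME_CLAIM_SETTING, ...)`) also changes the key under which the value is published in the settings map, which may affect clients that read it. If the name does differ, I would document the rename and add a comment on the parameter such as `// replaces the former keycloak username_claim property; unset falls back to DEFAULT_USERNAME_CLAIM`. The constructor starts and ends outside both hunks.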
@@ -12,7 +12,7 @@
 package org.eclipse.che.multiuser.keycloak.server;
 import static org.eclipse.che.multiuser.api.authentication.commons.Constants.CHE_SUBJECT_ATTRIBUTE;
-import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USERNAME_CLAIM_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_USERNAME_CLAIM_SETTING;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -50,7 +50,6 @@
 import org.eclipse.che.multiuser.api.authentication.commons.token.RequestTokenExtractor;
 import org.eclipse.che.multiuser.api.permission.server.AuthorizedSubject;
 import org.eclipse.che.multiuser.api.permission.server.PermissionChecker;
-import org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants;
 import org.eclipse.che.multiuser.machine.authentication.server.signature.SignatureKeyManager;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
@@ -119,7 +118,7 @@ public void shouldReplaceBackSlashAndAtSignInUsername() throws Exception {
 DefaultJws jws = new DefaultJws<>(new DefaultJwsHeader(), claims, "");
 when(tokenExtractor.getToken(any(HttpServletRequest.class))).thenReturn("token");
 when(jwtParser.parseClaimsJws(anyString())).thenReturn(jws);
- keycloakSettingsMap.put(USERNAME_CLAIM_SETTING, "preferred_username");
+ keycloakSettingsMap.put(OIDC_USERNAME_CLAIM_SETTING, "preferred_username");
 when(userManager.getOrCreateUser(anyString(), anyString(), anyString()))
 .thenReturn(mock(UserImpl.class, RETURNS_DEEP_STUBS));
 filter =
@@ -149,7 +148,7 @@ public void shoulBeAbleToDisableUsernameStringReplacing() throws Exception {
 DefaultJws jws = new DefaultJws<>(new DefaultJwsHeader(), claims, "");
 when(tokenExtractor.getToken(any(HttpServletRequest.class))).thenReturn("token");
 when(jwtParser.parseClaimsJws(anyString())).thenReturn(jws);
- keycloakSettingsMap.put(USERNAME_CLAIM_SETTING, "preferred_username");
+ keycloakSettingsMap.put(OIDC_USERNAME_CLAIM_SETTING, "preferred_username");
 when(userManager.getOrCreateUser(anyString(), anyString(), anyString()))
 .thenReturn(mock(UserImpl.class, RETURNS_DEEP_STUBS));
 filter =
@@ -210,7 +209,7 @@ public void shouldRetrieveTheEmailWhenItIsNotInJwtToken() throws Exception {
 Claims claims = new DefaultClaims(claimParams).setSubject("id");
 DefaultJws jws = new DefaultJws<>(new DefaultJwsHeader(), claims, "");
 UserImpl user = new UserImpl("id", "test@test.com", "username");
- keycloakSettingsMap.put(KeycloakConstants.USERNAME_CLAIM_SETTING, "preferred_username");
+ keycloakSettingsMap.put(OIDC_USERNAME_CLAIM_SETTING, "preferred_username");
 // given
 when(tokenExtractor.getToken(any(HttpServletRequest.class))).thenReturn("token");
 when(jwtParser.parseClaimsJws(anyString())).thenReturn(jws);
diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettingsTest.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettingsTest.java
index 4656803ad15..6138eae411b 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettingsTest.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/KeycloakSettingsTest.java
@@ -19,16 +19,16 @@
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.JS_ADAPTER_URL_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.JWKS_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.LOGOUT_ENDPOINT_SETTING;
-import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.OIDC_PROVIDER_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.OSO_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.PASSWORD_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.PROFILE_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.REALM_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.TOKEN_ENDPOINT_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USERINFO_ENDPOINT_SETTING;
-import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USERNAME_CLAIM_SETTING;
 import static org.eclipse.che.multiuser.keycloak.shared.KeycloakConstants.USE_NONCE_SETTING;
 import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.AUTH_SERVER_URL_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_PROVIDER_SETTING;
+import static org.eclipse.che.multiuser.oidc.OIDCInfoProvider.OIDC_USERNAME_CLAIM_SETTING;
 import static org.mockito.Mockito.when;
 import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertNull;
@@ -209,7 +209,7 @@ public void shouldBeUsedConfigurationFromExternalOIDCProviderWithoutFixedRedirec
 oidcInfo);
 Map publicSettings = settings.get();
- assertEquals(publicSettings.get(USERNAME_CLAIM_SETTING), DEFAULT_USERNAME_CLAIM);
+ assertEquals(publicSettings.get(OIDC_USERNAME_CLAIM_SETTING), DEFAULT_USERNAME_CLAIM);
 assertEquals(publicSettings.get(CLIENT_ID_SETTING), CLIENT_ID);
 assertEquals(publicSettings.get(REALM_SETTING), CHE_REALM);
 assertNull(publicSettings.get(AUTH_SERVER_URL_SETTING));
@@ -254,7 +254,7 @@ public void shouldBeUsedConfigurationFromExternalAuthServer() {
 oidcInfo);
 Map publicSettings = settings.get();
- assertEquals(publicSettings.get(USERNAME_CLAIM_SETTING), DEFAULT_USERNAME_CLAIM);
+ assertEquals(publicSettings.get(OIDC_USERNAME_CLAIM_SETTING), DEFAULT_USERNAME_CLAIM);
 assertEquals(publicSettings.get(CLIENT_ID_SETTING), CLIENT_ID);
 assertEquals(publicSettings.get(REALM_SETTING), CHE_REALM);
 assertEquals(publicSettings.get(AUTH_SERVER_URL_SETTING), SERVER_AUTH_URL);
diff --git a/multiuser/keycloak/che-multiuser-keycloak-shared/src/main/java/org/eclipse/che/multiuser/keycloak/shared/KeycloakConstants.java b/multiuser/keycloak/che-multiuser-keycloak-shared/src/main/java/org/eclipse/che/multiuser/keycloak/shared/KeycloakConstants.java
index 1ed8b65d39c..15cd6467e27 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-shared/src/main/java/org/eclipse/che/multiuser/keycloak/shared/KeycloakConstants.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-shared/src/main/java/org/eclipse/che/multiuser/keycloak/shared/KeycloakConstants.java
@@ -19,8 +19,6 @@ public class KeycloakConstants {
 public static final String REALM_SETTING = KEYCLOAK_SETTING_PREFIX + "realm";
 public static final String CLIENT_ID_SETTING = KEYCLOAK_SETTING_PREFIX + "client_id";
- public static final String OIDC_PROVIDER_SETTING = KEYCLOAK_SETTING_PREFIX + "oidc_provider";
- public static final String USERNAME_CLAIM_SETTING = KEYCLOAK_SETTING_PREFIX + "username_claim";
 public static final String USE_NONCE_SETTING = KEYCLOAK_SETTING_PREFIX + "use_nonce";
 public static final String USE_FIXED_REDIRECT_URLS_SETTING = KEYCLOAK_SETTING_PREFIX + "use_fixed_redirect_urls";