From a5670af745c1033479c539f2f0a50a396ea9c486 Mon Sep 17 00:00:00 2001 
From: Stian Thorgersen Date: Wed, 14 Dec 2022 16:12:23 +0100 Subject: [PATCH] Keycloak CI workflow refactoring (#15968) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík * Update CodeQL actions Co-authored-by: Hynek Mlnařík --- .github/actions/build-keycloak/action.yml | 82 +++ .github/actions/changed-files/action.yml | 49 ++ .github/actions/checks-job-pass/action.yml | 34 + .github/actions/checks-success/action.yml | 16 + .../actions/integration-test-setup/action.yml | 41 ++ .github/actions/maven-cache/action.yml | 28 + .github/actions/npm-cache/action.yml | 17 + .github/actions/phantomjs-cache/action.yml | 26 + .github/actions/unit-test-setup/action.yml | 26 + .github/scripts/quickstarts/prepare-server.sh | 11 - .github/settings.xml | 48 -- .github/workflows/ci.yml | 673 ++++++------------ .github/workflows/codeql-analysis.yml | 150 ++++ .github/workflows/codeql-java-analysis.yml | 59 -- .../workflows/codeql-js-adapter-analysis.yml | 62 -- .github/workflows/codeql-theme-analysis.yml | 62 -- .github/workflows/operator-ci.yml | 139 ++-- .github/workflows/snyk-analysis.yml | 45 ++ .github/workflows/snyk.yml | 68 -- .github/workflows/trivy-analysis.yml | 69 +- .gitignore | 3 + adapters/oidc/js/pom.xml | 1 + .../runtime/integration/QuarkusPlatform.java | 5 + .../keycloak/platform/PlatformProvider.java | 2 + .../servers/auth-server/pom.xml | 17 +- .../services/testsuite-providers/pom.xml | 22 - .../theme/TestThemeResourceProvider.java | 13 +- .../tests/base/testsuites/base-suite | 47 ++ .../tests/base/testsuites/base-suite.sh | 43 ++ .../tests/base/testsuites/database-suite 
| 18 + .../tests/base/testsuites/fips-suite | 15 + .../tests/base/testsuites/jdk-suite | 17 + .../tests/base/testsuites/suite.sh | 35 + .../org/keycloak/testsuite/TestPlatform.java | 5 + themes/pom.xml | 4 +- 35 files changed, 1027 insertions(+), 925 deletions(-) create mode 100644 .github/actions/build-keycloak/action.yml create mode 100644 .github/actions/changed-files/action.yml create mode 100644 .github/actions/checks-job-pass/action.yml create mode 100644 .github/actions/checks-success/action.yml create mode 100644 .github/actions/integration-test-setup/action.yml create mode 100644 .github/actions/maven-cache/action.yml create mode 100644 .github/actions/npm-cache/action.yml create mode 100644 .github/actions/phantomjs-cache/action.yml create mode 100644 .github/actions/unit-test-setup/action.yml delete mode 100755 .github/scripts/quickstarts/prepare-server.sh delete mode 100644 .github/settings.xml create mode 100644 .github/workflows/codeql-analysis.yml delete mode 100644 .github/workflows/codeql-java-analysis.yml delete mode 100644 .github/workflows/codeql-js-adapter-analysis.yml delete mode 100644 .github/workflows/codeql-theme-analysis.yml create mode 100644 .github/workflows/snyk-analysis.yml delete mode 100644 .github/workflows/snyk.yml create mode 100644 testsuite/integration-arquillian/tests/base/testsuites/base-suite create mode 100755 testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh create mode 100644 testsuite/integration-arquillian/tests/base/testsuites/database-suite create mode 100644 testsuite/integration-arquillian/tests/base/testsuites/fips-suite create mode 100644 testsuite/integration-arquillian/tests/base/testsuites/jdk-suite create mode 100755 testsuite/integration-arquillian/tests/base/testsuites/suite.sh diff --git a/.github/actions/build-keycloak/action.yml b/.github/actions/build-keycloak/action.yml new file mode 100644 index 0000000000..8587495e29 --- /dev/null +++ b/.github/actions/build-keycloak/action.yml 
@@ -0,0 +1,82 @@
+name: Build Keycloak
+description: Builds Keycloak providing Maven repository with all artifacts
+
+inputs:
+ upload-m2-repo:
+ description: Upload Maven repository for org.keycloak artifacts
+ required: false
+ default: true
+ upload-dist:
+ description: Upload distribution
+ required: false
+ default: false
+ jdk-dist:
+ description: JDK distribution
+ required: false
+ default: temurin
+ jdk-version:
+ description: JDK version
+ required: false
+ default: 11
+
+runs:
+ using: composite
+ steps:
+ - id: setup-java
+ name: Setup Java
+ uses: actions/setup-java@v3
+ with:
+ distribution: ${{ inputs.jdk-dist }}
+ java-version: ${{ inputs.jdk-version }}
+
+ - id: maven-cache
+ name: Maven cache
+ uses: ./.github/actions/maven-cache
+
+ - id: phantomjs-cache
+ name: PhantomJS cache
+ uses: ./.github/actions/phantomjs-cache
+
+ - id: npm-cache
+ name: NPM cache
+ uses: ./.github/actions/npm-cache
+
+ - id: build-keycloak
+ name: Build Keycloak
+ shell: bash
+ run: |
+ MVN_HTTP_CONFIG="-Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120"
+ ./mvnw install -nsu -B -e -DskipTests -DskipExamples $MVN_HTTP_CONFIG
+
+ - id: compress-keycloak-maven-repository
+ name: Compress Keycloak Maven artifacts
+ if: inputs.upload-m2-repo == 'true'
+ shell: bash
+ run: |
+ tar -C ~/ --use-compress-program zstd -cf m2-keycloak.tzts \
+ --exclude '*.tar.gz' \
+ .m2/repository/org/keycloak
+
+ - id: upload-keycloak-maven-repository
+ name: Upload Keycloak Maven artifacts
+ if: inputs.upload-m2-repo == 'true'
+ uses: actions/upload-artifact@v3
+ with:
+ name: m2-keycloak.tzts
+ path: m2-keycloak.tzts
+ retention-days: 1
+
+ - id: upload-keycloak-dist
+ name: Upload Keycloak dist
+ if: inputs.upload-dist == 'true'
+ uses: actions/upload-artifact@v3
+ with:
+ name: keycloak-dist
+ path: quarkus/dist/target/keycloak*.tar.gz
+ retention-days: 1
+
+ - id: maven-cache-cleanup
+ name: Maven cache cleanup
+ if: steps.maven-cache.outputs.cache-hit != 'true'
+ shell: bash
+ run: rm -rf ~/.m2/repository/org/keycloak
diff --git a/.github/actions/changed-files/action.yml b/.github/actions/changed-files/action.yml
new file mode 100644
index 0000000000..cf9dbeb6bd
--- /dev/null
+++ b/.github/actions/changed-files/action.yml
@@ -0,0 +1,49 @@
+name: Changed Files
+description: Checks changes against target branch
+
+outputs:
+ java:
+ description: Changes to Java files
+ value: ${{ steps.changes.outputs.java }}
+ themes:
+ description: Changes to themes
+ value: ${{ steps.changes.outputs.themes }}
+ js-adapter:
+ description: Changes to JavaScript adapter
+ value: ${{ steps.changes.outputs.js-adapter }}
+
+runs:
+ using: composite
+ steps:
+ - id: changes
+ name: Find changes
+ shell: bash
+ run: |
+ BASE_REF=${{ github.base_ref }}
+
+ changed () {
+ git diff --name-only origin/${{ github.base_ref }} | grep -E "$1" &>/dev/null && echo true || echo false
+ }
+
+ if [ "$BASE_REF" != "" ]; then
+ echo "Checking changes against orgin/$BASE_REF"
+ git fetch origin
+
+ JAVA=`changed '^.*/.*.java$'`
+ THEMES=`changed '^themes/src/main/.*$'`
+ JS_ADAPTER=`changed '^adapters/oidc/js/.*$'`
+ else
+ echo "Not a pull request, marking everything as changed"
+
+ JAVA=true
+ THEMES=true
+ JS_ADAPTER=true
+ fi
+
+ echo "Java changed: $JAVA"
+ echo "Themes changed: $THEMES"
+ echo "JS adapter changed: $JS_ADAPTER"
+
+ echo "java=$JAVA" >> $GITHUB_OUTPUT
+ echo "themes=$THEMES" >> $GITHUB_OUTPUT
+ echo "js-adapter=$JS_ADAPTER" >> $GITHUB_OUTPUT
diff --git a/.github/actions/checks-job-pass/action.yml b/.github/actions/checks-job-pass/action.yml
new file mode 100644
index 0000000000..30b782a7e8
--- /dev/null
+++ b/.github/actions/checks-job-pass/action.yml
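Review bot: The `maven-cache-cleanup` condition `steps.maven-cache.outputs.cache-hit != 'true'` can never be false, because the `maven-cache` composite action added in this patch (`.github/actions/maven-cache/action.yml`) declares no `outputs:`, so the expression is always empty and the cleanup runs on every build whether or not the cache was restored. Either give maven-cache an outputs block, `outputs:` / `  cache-hit:` / `    value: ${{ steps.cache-maven-repository.outputs.cache-hit }}`, or drop the `if:` and say in a comment that org/keycloak is always removed before the weekly cache is saved. As written the step still keeps org.keycloak artifacts out of the cache, which is what maven-cache's `check-maven-cache` step enforces, so the dead condition misleads rather than breaks; the same missing output affects the maven-cache hunk itself.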
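Review bot: `changed()` diffs the working tree against the tip of `origin/$BASE_REF`, which equals the pull request's own change set only when the checkout is the PR merge ref (actions/checkout's default for `pull_request`); a caller that checks out the head SHA instead would also see every file the base branch changed since the fork point. A comment such as `# assumes the checkout is the PR merge ref, so a diff to the base tip is exactly this PR's change set` would make that dependency explicit. Inside the function `${{ github.base_ref }}` is interpolated a second time instead of reading the `BASE_REF` variable set two lines earlier; `origin/"$BASE_REF"` keeps the context value out of the generated script text, which is the usual hardening for `run:` steps. Minor: the echo says `orgin/`, and `'^.*/.*.java$'` has an unescaped dot and requires a `/`, so a `.java` file at the repository root is not counted; `'\.java$'` matches the intent more precisely.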
@@ -0,0 +1,34 @@
+name: Check if a job passed
+description: Fails if the job is required and was not successful
+
+inputs:
+ required:
+ description: Is the job required
+ required: true
+ default: true
+ conclusion:
+ description: Job conclusion (success if passed, most likely empty otherwise)
+ required: true
+
+outputs:
+ status:
+ description: "Check status"
+ value: ${{ steps.changes.outputs.java }}
+
+runs:
+ using: "composite"
+ steps:
+ - id: check-job
+ name: Check job
+ shell: bash
+ run: |
+ if [ "${{ inputs.required }}" == "false" ]; then
+ echo "Not required to run, skipping"
+ else
+ if [ "${{ inputs.conclusion }}" == "success" ]; then
+ echo "Success"
+ else
+ echo "Required to run, but didn't succeed"
+ exit 1
+ fi
+ fi
diff --git a/.github/actions/checks-success/action.yml b/.github/actions/checks-success/action.yml
new file mode 100644
index 0000000000..64377fb426
--- /dev/null
+++ b/.github/actions/checks-success/action.yml
@@ -0,0 +1,16 @@
+name: Mark job as successful
+description: Workaround for GitHub Actions not setting conclusion on jobs passed through needs
+
+outputs:
+ conclusion:
+ description: Conclusion
+ value: ${{ steps.check.outputs.conclusion }}
+
+runs:
+ using: composite
+ steps:
+ - id: check
+ name: Set success
+ shell: bash
+ run: |
+ echo "conclusion=success" >> $GITHUB_OUTPUT
diff --git a/.github/actions/integration-test-setup/action.yml b/.github/actions/integration-test-setup/action.yml
new file mode 100644
index 0000000000..f698c51206
--- /dev/null
+++ b/.github/actions/integration-test-setup/action.yml
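Review bot: The `status` output of checks-job-pass reads `steps.changes.outputs.java`, but this action has no step with id `changes` (its only step is `check-job`), so the output is always empty; it looks like a leftover from the changed-files action. Either drop the `outputs:` block or have the script emit a value and point the output at it, e.g. `value: ${{ steps.check-job.outputs.status }}` together with `echo "status=success" >> $GITHUB_OUTPUT` on the success path. The `required` input is declared with both `required: true` and `default: true`, which is harmless but makes the `required:` flag meaningless; one of the two is enough.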
@@ -0,0 +1,41 @@
+name: Setup integration test
+description: Download Maven caches needed for integration tests
+
+inputs:
+ jdk-dist:
+ description: JDK distribution
+ required: false
+ default: temurin
+ jdk-version:
+ description: JDK version
+ required: false
+ default: 11
+
+runs:
+ using: composite
+ steps:
+ - id: setup-java
+ name: Setup Java
+ uses: actions/setup-java@v3
+ with:
+ distribution: ${{ inputs.jdk-dist }}
+ java-version: ${{ inputs.jdk-version }}
+
+ - id: maven-cache
+ name: Maven cache
+ uses: ./.github/actions/maven-cache
+
+ - id: phantomjs-cache
+ name: PhantomJS cache
+ uses: ./.github/actions/phantomjs-cache
+
+ - id: download-keycloak
+ name: Download Keycloak Maven artifacts
+ uses: actions/download-artifact@v3
+ with:
+ name: m2-keycloak.tzts
+
+ - id: extract-maven-artifacts
+ name: Extract Keycloak Maven artifacts
+ shell: bash
+ run: tar -C ~/ --use-compress-program unzstd -xf m2-keycloak.tzts
diff --git a/.github/actions/maven-cache/action.yml b/.github/actions/maven-cache/action.yml
new file mode 100644
index 0000000000..7d2c56f8e4
--- /dev/null
+++ b/.github/actions/maven-cache/action.yml
@@ -0,0 +1,28 @@
+name: Maven Cache
+description: Caches Maven artifacts
+
+runs:
+ using: composite
+ steps:
+ - id: weekly-cache-key
+ name: Key for weekly rotation of cache
+ shell: bash
+ run: echo "key=mvn-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
+
+ - id: cache-maven-repository
+ name: Maven cache
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2/repository
+ key: ${{ steps.weekly-cache-key.outputs.key }}
+
+ - id: check-maven-cache
+ name: Check cache has no Keycloak artifacts
+ if: steps.cache-maven-repository.outputs.cache-hit == 'true'
+ shell: bash
+ run: |
+ if ( stat ~/.m2/repository/org/keycloak &>/dev/null ); then
+ echo "Found org/keycloak artifacts in Maven repository cache"
+ ls ~/.m2/repository/org/keycloak
+ exit 1
+ fi
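Review bot: The `download-keycloak` step of integration-test-setup hard-codes the artifact name `m2-keycloak.tzts` and silently depends on a `build-keycloak` step having run earlier in the same workflow run with `upload-m2-repo` left at its default; if that input is set to `false` the download fails with a missing-artifact error that says nothing about the cause. A header comment such as `# Requires the m2-keycloak.tzts artifact uploaded by ./.github/actions/build-keycloak (upload-m2-repo: true) earlier in the same run` would save the next person a search, and the archive name is worth documenting in build-keycloak too since the two must stay in step. The `jdk-dist`/`jdk-version` inputs and their `temurin`/`11` defaults are also repeated verbatim in build-keycloak and unit-test-setup while ci.yml keeps its own `DEFAULT_JDK_*` values; composite actions cannot see workflow `env`, so a JDK bump currently has to be made in four places.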
diff --git a/.github/actions/npm-cache/action.yml b/.github/actions/npm-cache/action.yml
new file mode 100644
index 0000000000..efc9c3faa9
--- /dev/null
+++ b/.github/actions/npm-cache/action.yml
@@ -0,0 +1,17 @@
+name: NPM Cache
+description: Caches NPM artifacts
+
+runs:
+ using: composite
+ steps:
+ - id: weekly-cache-key
+ name: Key for weekly rotation of cache
+ shell: bash
+ run: echo "key=npm-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
+
+ - id: cache-npm-repository
+ name: NPM cache
+ uses: actions/cache@v3
+ with:
+ path: ~/.npm
+ key: ${{ steps.weekly-cache-key.outputs.key }}
diff --git a/.github/actions/phantomjs-cache/action.yml b/.github/actions/phantomjs-cache/action.yml
new file mode 100644
index 0000000000..6b17be10c1
--- /dev/null
+++ b/.github/actions/phantomjs-cache/action.yml
@@ -0,0 +1,26 @@
+name: PhantomJS Cache
+description: Caches PhantomJS driver
+
+inputs:
+ version:
+ description: PhantomJS Driver version
+ required: false
+ default: 2.1.1
+
+runs:
+ using: composite
+ steps:
+ - id: cache-phantomjs-driver
+ name: PhantomJS Driver cache
+ uses: actions/cache@v3
+ with:
+ path: ~/.arquillian/drone
+ key: phantomjs-${{ inputs.version }}
+
+ - id: download-phantomjs-driver
+ name: Download PhantomJS Driver
+ if: steps.cache-phantomjs-driver.outputs.cache-hit != 'true'
+ shell: bash
+ run: |
+ mkdir -p ~/.arquillian/drone/phantomjs/${{ inputs.version }}/
+ curl -L https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-${{ inputs.version }}-linux-x86_64.tar.bz2 --output ~/.arquillian/drone/phantomjs/${{ inputs.version }}/phantomjs-${{ inputs.version }}-linux-x86_64.tar.bz2
diff --git a/.github/actions/unit-test-setup/action.yml b/.github/actions/unit-test-setup/action.yml
new file mode 100644
index 0000000000..763506f809
--- /dev/null
+++ b/.github/actions/unit-test-setup/action.yml
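Review bot: The `download-phantomjs-driver` step fetches an executable archive with `curl -L` but no `--fail` and no integrity check, so an HTTP error body from the download host would be written under the tarball name, and because the step exits 0 the file can end up saved under the `phantomjs-2.1.1` cache key, where it breaks every later Drone run until someone evicts the cache by hand. Add `--fail` so a bad response fails the step instead, and verify the archive against a pinned digest before the job can reach the cache save, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  ~/.arquillian/drone/phantomjs/${{ inputs.version }}/phantomjs-${{ inputs.version }}-linux-x86_64.tar.bz2" | sha256sum -c -` (digest to be taken from a known-good copy of the 2.1.1 archive; the `version` input would then need a matching digest input or table). That also pins what the test suite executes to one known binary rather than to whatever the download host serves on a given day.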
@@ -0,0 +1,26 @@
+name: Setup unit test
+description: Download Maven caches needed for unit tests
+
+inputs:
+ jdk-dist:
+ description: JDK distribution
+ required: false
+ default: temurin
+ jdk-version:
+ description: JDK version
+ required: false
+ default: 11
+
+runs:
+ using: composite
+ steps:
+ - id: setup-java
+ name: Setup Java
+ uses: actions/setup-java@v3
+ with:
+ distribution: ${{ inputs.jdk-dist }}
+ java-version: ${{ inputs.jdk-version }}
+
+ - id: maven-cache
+ name: Maven cache
+ uses: ./.github/actions/maven-cache
diff --git a/.github/scripts/quickstarts/prepare-server.sh b/.github/scripts/quickstarts/prepare-server.sh
deleted file mode 100755
index a036908bd0..0000000000
--- a/.github/scripts/quickstarts/prepare-server.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash -e
-
-VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec -f keycloak)
-
-unzip ~/.m2/repository/org/keycloak/keycloak-server-dist/${VERSION}/keycloak-server-dist-${VERSION}.zip
-mv keycloak-${VERSION} keycloak-dist
-
-keycloak-dist/bin/add-user-keycloak.sh -u admin -p admin
-
-# update QS version to match KC version
-mvn versions:set -DnewVersion=$VERSION -DgenerateBackupPoms=false -DgroupId=org.keycloak* -DartifactId=* -Pbump-version -B
\ No newline at end of file
diff --git a/.github/settings.xml b/.github/settings.xml
deleted file mode 100644
index e7974ab9bb..0000000000
--- a/.github/settings.xml
+++ /dev/null
@@ -1,48 +0,0 @@
- - - update-policy - - true - - - - central - Maven Central - https://repo.maven.apache.org/maven2 - - false - - - interval:43200 - - - - jboss-public-repository - Jboss Public - https://repository.jboss.org/nexus/content/groups/public/ - - false - - - interval:43200 - - - - redhat-enterprise-maven-repository - Red Hat Enterprise Maven Repository - https://maven.repository.redhat.com/ga/ - - false - - - interval:43200 - - - - - - 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 25fc14bf8c..3b81676ee6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -2,374 +2,198 @@ name: Keycloak CI on: push: - branches-ignore: [main] - # as the ci.yml contains actions that are required for PRs to be merged, it will always need to run on all PRs - pull_request: {} + branches-ignore: + - main + - dependabot/** + pull_request: schedule: - - cron: '0 20,23,2,5 * * *' + - cron: 0 20,23,2,5 * * * workflow_dispatch: env: DEFAULT_JDK_VERSION: 11 - MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 + DEFAULT_JDK_DIST: temurin concurrency: - # Only cancel jobs for new commits on PRs, and always do a complete run on other branches (e.g. `main`). - # See: https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value - group: keycloak-ci-${{ github.head_ref || github.run_id }} + # Only cancel jobs for PR updates + group: ci-${{ github.head_ref || github.run_id }} cancel-in-progress: true +defaults: + run: + shell: bash + jobs: build: name: Build - if: ${{ ( github.event_name != 'schedule' ) || ( github.event_name == 'schedule' && github.repository == 'keycloak/keycloak' ) }} + if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - cache: 'maven' - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - name: Build Keycloak - run: | - ./mvnw clean install -nsu -B -e -DskipTests -Pdistribution - ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server -Pauth-server-quarkus - ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server -Pauth-server-undertow - - - name: Store Keycloak artifacts - id: store-keycloak - uses: actions/upload-artifact@v3 - with: - name: 
keycloak-artifacts.zip - retention-days: 1 - path: | - ~/.m2/repository/org/keycloak - !~/.m2/repository/org/keycloak/**/*.tar.gz - - - name: Remove keycloak artifacts before caching - if: steps.cache.outputs.cache-hit != 'true' - run: rm -rf ~/.m2/repository/org/keycloak - -# Tests: Regular distribution + uses: ./.github/actions/build-keycloak unit-tests: - name: Unit Tests + name: Base UT runs-on: ubuntu-latest needs: build timeout-minutes: 30 steps: - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - cache: 'maven' - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - name: Cleanup org.keycloak artifacts - run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true - - name: Download built keycloak - id: download-keycloak - uses: actions/download-artifact@v3 - with: - path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip + + - id: unit-test-setup + name: Unit test setup + uses: ./.github/actions/unit-test-setup + - name: Run unit tests - run: | - if ! ./mvnw install -nsu -B -DskipTestsuite -DskipQuarkus -DskipExamples -f pom.xml; then - find . 
-path '*/target/surefire-reports/*.xml' | zip -q reports-unit-tests.zip -@ - exit 1 - fi + run: ./mvnw install -nsu -B -DskipTestsuite -DskipQuarkus -DskipExamples - - name: Analyze Test and/or Coverage Results - uses: runforesight/foresight-test-kit-action@v1.3.0 - if: always() && github.repository == 'keycloak/keycloak' - with: - api_key: ${{ secrets.FORESIGHT_API_KEY }} - test_format: JUNIT - test_framework: JUNIT - test_path: '**/target/surefire-reports/*.xml' - - - name: Unit test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-unit-tests - retention-days: 14 - path: reports-unit-tests.zip - if-no-files-found: ignore - - crypto-tests: - name: Crypto Tests - runs-on: ubuntu-latest - needs: build - timeout-minutes: 20 - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - cache: 'maven' - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - name: Cleanup org.keycloak artifacts - run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true - - name: Download built keycloak - id: download-keycloak - uses: actions/download-artifact@v3 - with: - path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip - - name: Run crypto tests (BCFIPS non-approved mode) - run: | - if ! ./mvnw install -nsu -B -f crypto/pom.xml -Dcom.redhat.fips=true; then - find . -path 'crypto/target/surefire-reports/*.xml' | zip -q reports-crypto-tests.zip -@ - exit 1 - fi - - - name: Run crypto tests (BCFIPS approved mode) - run: | - if ! ./mvnw install -nsu -B -f crypto/pom.xml -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true; then - find . 
-path 'crypto/target/surefire-reports/*.xml' | zip -q reports-crypto-tests.zip -@ - exit 1 - fi - - - name: Crypto test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-crypto-tests - retention-days: 14 - path: reports-crypto-tests.zip - if-no-files-found: ignore - - model-tests: - name: Model Tests - runs-on: ubuntu-latest - needs: build - timeout-minutes: 60 - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - cache: 'maven' - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - name: Cleanup org.keycloak artifacts - run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true - - name: Download built keycloak - id: download-keycloak - uses: actions/download-artifact@v3 - with: - path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip - - name: Run model tests - run: | - if ! testsuite/model/test-all-profiles.sh; then - find . 
-path '*/target/surefire-reports*/*.xml' | zip -q reports-model-tests.zip -@ - exit 1 - fi - - - name: Analyze Test and/or Coverage Results - uses: runforesight/foresight-test-kit-action@v1.3.0 - if: always() && github.repository == 'keycloak/keycloak' - with: - api_key: ${{ secrets.FORESIGHT_API_KEY }} - test_format: JUNIT - test_framework: JUNIT - test_path: 'testsuite/model/target/surefire-reports/*.xml' - - - name: Model test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-model-tests - retention-days: 14 - path: reports-model-tests.zip - if-no-files-found: ignore - - test: - name: Base testsuite + base-integration-tests: + name: Base IT needs: build runs-on: ubuntu-latest timeout-minutes: 100 strategy: matrix: - server: ['quarkus', 'quarkus-map', 'quarkus-map-hot-rod', 'quarkus-map-jpa'] - tests: ['group1','group2','group3'] + group: [1, 2, 3, 4, 5, 6] fail-fast: false steps: - uses: actions/checkout@v3 - with: - fetch-depth: 2 - - name: Check whether HEAD^ contains HotRod storage relevant changes - run: echo "GIT_HOTROD_RELEVANT_DIFF=$( git diff --name-only HEAD^ | egrep -ic -e '^model/map-hot-rod|^model/map/|^model/build-processor' )" >> $GITHUB_ENV + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup - - name: Check whether HotRod storage matrix should be executed - if: ${{ endsWith(matrix.server, '-map-hot-rod') && env.GIT_HOTROD_RELEVANT_DIFF == 0 }} - run: echo "SHOULD_BE_EXECUTED=false" >> $GITHUB_ENV - - - name: Check whether HEAD^ contains JPA map storage relevant changes - run: echo "GIT_MAP_JPA_RELEVANT_DIFF=$( git diff --name-only HEAD^ | egrep -ic -e '^model/map-jpa/|^model/map/|^model/build-processor' )" >> $GITHUB_ENV - - - name: Check whether Map-JPA storage matrix should be executed - if: ${{ endsWith(matrix.server, '-map-jpa') && env.GIT_MAP_JPA_RELEVANT_DIFF == 0 }} - run: echo "SHOULD_BE_EXECUTED=false" >> $GITHUB_ENV - - - name: Cache Maven 
packages - if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }} - uses: actions/cache@v3 - with: - path: ~/.m2/repository - key: cache-2-${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: cache-1-${{ runner.os }}-m2 - - - name: Download built keycloak - if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }} - id: download-keycloak - uses: actions/download-artifact@v3 - with: - path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip - - # - name: List M2 repo - # run: | - # find ~ -name *dist*.zip - # ls -lR ~/.m2/repository - - - uses: actions/setup-java@v3 - if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }} - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - - name: Update maven settings - if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }} - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - name: Prepare test providers - if: ${{ matrix.server == 'quarkus' || matrix.server == 'quarkus-map' }} - run: ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers -Pauth-server-quarkus - name: Run base tests - if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }} run: | - declare -A PARAMS TESTGROUP - PARAMS["quarkus"]="-Pauth-server-quarkus" - PARAMS["quarkus-map"]="-Pauth-server-quarkus -Pmap-storage -Dpageload.timeout=90000" - PARAMS["quarkus-map-hot-rod"]="-Pauth-server-quarkus -Pmap-storage,map-storage-hot-rod -Dpageload.timeout=90000" - PARAMS["quarkus-map-jpa"]="-Pauth-server-quarkus -Pmap-storage,map-storage-jpa -Dpageload.timeout=90000" - TESTGROUP["group1"]="-Dtest=!**.crossdc.**,!**.cluster.**,%regex[org.keycloak.testsuite.(a[abc]|ad[a-l]|[^a-q]).*]" # Tests alphabetically before admin tests and those after "r" - 
TESTGROUP["group2"]="-Dtest=!**.crossdc.**,!**.cluster.**,%regex[org.keycloak.testsuite.(ad[^a-l]|a[^a-d]|b).*]" # Admin tests and those starting with "b" - TESTGROUP["group3"]="-Dtest=!**.crossdc.**,!**.cluster.**,%regex[org.keycloak.testsuite.([c-q]).*]" # All the rest + TESTS=`testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh ${{ matrix.group }}` + echo "Tests: $TESTS" + ./mvnw install -nsu -B -Pauth-server-quarkus -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh - ./mvnw clean install -nsu -B ${PARAMS["${{ matrix.server }}"]} ${TESTGROUP["${{ matrix.tests }}"]} -f testsuite/integration-arquillian/tests/base/pom.xml | misc/log/trimmer.sh + quarkus-integration-tests: + name: Quarkus IT + needs: build + runs-on: ubuntu-latest + timeout-minutes: 115 + strategy: + matrix: + server: [zip, container, storage] + fail-fast: false + env: + MAVEN_OPTS: -Xmx1024m + steps: + - uses: actions/checkout@v3 - TEST_RESULT=${PIPESTATUS[0]} - find . -path '*/target/surefire-reports/*.xml' | zip -q reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip -@ - exit $TEST_RESULT + - id: unit-test-setup + name: Unit test setup + uses: ./.github/actions/unit-test-setup - - name: Analyze Test and/or Coverage Results - uses: runforesight/foresight-test-kit-action@v1.3.0 - if: always() && github.repository == 'keycloak/keycloak' + - name: Run Quarkus integration Tests + run: | + declare -A PARAMS + PARAMS["zip"]="" + PARAMS["container"]="-Dkc.quarkus.tests.dist=docker" + PARAMS["storage"]="-Ptest-database -Dtest=PostgreSQLDistTest,MariaDBDistTest#testSuccessful,MySQLDistTest#testSuccessful,DatabaseOptionsDistTest,JPAStoreDistTest,HotRodStoreDistTest,MixedStoreDistTest" + + ./mvnw install -nsu -B -pl quarkus/tests/integration -am -DskipTests + ./mvnw test -nsu -B -pl quarkus/tests/integration ${PARAMS["${{ matrix.server }}"]} | misc/log/trimmer.sh + + jdk-integration-tests: + name: Java Distribution IT + needs: build + runs-on: 
ubuntu-latest + timeout-minutes: 100 + strategy: + matrix: + dist: [temurin] + version: [17, 19] + fail-fast: false + steps: + - uses: actions/checkout@v3 + + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup with: - api_key: ${{ secrets.FORESIGHT_API_KEY }} - test_format: JUNIT - test_framework: JUNIT - test_path: 'testsuite/integration-arquillian/tests/base/target/surefire-reports/*.xml' + jdk-dist: ${{ matrix.dist }} + jdk-version: ${{ matrix.version }} - - name: Base test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }} - retention-days: 14 - path: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip - if-no-files-found: ignore + - name: Prepare Quarkus distribution with current JDK + run: ./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus - test-fips: - name: Base testsuite (fips) + - name: Run base tests + run: | + TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh jdk` + echo "Tests: $TESTS" + ./mvnw install -nsu -B -Pauth-server-quarkus -Pdb-${{ matrix.db }} -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh + + new-store-integration-tests: + name: New Store IT needs: build runs-on: ubuntu-latest timeout-minutes: 45 strategy: matrix: - server: ['bcfips-nonapproved-pkcs12'] - tests: ['group1', 'group2'] + db: [chm, hot-rod, jpa] fail-fast: false steps: - uses: actions/checkout@v3 - with: - fetch-depth: 2 - - name: Cache Maven packages - uses: actions/cache@v3 - with: - path: ~/.m2/repository - key: cache-2-${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: cache-1-${{ runner.os }}-m2 + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup - - name: Download built keycloak - id: download-keycloak - uses: actions/download-artifact@v3 - with: - 
path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip - - # - name: List M2 repo - # run: | - # find ~ -name *dist*.zip - # ls -lR ~/.m2/repository - - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - name: Prepare quarkus distribution with BCFIPS - run: ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2 - name: Run base tests run: | - declare -A PARAMS TESTGROUP - PARAMS["bcfips-nonapproved-pkcs12"]="-Pauth-server-quarkus,auth-server-fips140-2" - # Tests in the package "forms" and some keystore related tests - TESTGROUP["group1"]="-Dtest=org.keycloak.testsuite.forms.**,ClientAuthSignedJWTTest,CredentialsTest,JavaKeystoreKeyProviderTest,ServerInfoTest,UserFederationLdapConnectionTest,LDAPUserLoginTest" - TESTGROUP["group2"]="-Dtest=org.keycloak.testsuite.x509.**,MutualTLSClientTest,FAPI1Test,FAPICIBATest,KcRegTest,KcRegCreateTest,KcAdmTest,KcAdmCreateTest" # Tests for X.509 authentication with users and clients and CLI tests - - ./mvnw clean install -nsu -B ${PARAMS["${{ matrix.server }}"]} ${TESTGROUP["${{ matrix.tests }}"]} -f testsuite/integration-arquillian/tests/base/pom.xml | misc/log/trimmer.sh - - TEST_RESULT=${PIPESTATUS[0]} - find . 
-path '*/target/surefire-reports/*.xml' | zip -q reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip -@ - exit $TEST_RESULT + declare -A PARAMS + PARAMS["chm"]="-Pmap-storage -Dpageload.timeout=90000" + PARAMS["hot-rod"]="-Pmap-storage,map-storage-hot-rod -Dpageload.timeout=90000" + PARAMS["jpa"]="-Pmap-storage,map-storage-jpa -Dpageload.timeout=90000" - - name: Analyze Test and/or Coverage Results - uses: runforesight/foresight-test-kit-action@v1.3.0 - if: always() && github.repository == 'keycloak/keycloak' - with: - api_key: ${{ secrets.FORESIGHT_API_KEY }} - test_format: JUNIT - test_framework: JUNIT - test_path: 'testsuite/integration-arquillian/tests/base/target/surefire-reports/*.xml' + TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database` + echo "Tests: $TESTS" + ./mvnw install -nsu -B -Pauth-server-quarkus ${PARAMS["${{ matrix.db }}"]} -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh - - name: Base test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }} - retention-days: 14 - path: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip - if-no-files-found: ignore + legacy-store-integration-tests: + name: Legacy Store IT + needs: build + runs-on: ubuntu-latest + timeout-minutes: 45 + strategy: + matrix: + db: [postgres, mysql] # 'mariadb' is not always shutting down, 'mssql', 'oracle11g' containers not available + fail-fast: false + steps: + - uses: actions/checkout@v3 -### Tests: Quarkus distribution + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup - quarkus-test-cluster: - name: Quarkus Test Clustering + - name: Run base tests + run: | + TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database` + echo "Tests: $TESTS" + ./mvnw install -nsu -B -Pauth-server-quarkus -Pdb-${{ matrix.db }} -Dtest=$TESTS -pl 
testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh + + store-model-tests: + name: Store Model Tests + runs-on: ubuntu-latest + needs: build + timeout-minutes: 60 + steps: + - uses: actions/checkout@v3 + + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup + + - name: Run model tests + run: testsuite/model/test-all-profiles.sh + + clustering-integration-tests: + name: Legacy Clustering IT needs: build runs-on: ubuntu-latest timeout-minutes: 35 
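Review bot: In `jdk-integration-tests` the `Run base tests` step passes `-Pdb-${{ matrix.db }}`, but that job's matrix defines only `dist` and `version`, so the expression expands to `-Pdb-`, which activates nothing (Maven only warns about an unknown profile as far as I know); this reads as a copy of the `legacy-store-integration-tests` command, and the flag should go: `./mvnw install -nsu -B -Pauth-server-quarkus -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh`. Dropping the explicit `${PIPESTATUS[0]}` handling around the `| misc/log/trimmer.sh` pipelines is correct only because of the new `defaults.run.shell: bash`, which GitHub runs with `-e -o pipefail`; a comment next to `defaults:` such as `# explicit bash gives -o pipefail, which the "| misc/log/trimmer.sh" pipelines rely on to fail the job` would stop a later shell change from silently turning failed test runs green. `DEFAULT_JDK_VERSION` and `DEFAULT_JDK_DIST` are kept in `env:` but nothing in this hunk reads them, since the composite actions carry their own `11`/`temurin` defaults, so they are either dead or should be passed through `with:` to the setup actions. The `clustering-integration-tests` job that starts at the end of this hunk continues into the next one.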
@@ -378,181 +202,86 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - cache: 'maven' + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup - - name: Cleanup org.keycloak artifacts - run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true - - - name: Download built keycloak - id: download-keycloak - uses: actions/download-artifact@v3 - with: - path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - name: Run Quarkus cluster tests + - name: Run cluster tests run: | - echo '::group::Compiling testsuite' - ./mvnw clean install -nsu -B -Pauth-server-quarkus -DskipTests -f testsuite/pom.xml - echo '::endgroup::' - ./mvnw clean install -nsu -B -Pauth-server-cluster-quarkus -Dsession.cache.owners=2 -Dtest=**.cluster.** -f testsuite/integration-arquillian/pom.xml | misc/log/trimmer.sh - TEST_RESULT=${PIPESTATUS[0]} - find . 
-path '*/target/surefire-reports/*.xml' | zip -q reports-quarkus-cluster-tests.zip -@ - exit $TEST_RESULT + ./mvnw install -nsu -B -Pauth-server-cluster-quarkus -Dsession.cache.owners=2 -Dtest=**.cluster.** -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh - - name: Analyze Test and/or Coverage Results - uses: runforesight/foresight-test-kit-action@v1.3.0 - if: always() && github.repository == 'keycloak/keycloak' - with: - api_key: ${{ secrets.FORESIGHT_API_KEY }} - test_format: JUNIT - test_framework: JUNIT - test_path: 'testsuite/integration-arquillian/tests/base/target/surefire-reports/*.xml' - - - name: Quarkus cluster test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-quarkus-cluster-tests - retention-days: 14 - path: reports-quarkus-cluster-tests.zip - if-no-files-found: ignore - - ### Tests: Quarkus distribution - - quarkus-tests: - name: Quarkus Tests - needs: build + fips-unit-tests: + name: FIPS UT runs-on: ubuntu-latest - timeout-minutes: 115 - env: - MAVEN_OPTS: -Xmx1024m + needs: build + timeout-minutes: 20 steps: - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: ${{ env.DEFAULT_JDK_VERSION }} - cache: 'maven' - - name: Cleanup org.keycloak artifacts - run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true - - name: Download built keycloak - id: download-keycloak - uses: actions/download-artifact@v3 - with: - path: ~/.m2/repository/org/keycloak/ - name: keycloak-artifacts.zip - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ + - id: unit-test-setup + name: Unit test setup + uses: ./.github/actions/unit-test-setup - - name: Prepare the local distribution archives - run: ./mvnw clean install -DskipTests -Pdistribution + - name: Run crypto tests (BCFIPS non-approved mode) + run: ./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402,crypto/elytron -Dcom.redhat.fips=true - - name: Run Quarkus 
Integration Tests + - name: Run crypto tests (BCFIPS approved mode) + run: ./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402,crypto/elytron -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true + + fips-integration-tests: + name: FIPS IT + needs: build + runs-on: ubuntu-latest + timeout-minutes: 45 + steps: + - uses: actions/checkout@v3 + + - id: integration-test-setup + name: Integration test setup + uses: ./.github/actions/integration-test-setup + + - name: Prepare Quarkus distribution with BCFIPS + run: ./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2 + + - name: Run base tests run: | - ./mvnw clean install -nsu -B -f quarkus/tests/pom.xml | misc/log/trimmer.sh - TEST_RESULT=${PIPESTATUS[0]} - find . -path '*/target/surefire-reports/*.xml' | zip -q reports-quarkus-tests.zip -@ - exit $TEST_RESULT + TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips` + echo "Tests: $TESTS" + ./mvnw install -nsu -B -Pauth-server-quarkus,auth-server-fips140-2 -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh - - name: Run Quarkus Storage Tests - run: | - ./mvnw clean install -nsu -B -f quarkus/tests/pom.xml -Ptest-database -Dtest=PostgreSQLDistTest,MariaDBDistTest#testSuccessful,MySQLDistTest#testSuccessful,DatabaseOptionsDistTest,JPAStoreDistTest,HotRodStoreDistTest,MixedStoreDistTest | misc/log/trimmer.sh - TEST_RESULT=${PIPESTATUS[0]} - find . 
-path '*/target/surefire-reports/*.xml' | zip -q reports-quarkus-tests.zip -@ - exit $TEST_RESULT + check-set-status: + name: Set check conclusion + needs: + - unit-tests + - base-integration-tests + - quarkus-integration-tests + - jdk-integration-tests + - new-store-integration-tests + - legacy-store-integration-tests + - store-model-tests + - clustering-integration-tests + - fips-unit-tests + - fips-integration-tests + runs-on: ubuntu-latest + outputs: + conclusion: ${{ steps.check.outputs.conclusion }} - - name: Run Quarkus Tests in Docker - run: | - ./mvnw clean install -nsu -B -f quarkus/tests/pom.xml -Dkc.quarkus.tests.dist=docker -Dtest=StartCommandDistTest | misc/log/trimmer.sh - TEST_RESULT=${PIPESTATUS[0]} - exit $TEST_RESULT + steps: + - uses: actions/checkout@v3 - - name: Analyze Test and/or Coverage Results - uses: runforesight/foresight-test-kit-action@v1.3.0 - if: always() && github.repository == 'keycloak/keycloak' + - id: check + uses: ./.github/actions/checks-success + + check: + name: Check + if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' ) + needs: [check-set-status] + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Check status + uses: ./.github/actions/checks-job-pass with: - api_key: ${{ secrets.FORESIGHT_API_KEY }} - test_format: JUNIT - test_framework: JUNIT - test_path: 'quarkus/tests/integration/target/surefire-reports/*.xml' - - - name: Quarkus test reports - uses: actions/upload-artifact@v3 - if: failure() - with: - name: reports-quarkus-tests - retention-days: 14 - path: reports-quarkus-tests.zip - if-no-files-found: ignore - -# NOTE: WebAuthn tests can be enabled once the issue #12621 is resolved -# -# webauthn-test: -# name: WebAuthn Tests -# needs: build -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@v2 -# with: -# fetch-depth: 2 -# -# - name: Check whether this phase should run -# run: echo "GIT_DIFF=$[ $( git diff --name-only HEAD^ | egrep 
-ic 'webauthn|passwordless' ) ]" >> $GITHUB_ENV -# -# - uses: actions/setup-java@v1 -# if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }} -# with: -# java-version: ${{ env.DEFAULT_JDK_VERSION }} -# -# - name: Update maven settings -# if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }} -# run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ -# -# - name: Cache Maven packages -# if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }} -# uses: actions/cache@v2 -# with: -# path: ~/.m2/repository -# key: cache-1-${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} -# restore-keys: cache-1-${{ runner.os }}-m2 -# -# - name: Cleanup org.keycloak artifacts -# if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }} -# run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true -# -# - name: Download built keycloak -# if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }} -# id: download-keycloak -# uses: actions/download-artifact@v2 -# with: -# path: ~/.m2/repository/org/keycloak/ -# name: keycloak-artifacts.zip -# -# - name: Run WebAuthn tests -# if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }} -# run: | -# mvn clean install -nsu -B -Dbrowser=chrome -Pwebauthn -f testsuite/integration-arquillian/tests/other/pom.xml -Dtest=org.keycloak.testsuite.webauthn.**.*Test | misc/log/trimmer.sh -# -# TEST_RESULT=${PIPESTATUS[0]} -# find . -path '*/target/surefire-reports/*.xml' | zip -q reports-webauthn-tests.zip -@ -# exit $TEST_RESULT -# -# - name: WebAuthn test reports -# uses: actions/upload-artifact@v2 -# if: failure() -# with: -# name: reports-webauthn-tests -# retention-days: 14 -# path: reports-webauthn-tests.zip -# if-no-files-found: ignore + conclusion: ${{ needs.check-set-status.outputs.conclusion }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000000..c1d4fc8338 --- /dev/null 
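Review bot: The rewritten `Run cluster tests` and FIPS `Run base tests` steps pipe `./mvnw ... | misc/log/trimmer.sh` and drop the old `TEST_RESULT=${PIPESTATUS[0]}` / `exit $TEST_RESULT` handling, so the step's exit status is now trimmer.sh's rather than Maven's. That is only safe if the workflow's `defaults.run.shell` is set to `bash`, which makes GitHub run the script with `-o pipefail`; that setting is outside this hunk, so please confirm it is present, otherwise a failing test run is reported green and the new `check` job passes on nothing. If it is not, either restore the explicit status handling or put `set -o pipefail` as the first line of each multi-line `run:` block. The `legacy-store-integration-tests` job shown at the top of this hunk begins outside it.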
+++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,150 @@ +name: CodeQL + +on: + push: + branches-ignore: + - main + - dependabot/** + pull_request: + branches: [main] + schedule: + - cron: 0 9 * * 2 + +concurrency: + # Only cancel jobs for PR updates + group: codeql-analysis-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +defaults: + run: + shell: bash + +jobs: + + changes: + name: Check changes + if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' + runs-on: ubuntu-latest + outputs: + java: ${{ steps.changes.outputs.java }} + themes: ${{ steps.changes.outputs.themes }} + js-adapter: ${{ steps.changes.outputs.js-adapter }} + steps: + - uses: actions/checkout@v3 + + - id: changes + uses: ./.github/actions/changed-files + + java: + name: CodeQL Java + needs: changes + runs-on: ubuntu-latest + if: needs.changes.outputs.java == 'true' + outputs: + conclusion: ${{ steps.check.outputs.conclusion }} + + steps: + - uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2.1.36 + with: + languages: java + + - name: Build Keycloak + uses: ./.github/actions/build-keycloak + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2.1.36 + with: + wait-for-processing: true + env: + CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}' + + - id: check + uses: ./.github/actions/checks-success + + js-adapter: + name: CodeQL JavaScript Adapter + needs: changes + runs-on: ubuntu-latest + if: needs.changes.outputs.js-adapter == 'true' + outputs: + conclusion: ${{ steps.check.outputs.conclusion }} + + steps: + - uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2.1.36 + env: + CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}' + with: + languages: javascript + source-root: adapters/oidc/js/src/ + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2.1.36 + with: + wait-for-processing: true + env: 
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}' + + - id: check + uses: ./.github/actions/checks-success + + themes: + name: CodeQL Themes + needs: changes + runs-on: ubuntu-latest + if: needs.changes.outputs.themes == 'true' + outputs: + conclusion: ${{ steps.check.outputs.conclusion }} + + steps: + - uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2.1.36 + env: + CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}' + with: + languages: javascript + source-root: themes/src/main/ + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2.1.36 + with: + wait-for-processing: true + env: + CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}' + + - id: check + uses: ./.github/actions/checks-success + + check: + name: Check + if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' ) + needs: [changes, java, js-adapter, themes] + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: CodeQL Java + uses: ./.github/actions/checks-job-pass + with: + required: ${{ needs.changes.outputs.java }} + conclusion: ${{ needs.java.outputs.conclusion }} + + - name: CodeQL JavaScript Adapter + uses: ./.github/actions/checks-job-pass + with: + required: ${{ needs.changes.outputs.js-adapter }} + conclusion: ${{ needs.js-adapter.outputs.conclusion }} + + - name: CodeQL Themes + uses: ./.github/actions/checks-job-pass + with: + required: ${{ needs.changes.outputs.themes }} + conclusion: ${{ needs.themes.outputs.conclusion }} diff --git a/.github/workflows/codeql-java-analysis.yml b/.github/workflows/codeql-java-analysis.yml deleted file mode 100644 index 23af7d1df4..0000000000 --- a/.github/workflows/codeql-java-analysis.yml +++ /dev/null 
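Review bot: The final `check` job fails open if the `changes` job itself errors: `required: ${{ needs.changes.outputs.java }}` then evaluates to an empty string, and `checks-job-pass` (not visible here) will presumably treat that as "not required", so a broken path filter silently turns CodeQL into a no-op for the PR while the status stays green. Guard it, e.g. `if: always() && needs.changes.result == 'success' && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' )`, or make `checks-job-pass` reject an empty `required`. Separately, none of the jobs declare `permissions:`, so the token runs with the repository default; CodeQL's analyze step needs `security-events: write` and little else, and a top-level `permissions:` with `contents: read` and `security-events: write` (plus `actions: read` on private repos) pins it to least privilege. The `changed-files` and `checks-*` composite actions referenced here are new in this commit but not shown, so their failure semantics could not be verified.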
@@ -1,59 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL Java" - -on: - push: - branches-ignore: - - 'main' - - 'dependabot/**' - pull_request: - branches: [main] - paths: - - '**.java' - - '.github/workflows/codeql-java-analysis.yml' - schedule: - - cron: '0 9 * * 2' - -concurrency: - # Only run once for latest commit per ref and cancel other (previous) runs. - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 - -jobs: - analyze: - name: CodeQL analyze - runs-on: ubuntu-latest - if: github.repository == 'keycloak/keycloak' - - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: '11' - cache: 'maven' - - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2.1.36 - with: - languages: java - - - name: Build Keycloak - run: mvn -B install -DskipTests -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2.1.36 - with: - wait-for-processing: true - env: - CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}' diff --git a/.github/workflows/codeql-js-adapter-analysis.yml b/.github/workflows/codeql-js-adapter-analysis.yml deleted file mode 100644 index 22c9cb2273..0000000000 --- a/.github/workflows/codeql-js-adapter-analysis.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL JS Adapter" - -on: - push: - branches-ignore: - - 'main' - - 'dependabot/**' - pull_request: - branches: [main] - paths: - - 'adapters/oidc/js/**' - - '.github/workflows/codeql-js-adapter-analysis.yml' - schedule: - - cron: '0 9 * * 2' - -concurrency: - # Only run once for latest commit per ref and cancel other (previous) runs. - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 - -jobs: - analyze: - name: CodeQL analyze - runs-on: ubuntu-latest - if: github.repository == 'keycloak/keycloak' - - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: '11' - cache: 'maven' - - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2.1.36 - env: - CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}' - with: - languages: javascript - source-root: adapters/oidc/js/ - - - name: Build Keycloak - run: mvn -B install -DskipTests -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2.1.36 - with: - wait-for-processing: true - env: - CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}' diff --git a/.github/workflows/codeql-theme-analysis.yml b/.github/workflows/codeql-theme-analysis.yml deleted file mode 100644 index 594201f5ec..0000000000 
--- a/.github/workflows/codeql-theme-analysis.yml +++ /dev/null @@ -1,62 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL Themes" - -on: - push: - branches-ignore: - - 'main' - - 'dependabot/**' - pull_request: - branches: [main] - paths: - - 'themes/src/**' - - '.github/workflows/codeql-theme-analysis.yml' - schedule: - - cron: '0 9 * * 2' - -concurrency: - # Only run once for latest commit per ref and cancel other (previous) runs. - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 - -jobs: - analyze: - name: CodeQL analyze - runs-on: ubuntu-latest - if: github.repository == 'keycloak/keycloak' - - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: '11' - cache: 'maven' - - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2.1.36 - env: - CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}' - with: - languages: javascript - source-root: themes/ - - - name: Build Keycloak - run: mvn -B install -DskipTests -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2.1.36 - with: - wait-for-processing: true - env: - CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}' diff --git a/.github/workflows/operator-ci.yml b/.github/workflows/operator-ci.yml index 4027419cd9..6082a73a71 100644 
--- a/.github/workflows/operator-ci.yml +++ b/.github/workflows/operator-ci.yml 
@@ -2,49 +2,42 @@ name: Keycloak Operator CI on: push: - branches-ignore: [main] + branches-ignore: + - main + - dependabot/** pull_request: - paths-ignore: - - '.github/workflows/**' - - '!.github/workflows/operator-ci.yml' schedule: - - cron: '0 20,22,0,2,4 * * *' + - cron: 0 20,23,2,5 * * * + workflow_dispatch: env: - JDK_VERSION: 11 - MINIKUBE_VERSION: "v1.24.0" - KUBERNETES_VERSION: "v1.22.3" - MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 + DEFAULT_JDK_VERSION: 11 + DEFAULT_JDK_DIST: temurin + MINIKUBE_VERSION: v1.24.0 + KUBERNETES_VERSION: v1.22.3 + +defaults: + run: + shell: bash concurrency: - # Only run once for latest commit per ref and cancel other (previous) runs. - group: ${{ github.workflow }}-${{ github.ref }} + # Only cancel jobs for PR updates + group: operator-ci-${{ github.head_ref || github.run_id }} cancel-in-progress: true jobs: build: name: Build distribution - if: ${{ ( github.event_name != 'schedule' ) || ( github.event_name == 'schedule' && github.repository == 'keycloak/keycloak' ) }} + if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ - - uses: actions/setup-java@v3 + + - name: Build Keycloak + uses: ./.github/actions/build-keycloak with: - distribution: 'temurin' - java-version: ${{ env.JDK_VERSION }} - cache: 'maven' - - name: Create the Keycloak distribution - run: | - mvn clean install -Pdistribution -DskipTests -DskipExamples -DskipTestsuite - - name: Store Keycloak distribution - id: store-keycloak - uses: actions/upload-artifact@v3 - with: - name: keycloak-distribution - retention-days: 1 - path: quarkus/dist/target/keycloak*.tar.gz + upload-m2-repo: false + upload-dist: true test-local: name: Test local 
@@ -52,16 +45,16 @@ jobs: needs: [build] steps: - uses: actions/checkout@v3 - - name: Set outputs + + - name: Set version id: vars run: echo "version_local=0.0.1-${GITHUB_SHA::6}" >> $GITHUB_ENV - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ + - uses: actions/setup-java@v2 with: - distribution: 'temurin' - java-version: ${{ env.JDK_VERSION }} - cache: 'maven' + distribution: ${{ env.DEFAULT_JDK_DIST }} + java-version: ${{ env.DEFAULT_JDK_VERSION }} + - name: Setup Minikube-Kubernetes uses: manusa/actions-setup-minikube@v2.7.1 with: @@ -69,13 +62,15 @@ jobs: kubernetes version: ${{ env.KUBERNETES_VERSION }} github token: ${{ secrets.GITHUB_TOKEN }} driver: docker - start args: '--addons=ingress' + start args: --addons=ingress + - name: Download keycloak distribution id: download-keycloak-dist uses: actions/download-artifact@v3 with: - name: keycloak-distribution + name: keycloak-dist path: quarkus/container + - name: Build Keycloak Docker images run: | eval $(minikube -p minikube docker-env) @@ -84,7 +79,7 @@ jobs: - name: Test operator running locally run: | - mvn clean install -Poperator -pl :keycloak-operator -am \ + mvn install -Poperator -pl :keycloak-operator -am \ -Dquarkus.kubernetes.image-pull-policy=IfNotPresent \ -Doperator.keycloak.image=keycloak:${{ env.version_local }} \ -Dtest.operator.custom.image=custom-keycloak:${{ env.version_local }} \ @@ -97,16 +92,16 @@ jobs: needs: [build] steps: - uses: actions/checkout@v3 - - name: Set outputs + + - name: Set version id: vars run: echo "version_remote=0.0.1-${GITHUB_SHA::6}" >> $GITHUB_ENV - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ + - uses: actions/setup-java@v2 with: - distribution: 'temurin' - java-version: ${{ env.JDK_VERSION }} - cache: 'maven' + distribution: ${{ env.DEFAULT_JDK_DIST }} + java-version: ${{ env.DEFAULT_JDK_VERSION }} + - name: Setup Minikube-Kubernetes uses: manusa/actions-setup-minikube@v2.7.1 with: 
@@ -114,13 +109,15 @@ jobs: kubernetes version: ${{ env.KUBERNETES_VERSION }} github token: ${{ secrets.GITHUB_TOKEN }} driver: docker - start args: '--addons=ingress' + start args: --addons=ingress + - name: Download keycloak distribution id: download-keycloak-dist uses: actions/download-artifact@v3 with: - name: keycloak-distribution + name: keycloak-dist path: quarkus/container + - name: Build Keycloak Docker images run: | eval $(minikube -p minikube docker-env) @@ -130,7 +127,7 @@ jobs: - name: Test operator running in cluster run: | eval $(minikube -p minikube docker-env) - mvn clean install -Poperator -pl :keycloak-operator -am \ + mvn install -Poperator -pl :keycloak-operator -am \ -Dquarkus.container-image.build=true \ -Dquarkus.kubernetes.image-pull-policy=IfNotPresent \ -Doperator.keycloak.image=keycloak:${{ env.version_remote }} \ @@ -145,13 +142,12 @@ jobs: needs: [build] steps: - uses: actions/checkout@v3 - - name: Update maven settings - run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ + - uses: actions/setup-java@v2 with: - distribution: 'temurin' - java-version: ${{ env.JDK_VERSION }} - cache: 'maven' + distribution: ${{ env.DEFAULT_JDK_DIST }} + java-version: ${{ env.DEFAULT_JDK_VERSION }} + - name: Setup Minikube-Kubernetes uses: manusa/actions-setup-minikube@v2.7.1 with: @@ -159,22 +155,27 @@ jobs: kubernetes version: ${{ env.KUBERNETES_VERSION }} github token: ${{ secrets.GITHUB_TOKEN }} driver: docker + - name: Install OPM uses: redhat-actions/openshift-tools-installer@v1 with: - source: "github" - opm: "1.21.0" + source: github + opm: 1.21.0 + - name: Install Yq run: sudo snap install yq + - name: Install OLM working-directory: operator run: ./scripts/install-olm.sh + - name: Download keycloak distribution id: download-keycloak-dist uses: actions/download-artifact@v3 with: - name: keycloak-distribution + name: keycloak-dist path: quarkus/container + - name: Arrange OLM test installation working-directory: operator run: | 
@@ -192,3 +193,33 @@ jobs: kubectl apply -f src/main/resources/example-realm.yaml # Wait for the CRs to be ready ./scripts/check-examples-installed.sh + + check-set-status: + name: Set check conclusion + needs: + - test-local + - test-remote + - test-olm + runs-on: ubuntu-latest + outputs: + conclusion: ${{ steps.check.outputs.conclusion }} + + steps: + - uses: actions/checkout@v3 + + - id: check + uses: ./.github/actions/checks-success + + check: + name: Check + if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' ) + needs: [check-set-status] + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Check status + uses: ./.github/actions/checks-job-pass + with: + conclusion: ${{ needs.check-set-status.outputs.conclusion }} diff --git a/.github/workflows/snyk-analysis.yml b/.github/workflows/snyk-analysis.yml new file mode 100644 index 0000000000..a8ac9f96f5 --- /dev/null +++ b/.github/workflows/snyk-analysis.yml 
@@ -0,0 +1,45 @@ +name: Snyk + +on: + schedule: + - cron: 0 0 * * * + workflow_dispatch: + +defaults: + run: + shell: bash + +jobs: + analysis: + name: Analysis of Quarkus and Operator + runs-on: ubuntu-latest + if: github.repository == 'keycloak/keycloak' + steps: + - uses: actions/checkout@v3 + + - name: Build Keycloak + uses: ./.github/actions/build-keycloak + + - uses: snyk/actions/setup@master + + - name: Check for vulnerabilities in Quarkus + run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Upload Quarkus scanner results to GitHub + uses: github/codeql-action/upload-sarif@v2.1.36 + with: + sarif_file: quarkus-report.sarif + + - name: Check for vulnerabilities in Operator + run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Upload Operator scanner results to GitHub + uses: github/codeql-action/upload-sarif@v2.1.36 + with: + sarif_file: operator-report.sarif diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml deleted file mode 100644 index bb5416270e..0000000000 --- a/.github/workflows/snyk.yml +++ /dev/null 
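Review bot: `snyk/actions/setup@master` pulls a third-party action from a mutable branch, and the `snyk` binary it installs then runs with `SNYK_TOKEN` in its environment in the two `snyk test` steps, so a compromise of that branch could exfiltrate the token from this nightly job; pin it to a full commit SHA the way trivy-analysis.yml pins `aquasecurity/trivy-action@9ab158e…` (`uses: snyk/actions/setup@<sha> # <tag>`). To a lesser degree the same applies to `github/codeql-action/upload-sarif@v2.1.36`, which is a movable tag. The job also declares no `permissions:`; `upload-sarif` needs `security-events: write` and nothing here needs more than `contents: read`, so declare that explicitly. Lastly, the deleted workflow built with `-Psnyk-quarkus -pl quarkus/dist -am`; if that profile shaped the dependency tree Snyk walks, switching to the generic `build-keycloak` action may change what gets scanned and deserves a one-off comparison of the reports.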
@@ -1,68 +0,0 @@ -name: "Snyk" - -on: - schedule: - - cron: "0 0 * * *" - -env: - DEFAULT_JDK_VERSION: 11 - MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 - -jobs: - quarkus: - name: Quarkus - runs-on: ubuntu-latest - if: ${{ github.repository == 'keycloak/keycloak' }} - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - uses: actions/setup-java@v3 - with: - java-version: ${{ env.DEFAULT_JDK_VERSION }} - distribution: temurin - cache: maven - - - name: Build Quarkus - run: mvn -Psnyk-quarkus -pl quarkus/dist -am -DskipTests clean install - - - uses: snyk/actions/setup@master - - name: Check for vulnerabilities - run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Upload scanner results to GitHub - uses: github/codeql-action/upload-sarif@v2.1.36 - with: - sarif_file: quarkus-report.sarif - - operator: - name: Operator - runs-on: ubuntu-latest - if: ${{ github.repository == 'keycloak/keycloak' }} - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - uses: actions/setup-java@v3 - with: - java-version: ${{ env.DEFAULT_JDK_VERSION }} - distribution: temurin - cache: maven - - - name: Build Keycloak - run: mvn -Poperator -pl operator -am -DskipTests clean install - - - uses: snyk/actions/setup@master - - name: Check for vulnerabilities for the Operator - run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Upload scanner results for the Operator to GitHub - 
uses: github/codeql-action/upload-sarif@v2.1.36 - with: - sarif_file: operator-report.sarif diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml index 01fa7a6f4d..779a1e770c 100644 --- a/.github/workflows/trivy-analysis.yml +++ b/.github/workflows/trivy-analysis.yml 
@@ -1,63 +1,36 @@ name: Trivy + on: - workflow_dispatch: schedule: - - cron: "0 6 * * *" + - cron: 0 6 * * * + workflow_dispatch: + +defaults: + run: + shell: bash jobs: - quarkus-dist: - name: Vulnerability scanner for Quarkus distribution images - runs-on: "ubuntu-18.04" + + analysis: + name: Vulnerability scanner for nightly containers + runs-on: ubuntu-latest + if: github.repository == 'keycloak/keycloak' + strategy: + matrix: + container: [keycloak, keycloak-operator] + fail-fast: false steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 with: - image-ref: 'quay.io/keycloak/keycloak:nightly' - format: 'template' + image-ref: quay.io/keycloak/${{ matrix.container}}:nightly + format: template template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'MEDIUM,CRITICAL,HIGH' + output: trivy-results.sarif + severity: MEDIUM,CRITICAL,HIGH ignore-unfixed: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2.1.36 with: - sarif_file: 'trivy-results.sarif' - - legacy-dist: - name: Vulnerability scanner for WildFly distribution images - runs-on: "ubuntu-18.04" - steps: - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 - with: - image-ref: 'quay.io/keycloak/keycloak:legacy' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'legacy-results.sarif' - severity: 'MEDIUM,CRITICAL,HIGH' - ignore-unfixed: true - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2.1.36 - with: - sarif_file: 'legacy-results.sarif' - - keycloak-operator: - name: Vulnerability scanner for Keycloak Operator distribution images - runs-on: "ubuntu-18.04" - steps: - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 - with: - image-ref: 
'quay.io/keycloak/keycloak-operator:nightly' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'operator-results.sarif' - severity: 'MEDIUM,CRITICAL,HIGH' - ignore-unfixed: true - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2.1.36 - with: - sarif_file: 'operator-results.sarif' + sarif_file: trivy-results.sarif diff --git a/.gitignore b/.gitignore index 028de3c76d..59a1cb100e 100644 --- a/.gitignore +++ b/.gitignore @@ -83,3 +83,6 @@ quarkus/data/*.db # Git ephemeral files *.versionsBackup + +# Node.js for frontend-maven-plugin # +node diff --git a/adapters/oidc/js/pom.xml b/adapters/oidc/js/pom.xml index 1c95abcfda..4e99c524e9 100755 --- a/adapters/oidc/js/pom.xml +++ b/adapters/oidc/js/pom.xml @@ -77,6 +77,7 @@ ${node.version} + ../../../ diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java index 8ca454b15f..cad2c8dd20 100644 --- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java +++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java @@ -44,6 +44,11 @@ public class QuarkusPlatform implements PlatformProvider { private static final Logger log = Logger.getLogger(QuarkusPlatform.class); + @Override + public String name() { + return "Quarkus"; + } + public static void addInitializationException(Throwable throwable) { QuarkusPlatform platform = (QuarkusPlatform) Platform.getPlatform(); platform.addDeferredException(throwable); diff --git a/services/src/main/java/org/keycloak/platform/PlatformProvider.java b/services/src/main/java/org/keycloak/platform/PlatformProvider.java index 0d2aa1587b..159503c818 100644 --- a/services/src/main/java/org/keycloak/platform/PlatformProvider.java +++ b/services/src/main/java/org/keycloak/platform/PlatformProvider.java 
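Review bot: Both matrix entries of `analysis` upload `trivy-results.sarif` to code scanning without a `category`, so unless code scanning distinguishes them by matrix value the `keycloak` and `keycloak-operator` results land in the same analysis slot and the later upload replaces the earlier, hiding one image's findings from the Security tab. Add `category: trivy-${{ matrix.container }}` to the `Upload Trivy scan results to GitHub Security tab` step. The hunk also drops the `quay.io/keycloak/keycloak:legacy` scan entirely; if the WildFly image is still being published it is now unscanned, and that decision should be recorded in the commit message or a comment. `ignore-unfixed: true` (unchanged) means CVEs with no upstream fix never appear; a short comment such as `# ignore-unfixed: unpatched OS CVEs are excluded on purpose; revisit periodically` makes the trade-off visible to the next maintainer.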
@@ -22,6 +22,8 @@ import java.io.File; import org.keycloak.Config; public interface PlatformProvider { + + String name(); void onStartup(Runnable runnable); diff --git a/testsuite/integration-arquillian/servers/auth-server/pom.xml b/testsuite/integration-arquillian/servers/auth-server/pom.xml index a7747a86a1..cc1c415844 100644 --- a/testsuite/integration-arquillian/servers/auth-server/pom.xml +++ b/testsuite/integration-arquillian/servers/auth-server/pom.xml @@ -37,21 +37,6 @@ services undertow + quarkus - - - - auth-server-quarkus - - quarkus - - - - auth-server-cluster-quarkus - - quarkus - - - - diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml index e44a157687..1749490245 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml @@ -115,26 +115,4 @@ - - - - auth-server-quarkus - - - - org.apache.maven.plugins - maven-jar-plugin - - - - - **/TestThemeResourceProvider** - **/org.keycloak.theme.ThemeResourceProviderFactory - - - - - - - diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/theme/TestThemeResourceProvider.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/theme/TestThemeResourceProvider.java index e621b82f8a..bdddbcc2a2 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/theme/TestThemeResourceProvider.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/theme/TestThemeResourceProvider.java 
@@ -1,11 +1,22 @@ package org.keycloak.testsuite.theme; +import org.keycloak.platform.Platform; +import org.keycloak.provider.EnvironmentDependentProviderFactory; import org.keycloak.theme.ClasspathThemeResourceProviderFactory; -public class TestThemeResourceProvider extends ClasspathThemeResourceProviderFactory { +public class TestThemeResourceProvider extends ClasspathThemeResourceProviderFactory implements EnvironmentDependentProviderFactory { public TestThemeResourceProvider() { super("test-resources", TestThemeResourceProvider.class.getClassLoader()); } + /** + * Quarkus detects theme resources automatically, so this provider should only be enabled on Undertow + * + * @return true if platform is Undertow + */ + @Override + public boolean isSupported() { + return Platform.getPlatform().name().equals("Undertow"); + } } diff --git a/testsuite/integration-arquillian/tests/base/testsuites/base-suite b/testsuite/integration-arquillian/tests/base/testsuites/base-suite new file mode 100644 index 0000000000..169b061442 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/testsuites/base-suite @@ -0,0 +1,47 @@ +account,4 +actions,1 +adapter,2 +admin,1 +authz,3 +broker,3 +cli,4 +client,4 +cluster,IGNORED +composites,4 +cookies,4 +crossdc,IGNORED +docker,4 +domainextension,4 +error,4 +events,4 +exportimport,4 +feature,4 +federation,5 +forms,5 +i18n,5 +jaas,5 +javascript,5 +keys,4 +login,4 +metrics,4 +migration,4 +model,6 +oauth,6 +oidc,6 +openshift,6 +policy,6 +runonserver,6 +saml,6 +script,6 +session,6 +sessionlimits,6 +ssl,6 +theme,6 +transactions,6 +url,6 +user,4 +util,4 +validation,6 +vault,4 +welcomepage,6 +x509,4 diff --git a/testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh b/testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh new file mode 100755 index 0000000000..3b200ee841 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh 
@@ -0,0 +1,43 @@ +#!/bin/bash -e + +GROUP="$1" +if [ "$GROUP" == "" ]; then + echo 'Usage: base-suite.sh ' + exit +fi + +cd "`readlink -f "$0" | xargs dirname`" + +TESTSUITE_FILE='base-suite' +TEST_DIR='../src/test/java/org/keycloak/testsuite' +BASE_PACKAGE='org.keycloak.testsuite' + +PACKAGES=`cat $TESTSUITE_FILE | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*#'` + +# Check all packages in testsuite are included +for i in `ls -d $TEST_DIR/*/ | sed "s|$TEST_DIR||g" | sed "s|/||g"`; do + if ( ! cat $TESTSUITE_FILE | grep "^$i," >/dev/null ); then + echo "Package 'org.keycloak.testsuite.$i' not defined in base-suite" + exit 1 + fi +done + +SEP="" +TESTS="" +for i in `echo $PACKAGES`; do + PACKAGE=`echo $i | cut -d ',' -f 1` + PACKAGE_GROUP=`echo $i | cut -d ',' -f 2` + + # Check package exists + if [ ! -d "$TEST_DIR/$PACKAGE" ]; then + echo "Package 'org.keycloak.testsuite.$PACKAGE' not found" + exit 1 + fi + + if [ "$GROUP" == "$PACKAGE_GROUP" ]; then + TESTS="$TESTS$SEP$BASE_PACKAGE.$PACKAGE.**" + SEP=',' + fi +done + +echo "$TESTS" \ No newline at end of file diff --git a/testsuite/integration-arquillian/tests/base/testsuites/database-suite b/testsuite/integration-arquillian/tests/base/testsuites/database-suite new file mode 100644 index 0000000000..8461a625a8 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/testsuites/database-suite @@ -0,0 +1,18 @@ +AccountRestServiceTest +AuthorizationCodeTest +AuthorizationTest +ClientRegistrationTest +EventStoreProviderTest +ExportImportTest +GeneratedRsaKeyProviderTest +KcOidcBrokerTest +LDAPUserLoginTest +LoginTest +PasswordPolicyTest +RequiredActionUpdateProfileTest +SSOTest +SamlClientTest +TransactionsTest +UserProfileTest +org.keycloak.testsuite.admin.** +org.keycloak.testsuite.authz.**ManagementTest \ No newline at end of file 
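Review bot: The usage guard at the top of base-suite.sh prints the usage line and then runs a bare `exit`, which returns status 0, so a CI caller that omits the group argument gets an empty test list and a success code instead of a failure; use `exit 1` there and send the message to stderr with `>&2`. The equivalent guard in suite.sh below has the same problem. The argument placeholder in both usage strings looks dropped by the page rendering, so only the exit status is quoted here.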
diff --git a/testsuite/integration-arquillian/tests/base/testsuites/fips-suite b/testsuite/integration-arquillian/tests/base/testsuites/fips-suite new file mode 100644 index 0000000000..9845bfa38e --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/testsuites/fips-suite @@ -0,0 +1,15 @@ +org.keycloak.testsuite.forms.** +ClientAuthSignedJWTTest +CredentialsTest +JavaKeystoreKeyProviderTest +ServerInfoTest +UserFederationLdapConnectionTest +LDAPUserLoginTest +org.keycloak.testsuite.x509.** +MutualTLSClientTest +FAPI1Test +FAPICIBATest +KcRegTest +KcRegCreateTest +KcAdmTest +KcAdmCreateTest diff --git a/testsuite/integration-arquillian/tests/base/testsuites/jdk-suite b/testsuite/integration-arquillian/tests/base/testsuites/jdk-suite new file mode 100644 index 0000000000..adc953a127 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/testsuites/jdk-suite @@ -0,0 +1,17 @@ +AccountRestServiceTest +AuthorizationCodeTest +CredentialsTest +DeployedScriptAuthenticatorTest +ExportImportTest +GeneratedRsaKeyProviderTest +JavaKeystoreKeyProviderTest +KcOidcBrokerTest +KerberosLdapTest +LDAPUserLoginTest +LoginTest +MutualTLSClientTest +PasswordPolicyTest +SSOTest +SamlClientTest +TransactionsTest +X509BrowserLoginTest diff --git a/testsuite/integration-arquillian/tests/base/testsuites/suite.sh b/testsuite/integration-arquillian/tests/base/testsuites/suite.sh new file mode 100755 index 0000000000..27cf54732c --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/testsuites/suite.sh 
@@ -0,0 +1,35 @@ +#!/bin/bash -e + +GROUP="$1" +if [ "$GROUP" == "" ]; then + echo 'Usage: suite.sh ' + exit +fi + +cd "`readlink -f "$0" | xargs dirname`" + +TEST_DIR="../src/test/java/" +SUITE_FILE="$GROUP-suite" + +if [ ! -f "$SUITE_FILE" ]; then + echo "$SUITE_FILE not found" + exit 1 +fi + +SEP="" +TESTS="" +for i in `cat "$SUITE_FILE" | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*#'`; do + # Check test exists, ignoring checking packages for now + if [[ "$i" != *'.'* ]]; then + SEARCH=`find "$TEST_DIR" -name "$i.java"` + if [ "$SEARCH" == "" ]; then + echo "$i not found in testsuite" + exit 1 + fi + fi + + TESTS="$TESTS$SEP$i" + SEP="," +done + +echo "$TESTS" \ No newline at end of file diff --git a/testsuite/utils/src/main/java/org/keycloak/testsuite/TestPlatform.java b/testsuite/utils/src/main/java/org/keycloak/testsuite/TestPlatform.java index 81d034f5fc..76f097062e 100644 --- a/testsuite/utils/src/main/java/org/keycloak/testsuite/TestPlatform.java +++ b/testsuite/utils/src/main/java/org/keycloak/testsuite/TestPlatform.java @@ -41,6 +41,11 @@ public class TestPlatform implements PlatformProvider { ); } + @Override + public String name() { + return "Undertow"; + } + @Override public void onStartup(Runnable startupHook) { startupHook.run(); diff --git a/themes/pom.xml b/themes/pom.xml index d671e1b049..bf9217029f 100755 --- a/themes/pom.xml +++ b/themes/pom.xml @@ -134,7 +134,7 @@ ${node.version} - ${project.basedir} + ../ @@ -187,7 +187,7 @@ ${node.version} - ${project.basedir} + ../