Docker Protocol Implementation #3565
Conversation
|
That sounds great |
|
@cainj13, any suggestion what I might be doing wrong setting up client with docker-v2 protocol here? |
|
Docs PR: keycloak/keycloak-documentation#55 |
|
@cainj13 I'll try again, and let you know. |
|
@cainj13 I got it working, but I'm seeing some issues, so maybe I didn't configure everything properly. See here for how exactly I configured it. The issue I'm seeing now is when I authenticate as a non-existing user. If user exists but the password is incorrect everything works correctly - the server returns 401 Unauthorized. |
| @@ -52,17 +53,24 @@ public String getDisplayType() { | |||
|
|
|||
| @Override | |||
| public String getReferenceCategory() { | |||
| return null; | |||
| return "basic"; | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
@stianst If HttpBasicAuthenticator is usable beyond saml ecp protocol I suggest we move it to authentication/authenticators/browser
There was a problem hiding this comment.
I'd be down for that, but looking at the error responses, I need to make some updates to this MR. With the implementation we've got running, we're sending back JSON responses specific to the docker client for display back to the user. I suppose we'd want to do that as well here, but that's probably going to mean having a docker-specific HTTP Basic authenticator since we'll be crafting custom error responses. Any other way to do that?
There was a problem hiding this comment.
No idea. But I don't think there's a problem with having docker specific HTTP Basic Authenticator. Maybe we should just call it DockerAuthenticator to avoid any confusion as to what it's there for.
| @@ -37,7 +37,7 @@ | |||
| </div> | |||
| <kc-tooltip>{{:: 'client.enabled.tooltip' | translate}}</kc-tooltip> | |||
| </div> | |||
| <div class="form-group clearfix block"> | |||
| <div class="form-group clearfix block" data-ng-show="protocol != 'docker-v2'"> | |||
| <label class="col-md-2 control-label" for="consentRequired">{{:: 'consent-required' | translate}}</label> | |||
| <div class="col-sm-6"> | |||
| <input ng-model="clientEdit.consentRequired" name="consentRequired" id="consentRequired" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/> | |||
There was a problem hiding this comment.
Is there a way to sort Client Protocol list for #protocol select input in such a way that docker-v2 is the last one in the list - it makes more sense for it to be the last choice as it's reasonable to expect that it will be the least used option?
There was a problem hiding this comment.
I can certainly look. I'd agree that it's probably going to be the least-used option.
There was a problem hiding this comment.
So I took a look at this - other than one-off hacking the order (which I don't think we wanna do), this would require a pretty broad change to the data model for the serverInfo's ProviderRepresentation. Right now angular is just doing a naive sort:
$scope.protocols = Object.keys(serverInfo.providers['login-protocol'].providers).sort();
Could we perhaps create an issue and do that on a follow-up review? This one's already gotten pretty big, and I'd consider that a more general aesthetic fix. For instance, there is not a determinitive order in authenticator choices in the dropdown, etc. I think the angular models could use a widespread application of some kind of salience/display order.
There was a problem hiding this comment.
I agree. If docker-v2 feature has to be enabled explicitly, then I think it's acceptable to have it like this for now.
Sorting is a problem present in multiple locations. If we wanted sorting control at db query layer that would require to model current unsorted collections as lists rather than sets, which is quite a disruptive upgrade in the model. Simple alphabetic sorting (ascending, descending by some field) at REST endpoint would already get us very far for a general case (performance-wise it would be better to do it at db layer), but here we even have a special case where we want specific entry to be at the end of the list. That would still best be done in REST endpoint rather than on the client. For example a special query parameter with special syntax using something like:
?reorder=authenticationProviders[-docker-v2]
might be used to move docker-v2 entry to the end of the collection (leading minus signifying 'move to the end'). We could implement that as part of a bigger REST API overhaul which would add facilities like that across the board in a generic way.
| public String getDisplayType() { | ||
| return "Quickstart"; | ||
| } | ||
|
|
There was a problem hiding this comment.
I think it would make more sense to call this 'Docker Machine YAML' rather than 'Quickstart'. There is a Keycloak Quickstarts repository, and it would make more sense to create a submodule 'docker' there and move all the quickstart related documentation there.
There was a problem hiding this comment.
I meant 'Docker Compose YAML' ...
There was a problem hiding this comment.
Done. I think it leaves out the fact that it generates certs for you to mount for your registry, but no name is perfect. Two hard things.
| @@ -67,4 +67,7 @@ keycloak.server.subsys.default.config=\ | |||
| </properties>\ | |||
| </provider>\ | |||
| </spi>\ | |||
| <spi name="login-protocol">\ | |||
| <provider name="docker-v2" enabled="false"/>\ | |||
| </spi>\ | |||
| import org.keycloak.events.EventBuilder; | ||
| import org.keycloak.models.AuthenticationFlowModel; | ||
| import org.keycloak.models.ClientSessionModel; | ||
| import org.keycloak.models.KeycloakSession; | ||
| import org.keycloak.models.RealmModel; | ||
| import org.keycloak.protocol.LoginProtocol.Error; | ||
| import org.keycloak.services.ErrorPageException; | ||
| import org.keycloak.services.ServicesLogger; |
There was a problem hiding this comment.
Looks like a redundant import.
There was a problem hiding this comment.
Fixed. did an import organization on all docker stuff as well.
| private KeycloakSession session; | ||
| private RealmModel realm; | ||
| private UriInfo uriInfo; | ||
| private HttpHeaders headers; |
There was a problem hiding this comment.
Fields uriInfo and headers seem redundant - assigned, but never used.
There was a problem hiding this comment.
They're part of the setters defined in LoginProtocol. Docker protocol doesn't need them, can make those no-op setters if you prefer.
There was a problem hiding this comment.
No, it's better as it is. I just pointed out what IDEA was telling me. Maybe that part of implementation was still incomplete.
| } | ||
|
|
||
| public static String formatPublicKeyContents(final PublicKey publicKey) { | ||
| return encodeAndPrettify(BEGIN_CERT, publicKey.getEncoded(), END_CERT); |
There was a problem hiding this comment.
CERTIFICATE is not exactly the same as PUBLIC KEY. For public key for example 'openssl' CLI tool uses '-----BEGIN PUBLIC KEY-----' and '-----END PUBLIC KEY-----'.
There was a problem hiding this comment.
Sure. Was just testing with compatibility with a docker registry since that's what's going to be consuming it. Want me to make the switch and see how docker likes it?
| public void writeToRealZip() throws IOException { | ||
| final Response response = fireInstallationProvider(); | ||
| final byte[] responseBytes = (byte[]) response.getEntity(); | ||
| FileUtils.writeByteArrayToFile(new File("target/docker-quickstart-install.zip"), responseBytes); |
There was a problem hiding this comment.
Test makes no assertion. It should probably check that what was returned is a zip file.
There was a problem hiding this comment.
Was for smoke testing only - so I could validate locally without having to spin up a server. Have marked as ignored, but can remove if you'd like.
| import static org.keycloak.protocol.docker.installation.DockerQuickstartInstallationProvider.QUICKSTART_ROOT_DIR; | ||
|
|
||
| public class QuickstartInstallationTest { | ||
|
|
There was a problem hiding this comment.
Ideally we would just have one test that unpacks returned zip and checks if everything is there as it should be.
Our testsuite performance is not the best, so we should try skip unnecessary processing, especially when it's trivial to achieve.
There was a problem hiding this comment.
Done. Should be a single zip operation now.
|
I've noticed another UI issue. When clicking around different clients in Admin Console, it now displays 'docker-v2' protocol for every client. |
|
@mstruk The non-existent user problem should be fixed now. I subclassed the HttpBasic authenticator and made it return Docker error tokens as described in the docs. Now localized docker messages should appear. I took some liberties in the getMessageForKey() method to try to resolve message bundles. Generally this happens in the Freemarker section, but we're operating outside of a LoginFormsProvider for this protocol. Can you give that a once-over and make sure it's OK? There also was an issue where the SAML ECP profile didn't seem to check for disabled users. I added the check, but can easily pull it out of the base class if that's not desired behavior. Also, I couldn't observe a clear pattern between the use of singletons and instantiating a new provider every time (I.E. the cookie provider and ECP HTTP basic provider differ). I went with instantiating one each time, but if there is a preference for the opposite just let me know. |
Yeah.... so turns out that those clients are being created with a 'null' protocol. They happened to look right previously since OIDC was the first protocol alphabetically sorted, but they have a null 'Protocol' column on creation in the DB. Should probably do something about that... |
Opened #3998 to deal with this. |
| import java.util.List; | ||
| import java.util.Map; | ||
| import java.util.Set; | ||
| import org.keycloak.provider.*; |
There was a problem hiding this comment.
Imports should not be folded like this. Default IDEA setting is bad.
There was a problem hiding this comment.
yeah... just updated and started from a fresh IDEA instance. Haven't taken the time to tune all the things back yet. Fixed now.
| if (factory instanceof FeatureDependentProviderFactory) { | ||
| return Optional.ofNullable(((FeatureDependentProviderFactory) factory).getRequiredFeatures()).orElse(Collections.emptySet()) | ||
| .stream().allMatch(requiredFeature -> Profile.isFeatureEnabled(requiredFeature)); | ||
| } |
There was a problem hiding this comment.
@stianst Is it ok to merge this additional feature in common services into this PR, or should it be a separate PR (addition of FeatureDependentProviderFactory, and its handling here)?
There was a problem hiding this comment.
We already have EnvironmentDependentProviderFactory#isSupported which covers this and there is no need to introduce yet another way to do it. It's nice and simple to use and is also flexible beyond just profiles. Look at:
There was a problem hiding this comment.
Yes. I agree conditional would be a much better name. However, renaming it breaks backwards compatibility so that's not an option and I don't like alternatives so it is what it is ;)
|
Authentication seems to work fine now. One little thing I noticed in UI still is client settings - after creating a new client of type docker-v2, the 'Valid Redirect URIs' field is reported as required. If this information is not used at all maybe 'Root URL', 'Valid Redirect URIs' and 'Base URL' should simply be hidden from the form? At the minimum it seems the field 'Valid Redirect URIs' should not be marked required, if there's a reason it should stay displayed on the form. |
| context.success(); | ||
| } else { | ||
| userDisabledFailure(context, realm, user); | ||
| } |
There was a problem hiding this comment.
Yes, I believe this should be in a separate PR.
@pedroigor Can you confirm the way this should fail for disabled users is a proper fix?
There was a problem hiding this comment.
OK - so I updated the userDisabledFailure to do what it was doing before in the HttpBasicAuthenticator: letting users in. Otherwise, the refactoring in place is just to expose various action components to the Docker child class. Will that fly?
| @Override | ||
| protected void authFailure(final AuthenticationFlowContext context, final RealmModel realm, final UserModel user) { | ||
| invalidUserAction(context, realm, user.getUsername(), context.getSession().getContext().resolveLocale(user)); | ||
| } |
There was a problem hiding this comment.
It seems to me that by resolving locale for error messages for existing user we may give away the information that the attempted user is in fact a valid user. For example, if I try 'bob':'1234' I get back "Unknown user or invalid password", but if I try 'jacques':'1234' I may get back something like 'Utilisateur inconnu ou mot de passe invalide'. Now I know jacques is a valid username.
Localisation should only take into account passed language value - extra query parameter in auth request, or a cookie - if docker-v2 protocol supports that.
But then, won't the result of 'docker login' then be something like:
Error response from daemon: Get https://localhost:5000/v2/: unauthorized: Utilisateur inconnu ou mot de passe invalide.
Why even bother with such a halfway solution? I would keep it simple - just return all messages in english.
There was a problem hiding this comment.
Valid point. Just assumed that l10n would be a requirement for userspace mssages, but I see what you're saying, and agree that said issue could be used to enumerate at least some of the users. Has been removed, to my knowledge there is no support for that in the docker auth v2 login protocol.
|
@mstruk - Display settings for client information has been updated per your comments. Anything else here or are we good? |
|
Almost :) We also need to add some integration tests under testsuite/integration-arquillian as was discussed. Let's assume docker tools are installed on the system. Instructions for preparing the test run should be added to HOW-TO-RUN.md Maybe @pdrozd or @stianst can chime in with any more specific suggestions. Finally, there is one big thing that needs to be done before we can merge this PR, and that is - it needs to be squashed into a single commit. Current remerging from master into your branch makes it impossible to clearly see the changes, and makes it messy to undo merge should there be some issue. The simplest way that I see to do this is to simply backup your branch, hard reset it to latest remotes/upstream/master and then cherry-pick into it from your backup branch, resolving conflicts as you move along. Finally, squash it into one commit, and force push it over current branch to update the PR. |
|
@stianst So I think I have a reasonably sound test harness. It requires a working docker binary on the host machine, and will just skip if one is not found. The docker client and registry are spun up and configured with some custom settings in containers and the existing arquillian/junit framework is used to stand up a test docker realm. Will address the idea of an entirely new flow for docker auth shortly. |
|
@vmuzikar I've set up a Fedora 25 in VirtualBox to try and find a way to support both Fedora, and macOS. Looks like I found a way: mstruk@2bce514 Could you check, and see if that works for you? See HOW-TO-RUN.md I had quite a few problems fighting through it. Seems there's an issue with error reporting. At least some of error details seems to be suppressed. For example I don't see AssumptionViolatedExceptions from @BeforeClass logged anywhere. That requires working with source code to debug why the test was skipped for example. |
|
@mstruk Thanks for the update! Seems it fixed the iptables problems in CI (RHEL 7.3). However, it still persists on my Fedora 25 installations (both on my machine and a virtual one which is a clean fresh installation). So, I've updated the HOW-TO-RUN accordingly. One last thing before we are good to go. |
|
@vmuzikar I tried your instructions and they work for me. WRT intermittent failures I think I have experienced that a few times. I have not seen that often, and assumed it was some config change of mine that caused it. |
josh-cain
force-pushed
the
dockerProtocolNew
branch
from
479f645
to
048ccc8
Compare
|
@vmuzikar - Just updated with a wait to validate that the docker daemon is up and running. Is that what you're after? Also merged in changes from you and Marek. |
|
@cainj13 Thanks for the update. Unfortunately, it didn't seem to fix the issue. I've done some research and I've found 2 problems:
I hope I fixed both problems in vmuzikar@9334803 Also I've created KEYCLOAK-5079 so we wouldn't forget to update testcontainers once the new version with fixed SELinux is released. So if my changes are ok and you'll merge them, I believe we are finally ready to merge! :) I'm sorry it took too long and perhaps even got a bit frustrating. :) I needed to be sure that the test is ok and working fine before merging so we could start testing it in the CI right away. |
|
@vmuzikar sounds great! Totally understand that this needs to be pretty stable before allowing it into the base. I appreciate the work you, @stianst, and @mposolda have put into this. It looks like testcontainers-java #334 was actually merged today, so hopefully that'll find its way to a release fairly quickly. Finally, Travis looks to be having some issues with failing tests. Dare I ask what's up with those? They appear to be unrelated, but I've not had massive Travis failures like this before... |
|
Are we ready to go? One last rebase/squash of commits and this can be merged from my POV. |
|
Yes yes - from QE POV we are good to go. |
josh-cain
force-pushed
the
dockerProtocolNew
branch
from
7baafe7
to
aaeb1cc
Compare
|
@stianst @vmuzikar attempted to squash this monstrosity of a PR into a commit. Of course there were plenty of conflicts - I think I resolved them correctly, but would just like to call out that the likelihood of error on those is growing with the size/duration. Will keep an eye on the builds tonight and see of the results go well. |
|
Looks like something went rather wrong and all tests are broken now :( |
|
@cainj13 Hmm... it seems like the test is now failing for me with: Also, I quickly glanced at the test and it seems like it's not the latest version - there are missing e.g. my changes (waiting for the container - the |
|
Sorry guys, I'll get to it when I can. Already sunk a ton of time into the PR process (far more time than it took to actually write the implementation), and I've got some other high priority tasking atm. I knew better than to attempt a rebase of this size without a backup, so see dockerProtocolJustInCase branch if you want a snapshot of a pre-rebase version. |
|
@cainj13 I'm sorry about the lengthy time it's taken to get this PR accepted. I'm partially to blame as I should have given it more love early on. Sorry for that. We're almost at the goal line now though so don't give up hope :) I'm holding of the 3.2 release until we can get this merged and it's one of the last things we're waiting for now. |
|
@cainj13 I'm trying to squash it now. Hopefully I can get this sorted. |
|
Trying to squash this was a disaster in it's own right. So I took a different strategy and uses "git reset" then added a new commit. This looses the author, but I mentioned you as the author in the commit instead. Hope that's OK. After that it was fairly simple to rebase on master, only a few minor merge conflicts to sort out. https://github.com/stianst/keycloak/tree/docker-rebase-master Going to run tests and check it out now. |
|
Opened a new PR here #4267. If it passes tests and I can run the Docker tests locally I'll merge that. |
josh-cain
force-pushed
the
dockerProtocolNew
branch
from
aaeb1cc
to
c6e8c07
Compare
|
@stianst I pulled in your changes - minus trimming of a bit of whitespace in a couple files these branches should now be identical. I'll examine the tests, still have failures :( |
|
I've just run the test in the CI with the Stian's branch and it passed. @cainj13 What's it failing on for you? |
|
@vmuzikar I was referring to https://travis-ci.org/keycloak/keycloak/builds/247906586 - had failures. We'll see what Travis does here ^ I suppose... |
|
@stianst @vmuzikar failures are around stuff like this: UndertowDemoServletsAdapterTest>AbstractDemoServletsAdapterTest.testTokenMinTTL:524 URL expected to begin with:http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth; actual URL: http://0.0.0.0:8180/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=token-min-ttl&redirect_uri=http%3A%2F%2F0.0.0.0%3A8180%2Ftoken-min-ttl&state=76082516-a9f9-4bf1-8868-eeaf57008281&login=true&scope=openid Looks like changing the bind settings from 'localhost' to '0.0.0.0' made some tests unhappy. |
|
Fixed the issue with the tests and all tests are now passing with auth-server-wildfly and on Travis: PR merged here #4269 |
|
@cainj13 We got there in the end! Thanks for all the work :) |
See KEYCLOAK-3592.