Keycloak-authorization extension: exception in integration tests using combination of native image and container #25659

jmann-idt · 2022-05-18T14:21:54Z

Describe the bug

When running integration tests for applications that make use of the keycloak-authorization extension fail when the following is true:

Dev Services enabled (quarkus.devservices.enabled=true)
Native profile activated (-Pnative)
Container build enabled (quarkus.container-image.build=true)

The failure suggests that org.keycloak.adapters.authorization.PolicyEnforcer cannot connect to the authServerUrl. Exception provided below.

Expected behavior

Integration tests that pass whenquarkus.container-image.build=false would pass when quarkus.container-image.build=true

Actual behavior

Integration test fails with the following exception:

java.net.ConnectException: Connection refused (Connection refused)
	at com.oracle.svm.jni.JNIJavaCallWrappers.jniInvoke_VA_LIST_ConnectException_constructor_026ed3e065cc052585fca43de83265b2d1381f28(JNIJavaCallWrappers.java:0)
	at java.net.PlainSocketImpl.socketConnect(PlainSocketImpl.java)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:255)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:237)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:609)
	at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:121)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:84)
	at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
	at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
	at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
	at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
	at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:246)
	at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
	at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:153)
	at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:76)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.createPolicyEnforcer(KeycloakPolicyEnforcerRecorder.java:102)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.setup(KeycloakPolicyEnforcerRecorder.java:37)
	at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup1036344509.deploy_0(Unknown Source)
	at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup1036344509.deploy(Unknown Source)
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:103)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:67)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:41)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:120)
	at io.quarkus.runner.GeneratedMain.main(Unknown Source)

How to Reproduce?

Using the security-keycloak-authorization-quickstart, apply the following patch to the existing pom.xml:

diff --git a/security-keycloak-authorization-quickstart/pom.xml b/security-keycloak-authorization-quickstart/pom.xml
index 5f53d82e..9476ee55 100644
--- a/security-keycloak-authorization-quickstart/pom.xml
+++ b/security-keycloak-authorization-quickstart/pom.xml
@@ -17,6 +17,11 @@
         <maven.compiler.source>11</maven.compiler.source>
         <maven.compiler.target>11</maven.compiler.target>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+        <!-- Added for bug test -->
+        <quarkus.container-image.group>${project.groupId}</quarkus.container-image.group>
+        <quarkus.container-image.name>${project.artifactId}</quarkus.container-image.name>
+        <quarkus.container-image.build>true</quarkus.container-image.build>
     </properties>
 
     <dependencyManagement>
@@ -45,6 +50,12 @@
             <artifactId>quarkus-resteasy-reactive-jackson</artifactId>
         </dependency>
 
+        <!-- Added for bug test -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-container-image-jib</artifactId>
+        </dependency>
+
         <!-- Test -->
         <dependency>
             <groupId>io.rest-assured</groupId>

Run ./mvnw clean verify -Pnative -Dquarkus.container-image.build=false. See that both PolicyEnforcerTest and NativePolicyEnforcerIT pass.
Run ./mvnw clean verify -Pnative -Dquarkus.container-image.build=true. See PolicyEnforcerTest passes, but NativePolicyEnforcerIT fails.

Output of `uname -a` or `ver`

Linux ubuntu 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Output of `java -version`

openjdk version "11.0.15" 2022-04-19

GraalVM version (if different from Java)

GraalVM 22.0.0.2 Java 11 CE

Quarkus version or git rev

2.9.1.Final

Build tool (ie. output of `mvnw --version` or `gradlew --version`)

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)

Additional information

No response

The text was updated successfully, but these errors were encountered:

quarkus-bot · 2022-05-18T14:21:57Z

/cc @geoand, @pedroigor, @sberyozkin

sberyozkin · 2022-05-18T15:41:22Z

@jmann-idt thanks.
@geoand Hey Georgios, in this code, with the jib container, should we really set quarkus.oidc.auth-server-url not using the internal URL but the same way we set the CLIENT one, where a hostUrl is used ?
While the code like KeycloakTestClient can see the CLIENT prefixed property, KeycloakPolicyRecorder can't so it ends up calling on the internal URL.
I can experiment, I don't recall why quarkus.auth-server-url stays on the internal one...

sberyozkin · 2022-05-18T16:34:43Z

Actually, #18249 may be the real cause, I'll have a look

geoand · 2022-05-19T05:54:53Z

@sberyozkin not really sure, but I can take a look if needed

sberyozkin · 2022-05-19T09:35:22Z

@geoand Thanks, I'll investigate a bit later, will ping you if I get stuck

geoand · 2022-05-19T10:35:53Z

👍

sberyozkin · 2022-05-19T17:46:01Z

Opened a draft #25690, confirming a native mode failure.

jmann-idt added the kind/bug Something isn't working label May 18, 2022

quarkus-bot bot added area/container-image area/keycloak labels May 18, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Keycloak-authorization extension: exception in integration tests using combination of native image and container #25659

Keycloak-authorization extension: exception in integration tests using combination of native image and container #25659

jmann-idt commented May 18, 2022

quarkus-bot bot commented May 18, 2022

sberyozkin commented May 18, 2022 •

edited

Loading

sberyozkin commented May 18, 2022

geoand commented May 19, 2022

sberyozkin commented May 19, 2022

geoand commented May 19, 2022

sberyozkin commented May 19, 2022

Keycloak-authorization extension: exception in integration tests using combination of native image and container #25659

Keycloak-authorization extension: exception in integration tests using combination of native image and container #25659

Comments

jmann-idt commented May 18, 2022

Describe the bug

Expected behavior

Actual behavior

How to Reproduce?

Output of uname -a or ver

Output of java -version

GraalVM version (if different from Java)

Quarkus version or git rev

Build tool (ie. output of mvnw --version or gradlew --version)

Additional information

quarkus-bot bot commented May 18, 2022

sberyozkin commented May 18, 2022 • edited Loading

sberyozkin commented May 18, 2022

geoand commented May 19, 2022

sberyozkin commented May 19, 2022

geoand commented May 19, 2022

sberyozkin commented May 19, 2022

Output of `uname -a` or `ver`

Output of `java -version`

Build tool (ie. output of `mvnw --version` or `gradlew --version`)

sberyozkin commented May 18, 2022 •

edited

Loading