Skip to content

Update bcpkix and bcprov dependencies #21543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vmuzikar merged 1 commit into from
Jul 20, 2023
Merged

Update bcpkix and bcprov dependencies #21543

vmuzikar merged 1 commit into from
Jul 20, 2023

Conversation

@vmuzikar
Copy link
Contributor

@vmuzikar vmuzikar commented Jul 10, 2023
edited
Loading

Closes #21360 (important to see for more context and discussion)

Supersedes #21369

@vmuzikar vmuzikar mentioned this pull request Jul 10, 2023
Closed
@vmuzikar vmuzikar marked this pull request as ready for review July 10, 2023 10:08
@vmuzikar vmuzikar requested review from a team as code owners July 10, 2023 10:08
@vmuzikar vmuzikar requested a review from a team July 10, 2023 10:08
@vmuzikar vmuzikar marked this pull request as draft July 10, 2023 10:36
@ghost ghost added the flaky-test label Jul 10, 2023
@ghost ghost mentioned this pull request Jul 10, 2023
Closed
ghost
ghost reviewed Jul 10, 2023
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@ghost
Copy link

ghost commented Jul 10, 2023

Unreported flaky test detected

If the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.ui.account2.ApplicationsTest#toggleApplicationDetailsTest

Keycloak CI - Account Console IT (firefox)

java.lang.AssertionError: Expected ApplicationsPage but was Keycloak Account Management (https://localhost:8543/auth/realms/test/account/#/applications&state=fbb8aab0-1b12-4a4e-a93b-93596915c9db&session_state=35840859-0395-403b-9569-7de773e60438&code=319a478d-9df7-4815-8518-2a05120c768f.35840859-0395-403b-9569-7de773e60438.d136b9ad-9a34-470d-8d70-bc7106fc0deb)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.page.AbstractPage.assertCurrent(AbstractPage.java:110)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

Report flaky test

@vmuzikar vmuzikar mentioned this pull request Jul 10, 2023
Closed
@ghost ghost mentioned this pull request Jul 10, 2023
Closed
vmuzikar
vmuzikar commented Jul 17, 2023
View reviewed changes
testsuite/integration-arquillian/tests/pom.xml
<app.server.2.jboss.jvm.debug.args>-agentlib:jdwp=transport=dt_socket,server=y,suspend=${app.server.2.debug.suspend},address=localhost:${app.server.2.debug.port}</app.server.2.jboss.jvm.debug.args>
<app.server.memory.Xms>64m</app.server.memory.Xms>
<app.server.memory.Xmx>512m</app.server.memory.Xmx>
<app.server.memory.Xmx>768m</app.server.memory.Xmx>
Copy link
Contributor Author

@vmuzikar vmuzikar Jul 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this change is safe. Seems like newer versions of BC are more memory demanding (see a failing test without this change). Is that something we want to risk as it might be directly affecting users.

Copy link
Contributor

@mposolda mposolda Jul 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's good point. Hopefully it affects just the app-server (which may not be that important AFAIK due the adapter tests executed on embedded undertow by default?).

Isn't it possible that app-server has both jdk15on and jdk18on dependencies and that being the cause of those issues?

Copy link
Contributor Author

@vmuzikar vmuzikar Jul 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We run with app-server-wildfly by default.

I did a little bit more digging into this. I realized we're actually not including any BC dependencies with the WF/EAP adapter. We use the default BC module that's already present in WF. You can simply double check that by building the adapters dist and checking the JARs included. There are actually no 3rd party deps bundled in our adapters dist. That means WF/EAP adapter should not be affected by this change at all.

The reason for the out of memory test failures is that we're including the BC deps in our test app WARs. The newer versions of BC libs are a few MBs larger. Hence I believe we're reaching the memory limit because of this.

However, where we are also including the BC deps is the Tomcat and Jetty adapters. Those are affected by this upgrade. This is NOT tested in GHA. @mposolda @miquelsi Do we need to run the full internal pipeline to test this?

Copy link
Contributor

@mposolda mposolda Jul 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running internal adapter pipeline can be nice, however our java adapters are deprecated. So not 100% sure it is strictly needed if it is too much work... IMO any performance/memory "regression" specific only to java adapters is fine due their deprecation (as long as it does not affect the Keycloak server).

Copy link
Contributor Author

@vmuzikar vmuzikar Jul 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mposolda Are you then fine with merging this? :) It'd be nice to have it in 22.0.1 to fix #21664

Copy link
Contributor

@mposolda mposolda Jul 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, ok. I am approving

@vmuzikar vmuzikar requested review from ASzc, mposolda and sschu July 17, 2023 11:34
@vmuzikar vmuzikar marked this pull request as ready for review July 17, 2023 11:34
mposolda
mposolda reviewed Jul 17, 2023
View reviewed changes
Copy link
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, it looks as a good change, but might worth to investigate the memory consumption issue as pointed in the inline comments.

testsuite/integration-arquillian/tests/pom.xml
<app.server.2.jboss.jvm.debug.args>-agentlib:jdwp=transport=dt_socket,server=y,suspend=${app.server.2.debug.suspend},address=localhost:${app.server.2.debug.port}</app.server.2.jboss.jvm.debug.args>
<app.server.memory.Xms>64m</app.server.memory.Xms>
<app.server.memory.Xmx>512m</app.server.memory.Xmx>
<app.server.memory.Xmx>768m</app.server.memory.Xmx>
Copy link
Contributor

@mposolda mposolda Jul 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's good point. Hopefully it affects just the app-server (which may not be that important AFAIK due the adapter tests executed on embedded undertow by default?).

Isn't it possible that app-server has both jdk15on and jdk18on dependencies and that being the cause of those issues?

ghost
ghost reviewed Jul 17, 2023
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@ghost
Copy link

ghost commented Jul 17, 2023

Unreported flaky test detected

If the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportNFC

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Expected SigningInPage but was Sign in to test (https://localhost:8543/auth/realms/test/login-actions/authenticate?client_id=account-console&tab_id=TtolwhKIJj0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.page.AbstractPage.assertCurrent(AbstractPage.java:110)
	at jdk.internal.reflect.GeneratedMethodAccessor612.invoke(Unknown Source)
...

Report flaky test

@vmuzikar vmuzikar requested a review from miquelsi July 17, 2023 16:06
ASzc
ASzc approved these changes Jul 17, 2023
View reviewed changes
Copy link
Contributor

@ASzc ASzc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like this will do what you want it to do. There are a limited number of productized versions available for bcprov-jdk18on, so weigh that potential impact before merging.

@vmuzikar
Copy link
Contributor Author

vmuzikar commented Jul 17, 2023

There are a limited number of productized versions available for bcprov-jdk18on, so weigh that potential impact before merging.

@ASzc Thanks for the review. Is 1.74 fine from the prod perspective? It's what Quarkus uses at the moment, so I assume should be fine.

@ASzc
Copy link
Contributor

ASzc commented Jul 17, 2023

@vmuzikar The closest version I see is 1.73. I don't see any bouncycastle artifacts on my list from RHBQ that they claim to support. I can inquire if needed. Are we shipping this jar, or is it being used in a "provided" context, given these are adapters that seem to be using it?

@vmuzikar
Copy link
Contributor Author

vmuzikar commented Jul 18, 2023

@ASzc We're shipping the JARs.

@vmuzikar vmuzikar linked an issue Jul 18, 2023 that may be closed by this pull request
CVE-2023-33201 - Information Exposure vulnerability in org.bouncycastle:bcprov-jdk15on #21664
Closed
@ASzc
Copy link
Contributor

ASzc commented Jul 18, 2023

@vmuzikar I have sent an inquiry about these GAVs

@vmuzikar vmuzikar merged commit 776bcbc into keycloak:main Jul 20, 2023
@vmuzikar vmuzikar deleted the bc-alignment branch July 20, 2023 09:57
vmuzikar added a commit to vmuzikar/keycloak that referenced this pull request Jul 20, 2023
@vmuzikar
Update bcpkix and bcprov dependencies (keycloak#21543)
f20052d 
Closes keycloak#21360

(cherry picked from commit 776bcbc)
@ASzc
Copy link
Contributor

ASzc commented Jul 21, 2023

@vmuzikar RHBQ has decided to productize these BC GAVs, so we're good

@vmuzikar
Copy link
Contributor Author

vmuzikar commented Jul 21, 2023

@ASzc Thanks!

stianst pushed a commit that referenced this pull request Jul 26, 2023
@vmuzikar
Update bcpkix and bcprov dependencies (#21543) (#21845)
13893cb 
Closes #21360

(cherry picked from commit 776bcbc)
This was referenced Sep 4, 2023
Closed
Closed
Closed
@bhatpmk bhatpmk mentioned this pull request Sep 22, 2023
Merged
@stianst stianst mentioned this pull request Nov 14, 2023
Closed
@stianst stianst mentioned this pull request May 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mposolda mposolda mposolda approved these changes

+4 more reviewers

@miquelsi miquelsi miquelsi approved these changes

@ASzc ASzc ASzc approved these changes

@sschu sschu sschu approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

flaky-test team/cloud-native

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CVE-2023-33201 - Information Exposure vulnerability in org.bouncycastle:bcprov-jdk15on Update bcpkix and bcprov dependencies

5 participants

@vmuzikar @ASzc @mposolda @miquelsi @sschu