ACS-9047 Use Keycloak 26

README.md

@@ -8,7 +8,7 @@
 *Keycloak* is a central component responsible for identity-related capabilities needed by other Alfresco software, such as managing users, groups, roles, profiles, and authentication. Currently it deals just with authentication. This project contains the open-source core of this service.
 
 For installing Keycloak you can choose either a sample Kubernetes distribution or a sample standalone distribution. Both methods are described in the following sections.
-For upgrading, it is recommended to follow the official [Keycloak upgrading guide](https://www.keycloak.org/docs/25.0.6/upgrading/).
+For upgrading, it is recommended to follow the official [Keycloak upgrading guide](https://www.keycloak.org/docs/26.0.7/upgrading/).
 
 Check the [Kubernetes deployment prerequisites](https://github.com/Alfresco/alfresco-dbp-deployment/blob/master/README-prerequisite.md) and [standalone prerequisites](#prerequisites) before you start.
 
@@ -65,7 +65,7 @@ http://<IP_ADDRESS>:8080/auth/admin/alfresco/console/
 
 #### Modifying the valid redirect URIs
 
-**Note**: for security reasons, the redirect URIs should be as specific as possible. [See Keycloak official documentation](https://www.keycloak.org/docs/25.0.6/securing_apps/#redirect-uris).
+**Note**: for security reasons, the redirect URIs should be as specific as possible. [See Keycloak official documentation](https://www.keycloak.org/docs/26.0.7/securing_apps/#redirect-uris).
 
   1. After logging in to the Alfresco realm follow the left side menu and choose clients.
   2. Choose the Alfresco client from the client list.
@@ -146,7 +146,7 @@ The above steps will deploy _Keycloak_ with the **default example realm applied*
 
 #### Changing Alfresco Client redirectUris
 
-**Note**: for security reasons, the redirect URIs should be as specific as possible. [See Keycloak official documentation](https://www.keycloak.org/docs/25.0.6/securing_apps/#redirect-uris).
+**Note**: for security reasons, the redirect URIs should be as specific as possible. [See Keycloak official documentation](https://www.keycloak.org/docs/26.0.7/securing_apps/#redirect-uris).
 
 You can override the default redirectUri of `http://localhost*` for your environment with the `realm.alfresco.client.redirectUris` property:
 
@@ -201,7 +201,7 @@ For added resilience, we rely on support in the Keycloak chart for specifying mu
 In addition, for high availability, Keycloak supports clustering. For more information on how to configure high availability and clustering, you can consult this additional documentation.  
 
 
-[Keycloak-X chart Readme](https://github.com/codecentric/helm-charts/blob/keycloakx-2.5.1/charts/keycloakx/README.md#high-availability-and-clustering)
+[Keycloak-X chart Readme](https://github.com/codecentric/helm-charts/blob/keycloakx-2.6.0/charts/keycloakx/README.md#high-availability-and-clustering)
 
 
 [Configuring Keycloak for production](https://www.keycloak.org/server/configuration-production)
@@ -256,21 +256,21 @@ helm install $RELEASENAME helm/alfresco-keycloak --devel \
 
 For further details see [Setting a Custom Realm](https://github.com/codecentric/helm-charts/tree/keycloak-18.0.0/charts/keycloak#setting-a-custom-realm).
 
-Once Keycloak is up and running, login to the [Management Console](https://www.keycloak.org/docs/25.0.6/server_admin/index.html#using-the-admin-console) to configure the required realm.
+Once Keycloak is up and running, login to the [Management Console](https://www.keycloak.org/docs/26.0.7/server_admin/index.html#using-the-admin-console) to configure the required realm.
 
 #### Manually
 
-1. [Add a realm](https://www.keycloak.org/docs/25.0.6/server_admin/index.html#proc-creating-a-realm_server_administration_guide) named "Alfresco"
+1. [Add a realm](https://www.keycloak.org/docs/26.0.7/server_admin/index.html#proc-creating-a-realm_server_administration_guide) named "Alfresco"
 
-2. [Create an OIDC client](https://www.keycloak.org/docs/25.0.6/server_admin/index.html#_oidc_clients) named "alfresco" within the Alfresco realm
+2. [Create an OIDC client](https://www.keycloak.org/docs/26.0.7/server_admin/index.html#_oidc_clients) named "alfresco" within the Alfresco realm
 
-3. [Create a group](https://www.keycloak.org/docs/25.0.6/server_admin/index.html#proc-managing-groups_server_administration_guide) named "admin"
+3. [Create a group](https://www.keycloak.org/docs/26.0.7/server_admin/index.html#proc-managing-groups_server_administration_guide) named "admin"
 
-4. [Add a new user](https://www.keycloak.org/docs/25.0.6/server_admin/index.html#proc-creating-user_server_administration_guide) with a username of "testuser", email of "[email protected]" and first and last name of "test"
+4. [Add a new user](https://www.keycloak.org/docs/26.0.7/server_admin/index.html#proc-creating-user_server_administration_guide) with a username of "testuser", email of "[email protected]" and first and last name of "test"
 
 #### Using the Sample Realm File
 
-1. Go to the [Add Realm](https://www.keycloak.org/docs/25.0.6/server_admin/index.html#proc-creating-a-realm_server_administration_guide) page and click the "Select File" button next to the **Import** label.
+1. Go to the [Add Realm](https://www.keycloak.org/docs/26.0.7/server_admin/index.html#proc-creating-a-realm_server_administration_guide) page and click the "Select File" button next to the **Import** label.
 
 2. Choose the [sample realm](./alfresco-realm.json) file and click the "Create" button.
 

distribution/build.properties

@@ -1,2 +1,2 @@
-KEYCLOAK_VERSION=25.0.6
+KEYCLOAK_VERSION=26.0.7
 THEME_VERSION=0.3.5

helm/alfresco-keycloak/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: alfresco-keycloak
 version: 1.0.0
-appVersion: 25.0.6
+appVersion: 26.0.7
 description: This is just a sample Helm installation of raw Keycloak with the Alfresco Realm and Theme pre-installed.
 keywords:
   - alfresco
@@ -13,7 +13,7 @@ maintainers:
   - name: Alfresco
 dependencies:
   - name: keycloakx
-    version: 2.5.1
+    version: 2.6.0
     repository: https://codecentric.github.io/helm-charts
   - name: common
     version: 1.11.3

helm/alfresco-keycloak/README.md

@@ -1,6 +1,6 @@
 # alfresco-keycloak
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 25.0.6](https://img.shields.io/badge/AppVersion-25.0.6-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 26.0.7](https://img.shields.io/badge/AppVersion-26.0.7-informational?style=flat-square)
 
 This is just a sample Helm installation of raw Keycloak with the Alfresco Realm and Theme pre-installed.
 
@@ -22,7 +22,7 @@ This is just a sample Helm installation of raw Keycloak with the Alfresco Realm
 |------------|------|---------|
 | https://charts.bitnami.com/bitnami | common | 1.11.3 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
-| https://codecentric.github.io/helm-charts | keycloakx | 2.5.1 |
+| https://codecentric.github.io/helm-charts | keycloakx | 2.6.0 |
 
 ## Values
 
@@ -44,12 +44,12 @@ This is just a sample Helm installation of raw Keycloak with the Alfresco Realm
 | keycloakx.extraInitContainers | string | `"- name: theme-provider\n  image: busybox:1.36\n  imagePullPolicy: IfNotPresent\n  command:\n    - sh\n  args:\n    - -c\n    - |\n      THEME_VERSION=0.3.5\n      wget https://github.com/Alfresco/alfresco-keycloak-theme/releases/download/${THEME_VERSION}/alfresco-keycloak-theme-${THEME_VERSION}.zip -O /alfresco.zip\n      unzip alfresco.zip\n      mv alfresco/* /theme/\n  volumeMounts:\n    - name: theme\n      mountPath: /theme\n"` |  |
 | keycloakx.extraVolumeMounts | string | `"- name: realm-secret\n  mountPath: \"/opt/keycloak/data/import/\"\n  readOnly: true\n- name: theme\n  mountPath: \"/opt/keycloak/themes/alfresco\"\n  readOnly: true\n"` |  |
 | keycloakx.extraVolumes | string | `"- name: realm-secret\n  secret:\n    secretName: realm-secret\n- name: theme\n  emptyDir: {}\n"` |  |
-| keycloakx.image.tag | string | `"25.0.6"` |  |
+| keycloakx.image.tag | string | `"26.0.7"` |  |
 | keycloakx.imagePullSecrets[0].name | string | `"quay-registry-secret"` |  |
 | keycloakx.rbac.create | bool | `false` |  |
 | keycloakx.service.httpPort | int | `80` |  |
 | keycloakx.serviceAccount.create | bool | `true` |  |
-| postgresql.enabled | bool | `false` | Flag introduced for testing purposes, to actually run this with postgresql follow the approach explained [here](https://github.com/codecentric/helm-charts/blob/keycloakx-2.5.1/charts/keycloakx/examples/postgresql/readme.md). |
+| postgresql.enabled | bool | `false` | Flag introduced for testing purposes, to actually run this with postgresql follow the approach explained [here](https://github.com/codecentric/helm-charts/blob/keycloakx-2.6.0/charts/keycloakx/examples/postgresql/readme.md). |
 | realm.alfresco.adminPassword | string | `"admin"` |  |
 | realm.alfresco.client.redirectUris | list | `["*"]` | For security reasons, override the default value and use URIs to be as specific as possible. [See Keycloak official documentation](https://www.keycloak.org/docs/latest/securing_apps/#redirect-uris). |
 | realm.alfresco.client.webOrigins[0] | string | `"http://localhost*"` |  |

helm/alfresco-keycloak/alfresco-realm.json

@@ -2671,6 +2671,6 @@
     {{- end }}
     {{- end }}
   ],
-  "keycloakVersion": "25.0.6",
+  "keycloakVersion": "26.0.7",
   "userManagedAccessAllowed": false
 }

helm/alfresco-keycloak/values.yaml

@@ -67,7 +67,7 @@ keycloakx:
   rbac:
     create: false
   image:
-    tag: 25.0.6
+    tag: 26.0.7
   imagePullSecrets:
     - name: quay-registry-secret
   serviceAccount:
@@ -115,5 +115,5 @@ keycloakx:
           mountPath: /theme
 
 postgresql:
-  # -- Flag introduced for testing purposes, to actually run this with postgresql follow the approach explained [here](https://github.com/codecentric/helm-charts/blob/keycloakx-2.5.1/charts/keycloakx/examples/postgresql/readme.md).
+  # -- Flag introduced for testing purposes, to actually run this with postgresql follow the approach explained [here](https://github.com/codecentric/helm-charts/blob/keycloakx-2.6.0/charts/keycloakx/examples/postgresql/readme.md).
   enabled: false

test/saml/pom.xml

@@ -23,7 +23,7 @@
     <maven-compiler-plugin>3.8.0</maven-compiler-plugin>
     <maven-surefire-plugin.version>2.21.0</maven-surefire-plugin.version>
     <maven-dependency-plugin.version>3.1.2</maven-dependency-plugin.version>
-    <!-- IDS version where to test the upgrade scenario to the version defined in the build.properties file. E.g. upgrade IDS 1.8.0 to Keycloak 25.0.6 -->
+    <!-- IDS version where to test the upgrade scenario to the version defined in the build.properties file. E.g. upgrade IDS 1.8.0 to Keycloak 26.0.7 -->
     <identity-service-from.version>1.8.0.1</identity-service-from.version>
   </properties>
 

test/saml/upgrade/test-upgrade.sh

@@ -56,14 +56,14 @@ stop_kc() {
 
 # This is required if upgrading from a version of Keycloak which relies on h2 v1.x
 migrate_h2_database() {
-  wget https://repo1.maven.org/maven2/com/h2database/h2/2.2.224/h2-2.2.224.jar
+  wget https://repo1.maven.org/maven2/com/h2database/h2/2.3.230/h2-2.3.230.jar
   wget https://repo1.maven.org/maven2/com/h2database/h2/1.4.196/h2-1.4.196.jar
   dbdir="$(pwd)/${target}/data/h2"
   log_info "Exporting old h2 database to zip file..."
   java -cp h2-1.4.196.jar org.h2.tools.Script -url jdbc:h2:${dbdir}/keycloak -user sa -password sa -script h2db.zip -options compression zip
   rm -f ${target}/data/h2/keycloak.mv.db
   log_info "Creating new h2 database from zip file..."
-  java -cp h2-2.2.224.jar org.h2.tools.RunScript -url jdbc:h2:${dbdir}/keycloakdb -user sa -password password -script ./h2db.zip -options compression zip FROM_1X
+  java -cp h2-2.3.230.jar org.h2.tools.RunScript -url jdbc:h2:${dbdir}/keycloakdb -user sa -password password -script ./h2db.zip -options compression zip FROM_1X
   rm -f h2db.zip
   rm -f $dbdir/keycloak.*
   log_info "h2 1.x -> 3.x migration successful!"
@@ -76,8 +76,9 @@ migrate_h2_database() {
 # /saml directory
 current_dir=$(pwd)
 workspace="${current_dir}/target/distribution/workspace"
-# Get the host IP
-host_ip=$(ifconfig | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v 127.0.0.1 | awk '{ print $2 }' | cut -f2 -d: | head -n1)
+# Keycloak doesn't send cookies for the cross origin request from the non secure context. Since we are using http in our
+# tests we need to use loopback address which is considered as secure.
+host_ip="127.0.0.1"
 # Keycloak default port
 port=8080
 protocol="http"