AIRAVATA-2342 Setting up trust store for Keycloak ResteasyClient The Keycloak ResteasyClient uses its own SSLContext, so it cannot rely on the default SSLContext that the TrustStoreManager configures.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/0eda7d20 Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/0eda7d20 Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/0eda7d20 Branch: refs/heads/registry-refactoring Commit: 0eda7d202c68bc64caa876a888b92e035d9ebcef Parents: 0a6afd1 Author: Marcus Christie <[email protected]> Authored: Tue May 23 16:55:24 2017 -0400 Committer: Marcus Christie <[email protected]> Committed: Tue May 23 16:57:50 2017 -0400 ---------------------------------------------------------------------- .../core/impl/TenantManagementKeycloakImpl.java | 63 ++++++++++++++++---- .../handlers/IamAdminServicesHandler.java | 15 ++--- 2 files changed, 56 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/0eda7d20/airavata-services/profile-service/iam-admin-services-core/src/main/java/org/apache/airavata/service/profile/iam/admin/services/core/impl/TenantManagementKeycloakImpl.java ---------------------------------------------------------------------- diff --git a/airavata-services/profile-service/iam-admin-services-core/src/main/java/org/apache/airavata/service/profile/iam/admin/services/core/impl/TenantManagementKeycloakImpl.java b/airavata-services/profile-service/iam-admin-services-core/src/main/java/org/apache/airavata/service/profile/iam/admin/services/core/impl/TenantManagementKeycloakImpl.java index 0d2e9a8..60a8f5d 100644 --- a/airavata-services/profile-service/iam-admin-services-core/src/main/java/org/apache/airavata/service/profile/iam/admin/services/core/impl/TenantManagementKeycloakImpl.java +++ b/airavata-services/profile-service/iam-admin-services-core/src/main/java/org/apache/airavata/service/profile/iam/admin/services/core/impl/TenantManagementKeycloakImpl.java 
@@ -28,12 +28,19 @@ import org.apache.airavata.model.user.UserProfile;
 import org.apache.airavata.model.workspace.Gateway;
 import org.apache.airavata.service.profile.iam.admin.services.core.interfaces.TenantManagementInterface;
 import org.apache.airavata.service.profile.iam.admin.services.cpi.exception.IamAdminServicesException;
+import org.jboss.resteasy.client.jaxrs.ResteasyClient;
+import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.KeycloakBuilder;
 import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.representations.idm.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+
 import javax.ws.rs.core.Response;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -42,23 +49,57 @@ public class TenantManagementKeycloakImpl implements TenantManagementInterface { private final static Logger logger = LoggerFactory.getLogger(TenantManagementKeycloakImpl.class); + // TODO: close Keycloak client once done with it? private static Keycloak getClient(String adminUrl, String realm, PasswordCredential AdminPasswordCreds) { - return Keycloak.getInstance( - adminUrl, - realm, // the realm to log in to - AdminPasswordCreds.getLoginUserName(), AdminPasswordCreds.getPassword(), // the user - "admin-cli"); // admin-cli is the client ID used for keycloak admin operations. + ResteasyClient resteasyClient = new ResteasyClientBuilder() + .connectionPoolSize(10) + .trustStore(loadKeyStore()) + .build(); + return KeycloakBuilder.builder() + .serverUrl(adminUrl) + .realm(realm) + .username(AdminPasswordCreds.getLoginUserName()) + .password(AdminPasswordCreds.getPassword()) + .clientId("admin-cli") + .resteasyClient(resteasyClient) + .build(); } private static Keycloak getClient(String adminUrl, String realm, String authToken) { - return Keycloak.getInstance( - adminUrl, - realm, // the realm to log in to - "admin-cli", - authToken // the realm admin's auth token - ); + ResteasyClient resteasyClient = new ResteasyClientBuilder() + .connectionPoolSize(10) + .trustStore(loadKeyStore()) + .build(); + return KeycloakBuilder.builder() + .serverUrl(adminUrl) + .realm(realm) + .authorization(authToken) + .clientId("admin-cli") + .resteasyClient(resteasyClient) + .build(); + } + + private static KeyStore loadKeyStore() { + + FileInputStream fis = null; + try { + fis = new java.io.FileInputStream(ServerSettings.getTrustStorePath()); + KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); + ks.load(fis, ServerSettings.getTrustStorePassword().toCharArray()); + return ks; + } catch (Exception e) { + throw new RuntimeException("Failed to load trust store KeyStore instance", e); + } finally { + if (fis != null) { + try { + fis.close(); + } catch 
(IOException e) { + logger.error("Failed to close trust store FileInputStream", e); + } + } + } } @Override http://git-wip-us.apache.org/repos/asf/airavata/blob/0eda7d20/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/IamAdminServicesHandler.java ---------------------------------------------------------------------- diff --git a/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/IamAdminServicesHandler.java b/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/IamAdminServicesHandler.java index 26fa1ed..9f33cd5 100644 --- a/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/IamAdminServicesHandler.java +++ b/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/IamAdminServicesHandler.java @@ -37,23 +37,16 @@ import org.apache.thrift.TException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.net.URL; import java.util.List; public class IamAdminServicesHandler implements IamAdminServices.Iface { private final static Logger logger = LoggerFactory.getLogger(IamAdminServicesHandler.class); - public IamAdminServicesHandler() { - - try { - //initialize SSL context with the trust store that contains the CA cert signing the Keycloak server cert - TrustStoreManager trustStoreManager = new TrustStoreManager(); - trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(), - ServerSettings.getTrustStorePassword()); - } catch (Exception e) { - throw new RuntimeException(e.getMessage(), e); - } - } @Override public String getAPIVersion(AuthzToken authzToken) throws IamAdminServicesException, AuthorizationException {
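Review bot: `loadKeyStore()` re-reads and re-parses the trust store from disk on every `getClient(...)` call, and each call also builds a new `ResteasyClient` with its own 10-connection pool that is never closed (the TODO above the first overload already records the missing close), so steady admin traffic repeats file I/O per request and leaks pooled HTTP connections. The trust store does not change while the server runs, so load it once into a private static and hand the same instance to both builders; the stream is also a natural try-with-resources, which removes the hand-rolled `finally` and the fully qualified `new java.io.FileInputStream(...)` that bypasses the `FileInputStream` import this commit adds. `KeyStore.getDefaultType()` is `jks` on Java 8 but `pkcs12` on 9+, so if the shipped trust store is a JKS file the load will depend on the JDK's keystore compatibility mode; naming the type explicitly, or reading it from `ServerSettings` if such a setting exists, would make it deterministic. The enclosing class continues outside the hunk.

```java
    private static KeyStore trustStore;

    // Loaded on first use and shared by every client built below; the file does not
    // change while the server runs, so there is no reason to re-parse it per call.
    private static synchronized KeyStore trustStore() {
        if (trustStore == null) {
            trustStore = loadKeyStore();
        }
        return trustStore;
    }

    // … unchanged: both getClient overloads, except .trustStore(loadKeyStore())
    //    becomes .trustStore(trustStore()) …

    private static KeyStore loadKeyStore() {
        try (FileInputStream fis = new FileInputStream(ServerSettings.getTrustStorePath())) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(fis, ServerSettings.getTrustStorePassword().toCharArray());
            return ks;
        } catch (Exception e) {
            throw new RuntimeException("Failed to load trust store KeyStore instance", e);
        }
    }
```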
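Review bot: The four imports added at the top of `IamAdminServicesHandler` (`java.io.BufferedReader`, `java.io.IOException`, `java.io.InputStreamReader`, `java.net.URL`) are not used by anything in this hunk, and since the only other change to this file is deleting the constructor (the diffstat's 15 lines are exactly these four insertions and the eleven removed constructor lines), they are dead imports that should be dropped. Deleting the constructor also removes the only place the default `SSLContext` was seeded from the trust store; the commit message explains the Keycloak client no longer needs that, but if any other outbound TLS call in the profile service relied on the default context (not visible here) it now falls back to the JVM's default trust store. A one-line class comment such as `// Trust for the Keycloak admin connection is configured per-client in TenantManagementKeycloakImpl, not on the default SSLContext` would keep the next reader from re-adding the removed initialization. The class body continues past the hunk.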
