Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

liquibase issues #100

Closed garpinc closed 5 months ago

garpinc commented 5 months ago

So, as originally reported:

Then I got an error from liquibase:
Unable to resolve xml entity /META-INF/dbchangelog-3.9.xsd. liquibase.secureParsing is set to 'true' which does not allow remote lookups. Check for spelling or capitalization errors and missing extensions such as liquibase-commercial in your XSD definition. Or, set it to 'false' to allow remote lookups of xsd files.

It turned out that in liquibase.parser.core.xml.LiquibaseEntityResolver.resolveEntity(String name, String publicId, String baseURI, String systemId), systemId was being set to /META-INF/dbchangelog-3.9.xsd. This was being lowercased by systemId.toLowerCase(), and hence it could not find that file. I changed the liquibase code to not do that and got past this error.

Then I got this error from liquibase:
because 'file' access is not allowed due to restriction set by the accessExternalSchema property
Turns out that liquibase.parser.core.xml.XMLChangeLogSAXParser does this:
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "http,https"); //need to allow external schemas on http/https to support the liquibase.org xsd files

Doesn't seem very secure to me, since the whole point of this was to not allow remote access when resolving the xsd; however, I set it to "all" instead and got past the error.

So I just revisited this because I can't be introducing security issues. I know I'm not allowed to modify your code and distribute it, but to test it what I did is replace the /META-INF/dbchangelog-3.9.xsd in your scim-changelog.xml with http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.9.xsd

From here https://docs.liquibase.com/concepts/changelogs/xml-format.html it says "Liquibase contains XSD files locally and does not need to retrieve them from the internet to validate your XML." So why do you have the /META-INF/dbchangelog-3.9.xsd? It's causing problems for me, so is that something you can revert in your code?
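To make the two changelog headers under discussion concrete, here is an added illustration (not the project's scim-changelog.xml, and not a file from Liquibase): the first header is a reconstruction of the problematic form, with xsi:schemaLocation pairing the dbchangelog namespace with the classpath path /META-INF/dbchangelog-3.9.xsd as its systemId; the second uses the canonical http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.9.xsd URL, which Liquibase maps to the XSD it bundles, so validation needs no network or file: access. The changeSet id/author and the table name are placeholders assumed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Header A (problematic, reconstructed for this example):
     systemId "/META-INF/dbchangelog-3.9.xsd" is not a location Liquibase's
     bundled-XSD lookup recognises; with liquibase.secureParsing=true the
     resolver refuses it, and with the default ACCESS_EXTERNAL_SCHEMA of
     "http,https" a file: fallback is blocked as well.
<databaseChangeLog
    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
                        /META-INF/dbchangelog-3.9.xsd">
-->

<!-- Header B (preferred): the canonical liquibase.org URL as systemId.
     Liquibase resolves this URL to its locally bundled copy of the XSD, so
     no remote fetch happens and secureParsing can stay 'true'. -->
<databaseChangeLog
    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
                        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.9.xsd">

    <!-- Placeholder changeSet (id, author and table name are assumed). -->
    <changeSet id="example-1" author="example">
        <createTable tableName="EXAMPLE_TABLE">
            <column name="ID" type="VARCHAR(36)">
                <constraints primaryKey="true" nullable="false"/>
            </column>
        </createTable>
    </changeSet>

</databaseChangeLog>
```

The point for a deployer is that the fix belongs in the changelog header, not in the parser settings: setting liquibase.secureParsing=false or widening ACCESS_EXTERNAL_SCHEMA to "all" makes the error go away, but it does so by re-enabling exactly the remote and file: schema lookups the restriction exists to block.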

Captain-P-Goldfish commented 5 months ago

This is actually an old issue, and I, unfortunately, simply forgot about it. I will fix it as soon as I have time. For the time being, modifying the liquibase-changelog headers won't do any harm. So as a quick fix you are free to do it until I get it fixed.

Captain-P-Goldfish commented 5 months ago

Fixed in the next release.

garpinc commented 5 months ago

Awesome. Let me know whenever that happens. I am in the process of getting payment to you, btw.

garpinc commented 4 months ago

Hi. I just downloaded the enterprise version we bought, scim-for-keycloak-kc-21-1.2.2-RC1-enterprise.jar, and am still getting: Caused by: liquibase.parser.core.xml.XSDLookUpException: Unable to resolve xml entity /META-INF/dbchangelog-3.9.xsd. liquibase.secureParsing is set to 'true' which does not allow remote lookups. Check for spelling or capitalization errors and missing extensions such as liquibase-commercial in your XSD definition. Or, set it to 'false' to allow remote lookups of xsd files.

What should I do?

Captain-P-Goldfish commented 4 months ago

Not deployed yet. I will try to release it this weekend.

garpinc commented 4 months ago

K, great. In the meantime I continued to modify the code as you allowed. I'm with nigesh and cambridgesemantics, for use within Anzo.

Captain-P-Goldfish commented 4 months ago

Just uploaded kc-21-1.2.2-RC2-free and kc-21-1.2.2-RC2-enterprise. Please let me know if the liquibase error still occurs. At least in my test scenarios I could not provoke a lookup :-)

Captain-P-Goldfish commented 4 months ago

Does everything work now? If yes, I would release the changes for the other branches as well.

garpinc commented 4 months ago

Hi, very sorry. I will try it now.

garpinc commented 4 months ago

I tried it and it appears to work.