Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

Provide a local XSD file for liquibase schema #44

Closed zambrovski closed 2 years ago

zambrovski commented 2 years ago

Currently, liquibase tries to resolve the schema from the db-changes XML file. In general it is ok that this is performed, but I believe that for a security system like Keycloak it is better to provide a local copy of the XSD schema instead of letting the component access a resource from the Internet.

You already got this problem reported in https://github.com/Captain-P-Goldfish/scim-for-keycloak/issues/40, but I believe it is more stable to have the version offline.

For example, liquibase changed some addresses as described here: https://github.com/liquibase/liquibase/issues/2448 or https://github.com/liquibase/liquibase/issues/1153.

To make your code independent from liquibase server setup, see the hint posted here: https://github.com/liquibase/liquibase/issues/1153#issuecomment-629219232

Captain-P-Goldfish commented 2 years ago

I am actually wondering why this comes up only with this application. Keycloak itself is doing the exact same thing when looking at jpa-changelog-master.xml:

<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
    <include file="META-INF/jpa-changelog-1.0.0.Final.xml"/>
    <include file="META-INF/jpa-changelog-1.0.0.Final-db2.xml"/>
    <include file="META-INF/jpa-changelog-1.1.0.Beta1.xml"/>
...

So I wonder why is it considered a problem here when it does not on keycloak?

ullgren commented 2 years ago

I can agree to that. However, for some reason it seems that keycloak itself does not call out to the actual server for the XSD. It might be that they use a different resource resolver.

What is evident is that scim-for-keycloak does fetch the xsd from the server. A simple test is to block outbound traffic from the keycloak server and start up.

ullgren commented 2 years ago

To reproduce:

  1. Unpack clean Keycloak 15.0.2 (maybe later)

  2. Setup iptables to reject traffic to www.liquibase.org (right now it resolves to 35.224.204.50): sudo iptables -A OUTPUT -d 35.224.204.50 -j REJECT

  3. Start keycloak, verify that it starts correctly. This validates that "vanilla" keycloak does not call out to www.liquibase.org

  4. Shutdown keycloak

  5. Do a file deploy of scim-for-keycloak-kc-15-b1.ear

  6. Start keycloak. It now fails to start due to "Connection refused"

  7. Remove the block of www.liquibase.org: sudo iptables -D OUTPUT -d 35.224.204.50 -j REJECT

  8. Start keycloak, it now starts correctly since scim-for-keycloak can get the xsd file
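The steps above reproduce the outbound fetch dynamically by blocking the host. A static check for the same condition, which can run in CI before a build reaches a locked-down environment, is to parse each changelog's xsi:schemaLocation and require that every http(s) schema URL has a bundled local copy. The script below is an added example, not code from scim-for-keycloak, Keycloak or Liquibase. It assumes one convention for where a bundled copy lives (the URL's host and path mirrored under a local directory, or the bare file name in that directory); the sample changelog is constructed from the jpa-changelog-master.xml snippet quoted in this thread, and the XSD placeholder it writes is not the real schema.

```python
"""Flag Liquibase changelogs whose xsi:schemaLocation points at a remote XSD
with no local copy.  Added example, not project code; the local-copy layout
is an assumption of this example, not Liquibase's resolver contract."""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample, modelled on the jpa-changelog-master.xml snippet above.
SAMPLE_CHANGELOG = """<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
    <include file="META-INF/jpa-changelog-1.0.0.Final.xml"/>
</databaseChangeLog>
"""


def schema_locations(xml_text):
    """Return (namespace, location) pairs declared in xsi:schemaLocation on the root."""
    root = ET.fromstring(xml_text)
    attr = root.get("{%s}schemaLocation" % XSI_NS)
    if not attr:
        return []
    tokens = attr.split()
    if len(tokens) % 2:
        raise ValueError("xsi:schemaLocation must hold namespace/location pairs")
    return list(zip(tokens[0::2], tokens[1::2]))


def is_remote(location):
    """True for locations a validating parser would fetch over the network."""
    return urlparse(location).scheme in ("http", "https")


def local_candidates(location, local_dirs):
    """Paths where a bundled copy of a remote XSD is expected (assumed layout):
    host+path mirrored under each local dir, plus the bare file name."""
    parsed = urlparse(location)
    mirrored = parsed.netloc + parsed.path
    name = os.path.basename(parsed.path)
    paths = []
    for d in local_dirs:
        paths.append(os.path.join(d, mirrored))
        paths.append(os.path.join(d, name))
    return paths


def check_changelog(xml_text, local_dirs):
    """Return the (namespace, location) entries that are remote and have no
    local copy in any of local_dirs.  An empty list means the changelog can be
    validated without network access under the assumed layout."""
    missing = []
    for ns, loc in schema_locations(xml_text):
        if not is_remote(loc):
            continue  # relative/file reference: resolved from disk or classpath
        if not any(os.path.isfile(p) for p in local_candidates(loc, local_dirs)):
            missing.append((ns, loc))
    return missing


def demo():
    """Run the check before and after bundling the XSD; returns the two counts."""
    with tempfile.TemporaryDirectory() as d:
        before = check_changelog(SAMPLE_CHANGELOG, [d])
        # Drop a placeholder copy where the assumed layout expects it.
        target = os.path.join(d, "www.liquibase.org", "xml", "ns", "dbchangelog",
                              "dbchangelog-3.2.xsd")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w") as f:
            f.write("<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'/>")
        after = check_changelog(SAMPLE_CHANGELOG, [d])
    return len(before), len(after)


if __name__ == "__main__":
    print(demo())
```

Wire check_changelog over every changelog in the build and fail the build when it returns a non-empty list; that catches a schemaLocation regression without needing an iptables rule on a test host. The layout in local_candidates is where this example looks, so adjust it to wherever the project actually ships its XSD copies.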

Captain-P-Goldfish commented 2 years ago

Just fixed it. The XML schema was added in order to prevent the outgoing call.

ullgren commented 2 years ago

Thanks for the quick resolution :heart: I agree with you that it is strange that the http://... schema location works in vanilla keycloak