
Special characters in --db-password option #19831

Closed
2 tasks done
ajaiswal595 opened this issue Apr 20, 2023 · 13 comments · Fixed by #25218
Assignees
Labels
area/dist/quarkus kind/bug Categorizes a PR related to a bug team/cloud-native

Comments

@ajaiswal595

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

core

Describe the bug

If I try with some other application to the same database I'm able to connect to SQL Server; in fact, if I use the driver to test the connection I'm able to do that.

But when I'm running Keycloak it fails to connect and throws the error.

2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Login failed for user 'keycloak-user'. ClientConnectionId:b3662e81-673b-4b0e-a2fc-906f8548e325
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option.

Version

20.0.3

Expected behavior

It should be able to connect

Actual behavior

2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Login failed for user 'keycloak-user'. ClientConnectionId:b3662e81-673b-4b0e-a2fc-906f8548e325
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option.

How to Reproduce?

Try to connect to SQL Server with a named instance which is running on a remote machine.

Anything else?

Please fix ASAP, I'm blocked by it.

@ajaiswal595 ajaiswal595 added kind/bug Categorizes a PR related to a bug status/triage labels Apr 20, 2023
@ajaiswal595
Author

@stianst @pedroigor @sschu

I have identified the root cause.

If the password contains some special chars like ! $ @ and we pass it to the command, then it fails to start.

kc.bat start --https-key-store-file=E:\keystore.ks --https-key-store-password=password --https-trust-store-file=E:\truststore.ks --https-trust-store-password=password --db=mssql --transaction-xa-enabled=false --db-url="jdbc:sqlserver://localhost:1433;databaseName=Keycloak;encrypt=false" --db-username=keycloak-user --db-password=CTdemo123! --http-enabled=true --http-port=7777 --https-port=7778 --hostname-strict=false --http-relative-path=/auth --log-level=INFO --log="console,file" --log-file=../data/log/server.log --hostname-strict-https=false --spi-theme-welcome-theme=mythem

Could you please confirm it and let me know the quick fix as it's a blocker?

@sschu
Contributor

sschu commented Apr 21, 2023

@ajaiswal595 I guess the quick fix is to set the password as an environment variable. It is the better way anyway, as otherwise your password is visible in the process list.

@ajaiswal595
Author

@sschu You are right, but this is also a vulnerability if we store passwords in environment variables.

Did you come up with any vault yet for the Keycloak Quarkus distribution?

@sschu
Contributor

sschu commented Apr 24, 2023

@ajaiswal595 It is still way more secure to use environment variables than to pass a secret via command-line args, as those are readable by everybody. The best way for now would be to pass secrets in a file.
I have seen some activity around vault implementation here: #19644
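The environment-variable route sschu recommends, as an added editor's example (not code from Keycloak or from anyone in this thread): a small Python helper that takes a kc command line like the one posted above and moves the secret-bearing options into the KC_* environment variables Keycloak reads instead, so the values no longer appear in the process list. It assumes Keycloak's documented option-to-environment mapping (`--foo-bar` becomes `KC_FOO_BAR`), uses kc.sh in place of kc.bat, and the sample command is constructed from the one in the issue, shortened.

```python
# Added example (editor's code, not Keycloak's or the reporter's): strip
# secret-bearing options from a kc.sh command line and hand them to Keycloak
# through its KC_* environment variables instead, so they stay out of `ps`.
# Assumption: Keycloak maps option `--foo-bar` to env var `KC_FOO_BAR`.
import shlex

# The options from the command posted in this issue whose values are secrets.
SECRET_OPTIONS = {
    "--db-password",
    "--https-key-store-password",
    "--https-trust-store-password",
}

# Constructed from the command posted in the issue, shortened; kc.sh and the
# keystore path are assumptions for the example.
ISSUE_COMMAND = (
    "kc.sh start --https-key-store-file=/opt/kc/keystore.ks "
    "--https-key-store-password=password --db=mssql "
    '--db-url="jdbc:sqlserver://localhost:1433;databaseName=Keycloak;encrypt=false" '
    "--db-username=keycloak-user --db-password=CTdemo123! --http-enabled=true"
)


def option_to_env(option):
    """'--db-password' -> 'KC_DB_PASSWORD' (Keycloak's option/env mapping)."""
    return "KC_" + option.lstrip("-").upper().replace("-", "_")


def split_secrets(argv):
    """Return (argv with secret options removed, {env var: secret value}).

    Handles both the '--opt=value' and the '--opt value' spellings."""
    clean, env = [], {}
    i = 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name in SECRET_OPTIONS:
            if not sep and i + 1 < len(argv):   # '--opt value' form
                value = argv[i + 1]
                i += 1
            env[option_to_env(name)] = value
        else:
            clean.append(argv[i])
        i += 1
    return clean, env


def export_lines(env):
    """Shell lines that set the variables. shlex.quote single-quotes values
    containing $, !, & and friends so the shell does not expand them."""
    return [f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items())]


def rewrite_command(cmdline):
    """Split the command line, strip the secrets, and report any secret value
    that still appears verbatim in the remaining argv."""
    argv, env = split_secrets(shlex.split(cmdline))
    leaked = [k for k, v in env.items() if v and any(v in a for a in argv)]
    return {"argv": argv, "env": env, "leaked": leaked}


if __name__ == "__main__":
    result = rewrite_command(ISSUE_COMMAND)
    print("\n".join(export_lines(result["env"])))
    print(shlex.join(result["argv"]))
    print("leaked:", result["leaked"])
```

Feed the printed export lines to the shell before invoking kc.sh. A process's environment is readable only by the same user and by root, whereas argv is visible to every local user through ps or /proc, which is the exposure sschu describes; the single quotes that shlex.quote adds matter because $, ! and & would otherwise be interpreted by the shell before Keycloak ever sees the value. A file with restrictive permissions, or the vault sschu links, is better still, since the environment is inherited by every child process.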

@mposolda mposolda added area/storage Indicates an issue that touches storage (change in data layout or data manipulation) and removed area/core labels Apr 26, 2023
@ghost ghost added the team/store label Apr 26, 2023
@ajaiswal595
Author

ajaiswal595 commented Apr 28, 2023

@sschu @pedroigor @stianst

I choose to put the password into keycloak/conf/keycloak.conf file. It works for the password CTdemo123! as we can see in an earlier discussion.

But it is failing for the password Akjtl$$5421

Can you suggest how to resolve this issue, or if any fix is available please let me know ASAP. It's a blocker for me.

@pedroigor
Contributor

@ajaiswal595 So this issue is mainly about the server failing to parse option values (in this case the database password) depending on the characters they have?

@ajaiswal595
Author

Yes, true.

The server is not able to parse the password; also we may need to check the keystore and truststore passwords.

@sschu
Contributor

sschu commented Apr 28, 2023

I can confirm this happens if the password contains two $. With only one $, everything works. For now I would suggest to pick a password without two dollar signs.

@hmlnarik
Contributor

Removing storage and putting to quarkus area since the issue is in passing the correct password from the commandline / properties.

@hmlnarik hmlnarik added area/dist/quarkus and removed area/storage Indicates an issue that touches storage (change in data layout or data manipulation) team/store labels May 16, 2023
@ghost ghost added the team/cloud-native label May 16, 2023
@andre-nascimento6791 andre-nascimento6791 self-assigned this May 23, 2023
@andre-nascimento6791
Contributor

Hello, @ajaiswal595 ,

We are investigating the aforementioned problem, which happens when the password contains a double $ character.

The good news is: the Keycloak Vault in File and Keystore feature is on the way! Check issue #19644.

Thanks.

@andre-nascimento6791 andre-nascimento6791 modified the milestone: Backlog May 25, 2023
@andre-nascimento6791
Contributor

Hello, @ajaiswal595 ,

Sorry for the inconvenience, but due to the need to work on other issues with higher priority in order to release version 22, we're going to move this issue to Backlog to be re-evaluated after the mentioned release.

Thanks for your understanding.

@andre-nascimento6791 andre-nascimento6791 removed their assignment May 25, 2023
@hmlnarik hmlnarik changed the title Unable to connect with SQL Server Special characters in --db-password option May 31, 2023
@shawkins
Contributor

shawkins commented Nov 29, 2023

@andre-nascimento6791 @sschu the CLI issue should have been resolved with #22585. The remaining issue with the double dollar sign is more of a smallrye problem. $ is an expression character, and $$ is used internally to escape it; in this case $$ is being mistaken for that escaping. So instead of the value Akjtl$$5421, some additional escaping is needed: Akjtl\$\$5421.

A case could be made that the handling of $$ here is incorrect; that's due to the logic in smallrye's ExpressionConfigSourceInterceptor, which doesn't account for the possibility of $$ naturally appearing in the value.

I think this issue could be resolved on the keycloak side with additional documentation and a smallrye issue (smallrye/smallrye-config#1056) to clarify $$ handling.
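To make the $$ behaviour shawkins describes concrete, an added editor's example (not SmallRye's or Keycloak's code): a deliberately small model of expression-style config interpolation, enough to show why a value with $$ comes out of the config layer changed while one with ! or @ does not, plus a round-trip check you can run on a candidate password before deploying it. The rules it implements are assumptions distilled from this thread (${name} and ${name:default} expansion, $$ collapsing to one $, \$ as the extra escape shawkins suggests, a lone $ left alone), not the real ExpressionConfigSourceInterceptor; confirm against your Keycloak version, since the CLI, the environment and keycloak.conf may each apply quoting of their own before this step.

```python
# Added example (editor's code, not SmallRye's or Keycloak's): a small model
# of expression-style config interpolation, enough to show why a value with
# '$$' comes out of the config layer changed while one with '!' or '@' does
# not, plus a round-trip check to run on a password before deploying it.
# Modelled rules (assumptions distilled from the thread, not the real
# ExpressionConfigSourceInterceptor):
#   ${name}          -> value of `name` from the lookup table
#   ${name:default}  -> `default` when `name` is absent
#   $$               -> one literal '$'   (the internal escape the thread describes)
#   \$               -> one literal '$'   (the extra escaping shawkins suggests)
#   a lone '$' not followed by '{' or '$' is kept as-is (lenient syntax)


def expand(value, lookup=None):
    """Expand expressions in a config value according to the rules above."""
    lookup = lookup or {}
    out, i, n = [], 0, len(value)
    while i < n:
        c = value[i]
        nxt = value[i + 1] if i + 1 < n else ""
        if c == "\\" and nxt == "$":          # \$  -> literal $
            out.append("$")
            i += 2
        elif c == "$" and nxt == "$":         # $$  -> literal $ (the collapse)
            out.append("$")
            i += 2
        elif c == "$" and nxt == "{":         # ${name} or ${name:default}
            end = value.find("}", i + 2)
            if end == -1:
                raise ValueError("unterminated expression: " + value[i:])
            name, has_default, default = value[i + 2:end].partition(":")
            if name in lookup:
                out.append(lookup[name])
            elif has_default:
                out.append(default)
            else:
                raise KeyError("no value for expression " + value[i:end + 1])
            i = end + 1
        else:                                 # ordinary character, '!' '@' '&' ...
            out.append(c)
            i += 1
    return "".join(out)


def escape_for_config(raw):
    """Escape every '$' so that expand() gives back `raw` unchanged."""
    return raw.replace("$", "\\$")


def survives(raw):
    """True when writing `raw` verbatim into the config yields `raw` again."""
    try:
        return expand(raw) == raw
    except (KeyError, ValueError):
        return False


def check_password(raw):
    """What the JDBC driver would receive if `raw` is written verbatim, and
    the escaped form to use instead when that differs from `raw`."""
    try:
        seen = expand(raw)
    except (KeyError, ValueError):
        seen = None
    ok = seen == raw
    return {"raw": raw, "driver_sees": seen, "ok": ok,
            "escaped": None if ok else escape_for_config(raw)}


if __name__ == "__main__":
    # The two passwords from this thread plus one constructed with !@&? only.
    for pw in ("CTdemo123!", "Akjtl$$5421", "p@ss!&?w0rd"):
        print(check_password(pw))
```

Under these rules Akjtl$$5421 reaches the driver as Akjtl$5421, which is exactly a "login failed" with no other symptom, while CTdemo123! and a value built only from !@&? pass through untouched; the model therefore does not explain aqeelat's report below, only the $$ case. The escaped form the check proposes is the one shawkins gives, Akjtl\$\$5421.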

@shawkins shawkins self-assigned this Dec 1, 2023
shawkins added a commit to shawkins/keycloak that referenced this issue Dec 5, 2023
fix: keycloak#19831

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
ahus1 added a commit that referenced this issue Dec 6, 2023
Closes: #19831

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
@stianst stianst removed this from the Backlog milestone Dec 7, 2023
ShefeeqPM pushed a commit to ShefeeqPM/keycloak that referenced this issue Jan 27, 2024
Closes: keycloak#19831

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
@aqeelat

aqeelat commented Jun 25, 2024

My password does not have $$ but has !@&? spread across it, and I'm having this issue also.
I'm using the bitnami helm chart 21.4.4 with image 24.0.4, so I'm passing the password via an env variable.

keycloak 18:02:28.95 INFO ==> 
keycloak 18:02:28.96 INFO ==> Welcome to the Bitnami keycloak container
keycloak 18:02:28.96 INFO ==> Subscribe to project updates by watching https://github.com/bitnami/containers
keycloak 18:02:28.96 INFO ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
keycloak 18:02:28.96 INFO ==> Upgrade to Tanzu Application Catalog for production environments to access custom-configured and pre-packaged software components. Gain enhanced features, including Software Bill of Materials (SBOM), CVE scan result reports, and VEX documents. To learn more, visit https://bitnami.com/enterprise
keycloak 18:02:28.96 INFO ==> 
keycloak 18:02:28.97 INFO ==> ** Starting keycloak setup **
keycloak 18:02:28.98 INFO ==> Validating settings in KEYCLOAK_* env vars...
keycloak 18:02:29.03 INFO ==> Trying to connect to PostgreSQL server 10.10.0.24...
keycloak 18:02:29.04 INFO ==> Found PostgreSQL server listening at 10.10.0.24:5432
keycloak 18:02:29.05 INFO ==> Configuring database settings
keycloak 18:02:29.08 INFO ==> Enabling statistics
keycloak 18:02:29.09 INFO ==> Enabling health endpoints
keycloak 18:02:29.13 INFO ==> Configuring http settings
keycloak 18:02:29.17 INFO ==> Configuring hostname settings
keycloak 18:02:29.18 INFO ==> Configuring cache count
keycloak 18:02:29.20 INFO ==> Configuring log level
keycloak 18:02:29.25 INFO ==> Configuring proxy

keycloak 18:02:29.26 INFO ==> ** keycloak setup finished! **
keycloak 18:02:29.28 INFO ==> ** Starting keycloak **
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=bitnami-keycloak-headless.default.svc.cluster.local
2024-06-25 18:02:35,365 WARN  [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
	- proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-06-25 18:02:38,261 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-06-25 18:02:40,158 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-06-25 18:02:41,951 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-06-25 18:02:42,038 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: fcb28bda-2bf9-46c9-b994-967fbe211961, name: bitnami-keycloak-0-10097
2024-06-25 18:02:42,055 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57800
2024-06-25 18:02:44,178 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) bitnami-keycloak-0-10097: no members discovered after 2119 ms: creating cluster as coordinator
2024-06-25 18:02:44,250 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [bitnami-keycloak-0-10097|0] (1) [bitnami-keycloak-0-10097]
2024-06-25 18:02:44,843 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `bitnami-keycloak-0-10097`, physical addresses are `[10.60.13.64:7800]`
2024-06-25 18:02:44,938 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-06-25 18:02:49,067 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-06-25 18:02:49,843 WARN  [io.agroal.pool] (agroal-11) Datasource '<default>': FATAL: password authentication failed for user "fathom"
2024-06-25 18:02:49,845 WARN  [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread) HHH000342: Could not obtain connection to query metadata: java.lang.NullPointerException: Cannot invoke "org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(java.sql.SQLException, String)" because the return value of "org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.sqlExceptionHelper()" is null
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doTheWork(JtaIsolationDelegate.java:186)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.lambda$delegateWork$1(JtaIsolationDelegate.java:75)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doInSuspendedTransaction(JtaIsolationDelegate.java:107)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.delegateWork(JtaIsolationDelegate.java:72)
	at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.getJdbcEnvironmentUsingJdbcMetadata(JdbcEnvironmentInitiator.java:276)
	at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:107)
	at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68)
	at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:130)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:238)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
	at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:52)
	at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:136)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:247)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
	at org.hibernate.boot.internal.SessionFactoryOptionsBuilder.<init>(SessionFactoryOptionsBuilder.java:276)
	at io.quarkus.hibernate.orm.runtime.recording.PrevalidatedQuarkusMetadata.buildSessionFactoryOptionsBuilder(PrevalidatedQuarkusMetadata.java:70)
	at io.quarkus.hibernate.orm.runtime.boot.FastBootEntityManagerFactoryBuilder.build(FastBootEntityManagerFactoryBuilder.java:84)
	at io.quarkus.hibernate.orm.runtime.FastBootHibernatePersistenceProvider.createEntityManagerFactory(FastBootHibernatePersistenceProvider.java:72)
	at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:80)
	at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:55)
	at io.quarkus.hibernate.orm.runtime.JPAConfig$LazyPersistenceUnit.get(JPAConfig.java:157)
	at io.quarkus.hibernate.orm.runtime.JPAConfig$1.run(JPAConfig.java:64)
	at java.base/java.lang.Thread.run(Thread.java:840)

2024-06-25 18:02:52,143 WARN  [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-06-25 18:02:52,249 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: bitnami-keycloak-0-10097, Site name: null
2024-06-25 18:02:52,252 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-06-25 18:02:52,346 WARN  [io.agroal.pool] (agroal-11) Datasource '<default>': FATAL: password authentication failed for user "fathom"
2024-06-25 18:02:52,443 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-06-25 18:02:52,543 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2024-06-25 18:02:52,543 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2024-06-25 18:02:52,544 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: FATAL: password authentication failed for user "fathom"
2024-06-25 18:02:52,544 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

9 participants