Removing OpenShift integration and moving to separate extension

closes keycloak#20496

Co-authored-by: mposolda <mposolda@gmail.com>

common/src/main/java/org/keycloak/common/Profile.java

@@ -57,8 +57,6 @@ public enum Feature {
 
         IMPERSONATION("Ability for admins to impersonate users", Type.DEFAULT),
 
-        OPENSHIFT_INTEGRATION("Extension to enable securing OpenShift", Type.PREVIEW),
-
         SCRIPTS("Write custom authenticators using JavaScript", Type.PREVIEW),
 
         TOKEN_EXCHANGE("Token Exchange Service", Type.PREVIEW),

common/src/test/java/org/keycloak/common/ProfileTest.java

@@ -79,7 +79,6 @@ public void checkDefaults() {
             Profile.Feature.RECOVERY_CODES,
             Profile.Feature.SCRIPTS,
             Profile.Feature.TOKEN_EXCHANGE,
-            Profile.Feature.OPENSHIFT_INTEGRATION,
             Profile.Feature.MAP_STORAGE,
             Profile.Feature.DECLARATIVE_USER_PROFILE,
             Profile.Feature.CLIENT_SECRET_ROTATION,
@@ -91,7 +90,7 @@ public void checkDefaults() {
             disabledFeatures.add(Profile.Feature.KERBEROS);
         }
         assertEquals(profile.getDisabledFeatures(), disabledFeatures);
-        assertEquals(profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL);
+        assertEquals(profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL);
     }
 
     @Test

dependencies/server-all/pom.xml

@@ -112,11 +112,6 @@
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-authz-policy-common</artifactId>
         </dependency>
-
-        <dependency>
-            <groupId>com.openshift</groupId>
-            <artifactId>openshift-restclient-java</artifactId>
-        </dependency>
     </dependencies>
 
 </project>

docs/documentation/release_notes/topics/22_0_0.adoc

@@ -55,3 +55,9 @@ For example, let's assume we want to overwrite the https://github.com/keycloak/k
 Installations which use Keycloak's `--proxy` configuration setting with mode *passthrough* should review the documentation as the behavior of this mode has changed.
 
 See the migration guide for more details.
+
+= Removed openshift-integration feature and related providers
+
+The `openshift-integration` preview feature was removed from Keycloak codebase into separate extension project.
+
+See the migration guide for more details.

docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc

@@ -226,3 +226,20 @@ This change is already in our documentation and in our quickstart repository. Fo
 If you cannot migrate your applications to Jakarta, you can still use the "legacy" SAML JEE adapter and still
 be able to integrate with future releases of the server. However, consider upgrading your applications as soon as possible
 because we are no longer providing support to JEE.
+
+= Changes for openshift-integration feature
+
+The preview feature `openshift-integration` was removed from Keycloak codebase and moved into separate extension. This includes
+moving of related providers such as custom client storage provider and token review endpoint for Openshift integration.
+
+If you used this feature, you should not use the `openshift-integration` feature anymore when starting Keycloak server and instead you need to deploy
+the JAR file from custom extension. You can check the https://github.com/keycloak-extensions/keycloak-openshift-ext/[Openshift extension] and the instructions
+in it's README file for how to deploy the extension to your Keycloak server.
+
+= Removing thirdparty dependencies
+
+The removal of openshift-integration allows us to remove few thirdparty dependencies from Keycloak distribution. This includes
+`openshift-rest-client`, `okio-jvm`, `okhttp`, `commons-lang`, `commons-compress`, `jboss-dmr` and `kotlin-stdlib`. This means that if you use
+any of these libraries as dependencies of your own providers deployed to Keycloak server, you may also need to copy those `jar` files
+explicitly to the Keycloak distribution `providers` directory as well.
+

federation/sssd/pom.xml

@@ -84,6 +84,11 @@
             <artifactId>jboss-logging</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
     </dependencies>
 
     <profiles>

misc/keycloak-test-helper/src/main/java/org/keycloak/test/builders/UserBuilder.java

@@ -0,0 +1,206 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ *  and other contributors as indicated by the @author tags.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package org.keycloak.test.builders;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.LinkedList;
+
+import org.keycloak.models.credential.OTPCredentialModel;
+import org.keycloak.models.utils.HmacOTP;
+import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.representations.idm.CredentialRepresentation;
+import org.keycloak.representations.idm.FederatedIdentityRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class UserBuilder {
+
+    private final UserRepresentation rep;
+
+    public static UserBuilder create() {
+        UserRepresentation rep = new UserRepresentation();
+        rep.setEnabled(Boolean.TRUE);
+        return new UserBuilder(rep);
+    }
+
+    public static UserBuilder edit(UserRepresentation rep) {
+        return new UserBuilder(rep);
+    }
+
+    private UserBuilder(UserRepresentation rep) {
+        this.rep = rep;
+    }
+
+    public UserBuilder id(String id) {
+        rep.setId(id);
+        return this;
+    }
+
+    public UserBuilder username(String username) {
+        rep.setUsername(username);
+        return this;
+    }
+
+    public UserBuilder firstName(String firstName) {
+        rep.setFirstName(firstName);
+        return this;
+    }
+
+    public UserBuilder lastName(String lastName) {
+        rep.setLastName(lastName);
+        return this;
+    }
+
+    /**
+     * This method adds additional passwords to the user.
+     */
+    public UserBuilder addPassword(String password) {
+        if (rep.getCredentials() == null) {
+            rep.setCredentials(new LinkedList<>());
+        }
+
+        CredentialRepresentation credential = new CredentialRepresentation();
+        credential.setType(CredentialRepresentation.PASSWORD);
+        credential.setValue(password);
+
+        rep.getCredentials().add(credential);
+        return this;
+    }
+
+    public UserBuilder addAttribute(String name, String... values) {
+        if (rep.getAttributes() == null) {
+            rep.setAttributes(new HashMap<>());
+        }
+
+        rep.getAttributes().put(name, Arrays.asList(values));
+        return this;
+    }
+
+    /**
+     * This method makes sure that there is one single password for the user.
+     */
+    public UserBuilder password(String password) {
+        rep.setCredentials(null);
+        return addPassword(password);
+    }
+
+    public UserBuilder email(String email) {
+        rep.setEmail(email);
+        return this;
+    }
+
+    public UserBuilder emailVerified(boolean emailVerified) {
+        rep.setEmailVerified(emailVerified);
+        return this;
+    }
+
+    public UserBuilder enabled(boolean enabled) {
+        rep.setEnabled(enabled);
+        return this;
+    }
+
+    public UserBuilder addRoles(String... roles) {
+        if (rep.getRealmRoles() == null) {
+            rep.setRealmRoles(new ArrayList<>());
+        }
+        rep.getRealmRoles().addAll(Arrays.asList(roles));
+        return this;
+    }
+
+    public UserBuilder role(String client, String role) {
+        if (rep.getClientRoles() == null) {
+            rep.setClientRoles(new HashMap<>());
+        }
+        if (rep.getClientRoles().get(client) == null) {
+            rep.getClientRoles().put(client, new LinkedList<>());
+        }
+        rep.getClientRoles().get(client).add(role);
+        return this;
+    }
+
+    public UserBuilder requiredAction(String requiredAction) {
+        if (rep.getRequiredActions() == null) {
+            rep.setRequiredActions(new LinkedList<>());
+        }
+        rep.getRequiredActions().add(requiredAction);
+        return this;
+    }
+
+    public UserBuilder serviceAccountId(String serviceAccountId) {
+        rep.setServiceAccountClientId(serviceAccountId);
+        return this;
+    }
+
+    public UserBuilder secret(CredentialRepresentation credential) {
+        if (rep.getCredentials() == null) {
+            rep.setCredentials(new LinkedList<>());
+        }
+
+        rep.getCredentials().add(credential);
+        rep.setTotp(true);
+        return this;
+    }
+
+    public UserBuilder totpSecret(String totpSecret) {
+        CredentialRepresentation credential = ModelToRepresentation.toRepresentation(
+                OTPCredentialModel.createTOTP(totpSecret, 6, 30, HmacOTP.HMAC_SHA1));
+        return secret(credential);
+    }
+
+    public UserBuilder hotpSecret(String hotpSecret) {
+        CredentialRepresentation credential = ModelToRepresentation.toRepresentation(
+                OTPCredentialModel.createHOTP(hotpSecret, 6, 0, HmacOTP.HMAC_SHA1));
+        return secret(credential);
+    }
+
+    public UserBuilder otpEnabled() {
+        rep.setTotp(Boolean.TRUE);
+        return this;
+    }
+
+    public UserBuilder addGroups(String... group) {
+        if (rep.getGroups() == null) {
+            rep.setGroups(new ArrayList<>());
+        }
+        rep.getGroups().addAll(Arrays.asList(group));
+        return this;
+    }
+
+    public UserBuilder federatedLink(String identityProvider, String federatedUserId) {
+        if (rep.getFederatedIdentities() == null) {
+            rep.setFederatedIdentities(new LinkedList<>());
+        }
+        FederatedIdentityRepresentation federatedIdentity = new FederatedIdentityRepresentation();
+        federatedIdentity.setUserId(federatedUserId);
+        federatedIdentity.setUserName(rep.getUsername());
+        federatedIdentity.setIdentityProvider(identityProvider);
+
+        rep.getFederatedIdentities().add(federatedIdentity);
+        return this;
+    }
+
+    public UserRepresentation build() {
+        return rep;
+    }
+}

model/legacy-services/pom.xml

@@ -43,10 +43,6 @@
             <artifactId>hamcrest</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.openshift</groupId>
-            <artifactId>openshift-restclient-java</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>resteasy-core</artifactId>