Encryption key validation #3
Conversation
DT-696 Fix duplicated index for Postgres
| @@ -8,7 +8,7 @@ WORKDIR /app | |||
| COPY pom.xml . | |||
| RUN mvn verify --fail-never -Dkeycloak.version=$KEYCLOAK_VERSION | |||
| COPY src ./src | |||
| RUN mvn package -o -Dkeycloak.version=$KEYCLOAK_VERSION | |||
There was a problem hiding this comment.
Was there a reason to have the offline parameter?
There was a problem hiding this comment.
Yes, the reason being the mvn command is splitted into two to optimize Docker builds. The mvn verify after COPY pom.xml will first download all dependencies as defined by the pom.xml. The mvn package -o after the COPY src ./src will compile the source code using the dependencies already downloaded by mvn verify. Without the offline parameter, maven somehow still attempts to check and re-download dependencies even though the dependencies are all there.
With Docker build automatically re-uses the caches if no files have changed, we don't want to re-download dependencies when we just modify files inside the src folder.
So, yes the offline flag is very intentionally added to optimize Docker builds. Please revert.
There was a problem hiding this comment.
In a535479 i moved the tests to be ran together with verify and skipped them in the package step. This because tests required some more packages to be downloaded.
I also removed the --fail-never in verify because we don't want failed tests to be ignored, you agree? The question is why do we have that in verify.. ?
There was a problem hiding this comment.
The unit tests require the src folder, don't they? If so, then they cannot be run with the mvn verify command because at that point only pom.xml is copied over into the Docker build layer. Only after the COPY src ./src command that the src folder is available inside the layer for the unit tests to execute.
Whatever packages needed by the unit tests are declared inside pom.xml so I think mvn verify should already download the packages. If it doesn't then maybe we need to tweak the mvn verify parameters to also download <scope>test</scope>
Here was basically my original intention:
- Add
pom.xmlinto Docker build layer - Download dependencies declared in the
pom.xmlincluding any plugins needed for packaging - Add the rest of the source code inside
srcfolder - Do the actual packaging into JAR
This way, if I don't change anything inside pom.xml then Docker build engine will not need to perform step 1 & 2 and thus saving a lot of time by re-using the Docker build caches, skipping the re-download of dependencies.
|
Sorry for not discussing this earlier, but we need this check, especially with the addition of unit tests. It's up to you if you think it will be useful :) |
Added a key validation check on "startup", eliminating the risk of having an invalid key and silently failing encryption. Encryption functions ignore errors, potentially leaving data unencrypted.
ianaz
force-pushed
the
encryption-key-validation
branch
from
009a883 to
7b4549e
Compare
Changes - Add the release GitHub workflow to be referenced from a Dockerfile.
|
Dear @ianaz, thank you for this pull request. Before I can accept & merge this, can you please make a few changes in pom.xml <dependency>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.5.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.maven.surefire</groupId>
<artifactId>surefire-junit-platform</artifactId>
<version>3.5.2</version>
<scope>test</scope>
</dependency>Dockerfile COPY pom.xml .
RUN mvn verify -B -Dkeycloak.version=$KEYCLOAK_VERSION
COPY src ./src
RUN mvn test package -B -Dkeycloak.version=$KEYCLOAK_VERSIONThese changes effectively do the following:
|
Thanks for the changes! Done in 3d037b4 |
Added a key validation check on "startup", eliminating the risk of having an invalid key and silently failing encryption. Encryption functions ignore errors, potentially leaving data unencrypted.