Special characters in --db-password option

[ajaiswal595]

Before reporting an issue

• I have searched existing issues
• I have reproduced the issue with the latest release

Area

core

Describe the bug

If i'm trying with some other application to same database i'm able to connect to SQL server , infact if i use the Driver to test connection i'm able to do that.

But when I'm using running Keycloak it fails to connect and throws the error.

2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Login failed for user 'keycloak-user'. ClientConnectionId:b3662e81-673b-4b0e-a2fc-906f8548e325
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option.

Version

20.0.3

Expected behavior

It should be able to connect

Actual behavior

2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Login failed for user 'keycloak-user'. ClientConnectionId:b3662e81-673b-4b0e-a2fc-906f8548e325
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option.

How to Reproduce?

Try to connect sql server with named instance which is running in remote machine.

Anything else?

Please fix asap , I'm blocked with it.

[ajaiswal595]

@stianst @pedroigor @sschu

I have identified the root cause.

If the password contains some special char like ! $ @ and we pass it to the command then it's fails to start.

kc.bat start --https-key-store-file=E:\keystore.ks --https-key-store-password=password --https-trust-store-file=E:\truststore.ks --https-trust-store-password=password --db=mssql --transaction-xa-enabled=false --db-url="jdbc:sqlserver://localhost:1433;databaseName=Keycloak;encrypt=false" --db-username=keycloak-user --db-password=CTdemo123! --http-enabled=true --http-port=7777 --https-port=7778--hostname-strict=false --http-relative-path=/auth --log-le
vel=INFO --log="console,file" --log-file=../data/log/server.log --hostname-strict-https=false --spi-theme-welcome-theme=mythem

Could you please confirm it and let me know the quick fix as it's a blocker?

[sschu]

@ajaiswal595 I guess the quick fix is to set the password as an environment variable. It is the better way anyways as otherwise your password is visible in the process list.

[ajaiswal595]

@sschu You are right but this is also a vulnerability if we store passwords in Envrionment Variable.

Did you come up with any vault yet for the Keyclaok Quarkus ?

[sschu]

@ajaiswal595 It is still way more secure using environment variables than passing a secret vie commandline args as they are just readable by everybody. The best way for now would be to pass secrets in a file.
I have seen some activity around vault implementation here: #19644

[ajaiswal595]

@sschu @pedroigor @stianst

I choose to put the password into keycloak/conf/keycloak.conf file. It works for the password CTdemo123! as we can see in an earlier discussion.

But it is failing for the password Akjtl$$5421

Can you suggest how to resolve this issue or if any fix is available please let me know ASAP It's a blocker for me.

[pedroigor]

@ajaiswal595 So this issue is mainly about the server failing to parse option values (in this case the database password) depending on the characters they have?

[ajaiswal595]

Yes TRUE

Server is not able to parse the password also we may need to check for keystore and truststore password.

[sschu]

I can confirm this happens if the password contains two $. With only one $, everything works. For now I would suggest to pick a password without two dollar signs.

[hmlnarik]

Removing storage and putting to quarkus area since the issue is in passing the correct password from the commandline / properties.

[andre-nascimento6791]

Hello, @ajaiswal595 ,

We are investigating the aforementioned problem that happens when the password contains a double $ character.

The Good News are: The Keycloak Vault in File and Keystore feature is on the way! Check the issue #19644 .

Thanks.

[andre-nascimento6791]

Hello, @ajaiswal595 ,

Sorry for the inconvenience, but due to the need to work on other issues with higher priority in order to release version 22, we're gonna moving this issue to Backlog to be re-evaluated after the mentioned event.

Thanks for the comprehension.

[shawkins]

@andre-nascimento6791 @sschu the cli issue should have been resolved with #22585. The remaining issue with double dollar sign is more of smallrye problem. $ is an expression character, and $$ is used internally to escape it - in this case $$ is being mistaken for that escaping. So insead of the value Akjtl$$5421, some additional escaping is needed Akjtl\$\$5421.

A case could be made that the handling of $$ here is incorrect - that's due to the logic in smallrye's ExpressionConfigSourceInterceptor, which doesn't account for the possibility of $$ natually appearing in the value.

I think this issue could be resolved on the keycloak side with additional documentation and a smallrye issue (smallrye/smallrye-config#1056) to clarify $$ handling.

[aqeelat]

My password does not have $$ but has !@&? spread across, and I'm having this issue also.
I'm using the bitnami helm chart 21.4.4 with image 24.0.4 so I'm passing the password via an env variable.

keycloak 18:02:28.95 INFO ==> 
keycloak 18:02:28.96 INFO ==> Welcome to the Bitnami keycloak container
keycloak 18:02:28.96 INFO ==> Subscribe to project updates by watching https://github.com/bitnami/containers
keycloak 18:02:28.96 INFO ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
keycloak 18:02:28.96 INFO ==> Upgrade to Tanzu Application Catalog for production environments to access custom-configured and pre-packaged software components. Gain enhanced features, including Software Bill of Materials (SBOM), CVE scan result reports, and VEX documents. To learn more, visit https://bitnami.com/enterprise
keycloak 18:02:28.96 INFO ==> 
keycloak 18:02:28.97 INFO ==> ** Starting keycloak setup **
keycloak 18:02:28.98 INFO ==> Validating settings in KEYCLOAK_* env vars...
keycloak 18:02:29.03 INFO ==> Trying to connect to PostgreSQL server 10.10.0.24...
keycloak 18:02:29.04 INFO ==> Found PostgreSQL server listening at 10.10.0.24:5432
keycloak 18:02:29.05 INFO ==> Configuring database settings
keycloak 18:02:29.08 INFO ==> Enabling statistics
keycloak 18:02:29.09 INFO ==> Enabling health endpoints
keycloak 18:02:29.13 INFO ==> Configuring http settings
keycloak 18:02:29.17 INFO ==> Configuring hostname settings
keycloak 18:02:29.18 INFO ==> Configuring cache count
keycloak 18:02:29.20 INFO ==> Configuring log level
keycloak 18:02:29.25 INFO ==> Configuring proxy

keycloak 18:02:29.26 INFO ==> ** keycloak setup finished! **
keycloak 18:02:29.28 INFO ==> ** Starting keycloak **
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=bitnami-keycloak-headless.default.svc.cluster.local
2024-06-25 18:02:35,365 WARN  [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
	- proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-06-25 18:02:38,261 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-06-25 18:02:40,158 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-06-25 18:02:41,951 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-06-25 18:02:42,038 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: fcb28bda-2bf9-46c9-b994-967fbe211961, name: bitnami-keycloak-0-10097
2024-06-25 18:02:42,055 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57800
2024-06-25 18:02:44,178 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) bitnami-keycloak-0-10097: no members discovered after 2119 ms: creating cluster as coordinator
2024-06-25 18:02:44,250 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [bitnami-keycloak-0-10097|0] (1) [bitnami-keycloak-0-10097]
2024-06-25 18:02:44,843 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `bitnami-keycloak-0-10097`, physical addresses are `[10.60.13.64:7800]`
2024-06-25 18:02:44,938 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-06-25 18:02:49,067 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-06-25 18:02:49,843 WARN  [io.agroal.pool] (agroal-11) Datasource '<default>': FATAL: password authentication failed for user "fathom"
2024-06-25 18:02:49,845 WARN  [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread) HHH000342: Could not obtain connection to query metadata: java.lang.NullPointerException: Cannot invoke "org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(java.sql.SQLException, String)" because the return value of "org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.sqlExceptionHelper()" is null
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doTheWork(JtaIsolationDelegate.java:186)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.lambda$delegateWork$1(JtaIsolationDelegate.java:75)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.doInSuspendedTransaction(JtaIsolationDelegate.java:107)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaIsolationDelegate.delegateWork(JtaIsolationDelegate.java:72)
	at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.getJdbcEnvironmentUsingJdbcMetadata(JdbcEnvironmentInitiator.java:276)
	at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:107)
	at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68)
	at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:130)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:238)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
	at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:52)
	at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:136)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:247)
	at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:215)
	at org.hibernate.boot.internal.SessionFactoryOptionsBuilder.<init>(SessionFactoryOptionsBuilder.java:276)
	at io.quarkus.hibernate.orm.runtime.recording.PrevalidatedQuarkusMetadata.buildSessionFactoryOptionsBuilder(PrevalidatedQuarkusMetadata.java:70)
	at io.quarkus.hibernate.orm.runtime.boot.FastBootEntityManagerFactoryBuilder.build(FastBootEntityManagerFactoryBuilder.java:84)
	at io.quarkus.hibernate.orm.runtime.FastBootHibernatePersistenceProvider.createEntityManagerFactory(FastBootHibernatePersistenceProvider.java:72)
	at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:80)
	at jakarta.persistence.Persistence.createEntityManagerFactory(Persistence.java:55)
	at io.quarkus.hibernate.orm.runtime.JPAConfig$LazyPersistenceUnit.get(JPAConfig.java:157)
	at io.quarkus.hibernate.orm.runtime.JPAConfig$1.run(JPAConfig.java:64)
	at java.base/java.lang.Thread.run(Thread.java:840)

2024-06-25 18:02:52,143 WARN  [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-06-25 18:02:52,249 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: bitnami-keycloak-0-10097, Site name: null
2024-06-25 18:02:52,252 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-06-25 18:02:52,346 WARN  [io.agroal.pool] (agroal-11) Datasource '<default>': FATAL: password authentication failed for user "fathom"
2024-06-25 18:02:52,443 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-06-25 18:02:52,543 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2024-06-25 18:02:52,543 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2024-06-25 18:02:52,544 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: FATAL: password authentication failed for user "fathom"
2024-06-25 18:02:52,544 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.