[sync] Diff libraries
by Corinne Krych
Hello Ladies and Gentlemen,
I was looking for some diff/patch libraries to get differences between 2 objects (either JSON format or map/array format), ideally in iOS (with podspec) or in C/C++, to plug into custom conflict management in your sync demo app, like Luke did using jsondiffpatch in JS [1].
For comparing text there is the google-diff-match-patch [2] lib, which is implemented in several languages and formats (including iOS).
But I couldn’t find a jsondiff-like lib for iOS… I’m asking my favourite oracle (i.e. the mailing list) to see if I get luckier.
++
Corinne
[1] https://github.com/benjamine/JsonDiffPatch
[2] https://github.com/JanX2/google-diff-match-patch
10 years, 10 months
Question around encryption for iOS push certificate passphrase
by Matthias Wessendorf
Hello,
I started to take a quick look at [1], for a better encryption of the
passphrase for all the iOS variants (stored as plaintext ATM). For that I
started looking at our neat Pbkdf2 class, from AeroGear-Crypto.
The idea is to store both: the encrypted password + the salt in the
database, instead of the plaintext version of the password/passphrase.
Something like here:
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wes...
This works fine on things like logins:
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wes...
However, I am afraid it does not work for the iOS passphrase, required to
connect to Apple - looks like the library we use requires it in plain
text... (due to Apple? Not sure...)
https://github.com/notnoop/java-apns/blob/master/src/main/java/com/notnoo...
BTW. here is the relevant usage inside of our UnifiedPush Server:
https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/serve...
I am now wondering if there is something we can do for [1], in the long
run, not now?
I see the 'java-apns API' supports passing in a java.security.Keystore, but
unfortunately I am not sure if there is an impl. of that which is able to
deal w/ encrypted passwords or if something like that might even work at
all :-/
Greetings,
Matthias
[1] https://issues.jboss.org/browse/AGPUSH-358
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
10 years, 10 months
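The distinction raised in the message above, as an added example that is not code from AeroGear-Crypto, the UnifiedPush Server or java-apns: a salted PBKDF2 hash is enough to verify a login but cannot give the passphrase back, so a value that must be handed over in plain text needs reversible encryption. The class name, the master secret kept outside the database, the row layout and the iteration count are all assumptions made for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example, not AeroGear or java-apns code. All names here are hypothetical.
public class PassphraseAtRest {
    static final SecureRandom RNG = new SecureRandom();
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // PBKDF2 stretches a secret plus salt into 256 bits of key material.
    static byte[] pbkdf2(char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Login case: store salt + hash, re-derive and compare. The password is never recovered.
    static boolean verifyLogin(char[] attempt, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(pbkdf2(attempt, salt), storedHash);
    }

    static Cipher aes(int mode, char[] master, byte[] salt, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(pbkdf2(master, salt), "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    // Certificate passphrase case: the value must come back out, so encrypt it reversibly.
    // Row layout (constructed for this example): salt(16) || iv(12) || ciphertext+tag.
    static byte[] seal(char[] master, String passphrase) throws Exception {
        byte[] salt = random(16), iv = random(12);
        byte[] ct = aes(Cipher.ENCRYPT_MODE, master, salt, iv).doFinal(passphrase.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(28 + ct.length).put(salt).put(iv).put(ct).array();
    }

    static char[] open(char[] master, byte[] row) throws Exception {
        byte[] salt = Arrays.copyOfRange(row, 0, 16), iv = Arrays.copyOfRange(row, 16, 28);
        byte[] pt = aes(Cipher.DECRYPT_MODE, master, salt, iv).doFinal(row, 28, row.length - 28);
        return new String(pt, StandardCharsets.UTF_8).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        char[] master = "constructed-master-secret".toCharArray(); // assumption: supplied outside the DB
        byte[] salt = random(16), hash = pbkdf2("constructed-login".toCharArray(), salt);
        System.out.println("login ok: " + verifyLogin("constructed-login".toCharArray(), salt, hash));
        byte[] row = seal(master, "constructed-p12-passphrase");
        System.out.println("recovered: " + new String(open(master, row)));
    }
}
```

The `char[]` returned by `open` is the form `java.security.KeyStore.load(InputStream, char[])` takes; the database then holds only the sealed row, and the protection is only as strong as the handling of the master secret.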
Re: [aerogear-dev] [keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
by Karel Piwko
On Tue, 04 Feb 2014 13:51:37 -0500
Bill Burke <bburke(a)redhat.com> wrote:
>
>
> On 2/4/2014 12:13 PM, Karel Piwko wrote:
> > Hey,
> >
> > I've combined Aerogear UPS and Keycloak cartridges together. You can check
> > the results at:
> >
> > https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> > https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> >
> > For keycloak, I have used original cart [1]:
> >
> > $ rhc app create -g small --no-git keycloak
> > https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
> >
> > For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
> > [3]:
Given your comments, I'll modify setup to have (primarily) single cart option.
Should I keep two carts setup? It at least seems as a good QE test case ;-)
Note, I will either have to wait for WF8 Final (due to Hibernate bug in CR1) or
base cart on AS7.
> >
> > $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> > 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-o...'
> >
> > There are some gotchas though:
> >
> > * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
> > We still need a way how to pass keycloak.json to UPS cartridge, which is AS7
> > and we can't ask user to modify standalone.xml anyway. However, we could
> > make a hook on OpenShift - user will add keycloak.json to git repo and it
> > will automagically put at right location. Could we have a hook in Keycloak
> > to load keycloak.json from external location? Or should we rather do some
> > war exploding magic?
>
> I need to go through Stan's work. I want to be able to configure the
> subsystem from the keycloak admin console without having to create a
> keycloak.json file. I just don't know yet if the subsystem will work on
> AS7.
This will work for app and Keycloak being deployed on a single server. It does
not solve SaaS scenario - keycloak admin console can configure subsystem of
current WF(AS) only. Keycloak would need to manage subsystem of a remote WF - I
doubt this would ever be possible with AS7 on OpenShift and I think security
concerns of such setup are not even allowing this on WF8.
>
>
> > * AS7-3227 I worked this around by doing parameter injection for
> > SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> > Keycloak package for AS7? Any better option?
>
> This is an UPS issue right? Keycloak WAR bundles its own Resteasy and
> excludes built in one.
Well, it is either keycloak packaging issue or documentation issue (or problem
here in Brno in between chair and keyboard). I've added
keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
Keycloak WAR. IIRC this was setup pre alpha-1.
>
> > * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
> > However, as it goes through Keycloak Auth Server, this is considered CORS
> > request. I had to configure Web Origin for UPS application. This is
> > confusing to me, Origin header should be transparent for Keycloak as I'm
> > firing request to the same domain. Note this does not happen in Firefox,
> > which identifies same domain and avoids Origin header. I need some
> > insight here from more skilled people.
>
> JIRA for this one. I've only tested/experimented with CORS on Firefox.
https://issues.jboss.org/browse/KEYCLOAK-281
>
> > * I wasn't able to keep http->https rewriting valve with Keycloak to avoid
> > UPS usage via http protocol. I'll go deeper into that.
> > * Changes to Web Origin in Keycloak admin UI are not reflected to already
> > logged users. They need to log out first.
>
> We can't fix this. But it will be mitigated when we add refresh tokens.
> We'll have a short token lifespan that needs to be refreshed. The
> refresh will pick up the changes.
>
Sounds good.
> > More detailed steps:
> >
> > 1/ Create Keycloak cart
> > 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> > 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
> > location
>
>
> Couldn't the cartridge come with a pre-configured keycloak database? We
> also have a realm import option, but we haven't documented the json
> format yet. Also there's the admin REST interface you could use to
> create the realm/application/roles etc.
If I'm able to get public key via admin REST interface, it should be possible
to preconfigure that. Setup will be complicated but possible with
Keycloak subsystem. Having realm import json format documentation will
definitely help here.
>
>
> > 4/ Get keycloak.json
> > 5/ Enable CORS in keycloak.json, modify password
> > 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> > 7/ Package UPS via 'mvn clean package'
> > 8/ Put war into
> > openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
>
> This may be able to be done from the keycloak console.
Right, but not in SaaS scenario, only if app and Keycloak run on same instance.
>
> > 9/ Push that online
> > 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> > master), enable mysql-5.1 gear as well
> > 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
> > 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
> >
>
> :)
>
10 years, 10 months
Re: [aerogear-dev] [keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
by Karel Piwko
On Tue, 04 Feb 2014 13:51:37 -0500
Bill Burke <bburke(a)redhat.com> wrote:
>
>
> On 2/4/2014 12:13 PM, Karel Piwko wrote:
> > Hey,
> >
> > I've combined Aerogear UPS and Keycloak cartridges together. You can check
> > the results at:
> >
> > https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> > https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> >
> > For keycloak, I have used original cart [1]:
> >
> > $ rhc app create -g small --no-git keycloak
> > https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
> >
> > For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
> > [3]:
Given your comments, I'll modify setup to have (primarily) single cart option.
Should I keep two carts setup? It at least seems as a good QE test case ;-)
Note, I will either have to wait for WF8 Final (due to Hibernate bug in CR1) or
base it on AS7.
> >
> > $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> > 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-o...'
> >
> > There are some gotchas though:
> >
> > * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
> > We still need a way how to pass keycloak.json to UPS cartridge, which is AS7
> > and we can't ask user to modify standalone.xml anyway. However, we could
> > make a hook on OpenShift - user will add keycloak.json to git repo and it
> > will automagically put at right location. Could we have a hook in Keycloak
> > to load keycloak.json from external location? Or should we rather do some
> > war exploding magic?
>
> I need to go through Stan's work. I want to be able to configure the
> subsystem from the keycloak admin console without having to create a
> keycloak.json file. I just don't know yet if the subsystem will work on
> AS7.
This will work for app and Keycloak being deployed on a single server. It does
not solve SaaS scenario - keycloak admin console can configure subsystem of
current AS/WF only. Keycloak would need to manage subsystem of remote WF - I
doubt this would ever be possible with AS7 on OpenShift and I think security
concerns of such setup are not
>
>
> > * AS7-3227 I worked this around by doing parameter injection for
> > SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> > Keycloak package for AS7? Any better option?
>
> This is an UPS issue right? Keycloak WAR bundles its own Resteasy and
> excludes built in one.
Well, it is either keycloak packaging issue or documentation issue (or problem
here in Brno in between chair and keyboard). I've added
keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
Keycloak WAR. IIRC this was setup pre alpha-1.
>
> > * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
> > However, as it goes through Keycloak Auth Server, this is considered CORS
> > request. I had to configure Web Origin for UPS application. This is
> > confusing to me, Origin header should be transparent for Keycloak as I'm
> > firing request to the same domain. Note this does not happen in Firefox,
> > which identifies same domain and avoids Origin header. I need some
> > insight here from more skilled people.
>
> JIRA for this one. I've only tested/experimented with CORS on Firefox.
https://issues.jboss.org/browse/KEYCLOAK-233
>
> > * I wasn't able to keep http->https rewriting valve with Keycloak to avoid
> > UPS usage via http protocol. I'll go deeper into that.
> > * Changes to Web Origin in Keycloak admin UI are not reflected to already
> > logged users. They need to log out first.
>
> We can't fix this. But it will be mitigated when we add refresh tokens.
> We'll have a short token lifespan that needs to be refreshed. The
> refresh will pick up the changes.
>
Sounds good.
> > More detailed steps:
> >
> > 1/ Create Keycloak cart
> > 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> > 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
> > location
>
>
> Couldn't the cartridge come with a pre-configured keycloak database? We
> also have a realm import option, but we haven't documented the json
> format yet. Also there's the admin REST interface you could use to
> create the realm/application/roles etc.
If I'm able to get public key via admin REST interface, it should be possible
to preconfigure that. Setup will be complicated but possible with
Keycloak subsystem. Having realm import json format documentation will
definitely help here.
>
>
> > 4/ Get keycloak.json
> > 5/ Enable CORS in keycloak.json, modify password
> > 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> > 7/ Package UPS via 'mvn clean package'
> > 8/ Put war into
> > openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
>
> This may be able to be done from the keycloak console.
Right, but not in SaaS scenario, only if app and Keycloak run on same instance.
>
> > 9/ Push that online
> > 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> > master), enable mysql-5.1 gear as well
> > 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
> > 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
> >
>
> :)
>
10 years, 10 months
Aerogear UPS + Keycloak cartridge combined together POC
by Karel Piwko
Hey,
I've combined Aerogear UPS and Keycloak cartridges together. You can check the
results at:
https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
https://keycloak-mobileqa.rhcloud.com/ (admin/password)
For keycloak, I have used original cart [1]:
$ rhc app create -g small --no-git keycloak
https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
[3]:
$ rhc app create -g small --no-git agpushkeycloak mysql-5.1
'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-o...'
There are some gotchas though:
* keycloak.json - I'm not sure how this will be addressed by WF subsystem. We
still need a way how to pass keycloak.json to UPS cartridge, which is AS7
and we can't ask user to modify standalone.xml anyway. However, we could make
a hook on OpenShift - user will add keycloak.json to git repo and it will
automagically put at right location. Could we have a hook in Keycloak to
load keycloak.json from external location? Or should we rather do some war
exploding magic?
* AS7-3227 I worked this around by doing parameter injection for
SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak
package for AS7? Any better option?
* Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
However, as it goes through Keycloak Auth Server, this is considered CORS
request. I had to configure Web Origin for UPS application. This is
confusing to me, Origin header should be transparent for Keycloak as I'm
firing request to the same domain. Note this does not happen in Firefox,
which identifies same domain and avoids Origin header. I need some insight
here from more skilled people.
* I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS
usage via http protocol. I'll go deeper into that.
* Changes to Web Origin in Keycloak admin UI are not reflected to already logged
users. They need to log out first.
* Missing logout button in UPS. Related to previous point.
Let me know if you want me to convert some of these points to JIRAs in AGPUSH
or KEYCLOAK projects. Also, please let me know if I should have configured
something differently.
Thanks,
Karel
[1] https://github.com/stianst/openshift-keycloak-cartridge
[2]
https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/k...
[3]
https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-opens...
More detailed steps:
1/ Create Keycloak cart
2/ Add AeroGear-UnifiedPush realm with roles admin, user
3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
location
4/ Get keycloak.json
5/ Enable CORS in keycloak.json, modify password
6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
7/ Package UPS via 'mvn clean package'
8/ Put war into
openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
9/ Push that online
10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
master), enable mysql-5.1 gear as well
11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
10 years, 10 months
Mutable vs Immutable for AGMemoryStore and AGPropertyStore
by Corinne Krych
Hello Guys,
Using AGPropertyListStorage in the Xmas app [1], I ran into this interesting issue:
In the app I retrieve an NSArray of NSMutableDictionary, I get a mutable copy of the NSArray and I save encrypted data in it.
I decrypt some of the data in memory BUT I actually don't want those to be saved decrypted into permanent storage.
And then let's say I add some more data with an encrypted value, then I save this data to my AGPropertyListStorage. Just this one.
But surprise, if I look in my permanent storage, I see my new data encrypted but the other data I decrypted in memory were saved decrypted.
What happened?
In one word: shallow mutable copy of NSArray.
My mutable array still points to the original NSMutableDictionary and when saving one item to permanent storage the whole memory is dumped into the plist, resulting in the decrypted value being stored.
How did I fix it?
Using a deep mutable copy, see [2].
In AGMemoryStorage (and its inherited AGPropertyListStorage) we use NSMutableDictionary because you can save item (represented as Key/Value with NSMutableDictionary) without id, the store will take care of generating this id and assign it back into the item.
Even the AGMemoryStorage which returns an NSArray of NSMutableDictionary is misleading because you can actually do
NSArray *myArray = [store readAll];
and then modify the content of the memory storage without using save.
That experience brings up the topic of whether it's a good practice to use mutable objects.
Options
- option1: stick to immutable objects within the AGStore and let the save method return an immutable NSDictionary containing the item
- option2: leave it as it is, responsibility of the user to do a deep copy
- others ?
Personal preference goes for option1, which I found less confusing.
++
Corinne
[1] https://github.com/corinnekrych/aerogear-ios-cookbook/blob/master/Xmas/Xm...
[2] https://github.com/corinnekrych/aerogear-ios-cookbook/blob/master/Xmas/Xm...
10 years, 10 months
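The aliasing described in the message above, modelled in Java as an added example; it is not AeroGear code and not the Objective-C from the Xmas app. The `Store` class, its `persisted` field standing in for the plist, and the toy `decrypt` transform are hypothetical and exist only to show why a shallow copy leaks the decrypted value on the next save while a deep copy does not.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example: a Java model of the shallow-copy leak, not AeroGear code.
public class ShallowCopyLeak {
    // Hypothetical stand-in for a memory-backed store that persists everything on save.
    static class Store {
        final List<Map<String, String>> memory = new ArrayList<>();
        List<Map<String, String>> persisted = new ArrayList<>(); // models the plist on disk

        // Returns the live internal list, as the message says the real store effectively does.
        List<Map<String, String>> readAll() { return memory; }

        void save(Map<String, String> item) {
            memory.add(item);
            persisted = deepCopy(memory); // the whole memory is dumped, not just 'item'
        }
    }

    static List<Map<String, String>> deepCopy(List<Map<String, String>> src) {
        List<Map<String, String>> out = new ArrayList<>();
        for (Map<String, String> m : src) out.add(new HashMap<>(m)); // copy each dictionary too
        return out;
    }

    // Toy reversible transform standing in for real decryption (constructed sample data).
    static String decrypt(String v) { return v.replace("enc:", ""); }

    static String run(boolean deep) {
        Store store = new Store();
        Map<String, String> first = new HashMap<>();
        first.put("gift", "enc:bicycle");
        store.save(first);

        // Shallow: new list, same dictionaries. Deep: new list and new dictionaries.
        List<Map<String, String>> working = deep
                ? deepCopy(store.readAll())
                : new ArrayList<Map<String, String>>(store.readAll());
        working.get(0).put("gift", decrypt(working.get(0).get("gift"))); // decrypt for display only

        Map<String, String> second = new HashMap<>();
        second.put("gift", "enc:scarf");
        store.save(second); // saving one new item rewrites everything held in memory
        return store.persisted.get(0).get("gift");
    }

    public static void main(String[] args) {
        System.out.println("shallow copy persisted: " + run(false));
        System.out.println("deep copy persisted:    " + run(true));
    }
}
```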