Sharing Contributions with ForgeRock via Git Subtree part 2

In my previous post we used Git's subtree feature to pull an existing subdirectory out of a larger maven project and push it to a third party repository for contributing just that subdirectory and below to open source. In today's post we'll see how to tie that subtree to that external repository, make some changes, and selectively push those changes up as well among a few other things.

Replacing with the Now External Source

Currently we have made our subdirectory into a subtree and used a branch to push just its contents and nested directories and resources out. But those contents are still there and not yet tied to the external location that will be the source going forward. Our first step is to remove the existing items.

Back in the root of our main project directory we remove the original directory and correspondingly its subtree to get rid of the original items. Then we commit those changes without pushing. That leaves us one commit ahead of origin/master, the remote on-premise repo. That is an important point to remember.

git rm -r openam-authentication/openam-auth-radius
git commit -m "remove openam-auth-radius to replace with subtree"

Then we define a new remote for referring to the external repository and create a new subtree with that remote as its source. The --squash parameter  means that we only get one commit added to our history indicating the update to the subtree from the repo.

git remote add 
  ext-radius https://github.com/...<fill-in-your-repo>

git subtree add --prefix=openam-authentication/openam-auth-radius 
  --squash ext-radius master

When I did this I ran into the following error on that second command:

prefix 'openam-authentication/openam-auth-radius' already exists.

The directory was still there. Only the Git tracked resources were removed. There was still a target directory left over from the last time I did a build and its contents were still sitting in there. So I used rm -rf to remove the directory completely. Running that second command again resulted in this output from Git:

git fetch ext-radius master
From https://github.com/...<fill-in-your-repo>
 * branch            master     -> FETCH_HEAD
 * [new branch]      master     -> ext-radius/master
Added dir 'openam-authentication/openam-auth-radius'

Interestingly, if we run git status at this point we are now three commits ahead of origin master. Running git log shows those three commits at the top. The second commit holds the link to the current commit of the external upstream repo. That highlighted commit matches the most recent commit in the repo.

commit ee4b098ad60e55f419789a82a0dc80bd949a3609
Merge: 0ae47a3 ceef534
Author: Mark R. Boyd <boydmr@ldschurch.org>
Date:   Thu Feb 26 10:36:10 2015 -0700

    Merge commit 'ceef534cae7ff8cba41a204867b03766d4422c4b' as 'openam-authentication/openam-auth-radius'

commit ceef534cae7ff8cba41a204867b03766d4422c4b
Author: Mark R. Boyd <boydmr@ldschurch.org>
Date:   Thu Feb 26 10:36:10 2015 -0700

    Squashed 'openam-authentication/openam-auth-radius/' content from commit 2c46086

    git-subtree-dir: openam-authentication/openam-auth-radius
    git-subtree-split: 2c4608649741ce14ce09e21bd766681bf6d219f3

commit 0ae47a3f1f64238ab95883cf9ba22dd01c85911b
Author: Mark R. Boyd <boydmr@ldschurch.org>
Date:   Thu Feb 26 10:28:30 2015 -0700

    removed openam-auth-radius to replace with subtree

If I now look in the openam-auth-radius directory I see my files have been restored. But at this point the files from that directory on down are associated with the upstream external repo. Now lets push to our internal repo shared by the team. In the root of the project I run:

git push

Impact on Other Team Members?

So how do other members of my team see these changes? To simulate another team member I'll clone our on-prem openam repo into another directory, openam2, and then run a maven build:

cd ..
mkdir openam2
git clone https://BoydMR@...<internal repo path> openam2
cd openam2
mvn clean install

Everything builds just as it always has. And why wouldn't it? If you look in the openam-authentication/openam-auth-radius directory the source code is there in contrast with Git submodules whose source isn't in the repo but must be pulled by each user separately. With subtrees the source is in our repo so everyone works just as they always have and knows no difference unless they need to fetch from or push to the subtree's upstream external repo. As long as they are working with the internal remote repo used by the team they see no difference.

Sharing Changes via Internal Repo

To that point, lets try making changes at this point. To be clear, changes may be pushed into the team's internal repo or pushed from the subtree into its external remote by either me or my coworkers. We'll try both. First I'll do the former.

Lets say one of my coworkers needs to tweak a file. Mimicking a coworker I use the openam2 copy of the project and make an edit, commit, and push to the on-premise repo.  I've trimmed some of the path for readability.

git add openam-authentication/openam-auth-radius/src/main/java/.../ConsoleClient.java

git commit -m "removed double print of build date from ConsoleClient startup"

git push

As a member of the team I'd see these changes when next I fetched commits and did a diff with the internal on-premise repo or just did a pull there from. Back in the openam directory and hence a different repo I see the following after doing the fetch to get commits from the internal repo. Recall that this gets commits that I don't have locally but does not merge them into the current branch in contrast to a pull which does both:

git fetch 

git diff master origin/master

And in the output I'll see any changes that were made. And a git status at this point tells me that my current branch master is behind origin/master by one commit since we did a fetch and not a pull. But note that I did not specify a remote. By default it uses the origin remote. If we did a fetch from the remote associated with our subtree we won't get anything brought in from their either because nothing has changed. So lets try that route next.

Seeing Changes in Subtree's External Upstream

Suppose that my coworker made changes to what is now tracked in our subtree directory of openam-authentication/openam-auth-radius and pushed them into the subtree's external upstream remote repo. To simulate that I move to the openam2 directory, edit a file, and commit but will leave those details out to save space. To push to the upstream we need first to add the remote. We have that already in the repository of the openam directory but didn't add it to this repo yet. Once added we then subtree push to the upstream:

git remote add upstream-radius https://github.com/...<fill-in-your-repo>

git subtree push   --prefix=openam-authentication/openam-auth-radius   upstream-radius master

Again we get some interesting output from that last command:

git push using:  upstream-radius master

-n 1/     109 (0)

-n 2/     109 (1)

-n 3/     109 (2)

...

-n 108/     109 (106)

-n 109/     109 (107)

Counting objects: 27, done.

Delta compression using up to 4 threads.

Compressing objects: 100% (9/9), done.

Writing objects: 100% (15/15), 6.14 KiB | 0 bytes/s, done.

Total 15 (delta 3), reused 0 (delta 0)

To https://github.com/...<fill-in-your-repo>

   2c46086..dd773db  dd773dbe09d065a440f67021f0d309ff4acb7939 -> master

Now that my coworker placed changes in the external library I have older code in my openam repo subtree. But how can I tell that? The steps are the same as with a regular remote. I first do a fetch from that remote to gather those changes. Remember that in the openam repo the remote is ext-radius: 

git fetch ext-radius master 

The output from this command is:

remote: Counting objects: 15, done.

remote: Compressing objects: 100% (6/6), done.

remote: Total 15 (delta 3), reused 15 (delta 3), pack-reused 0

Unpacking objects: 100% (15/15), done.

From https://github.com/ForgeRock/radius-server

 * branch            master     -> FETCH_HEAD

   2c46086..dd773db  master     -> ext-radius/master

And again, now that we have fetched those changes into our repo we can see what effect they will have without pulling them into our current branch:

git diff master origin/master

And sure enough I'll see the changes and how they'll impact my local source. In my next post I'd like to take this one step further and consider how I would collaborate on that upstream library, itself a single maven submodule, a subdirectory, if I didn't have write privileges on it as I have had here. 

See you then.   

Sharing Contributions with Forge Rock via Git Subtree

The Radius Server functionality has raised interest in the community and is desired as a feature of Open AM. At the same time there is more to do on the feature set such as adding attribute mapping. Currently, the final success response is a simple Access-Accept response with no fields included as can be seen in that former post. So as work progresses I'd like to be able to do that in my local and on-premis remote repos and when ready with a new feature be able to push those changes as a unit to be included in baseline via an external remote repo.

But that goal is further complicated by how we are currently including Open AM and injecting extensions that we need.

Project Directory Structure

Our approach is to use maven's war overlay plugin as one maven subproject in a larger parent project and have siblings along side it representing separately build-able pieces that replace chunks of Open AM such as the openam-auth-radius maven submodule that we've extended to add the Radius Server functionality. Our project directory structure looks like this:

The root maven project is the top level openam folder. I'll cover the relevant parts beneath that directory. The openam-authentication directory is a maven subproject mirroring Open AM's corresponding submodule. Within this module are two authentication submodules one being openam-auth-radius that contains the original Open AM code with our enhancements. The openam-auth-smsotp is a One Time Passcode authentication module that delivers via an in-house REST SMS service and includes support for both HTTP and Radius clients allowing us to do multi-factor authentication for VPN access as well as web sites.

The openam-extensions includes extension point implementations such as a post authentication processor enabling us to front our older Oracle Access Manager system with Open AM, some custom tag libs for help in skinning the sign-in page, and other supporting runtime code.

The openam-warOverlay directory is a maven submodule that has the magic for pulling in the version of Open AM that we build against (12.0.0 currently) and including the other modules mentioned openam-extensions, openam-auth-smsotp, and openam-auth-radius replacing the corresponding jar where applicable in the Radius case.

Sharing That One Directory

The goal is to share the openam-auth-radius directory with a separate and off-premise Git repo while maintaining a local copy of the code to be worked on as needed and then selectively push enhancements to the external repo only when we have a fully functional feature to contribute. But I need to do this with an existing directory structure. I researched both Git submodules and Git subtrees and felt the latter were the better approach since all members of our internal team would just get the codebase when they clone without having to take steps to pull in the Git submodules themselves.

The steps found here looked exactly like what I needed. The steps that I took follow. In case that other page goes away I'm adding comments here for my reference when I have to do this again.

Extract the Directory as a Git Subtree

First I pull that directory's code out of the project by making an empty Git repo and pushing the current code to it. I created the radius-contrib directory as a sibling to the openam directory but it really could be anywhere outside of an existing Git project.

mkdir ~/git/radius-contrib
cd radius-contrib
git init --bare

Back in the openam project root directory I create a Git subtree by splitting out the openam-auth-radius subdirectory and creating a branch called contribs holding just that directory's code:

git subtree split --prefix=openam-authentication/openam-auth-radius -b contribs

Be forwarned, that step freaked me out a bit as it started dumping the following lines before indicating that the subtree was created. I don't know what they mean but it appears to be part of the process.

-n 1/     104 (0)
-n 2/     104 (1)
-n 3/     104 (2)
...
-n 102/     104 (101)
-n 103/     104 (102)
-n 104/     104 (103)
Created branch 'contribs'
2c4608649741ce14ce09e21bd766681bf6d219f3

Now I push that into my recently created empty repository. To do this I must be sitting in the newly create subtree otherwise you get messages like:

error: src refspec constribs does not match any.
error: failed to push some refs to '/Users/boydmr/git/radius-contrib/'

So change directory as needed and then do the push:

cd ~/git/openam/openam-authentication/openam-auth-radius
git push ~/git/radius-contrib/ contribs:master

Now moving into the directory of the newly created Git repo I can now see the newly created master branch that resulted from that step:

git branch -a
* master

Now we can push just that directory into the external remote repo:

git remote add origin https://github.com/...<fill-in-your-repo>

git push -u origin master

Once pushed that remote repo contains everything that resides within the openam-auth-radius directory and its subdirectories but not the openam-auth-radius directory itself. That is all for today. In my next post I'll take the next steps to now pull that repo into my subtree and even make some changes and push them back.

See you then.

Open AM Version Number Source (in 12.0.0)

This post is mostly for me to remember how I found where Open AM's version comes from since I used a number of mechanisms to find it and I don't want to forget them and the trip was amazingly long and convoluted. But I did successfully arrive at an end. And if it helps others when troubleshooting Open AM then that is a bonus.

As shown below, Open AM has a Version button in the top left corner of its admin console when signed in as an administrator. 

When clicking that button you typically get a popup browser window showing Open AM's current version like so:

Upon recently updating one of our servers to version 12.0.0 the update failed to offer us the typical prompt asking if we wanted to upgrade the configuration store. And upon starting the server up we seemed to be in some kind of limbo state where most of the console worked but there were some inaccessible areas including the version. It came up empty as in no version was discernible. Support said that the version was what triggered the prompt to upgrade configuration. And that prompted the following steps to find out the source from which the version value originated.

First: Chrome Developer Tools

That page holds the value. So where is it getting it from. I opened Chrome's Developer Tools, selected the Network pane, and checked Preserve Log so it wouldn't clear after a redirect or loading of a new page. Then I clicked the Version button again. It turns out that the page is loaded from the URL where /sso is Open AM's root in my installation:

/sso/ccversion/Version?

&productNameSrc=../console/images/PrimaryProductName.png

&windowTitle=Version+Information+-+

But this is a frameset with the gray section containing the version number value being loaded from a URL of:

/sso/base/Version

which returns text/html content. Looking through the server's web.xml doesn't show anything mapping to that path directly. Having done some debugging before in Open AM's JATO conundrum led me to wonder if this was being handled by a JATO JSP. Knowing from previous experience with the Login page and its affiliates that JATO typically maps the last path item to a similarly named JSP file I grabbed my next two tools.

Next Up: *nix's Find & Open AM's source

I opened a shell window, changed directory to the root of Open AM version 12's source. If you don't have Open AM's source you can download it from http://openam.forgerock.org/. Then I used "find" to see if there was a file by the name of Version.jsp somewhere in Open AM's source:

find . -name "Version.jsp" 

I'll use find in a number of places below and in each instance I will always be located in the root of Open AM's source. Running this command found a likely candidate at:

/openam/openam-console/src/main/webapp/console/base/Version.jsp

Opening that file and comparing its divs and their classes with the content of the frame convinced me that was indeed the provider of that content. This JSP was a typical JATO JSP. It contained a view bean declaration where the view bean in JATO can be seen as the controller and source of the model backing the JSP:

<jato:useViewBean 

className="com.sun.identity.console.base.VersionViewBean" 

fireChildDisplayEvents="true">

And based upon the divs and their classnames in that page the JSP was injecting the version content using the following tag. In JATO, that name attribute typically ends up being the name of a value set on the view bean:

<cc:text name="txtVersion" />

So back to our good friend Find. I then ran the following command in the root:

find . -name "VersionViewBean.java"

That found the java file at:

/openam/openam-console

/src/main/java/com/sun/identity/console/base/VersionViewBean.java

Fortunately, this view bean class file was only 78 lines long and it did indeed have a line setting a txtVersion value:

setDisplayFieldValue("txtVersion", AMSystemConfig.version);

Looking at imports  and using find the AMSystemConfig class is found in the same subproject at:

/openam/openam-console

/src/main/java/com/sun/identity/console/base/model/AMSystemConfig.java

Now you'd think that would be completely obvious based upon a similar package structure. But be forewarned that that is not always the case. Often I've found similarly packages classes in other Open AM submodules. So when you can't find a file drop back to find and let it do the looking for you. 

AMSystemConfig shows an interesting characteristic of Open AM. Its admin console can be run locally or remotely and delegate to the real servers. If the console is not remote then it gets the value for its version variable from:

SystemProperties.get(Constants.AM_VERSION)

I'll come back to SystemProperties in a minute. If the console is running remotely then a call is made to:

/sso/SMSServlet?method=version

Again looking in my web.xml I see that path is handled by:

<servlet>

        <servlet-name>SMSServlet</servlet-name>

        <servlet-class>com.sun.identity.sm.SMServlet</servlet-class>

</servlet>

...

<servlet-mapping>

    <servlet-name>SMSServlet</servlet-name>

    <url-pattern>/SMSServlet</url-pattern>

</servlet-mapping>

The SMServlet is found in:

/openam/openam-core/src/main/java/com/sun/identity/sm/SMServlet.java

That class too is a small one, only 88 lines long, and shows that it too is getting the value from the same place that AMSystemConfig is when running locally:

SystemProperties.get(Constants.AM_VERSION)

So that confirms where the version number is ultimately coming from. Hence, back to SystemProperties. Again, looking at the package path of the class and using find, I found that SystemProperties is located in:

/openam/openam-core

/src/main/java/com/iplanet/am/util/SystemProperties.java

And now the code got a lot more involved. SystemProperties is over 700 lines long. Its get method looks in a couple different places for values. So that is when I brought in my next tool.

Remote Debugging

One of the things about java that I fell in love with when it came out was the Java Debug Wire Protocol allowing any JVM to be started with debugging turned on even supporting a "suspend" mode preventing any code from running until a debugger connected to the JVM after start up thus allowing us to step through fleeting startup situations as well.

I have Open AM running in Tomcat8. The catalina.sh script supports specifying a parameter of jpda followed by start to trigger launching the JVM in debug mode. The comments at the top of catalina.sh are extremely helpful. By default, it does not start the JVM in debug mode. By adding a setenv.sh script as a peer to catalina.sh you can add values as defined in the comments to override the defaults. 

So I created setenv.sh  with the following value:

export JPDA_SUSPEND="y"

Then I launch tomcat with the following command:

$TOMCAT_HOME/bin/catalina.sh jpda start

And sure enough, using tail on logs/catalina.out shows that the JVM started in debug mode and since no further activity is being logged it appears to be suspended waiting for a debugger to connect to that port.

Listening for transport dt_socket at address: 8000

I use Intellij currently. But used eclipse for a number of years. Both readily support remote debugging. With Intellij open on the POM of the Open AM source:

/openam/pom.xml

I then created a Debug Configuration of type Remote and set the host to be 127.0.0.1 and port 8000. Before starting it up I opened SystemProperties and set a breakpoint at the top of the get method. Then I started up that debug configuration. It connected and some time thereafter I was stepping through that code.

However, I first wanted to know where the version value was coming from. Recalling that the most direct way to trigger retrieval of the version from SystemProperties was through the URL called by AMSystemConfig when the console is running remotely, I entered that URL into the browser and immediately had the debugger stop execution in the method. The key being passed to the method was:

com.iplanet.am.version

The value ultimately was being returned from the props properties object in SystemProperties. To find where that we being loaded I added breakpoints in every location where props was being set or added to. Our desired value was being returned in the Properties object returned from this line in the initializeProperties method. 

ServerConfiguration.getDefaults(appToken)

Again using find I located the ServerConfiguration file in:

/openam/openam-core/src/main/java

/com/sun/identity/common/configuration/ServerConfiguration.java

Stepping through these lines is getting into the core of Open AM's configuration code. It turns out that it load a ServiceConfigManager instance for the iPlanetAMPlatformService, obtains its global configuration, then loads a ServiceConfig instance for its sub configuration of com-sun-identity-servers and from that instance loads another ServiceConfig instance for sub configuration server-defaults.  From that instance of  it then gets the serverconfig attribute which holds a Set of 155 key/value strings with the = character as a delimiter between keys and values. And one of those values is the one we are looking for.

So where does this last paragraph mean? I've had some experience with ServiceConfigManager and  ServiceConfig. If you look in Open DJ at the root of your configuration you'll see the following items. I'm using Apache Directory Studio here. Note that my configuration is at the default location. Your root DN may differ depending on how you configured your system.

Notice the services element. Expanding it and looking for an element with an ou of iPlanetAMPlatformService. This relates to the ServiceConfigManager instance that we acquired. From there each of the other steps relate nicely to the structure beneath that element as shown below. There is a GlobalConfig with a sub configuration of  com-sun-identity-servers  and a sub configuration of server-defaults. 

By selecting that last item we can see that it has 157 values for the sunKeyValue multivalued attribute. 

Expanding it and looking through the list we find the value that we are searching for. 

And interestingly, if we use Directory Studio to modify the value and refresh the browser we immediately see that change appear.

One Final Note

It should be noted that the relationship between LDAP values and the code should not be relied upon. Things could change from release to release. But the tools and steps to locate this information when problems arise will hopefully be of use to someone. Most likely of course is that person will be me when I come back to my own work six months from now. At which time I'll be grateful for this breadcrumb.

Enjoy.