Merge pull request #3659 from fjuma/WFCORE-4307

[WFCORE-4307] / [WFCORE-4308] / [WFCORE-4058] WildFly Elytron Component Upgrades and related RFE
wildfly · Feb 6, 2019 · 2da5180 · 2da5180
2 parents 8faef56 + 940466f
commit 2da5180
Show file tree

Hide file tree

Showing 11 changed files with 115 additions and 12 deletions.
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
@@ -83,7 +83,10 @@ public void registerTransformers(SubsystemTransformerRegistration registration)
 
     private static void from6(ChainedTransformationDescriptionBuilder chainedBuilder) {
         ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_6_0_0, ELYTRON_5_0_0);
-
+        builder.addChildResource(PathElement.pathElement(ElytronDescriptionConstants.KEY_STORE))
+            .getAttributeBuilder()
+            .addRejectCheck(RejectAttributeChecker.UNDEFINED, ElytronDescriptionConstants.TYPE)
+            .end();
     }
 
 

diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreDefinition.java b/elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreDefinition.java
@@ -82,7 +82,7 @@ final class KeyStoreDefinition extends SimpleResourceDefinition {
 
     static final ServiceUtil<KeyStore> KEY_STORE_UTIL = ServiceUtil.newInstance(KEY_STORE_RUNTIME_CAPABILITY, ElytronDescriptionConstants.KEY_STORE, KeyStore.class);
 
-    static final SimpleAttributeDefinition TYPE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.TYPE, ModelType.STRING, false)
+    static final SimpleAttributeDefinition TYPE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.TYPE, ModelType.STRING, true)
         .setAttributeGroup(ElytronDescriptionConstants.IMPLEMENTATION)
         .setAllowExpression(true)
         .setMinSize(1)
@@ -241,7 +241,7 @@ protected void performRuntime(OperationContext context, ModelNode operation, Res
             ModelNode model = resource.getModel();
             String providers = PROVIDERS.resolveModelAttribute(context, model).asStringOrNull();
             String providerName = PROVIDER_NAME.resolveModelAttribute(context, model).asStringOrNull();
-            String type = TYPE.resolveModelAttribute(context, model).asString();
+            String type = TYPE.resolveModelAttribute(context, model).asStringOrNull();
             String path = PATH.resolveModelAttribute(context, model).asStringOrNull();
             String relativeTo = null;
             boolean required;
@@ -251,9 +251,11 @@ protected void performRuntime(OperationContext context, ModelNode operation, Res
             if (path != null) {
                 relativeTo = RELATIVE_TO.resolveModelAttribute(context, model).asStringOrNull();
                 required = REQUIRED.resolveModelAttribute(context, model).asBoolean();
-
                 keyStoreService = KeyStoreService.createFileBasedKeyStoreService(providerName, type, relativeTo, path, required, aliasFilter);
             } else {
+                if (type == null) {
+                    throw ROOT_LOGGER.filelessKeyStoreMissingType();
+                }
                 keyStoreService = KeyStoreService.createFileLessKeyStoreService(providerName, type, aliasFilter);
             }
 

diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreService.java b/elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreService.java
@@ -54,6 +54,7 @@
 import org.wildfly.security.keystore.AliasFilter;
 import org.wildfly.security.keystore.AtomicLoadKeyStore;
 import org.wildfly.security.keystore.FilteringKeyStore;
+import org.wildfly.security.keystore.KeyStoreUtil;
 import org.wildfly.security.keystore.ModifyTrackingKeyStore;
 import org.wildfly.security.keystore.UnmodifiableKeyStore;
 import org.wildfly.security.password.interfaces.ClearPassword;
@@ -108,22 +109,28 @@ static KeyStoreService createFileBasedKeyStoreService(String provider, String ty
     @Override
     public void start(StartContext startContext) throws StartException {
         try {
-            Provider provider = resolveProvider();
-            AtomicLoadKeyStore keyStore = AtomicLoadKeyStore.newInstance(type, provider);
+            AtomicLoadKeyStore keyStore = null;
+
+            if (type != null) {
+                Provider provider = resolveProvider();
+                keyStore = AtomicLoadKeyStore.newInstance(type, provider);
+            }
+
             if (path != null) {
                 pathResolver = pathResolver();
                 resolvedPath = getResolvedPath(pathResolver, path, relativeTo);
             }
 
             synched = System.currentTimeMillis();
             if (resolvedPath != null && ! resolvedPath.exists()) {
-                if (required) {
+                if (required || type == null) {
                     throw ROOT_LOGGER.keyStoreFileNotExists(resolvedPath.getAbsolutePath());
                 } else {
                     ROOT_LOGGER.keyStoreFileNotExistsButIgnored(resolvedPath.getAbsolutePath());
                 }
             }
-            try (InputStream is = (resolvedPath != null && resolvedPath.exists()) ? new FileInputStream(resolvedPath) : null) {
+
+            try (FileInputStream is = (resolvedPath != null && resolvedPath.exists()) ? new FileInputStream(resolvedPath) : null) {
                 char[] password = resolvePassword();
 
                 ROOT_LOGGER.tracef(
@@ -132,7 +139,22 @@ public void start(StartContext startContext) throws StartException {
                 );
 
                 if (is != null) {
-                    keyStore.load(is, password);
+                    if (type != null) {
+                        keyStore.load(is, password);
+                    } else {
+                        Provider[] resolvedProviders = providers.getOptionalValue();
+                        if (resolvedProviders == null) {
+                            resolvedProviders = Security.getProviders();
+                        }
+                        final Provider[] finalProviders = resolvedProviders;
+                        KeyStore detected = KeyStoreUtil.loadKeyStore(() -> finalProviders, this.provider, is, resolvedPath.getPath(), password);
+
+                        if (detected == null) {
+                            throw ROOT_LOGGER.unableToDetectKeyStore(resolvedPath.getPath());
+                        }
+
+                        keyStore = AtomicLoadKeyStore.atomize(detected);
+                    }
                 } else {
                     synchronized (EmptyProvider.getInstance()) {
                         keyStore.load(null, password);

diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
@@ -551,4 +551,10 @@ public interface ElytronSubsystemMessages extends BasicLogger {
     @Message(id = 1058, value = "Failed to parse PEM public key with kid: %s")
     OperationFailedException failedToParsePEMPublicKey(String kid);
 
+    @Message(id = 1059, value = "Unable to detect KeyStore '%s'")
+    StartException unableToDetectKeyStore(String path);
+
+    @Message(id = 1060, value = "Fileless KeyStore needs to have a defined type.")
+    OperationFailedException filelessKeyStoreMissingType();
+
 }
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_6_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_6_0.xsd
@@ -4610,7 +4610,7 @@
                 keystore implementation details
             </xs:documentation>
         </xs:annotation>
-        <xs:attribute name="type" type="xs:string" use="required">
+        <xs:attribute name="type" type="xs:string" use="optional">
             <xs:annotation>
                 <xs:documentation>
                     The KeyStore type, e.g. jks, pkcs#12.

diff --git a/elytron/src/test/java/org/wildfly/extension/elytron/KeyStoresTestCase.java b/elytron/src/test/java/org/wildfly/extension/elytron/KeyStoresTestCase.java
@@ -500,6 +500,59 @@ public void testFilteringKeystoreCli() throws Exception {
         assertTrue(firefly.get(ElytronDescriptionConstants.CERTIFICATE_CHAIN).isDefined());
     }
 
+    @Test
+    public void testAutomaticKeystoreService() throws Exception {
+        ServiceName serviceName = Capabilities.KEY_STORE_RUNTIME_CAPABILITY.getCapabilityServiceName("AutomaticKeystore");
+        KeyStore keyStore = (KeyStore) services.getContainer().getService(serviceName).getValue();
+        assertNotNull(keyStore);
+
+        assertTrue(keyStore.containsAlias("firefly"));
+        assertTrue(keyStore.isKeyEntry("firefly"));
+        X509Certificate cert = (X509Certificate) keyStore.getCertificate("firefly");
+        assertEquals("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Firefly", cert.getSubjectDN().getName());
+        assertEquals("firefly", keyStore.getCertificateAlias(cert));
+
+        Certificate[] chain = keyStore.getCertificateChain("firefly");
+        assertEquals("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Firefly", ((X509Certificate) chain[0]).getSubjectDN().getName());
+        assertEquals("O=Root Certificate Authority, [email protected], C=UK, ST=Elytron, CN=Elytron CA", ((X509Certificate) chain[1]).getSubjectDN().getName());
+
+        assertTrue(keyStore.containsAlias("ca"));
+        assertTrue(keyStore.isCertificateEntry("ca"));
+        X509Certificate certCa = (X509Certificate) keyStore.getCertificate("ca");
+        assertEquals("O=Root Certificate Authority, [email protected], C=UK, ST=Elytron, CN=Elytron CA", certCa.getSubjectDN().getName());
+        assertEquals("ca", keyStore.getCertificateAlias(certCa));
+    }
+
+    @Test
+    public void testAutomaticKeystoreCli() throws Exception {
+        ModelNode operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem","elytron");
+        operation.get(ClientConstants.OP).set("read-resource");
+        System.out.println(services.executeOperation(operation).get(ClientConstants.RESULT).asString());
+        operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem","elytron").add(ElytronDescriptionConstants.KEY_STORE,"AutomaticKeystore");
+        operation.get(ClientConstants.OP).set(ElytronDescriptionConstants.READ_ALIASES);
+        List<ModelNode> nodes = assertSuccess(services.executeOperation(operation)).get(ClientConstants.RESULT).asList();
+        assertEquals(2, nodes.size());
+
+        operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem","elytron").add(ElytronDescriptionConstants.KEY_STORE,"AutomaticKeystore");
+        operation.get(ClientConstants.OP).set(ElytronDescriptionConstants.READ_ALIAS);
+        operation.get(ElytronDescriptionConstants.ALIAS).set("firefly");
+        ModelNode firefly = assertSuccess(services.executeOperation(operation)).get(ClientConstants.RESULT);
+        assertEquals("firefly", firefly.get(ElytronDescriptionConstants.ALIAS).asString());
+        assertEquals(KeyStore.PrivateKeyEntry.class.getSimpleName(), firefly.get(ElytronDescriptionConstants.ENTRY_TYPE).asString());
+        assertTrue(firefly.get(ElytronDescriptionConstants.CERTIFICATE_CHAIN).isDefined());
+
+        operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem","elytron").add(ElytronDescriptionConstants.KEY_STORE,"AutomaticKeystore");
+        operation.get(ClientConstants.OP).set(ElytronDescriptionConstants.READ_ALIAS);
+        operation.get(ElytronDescriptionConstants.ALIAS).set("ca");
+        ModelNode ca = assertSuccess(services.executeOperation(operation)).get(ClientConstants.RESULT);
+        assertEquals("ca", ca.get(ElytronDescriptionConstants.ALIAS).asString());
+        assertEquals(KeyStore.TrustedCertificateEntry.class.getSimpleName(), ca.get(ElytronDescriptionConstants.ENTRY_TYPE).asString());
+    }
+
     @Test
     public void testGenerateKeyPair() throws Exception {
         addKeyStore();

diff --git a/elytron/src/test/java/org/wildfly/extension/elytron/SubsystemTransformerTestCase.java b/elytron/src/test/java/org/wildfly/extension/elytron/SubsystemTransformerTestCase.java
@@ -115,6 +115,8 @@ public void testRejectingTransformersEAP720() throws Exception {
                         FailedOperationTransformationConfig.REJECTED_RESOURCE)
                 .addFailedAttribute(SUBSYSTEM_ADDRESS.append(PathElement.pathElement(ElytronDescriptionConstants.TOKEN_REALM, "KeyMapTokenRealm")),
                         FailedOperationTransformationConfig.REJECTED_RESOURCE
+                ).addFailedAttribute(SUBSYSTEM_ADDRESS.append(PathElement.pathElement(ElytronDescriptionConstants.KEY_STORE, "automatic.keystore")),
+                        FailedOperationTransformationConfig.REJECTED_RESOURCE
                 ));
     }
 

diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-transformers-4.0-reject.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-transformers-4.0-reject.xml
@@ -32,6 +32,11 @@
                 <implementation type="JKS"/>
                 <file path="accounts.keystore.jks" relative-to="jboss.server.config.dir"/>
             </key-store>
+            <key-store name="automatic.keystore">
+                <credential-reference clear-text="elytron"/>
+                <implementation/>
+                <file path="accounts.keystore.jks" relative-to="jboss.server.config.dir"/>
+            </key-store>
         </key-stores>
         <key-managers>
             <key-manager name="key1" key-store="accounts.keystore">

diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/tls-ibm.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/tls-ibm.xml
@@ -43,6 +43,11 @@
                 <implementation type="JKS" />
                 <file path="target/not-existing.keystore" required="false"/>
             </key-store>
+            <key-store name="AutomaticKeystore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation/>
+                <file path="firefly.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
             <filtering-key-store name="FilteringKeyStore" key-store="FireflyKeystore" alias-filter="NONE:+firefly"/>
         </key-stores>
         <key-managers>

diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/tls-sun.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/tls-sun.xml
@@ -43,6 +43,11 @@
                 <implementation type="JKS" />
                 <file path="target/not-existing.keystore" required="false"/>
             </key-store>
+            <key-store name="AutomaticKeystore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation/>
+                <file path="firefly.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
             <filtering-key-store name="FilteringKeyStore" key-store="FireflyKeystore" alias-filter="NONE:+firefly"/>
         </key-stores>
         <key-managers>

diff --git a/pom.xml b/pom.xml
@@ -211,9 +211,9 @@
         <version.org.wildfly.openssl.wildfly-openssl-solaris-x86_64>${version.org.wildfly.openssl.natives}</version.org.wildfly.openssl.wildfly-openssl-solaris-x86_64>
         <version.org.wildfly.openssl.wildfly-openssl-windows-i386>${version.org.wildfly.openssl.natives}</version.org.wildfly.openssl.wildfly-openssl-windows-i386>
         <version.org.wildfly.openssl.wildfly-openssl-windows-x86_64>${version.org.wildfly.openssl.natives}</version.org.wildfly.openssl.wildfly-openssl-windows-x86_64>
-        <version.org.wildfly.security.elytron>1.8.0.CR1</version.org.wildfly.security.elytron>
+        <version.org.wildfly.security.elytron>1.8.0.CR2</version.org.wildfly.security.elytron>
         <version.org.wildfly.security.elytron-web>1.4.0.CR1</version.org.wildfly.security.elytron-web>
-        <version.org.wildfly.security.elytron.tool>1.5.0.Final</version.org.wildfly.security.elytron.tool>
+        <version.org.wildfly.security.elytron.tool>1.6.0.CR1</version.org.wildfly.security.elytron.tool>
         <version.xalan>2.7.1.jbossorg-2</version.xalan>
         <version.xml-resolver>1.2</version.xml-resolver>
     </properties>