Merge pull request #3379 from wildfly-security-incubator/WFCORE-3945

[WFCORE-3945] Remove the application-http-authentication http-authentication-factory from the default configuration.
wildfly · Jul 13, 2018 · c55a1e0 · c55a1e0
2 parents 1ed456c + b15d9d9
commit c55a1e0
Show file tree

Hide file tree

Showing 19 changed files with 569 additions and 123 deletions.
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/SecurityCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/SecurityCommand.java
@@ -120,6 +120,7 @@ public interface FailureConsumer {
     public static final String OPT_SERVER_NAME = "server-name";
     public static final String OPT_NO_OVERRIDE_SECURITY_REALM = "no-override-security-realm";
     public static final String OPT_SECURITY_DOMAIN = "security-domain";
+    public static final String OPT_REFERENCED_SECURITY_DOMAIN = "referenced-security-domain";
 
     private final CommandContext ctx;
     private final AtomicReference<EmbeddedProcessLaunch> embeddedServerRef;
@@ -141,8 +142,8 @@ public List<Command> getCommands() {
         commands.add(new ManagementEnableSASLCommand());
         commands.add(new ManagementEnableHTTPCommand());
         commands.add(new ManagementReorderSASLCommand());
-        commands.add(new HTTPServerEnableAuthCommand());
-        commands.add(new HTTPServerDisableAuthCommand());
+        commands.add(new HTTPServerEnableAuthCommand(ctx));
+        commands.add(new HTTPServerDisableAuthCommand(ctx));
         return commands;
     }
 
@@ -207,8 +208,7 @@ protected List<String> getItems(CLICompleterInvocation completerInvocation) {
 
                 try {
                     return ElytronUtil.getMechanisms(completerInvocation.getCommandContext(),
-                            cmd.getFactorySpec(),
-                            cmd.getTargetedFactory(completerInvocation.getCommandContext()));
+                            cmd.getFactorySpec());
                 } catch (Exception ex) {
                     return Collections.emptyList();
                 }
@@ -274,6 +274,14 @@ protected List<String> getItems(CLICompleterInvocation completerInvocation) {
             }
         }
 
+        public static class ReferencedSecurityDomainCompleter extends AbstractCompleter {
+
+            @Override
+            protected List<String> getItems(CLICompleterInvocation completerInvocation) {
+                return ElytronUtil.getSecurityDomainNames(completerInvocation.getCommandContext().getModelControllerClient());
+            }
+        }
+
         public static class MechanismsCompleter extends AbstractCommaCompleter {
 
             @Override

diff --git a/...va/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractDisableAuthenticationCommand.java b/...va/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractDisableAuthenticationCommand.java
@@ -26,7 +26,6 @@
 import org.jboss.as.cli.CommandContext;
 import org.jboss.as.cli.CommandFormatException;
 import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand;
-import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM;
 import org.jboss.as.cli.impl.aesh.cmd.security.model.ElytronUtil;
 import org.jboss.dmr.ModelNode;
 import org.wildfly.core.cli.command.DMRCommand;
@@ -40,9 +39,6 @@
  */
 @CommandDefinition(name = "abstract-auth-disable", description = "")
 public abstract class AbstractDisableAuthenticationCommand implements Command<CLICommandInvocation>, DMRCommand {
-    @Option(name = OPT_MECHANISM,
-            completer = SecurityCommand.OptionCompleters.MechanismDisableCompleter.class)
-    String mechanism;
 
     @Option(name = OPT_NO_RELOAD, hasValue = false)
     boolean noReload;
@@ -63,6 +59,8 @@ public AuthFactorySpec getFactorySpec() {
 
     protected abstract String getSecuredEndpoint(CommandContext ctx);
 
+    protected abstract String getMechanism();
+
     @Override
     public CommandResult execute(CLICommandInvocation commandInvocation) throws CommandException, InterruptedException {
         CommandContext ctx = commandInvocation.getCommandContext();
@@ -75,7 +73,7 @@ public CommandResult execute(CLICommandInvocation commandInvocation) throws Comm
 
         SecurityCommand.execute(ctx, request, SecurityCommand.DEFAULT_FAILURE_CONSUMER, noReload);
         commandInvocation.getCommandContext().printLine("Command success.");
-        if (mechanism == null) {
+        if (getMechanism() == null) {
             commandInvocation.getCommandContext().printLine(factorySpec.getName()
                     + " authentication disabled for " + getSecuredEndpoint(commandInvocation.getCommandContext()));
         } else {
@@ -102,11 +100,11 @@ public ModelNode buildSecurityRequest(CommandContext context) throws Exception {
         if (mn == null) {
             throw new CommandException("Invalid factory " + authFactory);
         }
-        if (mechanism == null) {
+        if (getMechanism() == null) {
             return disableFactory(context);
         }
         Set<String> set = new HashSet<>();
-        set.add(mechanism);
+        set.add(getMechanism());
         return ElytronUtil.removeMechanisms(context, mn, authFactory, factorySpec, set);
     }
 

diff --git a/...ava/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractEnableAuthenticationCommand.java b/...ava/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractEnableAuthenticationCommand.java
@@ -36,7 +36,6 @@
 import org.jboss.as.cli.impl.aesh.cmd.RelativeFile;
 import org.jboss.as.cli.impl.aesh.cmd.RelativeFilePathConverter;
 import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_GROUP_PROPERTIES_FILE;
-import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM;
 import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_NEW_AUTH_FACTORY_NAME;
 import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_NEW_SECURITY_DOMAIN_NAME;
 import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_NO_RELOAD;
@@ -72,10 +71,6 @@
 @CommandDefinition(name = "abstract-auth-enable", description = "")
 public abstract class AbstractEnableAuthenticationCommand implements Command<CLICommandInvocation>, DMRCommand {
 
-    @Option(name = OPT_MECHANISM,
-            completer = SecurityCommand.OptionCompleters.MechanismCompleter.class)
-    String mechanism;
-
     @Option(name = OPT_FILE_SYSTEM_REALM_NAME, activator = OptionActivators.FilesystemRealmActivator.class,
             completer = SecurityCommand.OptionCompleters.FileSystemRealmCompleter.class)
     String fileSystemRealmName;
@@ -138,6 +133,8 @@ public AuthFactorySpec getFactorySpec() {
         return factorySpec;
     }
 
+    protected abstract String getMechanism();
+
     protected abstract void secure(CommandContext ctx, AuthSecurityBuilder builder) throws Exception;
 
     protected abstract String getOOTBFactory(CommandContext ctx) throws Exception;
@@ -146,14 +143,6 @@ public AuthFactorySpec getFactorySpec() {
 
     protected abstract String getEnabledFactory(CommandContext ctx) throws Exception;
 
-    public String getTargetedFactory(CommandContext ctx) throws Exception {
-        String factory = getEnabledFactory(ctx);
-        if (factory == null) {
-            factory = getOOTBFactory(ctx);
-        }
-        return factory;
-    }
-
     @Override
     public CommandResult execute(CLICommandInvocation commandInvocation) throws CommandException, InterruptedException {
         CommandContext ctx = commandInvocation.getCommandContext();
@@ -168,10 +157,14 @@ public CommandResult execute(CLICommandInvocation commandInvocation) throws Comm
             commandInvocation.getCommandContext().printLine("Command success.");
             commandInvocation.getCommandContext().printLine("Authentication configured for "
                     + getSecuredEndpoint(commandInvocation.getCommandContext()));
-            commandInvocation.getCommandContext().printLine(factorySpec.getName()
-                    + " authentication-factory=" + builder.getAuthFactory().getName());
-            commandInvocation.getCommandContext().printLine("security-domain="
-                    + builder.getAuthFactory().getSecurityDomain().getName());
+            if (builder.getReferencedSecurityDomain() != null) {
+                commandInvocation.getCommandContext().printLine("security domain=" + builder.getReferencedSecurityDomain());
+            } else {
+                commandInvocation.getCommandContext().printLine(factorySpec.getName()
+                        + " authentication-factory=" + builder.getAuthFactory().getName());
+                commandInvocation.getCommandContext().printLine("security-domain="
+                        + builder.getAuthFactory().getSecurityDomain().getName());
+            }
         } else {
             commandInvocation.getCommandContext().
                     printLine("Authentication is already enabled for " + getSecuredEndpoint(commandInvocation.getCommandContext()));
@@ -189,7 +182,7 @@ public ModelNode buildRequest(CommandContext context) throws CommandFormatExcept
         }
     }
 
-    private AuthSecurityBuilder buildSecurityRequest(CommandContext context) throws Exception {
+    protected AuthSecurityBuilder buildSecurityRequest(CommandContext context) throws Exception {
         AuthSecurityBuilder builder = buildSecurityBuilder(context);
         //OOTB
         if (builder == null) {
@@ -304,29 +297,28 @@ protected static MechanismConfiguration buildUserPasswordConfiguration(RelativeF
     private AuthMechanism buildAuthMechanism(CommandContext context)
             throws Exception {
         AuthMechanism mec = null;
-        if (mechanism == null) {
+        if (getMechanism() == null) {
             return null;
         }
         List<String> available = ElytronUtil.getAvailableMechanisms(context,
-                getFactorySpec(),
-                getTargetedFactory(context));
-        if (!available.contains(mechanism)) {
-            throw new CommandException("Unavialable mechanism " + mechanism);
+                getFactorySpec());
+        if (!available.contains(getMechanism())) {
+            throw new CommandException("Unavailable mechanism " + getMechanism());
         }
 
-        if (ElytronUtil.getMechanismsWithRealm().contains(mechanism)) {
+        if (ElytronUtil.getMechanismsWithRealm().contains(getMechanism())) {
             MechanismConfiguration config = buildUserPasswordConfiguration(userPropertiesFile,
                     fileSystemRealmName, userRoleDecoder, exposedRealm,
                     groupPropertiesFile, propertiesRealmName, relativeTo);
-            mec = new AuthMechanism(mechanism, config);
-        } else if (ElytronUtil.getMechanismsWithTrustStore().contains(mechanism)) {
+            mec = new AuthMechanism(getMechanism(), config);
+        } else if (ElytronUtil.getMechanismsWithTrustStore().contains(getMechanism())) {
             MechanismConfiguration config = buildExternalConfiguration(context, keyStoreName, keyStoreRealmName, roles);
-            mec = new AuthMechanism(mechanism, config);
-        } else if (ElytronUtil.getMechanismsLocalUser().contains(mechanism)) {
+            mec = new AuthMechanism(getMechanism(), config);
+        } else if (ElytronUtil.getMechanismsLocalUser().contains(getMechanism())) {
             MechanismConfiguration config = buildLocalUserConfiguration(context, superUser);
-            mec = new AuthMechanism(mechanism, config);
+            mec = new AuthMechanism(getMechanism(), config);
         } else {
-            mec = new AuthMechanism(mechanism, new EmptyConfiguration());
+            mec = new AuthMechanism(getMechanism(), new EmptyConfiguration());
         }
         return mec;
     }

diff --git a/...rg/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtDisableAuthenticationCommand.java b/...rg/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtDisableAuthenticationCommand.java
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+package org.jboss.as.cli.impl.aesh.cmd.security.auth;
+
+import org.aesh.command.CommandDefinition;
+import org.aesh.command.option.Option;
+import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand;
+import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM;
+import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthFactorySpec;
+
+/**
+ *
+ * @author [email protected]
+ */
+@CommandDefinition(name = "abstract-management-auth-disable", description = "")
+public abstract class AbstractMgmtDisableAuthenticationCommand extends AbstractDisableAuthenticationCommand {
+
+    @Option(name = OPT_MECHANISM,
+            completer = SecurityCommand.OptionCompleters.MechanismDisableCompleter.class)
+    String mechanism;
+
+    public AbstractMgmtDisableAuthenticationCommand(AuthFactorySpec factorySpec) {
+        super(factorySpec);
+    }
+
+    @Override
+    protected String getMechanism() {
+        return mechanism;
+    }
+
+}
diff --git a/...org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtEnableAuthenticationCommand.java b/...org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtEnableAuthenticationCommand.java
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+package org.jboss.as.cli.impl.aesh.cmd.security.auth;
+
+import org.aesh.command.CommandDefinition;
+import org.aesh.command.option.Option;
+import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand;
+import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM;
+import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthFactorySpec;
+
+/**
+ *
+ * @author [email protected]
+ */
+@CommandDefinition(name = "abstract-management-auth-enable", description = "")
+public abstract class AbstractMgmtEnableAuthenticationCommand extends AbstractEnableAuthenticationCommand {
+
+    @Option(name = OPT_MECHANISM,
+            completer = SecurityCommand.OptionCompleters.MechanismCompleter.class)
+    String mechanism;
+
+    public AbstractMgmtEnableAuthenticationCommand(AuthFactorySpec factorySpec) {
+        super(factorySpec);
+    }
+
+    @Override
+    protected String getMechanism() {
+        return mechanism;
+    }
+
+}