Skip to content

Commit

Permalink
[WFCORE-4395] Move the JDBCRealm Mapper validation to model time check
Browse files Browse the repository at this point in the history
  • Loading branch information
pedro-hos committed Sep 18, 2024
1 parent ac36091 commit 04f9193
Show file tree
Hide file tree
Showing 17 changed files with 512 additions and 73 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import static org.wildfly.extension.elytron._private.ElytronSubsystemMessages.ROOT_LOGGER;

import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
Expand All @@ -33,8 +32,10 @@
import org.jboss.as.controller.ObjectListAttributeDefinition;
import org.jboss.as.controller.ObjectTypeAttributeDefinition;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationContext.Stage;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.PathAddress;
import org.jboss.as.controller.PathElement;
import org.jboss.as.controller.ResourceDefinition;
import org.jboss.as.controller.RunningMode;
Expand All @@ -43,11 +44,12 @@
import org.jboss.as.controller.SimpleResourceDefinition;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.controller.operations.validation.CharsetValidator;
import org.jboss.as.controller.operations.validation.StringAllowedValuesValidator;
import org.jboss.as.controller.operations.validation.IntRangeValidator;
import org.jboss.as.controller.operations.validation.StringAllowedValuesValidator;
import org.jboss.as.controller.registry.AttributeAccess;
import org.jboss.as.controller.registry.ManagementResourceRegistration;
import org.jboss.as.controller.registry.OperationEntry;
import org.jboss.as.controller.registry.Resource;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.msc.inject.InjectionException;
Expand Down Expand Up @@ -455,7 +457,7 @@ public PasswordKeyMapper toPasswordKeyMapper(OperationContext context, ModelNode
}

interface PasswordMapperObjectDefinition {
PasswordKeyMapper toPasswordKeyMapper(OperationContext context, ModelNode propertyNode) throws OperationFailedException, InvalidKeyException;
PasswordKeyMapper toPasswordKeyMapper(OperationContext context, ModelNode propertyNode) throws OperationFailedException;
}

static class AttributeMappingObjectDefinition {
Expand Down Expand Up @@ -591,6 +593,13 @@ private RealmAddHandler() {
super(SECURITY_REALM_RUNTIME_CAPABILITY);
}

@Override
protected void populateModel(OperationContext context, ModelNode operation, Resource resource)
throws OperationFailedException {
super.populateModel(context, operation, resource);
context.addStep(new JdbcRealmDefinitionValidation(), Stage.MODEL);
}

@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model)
throws OperationFailedException {
Expand Down Expand Up @@ -653,6 +662,26 @@ private AttributeMapper[] resolveAttributeMappers(OperationContext context, Mode
}
}

private static class JdbcRealmDefinitionValidation implements OperationStepHandler {

@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {

ModelNode model = context.readResource(PathAddress.EMPTY_ADDRESS, false).getModel();
List<ModelNode> queries = model.get(PrincipalQueryAttributes.PRINCIPAL_QUERIES_7_0.getName()).asList();

for (ModelNode modelNode : queries) {
long mappersCount = modelNode.keys().stream()
.filter(PrincipalQueryAttributes.SUPPORTED_PASSWORD_MAPPERS::containsKey).count();

// We need to make sure that the principal-query has only one mapper
if (mappersCount > 1) {
throw ROOT_LOGGER.jdbcRealmOnlySingleKeyMapperAllowed();
}
}
}
}

private static KeyMapper resolveKeyMappers(OperationContext context, ModelNode authenticationQueryNode) throws OperationFailedException {
KeyMapper keyMapper = null;

Expand All @@ -669,17 +698,10 @@ private static KeyMapper resolveKeyMappers(OperationContext context, ModelNode a
continue;
}

if (keyMapper != null) {
throw ROOT_LOGGER.jdbcRealmOnlySingleKeyMapperAllowed();
}

try {
keyMapper = mapperResource.toPasswordKeyMapper(context, propertyNode);
} catch (InvalidKeyException e) {
throw new OperationFailedException("Invalid key type.", e);
}
keyMapper = mapperResource.toPasswordKeyMapper(context, propertyNode);
}

return keyMapper;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,8 @@ private void testJaspiConfiguration() {
}

private void testJdbcRealm() {
ModelNode jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealm").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);

ModelNode jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmBcrypt").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);

// Bcrypt password mapper
ModelNode mapper = jdbcRealm.get(ElytronDescriptionConstants.BCRYPT_MAPPER);
Expand All @@ -192,15 +193,18 @@ private void testJdbcRealm() {
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.SALT_ENCODING));

// Clear password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmClearPassword").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.CLEAR_PASSWORD_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));

// Simple digest password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmSimple").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.SIMPLE_DIGEST_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.HASH_ENCODING));

// Salted simple digest password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmSalted").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.SALTED_SIMPLE_DIGEST_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
assertEquals("3", getValue(mapper, ElytronDescriptionConstants.SALT_INDEX));
Expand All @@ -209,6 +213,7 @@ private void testJdbcRealm() {
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.SALT_ENCODING));

// Scram password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcScram").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.SCRAM_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
assertEquals("3", getValue(mapper, ElytronDescriptionConstants.SALT_INDEX));
Expand All @@ -217,6 +222,7 @@ private void testJdbcRealm() {
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.SALT_ENCODING));

// Modular crypt mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmModular").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.MODULAR_CRYPT_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -57,19 +57,52 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcScram">
<principal-query sql="SELECT" data-source="ExampleDS">
<scram-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" iteration-count-index="${exp.iteration:4}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}" algorithm="${exp.algorithm:scram-sha-1}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="${exp.password:2}"/>
<bcrypt-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" iteration-count-index="${exp.iteration:4}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="${exp.password:2}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" algorithm="${exp.algo:password-salt-digest-sha-1}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}"/>
<simple-digest-mapper password-index="${exp.password:2}" hash-encoding="${exp.encoding:hex}" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" iteration-count-index="${exp.iteration:4}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}" algorithm="${exp.algorithm:scram-sha-1}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="${exp.password:2}" hash-encoding="${exp.encoding:hex}" algorithm="simple-digest-sha-1"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="${exp.password:2}"/>
</principal-query>
</jdbc-realm>

<properties-realm name="PropRealm" groups-attribute="${exp.groups:groups}">
<users-properties path="users-hashed.properties" relative-to="jboss.server.config.dir" digest-realm-name="${exp.digest.realm:FileRealm}" plain-text="${exp.plain:false}"/>
</properties-realm>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,17 +48,44 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
<bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<properties-realm name="PropRealm">
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,17 +51,44 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
<bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<properties-realm name="PropRealm">
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,17 +43,44 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
<bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<properties-realm name="PropRealm">
Expand Down
Loading

0 comments on commit 04f9193

Please sign in to comment.