Skip to content

Commit

Permalink
Merge pull request #6172 from pedro-hos/WFCORE-4395
Browse files Browse the repository at this point in the history 
[WFCORE-4395] Move the JDBCRealm Mapper validation to model time check
  • Loading branch information
@yersan
yersan authored Oct 16, 2024
2 parents f8eca17 + 04f9193 commit 45005b6
Show file tree
Hide file tree
Showing 17 changed files with 512 additions and 73 deletions.
46 changes: 34 additions & 12 deletions elytron/src/main/java/org/wildfly/extension/elytron/JdbcRealmDefinition.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import static org.wildfly.extension.elytron._private.ElytronSubsystemMessages.ROOT_LOGGER;

import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
Expand All @@ -33,8 +32,10 @@
import org.jboss.as.controller.ObjectListAttributeDefinition;
import org.jboss.as.controller.ObjectTypeAttributeDefinition;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationContext.Stage;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.PathAddress;
import org.jboss.as.controller.PathElement;
import org.jboss.as.controller.ResourceDefinition;
import org.jboss.as.controller.RunningMode;
Expand All @@ -43,11 +44,12 @@
import org.jboss.as.controller.SimpleResourceDefinition;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.controller.operations.validation.CharsetValidator;
import org.jboss.as.controller.operations.validation.StringAllowedValuesValidator;
import org.jboss.as.controller.operations.validation.IntRangeValidator;
import org.jboss.as.controller.operations.validation.StringAllowedValuesValidator;
import org.jboss.as.controller.registry.AttributeAccess;
import org.jboss.as.controller.registry.ManagementResourceRegistration;
import org.jboss.as.controller.registry.OperationEntry;
import org.jboss.as.controller.registry.Resource;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.msc.inject.InjectionException;
Expand Down Expand Up @@ -455,7 +457,7 @@ public PasswordKeyMapper toPasswordKeyMapper(OperationContext context, ModelNode
}

interface PasswordMapperObjectDefinition {
PasswordKeyMapper toPasswordKeyMapper(OperationContext context, ModelNode propertyNode) throws OperationFailedException, InvalidKeyException;
PasswordKeyMapper toPasswordKeyMapper(OperationContext context, ModelNode propertyNode) throws OperationFailedException;
}

static class AttributeMappingObjectDefinition {
Expand Down Expand Up @@ -591,6 +593,13 @@ private RealmAddHandler() {
super(SECURITY_REALM_RUNTIME_CAPABILITY);
}

@Override
protected void populateModel(OperationContext context, ModelNode operation, Resource resource)
throws OperationFailedException {
super.populateModel(context, operation, resource);
context.addStep(new JdbcRealmDefinitionValidation(), Stage.MODEL);
}

@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model)
throws OperationFailedException {
Expand Down Expand Up @@ -653,6 +662,26 @@ private AttributeMapper[] resolveAttributeMappers(OperationContext context, Mode
}
}

private static class JdbcRealmDefinitionValidation implements OperationStepHandler {

@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {

ModelNode model = context.readResource(PathAddress.EMPTY_ADDRESS, false).getModel();
List<ModelNode> queries = model.get(PrincipalQueryAttributes.PRINCIPAL_QUERIES_7_0.getName()).asList();

for (ModelNode modelNode : queries) {
long mappersCount = modelNode.keys().stream()
.filter(PrincipalQueryAttributes.SUPPORTED_PASSWORD_MAPPERS::containsKey).count();

// We need to make sure that the principal-query has only one mapper
if (mappersCount > 1) {
throw ROOT_LOGGER.jdbcRealmOnlySingleKeyMapperAllowed();
}
}
}
}

private static KeyMapper resolveKeyMappers(OperationContext context, ModelNode authenticationQueryNode) throws OperationFailedException {
KeyMapper keyMapper = null;

Expand All @@ -669,17 +698,10 @@ private static KeyMapper resolveKeyMappers(OperationContext context, ModelNode a
continue;
}

if (keyMapper != null) {
throw ROOT_LOGGER.jdbcRealmOnlySingleKeyMapperAllowed();
}

try {
keyMapper = mapperResource.toPasswordKeyMapper(context, propertyNode);
} catch (InvalidKeyException e) {
throw new OperationFailedException("Invalid key type.", e);
}
keyMapper = mapperResource.toPasswordKeyMapper(context, propertyNode);
}

return keyMapper;
}

}
8 changes: 7 additions & 1 deletion elytron/src/test/java/org/wildfly/extension/elytron/ResolveExpressionAttributesTestCase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,8 @@ private void testJaspiConfiguration() {
}

private void testJdbcRealm() {
ModelNode jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealm").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);

ModelNode jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmBcrypt").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);

// Bcrypt password mapper
ModelNode mapper = jdbcRealm.get(ElytronDescriptionConstants.BCRYPT_MAPPER);
Expand All @@ -192,15 +193,18 @@ private void testJdbcRealm() {
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.SALT_ENCODING));

// Clear password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmClearPassword").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.CLEAR_PASSWORD_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));

// Simple digest password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmSimple").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.SIMPLE_DIGEST_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.HASH_ENCODING));

// Salted simple digest password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmSalted").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.SALTED_SIMPLE_DIGEST_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
assertEquals("3", getValue(mapper, ElytronDescriptionConstants.SALT_INDEX));
Expand All @@ -209,6 +213,7 @@ private void testJdbcRealm() {
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.SALT_ENCODING));

// Scram password mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcScram").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.SCRAM_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
assertEquals("3", getValue(mapper, ElytronDescriptionConstants.SALT_INDEX));
Expand All @@ -217,6 +222,7 @@ private void testJdbcRealm() {
assertEquals("hex", getValue(mapper, ElytronDescriptionConstants.SALT_ENCODING));

// Modular crypt mapper
jdbcRealm = serverModel.get(ElytronDescriptionConstants.JDBC_REALM).get("JdbcRealmModular").get(ElytronDescriptionConstants.PRINCIPAL_QUERY).get(0);
mapper = jdbcRealm.get(ElytronDescriptionConstants.MODULAR_CRYPT_MAPPER);
assertEquals("2", getValue(mapper, ElytronDescriptionConstants.PASSWORD_INDEX));
}
Expand Down
41 changes: 37 additions & 4 deletions elytron/src/test/resources/org/wildfly/extension/elytron/elytron-expressions.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,19 +57,52 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcScram">
<principal-query sql="SELECT" data-source="ExampleDS">
<scram-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" iteration-count-index="${exp.iteration:4}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}" algorithm="${exp.algorithm:scram-sha-1}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="${exp.password:2}"/>
<bcrypt-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" iteration-count-index="${exp.iteration:4}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="${exp.password:2}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" algorithm="${exp.algo:password-salt-digest-sha-1}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}"/>
<simple-digest-mapper password-index="${exp.password:2}" hash-encoding="${exp.encoding:hex}" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="${exp.password:2}" salt-index="${exp.salt:3}" iteration-count-index="${exp.iteration:4}" hash-encoding="${exp.encoding:hex}" salt-encoding="${exp.encoding:hex}" algorithm="${exp.algorithm:scram-sha-1}"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="${exp.password:2}" hash-encoding="${exp.encoding:hex}" algorithm="simple-digest-sha-1"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="${exp.password:2}"/>
</principal-query>
</jdbc-realm>

<properties-realm name="PropRealm" groups-attribute="${exp.groups:groups}">
<users-properties path="users-hashed.properties" relative-to="jboss.server.config.dir" digest-realm-name="${exp.digest.realm:FileRealm}" plain-text="${exp.plain:false}"/>
</properties-realm>
Expand Down
35 changes: 31 additions & 4 deletions elytron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-18.0.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,17 +48,44 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
<bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<properties-realm name="PropRealm">
Expand Down
35 changes: 31 additions & 4 deletions ...ron/src/test/resources/org/wildfly/extension/elytron/elytron-subsystem-community-18.0.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,17 +51,44 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
<bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<properties-realm name="PropRealm">
Expand Down
35 changes: 31 additions & 4 deletions elytron/src/test/resources/org/wildfly/extension/elytron/legacy-elytron-subsystem-10.0.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,17 +43,44 @@
<scram-mapper algorithm="scram-sha-512" password-index="1" salt-index="2" iteration-count-index="10000"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealm">
<jdbc-realm name="JdbcRealmBcrypt">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
<bcrypt-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmClearPassword">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSalted">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<salted-simple-digest-mapper password-index="2" salt-index="3" algorithm="password-salt-digest-sha-1" hash-encoding="hex" salt-encoding="hex"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmSimple">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<simple-digest-mapper password-index="2" hash-encoding="hex" algorithm="simple-digest-sha-1"/>
<scram-mapper password-index="2" salt-index="3" iteration-count-index="4" hash-encoding="hex" salt-encoding="hex" algorithm="scram-sha-1"/>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<jdbc-realm name="JdbcRealmModular">
<principal-query sql="SELECT role, password, salt, ic FROM User WHERE username = ?" data-source="ExampleDS">
<attribute-mapping>
<attribute index="1" to="role"/>
</attribute-mapping>
<modular-crypt-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
<properties-realm name="PropRealm">
Expand Down
Loading

0 comments on commit 45005b6

Please sign in to comment.