From 988b171b4750a196ac344f4c4580a523894b5dc7 Mon Sep 17 00:00:00 2001 From: Cameron Rodriguez Date: Fri, 26 Aug 2022 17:02:29 -0400 Subject: [PATCH] [WFCORE-5279] Update capabilities, dependencies/dep processor [WFCORE-5279] commented out keystore/manager objects, added missing capability references [WFCORE-5279] Add missing deps, correct capability names [WFCORE-5279] Correct subsystem name for test cases [WFCORE-5279] Correct feature-pack ssl dep, test error codes [WFCORE-5279] Add processor for default SSL context --- feature-pack/pom.xml | 4 + .../elytron-tls-dependency/main/module.xml | 2 +- .../extension/elytron-tls/main/module.xml | 6 +- .../elytron/tls/subsystem/BaseAddHandler.java | 6 +- .../elytron/tls/subsystem/Capabilities.java | 4 +- ...CertificateAuthorityAccountDefinition.java | 10 +- .../tls/subsystem/ElytronTlsExtension.java | 5 + .../ElytronTlsSubsystemDefinition.java | 27 ++++- .../ElytronTlsSubsystemParser_1_0.java | 3 + .../tls/subsystem/KeyStoreDefinition.java | 9 +- .../elytron/tls/subsystem/KeyStoreParser.java | 4 +- .../elytron/tls/subsystem/ManagerParsers.java | 8 +- .../tls/subsystem/SSLContextDefinitions.java | 113 +++++++++++------- .../SSLContextDependencyProcessor.java | 40 +++++++ .../tls/subsystem/SSLContextParsers.java | 3 + .../tls/subsystem/SecurityActions.java | 2 +- ...TrivialCapabilityServiceRemoveHandler.java | 4 +- .../subsystem/TrivialResourceDefinition.java | 3 +- .../subsystem/LocalDescriptions.properties | 76 ++++++++++++ .../schema/elytron-tls-subsystem_1_0.xsd | 28 ++--- .../CertificateAuthoritiesTestCase.java | 4 +- .../ExpressionResolutionTestCase.java | 9 +- .../tls/subsystem/KeyStoresTestCase.java | 36 +++--- .../elytron/tls/subsystem/TlsTestCase.java | 32 ++--- 24 files changed, 306 insertions(+), 132 deletions(-) create mode 100644 subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDependencyProcessor.java 
diff --git a/feature-pack/pom.xml b/feature-pack/pom.xml index f8e972d..279399b 100644 --- a/feature-pack/pom.xml +++ b/feature-pack/pom.xml @@ -139,5 +139,9 @@ elytron-tls-subsystem provided + + org.wildfly.security + wildfly-elytron-ssl-common + \ No newline at end of file diff --git a/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/elytron-tls-dependency/main/module.xml b/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/elytron-tls-dependency/main/module.xml index 157059f..cce5640 100644 --- a/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/elytron-tls-dependency/main/module.xml +++ b/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/elytron-tls-dependency/main/module.xml @@ -20,7 +20,7 @@ - + diff --git a/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/extension/elytron-tls/main/module.xml b/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/extension/elytron-tls/main/module.xml index ac49df4..5115aed 100644 --- a/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/extension/elytron-tls/main/module.xml +++ b/feature-pack/src/main/resources/modules/system/layers/base/org/wildfly/extension/elytron-tls/main/module.xml @@ -24,6 +24,7 @@ + @@ -32,9 +33,10 @@ - + + - + diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/BaseAddHandler.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/BaseAddHandler.java index 2611513..d80f3e8 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/BaseAddHandler.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/BaseAddHandler.java 
@@ -17,7 +17,7 @@ */ package org.wildfly.extension.elytron.tls.subsystem; -import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.ELYTRON_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME; import java.util.Collections; import java.util.Set; @@ -36,7 +36,7 @@ * * @author Darran Lofthouse */ -class BaseAddHandler extends AbstractAddStepHandler implements org.wildfly.extension.elytron.tls.subsystem.ElytronOperationStepHandler { +class BaseAddHandler extends AbstractAddStepHandler implements ElytronOperationStepHandler { private final Set runtimeCapabilities; @@ -81,7 +81,7 @@ protected void recordCapabilitiesAndRequirements(OperationContext context, Model super.recordCapabilitiesAndRequirements(context, operation, resource); final String pathValue = context.getCurrentAddressValue(); for (RuntimeCapability r : runtimeCapabilities) { - context.registerAdditionalCapabilityRequirement(ELYTRON_CAPABILITY, r.isDynamicallyNamed() ? r.getDynamicName(pathValue) : r.getName(), null); + context.registerAdditionalCapabilityRequirement(ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME, r.isDynamicallyNamed() ? r.getDynamicName(pathValue) : r.getName(), null); } } diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java index 5118ad8..8ff9bbf 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/Capabilities.java 
@@ -59,8 +59,8 @@ class Capabilities { private static final String WILDFLY_SECURITY_CAPABILITY_BASE = "org.wildfly.security."; - private static final String ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME = "org.wildfly.extras.elytron-tls"; - + static final String ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME = "org.wildfly.extras.elytron-tls"; + static final RuntimeCapability ELYTRON_TLS_RUNTIME_CAPABILITY = RuntimeCapability.Builder .of(ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME) .addRequirements(ElytronTlsExtension.WELD_CAPABILITY_NAME) diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java index 779c676..7606d3e 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthorityAccountDefinition.java @@ -101,7 +101,7 @@ class CertificateAuthorityAccountDefinition extends SimpleResourceDefinition { static final SimpleAttributeDefinition KEY_STORE = new SimpleAttributeDefinitionBuilder(Constants.KEY_STORE, ModelType.STRING, false) .setAttributeGroup(Constants.ACCOUNT_KEY) .setMinSize(1) - .setAlternatives(Constants.KEY_STORE_OBJECT) + // .setAlternatives(Constants.KEY_STORE_OBJECT) .setRestartAllServices() .setCapabilityReference(KEY_STORE_CAPABILITY, CERTIFICATE_AUTHORITY_ACCOUNT_CAPABILITY) .build(); @@ -113,6 +113,7 @@ class CertificateAuthorityAccountDefinition extends SimpleResourceDefinition { .setMinSize(1) .setAlternatives(Constants.KEY_STORE) .setRestartAllServices() + .setCapabilityReference(KEY_STORE_CAPABILITY, CERTIFICATE_AUTHORITY_ACCOUNT_CAPABILITY) .build(); static final SimpleAttributeDefinition ALIAS = new SimpleAttributeDefinitionBuilder(Constants.ALIAS, ModelType.STRING, false) 
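Review bot: The `.setCapabilityReference(KEY_STORE_CAPABILITY, CERTIFICATE_AUTHORITY_ACCOUNT_CAPABILITY)` added to `KEY_STORE_OBJECT` sits on an object-typed attribute whose value is an inline keystore definition rather than a keystore name, so if the attribute were ever registered the reference recorder would presumably try to derive a required capability name from the nested object. As it stands the attribute is not registered at all: the `@@ -126` hunk drops it from `ATTRIBUTES`, `KEY_STORE` no longer lists it as an alternative, yet `KEY_STORE_OBJECT` still declares `.setAlternatives(Constants.KEY_STORE)`, leaving the pair one-sided. Either delete the `KEY_STORE_OBJECT` definition together with the commented-out references to it, or drop `.setAlternatives(Constants.KEY_STORE)` and the new capability reference until the inline form is wired up again. The same one-sided alternatives appear for `RESPONDER_KEYSTORE_OBJECT`, `KEY_MANAGER_OBJECT` and `TRUST_MANAGER_OBJECT` in SSLContextDefinitions.java.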
@@ -126,7 +127,7 @@ class CertificateAuthorityAccountDefinition extends SimpleResourceDefinition { .setAttributeGroup(Constants.ACCOUNT_KEY) .build(); - private static final AttributeDefinition[] ATTRIBUTES = new AttributeDefinition[] { CERTIFICATE_AUTHORITY, CONTACT_URLS, KEY_STORE, KEY_STORE_OBJECT, ALIAS, CREDENTIAL_REFERENCE }; + private static final AttributeDefinition[] ATTRIBUTES = new AttributeDefinition[] { CERTIFICATE_AUTHORITY, CONTACT_URLS, KEY_STORE, /* KEY_STORE_OBJECT, */ ALIAS, CREDENTIAL_REFERENCE }; static final SimpleAttributeDefinition AGREE_TO_TERMS_OF_SERVICE = new SimpleAttributeDefinitionBuilder(Constants.AGREE_TO_TERMS_OF_SERVICE, ModelType.BOOLEAN, false) .setAllowExpression(true) @@ -197,7 +198,7 @@ protected void performRuntime(OperationContext context, ModelNode operation, Res final String alias = ALIAS.resolveModelAttribute(context, model).asString(); String keyStoreName = KEY_STORE.resolveModelAttribute(context, model).asString(); - final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); + /* final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); if (keyStoreName == null) { if (keyStoreObject == null) { LOGGER.missingKeyStoreDefinition(); @@ -207,6 +208,9 @@ protected void performRuntime(OperationContext context, ModelNode operation, Res if (keyStoreObject != null) { LOGGER.multipleKeystoreDefinitions(); } + } */ + if (keyStoreName == null) { + LOGGER.missingKeyStoreDefinition(); } final String finalKeyStoreName = keyStoreName; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java index 5425c01..3f866b7 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsExtension.java 
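Review bot: The new guard `if (keyStoreName == null) { LOGGER.missingKeyStoreDefinition(); }` calls the logger method without `throw`, whereas the same commit writes `throw LOGGER.multipleKeystoreDefinitions()` in SSLContextDefinitions.java; if `missingKeyStoreDefinition()` likewise returns an exception, its result is discarded and `performRuntime` carries on with a null `finalKeyStoreName`. Because `KEY_STORE` is built with allowNull=false and resolved via `.asString()`, the null branch is probably unreachable for a validated model, so either make it `throw LOGGER.missingKeyStoreDefinition();` or remove the check. The old keystore-object handling is kept as a `/* ... */` block that opens in the `@@ -197` hunk and closes here; commented-out code should be deleted rather than preserved, since version control already keeps it, and the same pattern recurs in the `getValueSupplier` hunks of SSLContextDefinitions.java. `performRuntime` starts and ends outside the hunk.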
@@ -20,6 +20,8 @@ import java.util.concurrent.atomic.AtomicReference; +import javax.net.ssl.SSLContext; + import org.jboss.as.controller.Extension; import org.jboss.as.controller.ExtensionContext; import org.jboss.as.controller.ModelVersion; @@ -32,6 +34,7 @@ import org.jboss.as.controller.parsing.ExtensionParsingContext; import org.jboss.as.controller.registry.ImmutableManagementResourceRegistration; import org.jboss.as.controller.registry.ManagementResourceRegistration; +import org.jboss.as.server.deployment.AttachmentKey; import org.jboss.msc.service.ServiceController; import org.jboss.msc.service.ServiceName; import org.jboss.msc.service.ServiceRegistry; @@ -63,6 +66,8 @@ public class ElytronTlsExtension implements Extension { public static final String WELD_CAPABILITY_NAME = "org.wildfly.weld"; + public static final AttachmentKey SSL_CONTEXT_KEY = AttachmentKey.create(SSLContext.class); + private static final String RESOURCE_NAME = ElytronTlsExtension.class.getPackage().getName() + ".LocalDescriptions"; protected static final ModelVersion VERSION_1_0_0 = ModelVersion.create(1, 0, 0); diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java index 1068dec..943bb8c 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemDefinition.java 
@@ -18,6 +18,10 @@ import static org.jboss.as.controller.OperationContext.Stage.RUNTIME; import static org.jboss.as.server.deployment.Phase.DEPENDENCIES; +import static org.jboss.as.server.deployment.Phase.STRUCTURE; +import static org.jboss.as.server.deployment.Phase.STRUCTURE_ELYTRON_EXPRESSION_RESOLVER; +import static org.jboss.as.server.deployment.Phase.CONFIGURE_DEFAULT_SSL_CONTEXT; +import static org.jboss.as.server.deployment.Phase.CONFIGURE_MODULE; import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.ELYTRON_TLS_RUNTIME_CAPABILITY; import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.PROVIDERS_CAPABILITY; import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.SSL_CONTEXT_CAPABILITY; @@ -66,9 +70,11 @@ import org.jboss.msc.service.ServiceTarget; import org.wildfly.extension.elytron.tls.subsystem._private.ElytronTLSLogger; import org.wildfly.extension.elytron.tls.subsystem.deployment.DependencyProcessor; +import org.wildfly.extension.elytron.tls.subsystem.expression.DeploymentExpressionResolverProcessor; /** * @author Kabir Khan + * @author Cameron Rodriguez */ public class ElytronTlsSubsystemDefinition extends PersistentResourceDefinition { 
@@ -254,12 +260,21 @@ protected void performBoottime(OperationContext context, ModelNode operation, Mo
serviceBuilder.setInstance(defaultSSLContextService).install();
}
- context.addStep(new AbstractDeploymentChainStep() {
- public void execute(DeploymentProcessorTarget processorTarget) {
- final int DEPENDENCIES_TEMPLATE = 6304;
- processorTarget.addDeploymentProcessor(ElytronTlsExtension.SUBSYSTEM_NAME, DEPENDENCIES, DEPENDENCIES_TEMPLATE, new DependencyProcessor());
- }
- }, RUNTIME);
+ if(context.isNormalServer()){
+ context.addStep(new AbstractDeploymentChainStep() {
+ @Override
+ public void execute(DeploymentProcessorTarget processorTarget) {
+ final int DEPENDENCIES_ELYTRON_TLS = 0x0C60;
+ final int STRUCTURE_ELYTRON_TLS_EXPRESSION_RESOLVER = 0x0490;
+
+ processorTarget.addDeploymentProcessor(ElytronTlsExtension.SUBSYSTEM_NAME, STRUCTURE, STRUCTURE_ELYTRON_TLS_EXPRESSION_RESOLVER, new DeploymentExpressionResolverProcessor());
+ processorTarget.addDeploymentProcessor(ElytronTlsExtension.SUBSYSTEM_NAME, DEPENDENCIES, DEPENDENCIES_ELYTRON_TLS, new DependencyProcessor());
+ if (defaultSSLContext != null) {
+ processorTarget.addDeploymentProcessor(ElytronTlsExtension.SUBSYSTEM_NAME, CONFIGURE_MODULE, CONFIGURE_DEFAULT_SSL_CONTEXT, new SSLContextDependencyProcessor());
+ }
+ }
+ }, RUNTIME);
+ }
ElytronTLSLogger.LOGGER.activatingSubsystem();
}
diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java
index e414db7..d2fc720 100644
--- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java
+++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ElytronTlsSubsystemParser_1_0.java
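Review bot: The deployment-processor priorities are bare literals `0x0C60` and `0x0490` with no comment on where they sit relative to the core `Phase` constants, which is what decides whether this subsystem's expression resolver runs before or after WildFly's own; the preceding import hunk statically imports `Phase.STRUCTURE_ELYTRON_EXPRESSION_RESOLVER`, but no visible line uses it, so either document the chosen offsets (`// ordered relative to Phase.STRUCTURE_ELYTRON_EXPRESSION_RESOLVER — TODO confirm`) or derive them from the imported constant and drop the unused import if it is indeed unused elsewhere in the file. `SSLContextDependencyProcessor` is registered at `CONFIGURE_DEFAULT_SSL_CONTEXT`, presumably the same phase/priority the core Elytron subsystem uses for its equivalent processor; a comment stating how the two coexist when both subsystems are installed would help the next reader. Formatting nit: `if(context.isNormalServer()){` should be `if (context.isNormalServer()) {` to match the surrounding style. `performBoottime` continues outside the hunk.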
@@ -25,7 +25,10 @@ import org.jboss.as.controller.PersistentResourceXMLParser; /** + * A parser for the Elytron TLS subsystem. + * * @author Kabir Khan + * @author Cameron Rodriguez */ public class ElytronTlsSubsystemParser_1_0 extends PersistentResourceXMLParser { diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java index d623d98..9a6e4f9 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreDefinition.java @@ -44,7 +44,6 @@ import java.text.SimpleDateFormat; import java.util.Date; -import org.jboss.as.controller.AbstractWriteAttributeHandler; import org.jboss.as.controller.AttributeDefinition; import org.jboss.as.controller.ObjectTypeAttributeDefinition; import org.jboss.as.controller.OperationContext; @@ -80,7 +79,7 @@ */ final class KeyStoreDefinition extends SimpleResourceDefinition { - static final ServiceUtil KEY_STORE_UTIL = ServiceUtil.newInstance(KEY_STORE_RUNTIME_CAPABILITY, Constants.KEY_STORE_OBJECT, KeyStore.class); + static final ServiceUtil KEY_STORE_UTIL = ServiceUtil.newInstance(KEY_STORE_RUNTIME_CAPABILITY, Constants.KEY_STORE, KeyStore.class); static final SimpleAttributeDefinition TYPE = new SimpleAttributeDefinitionBuilder(Constants.TYPE, ModelType.STRING, true) .setAttributeGroup(Constants.IMPLEMENTATION) @@ -121,7 +120,7 @@ final class KeyStoreDefinition extends SimpleResourceDefinition { // Resource Resolver - private static final StandardResourceDescriptionResolver RESOURCE_RESOLVER = ElytronTlsExtension.getResourceDescriptionResolver(Constants.KEY_STORE_OBJECT); + private static final StandardResourceDescriptionResolver RESOURCE_RESOLVER = ElytronTlsExtension.getResourceDescriptionResolver(Constants.KEY_STORE); // Runtime Attributes 
@@ -151,10 +150,10 @@ final class KeyStoreDefinition extends SimpleResourceDefinition { private static final KeyStoreAddHandler ADD = new KeyStoreAddHandler(); private static final OperationStepHandler REMOVE = new TrivialCapabilityServiceRemoveHandler(ADD, KEY_STORE_RUNTIME_CAPABILITY); - private static final AbstractWriteAttributeHandler WRITE = new ElytronReloadRequiredWriteAttributeHandler(CONFIG_ATTRIBUTES); + private static final ElytronReloadRequiredWriteAttributeHandler WRITE = new ElytronReloadRequiredWriteAttributeHandler(CONFIG_ATTRIBUTES); KeyStoreDefinition() { - super(new Parameters(PathElement.pathElement(Constants.KEY_STORE_OBJECT), RESOURCE_RESOLVER) + super(new Parameters(PathElement.pathElement(Constants.KEY_STORE), RESOURCE_RESOLVER) .setAddHandler(ADD) .setRemoveHandler(REMOVE) .setAddRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java index d4f1c6f..f9d0fa3 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoreParser.java @@ -16,7 +16,7 @@ package org.wildfly.extension.elytron.tls.subsystem; -import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_STORE_OBJECT; +import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_STORE; import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_STORES; import org.jboss.as.controller.PathElement; 
@@ -25,7 +25,7 @@ class KeyStoreParser { - final PersistentResourceXMLDescription keyStoreParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(KEY_STORE_OBJECT)) + final PersistentResourceXMLDescription keyStoreParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(KEY_STORE)) .setXmlWrapperElement(KEY_STORES) .addAttribute(KeyStoreDefinition.CREDENTIAL_REFERENCE) .addAttribute(KeyStoreDefinition.TYPE) diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java index 0e1fe19..d0c8917 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/ManagerParsers.java @@ -16,9 +16,9 @@ package org.wildfly.extension.elytron.tls.subsystem; -import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_MANAGER_OBJECT; +import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_MANAGER; import static org.wildfly.extension.elytron.tls.subsystem.Constants.KEY_MANAGERS; -import static org.wildfly.extension.elytron.tls.subsystem.Constants.TRUST_MANAGER_OBJECT; +import static org.wildfly.extension.elytron.tls.subsystem.Constants.TRUST_MANAGER; import static org.wildfly.extension.elytron.tls.subsystem.Constants.TRUST_MANAGERS; import org.jboss.as.controller.PathElement; @@ -27,7 +27,7 @@ class ManagerParsers { - final PersistentResourceXMLDescription keyManagerParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(KEY_MANAGER_OBJECT)) + final PersistentResourceXMLDescription keyManagerParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(KEY_MANAGER)) .setXmlWrapperElement(KEY_MANAGERS) .addAttribute(SSLContextDefinitions.ALGORITHM) .addAttribute(SSLContextDefinitions.KEY_STORE) 
@@ -39,7 +39,7 @@ class ManagerParsers { .addAttribute(CredentialReference.getAttributeDefinition()) .build(); - final PersistentResourceXMLDescription trustManagerParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(TRUST_MANAGER_OBJECT)) + final PersistentResourceXMLDescription trustManagerParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(TRUST_MANAGER)) .setXmlWrapperElement(TRUST_MANAGERS) .addAttribute(SSLContextDefinitions.ALGORITHM) .addAttribute(SSLContextDefinitions.KEY_STORE) diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDefinitions.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDefinitions.java index 22ea0d4..d0f428e 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDefinitions.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDefinitions.java @@ -120,6 +120,9 @@ import org.wildfly.security.ssl.X509RevocationTrustManager; +/** + * @author Cameron Rodriguez + */ public class SSLContextDefinitions { static final ServiceUtil SERVER_SERVICE_UTIL = ServiceUtil.newInstance(SSL_CONTEXT_RUNTIME_CAPABILITY, Constants.SERVER_SSL_CONTEXT, SSLContext.class); 
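Review bot: The class Javadoc added above `public class SSLContextDefinitions` carries only an `@author` tag and no summary sentence, so it documents nothing about the class. A first sentence such as `Attribute and resource definitions for the key-manager, trust-manager and SSL context resources of the Elytron TLS subsystem.` would tell a reader what the class holds, which the `getKeyManagerDefinition`, `getTrustManagerDefinition` and `getClientSSLContextDefinition` factories in the later hunks bear out.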
@@ -282,10 +285,23 @@ public class SSLContextDefinitions { static final SimpleAttributeDefinition KEY_STORE = new SimpleAttributeDefinitionBuilder(Constants.KEY_STORE, ModelType.STRING, true) .setMinSize(1) .setRequired(true) - .setAlternatives(Constants.KEY_STORE_OBJECT) + // .setAlternatives(Constants.KEY_STORE_OBJECT) .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES) .setAllowExpression(false) .build(); + + static final SimpleAttributeDefinition keystoreKMDefinition = new SimpleAttributeDefinitionBuilder(KEY_STORE) + .setCapabilityReference(KEY_STORE_CAPABILITY, KEY_MANAGER_CAPABILITY) + .setAllowExpression(false) + .setRestartAllServices() + .build(); + + static final SimpleAttributeDefinition keystoreTMDefinition = new SimpleAttributeDefinitionBuilder(KEY_STORE) + .setCapabilityReference(KEY_STORE_CAPABILITY, TRUST_MANAGER_CAPABILITY) + .setAllowExpression(false) + .setRestartAllServices() + .build(); + static final ObjectTypeAttributeDefinition KEY_STORE_OBJECT = new ObjectTypeAttributeDefinition.Builder(Constants.KEY_STORE_OBJECT, TYPE, PATH, RELATIVE_TO, REQUIRED, CREDENTIAL_REFERENCE, ALIAS_FILTER, KeyStoreDefinition.PROVIDER_NAME, KeyStoreDefinition.PROVIDERS) 
@@ -296,14 +312,13 @@ public class SSLContextDefinitions { .setRestartAllServices() .build(); - - static final SimpleAttributeDefinition keystoreKMDefinition = new SimpleAttributeDefinitionBuilder(KEY_STORE) - .setCapabilityReference(KEY_STORE_CAPABILITY, KEY_MANAGER_CAPABILITY) + static final ObjectTypeAttributeDefinition keystoreKMObjectDefinition = new ObjectTypeAttributeDefinition.Builder(Constants.KEY_STORE_OBJECT, KEY_STORE_OBJECT) + .setCapabilityReference(KEY_STORE_CAPABILITY, TRUST_MANAGER_CAPABILITY) .setAllowExpression(false) .setRestartAllServices() .build(); - - static final SimpleAttributeDefinition keystoreTMDefinition = new SimpleAttributeDefinitionBuilder(KEY_STORE) + + static final ObjectTypeAttributeDefinition keystoreTMObjectDefinition = new ObjectTypeAttributeDefinition.Builder(Constants.KEY_STORE_OBJECT, KEY_STORE_OBJECT) .setCapabilityReference(KEY_STORE_CAPABILITY, TRUST_MANAGER_CAPABILITY) .setAllowExpression(false) .setRestartAllServices() @@ -313,7 +328,7 @@ public class SSLContextDefinitions { static final SimpleAttributeDefinition RESPONDER_KEYSTORE = new SimpleAttributeDefinitionBuilder(Constants.RESPONDER_KEYSTORE, ModelType.STRING, true) .setRequired(false) - .setAlternatives(Constants.RESPONDER_KEYSTORE_OBJECT) + // .setAlternatives(Constants.RESPONDER_KEYSTORE_OBJECT) .setRequires(Constants.RESPONDER_CERTIFICATE) .setAllowExpression(true) .setRestartAllServices() @@ -324,6 +339,7 @@ public class SSLContextDefinitions { .setRequired(false) .setAlternatives(Constants.RESPONDER_KEYSTORE) .setRequires(Constants.RESPONDER_CERTIFICATE) + .setAllowExpression(true) .setRestartAllServices() .build(); 
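Review bot: `keystoreKMObjectDefinition` is built with `.setCapabilityReference(KEY_STORE_CAPABILITY, TRUST_MANAGER_CAPABILITY)`, which looks like a copy-paste from the TM variant directly below it; the key-manager counterpart `keystoreKMDefinition` in the preceding hunk uses `KEY_MANAGER_CAPABILITY`, so this line should read `.setCapabilityReference(KEY_STORE_CAPABILITY, KEY_MANAGER_CAPABILITY)`. Both new object definitions also place a capability reference on an inline keystore object rather than on a name; if they are ever registered the recorder would presumably treat the nested object as a capability name, so consider leaving the references off until the object form is actually consumed. In the `@@ -324` hunk, `RESPONDER_KEYSTORE_OBJECT` keeps `.setAlternatives(Constants.RESPONDER_KEYSTORE)` while the reverse alternative on `RESPONDER_KEYSTORE` is commented out and the `@@ -376` hunk removes the object from `OCSP`; the one-sided alternative should go as well.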
@@ -376,7 +392,7 @@ public class SSLContextDefinitions { .build(); static final ObjectTypeAttributeDefinition OCSP = new ObjectTypeAttributeDefinition.Builder(Constants.OCSP, RESPONDER, PREFER_CRLS, - RESPONDER_CERTIFICATE, RESPONDER_KEYSTORE, RESPONDER_KEYSTORE_OBJECT) + RESPONDER_CERTIFICATE, RESPONDER_KEYSTORE/* , RESPONDER_KEYSTORE_OBJECT */) .setRequired(false) .setRestartAllServices() .build(); @@ -385,17 +401,18 @@ public class SSLContextDefinitions { static final SimpleAttributeDefinition KEY_MANAGER = new SimpleAttributeDefinitionBuilder(Constants.KEY_MANAGER, ModelType.STRING, true) .setMinSize(1) - .setAlternatives(Constants.KEY_MANAGER_OBJECT) + // .setAlternatives(Constants.KEY_MANAGER_OBJECT) .setCapabilityReference(KEY_MANAGER_CAPABILITY, SSL_CONTEXT_CAPABILITY) .setAllowExpression(false) .setRestartAllServices() .build(); static final ObjectTypeAttributeDefinition KEY_MANAGER_OBJECT = new ObjectTypeAttributeDefinition.Builder(Constants.KEY_MANAGER_OBJECT, - ALGORITHM, providersKMDefinition, PROVIDER_NAME, keystoreKMDefinition, KEY_STORE_OBJECT, ALIAS_FILTER, CREDENTIAL_REFERENCE, - GENERATE_SELF_SIGNED_CERTIFICATE_HOST) + ALGORITHM, providersKMDefinition, PROVIDER_NAME, keystoreKMDefinition, keystoreKMObjectDefinition, ALIAS_FILTER, CREDENTIAL_REFERENCE, + GENERATE_SELF_SIGNED_CERTIFICATE_HOST) .setRequired(true) .setAlternatives(Constants.KEY_MANAGER) + .setCapabilityReference(KEY_MANAGER_CAPABILITY, SSL_CONTEXT_CAPABILITY) .setAllowExpression(false) .setRestartAllServices() .build(); 
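Review bot: `KEY_MANAGER_OBJECT` gains `.setCapabilityReference(KEY_MANAGER_CAPABILITY, SSL_CONTEXT_CAPABILITY)` and keeps `.setAlternatives(Constants.KEY_MANAGER)`, but the `@@ -984` hunk of `getClientSSLContextDefinition` removes it from the registered attributes and `KEY_MANAGER` no longer names it as an alternative, so the definition is now dead configuration with a one-sided alternative; the same applies to `TRUST_MANAGER_OBJECT` in the next hunk. A capability reference on an object-typed attribute is also doubtful, since as I understand it the default recorder uses the attribute's value as the referenced capability's dynamic name. If the inline form is meant to return later, add `// TODO: re-register once inline key/trust-manager definitions are supported` and drop the alternative until then; otherwise delete both definitions.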
@@ -405,16 +422,17 @@ public class SSLContextDefinitions { static final SimpleAttributeDefinition TRUST_MANAGER = new SimpleAttributeDefinitionBuilder(Constants.TRUST_MANAGER, ModelType.STRING, true) .setMinSize(1) - .setAlternatives(Constants.TRUST_MANAGER_OBJECT) + // .setAlternatives(Constants.TRUST_MANAGER_OBJECT) .setCapabilityReference(TRUST_MANAGER_CAPABILITY, SSL_CONTEXT_CAPABILITY) .setAllowExpression(false) .setRestartAllServices() .build(); static final ObjectTypeAttributeDefinition TRUST_MANAGER_OBJECT = new ObjectTypeAttributeDefinition.Builder(Constants.TRUST_MANAGER_OBJECT, ALGORITHM, - PROVIDER_NAME, providersTMDefinition, keystoreTMDefinition, KEY_STORE_OBJECT, ALIAS_FILTER, CERTIFICATE_REVOCATION_LIST, + PROVIDER_NAME, providersTMDefinition, keystoreTMDefinition, keystoreTMObjectDefinition, ALIAS_FILTER, CERTIFICATE_REVOCATION_LIST, CERTIFICATE_REVOCATION_LISTS, OCSP, SOFT_FAIL, ONLY_LEAF_CERT, MAXIMUM_CERT_PATH) .setAlternatives(Constants.TRUST_MANAGER) + .setCapabilityReference(TRUST_MANAGER_CAPABILITY, SSL_CONTEXT_CAPABILITY) .setAllowExpression(false) .setRestartAllServices() .build(); 
@@ -442,11 +460,11 @@ public class SSLContextDefinitions { static ResourceDefinition getKeyManagerDefinition() { - final StandardResourceDescriptionResolver RESOURCE_RESOLVER = ElytronTlsExtension.getResourceDescriptionResolver(Constants.KEY_MANAGER_OBJECT); + final StandardResourceDescriptionResolver RESOURCE_RESOLVER = ElytronTlsExtension.getResourceDescriptionResolver(Constants.KEY_MANAGER); final ObjectTypeAttributeDefinition credentialReferenceDefinition = CredentialReference.getAttributeDefinition(true); AttributeDefinition[] attributes = new AttributeDefinition[]{ALGORITHM, providersKMDefinition, PROVIDER_NAME, - keystoreKMDefinition, ALIAS_FILTER, credentialReferenceDefinition, GENERATE_SELF_SIGNED_CERTIFICATE_HOST}; + keystoreKMDefinition, /* keystoreKMObjectDefinition */ ALIAS_FILTER, credentialReferenceDefinition, GENERATE_SELF_SIGNED_CERTIFICATE_HOST}; AbstractAddStepHandler add = new TrivialAddHandler(KeyManager.class, attributes, KEY_MANAGER_RUNTIME_CAPABILITY) { @@ -470,12 +488,12 @@ protected ValueSupplier getValueSupplier(ServiceBuilder context, providersName); Supplier pathManagerSupplier = serviceBuilder.requires(PATH_MANAGER_CAPABILITY.getCapabilityServiceName()); - final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); + // final ModelNode keyStoreObject = keystoreKMObjectDefinition.resolveModelAttribute(context, model); final String keyStoreName = keystoreKMDefinition.resolveModelAttribute(context, model).asStringOrNull(); final ModifiableKeyStoreService keyStoreService = getModifiableKeyStoreService(context, keyStoreName); ExceptionSupplier keyStoreSupplier; - if (keyStoreName != null) { + /* if (keyStoreName != null) { if (keyStoreObject != null) { throw LOGGER.multipleKeystoreDefinitions(); } 
@@ -485,7 +503,8 @@ protected ValueSupplier getValueSupplier(ServiceBuilder LOGGER.missingKeyStoreDefinition(); } keyStoreSupplier = createKeyStore(serviceBuilder, context, keyStoreObject, pathManagerSupplier, providersSupplier); - } + } */ + keyStoreSupplier = new SSLContextExceptionSupplier<>(KEY_STORE_CAPABILITY, KeyStore.class, serviceBuilder, context, keyStoreName); final String algorithm = algorithmName != null ? algorithmName : KeyManagerFactory.getDefaultAlgorithm(); DelegatingKeyManager delegatingKeyManager = new DelegatingKeyManager(); @@ -521,7 +540,8 @@ protected ValueSupplier getValueSupplier(ServiceBuilder if (cs != null) { password = cs.getCredential(PasswordCredential.class).getPassword(ClearPassword.class).getPassword(); } else { - throw new StartException(LOGGER.keyStorePasswordCannotBeResolved(keyStoreName == null ? keyStoreObject.asStringOrNull() : keyStoreName)); + // throw new StartException(LOGGER.keyStorePasswordCannotBeResolved(keyStoreName == null ? keyStoreObject.asStringOrNull() : keyStoreName)); + throw new StartException(LOGGER.keyStorePasswordCannotBeResolved(keyStoreName)); } if (LOGGER.isTraceEnabled()) { LOGGER.tracef( @@ -575,9 +595,9 @@ public T get() throws E { } }; - final ServiceUtil KEY_MANAGER_UTIL = ServiceUtil.newInstance(KEY_MANAGER_RUNTIME_CAPABILITY, Constants.KEY_MANAGER_OBJECT, KeyManager.class); + final ServiceUtil KEY_MANAGER_UTIL = ServiceUtil.newInstance(KEY_MANAGER_RUNTIME_CAPABILITY, Constants.KEY_MANAGER, KeyManager.class); return TrivialResourceDefinition.builder() - .setPathKey(Constants.KEY_MANAGER_OBJECT) + .setPathKey(Constants.KEY_MANAGER) .setAddHandler(add) .setAttributes(attributes) .setRuntimeCapabilities(KEY_MANAGER_RUNTIME_CAPABILITY) 
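Review bot: The replacement `keyStoreSupplier = new SSLContextExceptionSupplier<>(KEY_STORE_CAPABILITY, KeyStore.class, serviceBuilder, context, keyStoreName);` is reached with `keyStoreName` obtained via `.asStringOrNull()` in the `@@ -470` hunk, and the only check for a missing keystore now sits inside the `/* ... */` block, so a null name flows straight into the supplier (and into `getModifiableKeyStoreService` just above). `KEY_STORE` is marked `.setRequired(true)`, so model validation probably prevents this, but a defensive `if (keyStoreName == null) { throw LOGGER.missingKeyStoreDefinition(); }` before the assignment (assuming that logger method returns an exception as `multipleKeystoreDefinitions()` does) keeps the failure readable instead of surfacing as a capability lookup on a null name. The `@@ -521` hunk leaves the old `throw` as a comment beside the new one; delete it rather than keep both. The enclosing `getValueSupplier` starts and ends outside these hunks.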
@@ -589,11 +609,10 @@ public T get() throws E { static ResourceDefinition getTrustManagerDefinition() { - final StandardResourceDescriptionResolver RESOURCE_RESOLVER = ElytronTlsExtension.getResourceDescriptionResolver(Constants.TRUST_MANAGER_OBJECT); - final ObjectTypeAttributeDefinition credentialReferenceDefinition = CredentialReference.getAttributeDefinition(true); + final StandardResourceDescriptionResolver RESOURCE_RESOLVER = ElytronTlsExtension.getResourceDescriptionResolver(Constants.TRUST_MANAGER); AttributeDefinition[] attributes = new AttributeDefinition[]{ALGORITHM, providersTMDefinition, PROVIDER_NAME, - keystoreTMDefinition, ALIAS_FILTER, credentialReferenceDefinition, CERTIFICATE_REVOCATION_LIST, CERTIFICATE_REVOCATION_LISTS, OCSP, SOFT_FAIL, ONLY_LEAF_CERT, MAXIMUM_CERT_PATH}; + keystoreTMDefinition, /* keystoreTMObjectDefinition, */ ALIAS_FILTER, CERTIFICATE_REVOCATION_LIST, CERTIFICATE_REVOCATION_LISTS, OCSP, SOFT_FAIL, ONLY_LEAF_CERT, MAXIMUM_CERT_PATH}; AbstractAddStepHandler add = new TrivialAddHandler(TrustManager.class, attributes, TRUST_MANAGER_RUNTIME_CAPABILITY) { @@ -608,11 +627,11 @@ protected ValueSupplier getValueSupplier(ServiceBuilder pathManagerSupplier = serviceBuilder.requires(PATH_MANAGER_CAPABILITY.getCapabilityServiceName()); - final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); + // final ModelNode keyStoreObject = keystoreTMObjectDefinition.resolveModelAttribute(context, model); final String keyStoreName = keystoreTMDefinition.resolveModelAttribute(context, model).asStringOrNull(); final ExceptionSupplier keyStoreSupplier; - if (keyStoreName != null) { + /* if (keyStoreName != null) { if (keyStoreObject != null) { throw LOGGER.multipleKeystoreDefinitions(); } 
@@ -622,7 +641,8 @@ protected ValueSupplier getValueSupplier(ServiceBuilder(KEY_STORE_CAPABILITY, KeyStore.class, serviceBuilder, context, keyStoreName); final String algorithm = algorithmName != null ? algorithmName : TrustManagerFactory.getDefaultAlgorithm(); @@ -708,7 +728,7 @@ private ValueSupplier createX509RevocationTrustManager(ServiceBuil boolean preferCrls = PREFER_CRLS.resolveModelAttribute(context, ocspNode).asBoolean(false); String responder = RESPONDER.resolveModelAttribute(context, ocspNode).asStringOrNull(); String responderCertAlias = RESPONDER_CERTIFICATE.resolveModelAttribute(context, ocspNode).asStringOrNull(); - String responderKeystore = RESPONDER_KEYSTORE_OBJECT.resolveModelAttribute(context, ocspNode).asStringOrNull(); + String responderKeystore = RESPONDER_KEYSTORE.resolveModelAttribute(context, ocspNode).asStringOrNull(); final ExceptionSupplier responderStoreSupplier = responderKeystore != null ? new SSLContextExceptionSupplier<>(KEY_STORE_CAPABILITY, KeyStore.class, serviceBuilder, context, responderKeystore) @@ -899,10 +919,10 @@ public T get() throws E { } }; - ResourceDescriptionResolver resolver = ElytronTlsExtension.getResourceDescriptionResolver(Constants.TRUST_MANAGER_OBJECT); - final ServiceUtil TRUST_MANAGER_UTIL = ServiceUtil.newInstance(TRUST_MANAGER_RUNTIME_CAPABILITY, Constants.TRUST_MANAGER_OBJECT, TrustManager.class); + ResourceDescriptionResolver resolver = ElytronTlsExtension.getResourceDescriptionResolver(Constants.TRUST_MANAGER); + final ServiceUtil TRUST_MANAGER_UTIL = ServiceUtil.newInstance(TRUST_MANAGER_RUNTIME_CAPABILITY, Constants.TRUST_MANAGER, TrustManager.class); return TrivialResourceDefinition.builder() - .setPathKey(Constants.TRUST_MANAGER_OBJECT) + .setPathKey(Constants.TRUST_MANAGER) .setResourceDescriptionResolver(resolver) .setAddHandler(add) .setAttributes(attributes) 
@@ -974,9 +994,6 @@ protected ServiceUtil getSSLContextServiceUtil() { static ResourceDefinition getClientSSLContextDefinition(boolean serverOrHostController) { - final ObjectTypeAttributeDefinition credentialReferenceDefinition = CredentialReference.getAttributeDefinition(true); - - final SimpleAttributeDefinition providersDefinition = new SimpleAttributeDefinitionBuilder(PROVIDERS) .setCapabilityReference(PROVIDERS_CAPABILITY, SSL_CONTEXT_CAPABILITY) .setAllowExpression(false) @@ -984,7 +1001,7 @@ static ResourceDefinition getClientSSLContextDefinition(boolean serverOrHostCont .build(); final AttributeDefinition[] attributes = new AttributeDefinition[]{CIPHER_SUITE_FILTER, CIPHER_SUITE_NAMES, - PROTOCOLS, KEY_MANAGER_OBJECT, KEY_MANAGER, TRUST_MANAGER_OBJECT, TRUST_MANAGER, + PROTOCOLS, /* KEY_MANAGER_OBJECT, */ KEY_MANAGER, /* TRUST_MANAGER_OBJECT, */ TRUST_MANAGER, PROVIDER_NAME, providersDefinition}; AbstractAddStepHandler add = new TrivialAddHandler(SSLContext.class, attributes, SSL_CONTEXT_RUNTIME_CAPABILITY) { 
@@ -1003,22 +1020,24 @@ protected ValueSupplier getValueSupplier(ServiceBuilder SSLContextExceptionSupplier trustManagerSupplier; final String keyManagerName = KEY_MANAGER.resolveModelAttribute(context, model).asStringOrNull(); - final ModelNode keyManagerObject = KEY_MANAGER_OBJECT.resolveModelAttribute(context, model); + /* final ModelNode keyManagerObject = KEY_MANAGER_OBJECT.resolveModelAttribute(context, model); if (keyManagerObject.isDefined()) { keyManagerSupplier = (SSLContextExceptionSupplier) createKeyManager(serviceBuilder, context, keyManagerObject, pathManagerSupplier, providersSupplier); } else { // Use reference keyManagerSupplier = new SSLContextExceptionSupplier<>(KEY_MANAGER_CAPABILITY, KeyManager.class, serviceBuilder, context, keyManagerName); - } + } */ + keyManagerSupplier = new SSLContextExceptionSupplier<>(KEY_MANAGER_CAPABILITY, KeyManager.class, serviceBuilder, context, keyManagerName); final String trustManagerName = TRUST_MANAGER.resolveModelAttribute(context, model).asStringOrNull(); - final ModelNode trustManagerObject = TRUST_MANAGER_OBJECT.resolveModelAttribute(context, model); + /* final ModelNode trustManagerObject = TRUST_MANAGER_OBJECT.resolveModelAttribute(context, model); if (trustManagerObject.isDefined()) { trustManagerSupplier = (SSLContextExceptionSupplier) createTrustManager(serviceBuilder, context, trustManagerObject, pathManagerSupplier, providersSupplier); } else { trustManagerSupplier = new SSLContextExceptionSupplier<>(TRUST_MANAGER_CAPABILITY, TrustManager.class, serviceBuilder, context, trustManagerName); - } + } */ + trustManagerSupplier = new SSLContextExceptionSupplier<>(TRUST_MANAGER_CAPABILITY, TrustManager.class, serviceBuilder, context, trustManagerName); final SSLContextExceptionSupplier finalKeyManagerSupplier = keyManagerSupplier; final SSLContextExceptionSupplier finalTrustManagerSupplier = trustManagerSupplier; 
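Review bot: Both SSL-context value suppliers now assign `keyManagerSupplier` and `trustManagerSupplier` unconditionally, which leaves the earlier non-final declarations and the `finalKeyManagerSupplier`/`finalTrustManagerSupplier` copies as leftovers; declaring each supplier `final` at its `new SSLContextExceptionSupplier<>(...)` line lets the lambda capture it directly and the two copies can go. The same applies to the server-side hunk at `@@ -1129,22 +1148,24 @@`, and the `/* KEY_MANAGER_OBJECT, */`/`/* TRUST_MANAGER_OBJECT, */` entries in the attribute arrays at `@@ -984` and `@@ -1097` are the same pattern. The commented-out blocks should be deleted rather than kept as `/* ... */`: the server-side commented branch still reads `createTrustManager(serviceBuilder, context, keyManagerObject, ...)`, so anyone reinstating it from the comment would feed the key-manager node to the trust-manager builder. The enclosing `getValueSupplier` begins outside the hunk.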
@@ -1097,7 +1116,7 @@ static ResourceDefinition getServerSSLContextDefinition(boolean serverOrHostCont .build(); final AttributeDefinition[] attributes = new AttributeDefinition[]{CIPHER_SUITE_FILTER, CIPHER_SUITE_NAMES, - PROTOCOLS, KEY_MANAGER_OBJECT, credentialReferenceDefinition, keyManagerDefinition, TRUST_MANAGER_OBJECT, TRUST_MANAGER, PROVIDER_NAME, + PROTOCOLS, /* KEY_MANAGER_OBJECT, */ keyManagerDefinition, /* TRUST_MANAGER_OBJECT, */ TRUST_MANAGER, PROVIDER_NAME, providersDefinition, WANT_CLIENT_AUTH, NEED_CLIENT_AUTH, AUTHENTICATION_OPTIONAL, USE_CIPHER_SUITES_ORDER, MAXIMUM_SESSION_CACHE_SIZE, SESSION_TIMEOUT, WRAP}; 
@@ -1129,22 +1148,24 @@ protected ValueSupplier getValueSupplier(ServiceBuilder SSLContextExceptionSupplier trustManagerSupplier; final String keyManagerName = keyManagerDefinition.resolveModelAttribute(context, model).asStringOrNull(); - final ModelNode keyManagerObject = KEY_MANAGER_OBJECT.resolveModelAttribute(context, model); + /* final ModelNode keyManagerObject = KEY_MANAGER_OBJECT.resolveModelAttribute(context, model); if (keyManagerObject.isDefined()) { keyManagerSupplier = (SSLContextExceptionSupplier) createKeyManager(serviceBuilder, context, keyManagerObject, pathManagerSupplier, providersSupplier); } else { // Use reference keyManagerSupplier = new SSLContextExceptionSupplier<>(KEY_MANAGER_CAPABILITY, KeyManager.class, serviceBuilder, context, keyManagerName); - } + } */ + keyManagerSupplier = new SSLContextExceptionSupplier<>(KEY_MANAGER_CAPABILITY, KeyManager.class, serviceBuilder, context, keyManagerName); final String trustManagerName = TRUST_MANAGER.resolveModelAttribute(context, model).asStringOrNull(); - final ModelNode trustManagerObject = TRUST_MANAGER_OBJECT.resolveModelAttribute(context, model); + /* final ModelNode trustManagerObject = TRUST_MANAGER_OBJECT.resolveModelAttribute(context, model); if (trustManagerObject.isDefined()) { trustManagerSupplier = (SSLContextExceptionSupplier) createTrustManager(serviceBuilder, context, keyManagerObject, pathManagerSupplier, providersSupplier); } else { trustManagerSupplier = new SSLContextExceptionSupplier<>(TRUST_MANAGER_CAPABILITY, TrustManager.class, serviceBuilder, context, trustManagerName); - } + } */ + trustManagerSupplier = new SSLContextExceptionSupplier<>(TRUST_MANAGER_CAPABILITY, TrustManager.class, serviceBuilder, context, trustManagerName); final SSLContextExceptionSupplier finalKeyManagerSupplier = keyManagerSupplier; final SSLContextExceptionSupplier finalTrustManagerSupplier = trustManagerSupplier; 
@@ -1221,7 +1242,7 @@ private static ExceptionSupplier createTrustManager(Ser final String aliasFilter = ALIAS_FILTER.resolveModelAttribute(context, model).asStringOrNull(); final String providerName = PROVIDER_NAME.resolveModelAttribute(context, model).asStringOrNull(); - final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); + final ModelNode keyStoreObject = keystoreTMObjectDefinition.resolveModelAttribute(context, model); final String keyStoreName = keystoreTMDefinition.resolveModelAttribute(context, model).asStringOrNull(); ExceptionSupplier keyStoreSupplier; @@ -1491,7 +1512,7 @@ private static ExceptionSupplier createKeyManager(Service final String generateSelfSignedCertificateHost = GENERATE_SELF_SIGNED_CERTIFICATE_HOST.resolveModelAttribute(context, model).asStringOrNull(); final String providerName = PROVIDER_NAME.resolveModelAttribute(context, model).asStringOrNull(); - final ModelNode keyStoreObject = KEY_STORE_OBJECT.resolveModelAttribute(context, model); + final ModelNode keyStoreObject = keystoreKMObjectDefinition.resolveModelAttribute(context, model); final String keyStoreName = keystoreKMDefinition.resolveModelAttribute(context, model).asStringOrNull(); final ModifiableKeyStoreService keyStoreService = getModifiableKeyStoreService(context, keyStoreName); ExceptionSupplier keyStoreSupplier; diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDependencyProcessor.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDependencyProcessor.java new file mode 100644 index 0000000..5aa8479 --- /dev/null +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextDependencyProcessor.java 
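Review bot: `createTrustManager` and `createKeyManager` are changed to resolve `keystoreTMObjectDefinition` and `keystoreKMObjectDefinition`, yet this same commit comments those definitions out of the registered attribute arrays (at least the trust-manager array at `@@ -589`) and comments out every call to these two helpers, so they are dead code reading attributes the resource presumably no longer exposes. Either remove the helpers together with the feature, or mark each with a comment such as `// Unused while inline key-store objects are disabled (WFCORE-5279); retained for the object-style attributes` so the mismatch is clearly intentional. Both helpers start outside their hunks.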
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2018 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.extension.elytron.tls.subsystem;
+
+import javax.net.ssl.SSLContext;
+
+import org.jboss.as.server.deployment.DeploymentPhaseContext;
+import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
+import org.jboss.as.server.deployment.DeploymentUnitProcessor;
+
+/**
+ * A simple {@link DeploymentUnitProcessor} to ensure deployments wait until the default {@link SSLContext} has been registered.
+ *
+ * @author Darran Lofthouse
+ */
+class SSLContextDependencyProcessor implements DeploymentUnitProcessor {
+
+    /**
+     * @see org.jboss.as.server.deployment.DeploymentUnitProcessor#deploy(org.jboss.as.server.deployment.DeploymentPhaseContext)
+     */
+    @Override
+    public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
+        phaseContext.addDeploymentDependency(DefaultSSLContextService.SERVICE_NAME, ElytronTlsExtension.SSL_CONTEXT_KEY);
+    }
+
+}
diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java
index 3dbeb5c..807e49e 100644
--- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java
+++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SSLContextParsers.java
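Review bot: `deploy` registers a dependency on `DefaultSSLContextService.SERVICE_NAME` for every deployment unit, which is only safe if this processor is itself registered solely when a default SSL context is configured; the registration site is not in this diff, so confirm it is guarded, otherwise deployments on a server without a default SSL context would wait on a service that is never installed. The header carries `Copyright 2018` and `@author Darran Lofthouse` on a file introduced by this commit; if it was copied from another subsystem, say so in the header comment and update the year and author. A one-sentence Javadoc on `deploy` stating that the dependency is added unconditionally for each deployment unit would be more useful than the bare `@see`.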
@@ -26,6 +26,9 @@ import org.jboss.as.controller.PathElement; import org.jboss.as.controller.PersistentResourceXMLDescription; +/** + * @author Cameron Rodriguez + */ class SSLContextParsers { final PersistentResourceXMLDescription clientSslContextParser_1_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT)) diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SecurityActions.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SecurityActions.java index 46c9618..5afcd3b 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SecurityActions.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/SecurityActions.java @@ -23,7 +23,7 @@ import org.wildfly.security.manager.WildFlySecurityManager; /** - * Wrapper around {@link AccessController#doPrivileged(PrivilegedAction)} for the 'org.wildfly.extension.elytron' package. + * Wrapper around {@link AccessController#doPrivileged(PrivilegedAction)} for the 'org.wildfly.extension.elytron.tls.subsystem' package. * * @author Darran Lofthouse */ diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialCapabilityServiceRemoveHandler.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialCapabilityServiceRemoveHandler.java index 39cd453..499316b 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialCapabilityServiceRemoveHandler.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialCapabilityServiceRemoveHandler.java @@ -17,7 +17,7 @@ */ package org.wildfly.extension.elytron.tls.subsystem; -import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.ELYTRON_CAPABILITY; +import static org.wildfly.extension.elytron.tls.subsystem.Capabilities.ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME; import java.util.Arrays; import java.util.HashSet; 
@@ -60,7 +60,7 @@ protected void recordCapabilitiesAndRequirements(OperationContext context, Model super.recordCapabilitiesAndRequirements(context, operation, resource); final String pathValue = context.getCurrentAddressValue(); for (RuntimeCapability r : allCapabilities) { - context.deregisterCapabilityRequirement(ELYTRON_CAPABILITY, r.isDynamicallyNamed() ? r.getDynamicName(pathValue) : r.getName()); + context.deregisterCapabilityRequirement(ELYTRON_TLS_SUBSYSTEM_CAPABILITY_NAME, r.isDynamicallyNamed() ? r.getDynamicName(pathValue) : r.getName()); } } diff --git a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialResourceDefinition.java b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialResourceDefinition.java index 8203368..a12c0e1 100644 --- a/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialResourceDefinition.java +++ b/subsystem/src/main/java/org/wildfly/extension/elytron/tls/subsystem/TrivialResourceDefinition.java @@ -25,7 +25,6 @@ import org.jboss.as.controller.AbstractAddStepHandler; import org.jboss.as.controller.AbstractRemoveStepHandler; -import org.jboss.as.controller.AbstractWriteAttributeHandler; import org.jboss.as.controller.AttributeDefinition; import org.jboss.as.controller.OperationDefinition; import org.jboss.as.controller.OperationStepHandler; @@ -77,7 +76,7 @@ private TrivialResourceDefinition(String pathKey, ResourceDescriptionResolver re @Override public void registerAttributes(ManagementResourceRegistration resourceRegistration) { if (attributes != null && attributes.length > 0) { - AbstractWriteAttributeHandler writeHandler = new ElytronReloadRequiredWriteAttributeHandler(attributes); + ElytronReloadRequiredWriteAttributeHandler writeHandler = new ElytronReloadRequiredWriteAttributeHandler(attributes); for (AttributeDefinition current : attributes) { resourceRegistration.registerReadWriteAttribute(current, null, writeHandler); } 
diff --git a/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties b/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties index 9ef6aeb..394ef38 100644 --- a/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties +++ b/subsystem/src/main/resources/org/wildfly/extension/elytron/tls/subsystem/LocalDescriptions.properties 
@@ -224,6 +224,82 @@ elytron-tls.key-store.alias.certificate-chain.signature-algorithm=The algorithm elytron-tls.key-store.alias.certificate-chain.signature=The signature of the certificate. elytron-tls.key-store.alias.certificate-chain.version=The certificate version. +elytron-tls.modifiable-key-store.read-alias=Read an alias from a KeyStore. +elytron-tls.modifiable-key-store.read-alias.alias=The alias of the KeyStore item to read. +elytron-tls.modifiable-key-store.read-alias.verbose=Whether or not to include the public key and encoded form of a certificate in the output. The default value is true. +elytron-tls.modifiable-key-store.read-aliases=Read aliases from a KeyStore. +elytron-tls.modifiable-key-store.read-aliases.recursive=Include information about each alias in the KeyStore. The default value is false. +elytron-tls.modifiable-key-store.read-aliases.verbose=Whether or not to include the public key and encoded form of a certificate in the output. The default value is true. +elytron-tls.modifiable-key-store.remove-alias=Remove an alias from a KeyStore. +elytron-tls.modifiable-key-store.remove-alias.alias=The alias of the KeyStore item to remove. + +elytron-tls.modifiable-key-store.generate-key-pair=Generate a key pair and wrap the resulting public key in a self-signed X.509 certificate. The generated private key and self-signed certificate will be added to the KeyStore. +elytron-tls.modifiable-key-store.generate-key-pair.alias=The alias of the new KeyStore entry. +elytron-tls.modifiable-key-store.generate-key-pair.algorithm=The algorithm to be used to generate the key pair. +elytron-tls.modifiable-key-store.generate-key-pair.key-size=The key size to use when generating the key pair. +elytron-tls.modifiable-key-store.generate-key-pair.signature-algorithm=The signature algorithm name to use when signing the self-signed certificate. +elytron-tls.modifiable-key-store.generate-key-pair.distinguished-name=The DN to use as both the subject DN and the issuer DN. 
+elytron-tls.modifiable-key-store.generate-key-pair.not-before=The starting date and time the self-signed certificate is valid. +elytron-tls.modifiable-key-store.generate-key-pair.validity=The number of days for which the self-signed certificate should be considered valid. The default value is 90 days. +elytron-tls.modifiable-key-store.generate-key-pair.extensions=The list of X.509 certificate extensions to include in the self-signed certificate. +elytron-tls.modifiable-key-store.generate-key-pair.credential-reference=The credential reference to be used to protect the generated private key. + +elytron-tls.modifiable-key-store.generate-certificate-signing-request=Generate a PKCS #10 certificate signing request. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.alias=The alias that identifies the PrivateKeyEntry to use to generate the certificate signing request. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.signature-algorithm=The signature algorithm name to use when signing the certificate signing request. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.distinguished-name=The DN to use in the certificate signing request. If not specified, the DN from the certificate will be used. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.extensions=The list of X.509 certificate extensions to include in the certificate signing request. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.credential-reference=The credential reference to be used to access the private key. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.path=The path to the file where the certificate signing request should be stored. +elytron-tls.modifiable-key-store.generate-certificate-signing-request.relative-to=The base path of the certificate signing request file. + +elytron-tls.modifiable-key-store.extensions.name=The name of the X.509 certificate extension. 
+elytron-tls.modifiable-key-store.extensions.critical=Specifies whether the X.509 certificate extension should be marked as critical. The default value is false. +elytron-tls.modifiable-key-store.extensions.value=The value of the X.509 certificate extension. +elytron-tls.modifiable-key-store.credential-reference.store=The name of the credential store holding the alias to the credential. +elytron-tls.modifiable-key-store.credential-reference.alias=The alias which denotes the stored secret or credential in the store. +elytron-tls.modifiable-key-store.credential-reference.type=The type of credential this reference is denoting. +elytron-tls.modifiable-key-store.credential-reference.clear-text=Secret specified using clear text. + +elytron-tls.modifiable-key-store.import-certificate=Import a certificate or certificate chain from a file into a KeyStore entry. +elytron-tls.modifiable-key-store.import-certificate.alias=The alias that identifies the KeyStore entry. +elytron-tls.modifiable-key-store.import-certificate.credential-reference=The credential reference to be used to access the private key. +elytron-tls.modifiable-key-store.import-certificate.path=The path to the file that contains the certificate or certificate chain to import in binary encoding format or printable encoding format. +elytron-tls.modifiable-key-store.import-certificate.relative-to=The base path of the certificate file. +elytron-tls.modifiable-key-store.import-certificate.trust-cacerts=Specifies whether certificates from the cacerts file should be included when creating / validating the certificate chain. +elytron-tls.modifiable-key-store.import-certificate.validate=Specifies whether to validate that the top-most certificate is actually trusted when importing a certificate chain or whether to validate the certificate is actually trusted when importing a certificate. The default value is true. 
When this is set to true and validation fails, the certificate or certificate chain will not be imported into a KeyStore entry. + +elytron-tls.modifiable-key-store.export-certificate=Export a certificate from a KeyStore entry to a file. +elytron-tls.modifiable-key-store.export-certificate.alias=The alias that identifies the KeyStore entry. +elytron-tls.modifiable-key-store.export-certificate.path=The path to the file to export the certificate to. +elytron-tls.modifiable-key-store.export-certificate.relative-to=The base path of the export file. +elytron-tls.modifiable-key-store.export-certificate.pem=Specifies whether to export the certificate in printable encoding format. If not specified, the certificate will be exported in binary encoding format. + +elytron-tls.modifiable-key-store.change-alias=Move an existing KeyStore entry to a new alias. +elytron-tls.modifiable-key-store.change-alias.alias=The alias that identifies the existing KeyStore entry to move. +elytron-tls.modifiable-key-store.change-alias.new-alias=The new alias to use. +elytron-tls.modifiable-key-store.change-alias.credential-reference=The credential reference to be used to access the existing KeyStore entry, if needed. + +elytron-tls.modifiable-key-store.obtain-certificate=Obtain a signed certificate from a certificate authority and store it in a KeyStore entry. +elytron-tls.modifiable-key-store.obtain-certificate.alias=The alias of the KeyStore entry. +elytron-tls.modifiable-key-store.obtain-certificate.domain-names=The list of DNS name(s) to request the certificate for. +elytron-tls.modifiable-key-store.obtain-certificate.certificate-authority-account=A reference to the certificate authority account information that should be used to obtain the certificate. +elytron-tls.modifiable-key-store.obtain-certificate.agree-to-terms-of-service=Indicates whether or not the user agrees to the certificate authority terms of service. 
+elytron-tls.modifiable-key-store.obtain-certificate.staging=Indicates whether or not the certificate authority staging URL should be used. This should only be set to true for testing purposes. This should never be set to true in a production environment. +elytron-tls.modifiable-key-store.obtain-certificate.algorithm=The algorithm to be used to generate the key pair. The default value is RSA. +elytron-tls.modifiable-key-store.obtain-certificate.key-size=The key size to use when generating the key pair. The default value is 2048. +elytron-tls.modifiable-key-store.obtain-certificate.credential-reference=The credential reference to be used to protect the generated private key. + +elytron-tls.modifiable-key-store.revoke-certificate=Revoke a signed certificate. +elytron-tls.modifiable-key-store.revoke-certificate.alias=The alias that identifies the KeyStore entry that contains the certificate to be revoked. +elytron-tls.modifiable-key-store.revoke-certificate.reason=The reason for revocation. +elytron-tls.modifiable-key-store.revoke-certificate.certificate-authority-account=A reference to the certificate authority account information that should be uesd to revoke the certificate. +elytron-tls.modifiable-key-store.revoke-certificate.staging=Indicates whether or not the certificate authority staging URL should be used. This should only be set to true for testing purposes. This should never be set to true in a production environment. + +elytron-tls.modifiable-key-store.should-renew-certificate=Check if a signed certificate is due for renewal. +elytron-tls.modifiable-key-store.should-renew-certificate.alias=The alias that identifies the KeyStore entry that contains the certificate to check. +elytron-tls.modifiable-key-store.should-renew-certificate.expiration=The number of days to expiry to be checked. + ################## # Managers # 
diff --git a/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd b/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd index 248e543..5dca1f6 100644 --- a/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd +++ b/subsystem/src/main/resources/schema/elytron-tls-subsystem_1_0.xsd @@ -287,13 +287,13 @@ - + @@ -301,13 +301,13 @@ - + @@ -435,13 +435,13 @@ - + @@ -449,13 +449,13 @@ - + @@ -582,13 +582,13 @@ - + @@ -649,13 +649,13 @@ - + @@ -744,13 +744,13 @@ - + diff --git a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthoritiesTestCase.java b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthoritiesTestCase.java index 1679193..4b4a5f5 100644 --- a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthoritiesTestCase.java +++ b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/CertificateAuthoritiesTestCase.java @@ -224,7 +224,7 @@ public void testCreateAccountWithEmptyStagingUrlAndStagingValueTrue() throws Exc ModelNode result = services.executeOperation(operation); assertFailed(result); String failureDescription = result.get(FAILURE_DESCRIPTION).asString(); - assertTrue(failureDescription.contains("WFLYELY01043") && failureDescription.contains("ELY10057")); + assertTrue(failureDescription.contains("ELYTLS1043") && failureDescription.contains("ELY10057")); } finally { removeCertificateAuthorityAccount(); removeCertificateAuthority(); 
@@ -277,7 +277,7 @@ public void testCreateAccountWithoutAgreeingToTermsOfService() throws Exception ModelNode result = services.executeOperation(operation); assertFailed(result); String failureDescription = result.get(FAILURE_DESCRIPTION).asString(); - assertTrue(failureDescription.contains("WFLYELY01043") && failureDescription.contains("must agree to terms of service")); + assertTrue(failureDescription.contains("ELYTLS1043") && failureDescription.contains("must agree to terms of service")); } finally { removeCertificateAuthorityAccount(); removeCertificateAuthority(); diff --git a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolutionTestCase.java b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolutionTestCase.java index da7836f..b069b04 100644 --- a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolutionTestCase.java +++ b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/ExpressionResolutionTestCase.java @@ -160,7 +160,7 @@ private void testExpectedAliases(KernelServices services, String resourceType, S String... expectedAliases) throws Exception { ModelNode readAliases = new ModelNode(); - readAliases.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(resourceType, resourceName); + readAliases.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(resourceType, resourceName); readAliases.get(ClientConstants.OP).set(Constants.READ_ALIASES); ModelNode readAliasesResult = assertSuccess(services.executeOperation(readAliases)); @@ -203,6 +203,9 @@ public void testExpressionEncryptionOperations() throws Exception { add.get(Constants.PATH).set(testStorePath); add.get(Constants.POPULATE).set(false); + System.out.println("string is"); + System.out.println(add.get(ClientConstants.OP_ADDR)); + assertSuccess(services.executeOperation(add)); // Generate one and export it. 
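Review bot: The two `System.out.println` calls added in `testExpressionEncryptionOperations` (`"string is"` and the operation address) are leftover debugging output and should be removed before merge. The test already asserts on the result of `services.executeOperation(add)`, so nothing is lost by dropping them.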
@@ -290,7 +293,7 @@ private static void testCreateExpression(KernelServices services, SecretKey secr assertEquals("Successful descryption", CLEAR_TEXT, decrypted); } else { assertTrue("Failure expected", result.get(OUTCOME).asString().equals(ClientConstants.FAILED)); - assertTrue("Expected Error Code", result.get(ClientConstants.FAILURE_DESCRIPTION).asString().contains("WFLYELY00920:")); + assertTrue("Expected Error Code", result.get(ClientConstants.FAILURE_DESCRIPTION).asString().contains("ELYTLS0920:")); } } @@ -362,7 +365,7 @@ public void testExpressionEncryptionCycle() throws Exception { ModelNode result = services.executeOperation(composite); assertTrue("Failure expected", result.get(OUTCOME).asString().equals(ClientConstants.FAILED)); assertTrue("Expected Error Code (Cycle Detected)", - result.get(ClientConstants.FAILURE_DESCRIPTION).asString().contains("WFLYELY00043:")); + result.get(ClientConstants.FAILURE_DESCRIPTION).asString().contains("ELYTLS0043:")); csUtilOne.cleanUp(); csUtilTwo.cleanUp(); diff --git a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoresTestCase.java b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoresTestCase.java index 88e91e2..0b0c343 100644 --- a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoresTestCase.java +++ b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/KeyStoresTestCase.java @@ -623,7 +623,7 @@ public void testGenerateKeyPair() throws Exception { ZonedDateTime startTime = ZonedDateTime.now().withNano(0); ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.GENERATE_KEY_PAIR); operation.get(Constants.ALIAS).set("bsmith"); operation.get(Constants.ALGORITHM).set("RSA"); 
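Review bot: The address prefix `.add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME)` is rewritten by hand in `testGenerateKeyPair` and in each following KeyStoresTestCase hunk, and the same `"elytron-tls"` literal appears in `testExpectedAliases` of ExpressionResolutionTestCase. A constant such as `private static final String SUBSYSTEM_NAME = "elytron-tls";`, or a small helper that builds the key-store `ModelNode` operation for a given operation name, would turn the next rename into a one-line change. If the subsystem already exposes its name as a constant (its definition class is not in this part of the diff), reuse that instead of the literal.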
@@ -707,7 +707,7 @@ public void testGenerateCertificateSigningRequest() throws Exception { try { ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.GENERATE_CERTIFICATE_SIGNING_REQUEST); operation.get(Constants.ALIAS).set("ssmith"); operation.get(Constants.SIGNATURE_ALGORITHM).set("SHA512withRSA"); @@ -765,7 +765,7 @@ private void testImportCertificateReply(String replyFileName) throws Exception { assertEquals(1, alias.get(Constants.CERTIFICATE_CHAIN).asList().size()); ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.IMPORT_CERTIFICATE); operation.get(Constants.ALIAS).set("ssmith"); operation.get(CredentialReference.CREDENTIAL_REFERENCE).get(CredentialReference.CLEAR_TEXT).set(KEY_PASSWORD); @@ -817,7 +817,7 @@ private void testImportUntrustedCertificateReply(boolean validate) throws Except assertEquals(1, aliasBefore.getCertificateChain().length); ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.IMPORT_CERTIFICATE); operation.get(Constants.ALIAS).set("ssmith"); operation.get(CredentialReference.CREDENTIAL_REFERENCE).get(CredentialReference.CLEAR_TEXT).set(KEY_PASSWORD); 
@@ -865,7 +865,7 @@ public void testImportTrustedCertificate() throws Exception { int numAliasesBefore = readAliases().size(); ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.IMPORT_CERTIFICATE); operation.get(Constants.ALIAS).set("intermediateCA"); Path resources = Paths.get(KeyStoresTestCase.class.getResource(".").toURI()); @@ -909,7 +909,7 @@ private void testImportUntrustedCertificate(boolean validate) throws Exception { int numAliasesBefore = readAliases().size(); ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.IMPORT_CERTIFICATE); operation.get(Constants.ALIAS).set("anotherCA"); Path resources = Paths.get(KeyStoresTestCase.class.getResource(".").toURI()); @@ -951,7 +951,7 @@ public void testExportCertificate() throws Exception { try { ModelNode operation = new ModelNode(); - operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME); + operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME); operation.get(ClientConstants.OP).set(Constants.EXPORT_CERTIFICATE); operation.get(Constants.ALIAS).set("ssmith"); operation.get(Constants.PATH).set(resources + certificateFileName); 
@@ -980,7 +980,7 @@ public void testExportCertificatePem() throws Exception {
 try {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.EXPORT_CERTIFICATE);
 operation.get(Constants.ALIAS).set("ssmith");
 operation.get(Constants.PATH).set(resources + certificateFileName);
@@ -1029,7 +1029,7 @@ public void testChangeAlias() throws Exception {
 KeyStore.PrivateKeyEntry aliasBefore = (KeyStore.PrivateKeyEntry) keyStore.getEntry("ssmith", new KeyStore.PasswordProtection(KEY_PASSWORD.toCharArray()));
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.CHANGE_ALIAS);
 operation.get(Constants.ALIAS).set("ssmith");
 operation.get(Constants.NEW_ALIAS).set("sallysmith");
@@ -1059,7 +1059,7 @@ public void testStoreFileDoesNotExist() throws Exception {
 assertSuccess(services.executeOperation(operation));
 try {
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.STORE);
 assertSuccess(services.executeOperation(operation));
 assertTrue(file.exists());
@@ -1091,7 +1091,7 @@ public void testObtainCertificateWithoutAgreeingToTermsOfService() throws Except
 assertFalse(keyStore.containsAlias(alias));
 try {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.OBTAIN_CERTIFICATE);
 operation.get(Constants.ALIAS).set(alias);
 operation.get(Constants.DOMAIN_NAMES).add("www.example.com");
@@ -1147,7 +1147,7 @@ public void testObtainCertificateWithUnsupportedPublicKey() throws Exception {
 server = setupTestObtainCertificateWithUnsupportedPublicKey();
 try {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.OBTAIN_CERTIFICATE);
 operation.get(Constants.ALIAS).set("server");
 operation.get(Constants.DOMAIN_NAMES).add("iraclzlcqgaymrc.com");
@@ -1170,7 +1170,7 @@ public void testObtainCertificateWithUnsupportedPublicKey() throws Exception {
 private void obtainCertificate(String keyAlgorithmName, int keySize, String domainName, String alias, KeyStore keyStore) throws Exception {
 try {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.OBTAIN_CERTIFICATE);
 operation.get(Constants.ALIAS).set(alias);
 operation.get(Constants.DOMAIN_NAMES).add(domainName);
@@ -1248,7 +1248,7 @@ private ModelNode shouldRenewCertificate(ZonedDateTime notValidBeforeDate, Zoned
 try {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.SHOULD_RENEW_CERTIFICATE);
 operation.get(Constants.ALIAS).set(alias);
 operation.get(Constants.EXPIRATION).set(expiration);
@@ -1271,7 +1271,7 @@ private void revokeCertificate(String alias, String reason) throws Exception {
 assertTrue(keyStore.containsAlias(alias));
 try {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("key-store", ACCOUNTS_KEYSTORE_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("key-store", ACCOUNTS_KEYSTORE_NAME);
 operation.get(ClientConstants.OP).set(Constants.REVOKE_CERTIFICATE);
 operation.get(Constants.ALIAS).set(alias);
 if (reason != null) {
@@ -1403,7 +1403,7 @@ private ModelNode getAddKeyStoreUsingNonExistingFileOperation(boolean required,
 private void addCertificateAuthorityWithoutStagingUrl() {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("certificate-authority", CERTIFICATE_AUTHORITY_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("certificate-authority", CERTIFICATE_AUTHORITY_NAME);
 operation.get(ClientConstants.OP).set(ClientConstants.ADD);
 operation.get(Constants.URL).set(SIMULATED_LETS_ENCRYPT_ENDPOINT);
 assertSuccess(services.executeOperation(operation));
@@ -1412,7 +1412,7 @@ private void addCertificateAuthorityWithoutStagingUrl() {
 private void addCertificateAuthorityAccountWithCustomCA(String alias, String contactURL) throws Exception {
 ModelNode operation = new ModelNode();
 operation.get(ClientConstants.OPERATION_HEADERS).get("allow-resource-service-restart").set(Boolean.TRUE);
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("certificate-authority-account", CERTIFICATE_AUTHORITY_ACCOUNT_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("certificate-authority-account", CERTIFICATE_AUTHORITY_ACCOUNT_NAME);
 operation.get(ClientConstants.OP).set(ClientConstants.ADD);
 operation.get(Constants.CONTACT_URLS).add(contactURL);
 operation.get(Constants.CERTIFICATE_AUTHORITY).set(CERTIFICATE_AUTHORITY_NAME);
@@ -1425,7 +1425,7 @@ private void addCertificateAuthorityAccountWithCustomCA(String alias, String con
 private void removeCertificateAuthority() {
 ModelNode operation;
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("certificate-authority", CERTIFICATE_AUTHORITY_NAME);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add("certificate-authority", CERTIFICATE_AUTHORITY_NAME);
 operation.get(ClientConstants.OP).set(ClientConstants.REMOVE_OPERATION);
 assertSuccess(services.executeOperation(operation));
 }
diff --git a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/TlsTestCase.java b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/TlsTestCase.java
index fad7200..88e7c48 100644
--- a/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/TlsTestCase.java
+++ b/subsystem/src/test/java/org/wildfly/extension/elytron/tls/subsystem/TlsTestCase.java
@@ -499,7 +499,7 @@ public void testRevocationLists() throws Throwable {
 Assert.assertNotNull(trustManager);
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, "trust-with-crl");
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, "trust-with-crl");
 operation.get(ClientConstants.OP).set(Constants.RELOAD_CERTIFICATE_REVOCATION_LIST);
 assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
 }
@@ -511,7 +511,7 @@ public void testMultipleRevocationLists() throws Throwable {
 Assert.assertNotNull(trustManager);
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, "trust-with-multiple-crls");
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, "trust-with-multiple-crls");
 operation.get(ClientConstants.OP).set(Constants.RELOAD_CERTIFICATE_REVOCATION_LIST);
 assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
 }
@@ -534,7 +534,7 @@ public void testRevocationListsDp() throws Throwable {
 MatcherAssert.assertThat(trustManager, CoreMatchers.instanceOf(X509RevocationTrustManager.class));
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, "trust-with-crl-dp");
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, "trust-with-crl-dp");
 operation.get(ClientConstants.OP).set(Constants.RELOAD_CERTIFICATE_REVOCATION_LIST);
 assertEquals(FAILED, services.executeOperation(operation).get(OUTCOME).asString()); // not realoadable
 }
@@ -546,7 +546,7 @@ public void testRevocationListsDpOnlyDeprecatedMaximumCertPath() throws Throwabl
 MatcherAssert.assertThat(trustManager, CoreMatchers.instanceOf(X509RevocationTrustManager.class));
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, "trust-with-crl-dp-deprecated-max-cert-path");
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, "trust-with-crl-dp-deprecated-max-cert-path");
 operation.get(ClientConstants.OP).set(Constants.RELOAD_CERTIFICATE_REVOCATION_LIST);
 assertEquals(FAILED, services.executeOperation(operation).get(OUTCOME).asString()); // not reloadable
 }
@@ -561,7 +561,7 @@ public void testCertificateRevocationListsDp() throws Throwable {
 MatcherAssert.assertThat(trustManager, CoreMatchers.instanceOf(X509RevocationTrustManager.class));
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, "trust-with-crls-dp");
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, "trust-with-crls-dp");
 operation.get(ClientConstants.OP).set(Constants.RELOAD_CERTIFICATE_REVOCATION_LIST);
 assertEquals(FAILED, services.executeOperation(operation).get(OUTCOME).asString()); // not realoadable
 }
@@ -586,7 +586,7 @@ public void testReloadTrustManager() throws Throwable {
 Files.copy(Paths.get(TRUST_FILE.toString()), initTestFilePath, StandardCopyOption.REPLACE_EXISTING);
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.KEY_STORE_OBJECT, INIT_TEST_TRUSTSTORE);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.KEY_STORE, INIT_TEST_TRUSTSTORE);
 operation.get(ClientConstants.OP).set(ClientConstants.ADD);
 operation.get(Constants.PATH).set(resources + INIT_TEST_FILE);
 operation.get(Constants.TYPE).set("JKS");
@@ -594,9 +594,9 @@ public void testReloadTrustManager() throws Throwable {
 Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, INIT_TEST_TRUSTMANAGER);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, INIT_TEST_TRUSTMANAGER);
 operation.get(ClientConstants.OP).set(ClientConstants.ADD);
- operation.get(Constants.KEY_STORE_OBJECT).set(INIT_TEST_TRUSTSTORE);
+ operation.get(Constants.KEY_STORE).set(INIT_TEST_TRUSTSTORE);
 Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
 ServiceName serviceName = Capabilities.TRUST_MANAGER_RUNTIME_CAPABILITY.getCapabilityServiceName(INIT_TEST_TRUSTMANAGER);
@@ -618,12 +618,12 @@ public void testReloadTrustManager() throws Throwable {
 createTemporaryKeyStoreFile(trustStore, new File(WORKING_DIRECTORY_LOCATION + INIT_TEST_FILE));
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.KEY_STORE_OBJECT, INIT_TEST_TRUSTSTORE);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.KEY_STORE, INIT_TEST_TRUSTSTORE);
 operation.get(ClientConstants.OP).set(Constants.LOAD);
 Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.TRUST_MANAGER_OBJECT, INIT_TEST_TRUSTMANAGER);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.TRUST_MANAGER, INIT_TEST_TRUSTMANAGER);
 operation.get(ClientConstants.OP).set(Constants.INIT);
 Assert.assertEquals(SUCCESS, services.executeOperation(operation).get(OUTCOME).asString());
@@ -769,20 +769,20 @@ private void checkProtocolConfiguration(Map protocolChecker, S
 private void testSessionsReading(String serverContextName, String clientContextName, String expectedServerPrincipal, String expectedClientPrincipal) {
 ModelNode operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.SERVER_SSL_CONTEXT, serverContextName);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.SERVER_SSL_CONTEXT, serverContextName);
 operation.get(ClientConstants.OP).set(ClientConstants.READ_ATTRIBUTE_OPERATION);
 operation.get(ClientConstants.NAME).set(Constants.ACTIVE_SESSION_COUNT);
 Assert.assertEquals("active session count", 1, services.executeOperation(operation).get(ClientConstants.RESULT).asInt());
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.SERVER_SSL_CONTEXT, serverContextName);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.SERVER_SSL_CONTEXT, serverContextName);
 operation.get(ClientConstants.OP).set(ClientConstants.READ_CHILDREN_NAMES_OPERATION);
 operation.get(ClientConstants.CHILD_TYPE).set(Constants.SSL_SESSION);
 List sessions = services.executeOperation(operation).get(ClientConstants.RESULT).asList();
 Assert.assertEquals("session count in list", 1, sessions.size());
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.SERVER_SSL_CONTEXT, serverContextName).add(Constants.SSL_SESSION, sessions.get(0).asString());
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.SERVER_SSL_CONTEXT, serverContextName).add(Constants.SSL_SESSION, sessions.get(0).asString());
 operation.get(ClientConstants.OP).set(ClientConstants.READ_ATTRIBUTE_OPERATION);
 operation.get(ClientConstants.NAME).set(Constants.PEER_CERTIFICATES);
 ModelNode result =
services.executeOperation(operation).get(ClientConstants.RESULT);
@@ -795,20 +795,20 @@ private void testSessionsReading(String serverContextName, String clientContextN
 }
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.CLIENT_SSL_CONTEXT, clientContextName);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.CLIENT_SSL_CONTEXT, clientContextName);
 operation.get(ClientConstants.OP).set(ClientConstants.READ_ATTRIBUTE_OPERATION);
 operation.get(ClientConstants.NAME).set(Constants.ACTIVE_SESSION_COUNT);
 Assert.assertEquals("active session count", 1, services.executeOperation(operation).get(ClientConstants.RESULT).asInt());
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.CLIENT_SSL_CONTEXT, clientContextName);
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.CLIENT_SSL_CONTEXT, clientContextName);
 operation.get(ClientConstants.OP).set(ClientConstants.READ_CHILDREN_NAMES_OPERATION);
 operation.get(ClientConstants.CHILD_TYPE).set(Constants.SSL_SESSION);
 sessions = services.executeOperation(operation).get(ClientConstants.RESULT).asList();
 Assert.assertEquals("session count in list", 1, sessions.size());
 operation = new ModelNode();
- operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add(Constants.CLIENT_SSL_CONTEXT, clientContextName).add(Constants.SSL_SESSION, sessions.get(0).asString());
+ operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron-tls").add(Constants.CLIENT_SSL_CONTEXT, clientContextName).add(Constants.SSL_SESSION, sessions.get(0).asString());
 operation.get(ClientConstants.OP).set(ClientConstants.READ_ATTRIBUTE_OPERATION);
 operation.get(ClientConstants.NAME).set(Constants.PEER_CERTIFICATES);
 result = services.executeOperation(operation).get(ClientConstants.RESULT);