  1. WildFly
  2. WFLY-8062

Some OSH's in the Elytron subsystem don't validate the server type before registering steps


    • Bug
    • Resolution: Done
    • Blocker
    • 11.0.0.Alpha1
    • None
    • Security
    • None

      Boot a domain server and execute the following CLI commands:

      /profile=full/subsystem=elytron/filesystem-realm=mavenRealm:add(path=fs-realm-users,relative-to=jboss.domain.config.dir)
      /profile=full/subsystem=elytron/filesystem-realm=mavenRealm/identity=test-admin:add()
      

      In the Elytron subsystem there are implementations of org.jboss.as.controller.OperationStepHandler that do not check the state of the OperationContext before registering runtime steps. This is an issue for domain servers, as the steps will be registered on the host-controller even if the operation is being executed on a profile.

      For example:

      @Override
      public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
          context.addStep(operation, (parentContext, parentOperation) -> {
              ModifiableRealmIdentity realmIdentity = getRealmIdentity(parentContext);
              List<ModelNode> modelNodes = parentOperation.asList();
              Property passwordProperty = modelNodes.get(2).asProperty();
              PathAddress currentAddress = parentContext.getCurrentAddress();
              String principalName = currentAddress.getLastElement().getValue();
      
              try {
                  realmIdentity.setCredentials(Collections.singleton(new PasswordCredential(createPassword(parentContext, principalName, passwordProperty))));
              } catch (NoSuchAlgorithmException | InvalidKeySpecException | RealmUnavailableException e) {
                  throw ROOT_LOGGER.couldNotCreatePassword(e);
              }
              parentContext.completeStep(NOOP_RESULT_HANDLER);
          }, OperationContext.Stage.RUNTIME);
      }
      

      The handler should check context.isDefaultRequiresRuntime():

      @Override
      public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
          if (context.isDefaultRequiresRuntime()) {
              context.addStep(operation, (parentContext, parentOperation) -> {
                  ModifiableRealmIdentity realmIdentity = getRealmIdentity(parentContext);
                  List<ModelNode> modelNodes = parentOperation.asList();
                  Property passwordProperty = modelNodes.get(2).asProperty();
                  PathAddress currentAddress = parentContext.getCurrentAddress();
                  String principalName = currentAddress.getLastElement().getValue();
      
                  try {
                      realmIdentity.setCredentials(Collections.singleton(new PasswordCredential(createPassword(parentContext, principalName, passwordProperty))));
                  } catch (NoSuchAlgorithmException | InvalidKeySpecException | RealmUnavailableException e) {
                      throw ROOT_LOGGER.couldNotCreatePassword(e);
                  }
                  parentContext.completeStep(NOOP_RESULT_HANDLER);
              }, OperationContext.Stage.RUNTIME);
          }
      }
      

      The handlers should be analyzed to ensure they check the state before registering runtime steps.
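
One way to carry out that analysis, as an added example that is not part of the issue or of WildFly's code: a heuristic Python scan that flags execute() methods registering a Stage.RUNTIME step without a preceding context.isDefaultRequiresRuntime() check. The handler sources are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample sources (not WildFly code): one unguarded, one guarded handler.
UNGUARDED = """
class SetPasswordHandler implements OperationStepHandler {
    @Override
    public void execute(OperationContext context, ModelNode operation) {
        context.addStep(operation, (parentContext, parentOperation) -> {
            parentContext.completeStep(NOOP_RESULT_HANDLER);
        }, OperationContext.Stage.RUNTIME);
    }
}
"""
GUARDED = """
class ClearPasswordHandler implements OperationStepHandler {
    @Override
    public void execute(OperationContext context, ModelNode operation) {
        if (context.isDefaultRequiresRuntime()) {
            context.addStep(operation, (c, o) -> { }, OperationContext.Stage.RUNTIME);
        }
    }
}
"""
# Matches an execute(OperationContext <name>, ...) declaration up to its opening brace.
EXECUTE = re.compile(r"\bvoid\s+execute\s*\(\s*(?:final\s+)?OperationContext\s+(\w+)[^)]*\)[^{]*\{")

def method_body(src, open_idx):
    """Text between the brace at open_idx and its match (ignores braces in strings)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unguarded_runtime_steps(src):
    """Line numbers of execute() methods that add a RUNTIME step with no guard before it."""
    findings = []
    for m in EXECUTE.finditer(src):
        ctx = re.escape(m.group(1))
        body = method_body(src, m.end() - 1)
        add = re.search(r"\b%s\.addStep\s*\(" % ctx, body)
        if not add or "Stage.RUNTIME" not in body[add.start():]:
            continue
        # Only the guard named in the issue is recognised; other guards need manual review.
        guard = r"\bif\s*\([^)]*\b%s\.isDefaultRequiresRuntime\s*\(\s*\)" % ctx
        if not re.search(guard, body[:add.start()]):
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings
```

Each reported line number is the start of an execute() method to review by hand; the scan is textual, so a guard expressed any other way is still reported.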

            jperkins-rhn James Perkins