Refactor secure admin domain element

Signed-off-by: Alexander Pinčuk <alexander.v.pinchuk@gmail.com>
eclipse-ee4j · Apr 4, 2023 · 5497595 · 5497595
1 parent 49d6815
commit 5497595
Show file tree

Hide file tree

Showing 21 changed files with 289 additions and 241 deletions.
diff --git a/...i/common/src/main/java/org/glassfish/admingui/common/security/AdminConsoleAuthModule.java b/...i/common/src/main/java/org/glassfish/admingui/common/security/AdminConsoleAuthModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Contributors to the Eclipse Foundation. All rights reserved.
+ * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation. All rights reserved.
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -130,7 +130,7 @@ public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy
 
             final String host = adminListener.getAddress();
             // Save the REST URL we need to authenticate the user.
-            this.restURL = (SecureAdmin.Util.isEnabled(secureAdmin) ? "https://" : "http://")
+            this.restURL = (SecureAdmin.isEnabled(secureAdmin) ? "https://" : "http://")
                     + (host.equals("0.0.0.0") ? "localhost" : host) + ":" + adminListener.getPort() + "/management/sessions";
         }
     }

diff --git a/appserver/admingui/common/src/main/java/org/glassfish/admingui/common/util/RestUtil.java b/appserver/admingui/common/src/main/java/org/glassfish/admingui/common/util/RestUtil.java
@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 Contributors to the Eclipse Foundation
  * Copyright (c) 2009, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -921,7 +922,7 @@ public static ClientBuilder initialize(ClientBuilder clientBuilder) {
 
             final SSLContext sslContext = habitat
                     .<SSLUtils>getService(SSLUtils.class)
-                    .getAdminSSLContext(SecureAdmin.Util.DASAlias(secureAdmin), null);
+                    .getAdminSSLContext(SecureAdmin.DASAlias(secureAdmin), null);
 
             // Instruct Jersey to use HostNameVerifier and SSLContext provided by us.
             clientBuilder

diff --git a/...eus/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java b/...eus/admin/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdmin.java
@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 Contributors to the Eclipse Foundation
  * Copyright (c) 2010, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -16,9 +17,10 @@
 
 package com.sun.enterprise.config.serverbeans;
 
-import java.util.Collections;
 import java.util.List;
+
 import org.glassfish.api.I18n;
+import org.glassfish.api.admin.ExecuteOn;
 import org.glassfish.api.admin.RuntimeType;
 import org.glassfish.config.support.Create;
 import org.glassfish.config.support.Delete;
@@ -28,171 +30,153 @@
 import org.jvnet.hk2.config.Attribute;
 import org.jvnet.hk2.config.ConfigBeanProxy;
 import org.jvnet.hk2.config.Configured;
-import org.jvnet.hk2.config.DuckTyped;
 import org.jvnet.hk2.config.Element;
 import org.jvnet.hk2.config.Transaction;
 
-@Configured
+import static com.sun.enterprise.config.serverbeans.SecureAdminHelperHolder.getSecureAdminHelper;
+
 /**
  * Represents the admin security settings for the domain.
- *
  */
+@Configured
 public interface SecureAdmin extends ConfigBeanProxy {
 
+    String DEFAULT_INSTANCE_ALIAS = "glassfish-instance";
+
+    String DEFAULT_ADMIN_ALIAS = "s1as";
+
+    String ADMIN_INDICATOR_HEADER_NAME = "X-GlassFish-admin";
+
+    String ADMIN_INDICATOR_DEFAULT_VALUE = "true";
+
+    String ADMIN_ONE_TIME_AUTH_TOKEN_HEADER_NAME = "X-GlassFish-authToken";
+
     @Element
-    @Create(value = "enable-secure-admin-principal", decorator = SecureAdminPrincipal.CrDecorator.class, i18n = @I18n("enable.secure.admin.principal.command"), cluster = @org.glassfish.api.admin.ExecuteOn(value = {
-            RuntimeType.DAS, RuntimeType.INSTANCE }))
-    @Delete(value = "disable-secure-admin-principal", resolver = SecureAdminPrincipal.Resolver.class, i18n = @I18n("disable.secure.admin.principal.command"), cluster = @org.glassfish.api.admin.ExecuteOn(value = {
-            RuntimeType.DAS, RuntimeType.INSTANCE }))
+    @Create(value = "enable-secure-admin-principal",
+            decorator = SecureAdminPrincipal.CrDecorator.class,
+            i18n = @I18n("enable.secure.admin.principal.command"),
+            cluster = @ExecuteOn(value = {RuntimeType.DAS, RuntimeType.INSTANCE }))
+    @Delete(value = "disable-secure-admin-principal",
+            resolver = SecureAdminPrincipal.Resolver.class,
+            i18n = @I18n("disable.secure.admin.principal.command"),
+            cluster = @ExecuteOn(value = {RuntimeType.DAS, RuntimeType.INSTANCE }))
     @Listing(value = "list-secure-admin-principals", i18n = @I18n("list.secure.admin.principals.command"))
-    public List<SecureAdminPrincipal> getSecureAdminPrincipal();
+    List<SecureAdminPrincipal> getSecureAdminPrincipal();
 
     @Element
-    @Create(value = "enable-secure-admin-internal-user", decorator = SecureAdminInternalUser.CrDecorator.class, i18n = @I18n("enable.secure.admin.internal.user.command"), cluster = @org.glassfish.api.admin.ExecuteOn(value = {
-            RuntimeType.DAS, RuntimeType.INSTANCE }))
-    @Delete(value = "disable-secure-admin-internal-user", resolver = TypeAndNameResolver.class, i18n = @I18n("disable.secure.admin.internal.user.command"), cluster = @org.glassfish.api.admin.ExecuteOn(value = {
-            RuntimeType.DAS, RuntimeType.INSTANCE }))
+    @Create(value = "enable-secure-admin-internal-user",
+            decorator = SecureAdminInternalUser.CrDecorator.class,
+            i18n = @I18n("enable.secure.admin.internal.user.command"),
+            cluster = @ExecuteOn(value = {RuntimeType.DAS, RuntimeType.INSTANCE }))
+    @Delete(value = "disable-secure-admin-internal-user",
+            resolver = TypeAndNameResolver.class,
+            i18n = @I18n("disable.secure.admin.internal.user.command"),
+            cluster = @ExecuteOn(value = {RuntimeType.DAS, RuntimeType.INSTANCE }))
     @Listing(value = "list-secure-admin-internal-users", i18n = @I18n("list.secure.admin.internal.user.command"))
-    public List<SecureAdminInternalUser> getSecureAdminInternalUser();
+    List<SecureAdminInternalUser> getSecureAdminInternalUser();
 
     /**
      * Gets whether admin security is turned on.
      *
-     * @return {@link String } containing the type
+     * @return {@link String} containing the type
      */
     @Attribute(defaultValue = "false", dataType = Boolean.class)
     String getEnabled();
 
     /**
      * Sets whether admin security is turned on.
      *
-     * @param value whether admin security should be on or off ("true" or "false")
+     * @param enabled whether admin security should be on or off ({@code true} or {@code false})
      */
-    void setEnabled(String value);
+    void setEnabled(String enabled);
 
-    @Attribute(defaultValue = Util.ADMIN_INDICATOR_DEFAULT_VALUE)
+    @Attribute(defaultValue = ADMIN_INDICATOR_DEFAULT_VALUE)
     String getSpecialAdminIndicator();
 
-    void setSpecialAdminIndicator(String value);
+    void setSpecialAdminIndicator(String adminIndicator);
 
-    @Attribute(defaultValue = Duck.DEFAULT_ADMIN_ALIAS)
+    @Attribute(defaultValue = DEFAULT_ADMIN_ALIAS)
     String dasAlias();
 
     void setDasAlias(String alias);
 
-    @Attribute(defaultValue = Duck.DEFAULT_INSTANCE_ALIAS)
+    @Attribute(defaultValue = DEFAULT_INSTANCE_ALIAS)
     String instanceAlias();
 
     void setInstanceAlias(String alias);
 
+    default String getInstanceAlias() {
+        return instanceAlias();
+    }
+
+    default String getDasAlias() {
+        return dasAlias();
+    }
+
     /**
-     * Returns the SecureAdminPrincipal corresponding to the Principal the instances use to authenticate themselves using
-     * SSL/TLS
+     * Reports whether secure admin is enabled.
      *
-     * @return the SecureAdminPrincipal for the instances
+     * @param secureAdmin the {@link SecureAdmin}, typically returned from {@code domain.getSecureAdmin()}
+     * @return {@code true} if secure admin is enabled; {@code false} otherwise
      */
-    @DuckTyped
-    String getInstanceAlias();
-
-    @DuckTyped
-    String getDasAlias();
-
-    @DuckTyped
-    boolean isEnabled();
-
-    class Duck {
-
-        public final static String DEFAULT_INSTANCE_ALIAS = "glassfish-instance";
-        public final static String DEFAULT_ADMIN_ALIAS = "s1as";
-
-        public static String getInstanceAlias(final SecureAdmin secureAdmin) {
-            return secureAdmin.instanceAlias();
-        }
-
-        public static String getDasAlias(final SecureAdmin secureAdmin) {
-            return secureAdmin.dasAlias();
-        }
+    static boolean isEnabled(final SecureAdmin secureAdmin) {
+        return (secureAdmin != null && Boolean.parseBoolean(secureAdmin.getEnabled()));
     }
 
-    public static class Util {
-
-        public static final String ADMIN_INDICATOR_HEADER_NAME = "X-GlassFish-admin";
-        public static final String ADMIN_INDICATOR_DEFAULT_VALUE = "true";
-        public static final String ADMIN_ONE_TIME_AUTH_TOKEN_HEADER_NAME = "X-GlassFish-authToken";
-
-        private static volatile SecureAdminHelper _secureAdminHelper = null;
-
-        /**
-         * Reports whether secure admin is enabled.
-         *
-         * @param secureAdmin the SecureAdmin, typically returned from domain.getSecureAdmin()
-         * @return true if secure admin is enabled; false otherwise
-         */
-        public static boolean isEnabled(final SecureAdmin secureAdmin) {
-            return (secureAdmin != null && Boolean.parseBoolean(secureAdmin.getEnabled()));
-        }
-
-        /**
-         * Returns the configured (which could be the default) value for the special admin indicator.
-         *
-         * @param secureAdmin the SecureAdmin, typically returned from domain.getSecureAdmin()
-         * @return the current value for the admin indicator
-         */
-        public static String configuredAdminIndicator(final SecureAdmin secureAdmin) {
-            return (secureAdmin == null ? ADMIN_INDICATOR_DEFAULT_VALUE : secureAdmin.getSpecialAdminIndicator());
-        }
+    /**
+     * Returns the configured (which could be the default) value for the special admin indicator.
+     *
+     * @param secureAdmin the {@link SecureAdmin}, typically returned from {@code domain.getSecureAdmin()}
+     * @return the current value for the admin indicator
+     */
+    static String configuredAdminIndicator(final SecureAdmin secureAdmin) {
+        return (secureAdmin == null ? ADMIN_INDICATOR_DEFAULT_VALUE : secureAdmin.getSpecialAdminIndicator());
+    }
 
-        public static String DASAlias(final SecureAdmin secureAdmin) {
-            return (secureAdmin == null) ? Duck.DEFAULT_ADMIN_ALIAS : secureAdmin.getDasAlias();
-        }
+    static String DASAlias(final SecureAdmin secureAdmin) {
+        return (secureAdmin == null) ? DEFAULT_ADMIN_ALIAS : secureAdmin.getDasAlias();
+    }
 
-        public static String instanceAlias(final SecureAdmin secureAdmin) {
-            return (secureAdmin == null) ? Duck.DEFAULT_INSTANCE_ALIAS : secureAdmin.getInstanceAlias();
-        }
+    static String instanceAlias(final SecureAdmin secureAdmin) {
+        return (secureAdmin == null) ? DEFAULT_INSTANCE_ALIAS : secureAdmin.getInstanceAlias();
+    }
 
-        public static List<SecureAdminInternalUser> secureAdminInternalUsers(final SecureAdmin secureAdmin) {
-            return (secureAdmin == null) ? Collections.EMPTY_LIST : secureAdmin.getSecureAdminInternalUser();
-        }
+    static SecureAdminInternalUser secureAdminInternalUser(final SecureAdmin secureAdmin) {
+        final List<SecureAdminInternalUser> secureAdminUsers = secureAdminInternalUsers(secureAdmin);
+        return (secureAdminUsers.isEmpty() ? null : secureAdminUsers.get(0));
+    }
 
-        public static SecureAdminInternalUser secureAdminInternalUser(final SecureAdmin secureAdmin) {
-            final List<SecureAdminInternalUser> secureAdminUsers = secureAdminInternalUsers(secureAdmin);
-            return (secureAdminUsers.isEmpty() ? null : secureAdminUsers.get(0));
-        }
+    private static List<SecureAdminInternalUser> secureAdminInternalUsers(final SecureAdmin secureAdmin) {
+        return (secureAdmin == null) ? List.of() : secureAdmin.getSecureAdminInternalUser();
+    }
 
-        public static boolean isUsingUsernamePasswordAuth(final SecureAdmin secureAdmin) {
-            return !secureAdminInternalUsers(secureAdmin).isEmpty();
-        }
+    static boolean isUsingUsernamePasswordAuth(final SecureAdmin secureAdmin) {
+        return !secureAdminInternalUsers(secureAdmin).isEmpty();
+    }
 
-        public static List<SecureAdminPrincipal> secureAdminPrincipals(final SecureAdmin secureAdmin, final ServiceLocator habitat) {
-            List<SecureAdminPrincipal> result = Collections.EMPTY_LIST;
-            if (secureAdmin != null) {
-                result = secureAdmin.getSecureAdminPrincipal();
-                if (result.isEmpty()) {
-                    try {
-                        final Transaction t = new Transaction();
-                        final SecureAdmin secureAdmin_w = t.enroll(secureAdmin);
-                        result = secureAdmin_w.getSecureAdminPrincipal();
-                        final SecureAdminPrincipal dasPrincipal = secureAdmin_w.createChild(SecureAdminPrincipal.class);
-                        dasPrincipal.setDn(secureAdminHelper(habitat).getDN(secureAdmin.dasAlias(), true));
-                        result.add(dasPrincipal);
-
-                        final SecureAdminPrincipal instancePrincipal = secureAdmin_w.createChild(SecureAdminPrincipal.class);
-                        instancePrincipal.setDn(secureAdminHelper(habitat).getDN(secureAdmin.instanceAlias(), true));
-                        result.add(instancePrincipal);
-                        t.commit();
-                    } catch (Exception ex) {
-                        throw new RuntimeException(ex);
-                    }
+    @SuppressWarnings("unused")
+    static List<SecureAdminPrincipal> secureAdminPrincipals(final SecureAdmin secureAdmin, final ServiceLocator habitat) {
+        List<SecureAdminPrincipal> principals = List.of();
+        if (secureAdmin != null) {
+            principals = secureAdmin.getSecureAdminPrincipal();
+            if (principals.isEmpty()) {
+                try {
+                    final Transaction tx = new Transaction();
+                    final SecureAdmin secureAdmin_w = tx.enroll(secureAdmin);
+                    principals = secureAdmin_w.getSecureAdminPrincipal();
+                    final SecureAdminPrincipal dasPrincipal = secureAdmin_w.createChild(SecureAdminPrincipal.class);
+                    dasPrincipal.setDn(getSecureAdminHelper(habitat).getDN(secureAdmin.dasAlias(), true));
+                    principals.add(dasPrincipal);
+
+                    final SecureAdminPrincipal instancePrincipal = secureAdmin_w.createChild(SecureAdminPrincipal.class);
+                    instancePrincipal.setDn(getSecureAdminHelper(habitat).getDN(secureAdmin.instanceAlias(), true));
+                    principals.add(instancePrincipal);
+                    tx.commit();
+                } catch (Exception ex) {
+                    throw new RuntimeException(ex);
                 }
             }
-            return result;
-        }
-
-        private static synchronized SecureAdminHelper secureAdminHelper(final ServiceLocator habitat) {
-            if (_secureAdminHelper == null) {
-                _secureAdminHelper = habitat.getService(SecureAdminHelper.class);
-            }
-            return _secureAdminHelper;
         }
+        return principals;
     }
 }
diff --git a/...min/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java b/...min/config-api/src/main/java/com/sun/enterprise/config/serverbeans/SecureAdminHelper.java
@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 Contributors to the Eclipse Foundation
  * Copyright (c) 2011, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -18,15 +19,16 @@
 
 import java.io.IOException;
 import java.security.KeyStoreException;
+
 import org.jvnet.hk2.annotations.Contract;
 
-@Contract()
 /**
- * Definition of some utility behavior that needs to be invoked from config classes in admin/config-api but implemented
- * elsewhere (in a module with dependencies that we do not want to add to admin/config-api).
+ * Definition of some utility behavior that needs to be invoked from config classes in admin/config-api but
+ * implemented elsewhere (in a module with dependencies that we do not want to add to admin/config-api).
  *
  * @author Tim Quinn
  */
+@Contract()
 public interface SecureAdminHelper {
 
     /**
@@ -36,35 +38,35 @@ public interface SecureAdminHelper {
      * @param isAlias whether the value is an alias or the DN itself
      * @return the DN
      */
-    public String getDN(String value, boolean isAlias) throws IOException, KeyStoreException;
+    String getDN(String value, boolean isAlias) throws IOException, KeyStoreException;
 
     /**
-     * Makes sure that the specified username is an admin user and that the specified password alias exists. Note that
-     * implementations of this method should not make sure that the username and the password pointed to by the alias
-     * actually match a valid admin user in the admin realm. That check is done by the normal authorization logic when the
-     * username and the actual password are used.
+     * Makes sure that the specified username is an admin user and that the specified password
+     * alias exists. Note that implementations of this method should not make sure that
+     * the username and the password pointed to by the alias actually match a valid
+     * admin user in the admin realm. That check is done by the normal authorization logic
+     * when the username and the actual password are used.
      *
-     * @param username
-     * @param passwordAlias
-     * @throws Exception if eiher the username or the password alias is not valid
+     * @param username the username
+     * @param passwordAlias a password alias
      */
-    public void validateInternalUsernameAndPasswordAlias(String username, String passwordAlias);
+    void validateInternalUsernameAndPasswordAlias(String username, String passwordAlias);
 
     /**
      * Reports whether any admin user exists which has an empty password.
      *
-     * @return true if any admin user exists with an empty password; false otherwise
-     * @throws Exception
+     * @return {@code true} if any admin user exists with an empty password; {@code false} otherwise
+     * @throws Exception if an error occurred
      */
-    public boolean isAnyAdminUserWithoutPassword() throws Exception;
+    boolean isAnyAdminUserWithoutPassword() throws Exception;
 
     /**
      * An exception indicating a user-correctable error that occurred as a secure admin command executed.
-     * <p>
-     * The secure admin commands can detect such errors and report just the exception's message and not the exception as
-     * well (which would clutter the report back to the admin client).
+     *
+     * <p>The secure admin commands can detect such errors and report just the exception's message
+     * and not the exception as well (which would clutter the report back to the admin client).
      */
-    public class SecureAdminCommandException extends RuntimeException {
+    class SecureAdminCommandException extends RuntimeException {
 
         public SecureAdminCommandException(String message) {
             super(message);