
PAYARA-3793 certificate group mapping #4272

Merged
merged 2 commits into from Oct 22, 2019

Conversation

@dmatej
Contributor

dmatej commented Oct 12, 2019

Description

This is a feature allowing group and role mapping based on the certificate's DN parts.

Important Info

Blockers

#4263 - contains test for the CertificateRealm

Testing

New tests

CertificateRealmITest

Testing Performed

Test suites executed

  • Quicklook - OK
  • Payara Samples - ?
  • Java EE7 Samples - OK
  • Java EE8 Samples - ?
  • Payara Private Tests - OK
  • Payara Microprofile TCKs Runner - ?
  • Jakarta TCKs - ?
  • Mojarra - ?
  • Cargo Tracker - ?

Testing Environment

Kubuntu 19.04

@dmatej

Contributor Author

dmatej commented Oct 12, 2019

Jenkins test please

@dmatej dmatej force-pushed the dmatej:PAYARA-3793-certificate-role-mapping branch from 7da9bed to 7dd03b9 Oct 15, 2019
@dmatej dmatej changed the title Payara 3793 certificate role mapping Payara 3793 certificate group mapping Oct 15, 2019
@dmatej dmatej marked this pull request as ready for review Oct 18, 2019
@dmatej

Contributor Author

dmatej commented Oct 18, 2019

Jenkins test please

@dmatej dmatej force-pushed the dmatej:PAYARA-3793-certificate-role-mapping branch from 7dd03b9 to a56b4ef Oct 18, 2019
@dmatej dmatej self-assigned this Oct 18, 2019
@dmatej dmatej requested a review from Pandrex247 Oct 18, 2019
@dmatej

Contributor Author

dmatej commented Oct 20, 2019

Jenkins test please

@MarkWareham MarkWareham changed the title Payara 3793 certificate group mapping PAYARA-3793 certificate group mapping Oct 21, 2019
@dmatej dmatej requested review from cubastanley and AlanRoth Oct 21, 2019
Contributor

cubastanley left a comment

Looks fine, just these final variable names - pretty sure it's a Payara convention for final variables to have names in the format VARIABLE_NAME rather than standard camel case. There are more than the ones I've highlighted - approved anyway as it's purely cosmetic, but it is a convention that I feel should be followed.

private final boolean useCertificate;
private final SecurityContext securityContext;
Comment on lines +62 to +63

@cubastanley

cubastanley Oct 21, 2019

Contributor

For the sake of consistency these variables should be refactored to reflect the fact that they're constant (i.e. USE_CERTIFICATE)

@dmatej

dmatej Oct 21, 2019

Author Contributor

They are not constants! They are only final, not static final. They don't change for the life of the instance, but each instance has its own field ;)

@AlanRoth

AlanRoth Oct 21, 2019

Contributor

I don't think we have a naming rule in sonar for class level private final fields, we do for public final fields and for private final static fields, so technically David is right 😄. Confusingly, we do have a naming rule for local final fields (https://sonarcloud.io/organizations/payara/rules?languages=java&open=squid%3AS4174&q=final&tags=convention)

@cubastanley

cubastanley Oct 21, 2019

Contributor

Yeah no David's point makes sense I'm happy for it to stay as is ( ͡~ ͜ʖ ͡°)

@dmatej

dmatej Oct 21, 2019

Author Contributor

@AlanRoth Interesting rule, I'm sure it's not standard and it may cause great confusion; perhaps that's why it is not active in any profile :D
Nice example is here: https://softwareengineering.stackexchange.com/questions/252243/naming-convention-final-fields-not-static

private final String prname;
private final String name;
private final Codec codec;
private final SecurityContextUtil secContextUtil;
private final GlassFishORBHelper orbHelper;
private final SecurityMechanismSelector smSelector;
Comment on lines +151 to +156

@cubastanley

cubastanley Oct 21, 2019

Contributor

Same as previous comment

*
* @author Harish Prabandham
*/
public class Group extends PrincipalImpl {


private static final long serialVersionUID = -3087471149205106412L;

@cubastanley

cubastanley Oct 21, 2019

Contributor

Same as above

@pzygielo

pzygielo Oct 21, 2019

Contributor

Same as above

Hmmm. Same as above -> about upper/camel case?
(There is no freedom in choosing this name, it's specified by Serializable).

@cubastanley

cubastanley Oct 21, 2019

Contributor

Indeed, yes

@dmatej dmatej added the DO NOT MERGE label Oct 21, 2019
final LdapName dn = getLdapName(principal);
_logger.log(Level.FINE, "dn={0}", dn);
final String principalName = getPrincipalName(dn);
_logger.log(Level.FINE, "Certificate realm is setting up security context for principal: '{0}'", principalName);
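Review bot: the single quotes around {0} in the second _logger.log call are MessageFormat escape characters, so at FINE level the message is emitted with the literal text {0} instead of principalName; write the placeholder as ''{0}'' (doubled quotes) or drop the quotes, as the first log line already does.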

@dmatej

dmatej Oct 21, 2019

Author Contributor

Tricky bug ... apostrophes in '{0}' prevent replacement of the value.

@dmatej

dmatej Oct 21, 2019

Author Contributor

I'm starting to hate JUL pretty much ... :-(
And I know one way how to speed up anything in Payara :D

dmatej added 2 commits Oct 10, 2019
- automatic, semiautomatic and manual changes
- reduced visibility of realm.init methods to same as in parent
- some comments changed to javadocs
- enhanced loops (automatically)
- removed copypasted javadocs, removed commented out code
- correct generics in some places

- OIDs class transformed to OID enum
- JDBCRealm
  - renamed cr to connectorRuntimeDescriptor
- PamRealm
  - deprecated PAM.getGroupsOfUser method replaced with its content:
    new UnixUser(username).getGroups()
- BaseRealm
  - removed deprecated constant - copy from parent class.
- AbstractStatefulRealm
  - addAssignGroups reimplemented
- ClientCertificateLoginModule
  - reduced logging complexity
  - removed redundant catch block
- LoginException
  - added constructor with cause
- CertificateRealm
  - OID_MAP moved to OID enum
  - using same constant for realm property: COMMON_NAME_AS_PRINCIPAL_NAME
- Util
  - removed getDefaultHabitat method - potential cause of NPE if called sooner
    than Globals initialized. Replaced with direct usage of Globals.
- realm can be configured to use some parts of DN as group names
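As an added illustration (not code from this PR or from Payara's CertificateRealm), the kind of DN-part-to-group mapping the description and the last commit note describe, written against the JDK's LdapName; it also shows the JUL quoting pitfall discussed in the review thread above. The class name, method, and the choice of OU and O as group attributes are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical illustration, not Payara's CertificateRealm: derives group names from
// the client certificate's subject DN, keeping only the RDN types an administrator
// chose (here OU and O). The DN must come from a certificate that was already
// validated against the realm's trust store; an unvalidated DN is attacker-chosen input.
public class DnGroupMapping {

    private static final Logger LOG = Logger.getLogger(DnGroupMapping.class.getName());

    public static List<String> groupsFromDn(String subjectDn, Collection<String> groupRdnTypes)
            throws InvalidNameException {
        // LdapName applies RFC 2253 unescaping, so "O=Example\, Inc." stays one value.
        final LdapName dn = new LdapName(subjectDn);
        final List<String> groups = new ArrayList<>();
        // getRdns() lists the components from the rightmost (root) one first.
        for (Rdn rdn : dn.getRdns()) {
            if (groupRdnTypes.contains(rdn.getType().toUpperCase())) {
                groups.add(String.valueOf(rdn.getValue()));
            }
        }
        // JUL pitfall from the review thread: a single quote is a MessageFormat escape,
        // so "'{0}'" would log the literal text {0}. Doubling the quotes ("''{0}''")
        // keeps them in the output and still substitutes the parameter.
        LOG.log(Level.FINE, "Certificate realm mapped DN ''{0}'' to groups {1}",
                new Object[] {dn, groups});
        return groups;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subject with an escaped comma inside the O value.
        final String subject = "CN=alice,OU=developers,OU=staff,O=Example\\, Inc.,C=CZ";
        System.out.println(groupsFromDn(subject, Arrays.asList("OU", "O")));
    }
}
```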
@dmatej dmatej force-pushed the dmatej:PAYARA-3793-certificate-role-mapping branch from a56b4ef to 3de360d Oct 22, 2019
@dmatej dmatej removed the DO NOT MERGE label Oct 22, 2019
@dmatej

Contributor Author

dmatej commented Oct 22, 2019

Jenkins test please

@dmatej dmatej merged commit e97caae into payara:master Oct 22, 2019
58 checks passed
@dmatej dmatej deleted the dmatej:PAYARA-3793-certificate-role-mapping branch Oct 22, 2019