[WFCORE-2614] Validate the security domain resource at the end of Sta…

…ge.MODEL. 1 - Ensure no security realm is reference twice. 2 - Ensure the default security realm is one of the referenced realms.
wildfly-security-incubator · Apr 3, 2017 · 803c206 · 803c206
1 parent c438fea
commit 803c206
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 17 deletions.
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/DomainDefinition.java b/elytron/src/main/java/org/wildfly/extension/elytron/DomainDefinition.java
@@ -57,6 +57,7 @@
 import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
 import org.jboss.as.controller.SimpleResourceDefinition;
 import org.jboss.as.controller.StringListAttributeDefinition;
+import org.jboss.as.controller.OperationContext.Stage;
 import org.jboss.as.controller.capability.RuntimeCapability;
 import org.jboss.as.controller.registry.AttributeAccess;
 import org.jboss.as.controller.registry.ManagementResourceRegistration;
@@ -463,7 +464,7 @@ private DomainAddHandler() {
         protected void populateModel(final OperationContext context, final ModelNode operation, final Resource resource)
                 throws OperationFailedException {
             super.populateModel(context, operation, resource);
-            validateDefaultRealmInRealms(context, resource);
+            context.addStep(new DomainValidationHandler(), Stage.MODEL);
         }
 
         @Override
@@ -495,30 +496,41 @@ protected void recreateParentService(OperationContext context, PathAddress paren
         }
 
         protected void validateUpdatedModel(final OperationContext context, final Resource resource) throws OperationFailedException {
-            validateDefaultRealmInRealms(context, resource);
+            // Defer validation to end of model stage.
+            context.addStep(new DomainValidationHandler(), Stage.MODEL);
         }
 
     }
 
-    private static void validateDefaultRealmInRealms(final OperationContext context, final Resource resource) throws OperationFailedException {
-        ModelNode model = resource.getModel();
-        String defaultRealm = DomainDefinition.DEFAULT_REALM.resolveModelAttribute(context, model).asString();
-        List<ModelNode> realms = REALMS.resolveModelAttribute(context, model).asList();
+    private static class DomainValidationHandler implements OperationStepHandler {
+
+        @Override
+        public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
+            ModelNode model = context.readResource(PathAddress.EMPTY_ADDRESS).getModel();
+
+
+            List<ModelNode> realms = REALMS.resolveModelAttribute(context, model).asList();
 
-        for(ModelNode realm : realms) {
-            String realmName = REALM_NAME.resolveModelAttribute(context, realm).asString();
-            if (defaultRealm.equals(realmName)) {
-                return;
+            Set<String> realmNames = new HashSet<>(realms.size());
+
+            for(ModelNode realm : realms) {
+                String realmName = REALM_NAME.resolveModelAttribute(context, realm).asString();
+                if (realmNames.add(realmName) == false) {
+                    throw ROOT_LOGGER.realmRefererencedTwice(realmName);
+                }
             }
-        }
 
-        // validation failed
-        StringBuilder realmsStringBuilder = new StringBuilder();
-        for(ModelNode realm : realms) {
-            if (realmsStringBuilder.length() != 0) realmsStringBuilder.append(", ");
-            realmsStringBuilder.append(REALM_NAME.resolveModelAttribute(context, realm).asString());
+            String defaultRealm = DomainDefinition.DEFAULT_REALM.resolveModelAttribute(context, model).asString();
+            if (realmNames.contains(defaultRealm) == false) {
+                StringBuilder realmsStringBuilder = new StringBuilder();
+                for(String currentRealm : realmNames) {
+                    if (realmsStringBuilder.length() != 0) realmsStringBuilder.append(", ");
+                    realmsStringBuilder.append(currentRealm);
+                }
+                throw ROOT_LOGGER.defaultRealmNotReferenced(defaultRealm, realmsStringBuilder.toString());
+            }
         }
-        throw ROOT_LOGGER.defaultRealmNotReferenced(defaultRealm, realmsStringBuilder.toString());
     }
+
 }
 
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
@@ -290,6 +290,15 @@ public interface ElytronSubsystemMessages extends BasicLogger {
     @Message(id = 35, value = "Unable to load module '%s'.")
     OperationFailedException unableToLoadModule(String module, @Cause Exception cause);
 
+    /**
+     * A {@link OperationFailedException} for when validating a security domain fails due to the same realm being referenced twice.
+     *
+     * @param realmName the name of the security realm referenced twice.
+     * @return The {@link OperationFailedException} for the error.
+     */
+    @Message(id = 36, value = "Security realm '%s' has been referenced twice in the same security domain.")
+    OperationFailedException realmRefererencedTwice(String realmName);
+
 
     // CREDENTIAL_STORE section
     @Message(id = 909, value = "Credential store '%s' does not support given credential store entry type '%s'")