New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ELY-1460] External CS, PKCS11 can't be configured with externalPath #1051
Conversation
Regarding discussion on JBEAP, this PR is, I would say, sustaining style fix introducing smallest change to fix the issue. But as this PR target master branch, could we consider proper solution to fix the issue - removing feature "if location is not set in CLI, default credential-store name is used as location"? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure this is the correct fox for this problem, this change means if an invalid location is specified it would also be silently ignored.
Within this class if useExternalStorage gets set to true we should be using externalStorage - I think we need to backtrack higher up to the point where we don't want external storage but are somehow switching it on.
@darranl When useExternalStorage=true we use "location" to setupExternalStorage for filebased external storage and load the KeyStore from "externalPath" [1]. The problem here is that for non-filebased type like PKCS11 we expect "location" to be null which is not the case because the default credential-store name is used as "location" when not set. I've also noted that in KeyStoreCredentialStore we have [2], but we don't check the keyStoreType here [3]. [1] https://github.com/ivassile/wildfly-elytron/blob/648b369d873b2b0c1c080336170ead9f16e49a41/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java#L835 |
There exists documentation JIRA to ensure we have location explicitely set. [1] I think rather javadoc [2] is incorrect. External CS can be in theory used for other non-filebased keystores, not only PKCS11. Also I think we should not default |
I think a bug like this needs to be two steps: -
From what I can tell this API already has sufficient parameters available to it to drive correct behaviour.
Configurations that already break using the management model I tend not to worry too much about as it is impossible for anyone to already be using them, but permutations of configuration that could be in use we must preserve. On the management model we do have the option open to us to add new optional attributes to further control the behaviour. If the current attributes are not correct we could also add new attributes which are alternatives to the current attributes and deprecate the old ones - we don't want to be jumping to deprecating everything on day 1 but if the bug is in the model design we should be looking at a compatible fix in that area. But overall I think ignoring a value that is many cases must be set correctly within the core Elytron implementation to compensate for a model issue I think is the wrong place. I worked through some similar configuration issues this week and I think the risk here is the user accidentally ends up with an empty credential store rather than a clear error saying the credential store could not be loaded - they then end up having to debug why their successfully configured credential store contains no credentials. |
This issue will require elytron and elytron subsystem changes so I created core/JBEAP issues: I'll work on removing the requirement "if location is not set in CLI, default credential-store name is used as location" in elytron subsystem. In Elytron, when useExternalStorage=true and externalPath is null we should not default externalPath to location, but throw an exception. |
Implemented: "When useExternalStorage=true and externalPath is null we should not default externalPath to location, but throw an exception."
@ivassile Do we have an update on where we are with this one? Do you need to us to make some time to discuss the options? |
@darranl I thought that with this new PR and the PR [1] submitted for WFCORE-3458, the issue is completely fixed in Elytron Subsystem and Elytron. Let me know if you think that the change is not sufficient to resolve the problem. |
Ah, I missed the updated code - yes this does look ready for re-review, thank you. |
@mchoma Have you had a chance to look at the pair of PRs? I think we are ready to get on with merging. |
I think this fix is OK |
wildfly-elytron: https://issues.jboss.org/browse/ELY-1460
JBEAP: https://issues.jboss.org/browse/JBEAP-13441