[WFCORE-3596] Introduce named permission sets in the Elytron subsystem

core-galleon-pack/src/main/resources/feature_groups/elytron-common.xml

@@ -34,7 +34,7 @@
         <param name="simple-permission-mapper" value="default-permission-mapper" />
         <param name="mapping-mode" value="first" />
         <param name="permission-mappings"
-            value="[{principals=[anonymous]},{match-all=true,permissions=[class-name=org.wildfly.security.auth.permission.LoginPermission]}]" />
+            value="[{principals=[anonymous],permission-sets=[permission-set=default-permissions]},{match-all=true,permission-sets=[permission-set=login-permission,permission-set=default-permissions]}]" />
         <!-- <feature spec="subsystem.elytron.simple-permission-mapper.permission-mappings"> 
             <param name="principals" value="[anonymous]"/> </feature> <feature spec="subsystem.elytron.simple-permission-mapper.permission-mappings"> 
             <param name="match-all" value="true"/> <param name="permissions" value="[class-name=org.wildfly.security.auth.permission.LoginPermission]"/> 
@@ -61,4 +61,12 @@
         <param name="constant-role-mapper" value="super-user-mapper" />
         <param name="roles" value="[SuperUser]" />
     </feature>
+    <feature spec="subsystem.elytron.permission-set">
+        <param name="permission-set" value="login-permission" />
+        <param name="permissions" value="[class-name=org.wildfly.security.auth.permission.LoginPermission]" />
+    </feature>
+    <feature spec="subsystem.elytron.permission-set">
+        <param name="permission-set" value="default-permissions" />
+        <param name="permissions" value="[]" />
+    </feature>
 </feature-group-spec>

core-galleon-pack/src/main/resources/feature_groups/host-profile.xml

@@ -4,7 +4,7 @@
     <feature spec="subsystem.elytron">
         <param name="final-providers" value="combined-providers"/>
         <param name="disallowed-providers" value="[OracleUcrypto]"/>
-        <feature-group name="host-elytron-common">
+        <feature-group name="elytron-common">
             <include feature-id="subsystem.elytron.file-audit-log:file-audit-log=local-audit">
                 <param name="relative-to" value="jboss.domain.log.dir"/>
             </include>

elytron/src/main/java/org/wildfly/extension/elytron/Capabilities.java

@@ -19,6 +19,7 @@
 package org.wildfly.extension.elytron;
 
 import java.security.KeyStore;
+import java.security.Permissions;
 import java.security.Policy;
 import java.security.Provider;
 import java.util.function.Consumer;
@@ -127,6 +128,12 @@ public void accept(final ServiceBuilder serviceBuilder) {
             .Builder.of(PERMISSION_MAPPER_CAPABILITY, true, PermissionMapper.class)
             .build();
 
+    static final String PERMISSION_SET_CAPABILITY = CAPABILITY_BASE + "permission-set";
+
+    static final RuntimeCapability<Void> PERMISSION_SET_RUNTIME_CAPABILITY =  RuntimeCapability
+            .Builder.of(PERMISSION_SET_CAPABILITY, true, Permissions.class)
+            .build();
+
     static final String PRINCIPAL_TRANSFORMER_CAPABILITY = CAPABILITY_BASE + "principal-transformer";
 
     static final RuntimeCapability<Void> PRINCIPAL_TRANSFORMER_RUNTIME_CAPABILITY =  RuntimeCapability

elytron/src/main/java/org/wildfly/extension/elytron/ElytronDefinition.java

@@ -177,6 +177,9 @@ public void registerChildren(ManagementResourceRegistration resourceRegistration
         resourceRegistration.registerSubModel(PermissionMapperDefinitions.getSimplePermissionMapper());
         resourceRegistration.registerSubModel(PermissionMapperDefinitions.getConstantPermissionMapper());
 
+        // Permission Sets
+        resourceRegistration.registerSubModel(PermissionSetDefinition.getPermissionSet());
+
         // Principal Decoders
         resourceRegistration.registerSubModel(PrincipalDecoderDefinitions.getAggregatePrincipalDecoderDefinition());
         resourceRegistration.registerSubModel(PrincipalDecoderDefinitions.getConcatenatingPrincipalDecoder());

elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java

@@ -330,6 +330,8 @@ interface ElytronDescriptionConstants {
     String PERMISSION_MAPPER = "permission-mapper";
     String PERMISSION_MAPPING = "permission-mapping";
     String PERMISSION_MAPPINGS = "permission-mappings";
+    String PERMISSION_SET = "permission-set";
+    String PERMISSION_SETS = "permission-sets";
     String PLAIN_TEXT = "plain-text";
     String POLICY = "policy";
     String PORT = "port";

elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemParser1_0.java

@@ -89,7 +89,7 @@ private static class CustomPolicyDefinition {
             .build();
 
     PersistentResourceXMLDescription getMapperParser() {
-        return new MapperParser(true).getParser();
+        return new MapperParser(MapperParser.Version.VERSION_1_0).getParser();
     }
 
     PersistentResourceXMLDescription getDomainParser() {

elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemParser1_1.java

@@ -34,7 +34,7 @@ String getNameSpace() {
     }
 
     protected PersistentResourceXMLDescription getMapperParser() {
-        return new MapperParser().getParser();
+        return new MapperParser(MapperParser.Version.VERSION_1_1).getParser();
     }
 
 

elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemParser3_0.java

@@ -20,7 +20,9 @@
 
 import static org.jboss.as.controller.PersistentResourceXMLDescription.decorator;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.CREDENTIAL_STORES;
+import static org.wildfly.extension.elytron.ElytronDescriptionConstants.PERMISSION_SETS;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.SECURITY_PROPERTY;
+import static org.wildfly.extension.elytron.PermissionMapperDefinitions.PERMISSIONS;
 
 import org.jboss.as.controller.AttributeMarshallers;
 import org.jboss.as.controller.AttributeParsers;
@@ -34,6 +36,11 @@
  */
 class ElytronSubsystemParser3_0 extends ElytronSubsystemParser2_0 {
 
+    final PersistentResourceXMLDescription permissionSetParser = PersistentResourceXMLDescription.builder(PermissionSetDefinition.getPermissionSet().getPathElement())
+            .setXmlWrapperElement(PERMISSION_SETS)
+            .addAttribute(PERMISSIONS)
+            .build();
+
     @Override
     String getNameSpace() {
         return ElytronExtension.NAMESPACE_3_0;
@@ -54,6 +61,7 @@ public PersistentResourceXMLDescription getParserDescription() {
                 .addChild(getRealmParser())
                 .addChild(getCredentialSecurityFactoryParser())
                 .addChild(getMapperParser())
+                .addChild(getPermissionSetParser())
                 .addChild(getHttpParser())
                 .addChild(getSaslParser())
                 .addChild(getTlsParser())
@@ -62,4 +70,12 @@ public PersistentResourceXMLDescription getParserDescription() {
                 .addChild(getPolicyParser())
                 .build();
     }
+
+    protected PersistentResourceXMLDescription getMapperParser() {
+        return new MapperParser().getParser();
+    }
+
+    PersistentResourceXMLDescription getPermissionSetParser() {
+        return permissionSetParser;
+    }
 }

elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java

@@ -17,18 +17,24 @@
 package org.wildfly.extension.elytron;
 
 import org.jboss.as.controller.ModelVersion;
+import org.jboss.as.controller.PathAddress;
+import org.jboss.as.controller.PathElement;
 import org.jboss.as.controller.transform.ExtensionTransformerRegistration;
 import org.jboss.as.controller.transform.SubsystemTransformerRegistration;
+import org.jboss.as.controller.transform.TransformationContext;
+import org.jboss.as.controller.transform.description.AttributeConverter;
 import org.jboss.as.controller.transform.description.ChainedTransformationDescriptionBuilder;
+import org.jboss.as.controller.transform.description.ResourceTransformationDescriptionBuilder;
 import org.jboss.as.controller.transform.description.TransformationDescriptionBuilder;
+import org.jboss.dmr.ModelNode;
 
 /**
  * Registers transformers for the elytron subsystem.
  *
  * @author Brian Stansberry
  */
 public final class ElytronSubsystemTransformers implements ExtensionTransformerRegistration {
-    private static final ModelVersion ELYTRON_1_2_0 = ModelVersion.create(1, 1);
+    private static final ModelVersion ELYTRON_1_2_0 = ModelVersion.create(1, 2);
     private static final ModelVersion ELYTRON_2_0_0 = ModelVersion.create(2, 0);
     private static final ModelVersion ELYTRON_3_0_0 = ModelVersion.create(3, 0);
 
@@ -41,13 +47,64 @@ public String getSubsystemName() {
     public void registerTransformers(SubsystemTransformerRegistration registration) {
         ChainedTransformationDescriptionBuilder chainedBuilder = TransformationDescriptionBuilder.Factory.createChainedSubystemInstance(registration.getCurrentSubsystemVersion());
 
-        chainedBuilder.createBuilder(ELYTRON_3_0_0, ELYTRON_2_0_0);
+        ResourceTransformationDescriptionBuilder builderCurrentTo2_0_0 = chainedBuilder.createBuilder(ELYTRON_3_0_0, ELYTRON_2_0_0);
+        builderCurrentTo2_0_0.discardChildResource(PathElement.pathElement(ElytronDescriptionConstants.PERMISSION_SET));
+        builderCurrentTo2_0_0
+                .addChildResource(PathElement.pathElement(ElytronDescriptionConstants.SIMPLE_PERMISSION_MAPPER))
+                .getAttributeBuilder()
+                .setValueConverter(MAPPING_PERMISSION_SET_CONVERTER, ElytronDescriptionConstants.PERMISSION_MAPPINGS)
+                .end();
+        builderCurrentTo2_0_0
+                .addChildResource(PathElement.pathElement(ElytronDescriptionConstants.CONSTANT_PERMISSION_MAPPER))
+                .getAttributeBuilder()
+                .addRename(ElytronDescriptionConstants.PERMISSION_SETS, ElytronDescriptionConstants.PERMISSIONS)
+                .setValueConverter(CONSTANT_PERMISSION_SET_CONVERTER, ElytronDescriptionConstants.PERMISSION_SETS)
+                .end();
 
         // 2.0.0 to 1.2.0, aka EAP 7.1.0
         chainedBuilder.createBuilder(ELYTRON_2_0_0, ELYTRON_1_2_0);
         chainedBuilder.buildAndRegister(registration, new ModelVersion[] { ELYTRON_2_0_0, ELYTRON_1_2_0 });
 
     }
 
+    private static final AttributeConverter MAPPING_PERMISSION_SET_CONVERTER = new AttributeConverter.DefaultAttributeConverter() {
+        @Override
+        protected void convertAttribute(PathAddress address, String attributeName, ModelNode attributeValue, TransformationContext context) {
+            if (attributeValue.isDefined()) {
+                for (ModelNode permissionMapping : attributeValue.asList()) {
+                    if (permissionMapping.hasDefined(ElytronDescriptionConstants.PERMISSION_SETS)) {
+                        ModelNode permissionSets = permissionMapping.get(ElytronDescriptionConstants.PERMISSION_SETS);
+                        for (ModelNode permissionSet : permissionSets.asList()) {
+                            ModelNode permissionSetName = permissionSet.get(ElytronDescriptionConstants.PERMISSION_SET);
+                            PathAddress permissionSetAddress = address.getParent().append(ElytronDescriptionConstants.PERMISSION_SET, permissionSetName.asString());
+                            ModelNode permissions = context.readResourceFromRoot(permissionSetAddress).getModel().get(ElytronDescriptionConstants.PERMISSIONS);
+                            for (ModelNode permission: permissions.asList()) {
+                                permissionMapping.get(ElytronDescriptionConstants.PERMISSIONS).add(permission);
+                            }
+                        }
+                        permissionMapping.remove(ElytronDescriptionConstants.PERMISSION_SETS);
+                    }
+                }
+            }
+        }
+    };
+
+    private static final AttributeConverter CONSTANT_PERMISSION_SET_CONVERTER = new AttributeConverter.DefaultAttributeConverter() {
+        @Override
+        protected void convertAttribute(PathAddress address, String attributeName, ModelNode attributeValue, TransformationContext context) {
+            if (attributeValue.isDefined()) {
+                ModelNode allPermissions = new ModelNode();
+                for (ModelNode permissionSet : attributeValue.asList()) {
+                    ModelNode permissionSetName = permissionSet.get(ElytronDescriptionConstants.PERMISSION_SET);
+                    PathAddress permissionSetAddress = address.getParent().append(ElytronDescriptionConstants.PERMISSION_SET, permissionSetName.asString());
+                    ModelNode permissions = context.readResourceFromRoot(permissionSetAddress).getModel().get(ElytronDescriptionConstants.PERMISSIONS);
+                    for (ModelNode permission: permissions.asList()) {
+                        allPermissions.add(permission);
+                    }
+                }
+                attributeValue.set(allPermissions);
+            }
+        }
+    };
 
 }

elytron/src/main/java/org/wildfly/extension/elytron/MapperParser.java

@@ -52,7 +52,13 @@
  * @author Tomaz Cerar
  */
 class MapperParser {
-    private final boolean legacyVersion10;
+    enum Version {
+        VERSION_1_0,
+        VERSION_1_1,
+        CURRENT // permission-sets in permission-mappings and constant-permission-mappers
+    }
+
+    private final Version version;
 
     private PersistentResourceXMLDescription simpleMapperParser = PersistentResourceXMLDescription.builder(PermissionMapperDefinitions.getSimplePermissionMapper().getPathElement())
             .addAttribute(PermissionMapperDefinitions.MAPPING_MODE)
@@ -64,12 +70,22 @@ class MapperParser {
             .addAttribute(PermissionMapperDefinitions.PERMISSION_MAPPINGS_1_0)
             .build();
 
+    private PersistentResourceXMLDescription simpleMapperParser_1_1 = PersistentResourceXMLDescription.builder(PermissionMapperDefinitions.getSimplePermissionMapper().getPathElement())
+            .addAttribute(PermissionMapperDefinitions.MAPPING_MODE)
+            .addAttribute(PermissionMapperDefinitions.PERMISSION_MAPPINGS_1_1)
+            .build();
+
     private PersistentResourceXMLDescription logicalPermissionMapper = PersistentResourceXMLDescription.builder(PermissionMapperDefinitions.getLogicalPermissionMapper().getPathElement())
             .addAttribute(PermissionMapperDefinitions.LOGICAL_OPERATION)
             .addAttribute(PermissionMapperDefinitions.LEFT)
             .addAttribute(PermissionMapperDefinitions.RIGHT)
             .build();
     private PersistentResourceXMLDescription constantPermissionMapper = PersistentResourceXMLDescription.builder(PermissionMapperDefinitions.getConstantPermissionMapper().getPathElement())
+            .addAttribute(PermissionMapperDefinitions.PERMISSIONS)
+            .addAttribute(PermissionMapperDefinitions.PERMISSION_SETS)
+            .build();
+
+    private PersistentResourceXMLDescription constantPermissionMapper_1_0 = PersistentResourceXMLDescription.builder(PermissionMapperDefinitions.getConstantPermissionMapper().getPathElement())
             .addAttribute(PermissionMapperDefinitions.PERMISSIONS)
             .build();
 
@@ -171,23 +187,33 @@ public void marshallSingleElement(AttributeDefinition attribute, ModelNode prope
             .addAttribute(RoleMapperDefinitions.RIGHT)
             .build();
 
-    MapperParser(boolean legacyVersion10) {
-        this.legacyVersion10 = legacyVersion10;
+    MapperParser(Version version) {
+        this.version = version;
     }
 
     MapperParser() {
-        this.legacyVersion10 = false;
+        this.version = Version.CURRENT;
     }
 
     //1.0 version of parser is different at simple mapperParser
 
     private PersistentResourceXMLDescription getSimpleMapperParser() {
-        if (legacyVersion10) {
+        if (version.equals(Version.VERSION_1_0)) {
             return simpleMapperParser_1_0;
+        } else if (version.equals(Version.VERSION_1_1)) {
+            return simpleMapperParser_1_1;
         }
         return simpleMapperParser;
     }
 
+    private PersistentResourceXMLDescription getConstantPermissionMapperParser() {
+        if (version.equals(Version.VERSION_1_0) || version.equals(Version.VERSION_1_1)) {
+            return constantPermissionMapper_1_0;
+        } else {
+            return constantPermissionMapper;
+        }
+    }
+
 
     static PersistentResourceXMLDescription getCustomComponentParser(String componentType) {
         return PersistentResourceXMLDescription.builder(PathElement.pathElement(componentType))
@@ -203,7 +229,7 @@ public PersistentResourceXMLDescription getParser() {
                 .addChild(getCustomComponentParser(CUSTOM_PERMISSION_MAPPER))
                 .addChild(logicalPermissionMapper)
                 .addChild(getSimpleMapperParser())
-                .addChild(constantPermissionMapper)
+                .addChild(getConstantPermissionMapperParser())
                 .addChild(aggregatePrincipalDecoderParser)
                 .addChild(concatenatingPrincipalDecoderParser)
                 .addChild(constantPrincipalDecoderParser)