Merge pull request #2486 from honza889/WFCORE-2891

[WFCORE-2891] attribute "required" into elytron kerberos-security-factory

elytron/src/main/java/org/wildfly/extension/elytron/CredentialSecurityFactoryParser.java

@@ -43,6 +43,7 @@
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.PRINCIPAL;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.RELATIVE_TO;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.REQUEST_LIFETIME;
+import static org.wildfly.extension.elytron.ElytronDescriptionConstants.REQUIRED;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.SERVER;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.VALUE;
 import static org.wildfly.extension.elytron.ElytronDescriptionConstants.WRAP_GSS_CREDENTIAL;
@@ -134,6 +135,9 @@ private void readKerberosSecurityFactory(ModelNode parentAddress, XMLExtendedStr
                     case WRAP_GSS_CREDENTIAL:
                         KerberosSecurityFactoryDefinition.WRAP_GSS_CREDENTIAL.parseAndSetParameter(value, add, reader);
                         break;
+                    case REQUIRED:
+                        KerberosSecurityFactoryDefinition.REQUIRED.parseAndSetParameter(value, add, reader);
+                        break;
                     case MECHANISM_NAMES:
                         for (String mechanismName : reader.getListAttributeValue(i)) {
                             KerberosSecurityFactoryDefinition.MECHANISM_NAMES.parseAndAddParameterElement(mechanismName, add, reader);
@@ -246,6 +250,7 @@ private boolean writeKerberosSecurityFactories(boolean started, ModelNode subsys
                 KerberosSecurityFactoryDefinition.OBTAIN_KERBEROS_TICKET.marshallAsAttribute(factory, false, writer);
                 KerberosSecurityFactoryDefinition.DEBUG.marshallAsAttribute(factory, false, writer);
                 KerberosSecurityFactoryDefinition.WRAP_GSS_CREDENTIAL.marshallAsAttribute(factory, false, writer);
+                KerberosSecurityFactoryDefinition.REQUIRED.marshallAsAttribute(factory, false, writer);
                 KerberosSecurityFactoryDefinition.MECHANISM_NAMES.getAttributeMarshaller().marshallAsAttribute(KerberosSecurityFactoryDefinition.MECHANISM_NAMES, factory, false, writer);
                 KerberosSecurityFactoryDefinition.MECHANISM_OIDS.getAttributeMarshaller().marshallAsAttribute(KerberosSecurityFactoryDefinition.MECHANISM_OIDS, factory, false, writer);
                 KerberosSecurityFactoryDefinition.OPTIONS.marshallAsElement(factory, writer);

elytron/src/main/java/org/wildfly/extension/elytron/KerberosSecurityFactoryDefinition.java

@@ -118,6 +118,12 @@ class KerberosSecurityFactoryDefinition {
             .setRestartAllServices()
             .build();
 
+    static final SimpleAttributeDefinition REQUIRED = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.REQUIRED, ModelType.BOOLEAN, true)
+            .setDefaultValue(new ModelNode(false))
+            .setAllowExpression(true)
+            .setRestartAllServices()
+            .build();
+
     private static final ModelNode mechanismsDefault = new ModelNode();
     private static final String[] mechanismAllowedValues = new String[]{"KRB5LEGACY","GENERIC","KRB5","KRB5V2","SPNEGO"};
     static {
@@ -162,7 +168,7 @@ public void marshallAsElement(AttributeDefinition attribute, ModelNode resourceM
             .build();
 
     static ResourceDefinition getKerberosSecurityFactoryDefinition() {
-        final AttributeDefinition[] attributes = new AttributeDefinition[] { PRINCIPAL, RELATIVE_TO, PATH,  MINIMUM_REMAINING_LIFETIME, REQUEST_LIFETIME, SERVER, OBTAIN_KERBEROS_TICKET, DEBUG, MECHANISM_NAMES, MECHANISM_OIDS, WRAP_GSS_CREDENTIAL, OPTIONS };
+        final AttributeDefinition[] attributes = new AttributeDefinition[] { PRINCIPAL, RELATIVE_TO, PATH,  MINIMUM_REMAINING_LIFETIME, REQUEST_LIFETIME, SERVER, OBTAIN_KERBEROS_TICKET, DEBUG, MECHANISM_NAMES, MECHANISM_OIDS, WRAP_GSS_CREDENTIAL, REQUIRED, OPTIONS };
         TrivialAddHandler<CredentialSecurityFactory> add = new TrivialAddHandler<CredentialSecurityFactory>(CredentialSecurityFactory.class, attributes, SECURITY_FACTORY_CREDENTIAL_RUNTIME_CAPABILITY) {
 
             @Override
@@ -174,6 +180,7 @@ protected ValueSupplier<CredentialSecurityFactory> getValueSupplier(ServiceBuild
                 final boolean obtainKerberosTicket = OBTAIN_KERBEROS_TICKET.resolveModelAttribute(context, model).asBoolean();
                 final boolean debug = DEBUG.resolveModelAttribute(context, model).asBoolean();
                 final boolean wrapGssCredential = WRAP_GSS_CREDENTIAL.resolveModelAttribute(context, model).asBoolean();
+                final boolean required = REQUIRED.resolveModelAttribute(context, model).asBoolean();
 
                 Stream<String> oidsFromNames = MECHANISM_NAMES.unwrap(context, model).stream()
                         .map(name -> OidsUtil.attributeNameToOid(OidsUtil.Category.GSS, name));
@@ -223,6 +230,7 @@ protected ValueSupplier<CredentialSecurityFactory> getValueSupplier(ServiceBuild
                         .setObtainKerberosTicket(obtainKerberosTicket)
                         .setDebug(debug)
                         .setWrapGssCredential(wrapGssCredential)
+                        .setCheckKeyTab(required)
                         .setOptions(options);
                     mechanismOids.forEach(builder::addMechanismOid);
 

elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties

@@ -299,6 +299,7 @@ elytron.kerberos-security-factory.server=If this for use server side or client s
 elytron.kerberos-security-factory.obtain-kerberos-ticket=Should the KerberosTicket also be obtained and associated with the credential. This is required to be true where credentials are delegated to the server.
 elytron.kerberos-security-factory.debug=Should the JAAS step of obtaining the credential have debug logging enabled.
 elytron.kerberos-security-factory.wrap-gss-credential=Should generated GSS credentials be wrapped to prevent improper disposal or not?
+elytron.kerberos-security-factory.required=Is the keytab file with adequate principal required to exist at the time the service starts?
 elytron.kerberos-security-factory.mechanism-names=The mechanism names the credential should be usable with. Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute.
 elytron.kerberos-security-factory.mechanism-oids=The mechanism OIDs the credential should be usable with. Will be used together with OIDs derived from names from mechanism-names attribute.
 elytron.kerberos-security-factory.options=The Krb5LoginModule additional options.

elytron/src/main/resources/schema/wildfly-elytron_1_0.xsd

@@ -2237,6 +2237,13 @@
                         </xs:documentation>
                     </xs:annotation>
                 </xs:attribute>
+                <xs:attribute name="required" type="xs:boolean" default="false">
+                    <xs:annotation>
+                        <xs:documentation>
+                            Is the keytab file with adequate principal required to exist at the time the service starts?
+                        </xs:documentation>
+                    </xs:annotation>
+                </xs:attribute>
                 <xs:attribute name="mechanism-names" type="stringListType" default="KRB5 SPNEGO">
                     <xs:annotation>
                         <xs:documentation>

elytron/src/test/resources/org/wildfly/extension/elytron/credential-security-factories.xml

@@ -17,6 +17,7 @@
                                    obtain-kerberos-ticket="true"
                                    debug="true"
                                    wrap-gss-credential="true"
+                                   required="true"
                                    mechanism-names="KRB5 KRB5LEGACY"
                                    mechanism-oids="1.2.840.113554.1.2.2 1.3.6.1.5.5.2">
             <option key="a" value="b" />