Merge pull request #10675 from tadamski/WFLY-9107

[WFLY-9107] IIOP security configuration and tests refactor

feature-pack/src/main/resources/content/appclient/configuration/appclient.xml

@@ -115,7 +115,9 @@
                               managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:ejb3:3.0"/>
-        <subsystem xmlns="urn:jboss:domain:iiop-openjdk:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
+            <orb socket-binding="iiop"/>
+        </subsystem>
         <subsystem xmlns="urn:jboss:domain:jca:2.0">
             <archive-validation enabled="false" />
             <bean-validation enabled="true" />

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPExtension.java

@@ -51,7 +51,8 @@ public class IIOPExtension implements Extension {
 
     private static final String RESOURCE_NAME = IIOPExtension.class.getPackage().getName() + ".LocalDescriptions";
 
-    static final ModelVersion CURRENT_MODEL_VERSION = ModelVersion.create(2,0,0);
+    static final ModelVersion CURRENT_MODEL_VERSION = ModelVersion.create(2,1,0);
+    static final ModelVersion VERSION_2 = ModelVersion.create(2,0,0);
     static final ModelVersion VERSION_1 = ModelVersion.create(1);
 
 
@@ -69,14 +70,15 @@ public void initialize(ExtensionContext context) {
         final SubsystemRegistration subsystem = context.registerSubsystem(SUBSYSTEM_NAME, CURRENT_MODEL_VERSION);
         final ManagementResourceRegistration subsystemRegistration = subsystem.registerSubsystemModel(IIOPRootDefinition.INSTANCE);
         subsystemRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
-        subsystem.registerXMLElementWriter(new IIOPSubsystemParser_2_0());
+        subsystem.registerXMLElementWriter(new IIOPSubsystemParser_2_1());
 
     }
 
     @Override
     public void initializeParsers(ExtensionParsingContext context) {
         context.setSubsystemXmlMapping(SUBSYSTEM_NAME,Namespace.IIOP_OPENJDK_1_0.getUriString(), IIOPSubsystemParser_1::new);
         context.setSubsystemXmlMapping(SUBSYSTEM_NAME,Namespace.IIOP_OPENJDK_2_0.getUriString(), IIOPSubsystemParser_2_0::new);
+        context.setSubsystemXmlMapping(SUBSYSTEM_NAME,Namespace.IIOP_OPENJDK_2_1.getUriString(), IIOPSubsystemParser_2_1::new);
     }
 
 }

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPRootDefinition.java

@@ -78,7 +78,7 @@ class IIOPRootDefinition extends PersistentResourceDefinition {
 
     protected static final AttributeDefinition SOCKET_BINDING = new SimpleAttributeDefinitionBuilder(
             Constants.ORB_SOCKET_BINDING, ModelType.STRING, true).setAttributeGroup(Constants.ORB)
-            .setDefaultValue(new ModelNode().set("iiop")).setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
+            .setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
             .addAccessConstraint(SensitiveTargetAccessConstraintDefinition.SOCKET_BINDING_REF).build();
 
     protected static final AttributeDefinition SSL_SOCKET_BINDING = new SimpleAttributeDefinitionBuilder(

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemAdd.java

@@ -192,10 +192,19 @@ public void execute(DeploymentProcessorTarget processorTarget) {
             builder.addDependency(authContextServiceName);
         }
 
+        final boolean serverRequiresSsl = IIOPRootDefinition.SERVER_REQUIRES_SSL.resolveModelAttribute(context, model).asBoolean();
+
         // inject the socket bindings that specify IIOP and IIOP/SSL ports.
         String socketBinding = props.getProperty(Constants.ORB_SOCKET_BINDING);
-        builder.addDependency(SocketBinding.JBOSS_BINDING_NAME.append(socketBinding), SocketBinding.class,
-                orbService.getIIOPSocketBindingInjector());
+        if (socketBinding != null) {
+            if (!serverRequiresSsl) {
+                builder.addDependency(SocketBinding.JBOSS_BINDING_NAME.append(socketBinding), SocketBinding.class,
+                        orbService.getIIOPSocketBindingInjector());
+            } else {
+                IIOPLogger.ROOT_LOGGER.wontUseCleartextSocket();
+            }
+        }
+
 
         String sslSocketBinding = props.getProperty(Constants.ORB_SSL_SOCKET_BINDING);
         if(sslSocketBinding != null) {
@@ -205,7 +214,7 @@ public void execute(DeploymentProcessorTarget processorTarget) {
 
         // create the IOR security config metadata service.
         final IORSecurityConfigMetaData securityConfigMetaData = this.createIORSecurityConfigMetaData(context,
-                model, sslConfigured);
+                model, sslConfigured, serverRequiresSsl);
         final IORSecConfigMetaDataService securityConfigMetaDataService = new IORSecConfigMetaDataService(securityConfigMetaData);
         context.getServiceTarget()
                 .addService(IORSecConfigMetaDataService.SERVICE_NAME, securityConfigMetaDataService)
@@ -217,21 +226,21 @@ public void execute(DeploymentProcessorTarget processorTarget) {
         builder.setInitialMode(ServiceController.Mode.ACTIVE).install();
 
         // create the service the initializes the Root POA.
-        CorbaPOAService rootPOAService = new CorbaPOAService("RootPOA", "poa");
+        CorbaPOAService rootPOAService = new CorbaPOAService("RootPOA", "poa", serverRequiresSsl);
         context.getServiceTarget().addService(CorbaPOAService.ROOT_SERVICE_NAME, rootPOAService)
                 .addDependency(CorbaORBService.SERVICE_NAME, ORB.class, rootPOAService.getORBInjector())
                 .setInitialMode(ServiceController.Mode.ACTIVE).install();
 
         // create the service the initializes the interface repository POA.
-        final CorbaPOAService irPOAService = new CorbaPOAService("IRPOA", "irpoa", IdAssignmentPolicyValue.USER_ID, null, null,
+        final CorbaPOAService irPOAService = new CorbaPOAService("IRPOA", "irpoa", serverRequiresSsl, IdAssignmentPolicyValue.USER_ID, null, null,
                 LifespanPolicyValue.PERSISTENT, null, null, null);
         context.getServiceTarget()
                 .addService(CorbaPOAService.INTERFACE_REPOSITORY_SERVICE_NAME, irPOAService)
                 .addDependency(CorbaPOAService.ROOT_SERVICE_NAME, POA.class, irPOAService.getParentPOAInjector())
                 .setInitialMode(ServiceController.Mode.ACTIVE).install();
 
         // create the service that initializes the naming service POA.
-        final CorbaPOAService namingPOAService = new CorbaPOAService("Naming", null, IdAssignmentPolicyValue.USER_ID, null,
+        final CorbaPOAService namingPOAService = new CorbaPOAService("Naming", null, serverRequiresSsl, IdAssignmentPolicyValue.USER_ID, null,
                 null, LifespanPolicyValue.PERSISTENT, null, null, null);
         context.getServiceTarget()
                 .addService(CorbaPOAService.SERVICE_NAME.append("namingpoa"), namingPOAService)
@@ -383,7 +392,7 @@ private boolean setupSSLFactories(final Properties props) throws OperationFailed
         return sslConfigured;
     }
 
-    private IORSecurityConfigMetaData createIORSecurityConfigMetaData(final OperationContext context, final ModelNode resourceModel, final boolean sslConfigured)
+    private IORSecurityConfigMetaData createIORSecurityConfigMetaData(final OperationContext context, final ModelNode resourceModel, final boolean sslConfigured, final boolean serverRequiresSsl)
             throws OperationFailedException {
         final IORSecurityConfigMetaData securityConfigMetaData = new IORSecurityConfigMetaData();
 
@@ -399,8 +408,6 @@ private IORSecurityConfigMetaData createIORSecurityConfigMetaData(final Operatio
         asContextMetaData.setRequired(IIOPRootDefinition.REQUIRED.resolveModelAttribute(context, resourceModel).asBoolean());
         securityConfigMetaData.setAsContext(asContextMetaData);
 
-        final boolean serverRequiresSsl = IIOPRootDefinition.SERVER_REQUIRES_SSL.resolveModelAttribute(context, resourceModel).asBoolean();
-
         final IORTransportConfigMetaData transportConfigMetaData = new IORTransportConfigMetaData();
         final ModelNode integrityNode = IIOPRootDefinition.INTEGRITY.resolveModelAttribute(context, resourceModel);
         if(integrityNode.isDefined()){

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemParser_2_1.java

@@ -0,0 +1,53 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2018, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+/ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.wildfly.iiop.openjdk;
+
+
+import static org.jboss.as.controller.PersistentResourceXMLDescription.builder;
+
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.PersistentResourceXMLDescription;
+import org.jboss.as.controller.PersistentResourceXMLParser;
+
+/**
+ * <p>
+ * This class implements a parser for the IIOP subsystem.
+ * </p>
+ *
+ * @author <a href="mailto:tadamski@redhat.com">Tomasz Adamski</a>
+ */
+public class IIOPSubsystemParser_2_1 extends PersistentResourceXMLParser {
+
+
+    IIOPSubsystemParser_2_1() {
+    }
+
+    @Override
+    public PersistentResourceXMLDescription getParserDescription() {
+        return builder(IIOPRootDefinition.INSTANCE.getPathElement(), Namespace.IIOP_OPENJDK_2_1.getUriString())
+                .setMarshallDefaultValues(true)
+                .addAttributes(IIOPRootDefinition.ALL_ATTRIBUTES.toArray(new AttributeDefinition[0]))
+                .build();
+    }
+
+}

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPTransformers.java

@@ -23,6 +23,7 @@
 package org.wildfly.iiop.openjdk;
 
 import static org.wildfly.iiop.openjdk.IIOPExtension.CURRENT_MODEL_VERSION;
+import static org.wildfly.iiop.openjdk.IIOPExtension.VERSION_2;
 import static org.wildfly.iiop.openjdk.IIOPExtension.VERSION_1;
 
 import java.util.Map;
@@ -32,6 +33,7 @@
 import org.jboss.as.controller.transform.ExtensionTransformerRegistration;
 import org.jboss.as.controller.transform.SubsystemTransformerRegistration;
 import org.jboss.as.controller.transform.TransformationContext;
+import org.jboss.as.controller.transform.description.AttributeConverter;
 import org.jboss.as.controller.transform.description.ChainedTransformationDescriptionBuilder;
 import org.jboss.as.controller.transform.description.DiscardAttributeChecker;
 import org.jboss.as.controller.transform.description.RejectAttributeChecker;
@@ -53,6 +55,10 @@ public String getSubsystemName() {
     public void registerTransformers(SubsystemTransformerRegistration subsystemRegistration) {
         ChainedTransformationDescriptionBuilder chained = ResourceTransformationDescriptionBuilder.Factory.createChainedSubystemInstance(CURRENT_MODEL_VERSION);
 
+        ResourceTransformationDescriptionBuilder builder_2_0 = chained.createBuilder(CURRENT_MODEL_VERSION, VERSION_2);
+        builder_2_0.getAttributeBuilder()
+                .setValueConverter(new AttributeConverter.DefaultValueAttributeConverter(IIOPRootDefinition.SOCKET_BINDING), IIOPRootDefinition.SOCKET_BINDING);
+
         /*
         --- Problems for relative address to root []:
         Missing attributes in current: []; missing in legacy [server-requires-ssl, server-ssl-context, client-requires-ssl, authentication-context, client-ssl-context]
@@ -65,8 +71,8 @@ public void registerTransformers(SubsystemTransformerRegistration subsystemRegis
         Different 'default' for attribute 'trust-in-target'. Current: undefined; legacy: "none"
         Missing parameters for operation 'add' in current: []; missing in legacy [server-requires-ssl, server-ssl-context, client-requires-ssl, authentication-context, client-ssl-context]
          */
-        ResourceTransformationDescriptionBuilder builder = chained.createBuilder(CURRENT_MODEL_VERSION, VERSION_1);
-        builder.getAttributeBuilder()
+        ResourceTransformationDescriptionBuilder builder_1_0 = chained.createBuilder(VERSION_2, VERSION_1);
+        builder_1_0.getAttributeBuilder()
                 .setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(IIOPRootDefinition.CLIENT_REQUIRES_SSL.getDefaultValue()), IIOPRootDefinition.CLIENT_REQUIRES_SSL)
                 .setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(IIOPRootDefinition.SERVER_REQUIRES_SSL.getDefaultValue()), IIOPRootDefinition.SERVER_REQUIRES_SSL)
                 .setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(IIOPRootDefinition.INTEROP_IONA.getDefaultValue()), IIOPRootDefinition.INTEROP_IONA)
@@ -86,6 +92,7 @@ public String getRejectionLogMessage(Map<String, ModelNode> map) {
         ;
 
         chained.buildAndRegister(subsystemRegistration, new ModelVersion[]{
+                VERSION_2,
                 VERSION_1
         });
     }

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/Namespace.java

@@ -33,9 +33,10 @@ enum Namespace {
 
     UNKNOWN(null),
     IIOP_OPENJDK_1_0("urn:jboss:domain:iiop-openjdk:1.0"),
-    IIOP_OPENJDK_2_0("urn:jboss:domain:iiop-openjdk:2.0");
+    IIOP_OPENJDK_2_0("urn:jboss:domain:iiop-openjdk:2.0"),
+    IIOP_OPENJDK_2_1("urn:jboss:domain:iiop-openjdk:2.1");
 
-    static final Namespace CURRENT = IIOP_OPENJDK_2_0;
+    static final Namespace CURRENT = IIOP_OPENJDK_2_1;
 
 
     private final String namespaceURI;

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/logging/IIOPLogger.java

@@ -411,4 +411,11 @@ public interface IIOPLogger extends BasicLogger {
 
     @Message(id = 114, value = "Elytron security initializer not supported in previous iiop-openjdk versions and can't be converted")
     String elytronInitializerNotSupportedInPreviousVersions();
+
+    @Message(id = 115, value = "No IIOP socket bindings have been configured")
+    IllegalStateException noSocketBindingsConfigured();
+
+    @LogMessage(level = WARN)
+    @Message(id = 117, value = "CLEARTEXT in IIOP subsystem won't be used because server-requires-ssl parameter have been set to true")
+    void wontUseCleartextSocket();
 }

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/service/CorbaORBService.java

@@ -102,14 +102,22 @@ public void start(StartContext context) throws StartException {
             properties.setProperty(ORBConstants.IOR_TO_SOCKET_INFO_CLASS_PROPERTY, CSIV2IORToSocketInfo.class.getName());
 
             // set the IIOP and IIOP/SSL ports from the respective socket bindings.
-            if (this.iiopSocketBindingInjector.getValue()!= null) {
+            final SocketBinding socketBinding = iiopSocketBindingInjector.getOptionalValue();
+            final SocketBinding sslSocketBinding = this.iiopSSLSocketBindingInjector.getOptionalValue();
+
+            if (socketBinding == null && sslSocketBinding == null) {
+                throw IIOPLogger.ROOT_LOGGER.noSocketBindingsConfigured();
+            }
+
+            if (socketBinding != null) {
                 InetSocketAddress address = this.iiopSocketBindingInjector.getValue().getSocketAddress();
                 properties.setProperty(ORBConstants.SERVER_HOST_PROPERTY, address.getAddress().getHostAddress());
                 properties.setProperty(ORBConstants.SERVER_PORT_PROPERTY, String.valueOf(address.getPort()));
                 properties.setProperty(ORBConstants.PERSISTENT_SERVER_PORT_PROPERTY, String.valueOf(address.getPort()));
             }
-            if (this.iiopSSLSocketBindingInjector.getOptionalValue() != null) {
+            if (sslSocketBinding != null) {
                 InetSocketAddress address = this.iiopSSLSocketBindingInjector.getValue().getSocketAddress();
+                properties.setProperty(ORBConstants.SERVER_HOST_PROPERTY, address.getAddress().getHostAddress());
                 properties.setProperty(Constants.ORB_SSL_PORT, String.valueOf(address.getPort()));
                 final String sslSocket = new StringBuilder().append(Constants.SSL_SOCKET_TYPE).append(':')
                         .append(String.valueOf(address.getPort())).toString();

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/service/CorbaPOAService.java

@@ -25,6 +25,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.sun.corba.se.spi.extension.ZeroPortPolicy;
 import org.jboss.msc.inject.Injector;
 import org.jboss.msc.service.Service;
 import org.jboss.msc.service.ServiceName;
@@ -88,6 +89,8 @@ public class CorbaPOAService implements Service<POA> {
 
     private final ThreadPolicyValue threadPolicyValue;
 
+    private final boolean sslRequired;
+
     /**
      * <p>
      * Creates a {@code CorbaPOAService} with the specified POA name and binding name. The {@code POA} created by this
@@ -98,8 +101,8 @@ public class CorbaPOAService implements Service<POA> {
      * @param bindingName the JNDI context name where the created {@code POA} will be bound. If null, the JNDI binding
      *                    won't be performed.
      */
-    public CorbaPOAService(String poaName, String bindingName) {
-        this(poaName, bindingName, null, null, null, null, null, null, null);
+    public CorbaPOAService(String poaName, String bindingName, boolean sslRequired) {
+        this(poaName, bindingName, sslRequired, null, null, null, null, null, null, null);
     }
 
     /**
@@ -125,12 +128,13 @@ public CorbaPOAService(String poaName, String bindingName) {
      * @param threadPolicyValue             the {@code ThreadPolicyValue} that will be associated with the created {@code POA}. Can
      *                                      be null.
      */
-    public CorbaPOAService(String poaName, String bindingName, IdAssignmentPolicyValue idAssignmentPolicyValue,
+    public CorbaPOAService(String poaName, String bindingName, boolean sslRequired, IdAssignmentPolicyValue idAssignmentPolicyValue,
                            IdUniquenessPolicyValue idUniquenessPolicyValue, ImplicitActivationPolicyValue implicitActivationPolicyValue,
                            LifespanPolicyValue lifespanPolicyValue, RequestProcessingPolicyValue requestProcessingPolicyValue,
                            ServantRetentionPolicyValue servantRetentionPolicyValue, ThreadPolicyValue threadPolicyValue) {
         this.poaName = poaName;
         this.bindingName = bindingName;
+        this.sslRequired = sslRequired;
         this.idAssignmentPolicyValue = idAssignmentPolicyValue;
         this.idUniquenessPolicyValue = idUniquenessPolicyValue;
         this.implicitActivationPolicyValue = implicitActivationPolicyValue;
@@ -218,7 +222,8 @@ public Injector<POA> getParentPOAInjector() {
      */
     private Policy[] createPolicies(POA poa) {
         List<Policy> policies = new ArrayList<Policy>();
-
+        if(this.sslRequired)
+            policies.add(ZeroPortPolicy.getPolicy());
         if (this.idAssignmentPolicyValue != null)
             policies.add(poa.create_id_assignment_policy(this.idAssignmentPolicyValue));
         if (this.idUniquenessPolicyValue != null)