Use the defined authentication-context and recovery-authentication-co…

…ntext for the ElytronSubjectFactory on data sources

Add the authentication-context dependency to the ConnectionDefinitionService. For this simple approach the dependency is added to guard against the authentication-context being removed if it's in use by a resource-adapter. This should later be moved into a proper capability itself so the value of the authentication-context capability can be directly used.

connector/src/main/java/org/jboss/as/connector/_private/Capabilities.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2017 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.jboss.as.connector._private;
+
+import javax.sql.DataSource;
+
+import org.jboss.as.controller.capability.RuntimeCapability;
+
+/**
+ * Capabilities for the connector subsystems.
+ * <p>
+ * <strong>This is not to be used outside of the various connector subsystems.</strong>
+ * </p>
+ *
+ * @author <a href="mailto:jperkins@redhat.com">James R. Perkins</a>
+ */
+public interface Capabilities {
+    /**
+     * The name for the data-source capability
+     */
+    String DATA_SOURCE_CAPABILITY_NAME = "org.wildfly.data-source";
+
+    /**
+     * The name of the authentication-context capability provided by Elytron.
+     */
+    String AUTHENTICATION_CONTEXT_CAPABILITY = "org.wildfly.security.authentication-context";
+
+    /**
+     * The data-source capability
+     */
+    RuntimeCapability<Void> DATA_SOURCE_CAPABILITY = RuntimeCapability.Builder.of(DATA_SOURCE_CAPABILITY_NAME, true, DataSource.class)
+            .build();
+}

connector/src/main/java/org/jboss/as/connector/security/ElytronSubjectFactory.java

@@ -15,6 +15,7 @@
  */
 package org.jboss.as.connector.security;
 
+import org.jboss.as.connector._private.Capabilities;
 import org.jboss.as.controller.capability.RuntimeCapability;
 import org.jboss.as.server.CurrentServiceContainer;
 import org.jboss.jca.core.spi.security.SubjectFactory;
@@ -50,9 +51,7 @@
  * @author Flavia Rainone
  * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
  */
-public class ElytronSubjectFactory implements SubjectFactory {
-
-    private static final String AUTHENTICATION_CONTEXT_CAPABILITY =  "org.wildfly.security.authentication-context";
+public class ElytronSubjectFactory implements SubjectFactory, Capabilities {
 
     private static final RuntimeCapability<Void> AUTHENTICATION_CONTEXT_RUNTIME_CAPABILITY = RuntimeCapability
             .Builder.of(AUTHENTICATION_CONTEXT_CAPABILITY, true, AuthenticationContext.class)
@@ -61,36 +60,39 @@ public class ElytronSubjectFactory implements SubjectFactory {
     private static final AuthenticationContextConfigurationClient AUTH_CONFIG_CLIENT =
             AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
 
+    private final AuthenticationContext authenticationContext;
     private URI targetURI;
 
     /**
      * Constructor
      */
     public ElytronSubjectFactory() {
-        this(null);
+        this(null, null);
     }
 
     /**
      * Constructor.
      *
      * @param targetURI the {@link URI} of the target.
      */
-    public ElytronSubjectFactory(final URI targetURI) {
+    public ElytronSubjectFactory(final AuthenticationContext authenticationContext, final URI targetURI) {
         if (targetURI == null) {
             try {
                 // TODO remove this - used for testing only
                 this.targetURI = new URI("jdbc://localhost");
             } catch(URISyntaxException e) {}
         }
+        this.authenticationContext = authenticationContext;
         this.targetURI = targetURI;
     }
 
     /**
      * {@inheritDoc}
      */
     public Subject createSubject() {
-        // no authentication configuration name has been supplied - capture the current configuration.
-        final Subject subject = this.createSubject(AuthenticationContext.captureCurrent());
+        // If a authenticationContext was defined on the subsystem use that context, otherwise use capture the current
+        // configuration.
+        final Subject subject = this.createSubject(getAuthenticationContext());
         if (ROOT_LOGGER.isTraceEnabled()) {
             ROOT_LOGGER.subject(subject, Integer.toHexString(System.identityHashCode(subject)));
         }
@@ -108,7 +110,7 @@ public Subject createSubject(final String authenticationContextName) {
             context = (AuthenticationContext) container.getRequiredService(authContextServiceName).getValue();
         }
         else {
-            context = AuthenticationContext.captureCurrent();
+            context = getAuthenticationContext();
         }
         final Subject subject = this.createSubject(context);
         if (ROOT_LOGGER.isTraceEnabled()) {
@@ -184,4 +186,8 @@ public String toString() {
 
         return sb.toString();
     }
+
+    private AuthenticationContext getAuthenticationContext() {
+        return authenticationContext == null ? AuthenticationContext.captureCurrent() : authenticationContext;
+    }
 }

connector/src/main/java/org/jboss/as/connector/services/resourceadapters/deployment/AbstractResourceAdapterDeploymentService.java

@@ -625,7 +625,7 @@ protected org.jboss.jca.core.spi.security.SubjectFactory getSubjectFactory(
             final String securityDomain = securityMetadata.resolveSecurityDomain();
             if (((SecurityMetadata)securityMetadata).isElytronEnabled()) {
                 try {
-                    return new ElytronSubjectFactory(this.url.toURI());
+                    return new ElytronSubjectFactory(null, this.url.toURI());
                 } catch (URISyntaxException e) {
                     throw ConnectorLogger.ROOT_LOGGER.cannotDeploy(e);
                 }

connector/src/main/java/org/jboss/as/connector/subsystems/datasources/AbstractDataSourceAdd.java

@@ -29,6 +29,8 @@
 import static org.jboss.as.connector.subsystems.datasources.Constants.ENABLED;
 import static org.jboss.as.connector.subsystems.datasources.Constants.JNDI_NAME;
 import static org.jboss.as.connector.subsystems.datasources.Constants.JTA;
+import static org.jboss.as.connector.subsystems.datasources.Constants.RECOVERY_AUTHENTICATION_CONTEXT;
+import static org.jboss.as.connector.subsystems.datasources.Constants.RECOVERY_ELYTRON_ENABLED;
 import static org.jboss.as.connector.subsystems.datasources.Constants.SECURITY_DOMAIN;
 import static org.jboss.as.connector.subsystems.datasources.Constants.STATISTICS_ENABLED;
 import static org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from;
@@ -43,6 +45,7 @@
 import java.util.Collection;
 import java.util.List;
 
+import org.jboss.as.connector._private.Capabilities;
 import org.jboss.as.connector.logging.ConnectorLogger;
 import org.jboss.as.connector.services.datasources.statistics.DataSourceStatisticsService;
 import org.jboss.as.connector.services.driver.registry.DriverRegistry;
@@ -83,6 +86,7 @@
 import org.jboss.msc.service.ServiceTarget;
 import org.jboss.msc.service.ValueInjectionService;
 import org.jboss.security.SubjectFactory;
+import org.wildfly.security.auth.client.AuthenticationContext;
 
 /**
  * Abstract operation handler responsible for adding a DataSource.
@@ -195,6 +199,32 @@ void firstRuntimeStep(OperationContext context, ModelNode operation, ModelNode m
         dataSourceServiceBuilder.addDependency(driverServiceName, Driver.class,
                 dataSourceService.getDriverInjector());
 
+         // If the authentication context is defined, add the capability
+         if (ELYTRON_ENABLED.resolveModelAttribute(context, model).asBoolean()) {
+             if (model.hasDefined(AUTHENTICATION_CONTEXT.getName())) {
+                 dataSourceServiceBuilder.addDependency(
+                         context.getCapabilityServiceName(
+                                 Capabilities.AUTHENTICATION_CONTEXT_CAPABILITY,
+                                 AUTHENTICATION_CONTEXT.resolveModelAttribute(context, model).asString(),
+                                 AuthenticationContext.class),
+                         AuthenticationContext.class,
+                         dataSourceService.getAuthenticationContext()
+                 );
+             }
+         }
+         if (isXa() && RECOVERY_ELYTRON_ENABLED.resolveModelAttribute(context, model).asBoolean()) {
+             if (model.hasDefined(RECOVERY_AUTHENTICATION_CONTEXT.getName())) {
+                 dataSourceServiceBuilder.addDependency(
+                         context.getCapabilityServiceName(
+                                 Capabilities.AUTHENTICATION_CONTEXT_CAPABILITY,
+                                 RECOVERY_AUTHENTICATION_CONTEXT.resolveModelAttribute(context, model).asString(),
+                                 AuthenticationContext.class),
+                         AuthenticationContext.class,
+                         dataSourceService.getRecoveryAuthenticationContext()
+                 );
+             }
+         }
+
         dataSourceServiceBuilder.setInitialMode(ServiceController.Mode.NEVER);
 
         dataSourceServiceBuilder.install();
@@ -240,7 +270,7 @@ static void secondRuntimeStep(OperationContext context, ModelNode operation, Man
                 final Credential credential = dataSourceConfig.getRecovery().getCredential();
                 if (credential != null) {
                     final String securityDomainName = credential.getSecurityDomain();
-                    if (!RECOVERY_AUTHENTICATION_CONTEXT.resolveModelAttribute(context, model).asBoolean() && securityDomainName != null) {
+                    if (!RECOVERY_ELYTRON_ENABLED.resolveModelAttribute(context, model).asBoolean() && securityDomainName != null) {
                         builder.addDependency(SecurityDomainService.SERVICE_NAME.append(securityDomainName));
                     }
                 }

connector/src/main/java/org/jboss/as/connector/subsystems/datasources/AbstractDataSourceService.java

@@ -93,6 +93,7 @@
 import org.jboss.msc.service.StopContext;
 import org.jboss.msc.value.InjectedValue;
 import org.jboss.security.SubjectFactory;
+import org.wildfly.security.auth.client.AuthenticationContext;
 import org.wildfly.security.manager.WildFlySecurityManager;
 import org.wildfly.security.manager.action.ClearContextClassLoaderAction;
 import org.wildfly.security.manager.action.GetClassLoaderAction;
@@ -126,6 +127,8 @@ public static ServiceName getServiceName(ContextNames.BindInfo bindInfo) {
     private final InjectedValue<MetadataRepository> mdr = new InjectedValue<MetadataRepository>();
     private final InjectedValue<ServerSecurityManager> secManager = new InjectedValue<ServerSecurityManager>();
     private final InjectedValue<ResourceAdapterRepository> raRepository = new InjectedValue<ResourceAdapterRepository>();
+    private final InjectedValue<AuthenticationContext> authenticationContext = new InjectedValue<>();
+    private final InjectedValue<AuthenticationContext> recoveryAuthenticationContext = new InjectedValue<>();
 
 
     private final String dsName;
@@ -282,6 +285,14 @@ public Injector<ServerSecurityManager> getServerSecurityManager() {
         return secManager;
     }
 
+    Injector<AuthenticationContext> getAuthenticationContext() {
+        return authenticationContext;
+    }
+
+    Injector<AuthenticationContext> getRecoveryAuthenticationContext() {
+        return recoveryAuthenticationContext;
+    }
+
     protected String buildConfigPropsString(Map<String, String> configProps) {
         final StringBuffer valueBuf = new StringBuffer();
         for (Map.Entry<String, String> connProperty : configProps.entrySet()) {
@@ -440,7 +451,7 @@ protected org.jboss.jca.core.spi.security.SubjectFactory getSubjectFactory(
             final String securityDomain = credential.getSecurityDomain();
             if (((Credential) credential).isElytronEnabled()) {
                 try {
-                    return new ElytronSubjectFactory(new java.net.URI(this.dataSourceConfig.getConnectionUrl()));
+                    return new ElytronSubjectFactory(authenticationContext.getOptionalValue(), new java.net.URI(this.dataSourceConfig.getConnectionUrl()));
                 } catch (URISyntaxException e) {
                     throw ConnectorLogger.ROOT_LOGGER.cannotDeploy(e);
                 }

connector/src/main/java/org/jboss/as/connector/subsystems/datasources/DataSourceDefinition.java

@@ -49,6 +49,7 @@
 import java.util.List;
 import java.util.Map;
 
+import org.jboss.as.connector._private.Capabilities;
 import org.jboss.as.connector.logging.ConnectorLogger;
 import org.jboss.as.connector.subsystems.common.pool.PoolConfigurationRWHandler;
 import org.jboss.as.connector.subsystems.common.pool.PoolOperations;

connector/src/main/java/org/jboss/as/connector/subsystems/datasources/DataSourceRemove.java

@@ -27,6 +27,7 @@
 
 import javax.sql.DataSource;
 
+import org.jboss.as.connector._private.Capabilities;
 import org.jboss.as.controller.AbstractRemoveStepHandler;
 import org.jboss.as.controller.OperationContext;
 import org.jboss.as.controller.OperationFailedException;

connector/src/main/java/org/jboss/as/connector/subsystems/datasources/XaDataSourceDefinition.java

@@ -120,7 +120,7 @@ public void registerOperations(ManagementResourceRegistration resourceRegistrati
     @Override
     public void registerCapabilities(ManagementResourceRegistration resourceRegistration) {
         if (!deployed)
-            resourceRegistration.registerCapability(Capabilities.DATA_SOURCE_CAPABILITY);
+            resourceRegistration.registerCapability(org.jboss.as.connector._private.Capabilities.DATA_SOURCE_CAPABILITY);
     }
 
     @Override