From 11fd1d4fda24731bc6be5429fe626380923dee56 Mon Sep 17 00:00:00 2001
From: Stefan Guilhen
Date: Tue, 20 Jun 2017 12:53:43 -0300
Subject: [PATCH] [WFLY-8973] Added missing access constraints to the elytron integration resources and attributes in the legacy security subsystem.
---
 .../src/main/java/org/jboss/as/security/Constants.java | 1 +
 .../as/security/elytron/BasicResourceDefinition.java | 10 +++++++++-
 .../elytron/ElytronIntegrationResourceDefinitions.java | 3 +++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/security/subsystem/src/main/java/org/jboss/as/security/Constants.java b/security/subsystem/src/main/java/org/jboss/as/security/Constants.java
index c30c04b9fe27..53c2d4e920bb 100644
--- a/security/subsystem/src/main/java/org/jboss/as/security/Constants.java
+++ b/security/subsystem/src/main/java/org/jboss/as/security/Constants.java
@@ -129,4 +129,5 @@ public interface Constants {
 String ELYTRON_KEY_MANAGER = "elytron-key-manager";
 String ELYTRON_TRUST_MANAGER = "elytron-trust-manager";
 String LEGACY_JSSE_CONFIG = "legacy-jsse-config";
+ String ELYTRON_SECURITY = "elytron-security";
 }
diff --git a/security/subsystem/src/main/java/org/jboss/as/security/elytron/BasicResourceDefinition.java b/security/subsystem/src/main/java/org/jboss/as/security/elytron/BasicResourceDefinition.java
index bc9cb1c43e48..e5f51c2a3f16 100644
--- a/security/subsystem/src/main/java/org/jboss/as/security/elytron/BasicResourceDefinition.java
+++ b/security/subsystem/src/main/java/org/jboss/as/security/elytron/BasicResourceDefinition.java
@@ -22,10 +22,15 @@ import org.jboss.as.controller.RestartParentWriteAttributeHandler; import org.jboss.as.controller.ServiceRemoveStepHandler; import org.jboss.as.controller.SimpleResourceDefinition; +import org.jboss.as.controller.access.constraint.ApplicationTypeConfig; +import org.jboss.as.controller.access.constraint.SensitivityClassification; +import org.jboss.as.controller.access.management.ApplicationTypeAccessConstraintDefinition; +import org.jboss.as.controller.access.management.SensitiveTargetAccessConstraintDefinition; import org.jboss.as.controller.capability.RuntimeCapability; import org.jboss.as.controller.descriptions.ResourceDescriptionResolver; import org.jboss.as.controller.registry.ManagementResourceRegistration; import org.jboss.as.controller.registry.OperationEntry; +import org.jboss.as.security.Constants; import org.jboss.as.security.SecurityExtension; import org.jboss.msc.service.ServiceName; @@ -47,7 +52,10 @@ class BasicResourceDefinition extends SimpleResourceDefinition { .setRemoveHandler(new ServiceRemoveStepHandler(add, runtimeCapabilities)) .setAddRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) .setRemoveRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES) - .setCapabilities(runtimeCapabilities)); + .setCapabilities(runtimeCapabilities) + .addAccessConstraints(new SensitiveTargetAccessConstraintDefinition(new SensitivityClassification(SecurityExtension.SUBSYSTEM_NAME, Constants.ELYTRON_SECURITY, true, true, true)), + new ApplicationTypeAccessConstraintDefinition(new ApplicationTypeConfig(SecurityExtension.SUBSYSTEM_NAME, Constants.ELYTRON_SECURITY, false)))); + this.pathKey = pathKey; this.firstCapability = runtimeCapabilities[0]; diff --git a/security/subsystem/src/main/java/org/jboss/as/security/elytron/ElytronIntegrationResourceDefinitions.java b/security/subsystem/src/main/java/org/jboss/as/security/elytron/ElytronIntegrationResourceDefinitions.java index d9c736010296..d93a08ddbe92 100644 
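Review bot: In the hunk at -47,7 the two constraint definitions are built inline inside the `super(...)` call, and the three positional `true, true, true` arguments to `SensitivityClassification` give no hint that they are the access, read and write sensitivity defaults. Since these flags decide which management roles can address, read and modify the Elytron integration resources, I would hoist both definitions into named `private static final` constants on the class and put a one-line comment on the flags, e.g. `// sensitive by default for access, read and write`. That also avoids constructing a fresh pair of definitions for every `BasicResourceDefinition` instance. The patch touches only main sources (per the diffstat), so an RBAC test showing that a non-privileged role cannot read these resources would be a useful follow-up. The constructor starts and ends outside the hunk.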
--- a/security/subsystem/src/main/java/org/jboss/as/security/elytron/ElytronIntegrationResourceDefinitions.java
+++ b/security/subsystem/src/main/java/org/jboss/as/security/elytron/ElytronIntegrationResourceDefinitions.java
@@ -34,6 +34,7 @@
 import org.jboss.as.controller.ResourceDefinition;
 import org.jboss.as.controller.SimpleAttributeDefinition;
 import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.as.controller.access.management.SensitiveTargetAccessConstraintDefinition;
 import org.jboss.as.controller.operations.validation.StringLengthValidator;
 import org.jboss.as.controller.registry.AttributeAccess;
 import org.jboss.as.security.Constants;
@@ -60,6 +61,7 @@ public class ElytronIntegrationResourceDefinitions {
 .setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
 .setValidator(new StringLengthValidator(1))
 .setAllowExpression(false)
+ .setAccessConstraints(SensitiveTargetAccessConstraintDefinition.SECURITY_DOMAIN_REF)
 .build();
 public static final SimpleAttributeDefinition LEGACY_JSSE_CONFIG =
@@ -67,6 +69,7 @@ public class ElytronIntegrationResourceDefinitions {
 .setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
 .setValidator(new StringLengthValidator(1))
 .setAllowExpression(false)
+ .setAccessConstraints(SensitiveTargetAccessConstraintDefinition.SECURITY_DOMAIN_REF)
 .build();
 /**
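Review bot: Neither the hunk at -60,6 nor the one at -67,6 records why `SECURITY_DOMAIN_REF` is the right classification for the attribute it touches; for `LEGACY_JSSE_CONFIG` in particular the name does not suggest a security-domain reference. If the value does name a legacy security domain (my inference, not something the hunks show), a short comment above each builder such as `// holds the name of a legacy security domain, hence SECURITY_DOMAIN_REF` would make the choice checkable by the next reviewer. Both builder chains start outside their hunks, so the attribute names and any earlier builder calls are not visible here.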