New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WFLY-7808] Security subsystem, audit provider-module lacks "module" #9517
Conversation
I have not looked in detail yet, but this needs a management version bump and transformers |
@@ -54,7 +54,7 @@ public void registerAttributes(final ManagementResourceRegistration resourceRegi | |||
@Override | |||
public void registerChildren(ManagementResourceRegistration resourceRegistration) { | |||
super.registerChildren(resourceRegistration); | |||
resourceRegistration.registerSubModel(new MappingProviderModuleDefinition(Constants.PROVIDER_MODULE)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happened to MappingProviderResourceDefinition? From what I see this is the only place it is used but unless github is not showing correctly it has not been removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happened to MappingProviderResourceDefinition? From what I see this is the only place it is used but unless github is not showing correctly it has not been removed.
Good point. I thought, MappingProviderResourceDefinition
was still a parrent for some subclass, but now I see I mixed up MappingProviderResourceDefinition
with MappingModuleDefinition
. Let me have a look if the removal of MappingProviderResourceDefinition
is the best option.
@kabir, let me have look into it. |
Sorry, @ppalaga I got the versions wrong. The management version has been bumped already, but transformers are still needed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the whole point of this change? aren't we doing all new security stuff in elytron, security subsystem is legacy and as such shouldn't get any new functionality, let alone breaking existing.
@@ -328,6 +328,7 @@ private ModelNode getNoTextValueTypeDescription(final ModelNode parent) { | |||
static { | |||
final ParametersValidator delegate = new ParametersValidator(); | |||
delegate.registerValidator(CODE, new StringLengthValidator(1)); | |||
delegate.registerValidator(Constants.MODULE, new StringLengthValidator(1, true)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why? Whole LegacySupport class is there to provide backward compatibility for older version of the security subsystem
new stuff doesn't need that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, let me revert my changes in LegacySupport
. Obviously, my intention was to add the handling of the module
attribute everywhere where login module had it.
@@ -257,12 +257,12 @@ private boolean processAudit(OperationContext context, String securityDomain, Mo | |||
AuditInfo auditInfo = new AuditInfo(securityDomain); | |||
for (Property moduleProperty : node.asPropertyList()) { | |||
ModelNode module = moduleProperty.getValue(); | |||
String codeName = LoginModuleResourceDefinition.CODE.resolveModelAttribute(context, module).asString(); | |||
String codeName = ProviderModuleResourceDefinition.CODE.resolveModelAttribute(context, module).asString(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where does this make sense?
ProviderModuleResourceDefintion is never added? where are parsers? where are tests for that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ProviderModuleResourceDefinition.CODE
is the same instance as LoginModuleResourceDefinition.CODE
- see cccccda#diff-2ebc701847b6432addeb88287a919a21R40 . Hence the line 260 would work well also unchanged. I changed it so that the people that come after me do not need to wonder why audit is referring to login module, even if there is no direct relationship between audit and login module in the management model.
@ctomc strictly speaking, this is not a new functionality. It is rather an exposure of a functionality that was available internally (parser, writer, classloading - all is there) and in the XSD, but was forgotten (my understanding) to be exposed in the management model. |
Is there anything else missing? - Maybe some kind of test? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The subsystem test should be improved to include name and the new module attribute in securitysubsystemv30.xml. That way we see that it parses and marshalls the attribute correctly. Once that is done, SecurityDomainModelv30UnitTestCase should take care of that automatically.
Once you have done that I think the existing transformer test in SecurityDomainModelv30UnitTestCase will break, if not you have a bug :)
Then adjust the transformer tests in SecurityDomainModelv30UnitTestCase to provide a version for transformation to 7.0.0 (currently it only does 6.4.0)
@@ -74,5 +77,9 @@ protected void updateModel(OperationContext context, ModelNode operation) throws | |||
} | |||
} | |||
|
|||
static void registerTransformers_1_3_0(ResourceTransformationDescriptionBuilder parentBuilder) { | |||
ResourceTransformationDescriptionBuilder builder = parentBuilder.addChildResource(PATH_AUDIT); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'd just use PATH_AUDIT_CLASSIC if that works?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, worked
@@ -39,6 +41,7 @@ | |||
static final ListAttributeDefinition PROVIDER_MODULES = new LegacySupport.ProviderModulesAttributeDefinition(Constants.PROVIDER_MODULES, Constants.PROVIDER_MODULE); | |||
private static final OperationStepHandler LEGACY_ADD_HANDLER = new LegacySupport.LegacyModulesConverter(Constants.PROVIDER_MODULE, PROVIDER_MODULES); | |||
|
|||
protected static final PathElement PATH_AUDIT = PathElement.pathElement(Constants.AUDIT); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably not needed, see below
final String defaultModuleName = ModuleName.PICKETBOX.getName(); | ||
ResourceTransformationDescriptionBuilder builder = parentBuilder.addChildResource(PATH_PROVIDER_MODULE); | ||
builder.getAttributeBuilder() | ||
.setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(false, false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pass in true for the second param (discardUndefined), and remove the undefined model node from the values
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for telling me about that trick!
builder.getAttributeBuilder() | ||
.setDiscard(new DiscardAttributeChecker.DiscardAttributeValueChecker(false, false, | ||
new ModelNode(/* undefined */), new ModelNode(defaultModuleName)), MODULE) | ||
.addRejectCheck(new RejectAttributeChecker.DefaultRejectAttributeChecker() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it has been discarded because it was undefined or default, then I think here it should be enough to just use RejectAttributeChecker.DEFINED? Unless I am missing something, or you really really want the extra log message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should be enough to just use RejectAttributeChecker.DEFINED? Unless I am missing something, or you really really want the extra log message.
Yes, I like your proposal. It is simpler and the only diff is the log message. Let me try it.
@kabir f1c8608 replaces the previous iteration. I hope I addressed all I was supposed to:
I have added a new security-domain with a custom audit provider module to securitysubsystemv30.xml and I have adjusted the SecurityDomainModelv30UnitTestCase to check for the rejection.
I needed both to add the check for the rejection in SecurityDomainModelv30UnitTestCase and fix the path where the transformer hangs (the security-domain part was missing).
Done. Required a jboss-as-security vs. wildfly-security distinction depending on the controllerVersion - which is certainly nothing unexpected. I am not 100% sure if |
Looks like I should check the failing tests. |
In 6ea2b9e , I improved the @kabir is this good to merge now? |
@ppalaga I think it looks good now. Ping me once it has been backported |
https://github.com/jbossas/jboss-eap7/pull/1268 Thanks for guiding me through this! |
attribute
https://issues.jboss.org/browse/WFLY-7808
Related downstream issues: