
Example 6 with CredentialSource

use of org.wildfly.security.credential.source.CredentialSource in project wildfly-elytron by wildfly-security.

The class VaultCredentialStore, method initialize:

public void initialize(final Map<String, String> attributes, final CredentialStore.ProtectionParameter protectionParameter, Provider[] providers) throws CredentialStoreException {
    // The vault can only be unlocked through a CredentialSource-backed protection parameter;
    // any other kind is rejected before anything is read from disk.
    if (!(protectionParameter instanceof CredentialStore.CredentialSourceProtectionParameter)) {
        throw log.invalidProtectionParameter(protectionParameter);
    }
    final CredentialSource credentialSource = ((CredentialStore.CredentialSourceProtectionParameter) protectionParameter).getCredentialSource();
    final SecretKey secretKey;
    try {
        // Ask the source for an AES SecretKeyCredential; its key becomes the vault's admin key.
        secretKey = credentialSource.applyToCredential(SecretKeyCredential.class, "AES", SecretKeyCredential::getSecretKey);
    } catch (IOException e) {
        throw log.cannotAcquireCredentialFromStore(e);
    }
    // A source that yields no key is treated the same as a failure to read the store.
    if (secretKey == null) {
        throw log.cannotAcquireCredentialFromStore(null);
    }
    validateAttribute(attributes, validAttribtues);
    final String location = attributes.get(LOCATION);
    if (location != null) {
        final File locationFile = new File(location, "VAULT.dat");
        if (locationFile.exists()) {
            // try and load it: VAULT.dat is serialized SecurityVaultData, read through the
            // vault's own ObjectInputStream subclass rather than a plain ObjectInputStream
            SecurityVaultData data;
            try (final FileInputStream is = new FileInputStream(locationFile)) {
                try (final VaultObjectInputStream ois = new VaultObjectInputStream(is)) {
                    data = (SecurityVaultData) ois.readObject();
                }
            } catch (ClassNotFoundException | IOException e) {
                throw log.cannotAcquireCredentialFromStore(e);
            }
            if (data != null) {
                // replace the in-memory vault contents atomically with respect to other readers
                synchronized (this.data) {
                    this.data.clear();
                    this.data.putAll(data.getVaultData());
                }
            }
            this.location = locationFile;
            // the store is writable only when the backing file is
            this.modifiable = locationFile.canWrite();
        }
    }
    this.adminKey = secretKey;
}
Also used : SecretKey(javax.crypto.SecretKey) IOException(java.io.IOException) File(java.io.File) FileInputStream(java.io.FileInputStream) CredentialSource(org.wildfly.security.credential.source.CredentialSource) SecretKeyCredential(org.wildfly.security.credential.SecretKeyCredential)

Example 7 with CredentialSource

use of org.wildfly.security.credential.source.CredentialSource in project wildfly-elytron by wildfly-security.

The class ElytronFilePasswordProvider, method getPassword:

@Override
public String getPassword(SessionContext session, NamedResource resourceKey, int retryIndex) throws IOException {
    char[] password = null;
    if (credentialSourceSupplier != null) {
        // Resolve the CredentialSource lazily; the supplier may be parsing client configuration XML.
        CredentialSource credentialSource = null;
        try {
            credentialSource = credentialSourceSupplier.get();
        } catch (XMLStreamException e) {
            throw log.xmlFailedToCreateCredential(e);
        }
        // Only a clear-text PasswordCredential is usable here; any other password type yields null.
        password = credentialSource.applyToCredential(PasswordCredential.class, c -> c.getPassword().castAndApply(ClearPassword.class, ClearPassword::getPassword));
    } else if (credential != null) {
        // Same extraction when a Credential was supplied directly instead of a source.
        password = credential.castAndApply(PasswordCredential.class, c -> c.getPassword().castAndApply(ClearPassword.class, ClearPassword::getPassword));
    }
    if (password == null) {
        throw log.xmlFailedToCreateCredential(new NullPointerException());
    }
    // The sshd FilePasswordProvider contract returns a String, so the char[] is copied into an immutable String here.
    return new String(password);
}
Also used : NamedResource(org.apache.sshd.common.NamedResource) XMLStreamException(javax.xml.stream.XMLStreamException) FilePasswordProvider(org.apache.sshd.common.config.keys.FilePasswordProvider) PasswordCredential(org.wildfly.security.credential.PasswordCredential) ClearPassword(org.wildfly.security.password.interfaces.ClearPassword) IOException(java.io.IOException) SessionContext(org.apache.sshd.common.session.SessionContext) Credential(org.wildfly.security.credential.Credential) CredentialSource(org.wildfly.security.credential.source.CredentialSource) ElytronMessages.log(org.wildfly.security.auth.util.ElytronMessages.log) ExceptionSupplier(org.wildfly.common.function.ExceptionSupplier) ClearPassword(org.wildfly.security.password.interfaces.ClearPassword) XMLStreamException(javax.xml.stream.XMLStreamException) PasswordCredential(org.wildfly.security.credential.PasswordCredential) CredentialSource(org.wildfly.security.credential.source.CredentialSource)

Example 8 with CredentialSource

use of org.wildfly.security.credential.source.CredentialSource in project infinispan by infinispan.

The class ServerSecurityRealm, method applyServerCredentials:

public void applyServerCredentials(MechanismConfiguration.Builder mechConfigurationBuilder, String serverPrincipal) {
    if (serverPrincipal != null) {
        CredentialSource credentialSource = serverIdentities.getCredentialSource(serverPrincipal);
        mechConfigurationBuilder.setServerCredentialSource(credentialSource);
    }
}
Also used : CredentialSource(org.wildfly.security.credential.source.CredentialSource)

Example 9 with CredentialSource

use of org.wildfly.security.credential.source.CredentialSource in project wildfly by wildfly.

The class AbstractDataSourceAdd, method secondRuntimeStep:

static void secondRuntimeStep(OperationContext context, ModelNode operation, ManagementResourceRegistration datasourceRegistration, ModelNode model, boolean isXa) throws OperationFailedException {
    final ServiceTarget serviceTarget = context.getServiceTarget();
    final ModelNode address = operation.require(OP_ADDR);
    final String dsName = PathAddress.pathAddress(address).getLastElement().getValue();
    final String jndiName = JNDI_NAME.resolveModelAttribute(context, model).asString();
    final ServiceRegistry registry = context.getServiceRegistry(true);
    final List<ServiceName> serviceNames = registry.getServiceNames();
    final boolean elytronEnabled = ELYTRON_ENABLED.resolveModelAttribute(context, model).asBoolean();
    final ServiceName dataSourceServiceName = context.getCapabilityServiceName(Capabilities.DATA_SOURCE_CAPABILITY_NAME, dsName, DataSource.class);
    final ServiceController<?> dataSourceController = registry.getService(dataSourceServiceName);
    final ExceptionSupplier<CredentialSource, Exception> credentialSourceExceptionExceptionSupplier = dataSourceController.getService() instanceof AbstractDataSourceService ? ((AbstractDataSourceService) dataSourceController.getService()).getCredentialSourceSupplierInjector().getOptionalValue() : null;
    final ExceptionSupplier<CredentialSource, Exception> recoveryCredentialSourceExceptionExceptionSupplier = dataSourceController.getService() instanceof AbstractDataSourceService ? ((AbstractDataSourceService) dataSourceController.getService()).getRecoveryCredentialSourceSupplierInjector().getOptionalValue() : null;
    final boolean jta;
    if (isXa) {
        jta = true;
        final ModifiableXaDataSource dataSourceConfig;
        try {
            dataSourceConfig = xaFrom(context, model, dsName, credentialSourceExceptionExceptionSupplier, recoveryCredentialSourceExceptionExceptionSupplier);
        } catch (ValidateException e) {
            throw new OperationFailedException(ConnectorLogger.ROOT_LOGGER.failedToCreate("XaDataSource", operation, e.getLocalizedMessage()));
        }
        final ServiceName xaDataSourceConfigServiceName = XADataSourceConfigService.SERVICE_NAME_BASE.append(dsName);
        final XADataSourceConfigService xaDataSourceConfigService = new XADataSourceConfigService(dataSourceConfig);
        final ServiceBuilder<?> builder = serviceTarget.addService(xaDataSourceConfigServiceName, xaDataSourceConfigService);
        // add dependency on security domain service if applicable
        final DsSecurity dsSecurityConfig = dataSourceConfig.getSecurity();
        if (dsSecurityConfig != null) {
            final String securityDomainName = dsSecurityConfig.getSecurityDomain();
            if (!elytronEnabled && securityDomainName != null) {
                builder.requires(SECURITY_DOMAIN_SERVICE.append(securityDomainName));
            }
        }
        // add dependency on security domain service if applicable for recovery config
        if (dataSourceConfig.getRecovery() != null) {
            final Credential credential = dataSourceConfig.getRecovery().getCredential();
            if (credential != null) {
                final String securityDomainName = credential.getSecurityDomain();
                if (!RECOVERY_ELYTRON_ENABLED.resolveModelAttribute(context, model).asBoolean() && securityDomainName != null) {
                    builder.requires(SECURITY_DOMAIN_SERVICE.append(securityDomainName));
                }
            }
        }
        int propertiesCount = 0;
        for (ServiceName name : serviceNames) {
            if (xaDataSourceConfigServiceName.append("xa-datasource-properties").isParentOf(name)) {
                final ServiceController<?> xaConfigPropertyController = registry.getService(name);
                XaDataSourcePropertiesService xaPropService = (XaDataSourcePropertiesService) xaConfigPropertyController.getService();
                if (!ServiceController.State.UP.equals(xaConfigPropertyController.getState())) {
                    propertiesCount++;
                    xaConfigPropertyController.setMode(ServiceController.Mode.ACTIVE);
                    builder.addDependency(name, String.class, xaDataSourceConfigService.getXaDataSourcePropertyInjector(xaPropService.getName()));
                } else {
                    throw new OperationFailedException(ConnectorLogger.ROOT_LOGGER.serviceAlreadyStarted("Data-source.xa-config-property", name));
                }
            }
        }
        if (propertiesCount == 0) {
            throw ConnectorLogger.ROOT_LOGGER.xaDataSourcePropertiesNotPresent();
        }
        builder.install();
    } else {
        final ModifiableDataSource dataSourceConfig;
        try {
            dataSourceConfig = from(context, model, dsName, credentialSourceExceptionExceptionSupplier);
        } catch (ValidateException e) {
            throw new OperationFailedException(ConnectorLogger.ROOT_LOGGER.failedToCreate("DataSource", operation, e.getLocalizedMessage()));
        }
        jta = dataSourceConfig.isJTA();
        final ServiceName dataSourceCongServiceName = DataSourceConfigService.SERVICE_NAME_BASE.append(dsName);
        final DataSourceConfigService configService = new DataSourceConfigService(dataSourceConfig);
        final ServiceBuilder<?> builder = serviceTarget.addService(dataSourceCongServiceName, configService);
        // add dependency on security domain service if applicable
        final DsSecurity dsSecurityConfig = dataSourceConfig.getSecurity();
        if (dsSecurityConfig != null) {
            final String securityDomainName = dsSecurityConfig.getSecurityDomain();
            if (!elytronEnabled && securityDomainName != null) {
                builder.requires(SECURITY_DOMAIN_SERVICE.append(securityDomainName));
            }
        }
        for (ServiceName name : serviceNames) {
            if (dataSourceCongServiceName.append("connection-properties").isParentOf(name)) {
                final ServiceController<?> connPropServiceController = registry.getService(name);
                ConnectionPropertiesService connPropService = (ConnectionPropertiesService) connPropServiceController.getService();
                if (!ServiceController.State.UP.equals(connPropServiceController.getState())) {
                    connPropServiceController.setMode(ServiceController.Mode.ACTIVE);
                    builder.addDependency(name, String.class, configService.getConnectionPropertyInjector(connPropService.getName()));
                } else {
                    throw new OperationFailedException(ConnectorLogger.ROOT_LOGGER.serviceAlreadyStarted("Data-source.connectionProperty", name));
                }
            }
        }
        builder.install();
    }
    final ServiceName dataSourceServiceNameAlias = AbstractDataSourceService.SERVICE_NAME_BASE.append(jndiName).append(Constants.STATISTICS);
    if (dataSourceController != null) {
        if (!ServiceController.State.UP.equals(dataSourceController.getState())) {
            final boolean statsEnabled = STATISTICS_ENABLED.resolveModelAttribute(context, model).asBoolean();
            DataSourceStatisticsService statsService = new DataSourceStatisticsService(datasourceRegistration, statsEnabled);
            final ServiceBuilder statsServiceSB = serviceTarget.addService(dataSourceServiceName.append(Constants.STATISTICS), statsService);
            statsServiceSB.addAliases(dataSourceServiceNameAlias);
            statsServiceSB.requires(dataSourceServiceName);
            statsServiceSB.addDependency(CommonDeploymentService.getServiceName(ContextNames.bindInfoFor(jndiName)), CommonDeployment.class, statsService.getCommonDeploymentInjector());
            statsServiceSB.setInitialMode(ServiceController.Mode.PASSIVE);
            statsServiceSB.install();
            dataSourceController.setMode(ServiceController.Mode.ACTIVE);
        } else {
            throw new OperationFailedException(ConnectorLogger.ROOT_LOGGER.serviceAlreadyStarted("Data-source", dsName));
        }
    } else {
        throw new OperationFailedException(ConnectorLogger.ROOT_LOGGER.serviceNotAvailable("Data-source", dsName));
    }
    final DataSourceReferenceFactoryService referenceFactoryService = new DataSourceReferenceFactoryService();
    final ServiceName referenceFactoryServiceName = DataSourceReferenceFactoryService.SERVICE_NAME_BASE.append(dsName);
    final ServiceBuilder<?> referenceBuilder = serviceTarget.addService(referenceFactoryServiceName, referenceFactoryService).addDependency(dataSourceServiceName, DataSource.class, referenceFactoryService.getDataSourceInjector());
    referenceBuilder.install();
    final ContextNames.BindInfo bindInfo = ContextNames.bindInfoFor(jndiName);
    final BinderService binderService = new BinderService(bindInfo.getBindName());
    final ServiceBuilder<?> binderBuilder = serviceTarget.addService(bindInfo.getBinderServiceName(), binderService).addDependency(referenceFactoryServiceName, ManagedReferenceFactory.class, binderService.getManagedObjectInjector()).addDependency(bindInfo.getParentContextServiceName(), ServiceBasedNamingStore.class, binderService.getNamingStoreInjector()).addListener(new LifecycleListener() {

        private volatile boolean bound;

        public void handleEvent(final ServiceController<? extends Object> controller, final LifecycleEvent event) {
            switch(event) {
                case UP:
                    {
                        if (jta) {
                            SUBSYSTEM_DATASOURCES_LOGGER.boundDataSource(jndiName);
                        } else {
                            SUBSYSTEM_DATASOURCES_LOGGER.boundNonJTADataSource(jndiName);
                        }
                        bound = true;
                        break;
                    }
                case DOWN:
                    {
                        if (bound) {
                            if (jta) {
                                SUBSYSTEM_DATASOURCES_LOGGER.unboundDataSource(jndiName);
                            } else {
                                SUBSYSTEM_DATASOURCES_LOGGER.unBoundNonJTADataSource(jndiName);
                            }
                        }
                        break;
                    }
                case REMOVED:
                    {
                        SUBSYSTEM_DATASOURCES_LOGGER.debugf("Removed JDBC Data-source [%s]", jndiName);
                        break;
                    }
            }
        }
    });
    binderBuilder.setInitialMode(ServiceController.Mode.ACTIVE);
    binderBuilder.install();
}
Also used : ValidateException(org.jboss.jca.common.api.validator.ValidateException) DataSourceStatisticsService(org.jboss.as.connector.services.datasources.statistics.DataSourceStatisticsService) LifecycleListener(org.jboss.msc.service.LifecycleListener) ServiceBuilder(org.jboss.msc.service.ServiceBuilder) BinderService(org.jboss.as.naming.service.BinderService) LifecycleEvent(org.jboss.msc.service.LifecycleEvent) CredentialSource(org.wildfly.security.credential.source.CredentialSource) ContextNames(org.jboss.as.naming.deployment.ContextNames) Credential(org.jboss.jca.common.api.metadata.common.Credential) DsSecurity(org.jboss.jca.common.api.metadata.ds.DsSecurity) ServiceTarget(org.jboss.msc.service.ServiceTarget) OperationFailedException(org.jboss.as.controller.OperationFailedException) OperationFailedException(org.jboss.as.controller.OperationFailedException) ValidateException(org.jboss.jca.common.api.validator.ValidateException) ServiceName(org.jboss.msc.service.ServiceName) ServiceBasedNamingStore(org.jboss.as.naming.ServiceBasedNamingStore) ServiceRegistry(org.jboss.msc.service.ServiceRegistry) ModelNode(org.jboss.dmr.ModelNode)

Example 10 with CredentialSource

use of org.wildfly.security.credential.source.CredentialSource in project wildfly by wildfly.

The class SingleSignOnSessionFactoryServiceConfigurator, method get:

@Override
public SingleSignOnSessionFactory get() {
    KeyStore store = this.keyStore.get();
    String alias = this.keyAlias;
    CredentialSource source = this.credentialSource.get();
    try {
        // The configured alias must exist and must be a private-key entry, not a trusted certificate or secret key.
        if (!store.containsAlias(alias)) {
            throw UndertowLogger.ROOT_LOGGER.missingKeyStoreEntry(alias);
        }
        if (!store.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            throw UndertowLogger.ROOT_LOGGER.keyStoreEntryNotPrivate(alias);
        }
        // The entry password comes from the CredentialSource and must be a clear-text password.
        PasswordCredential credential = source.getCredential(PasswordCredential.class);
        if (credential == null) {
            throw UndertowLogger.ROOT_LOGGER.missingCredential(source.toString());
        }
        ClearPassword password = credential.getPassword(ClearPassword.class);
        if (password == null) {
            throw UndertowLogger.ROOT_LOGGER.credentialNotClearPassword(credential.toString());
        }
        // Unlock the private key with that password and pair it with the entry's certificate public key.
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) store.getEntry(alias, new KeyStore.PasswordProtection(password.getPassword()));
        KeyPair keyPair = new KeyPair(entry.getCertificate().getPublicKey(), entry.getPrivateKey());
        // An SSLContext is optional; when present it is applied to outbound SSO connections.
        Optional<SSLContext> context = Optional.ofNullable(this.sslContext).map(dependency -> dependency.get());
        return new DefaultSingleSignOnSessionFactory(this.manager.get(), keyPair, connection -> context.ifPresent(ctx -> connection.setSSLSocketFactory(ctx.getSocketFactory())));
    } catch (GeneralSecurityException | IOException e) {
        throw new IllegalArgumentException(e);
    }
}
Also used : ClearPassword(org.wildfly.security.password.interfaces.ClearPassword) KEY_ALIAS(org.wildfly.extension.undertow.ApplicationSecurityDomainSingleSignOnDefinition.Attribute.KEY_ALIAS) KeyPair(java.security.KeyPair) SSLContext(javax.net.ssl.SSLContext) FunctionalService(org.wildfly.clustering.service.FunctionalService) CredentialSource(org.wildfly.security.credential.source.CredentialSource) Function(java.util.function.Function) Supplier(java.util.function.Supplier) CREDENTIAL(org.wildfly.extension.undertow.ApplicationSecurityDomainSingleSignOnDefinition.Attribute.CREDENTIAL) OperationContext(org.jboss.as.controller.OperationContext) CompositeDependency(org.wildfly.clustering.service.CompositeDependency) DefaultSingleSignOnSessionFactory(org.wildfly.security.http.util.sso.DefaultSingleSignOnSessionFactory) GeneralSecurityException(java.security.GeneralSecurityException) CredentialSourceDependency(org.jboss.as.clustering.controller.CredentialSourceDependency) ServiceConfigurator(org.wildfly.clustering.service.ServiceConfigurator) PasswordCredential(org.wildfly.security.credential.PasswordCredential) ServiceTarget(org.jboss.msc.service.ServiceTarget) SupplierDependency(org.wildfly.clustering.service.SupplierDependency) UndertowLogger(org.wildfly.extension.undertow.logging.UndertowLogger) SingleSignOnSessionFactory(org.wildfly.security.http.util.sso.SingleSignOnSessionFactory) CommonUnaryRequirement(org.jboss.as.clustering.controller.CommonUnaryRequirement) ServiceBuilder(org.jboss.msc.service.ServiceBuilder) IOException(java.io.IOException) KeyStore(java.security.KeyStore) Service(org.jboss.msc.Service) SSL_CONTEXT(org.wildfly.extension.undertow.ApplicationSecurityDomainSingleSignOnDefinition.Attribute.SSL_CONTEXT) ServiceSupplierDependency(org.wildfly.clustering.service.ServiceSupplierDependency) KEY_STORE(org.wildfly.extension.undertow.ApplicationSecurityDomainSingleSignOnDefinition.Attribute.KEY_STORE) Consumer(java.util.function.Consumer) ResourceServiceConfigurator(org.jboss.as.clustering.controller.ResourceServiceConfigurator) OperationFailedException(org.jboss.as.controller.OperationFailedException) SingleSignOnManager(org.wildfly.security.http.util.sso.SingleSignOnManager) Optional(java.util.Optional) ModelNode(org.jboss.dmr.ModelNode)
