diff --git a/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java b/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java
index b47af145d..146812274 100644
--- a/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java
+++ b/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java
@@ -28,6 +28,7 @@ public class LegacySecurityConfiguration {
     public static final String DEFAULT_ELYTRON_APPLICATION_DOMAIN_NAME = "migration-defaultApplicationDomain";
     public static final String DEFAULT_ELYTRON_APPLICATION_HTTP_AUTHENTICATION_FACTORY_NAME = "migration-defaultApplicationHttpAuthenticationFactory";
+    public static final String DEFAULT_ELYTRON_APPLICATION_SASL_AUTHENTICATION_FACTORY_NAME = "migration-defaultApplicationSaslAuthenticationFactory";
     private final JBossServerConfiguration targetConfiguration;
     private final Map legacySecurityRealms = new HashMap<>();
@@ -92,7 +93,7 @@ public String getDefaultElytronManagementHttpAuthenticationFactoryName() {
     }
     public String getDefaultElytronApplicationSaslAuthenticationFactoryName() {
-        return "migration-defaultApplicationSaslAuthenticationFactory";
+        return DEFAULT_ELYTRON_APPLICATION_SASL_AUTHENTICATION_FACTORY_NAME;
     }
     public String getDefaultElytronManagementSaslAuthenticationFactoryName() {
diff --git a/servers/wildfly27.0/src/main/java/org/jboss/migration/wfly/task/subsystem/keycloak/MigrateKeycloakSubsystem.java b/servers/wildfly27.0/src/main/java/org/jboss/migration/wfly/task/subsystem/keycloak/MigrateKeycloakSubsystem.java
index 23ba8fb5c..9cd0f0e72 100644
--- a/servers/wildfly27.0/src/main/java/org/jboss/migration/wfly/task/subsystem/keycloak/MigrateKeycloakSubsystem.java
+++ b/servers/wildfly27.0/src/main/java/org/jboss/migration/wfly/task/subsystem/keycloak/MigrateKeycloakSubsystem.java
@@ -33,6 +33,7 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.HTTP_AUTHENTICATION_FACTORY;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.MODULE;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.REALM;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SASL_AUTHENTICATION_FACTORY;
 import static org.jboss.as.domain.management.ModelDescriptionConstants.SECURITY_DOMAIN;
 import static org.jboss.migration.wfly.task.security.MigrateLegacySecurityDomainsToElytron.UpdateSubsystems.APPLICATION_SECURITY_DOMAIN;
@@ -53,11 +54,14 @@ protected static class MigrateKeycloakSubsystemSubtaskBuilder extends Migrate
         private static final String CONSTANT_REALM_MAPPER = "constant-realm-mapper";
         private static final String CUSTOM_REALM = "custom-realm";
         private static final String DEFAULT_MIGRATED_APPLICATION_HTTP_AUTHENTICATION_FACTORY = LegacySecurityConfiguration.DEFAULT_ELYTRON_APPLICATION_HTTP_AUTHENTICATION_FACTORY_NAME;
+        private static final String DEFAULT_MIGRATED_APPLICATION_SASL_AUTHENTICATION_FACTORY = LegacySecurityConfiguration.DEFAULT_ELYTRON_APPLICATION_SASL_AUTHENTICATION_FACTORY_NAME;
         private static final String DEFAULT_MIGRATED_APPLICATION_SECURITY_DOMAIN = LegacySecurityConfiguration.DEFAULT_ELYTRON_APPLICATION_DOMAIN_NAME;
+        private static final String HTTP_CONNECTOR = "http-connector";
         private static final String REALM_NAME = "realm-name";
         private static final String REALMS = "realms";
         private static final String SERVICE_LOADER_HTTP_SERVER_MECHANISM = "service-loader-http-server-mechanism-factory";
+
         public MigrateKeycloakSubsystemSubtaskBuilder() {
             super(JBossSubsystemNames.KEYCLOAK);
         }
@@ -164,6 +168,9 @@ protected void removeKeycloakSecurityDomain(String keycloakRealmName, SubsystemR
             // remove http authentication factory bounded to the keycloak security domain if any
             removeKeycloakHttpAuthenticationFactory(securityDomainName, keycloakSubsystemResource, elytronSubsystemConfig, elytronSubsystemAddress, compositeOperationBuilder);
+            // remove sasl authentication factory bounded to the keycloak security domain if any
+            removeKeycloakSaslAuthenticationFactory(securityDomainName, keycloakSubsystemResource, elytronSubsystemConfig, elytronSubsystemAddress, compositeOperationBuilder);
+
             // update ejb3's application security domain based by keycloak if any and point it to another one
             updateKeycloakEJB3ApplicationSecurityDomain(securityDomainName, keycloakSubsystemResource, compositeOperationBuilder);
@@ -189,6 +196,43 @@ protected void removeKeycloakHttpAuthenticationFactory(String keycloakSecurityDo
                    });
         }
+        protected void removeKeycloakSaslAuthenticationFactory(String keycloakSecurityDomainName, SubsystemResource keycloakSubsystemResource, ModelNode elytronSubsystemConfig, PathAddress elytronSubsystemAddress, Operations.CompositeOperationBuilder compositeOperationBuilder) {
+            // look for any http authentication factory configured to the given keycloak security domain
+            elytronSubsystemConfig.get(SASL_AUTHENTICATION_FACTORY).asPropertyListOrEmpty()
+                    .stream()
+                    .filter(p -> p.getValue().hasDefined(SECURITY_DOMAIN))
+                    .filter(p -> p.getValue().get(SECURITY_DOMAIN).asString().equals(keycloakSecurityDomainName))
+                    .forEach(p -> {
+                        final String saslAuthenticationFactoryName = p.getName();
+                        // update Remoting's http connector based by keycloak if any and point it to the default sasl authentication factory
+                        updateKeycloakRemotingHttpConnectorSaslAuthenticationFactory(saslAuthenticationFactoryName, keycloakSubsystemResource, compositeOperationBuilder);
+
+                        // remove the keycloak sasl authentication factory
+                        compositeOperationBuilder.addStep(Util.createRemoveOperation(elytronSubsystemAddress.append(SASL_AUTHENTICATION_FACTORY, saslAuthenticationFactoryName)));
+                    });
+        }
+
+        protected void updateKeycloakRemotingHttpConnectorSaslAuthenticationFactory(String keycloakSaslAuthenticationFactoryName, SubsystemResource keycloakSubsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder) {
+            final SubsystemResource remotingSubsystemResource = keycloakSubsystemResource.getParentResource().getSubsystemResource(JBossSubsystemNames.REMOTING);
+            final ModelNode remotingSubsystemConfig = remotingSubsystemResource.getResourceConfiguration();
+            final PathAddress remotingSubsystemAddress = remotingSubsystemResource.getResourcePathAddress();
+            // look for any Remoting's http-connector configured to the given keycloak sasl authentication factory
+            remotingSubsystemConfig.get(HTTP_CONNECTOR).asPropertyListOrEmpty()
+                    .stream()
+                    .filter(p -> p.getValue().hasDefined(SASL_AUTHENTICATION_FACTORY))
+                    .filter(p -> p.getValue().get(SASL_AUTHENTICATION_FACTORY).asString().equals(keycloakSaslAuthenticationFactoryName))
+                    .forEach(p -> {
+                        final String httpConnectorName = p.getName();
+                        // update Remoting http connector's sasl authentication factory to the migrated default one
+                        ModelNode updateOp = Util.getWriteAttributeOperation(
+                                remotingSubsystemAddress.append(HTTP_CONNECTOR, httpConnectorName),
+                                SASL_AUTHENTICATION_FACTORY,
+                                DEFAULT_MIGRATED_APPLICATION_SASL_AUTHENTICATION_FACTORY);
+                        //FIXME check if there is any such migrated factory
+                        compositeOperationBuilder.addStep(updateOp);
+                    });
+        }
+
         protected void updateKeycloakUndertowApplicationSecurityDomain(String keycloakHttpAuthenticationFactoryName, SubsystemResource keycloakSubsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder) {
             final SubsystemResource undertowSubsystemResource = keycloakSubsystemResource.getParentResource().getSubsystemResource(JBossSubsystemNames.UNDERTOW);
             final ModelNode undertowSubsystemConfig = undertowSubsystemResource.getResourceConfiguration();
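Review bot: `updateKeycloakRemotingHttpConnectorSaslAuthenticationFactory` writes `sasl-authentication-factory=migration-defaultApplicationSaslAuthenticationFactory` onto every matching http-connector without confirming that factory exists in the Elytron config, which the `//FIXME` just before `compositeOperationBuilder.addStep(updateOp)` already admits; the caller `removeKeycloakSaslAuthenticationFactory` has `elytronSubsystemConfig` in hand, so pass it down and check `hasDefined(SASL_AUTHENTICATION_FACTORY, DEFAULT_MIGRATED_APPLICATION_SASL_AUTHENTICATION_FACTORY)` before queueing the write, failing the migration (with the tool's usual failure type, or `IllegalStateException` if there is none) instead of leaving the connector referencing a missing capability. Repointing the connector also changes which realm authenticates remote callers on it, from the Keycloak-backed factory to whatever the migrated default domain uses, which is not visible in this hunk, so the step should emit a warning naming the connector because it is an authentication-boundary change an operator should review. If `getSubsystemResource(JBossSubsystemNames.REMOTING)` can return null when the remoting subsystem is absent (I cannot tell from here), the following `.getResourceConfiguration()` call throws NPE on such configurations, so an early return is worth adding too. Finally, the first comment in `removeKeycloakSaslAuthenticationFactory` is a copy-paste leftover and should read `// look for any sasl authentication factory configured to the given keycloak security domain`.
```java
// caller in removeKeycloakSaslAuthenticationFactory: pass elytronSubsystemConfig as the third argument
updateKeycloakRemotingHttpConnectorSaslAuthenticationFactory(saslAuthenticationFactoryName, keycloakSubsystemResource, elytronSubsystemConfig, compositeOperationBuilder);
// … unchanged: remove step for the keycloak sasl authentication factory …

protected void updateKeycloakRemotingHttpConnectorSaslAuthenticationFactory(String keycloakSaslAuthenticationFactoryName, SubsystemResource keycloakSubsystemResource, ModelNode elytronSubsystemConfig, Operations.CompositeOperationBuilder compositeOperationBuilder) {
    final SubsystemResource remotingSubsystemResource = keycloakSubsystemResource.getParentResource().getSubsystemResource(JBossSubsystemNames.REMOTING);
    if (remotingSubsystemResource == null) {
        return; // no remoting subsystem, so no http-connector can reference the keycloak factory
    }
    // the replacement factory must exist, otherwise the connector would end up referencing a missing capability
    if (!elytronSubsystemConfig.hasDefined(SASL_AUTHENTICATION_FACTORY, DEFAULT_MIGRATED_APPLICATION_SASL_AUTHENTICATION_FACTORY)) {
        throw new IllegalStateException("remoting http-connector references keycloak sasl-authentication-factory " + keycloakSaslAuthenticationFactoryName
                + " but the migrated default " + DEFAULT_MIGRATED_APPLICATION_SASL_AUTHENTICATION_FACTORY + " is not defined in the elytron subsystem");
    }
    // … unchanged: remotingSubsystemConfig/remotingSubsystemAddress lookup, http-connector stream and write-attribute step (FIXME removed) …
}
```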