From 8693aaa4ce38ba2917f521c06e13c9f1f18de3e5 Mon Sep 17 00:00:00 2001
From: Ivo Studensky
Date: Thu, 21 Nov 2024 14:57:33 +0100
Subject: [PATCH] [CMTOOL-380] remove migration- suffix out of security configuration items and use default names instead
---
 .../security/LegacySecurityConfiguration.java | 22 +--
 .../MigrateLegacySecurityRealmsToElytron.java | 165 ++++++++++--------
 2 files changed, 108 insertions(+), 79 deletions(-)
diff --git a/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java b/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java
index 14681227..436b9e90 100644
--- a/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java
+++ b/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/LegacySecurityConfiguration.java
@@ -26,9 +26,9 @@ public class LegacySecurityConfiguration {
- public static final String DEFAULT_ELYTRON_APPLICATION_DOMAIN_NAME = "migration-defaultApplicationDomain";
- public static final String DEFAULT_ELYTRON_APPLICATION_HTTP_AUTHENTICATION_FACTORY_NAME = "migration-defaultApplicationHttpAuthenticationFactory";
- public static final String DEFAULT_ELYTRON_APPLICATION_SASL_AUTHENTICATION_FACTORY_NAME = "migration-defaultApplicationSaslAuthenticationFactory";
+ public static final String DEFAULT_ELYTRON_APPLICATION_DOMAIN_NAME = "ApplicationDomain";
+ public static final String DEFAULT_ELYTRON_APPLICATION_HTTP_AUTHENTICATION_FACTORY_NAME = "application-http-authentication";
+ public static final String DEFAULT_ELYTRON_APPLICATION_SASL_AUTHENTICATION_FACTORY_NAME = "application-sasl-authentication";
 private final JBossServerConfiguration targetConfiguration;
 private final Map legacySecurityRealms = new HashMap<>();
@@ -69,11 +69,11 @@ public void setDomainControllerRemoteSecurityRealm(String domainControllerRemote
 }
 public String getDefaultElytronApplicationRealmName() {
- return "migration-defaultApplicationRealm";
+ return "ApplicationRealm";
 }
 public String getDefaultElytronManagementRealmName() {
- return "migration-defaultManagementRealm";
+ return "ManagementRealm";
 }
 public String getDefaultElytronApplicationDomainName() {
@@ -81,7 +81,7 @@ public String getDefaultElytronApplicationDomainName() {
 }
 public String getDefaultElytronManagementDomainName() {
- return "migration-defaultManagementDomain";
+ return "ManagementDomain";
 }
 public String getDefaultElytronApplicationHttpAuthenticationFactoryName() {
@@ -89,7 +89,7 @@ public String getDefaultElytronApplicationHttpAuthenticationFactoryName() {
 }
 public String getDefaultElytronManagementHttpAuthenticationFactoryName() {
- return "migration-defaultManagementHttpAuthenticationFactory";
+ return "management-http-authentication";
 }
 public String getDefaultElytronApplicationSaslAuthenticationFactoryName() {
@@ -97,19 +97,19 @@ public String getDefaultElytronApplicationSaslAuthenticationFactoryName() {
 }
 public String getDefaultElytronManagementSaslAuthenticationFactoryName() {
- return "migration-defaultManagementSaslAuthenticationFactory";
+ return "management-sasl-authentication";
 }
 public String getDefaultElytronTLSKeyStoreName() {
- return "migration-defaultTLSKeyStore";
+ return "applicationKS";
 }
 public String getDefaultElytronTLSKeyManagerName() {
- return "migration-defaultTLSKeyManager";
+ return "applicationKM";
 }
 public String getDefaultElytronTLSServerSSLContextName() {
- return "migration-defaultTLSServerSSLContext";
+ return "applicationSSC";
 }
 @Override
diff --git a/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/MigrateLegacySecurityRealmsToElytron.java b/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/MigrateLegacySecurityRealmsToElytron.java
index 6d32e744..0dec4de9 100644
--- a/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/MigrateLegacySecurityRealmsToElytron.java
+++ b/servers/wildfly26.0/src/main/java/org/jboss/migration/wfly/task/security/MigrateLegacySecurityRealmsToElytron.java
@@ -131,104 +131,133 @@ protected void addOperationSteps(LegacySecurityConfiguration legacySecurityConfi
 protected void addDefaultApplicationRealm(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
 final String securityRealmName = legacySecurityConfiguration.getDefaultElytronApplicationRealmName();
- final PropertiesRealmAddOperation propertiesRealmAddOperation = new PropertiesRealmAddOperation(subsystemResource.getResourcePathAddress(), securityRealmName);
- propertiesRealmAddOperation.usersProperties(new PropertiesRealmAddOperation.Properties("application-users.properties")
- .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
- .digestRealmName(securityRealmName)
- );
- propertiesRealmAddOperation.groupsProperties(new PropertiesRealmAddOperation.Properties("application-roles.properties")
- .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
- );
- compositeOperationBuilder.addStep(propertiesRealmAddOperation.toModelNode());
+ if (! subsystemResource.getResourceConfiguration().hasDefined("properties-realm", securityRealmName)) {
+ final PropertiesRealmAddOperation propertiesRealmAddOperation = new PropertiesRealmAddOperation(subsystemResource.getResourcePathAddress(), securityRealmName);
+ propertiesRealmAddOperation.usersProperties(new PropertiesRealmAddOperation.Properties("application-users.properties")
+ .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
+ .digestRealmName(securityRealmName)
+ );
+ propertiesRealmAddOperation.groupsProperties(new PropertiesRealmAddOperation.Properties("application-roles.properties")
+ .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
+ );
+ compositeOperationBuilder.addStep(propertiesRealmAddOperation.toModelNode());
+ }
 }
 protected void addDefaultManagementRealm(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
 final String securityRealmName = legacySecurityConfiguration.getDefaultElytronManagementRealmName();
- final PropertiesRealmAddOperation propertiesRealmAddOperation = new PropertiesRealmAddOperation(subsystemResource.getResourcePathAddress(), securityRealmName);
- propertiesRealmAddOperation.usersProperties(new PropertiesRealmAddOperation.Properties("mgmt-users.properties")
- .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
- .digestRealmName(securityRealmName)
- );
- propertiesRealmAddOperation.groupsProperties(new PropertiesRealmAddOperation.Properties("mgmt-groups.properties")
- .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
- );
- compositeOperationBuilder.addStep(propertiesRealmAddOperation.toModelNode());
+ if (! subsystemResource.getResourceConfiguration().hasDefined("properties-realm", securityRealmName)) {
+ final PropertiesRealmAddOperation propertiesRealmAddOperation = new PropertiesRealmAddOperation(subsystemResource.getResourcePathAddress(), securityRealmName);
+ propertiesRealmAddOperation.usersProperties(new PropertiesRealmAddOperation.Properties("mgmt-users.properties")
+ .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
+ .digestRealmName(securityRealmName)
+ );
+ propertiesRealmAddOperation.groupsProperties(new PropertiesRealmAddOperation.Properties("mgmt-groups.properties")
+ .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
+ );
+ compositeOperationBuilder.addStep(propertiesRealmAddOperation.toModelNode());
+ }
 }
 protected void addDefaultApplicationDomain(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
 final String securityDomainName = legacySecurityConfiguration.getDefaultElytronApplicationDomainName();
- final SecurityDomainAddOperation securityDomainAddOperation = new SecurityDomainAddOperation(subsystemResource.getResourcePathAddress(),securityDomainName)
- .permissionMapper("default-permission-mapper")
- .defaultRealm(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())
- .addRealm(new SecurityDomainAddOperation.Realm(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())
- .roleDecoder( "groups-to-roles"))
- .addRealm(new SecurityDomainAddOperation.Realm("local"));
- compositeOperationBuilder.addStep(securityDomainAddOperation.toModelNode());
+ if (! subsystemResource.getResourceConfiguration().hasDefined("security-domain", securityDomainName)) {
+ final SecurityDomainAddOperation securityDomainAddOperation = new SecurityDomainAddOperation(subsystemResource.getResourcePathAddress(),securityDomainName)
+ .permissionMapper("default-permission-mapper")
+ .defaultRealm(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())
+ .addRealm(new SecurityDomainAddOperation.Realm(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())
+ .roleDecoder( "groups-to-roles"))
+ .addRealm(new SecurityDomainAddOperation.Realm("local"));
+ compositeOperationBuilder.addStep(securityDomainAddOperation.toModelNode());
+ }
 }
 protected void addDefaultManagementDomain(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
 final String securityDomainName = legacySecurityConfiguration.getDefaultElytronManagementDomainName();
- final SecurityDomainAddOperation securityDomainAddOperation = new SecurityDomainAddOperation(subsystemResource.getResourcePathAddress(),securityDomainName)
- .permissionMapper("default-permission-mapper")
- .defaultRealm(legacySecurityConfiguration.getDefaultElytronManagementRealmName())
- .addRealm(new SecurityDomainAddOperation.Realm(legacySecurityConfiguration.getDefaultElytronManagementRealmName())
- .roleDecoder( "groups-to-roles"))
- .addRealm(new SecurityDomainAddOperation.Realm("local").roleMapper("super-user-mapper"));
- compositeOperationBuilder.addStep(securityDomainAddOperation.toModelNode());
+ if (! subsystemResource.getResourceConfiguration().hasDefined("security-domain", securityDomainName)) {
+ final SecurityDomainAddOperation securityDomainAddOperation = new SecurityDomainAddOperation(subsystemResource.getResourcePathAddress(),securityDomainName)
+ .permissionMapper("default-permission-mapper")
+ .defaultRealm(legacySecurityConfiguration.getDefaultElytronManagementRealmName())
+ .addRealm(new SecurityDomainAddOperation.Realm(legacySecurityConfiguration.getDefaultElytronManagementRealmName())
+ .roleDecoder( "groups-to-roles"))
+ .addRealm(new SecurityDomainAddOperation.Realm("local").roleMapper("super-user-mapper"));
+ compositeOperationBuilder.addStep(securityDomainAddOperation.toModelNode());
+ }
 }
 protected void addDefaultApplicationHttpAuthenticationFactory(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
- compositeOperationBuilder.addStep(new HttpAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronApplicationHttpAuthenticationFactoryName())
- .securityDomain(legacySecurityConfiguration.getDefaultElytronApplicationDomainName())
- .httpServerMechanismFactory("global")
- .addMechanismConfiguration(new MechanismConfiguration("BASIC").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())))
- .toModelNode());
+ final String name = legacySecurityConfiguration.getDefaultElytronApplicationHttpAuthenticationFactoryName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("http-authentication-factory", name)) {
+ compositeOperationBuilder.addStep(new HttpAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), name)
+ .securityDomain(legacySecurityConfiguration.getDefaultElytronApplicationDomainName())
+ .httpServerMechanismFactory("global")
+ .addMechanismConfiguration(new MechanismConfiguration("BASIC").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())))
+ .toModelNode());
+ }
 }
 protected void addDefaultManagementHttpAuthenticationFactory(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
- compositeOperationBuilder.addStep(new HttpAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronManagementHttpAuthenticationFactoryName())
- .securityDomain(legacySecurityConfiguration.getDefaultElytronManagementDomainName())
- .httpServerMechanismFactory("global")
- .addMechanismConfiguration(new MechanismConfiguration("DIGEST").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronManagementRealmName())))
- .toModelNode());
+ final String name = legacySecurityConfiguration.getDefaultElytronManagementHttpAuthenticationFactoryName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("http-authentication-factory", name)) {
+ compositeOperationBuilder.addStep(new HttpAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), name)
+ .securityDomain(legacySecurityConfiguration.getDefaultElytronManagementDomainName())
+ .httpServerMechanismFactory("global")
+ .addMechanismConfiguration(new MechanismConfiguration("DIGEST").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronManagementRealmName())))
+ .toModelNode());
+ }
 }
 protected void addDefaultApplicationSaslAuthenticationFactory(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
- compositeOperationBuilder.addStep(new SaslAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronApplicationSaslAuthenticationFactoryName())
- .securityDomain(legacySecurityConfiguration.getDefaultElytronApplicationDomainName())
- .saslServerFactory("configured")
- .addMechanismConfiguration(new MechanismConfiguration("JBOSS-LOCAL-USER").realmMapper("local"))
- .addMechanismConfiguration(new MechanismConfiguration("DIGEST-MD5").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())))
- .toModelNode());
+ final String name = legacySecurityConfiguration.getDefaultElytronApplicationSaslAuthenticationFactoryName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("sasl-authentication-factory", name)) {
+ compositeOperationBuilder.addStep(new SaslAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), name)
+ .securityDomain(legacySecurityConfiguration.getDefaultElytronApplicationDomainName())
+ .saslServerFactory("configured")
+ .addMechanismConfiguration(new MechanismConfiguration("JBOSS-LOCAL-USER").realmMapper("local"))
+ .addMechanismConfiguration(new MechanismConfiguration("DIGEST-MD5").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronApplicationRealmName())))
+ .toModelNode());
+ }
 }
 protected void addDefaultManagementSaslAuthenticationFactory(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
- compositeOperationBuilder.addStep(new SaslAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronManagementSaslAuthenticationFactoryName())
- .securityDomain(legacySecurityConfiguration.getDefaultElytronManagementDomainName())
- .saslServerFactory("configured")
- .addMechanismConfiguration(new MechanismConfiguration("JBOSS-LOCAL-USER").realmMapper("local"))
- .addMechanismConfiguration(new MechanismConfiguration("DIGEST-MD5").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronManagementRealmName())))
- .toModelNode());
+ final String name = legacySecurityConfiguration.getDefaultElytronManagementSaslAuthenticationFactoryName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("sasl-authentication-factory", name)) {
+ compositeOperationBuilder.addStep(new SaslAuthenticationFactoryAddOperation(subsystemResource.getResourcePathAddress(), name)
+ .securityDomain(legacySecurityConfiguration.getDefaultElytronManagementDomainName())
+ .saslServerFactory("configured")
+ .addMechanismConfiguration(new MechanismConfiguration("JBOSS-LOCAL-USER").realmMapper("local"))
+ .addMechanismConfiguration(new MechanismConfiguration("DIGEST-MD5").addMechanismRealmConfiguration(new MechanismRealmConfiguration(legacySecurityConfiguration.getDefaultElytronManagementRealmName())))
+ .toModelNode());
+ }
 }
 protected void addDefaultTLS(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {
 // add key-store
- compositeOperationBuilder.addStep(new KeystoreAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronTLSKeyStoreName())
- .keystorePassword("password")
- .path("application.keystore")
- .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
- .type("JKS")
- .toModelNode());
+ final String keyStoreName = legacySecurityConfiguration.getDefaultElytronTLSKeyStoreName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("key-store", keyStoreName)) {
+ compositeOperationBuilder.addStep(new KeystoreAddOperation(subsystemResource.getResourcePathAddress(), keyStoreName)
+ .keystorePassword("password")
+ .path("application.keystore")
+ .relativeTo(subsystemResource.getServerConfiguration().getConfigurationType() == StandaloneServerConfiguration.RESOURCE_TYPE ? "jboss.server.config.dir" : "jboss.domain.config.dir")
+ .type("JKS")
+ .toModelNode());
+ }
 // add key-manager
- compositeOperationBuilder.addStep(new KeyManagerAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronTLSKeyManagerName())
- .keystore(legacySecurityConfiguration.getDefaultElytronTLSKeyStoreName())
- .generateSelfSignedCertificateHost(true)
- .keyPassword("password")
- .toModelNode());
+ final String keyManagerName = legacySecurityConfiguration.getDefaultElytronTLSKeyManagerName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("key-manager", keyManagerName)) {
+ compositeOperationBuilder.addStep(new KeyManagerAddOperation(subsystemResource.getResourcePathAddress(), keyManagerName)
+ .keystore(legacySecurityConfiguration.getDefaultElytronTLSKeyStoreName())
+ .generateSelfSignedCertificateHost(true)
+ .keyPassword("password")
+ .toModelNode());
+ }
 // add ssl server context
- compositeOperationBuilder.addStep(new ServerSSLContextAddOperation(subsystemResource.getResourcePathAddress(), legacySecurityConfiguration.getDefaultElytronTLSServerSSLContextName())
- .keyManager(legacySecurityConfiguration.getDefaultElytronTLSKeyManagerName())
- .toModelNode());
+ final String serverSSLContextName = legacySecurityConfiguration.getDefaultElytronTLSServerSSLContextName();
+ if (! subsystemResource.getResourceConfiguration().hasDefined("server-ssl-context", serverSSLContextName)) {
+ compositeOperationBuilder.addStep(new ServerSSLContextAddOperation(subsystemResource.getResourcePathAddress(), serverSSLContextName)
+ .keyManager(legacySecurityConfiguration.getDefaultElytronTLSKeyManagerName())
+ .toModelNode());
+ }
 }
 protected void migrateRemotingSubsystem(LegacySecurityConfiguration legacySecurityConfiguration, SubsystemResource subsystemResource, Operations.CompositeOperationBuilder compositeOperationBuilder, TaskContext taskContext) {