Merge pull request #1676 from Ashpan/ELY-2078-encryption

[ELY-2078] Add encryption support to FileSystemSecurityRealm
wildfly-security · Mar 18, 2022 · 6996cb6 · 6996cb6
2 parents a3b1ee8 + 7050f15
commit 6996cb6
Show file tree

Hide file tree

Showing 51 changed files with 2,562 additions and 87 deletions.
diff --git a/auth/realm/base/pom.xml b/auth/realm/base/pom.xml
@@ -59,7 +59,11 @@
         <dependency>
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-x500</artifactId>
-        </dependency>        
+        </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-encryption</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>org.jboss.logging</groupId>

diff --git a/auth/realm/base/src/main/java/org/wildfly/security/auth/realm/ElytronMessages.java b/auth/realm/base/src/main/java/org/wildfly/security/auth/realm/ElytronMessages.java
@@ -146,4 +146,13 @@ interface ElytronMessages extends BasicLogger {
     @LogMessage(level = Logger.Level.DEBUG)
     @Message(id = 13004, value = "JAAS logout failed for principal %s")
     void debugInfoJaasLogoutFailure(Principal principal, @Cause Throwable cause);
+
+    @Message(id = 13005, value = "Filesystem-backed realm unable to decrypt identity")
+    RealmUnavailableException fileSystemRealmDecryptionFailed(@Cause Throwable cause);
+
+    @Message(id = 13006, value = "Filesystem-backed realm unable to encrypt identity")
+    RealmUnavailableException fileSystemRealmEncryptionFailed(@Cause Throwable cause);
+
+    @Message(id = 13007, value = "Filesystem-backed realm found an incompatible identity version. Requires at least version: %s")
+    RealmUnavailableException fileSystemRealmIncompatibleIdentityVersion(String expectedVersion);
 }
diff --git a/auth/realm/base/src/main/java/org/wildfly/security/auth/realm/FileSystemRealmUtil.java b/auth/realm/base/src/main/java/org/wildfly/security/auth/realm/FileSystemRealmUtil.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2021 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wildfly.security.auth.realm;
+
+
+import java.util.List;
+import org.wildfly.common.Assert;
+import org.wildfly.security.auth.principal.NamePrincipal;
+import org.wildfly.security.auth.server.ModifiableRealmIdentity;
+import org.wildfly.security.auth.server.ModifiableRealmIdentityIterator;
+import org.wildfly.security.auth.server.RealmUnavailableException;
+import org.wildfly.security.authz.Attributes;
+import org.wildfly.security.credential.Credential;
+
+/**
+ * A utility class to utilize methods from the {@code FileSystemSecurityRealm} class for the Elytron Tool.
+ *
+ * @author <a href="mailto:[email protected]">Ashpan Raskar</a>
+ */
+public class FileSystemRealmUtil {
+
+    /**
+     * Converts a pre-existing unencrypted {@code FileSystemSecurityRealm} to a newly created encrypted {@code FileSystemSecurityRealm}
+     *
+     * @param unencryptedRealm the {@code FileSystemSecurityRealm} without any encryption applied
+     * @param encryptedRealm the {@code FileSystemSecurityRealm} configured with a SecretKey to encrypt identity data
+     * @throws RealmUnavailableException if either realm is unavailable
+     */
+    public static void createEncryptedRealmFromUnencrypted(FileSystemSecurityRealm unencryptedRealm, FileSystemSecurityRealm encryptedRealm) throws RealmUnavailableException {
+        Assert.checkNotNullParam("unencryptedRealm", unencryptedRealm);
+        Assert.checkNotNullParam("encryptedRealm", encryptedRealm);
+
+        ModifiableRealmIdentityIterator realmIterator = unencryptedRealm.getRealmIdentityIterator();
+
+        while (realmIterator.hasNext()) {
+            ModifiableRealmIdentity identity = realmIterator.next();
+            List<Credential> credentials = ((FileSystemSecurityRealm.Identity) identity).loadCredentials();
+            Attributes attributes = identity.getAttributes();
+
+            ModifiableRealmIdentity newIdentity = encryptedRealm.getRealmIdentityForUpdate(new NamePrincipal(identity.getRealmIdentityPrincipal().getName()));
+            newIdentity.create();
+            newIdentity.setCredentials(credentials);
+            newIdentity.setAttributes(attributes);
+            newIdentity.dispose();
+        }
+        realmIterator.close();
+    }
+
+}