[ELY-2711] Add support for encrypted expressions in the wildfly-config.xml

[PrarthonaPaul]

Issue: https://issues.redhat.com/browse/ELY-2711
Depends on: wildfly/wildfly-client-config#42
Note:

• This PR will fail CI tests because it depends on some changes on wildfly-client-config that still need to be merged
• The code for Encryption client has been moved to org.wildfly.security.encryption.client and org.wildfly.security.encryption has been moved to a folder called base. Module name for this stays the same.

[fjuma]

@PrarthonaPaul Since this PR depends on changes in wildfly-client-config that haven't been pushed yet, I think it would be good to mark this as a draft PR.

[fjuma]

Thanks for the PR, @PrarthonaPaul! I have started going through the analysis document and this PR and am adding some initial feedback. Let me know if you have any questions.

[fjuma]

We need to be a bit careful here. This is a server dependency and it also depends on Elytron. We can't add a dependency on it here. Where it makes sense to do so, we could consider pulling out common pieces of code and adding it to Elytron and then updating the server code to make use of that.

[PrarthonaPaul]

removed core dependency!

[fjuma]

What is this needed for? Is this for tests?

[PrarthonaPaul]

This is used for tests.
Since the absolute path needs to be specified for the location of the credential store, I added an environment variable to specify the path.
Maybe we can change it to something like what the OIDC tests do to resolve env variables.

[fjuma]

Missing copyright header (this can be copied from another .java file and then the year just needs to be updated).

[PrarthonaPaul]

added!

[fjuma]

WildFly Core depends on Elytron. We can't add this dependency here (see my comment above).

[PrarthonaPaul]

removed circular dependency. Introduced new exception classes instead and got rid of server specific code/classes.

[Skyllarr]

@PrarthonaPaul the tests could later include an wildfly-config.xml file that contains additional schemas that can be included there. You can find them here: https://docs.wildfly.org/30/WildFly_Elytron_Security.html#Configuring_other_clients_using_wildfly-config , there are also links to schema locations

[PrarthonaPaul]

I have added a new test that uses encrypted expression with authentication client.
Please let me know if there are any other clients I should add tests for. So far there are tests for parsing only, but no integrated functionality tests. Please let me know if I should add those and where I can add those.
Thanks!

[Skyllarr]

@PrarthonaPaul we can add an integration tests that verify that the credentials used in SASL authentication are resolved as expected and authentication pass. See for example the MaskedPasswordSaslAuthenticationTest where there is a SASL client and SASL server communication and we test that their authentication is successful. We could add similar integraiton tests that uses encrypted password on the client side

[PrarthonaPaul]

I have added a test for this. Currently looking to see if we need a programmatic one.
But the one for xml config should be good to go.
Thanks @Skyllarr

[Skyllarr]

@PrarthonaPaul Just a minor, you can make the InvalidEncryptedExpressionConfigurationException extend IllegalArgumentException and then remove the RuntimeException here..similarly as it is done for DefaultAuthenticationContextProvider

[PrarthonaPaul]

fixed!

[Skyllarr]

Just a total minor, we can name it without shortcut to keep it consistent with the rest of classes : EncryptedExpressionConfiguration

[PrarthonaPaul]

fixed!

[Skyllarr]

@PrarthonaPaul just a minor, this callback handler is unused so you can remove it

[PrarthonaPaul]

removed!

[Skyllarr]

Just a minor, you can remove the CAPABILITY string

[PrarthonaPaul]

removed!

[Skyllarr]

just a minor, these three variables are unused

[PrarthonaPaul]

removed them!

[Skyllarr]

@PrarthonaPaul most code in this class seems the same as in the wildfly-core repo. Can you extract the parts of the code used by both to some Utils class and make both wildfly-elytron-client and wildfly-core use the methods from Utils, so we avoid code duplication?

[PrarthonaPaul]

I am not sure if we could do this (at least for some of the bigger ones, like createExpression or resolveExpressionInternal or resolveExpression since on the core side, they are server dependent).
But some of the smaller functions, like setResolverConfigurations or setDefaultResolver or setPrefix, we can add those to the utility.

[Skyllarr]

@PrarthonaPaul The methods that can be extracted to common Utils should be extracted, so that if a bug is found in the future, we can fix it on a single place. You can also refactor the methods on the server side to be able to introduce common Utils methods where it is possible

[PrarthonaPaul]

@Skyllarr
I have identified the common code between the two classes (ElytronExpressionResolver and the EncryptedExpressionResolver).
There are 3 functions whose contents are the same:

server side: https://github.com/wildfly/wildfly-core/blob/main/elytron/src/main/java/org/wildfly/extension/elytron/expression/ElytronExpressionResolver.java#L169-L186

Client side:

wildfly-elytron/encryption/client/src/main/java/org/wildfly/security/encryption/client/EncryptedExpressionResolver.java

Lines 142 to 161 in a8334dd

	public EncryptedExpressionResolver setPrefix(final String prefix) {
	this.prefix = prefix;
	this.completePrefix = prefix + "::";
	return this;
	}
	public EncryptedExpressionResolver setDefaultResolver(final String defaultResolver) {
	if (defaultResolver == null) {
	this.defaultResolver = getResolverConfiguration().entrySet().iterator().next().getKey();
	} else {
	this.defaultResolver = defaultResolver;
	}
	return this;
	}
	public EncryptedExpressionResolver setResolverConfigurations(final Map<String, ResolverConfiguration> resolverConfigurations) {
	this.resolverConfigurations = Collections.unmodifiableMap(resolverConfigurations);
	return this;
	}

However, since the objects that invoke these functions, ElytronExpressionResolver and EncryptedExpressionResolver are different, I am not exactly sure how to combine them to use the same function. I could send them as Java Objects and then cast them using instanceof keyword.

Another thing is that I was thinking of adding it to org.wildfly.security.utils, but it turns out that would lead to a circular dependency. I could fix that using a service loader or add it to another module (maybe create org.wildfly.security.encryption.util and add it there)?

[PrarthonaPaul]

Another thing I realized is that the server side resolver lives inside WF-core and client side resolver is inside elytron. I think if we wanted to access the server-side resolver class from org.wildfly.security.utils, we would need to use a service loader. Or maybe we can place the util class for encryptedexoressionresolution inside the org.wildfly.common dependency?

[Skyllarr]

Is this method unused?

[PrarthonaPaul]

yes, I have removed it.

[Skyllarr]

Just a minor, this exception is unused

[PrarthonaPaul]

removed!

[Skyllarr]

Just a total minor, I would rename the file to encrypted-expressions-1_0.xsd

[PrarthonaPaul]

fixed!

[fjuma]

@Skyllarr @PrarthonaPaul To be consistent with the other clients, just wondering if this should be encrypted-expressions-client-1_0.xsd or encryption-client-1_0.xsd with the root element updated accordingly as well.

[Skyllarr]

@fjuma Yes that is a good idea!

[PrarthonaPaul]

sure! I can make changes to the schema and the elements.

[Skyllarr]

can we add some test that verifies that the resolved expression is as expected?

[PrarthonaPaul]

Looking into this now

[Skyllarr]

@PrarthonaPaul Just wondering, is it possible for this new schema to reference the types from the existing elytron-client xsd schema? With some include?

[PrarthonaPaul]

Are there any examples of this?
If we can reuse credential-store-type from the elytron schema, it would make it much simpler.

[Skyllarr]

@PrarthonaPaul I do not know of any examples, but maybe it is possible to do https://stackoverflow.com/questions/8194112/basics-of-referencing-a-xsd-schema-from-another-schema ? It needs some investigations of the schema possibilities

[PrarthonaPaul]

I have added a reference to the elytron schema using the method mentioned in the post you shared. Thanks!

[PrarthonaPaul]

Thanks, @Skyllarr for the comments!
I have addressed some of the comments and for the others, I have added some questions.

[fjuma]

Very minor but some classes have EncryptedExpressions in the class name and others have just EncryptedExpression. We need to make sure that we are consistent with the schema throughout.

[fjuma]

Do we need "Context" in the class name? Just wondering if this was a copy/paste from DefaultAuthenticationContextProvider or if there is a reason to include it in the name here too.

[fjuma]

I see now there's a corresponding EncryptedExpressionContext class.

[PrarthonaPaul]

I have changed classes related to encryption client to have names like EncryptionClientContext

[fjuma]

"default identity context" -> This is likely a copy/paste from something else, should be reworded

[PrarthonaPaul]

fixed!

[fjuma]

s/interface/utility class

[fjuma]

Since this is just a utility class with helper methods, this shouldn't be public API. Currently, this is a public class in the org.wildfly.security.auth.client package and that is public API.

[PrarthonaPaul]

Thanks for pointing out!
Which of the following do you think would be the best approach:

1. move it to org.wildfly.security.auth.util?
2. keep it in the same directory and change the class and its functions to private or
3. change the functions to protected and keep the class public or
4. something else

[fjuma]

Is this needed?

[PrarthonaPaul]

nope, I think i was trying to use it for something else but did not need it.
Should be removed now.

[fjuma]

Is this used?

[PrarthonaPaul]

removed!

[fjuma]

"authentication context" references above

[PrarthonaPaul]

Fixed!

[PrarthonaPaul]

I added this function to decrypt a password before adding it so if users want to programmatically configure an auth client with encrypted expressions, they can do that.

To make it more general, we can replace it with a function called decryptAndUseValue() that takes in the expression to decrypt and the function to call afterwards. However, I am not sure if that is something we can do with templates (not sure if that's what they are called in java. But here is what I am talking about https://cplusplus.com/doc/oldtutorial/templates/).

If this is not supported, then we can send enumerated values like this function is doing. So, based on the enum value, we can call the appropriate function with the decrypted value.

@Skyllarr @fjuma please let me know what you think.

[fjuma]

Are these getOrDefault methods used?

[PrarthonaPaul]

removed!

[fjuma]

Is this thrown specifically for issues with encrypted expressions? If so, would be good to update the class name to reflect that.

[PrarthonaPaul]

Updated the name to EncryptedExpressionResolutionException

[fjuma]

Can you provide some more details on what this class is used for?

[PrarthonaPaul]

Sure! This is part of the service loader process.
The ResolverProvider interface lives inside the wildfly-client-config project and the WildFlyClientResolverProvider class implements that class in wildfly-elytron to give access to the classes and functions needed to resolve and decrypt the encrypted expression.

[PrarthonaPaul]

This function is here temporarily and will be uncommented if we decide to add support for programmatic configuration with encrypted expressions.

[PrarthonaPaul]

@Skyllarr
I have identified the common code between the two classes (ElytronExpressionResolver and the EncryptedExpressionResolver).
There are 3 functions whose contents are the same:

server side: https://github.com/wildfly/wildfly-core/blob/main/elytron/src/main/java/org/wildfly/extension/elytron/expression/ElytronExpressionResolver.java#L169-L186

Client side:

wildfly-elytron/encryption/client/src/main/java/org/wildfly/security/encryption/client/EncryptedExpressionResolver.java

Lines 142 to 161 in a8334dd

	public EncryptedExpressionResolver setPrefix(final String prefix) {
	this.prefix = prefix;
	this.completePrefix = prefix + "::";
	return this;
	}
	public EncryptedExpressionResolver setDefaultResolver(final String defaultResolver) {
	if (defaultResolver == null) {
	this.defaultResolver = getResolverConfiguration().entrySet().iterator().next().getKey();
	} else {
	this.defaultResolver = defaultResolver;
	}
	return this;
	}
	public EncryptedExpressionResolver setResolverConfigurations(final Map<String, ResolverConfiguration> resolverConfigurations) {
	this.resolverConfigurations = Collections.unmodifiableMap(resolverConfigurations);
	return this;
	}

However, since the objects that invoke these functions, ElytronExpressionResolver and EncryptedExpressionResolver are different, I am not exactly sure how to combine them to use the same function. I could send them as Java Objects and then cast them using instanceof keyword.

Another thing is that I was thinking of adding it to org.wildfly.security.utils, but it turns out that would lead to a circular dependency. I could fix that using a service loader or add it to another module (maybe create org.wildfly.security.encryption.util and add it there)?

[PrarthonaPaul]

Another thing I realized is that the server side resolver lives inside WF-core and client side resolver is inside elytron. I think if we wanted to access the server-side resolver class from org.wildfly.security.utils, we would need to use a service loader. Or maybe we can place the util class for encryptedexoressionresolution inside the org.wildfly.common dependency?

[ropalka]

Just a friendly remainder @PrarthonaPaul there's a change required to move this PR forward.

[PrarthonaPaul]

Just a friendly remainder @PrarthonaPaul there's a change required to move this PR forward.

Thanks @ropalka
I will resolve these conflicts and push soon.