[WFLY-16179] Add integrity support to FilesystemSecurityRealm #15411
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
deps-ok
|
/retest |
bstansberry
added
core-upgrade-needed
fjuma
reviewed
Apr 25, 2022
| @@ -6,7 +6,7 @@ | |||
|
|
|||
| <container qualifier="jboss" default="true"> | |||
| <configuration> | |||
| <property name="javaVmArguments">${server.jvm.args}</property> | |||
| <property name="javaVmArguments">${server.jvm.args} -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005</property> | |||
There was a problem hiding this comment.
This shouldn't be included here.
Ashpan
force-pushed
the
WFLY-16179
branch
2 times, most recently
from
ace6b30
to
772f7f5
Compare
|
@Ashpan This branch now has conflicts that need to be resolved. Note that the encryption changes have been merged so they're no longer needed in this PR. |
fjuma
reviewed
Jun 9, 2022
| @@ -148,6 +148,38 @@ An encrypted `filesystem-realm` that makes use of the `credential-store` could b | |||
| /subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir, credential-store=mycredstore, secret-key=key) | |||
| ---- | |||
|
|
|||
| ==== Integrity | |||
|
|
|||
| It is also possible to enable integrity support on the filesystem realm by configuring the key-store and key-store-alias attributes for the realm. | |||
There was a problem hiding this comment.
s/enable integrity support/enable support for integrity checking
fjuma
reviewed
Jun 9, 2022
|
|
||
| It is also possible to enable integrity support on the filesystem realm by configuring the key-store and key-store-alias attributes for the realm. | ||
|
|
||
| When enabling integrity on a filesystem realm, you will have to specify the following 2 attributes |
There was a problem hiding this comment.
s/integrity/integrity checking
fjuma
reviewed
Jun 9, 2022
|
|
||
| When enabling integrity on a filesystem realm, you will have to specify the following 2 attributes | ||
|
|
||
| * `key-store`: This attribute specifies the key-store where the key-pair (Private Key and Public Key) is used for signing each identity file for the filesystem realm. |
There was a problem hiding this comment.
s/where the key-pair (Private Key and Public Key) is used for signing each identity file for the filesystem realm/that contains the key pair (private key and public key) that's used for signing each identity file and for integrity checking
fjuma
reviewed
Jun 9, 2022
|
|
||
| * `key-store`: This attribute specifies the key-store where the key-pair (Private Key and Public Key) is used for signing each identity file for the filesystem realm. | ||
|
|
||
| * `key-store-alias`: This attribute specifies the alias of the key-store that contains the correct key-pair to be using for signing the files. |
There was a problem hiding this comment.
the alias within the key-store that identifies the PrivateKeyEntry to use to sign identity files and perform filesystem integrity checks
fjuma
reviewed
Jun 9, 2022
| /subsystem=elytron/key-store=keystore:store() | ||
| ---- | ||
|
|
||
| To create an integrity enabled filesystem realm with a key-store called ``keystore`` and the secret-key alias ``localhost``, the following command would be used |
fjuma
reviewed
Jun 9, 2022
| @@ -25,9 +27,11 @@ The charset is UTF-8 and the string encoding is BASE64. | |||
|
|
|||
| The `credential-store` being referenced is called `mycredstore` and the alias of the `secret-key` in that `credential-store` is `key`. The secret key will be used to encrypt and decrypt the filesystem realm. | |||
|
|
|||
| The key-store being referenced is called `keystore` and the alias of the key pair in that key-store is `localhost`. The `localhost` key pair will be used to sign identity files and verify the pre-existing signatures to ensure that the filesystem realm has not been tampered with. | |||
fjuma
reviewed
Jun 9, 2022
| @@ -47,12 +51,20 @@ To delete existing identity from filesystem realm: | |||
| /subsystem=elytron/filesystem-realm=fsRealm:remove-identity(identity=alex) | |||
| ---- | |||
|
|
|||
| An operation is added if an integrity-enabled filesystem realm needs to update the key-store or the key-store alias. The following command will update the realm and all the identity signatures to utilize the new key-pair. | |||
There was a problem hiding this comment.
Maybe this could be reworded to something like:
It's possible to update the key-store or key-store-alias to use for integrity checking using the update-key-pair command as shown below. This command will also update the signature in any existing identity files.
Ashpan
force-pushed
the
WFLY-16179
branch
3 times, most recently
from
35fd1f8
to
2eac750
Compare
fjuma
approved these changes
Jun 16, 2022
Skyllarr
approved these changes
Jul 28, 2022
fjuma
added
the
Critical
bstansberry
removed
the
core-upgrade-needed
|
/retest |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Jira: https://issues.redhat.com/browse/WFLY-16179
Requires: https://issues.redhat.com/browse/WFCORE-5859
WildFly Core PR with tests: wildfly/wildfly-core#5048