[Red Hat JIRA] (WFWIP-375) remove-alias on credential-store removes all entries for the given alias
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-375?page=com.atlassian.jira.plugin... ]
Darran Lofthouse updated WFWIP-375:
-----------------------------------
Priority: Critical (was: Major)
--
This message was sent by Atlassian Jira
(v8.13.1#813001)
5 years, 1 month
[Red Hat JIRA] (WFWIP-371) NullPointerException when expression=encryption:create-expression uses resolver with invalid secret-key
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-371?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-371:
----------------------------------------
Going to move this one up to critical as well to prioritise; I think accurate error reporting of the new operations is going to be important.
Moving into using expressions we do lose some of the referential integrity that capabilities and requirements provided, but where we have a situation like this we should have something more meaningful to report.
> NullPointerException when expression=encryption:create-expression uses resolver with invalid secret-key
> -------------------------------------------------------------------------------------------------------
>
> Key: WFWIP-371
> URL: https://issues.redhat.com/browse/WFWIP-371
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Priority: Critical
>
> NullPointerException when {{/subsystem=elytron/expression=encryption:create-expression}} uses resolver with invalid secret-key (no key under the given alias).
> The failure at the end is OK, but it should not be {{NullPointerException}}:
> {noformat}
> [standalone@localhost:9990 /] /subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases
> {
> "outcome" => "success",
> "result" => [
> "secretkey",
> "key"
> ]
> }
> [standalone@localhost:9990 /] /subsystem=elytron/expression=encryption:read-resource
> {
> "outcome" => "success",
> "result" => {
> "default-resolver" => "Default",
> "prefix" => "ENC",
> "resolvers" => [
> {
> "name" => "Default",
> "credential-store" => "credentialstorethree",
> "secret-key" => "secretkey"
> },
> {
> "name" => "resolver2",
> "credential-store" => "credentialstorethree",
> "secret-key" => "secretkey2"
> }
> ]
> }
> }
> [standalone@localhost:9990 /] /subsystem=elytron/expression=encryption:create-expression(clear-text=CredentialStoreTwoPassword)
> {
> "outcome" => "success",
> "result" => {"expression" => "${ENC::RUxZAUMQ+LZYf7LtJiSPV4EqY4FEk3WK2V2i4ywGhTTu/3uRQirYtvphB2A8fmK6CSlUnYUd}"}
> }
> [standalone@localhost:9990 /] /subsystem=elytron/expression=encryption:create-expression(clear-text=CredentialStoreTwoPassword,resolver=resolver2)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.NullPointerException",
> "rolled-back" => true
> }
> {noformat}
> {noformat}
> 08:52:49,669 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("create-expression") failed - address: ([
> ("subsystem" => "elytron"),
> ("expression" => "encryption")
> ]): java.lang.NullPointerException
> at org.wildfly.extension.elytron@15.0.0.Beta1-SNAPSHOT//org.wildfly.extension.elytron.expression.ElytronExpressionResolver.createExpression(ElytronExpressionResolver.java:139)
> at org.wildfly.extension.elytron@15.0.0.Beta1-SNAPSHOT//org.wildfly.extension.elytron.ExpressionResolverResourceDefinition$CreateExpressionHandler.executeRuntimeStep(ExpressionResolverResourceDefinition.java:217)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:59)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:1040)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:779)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:468)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1415)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:431)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:248)
> at org.wildfly.security.elytron-private@1.14.3.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:304)
> at org.wildfly.security.elytron-private@1.14.3.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:270)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:248)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:240)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:138)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:162)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:158)
> at org.wildfly.security.elytron-private@1.14.3.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:328)
> at org.wildfly.security.elytron-private@1.14.3.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:285)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
> at org.jboss.as.controller@15.0.0.Beta1-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:158)
> at org.jboss.as.protocol@15.0.0.Beta1-SNAPSHOT//org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol@15.0.0.Beta1-SNAPSHOT//org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> at java.base/java.lang.Thread.run(Thread.java:834)
> at org.jboss.threads@2.4.0.Final//org.jboss.threads.JBossThread.run(JBossThread.java:513)
> {noformat}
[Red Hat JIRA] (WFWIP-375) remove-alias on credential-store removes all entries for the given alias
by Ondrej Kotek (Jira)
Ondrej Kotek created WFWIP-375:
----------------------------------
Summary: remove-alias on credential-store removes all entries for the given alias
Key: WFWIP-375
URL: https://issues.redhat.com/browse/WFWIP-375
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Ondrej Kotek
Assignee: Darran Lofthouse
The {{remove-alias}} operation of the {{credential-store}} resource removes all entries for the given alias, not just one entry according to the given type.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:add-alias(alias=a2,secret-value=a2)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:remove-alias(alias=a2,entry-type=SecretKeyCredential)
{
"outcome" => "failed",
"failure-description" => "WFLYELY00920: Credential alias 'a2' of credential type 'SecretKeyCredential' does not exist in the store",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:generate-secret-key(alias=a2)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:remove-alias(alias=a2,entry-type=SecretKeyCredential)
{
"outcome" => "success",
"response-headers" => {"warnings" => [{
"warning" => "Update dependent resources as alias 'a2' does not exist anymore",
"level" => "WARNING",
"operation" => {
"address" => [
("subsystem" => "elytron"),
("credential-store" => "a")
],
"operation" => "remove-alias"
}
}]}
}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:add-alias(alias=a2,secret-value=a2)
{"outcome" => "success"}
{noformat}
[Red Hat JIRA] (WFWIP-374) credential-store overwrites existing aliases when generating or importing keys
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-374?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-374:
----------------------------------------
I am going to promote this to critical for now. I think we can follow up next week with the fix, but we should add the protection against accidental writes, as accidentally deleting a secret key makes previously encrypted expressions unusable and there is no alternative to recover them.
This is also something we should make sure we cover in all documentation: the importance of backing up any created secret key securely, as on loss of the secret key the only option will be to regenerate all expressions.
[Red Hat JIRA] (WFWIP-371) NullPointerException when expression=encryption:create-expression uses resolver with invalid secret-key
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-371?page=com.atlassian.jira.plugin... ]
Darran Lofthouse updated WFWIP-371:
-----------------------------------
Priority: Critical (was: Major)
[Red Hat JIRA] (WFWIP-374) credential-store overwrites existing aliases when generating or importing keys
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-374?page=com.atlassian.jira.plugin... ]
Darran Lofthouse updated WFWIP-374:
-----------------------------------
Priority: Critical (was: Major)
[Red Hat JIRA] (WFWIP-373) :resolve-expression does not resolve encrypted expressions
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-373?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-373:
----------------------------------------
I wonder if this method would have worked for Vault expressions; I will have a look.
As we discussed a little bit in the analysis, it may be preferable not to support decryption using the management model, but even if that is the case this method should fail with an appropriate error and not try to handle it as a system property.
[Red Hat JIRA] (WFWIP-374) credential-store overwrites existing aliases when generating or importing keys
by Ondrej Kotek (Jira)
Ondrej Kotek created WFWIP-374:
----------------------------------
Summary: credential-store overwrites existing aliases when generating or importing keys
Key: WFWIP-374
URL: https://issues.redhat.com/browse/WFWIP-374
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Ondrej Kotek
Assignee: Darran Lofthouse
The Elytron {{credential-store}} resource overwrites existing aliases when generating or importing keys; this is not consistent with the behaviour of the {{add-alias}} operation.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:generate-secret-key(alias=a1)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:read-aliases
{
"outcome" => "success",
"result" => ["a1"]
}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:generate-secret-key(alias=a1)
{"outcome" => "success"}
-------------------------
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:export-secret-key(alias=a2)
{
"outcome" => "success",
"result" => {"key" => "RUxZAUuJqp+mNwIEDMrUz0iK6dyG"}
}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:import-secret-key(alias=a2,key=RUxZAUuJqp+mNwIEDMrUz0iK6dyG)
{"outcome" => "success"}
-------------------------
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:add-alias(alias=a2,secret-value=a2)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=a:add-alias(alias=a2,secret-value=a2)
{
"outcome" => "failed",
"failure-description" => "WFLYELY00913: Credential alias 'a2' of credential type 'org.wildfly.security.credential.PasswordCredential' already exists in the store",
"rolled-back" => true
}
{noformat}
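The two failure modes reported in WFWIP-371 and WFWIP-374 share a root: a secret-key alias that is missing, or about to be silently overwritten, with no useful error from the server. The pre-flight script below is an added example, not code from WildFly or from the issue reporters. It works on the JSON form of management responses (it assumes the `--output-json` flag of `jboss-cli.sh`; the `run_cli` wrapper is a hypothetical helper that is not exercised offline), refuses `generate-secret-key`/`import-secret-key` when `read-aliases` already lists the alias, and reports resolvers whose `secret-key` alias is absent from their credential store before `create-expression` trips over them. The sample responses are constructed to mirror the transcripts in the two issues.

```python
"""Pre-flight checks for Elytron secret keys behind encrypted expressions.

Added example, not WildFly code. Input is the JSON form of management
responses (assumes `jboss-cli.sh --output-json`); the sample responses are
constructed to mirror the transcripts in WFWIP-371 and WFWIP-374.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample responses: the shape of --output-json output, values from the issues.
SAMPLE_READ_ALIASES = '{"outcome": "success", "result": ["secretkey", "key"]}'
SAMPLE_EXPRESSION_RESOURCE = """
{"outcome": "success",
 "result": {"default-resolver": "Default", "prefix": "ENC",
            "resolvers": [
              {"name": "Default",   "credential-store": "credentialstorethree", "secret-key": "secretkey"},
              {"name": "resolver2", "credential-store": "credentialstorethree", "secret-key": "secretkey2"}]}}
"""


def run_cli(command: str, cli: str = "jboss-cli.sh") -> str:
    """Run one management operation and return the raw JSON response.

    Hypothetical wrapper: needs a live server and a CLI that supports --output-json.
    """
    proc = subprocess.run([cli, "--connect", "--output-json", f"--command={command}"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def cli_result(raw: str):
    """Unwrap the 'result' of a successful response; surface the failure-description otherwise."""
    resp = json.loads(raw)
    if resp.get("outcome") != "success":
        raise RuntimeError(resp.get("failure-description", "management operation failed"))
    return resp["result"]


def dangling_resolvers(expression_resource_raw: str, aliases_by_store: Dict[str, List[str]]) -> List[str]:
    """Names of resolvers whose secret-key alias is absent from their credential store.

    create-expression with such a resolver cannot succeed (WFWIP-371); checking
    here gives the meaningful error the server did not.
    """
    resource = cli_result(expression_resource_raw)
    return [r["name"] for r in resource.get("resolvers", [])
            if r["secret-key"] not in aliases_by_store.get(r["credential-store"], [])]


def plan_secret_key_write(store: str, alias: str, existing_aliases: List[str],
                          key: Optional[str] = None) -> List[str]:
    """Commands to generate (or import) a secret key under `alias`, then export it for backup.

    generate-secret-key and import-secret-key overwrite an existing alias silently
    (WFWIP-374) and an overwritten key cannot be recovered, so the write is refused
    when read-aliases already lists the alias. read-aliases does not report entry
    types, so a same-named password entry also blocks the write; that is deliberate.
    """
    if alias in existing_aliases:
        raise ValueError(f"alias {alias!r} already exists in credential-store={store}; refusing to overwrite it")
    base = f"/subsystem=elytron/credential-store={store}"
    write = (f"{base}:import-secret-key(alias={alias},key={key})" if key
             else f"{base}:generate-secret-key(alias={alias})")
    # export-secret-key prints key material: run it only where stdout goes to a protected location.
    return [write, f"{base}:export-secret-key(alias={alias})"]


if __name__ == "__main__":
    aliases = cli_result(SAMPLE_READ_ALIASES)
    print("resolvers with a missing secret-key:",
          dangling_resolvers(SAMPLE_EXPRESSION_RESOURCE, {"credentialstorethree": aliases}))
    for cmd in plan_secret_key_write("credentialstorethree", "secretkey2", aliases):
        print(cmd)
```

Run against the sample data it flags `resolver2` (its `secretkey2` is not in the store) and plans a generate for `secretkey2` followed by an export; the export output is the backup Darran asks for above and must be captured somewhere protected, since losing the key means regenerating every expression encrypted with it.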
[Red Hat JIRA] (WFWIP-372) The resolver attribute of the create-expression operation does not auto-complete
by Darran Lofthouse (Jira)
[ https://issues.redhat.com/browse/WFWIP-372?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-372:
----------------------------------------
I can have a look at this one in case I can come up with a solution, but I think this may be a future feature request.
The reason we have tab completion for various resource references is that the CLI is aware of the capability requirements of a specific resource from its read-resource-description and is able to query the available capabilities to satisfy the requirement.
In this case the individual resolvers don't offer a capability of their own. I may be able to see if that is possible.
Other than that, something we have discussed in the past in relation to other resources is the ability to provide some generic kind of lookup for allowed values that both the CLI and admin console can use.
> The resolver attribute of the create-expression operation does not auto-complete
> --------------------------------------------------------------------------------
>
> Key: WFWIP-372
> URL: https://issues.redhat.com/browse/WFWIP-372
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Priority: Major
>
> The {{resolver}} attribute of the {{/subsystem=elytron/expression=encryption:create-expression}} operation does not auto-complete in CLI.
[Red Hat JIRA] (WFWIP-373) :resolve-expression does not resolve encrypted expressions
by Ondrej Kotek (Jira)
Ondrej Kotek created WFWIP-373:
----------------------------------
Summary: :resolve-expression does not resolve encrypted expressions
Key: WFWIP-373
URL: https://issues.redhat.com/browse/WFWIP-373
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Ondrej Kotek
Assignee: Darran Lofthouse
The {{:resolve-expression}} operation does not resolve encrypted expressions.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/expression=encryption:read-resource
{
"outcome" => "success",
"result" => {
"default-resolver" => "Default",
"prefix" => "ENC",
"resolvers" => [
{
"name" => "Default",
"credential-store" => "credentialstorethree",
"secret-key" => "secretkey"
},
{
"name" => "resolver2",
"credential-store" => "credentialstorethree",
"secret-key" => "secretkey2"
}
]
}
}
[standalone@localhost:9990 /] /subsystem=elytron/expression=encryption:create-expression(clear-text=CredentialStoreTwoPassword)
{
"outcome" => "success",
"result" => {"expression" => "${ENC::RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB}"}
}
[standalone@localhost:9990 /] :resolve-expression(expression="${ENC::RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB}")
{
"outcome" => "success",
"result" => ":RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB"
}
{noformat}
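The result in WFWIP-373 is what falls out when `${ENC::...}` is parsed with the plain `${name:default}` system-property rule: `ENC` becomes the property name and everything after the first colon, i.e. `:RUxZ...`, becomes the default value. The parser below is an added example rather than code from WildFly. It assumes the encrypted format is `${PREFIX::payload}` when the default resolver applies and `${PREFIX::resolver:payload}` when one is named, and shows the naive rule beside it so the two outcomes can be compared; `select_resolver` fails with a named error for an unknown resolver, which is the behaviour asked for in WFWIP-371. The resource dict is constructed from the `read-resource` output quoted above.

```python
"""Parse Elytron encrypted expressions and pick the resolver they name.

Added example, not WildFly code. Assumed format: ${PREFIX::payload} uses the
default-resolver, ${PREFIX::resolver:payload} names one. SAMPLE_RESOURCE is
constructed from the expression=encryption:read-resource output in WFWIP-373.
"""
import re
from typing import NamedTuple, Optional


class EncryptedExpression(NamedTuple):
    prefix: str
    resolver: Optional[str]  # None means the configured default-resolver applies
    payload: str             # opaque ciphertext emitted by create-expression


SAMPLE_RESOURCE = {
    "default-resolver": "Default",
    "prefix": "ENC",
    "resolvers": [
        {"name": "Default", "credential-store": "credentialstorethree", "secret-key": "secretkey"},
        {"name": "resolver2", "credential-store": "credentialstorethree", "secret-key": "secretkey2"},
    ],
}

# ${PREFIX::[resolver:]payload}; the resolver segment is optional (assumed format).
_ENCRYPTED = re.compile(
    r"^\$\{(?P<prefix>[A-Za-z0-9_]+)::(?:(?P<resolver>[^:}]+):)?(?P<payload>[^:}]+)\}$")
# Plain ${name[:default]} system-property expression.
_SYSTEM_PROPERTY = re.compile(r"^\$\{(?P<name>[^:}]*)(?::(?P<default>.*))?\}$")


def parse_encrypted_expression(expression: str) -> Optional[EncryptedExpression]:
    """Return the parsed expression, or None when it is not of the ${PREFIX::...} form."""
    m = _ENCRYPTED.match(expression.strip())
    if m is None:
        return None
    return EncryptedExpression(m.group("prefix"), m.group("resolver"), m.group("payload"))


def resolve_as_system_property(expression: str, properties: dict) -> Optional[str]:
    """The plain ${name:default} rule.

    Fed an encrypted expression it takes 'ENC' as the property name and ':RUxZ...'
    as the default, which is exactly the value :resolve-expression returned.
    """
    m = _SYSTEM_PROPERTY.match(expression.strip())
    if m is None:
        return None
    return properties.get(m.group("name"), m.group("default"))


def select_resolver(parsed: EncryptedExpression, resource: dict) -> dict:
    """Resolver entry for an expression; a bad prefix or unknown resolver is a named error."""
    if parsed.prefix != resource["prefix"]:
        raise KeyError(f"prefix {parsed.prefix!r} is not the configured prefix {resource['prefix']!r}")
    name = parsed.resolver or resource["default-resolver"]
    for r in resource["resolvers"]:
        if r["name"] == name:
            return r
    known = ", ".join(r["name"] for r in resource["resolvers"])
    raise KeyError(f"resolver {name!r} is not defined (known resolvers: {known})")


if __name__ == "__main__":
    expr = "${ENC::RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB}"
    print("as system property:", resolve_as_system_property(expr, {}))
    parsed = parse_encrypted_expression(expr)
    print("parsed:", parsed)
    print("resolver:", select_resolver(parsed, SAMPLE_RESOURCE))
```

Decryption itself is left out on purpose: the thread above is still deciding whether the management model should decrypt at all, and nothing on the page documents the cipher behind the payload; the parser is the part a caller needs either way to reject the input cleanly instead of echoing it back as a default value.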