Tomas Hofman moved ELY-1042 to WFCORE-2617:
-------------------------------------------
Project: WildFly Core (was: WildFly Elytron)
Key: WFCORE-2617 (was: ELY-1042)
Component/s: Security
(was: Credential Store)
When the credential store flush to the file on disk fails, the in-memory
credential store and the persisted file become inconsistent.
----------------------------------------------------------------------------------------------------------------------------------------
Key: WFCORE-2617
URL: https://issues.jboss.org/browse/WFCORE-2617
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Hynek Švábek
Assignee: Tomas Hofman
Priority: Critical
When the credential store flush to the file on disk fails, the in-memory credential store
and the persisted file become inconsistent.
I expect a consistent state: the same aliases in memory and persisted on disk.
We must not add new aliases only to memory.
This problem was split out from issue
https://issues.jboss.org/browse/JBEAP-6866
where it is noted as a secondary problem.
*HOW TO REPRODUCE*
{code}
/subsystem=elytron/credential-store=cs001:add(uri="cr-store://test/cs/credentialstore.jceks?create=true",
credential-reference={clear-text=pass123}, relative-to="jboss.server.data.dir")
{code}
{code}
/subsystem=elytron/credential-store=cs001/alias=alias001:add(secret-value=secretvalue)
{code}
The credentialstore.jceks file is now persisted on disk under *JBOSS_HOME/standalone/data/cs*.
Remove the write permission from the "cs" folder:
{code}
chmod g-w cs
chmod u-w cs
{code}
Try to add another entry to the credential store:
{code}
/subsystem=elytron/credential-store=cs001/alias=alias002:add(secret-value=secretvalue)
{
"outcome" => "failed",
"failure-description" => "WFLYELY00009: Unable to complete
operation. 'ELY09525: Unable to flush credential store to storage'",
"rolled-back" => true
}
{code}
The operation fails with the error message shown above.
Now list all aliases in the credential store:
{code}
/subsystem=elytron/credential-store=cs001:read-children-names(child-type=alias)
{
"outcome" => "success",
"result" => [
"alias001",
"alias002"
]
}
{code}
The non-persisted "alias002" is listed too.
*Now we check the aliases in the persisted file:*
{code}
reload
{code}
There is no alias "alias002" after the reload:
{code}
/subsystem=elytron/credential-store=cs001:read-children-names(child-type=alias)
{
"outcome" => "success",
"result" => ["alias001"]
}
{code}
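The defect pattern this report describes, next to the commit-after-flush ordering it asks for, as an added illustration that is not Elytron's code: a toy store where the JCEKS keystore is replaced by a JSON file and the read-only "cs" directory by an injected flush failure (both constructed for the example).

```python
import json
import os
import tempfile


class NaiveCredentialStore:
    """Defective ordering: the alias lands in memory before the flush succeeds."""

    def __init__(self, persist):
        self._persist = persist       # callable(dict) that writes to storage or raises
        self._aliases = {}

    def add_alias(self, alias, secret):
        self._aliases[alias] = secret
        self._persist(self._aliases)  # if this raises, the alias stays in memory

    def aliases(self):
        return sorted(self._aliases)


class ConsistentCredentialStore(NaiveCredentialStore):
    """Fixed ordering: flush a candidate state, commit to memory only afterwards."""

    def add_alias(self, alias, secret):
        candidate = dict(self._aliases)
        candidate[alias] = secret
        self._persist(candidate)      # raises -> in-memory map is untouched
        self._aliases = candidate


def file_persist(path):
    """Write to a temp file and rename so the file on disk is never half written."""
    def persist(aliases):
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(aliases, f)     # stand-in for KeyStore.store(); not a real keystore
        os.replace(tmp, path)
    return persist


def run_scenario(store_cls):
    """Replay the report: add alias001, make storage read-only, add alias002, reload."""
    with tempfile.TemporaryDirectory() as data_dir:
        path = os.path.join(data_dir, "credentialstore.json")
        read_only = False
        real_persist = file_persist(path)

        def persist(aliases):
            if read_only:             # simulated 'chmod u-w cs'
                raise PermissionError("unable to flush credential store to storage")
            real_persist(aliases)

        store = store_cls(persist)
        store.add_alias("alias001", "secretvalue")
        read_only = True
        try:
            store.add_alias("alias002", "secretvalue")
        except PermissionError:
            pass                      # the CLI reports this as failed / rolled-back
        with open(path) as f:
            persisted = sorted(json.load(f))  # what the store shows after 'reload'
        return store.aliases(), persisted
```

`run_scenario` returns the in-memory alias list and the persisted one; with the naive ordering they differ exactly as in the report, with the consistent ordering they match.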