[jboss-jira] [JBoss JIRA] (WFCORE-2199) RuntimeExpressionResolver does not fail upon seeing a vault expression if no VaultReader is present
Brian Stansberry (JIRA)
issues at jboss.org
Mon Jan 16 15:17:00 EST 2017
[ https://issues.jboss.org/browse/WFCORE-2199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13348968#comment-13348968 ]
Brian Stansberry commented on WFCORE-2199:
------------------------------------------
We can't test WFCORE-2199 without a fix for the testsuite problem WFCORE-2198 aims at. I originally tried to fix it as part of WFCORE-2182 but the testsuite won't pass with the change because it has tests that assume a vault expression will resolve, not realizing that with PicketBox not in place they do resolve, but not correctly. The tests are not concerned with correct resolution, just whether RBAC allows the ops to succeed or fail, and this change will make the ops fail for non-RBAC reasons. See VaultExpressionSensitivityTestCase.
> RuntimeExpressionResolver does not fail upon seeing a vault expression if no VaultReader is present
> ---------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2199
> URL: https://issues.jboss.org/browse/WFCORE-2199
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Reporter: Brian Stansberry
> Assignee: Brian Stansberry
> Priority: Minor
>
> If the server is unable to instantiate RuntimeVaultReader, which will be the case for the WildFly Core dist as it doesn't package the org.picketbox module needed by RuntimeVaultReader, then RuntimeExpressionResolver will ignore vault expressions, allowing the superclass to take over and process them. This will be done incorrectly, as the superclass will treat the first ':' in the vault expression as the delimiter between a system property name and the default value, resolving the expression to everything after that first ':'. So
> ${VAULT::datasources::password::123AB45CD}
> resolves to
> :datasources::password::123AB45CD
> Minor as the resolved value is unlikely to be useful, so there will be a failure.
> Possibly could be treated as an Enhancement.
> Fix would be for RuntimeExpressionResolver to check for the vault expression pattern and throw NoSuchItemException if found and no VaultReader is available.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
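
The mis-resolution and the proposed fail-closed check described in the issue, as an added example that is not part of the original message and is not WildFly Core source. The class name, method names, regular expressions and the local NoSuchItemException are stand-ins assumed for illustration; only the sample expression and its resolved value come from the issue.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model, not WildFly source: all names below are hypothetical stand-ins.
public class VaultExpressionDemo {
    // Assumed vault pattern: "VAULT" followed by three "::"-separated fields, as in the issue's example.
    static final Pattern VAULT = Pattern.compile("\\$\\{VAULT::.*::.*::.*\\}");
    // Generic ${name:default} form: everything after the first ':' is the default value.
    static final Pattern EXPR = Pattern.compile("\\$\\{([^:}]+)(?::([^}]*))?\\}");

    /** Local stand-in for the NoSuchItemException named in the issue. */
    static class NoSuchItemException extends RuntimeException {
        NoSuchItemException(String msg) { super(msg); }
    }

    /** Superclass-style resolution: split at the first ':' into property name and default. */
    static String resolveGeneric(String expr, Map<String, String> props) {
        Matcher m = EXPR.matcher(expr);
        if (!m.matches()) return expr;                 // not an expression, return as-is
        String value = props.get(m.group(1));
        if (value != null) return value;
        if (m.group(2) == null) throw new NoSuchItemException("no value for " + m.group(1));
        return m.group(2);                             // falls back to the "default"
    }

    /** Proposed behaviour: reject a vault expression when no vault reader is available. */
    static String resolveStrict(String expr, Map<String, String> props, boolean vaultReaderAvailable) {
        if (!vaultReaderAvailable && VAULT.matcher(expr).matches()) {
            throw new NoSuchItemException("vault expression but no vault reader: " + expr);
        }
        // With a reader present the real resolver would delegate to it; that path is omitted here.
        return resolveGeneric(expr, props);
    }

    public static void main(String[] args) {
        String expr = "${VAULT::datasources::password::123AB45CD}";  // sample from the issue
        // Without the check, "VAULT" is treated as a property name and the rest as its default.
        System.out.println("generic: " + resolveGeneric(expr, Map.of()));
        try {
            resolveStrict(expr, Map.of(), false);
        } catch (NoSuchItemException e) {
            System.out.println("strict:  rejected, " + e.getMessage());
        }
    }
}
```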