Bug 1150639

Summary: Class-name/code attributes cause conflicts in PicketLink IDM subsystem
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: FIlip Bogyai <fbogyai>
Component: PicketLink
Assignee: Pedro Igor <psilva>
Status: CLOSED CURRENTRELEASE
QA Contact: Jitka Kozana <jkudrnac>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.4.0
CC: anmiller, bdawidow, jkudrnac, kkhan, psilva
Target Milestone: DR7
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1151002
Environment:
Last Closed: 2019-08-19 12:45:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1151002

Description FIlip Bogyai 2014-10-08 14:54:13 UTC
While configuring the PicketLink IDM subsystem with the CLI, some problematic attributes were found that cause conflicts.

According to the XSD schema wildfly-picketlink-idm_1_0.xsd, these XML elements have attributes "code" and "class-name" which both define their class name:

supported-type, credential-handler, mapping

These attributes can be used at the same time, which allows the user to define a different code and class-name. Consider the following CLI example:

/subsystem=picketlink-identity-management/partition-manager=example/identity-configuration=test/jpa-store=jpa-store/supported-types=supported-types/supported-type=example:add(code=Role, class-name=org.picketlink.Group)

which creates the following element in configuration:
<supported-type class-name="org.picketlink.Group" code="Role"/>

It is confusing whether Group or Role will be used. Would it be possible to use the same approach as is used in the security subsystem for login-modules, via a single "code" attribute? It would then be consistent across the server configuration. The existing "code" attribute is already able to work with a type alias or the FQN of a type, so "class-name" is not needed.

Furthermore, while adding the listed elements with the CLI, two or more elements with different names in the path but the same value in the "code" attribute can be added, which cannot be parsed after server reload. The code attribute should be validated so that duplicates cannot be added. Similar validation also exists in the Federation subsystem for handlers of the identity-provider.

e.g. CLI commands for adding supported-type elements with the same code attribute:

/subsystem=picketlink-identity-management/partition-manager=test/identity-configuration=example/jpa-store=jpa-store/supported-types=supported-types/supported-type=test1:add(code=User)

/subsystem=picketlink-identity-management/partition-manager=test/identity-configuration=example/jpa-store=jpa-store/supported-types=supported-types/supported-type=test2:add(code=User)

Comment 1 JBoss JIRA Server 2014-10-14 13:01:22 UTC
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Resolved

Comment 2 JBoss JIRA Server 2014-10-14 13:26:48 UTC
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Reopened

Comment 3 Pedro Igor 2014-10-17 15:27:19 UTC
https://github.com/jbossas/jboss-eap/pull/1810

Comment 4 JBoss JIRA Server 2014-10-17 18:38:36 UTC
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Resolved

Comment 5 JBoss JIRA Server 2014-10-22 09:08:06 UTC
Ondrej Lukas <olukas> updated the status of jira EAP6-182 to Reopened

Comment 6 FIlip Bogyai 2014-10-22 12:49:29 UTC
Verification failed in EAP 6.4.0.DR6. 

Correctly fixed: 
- only one of code or class-name can be set

But there are still scenarios which allow invalid configuration:

- an element with the same code attribute as another element can be added
- an element with the same class-name attribute as another element can be added
- an element whose code attribute value is the same as another element's class-name attribute value can be added

There should be a check that the same code/class-name has not already been added, to avoid duplicates, which lead to an Exception after server restart. Consider running the following CLI commands:

/subsystem=picketlink-identity-management/partition-manager=test/identity-configuration=example/jpa-store=jpa-store/supported-types=supported-types/supported-type=test1:add(code=User)

/subsystem=picketlink-identity-management/partition-manager=test/identity-configuration=example/jpa-store=jpa-store/supported-types=supported-types/supported-type=test2:add(code=User)

reload -> failure

If the server is restarted after these commands, it leads to an Exception during server boot and the server does not start.

There are 3 elements in IDM subsystem which are affected by this issue: supported-type, credential-handler, mapping

Also please fix the documentation of the code attribute for these elements in the XSD (wildfly-picketlink-idm_1_0.xsd). The current implementation does not support an FQN in the code attribute.
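The description and Comment 6 together list four ways the IDM subsystem configuration could be left in a state that fails to parse on reload: code and class-name both set on one element, the same code on two sibling elements, the same class-name on two siblings, and a code value equal to a sibling's class-name. The script below is an added example, not the subsystem's own validation nor the fix from the linked pull requests: it is a pre-flight check that a practitioner could run over a standalone.xml before reloading, implementing exactly those four rules for the three affected elements (supported-type, credential-handler, mapping). The sample XML is constructed from the CLI commands on this page; the `name` attribute is assumed to mirror the CLI resource address and is used only for reporting.

```python
import xml.etree.ElementTree as ET

# XML element names this bug reports as affected (description and Comment 6).
AFFECTED_ELEMENTS = ("supported-type", "credential-handler", "mapping")

# Constructed sample, not from a real standalone.xml: the <supported-types>
# block the CLI commands on this page would produce, plus one element whose
# code equals another element's class-name (third scenario of Comment 6).
# The "name" attribute is an assumption mirroring the CLI resource address.
SAMPLE_XML = """<supported-types>
  <supported-type name="example" class-name="org.picketlink.Group" code="Role"/>
  <supported-type name="test1" code="User"/>
  <supported-type name="test2" code="User"/>
  <supported-type name="test3" code="org.picketlink.Group"/>
</supported-types>"""

# Constructed sample that passes every check.
CLEAN_XML = """<supported-types>
  <supported-type name="users" code="User"/>
  <supported-type name="roles" code="Role"/>
</supported-types>"""


def _local_name(tag):
    """Drop an XML namespace prefix ({urn:...}supported-type -> supported-type)."""
    return tag.split("}", 1)[-1]


def validate_identifiers(xml_text):
    """Return a list of problems found in the fragment; an empty list means clean.

    Per parent element, checks the both-attributes case from the description
    and the three duplicate scenarios from Comment 6. The duplicate checks
    share one lookup table, so a code value that equals a sibling's
    class-name value is reported just like a repeated code.
    """
    root = ET.fromstring(xml_text)
    problems = []
    for parent in root.iter():
        seen = {}  # identifier value -> where it was first declared
        for child in parent:
            tag = _local_name(child.tag)
            if tag not in AFFECTED_ELEMENTS:
                continue
            label = "<%s name=%r>" % (tag, child.get("name", "?"))
            code = child.get("code")
            class_name = child.get("class-name")
            if code is not None and class_name is not None:
                problems.append("%s: both code=%r and class-name=%r are set; use only one"
                                % (label, code, class_name))
            for attr, value in (("code", code), ("class-name", class_name)):
                if value is None:
                    continue
                if value in seen:
                    problems.append("%s: %s=%r duplicates %s"
                                    % (label, attr, value, seen[value]))
                else:
                    seen[value] = "%s=%r on %s" % (attr, value, label)
    return problems


def validate_file(path):
    """Run the same checks over a whole configuration file, e.g. standalone.xml."""
    with open(path, encoding="utf-8") as fh:
        return validate_identifiers(fh.read())


if __name__ == "__main__":
    for problem in validate_identifiers(SAMPLE_XML):
        print(problem)
```

Run against the constructed sample it reports three problems (the both-attributes case on "example", the repeated code on "test2", and the code on "test3" colliding with the class-name on "example"), and nothing for the clean sample. Because duplicates are only checked among siblings of the same parent, a code reused in a different identity-configuration is not flagged, which matches the per-store scope of the CLI paths on this page.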

Comment 7 Pedro Igor 2014-10-22 18:10:08 UTC
https://github.com/jbossas/jboss-eap/pull/1838

Comment 8 FIlip Bogyai 2014-11-03 13:49:36 UTC
Verified in EAP 6.4.0.DR7

Comment 9 JBoss JIRA Server 2014-11-05 07:05:36 UTC
Rostislav Svoboda <rsvoboda> updated the status of jira EAP6-182 to Resolved

Comment 12 JBoss JIRA Server 2016-03-17 08:36:18 UTC
Pedro Igor <pigor.craveiro> updated the status of jira WFLY-3978 to Resolved