[ELY-2813] Do not decode URI for processing

.github/workflows/pr-ci.yaml

@@ -15,12 +15,13 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
+        java: ['11', '17', '21']
     steps:
       - uses: actions/checkout@v2
-      - name: Set up JDK 11
+      - name: Set up JDK ${{ matrix.java }}
         uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: ${{ matrix.java }}
       # ELY-2204 - Temporarily preventing OidcTest from running on macOS since there
       # are intermittent issues with starting up the Docker container.
       #- if: matrix.os == 'macos-latest'

.gitignore

@@ -20,6 +20,8 @@ target
 nbactions.xml
 nb-configuration.xml
 catalog.xml
+# Ignore VSCode Files
+.vscode
 #
 maven-ant-tasks.jar
 test-output

CONTRIBUTING.md

@@ -81,6 +81,8 @@ To run only a specific test, use:
 ```bash
 mvn clean install -Dtest=TestClassName
 ```
+Note: Some tests will fail if `localhost` is not listed first in `/etc/hosts` file for the loopback addresses (IPv4 and IPv6).
+
 For more information, including details on how WildFly Elytron is integrated in WildFly Core and WildFly, check out our [developer guide](https://wildfly-security.github.io/wildfly-elytron/getting-started-for-developers/).
 
 ## Contributing Guidelines
@@ -95,5 +97,17 @@ When submitting a PR, please keep the following guidelines in mind:
 
 For an example of a properly formatted PR, take a look at https://github.com/wildfly-security/wildfly-elytron/pull/1532
 
+## Code Reviews
+
+All submissions, including submissions by project members, need to be reviewed by at least two WildFly Elytron committers before being merged.
+
+The [GitHub Pull Request Review Process](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews) is followed for every pull request.
+
+## Maintenance Branches
+
+If you are working on a fix that's required for a maintenance branch (e.g., a fix for the 1.15.x or 2.2.x branches), please submit
+your PR directly against the relevant maintenance branch. Once a fix for a maintenance branch is approved and merged, we then
+merge the maintenance branch to the upstream branch to ensure changes are kept in sync.
+
 ## Community
 For more information on how to get involved with WildFly Elytron, check out our [community](https://wildfly-security.github.io/wildfly-elytron/community/) page.

ELY_Messages.txt

@@ -126,7 +126,7 @@
 24000 - 24999    wildfly-elytron-jose-jwk
 25000 - 25999    wildfly-elytron-jose-jws
 26000 - 26999    wildfly-elytron-jose-util
-27000 - 27999
+27000 - 27999    wildfly-elytron-dynamic-ssl
 28000 - 28999
 29000 - 29999
 30000 - 30999

README.md

@@ -29,20 +29,25 @@ $ mvn clean install
 Issue Tracking
 --------------
 
-Bugs and features are tracked within the Elytron Jira project at https://issues.jboss.org/browse/ELY
+Bugs and features are tracked within the Elytron Jira project at https://issues.redhat.com/browse/ELY
 
 Contributions
 -------------
 
-All new features and enhancements should be submitted to 1.x branch only.
-Our [contribution guide](https://github.com/wildfly-security/wildfly-elytron/blob/1.x/CONTRIBUTING.md) will guide you through the steps for getting started on the WildFly Elytron project and will go through how to format and submit your first PR.
+All new features and enhancements should be submitted to 2.x branch only.
+Our [contribution guide](https://github.com/wildfly-security/wildfly-elytron/blob/2.x/CONTRIBUTING.md) will guide you through the steps for getting started on the WildFly Elytron project and will go through how to format and submit your first PR.
 
 For more details, check out our [getting started guide](https://wildfly-security.github.io/wildfly-elytron/getting-started-for-developers/) for developers.
 
+Example Feature Demos
+---------------------
+
+Our [elytron-examples](https://github.com/wildfly-security-incubator/elytron-examples) repository contains example demos of WildFly Elytron features.
+
 Get Help
 --------
 There are a couple ways to get in touch with us.
 
 Feel free to ask questions on the WildFly user [forum](https://groups.google.com/g/wildfly).  
 
-The WildFly Elytron team also has an open chat room where you can listen in and ask questions. Join us on [Zulip chat](https://wildfly.zulipchat.com/#narrow/stream/173102-wildfly-elytron).
+The WildFly Elytron team also has an open chat room where you can listen in and ask questions. Join us on [Zulip chat](https://wildfly.zulipchat.com/#narrow/stream/173102-wildfly-elytron).

SECURITY.md

@@ -1,11 +1,23 @@
-# Security Policy 
-
-## Security Contacts and Procedures
-
-The WildFly Elytron community takes security very seriously, and we aim to take immediate action to address serious security-related problems that involve our products or services.
-
-Please report any suspected security vulnerability in this project to Red Hat Product Security at [email protected]. You can use our GPG key to communicate with us securely.
-
-To report an issue in any Red Hat branded website or online service, please contact Red Hat Information Security at [email protected].
-https://access.redhat.com/security/team/contact
+# Reporting of CVEs and Security Issues
 
+## The WildFly Elytron community and our sponsor, Red Hat, take security bugs very seriously
+
+We aim to take immediate action to address serious security-related problems that involve our projects. 
+
+Note that we will only fix such issues in the most recent minor release of WildFly Elytron.</p>
+
+## Reporting of Security Issues
+
+When reporting a security vulnerability it is important to not accidentally broadcast to the world that the issue exists, as this makes it easier for people to exploit it. The software industry uses the term <a href="https://www.redhat.com/en/blog/security-embargoes-red-hat">embargo</a> to describe the time a security issue is known internally until it is public knowledge.
+
+Our preferred way of reporting security issues in WildFly Elytron and its related projects is listed below.
+
+### Email the mailing list</h2>
+
+The list at <a href="mailto:[email protected]">[email protected]</a> is the preferred mechanism for outside users to report security issues. A member of the WildFly Elytron team will open the required issues.
+
+### Other considerations</h2>
+
+If you would like to work with us on a fix for the security vulnerability, please include your GitHub username in the above email, and we will provide you access to a temporary private fork where we can collaborate on a fix without it being disclosed publicly, **including in your own publicly visible git repository**.
+
+Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly, **including in your own publicly visible git repository**. If you discover any publicly disclosed security vulnerabilities, please notify us immediately through <a href="mailto:[email protected]">[email protected]

asn1/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.7.CR1-SNAPSHOT</version>
+        <version>2.6.1.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

audit/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.7.CR1-SNAPSHOT</version>
+        <version>2.6.1.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

audit/src/main/java/org/wildfly/security/audit/FileAuditEndpoint.java

@@ -70,22 +70,22 @@ public class FileAuditEndpoint implements AuditEndpoint {
     }
 
     void setFile(final File file) throws IOException {
-        boolean ok = false;
+        boolean isFileSet = false;
         final FileOutputStream fos = new FileOutputStream(file, true);
         try {
             final Writer writer = new OutputStreamWriter(new BufferedOutputStream(fos), this.charset);
             try {
                 this.fileDescriptor = fos.getFD();
                 this.writer = writer;
                 this.file = file;
-                ok = true;
+                isFileSet = true;
             } finally {
-                if (! ok) {
+                if (! isFileSet) {
                     safeClose(writer);
                 }
             }
         } finally {
-            if (! ok) {
+            if (! isFileSet) {
                 safeClose(fos);
             }
         }

audit/src/main/java/org/wildfly/security/audit/PeriodicRotatingFileAuditEndpoint.java

@@ -233,9 +233,10 @@ public Builder setSuffix(String suffix) throws IllegalArgumentException {
         public AuditEndpoint build() throws IOException {
             return new PeriodicRotatingFileAuditEndpoint(this);
         }
-    }
 
-    private static <T extends Comparable<? super T>> T min(T a, T b) {
-        return a.compareTo(b) <= 0 ? a : b;
+        private static <T extends Comparable<? super T>> T min(T a, T b) {
+            return a.compareTo(b) <= 0 ? a : b;
+        }
     }
+
 }

audit/src/main/java/org/wildfly/security/audit/SyslogAuditEndpoint.java

@@ -66,7 +66,13 @@ public Integer run() {
      */
     SyslogAuditEndpoint(Builder builder) throws IOException {
         maxReconnectAttempts = builder.maxReconnectAttempts;
-        protocol = builder.ssl ? Protocol.SSL_TCP : builder.tcp ? Protocol.TCP : Protocol.UDP;
+        if (builder.ssl) {
+            protocol = Protocol.SSL_TCP;
+        } else if (builder.tcp) {
+            protocol = Protocol.TCP;
+        } else {
+            protocol = Protocol.UDP;
+        }
         syslogHandler = new SyslogHandler(checkNotNullParam("serverAddress", builder.serverAddress), builder.port, Facility.SECURITY,
                 builder.format, protocol, checkNotNullParam("hostName", builder.hostName));
 

auth/base/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.7.CR1-SNAPSHOT</version>
+        <version>2.6.1.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

auth/base/src/main/java/org/wildfly/security/auth/principal/CompositePrincipal.java

@@ -62,7 +62,13 @@ public CompositePrincipal(Principal... principals) {
     }
 
     private CompositePrincipal(Principal[] principals, boolean clone) {
-        p = principals.length == 0 ? NO_PRINCIPALS : clone ? principals.clone() : principals;
+        if (principals.length == 0) {
+            p = NO_PRINCIPALS;
+        } else if (clone) {
+            p = principals.clone();
+        } else {
+            p = principals;
+        }
         for (int i = 0; i < p.length; i++) {
             Assert.checkNotNullArrayParam("principals", i, p[i]);
         }

auth/client/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.7.CR1-SNAPSHOT</version>
+        <version>2.6.1.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
@@ -60,6 +60,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-mechanism</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-mechanism-gssapi</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-password-impl</artifactId>
@@ -76,7 +80,6 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-ssh-util</artifactId>
         </dependency>
-
         <dependency>
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging-annotations</artifactId>

auth/client/src/main/java/org/wildfly/security/auth/client/ActiveSessionsSSLContext.java

@@ -0,0 +1,33 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2024 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.auth.client;
+
+/**
+ * An interface indicating active sessions of an SSLContext
+ */
+public interface ActiveSessionsSSLContext {
+    /**
+     * Indicates if the SSLContext has active sessions.
+     *
+     * @return true if SSLContext has active sessions. Otherwise, false
+     */
+    default boolean hasActiveSessions() {
+        return false;
+    }
+}

auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContext.java

@@ -361,6 +361,10 @@ public <T, E extends Exception> T runAsSupplierEx(ExceptionSupplier<T, E> action
         return runExFunction(ExceptionSupplier::get, action);
     }
 
+    RuleNode<SecurityFactory<SSLContext>> getSslRules() {
+        return this.sslRules;
+    }
+
     public ContextManager<AuthenticationContext> getInstanceContextManager() {
         return getContextManager();
     }

auth/client/src/main/java/org/wildfly/security/auth/client/AuthenticationContextConfigurationClient.java

@@ -30,7 +30,9 @@
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.Provider;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 import java.util.function.Supplier;
 import java.util.function.UnaryOperator;
 
@@ -196,6 +198,42 @@ private static AuthenticationConfiguration initializeConfiguration(final URI uri
         return configuration;
     }
 
+    /**
+     * Get all SSL contexts configured for this authentication context.
+     *
+     * @param authenticationContext the authentication context to examine (must not be {@code null})
+     * @return List of all configured SSL contexts belonging to the provided authentication context
+     */
+    public List<SSLContext> getConfiguredSSLContexts(AuthenticationContext authenticationContext) throws GeneralSecurityException {
+        Assert.checkNotNullParam("authenticationContext", authenticationContext);
+        List<SSLContext> sslContexts = new ArrayList<>();
+        RuleNode<SecurityFactory<SSLContext>> node = authenticationContext.getSslRules();
+        while (node != null) {
+            sslContexts.add(node.getConfiguration().create());
+            node = node.getNext();
+        }
+        return sslContexts;
+    }
+
+    /**
+     * Get the default SSL context that should be used when no other rules match, or {@link SSLContext#getDefault()} if there is none configured.
+     *
+     * @param authenticationContext the authentication context to examine (must not be {@code null})
+     * @return the default SSL context configured if no other rules match
+     */
+    public SSLContext getDefaultSSLContext(AuthenticationContext authenticationContext) throws GeneralSecurityException {
+        Assert.checkNotNullParam("authenticationContext", authenticationContext);
+        SSLContext defaultSSLContext = null;
+        RuleNode<SecurityFactory<SSLContext>> node = authenticationContext.getSslRules();
+        while (node != null) {
+            if (node.getRule().equals(MatchRule.ALL)) {
+                defaultSSLContext = node.getConfiguration().create();
+            }
+            node = node.getNext();
+        }
+        return defaultSSLContext == null ? SSLContext.getDefault() : defaultSSLContext;
+    }
+
     /**
      * Get the configured SSL context which matches ALL rules from provided AuthenticationContext, or {@link SSLContext#getDefault()} if there is none.
      *