[ELY-2496] Add integrity to existing filesystem realms using Elytron Tool

[jessicarod7]

https://issues.redhat.com/browse/ELY-2496

Commits:

1. The first two commits come from ELY-2514, since the integrity command uses JDK 11 features. First JDK 11 commit removes Java 8 specific classes
2. Second JDK 11 commit replaces with Java 9 specific classes and updates POMs. (dropped from this PR)

1. Moves reused parameters into a common class Params within Command
2. Add hash-charset parameter and test cases to filesystem-realm-encrypt, which was missed in the original PR [ELY-2078] Add encryption support to FileSystemSecurityRealm  #1676
3. EDIT: Updated warning messages in Command.getSecretKey() to be more consistent, and always warn (vs. sometimes crashing from an uncaught exception)
4. Adds new filesystem-realm-integrity command, with support for upgraded encrypted realms
5. Support upgrading realms with integrity enabled in filesystem-realm-encrypt. Also disabled upgrade of empty realms (see below)
6. Add test cases in both commands for filesystem realms with integrity
7. Modified to remove methods which require JDK 11 (see [ELY-2514] Update minimum JDK for all modules to 11 #1880)

Summary of changes:

• Addition of a new command filesystem-realm-integrity to upgrade existing realms to support integrity verification. Requires an non-empty filesystem realm, and a password-protected keystore with a key pair.
  • Supports upgrading encrypted realms
  • Supports in-place realm upgrade (upgraded realm is placed in the same directory)
  • Test cases for all params, with validation of CLI scripts via validateScript method and ScriptParams class
  • Encryption command issues not present in integrity command: ELY-2530, ELY-2536, ELY-2540, ELY-2541, ELY-2542, and ELY-2546
• Update filesystem-realm-encrypt command to support upgrading filesystem realms which already have integrity enabled (Note that encryption command cannot enable integrity, and vice versa)
  • Added missing option hash-charset to encryption command
• Changes for both commands
  • Move static Elytron password/keystore providers, overrideable warning/error handlers, and methods getSecretKey and getKeyPair to Command class
  • Add new method FileSystemRealmUtil.createRealmWithIntegrityValidation() to build new realm; moved shared code between encryption and integrity commands into a private method
  • Empty filesystem realms cannot upgraded by Elytron Tool (the directory is not copied), so instead provides a warning and instructs user to update within management client (see [WFCORE-6129] Unable to add integrity support to existing filesystem realm wildfly/wildfly-core#5411)
• Other
  • Move common parameters and strings across Elytron Tool commands (ex. HELP_PARAM, System.getProperty(“line.separator”)) to new class org.wildfly.security.tool.Command$Params

Also, I've manually imported and tested all of the test case realms with the wildfly/wildfly@784cc50 commit. All identities are readable, and the :verify-integrity CLI command works.

[fjuma]

Instead of catching the NullPointerException here, it would be better to check the return value of credentialStore.retrieve prior to calling getSecretKey. If it's null, we can print the error and return null.

[jessicarod7]

I'll update this and the other section to be similar to getKeyPair. This code was unchanged from the original encrypt command, so I'm not as familiar with the functionality.

[jessicarod7]

@OndrejKotek Noting that I made some changes in response to this, in the new 5th commit

[fjuma]

FYI for other reviewers, this is private API.

[jessicarod7]

Looks like a random failure due to a timeout on the Windows build. Could someone please rerun the CI?

[fjuma]

Thanks, re-triggered it.

[Skyllarr]

@cam-rod LGTM, thanks!

[Skyllarr]

@cam-rod just a minor, we can set status to GENERAL_CONFIGURATION_WARNING here

[jessicarod7]

fixed

[jessicarod7]

turns out this change actually broke a number of tests in FileSystemRealmCommandTest, so I'm reverting it

[Skyllarr]

@cam-rod just a total minor, this line is superfluous since we configured the status to be GENERAL_CONFIGURATION_ERROR at the beginning

[jessicarod7]

fixed in this command and encryption (where I made the same change)

[fjuma]

Thanks @cam-rod!

[fjuma]

@cam-rod Just noticed, we have some CI failures now.

[jessicarod7]

Thanks for the heads up, added some patches for the rebase.

[fjuma]

Thanks @cam-rod!