[KEYCLOAK-12998] Prevent duplicate resources from being added to the keycloak-saml subsystem

sguilhen · hmlnarik · commit 76717134bae8 · 2020-06-23T20:03:36.000+02:00
- Fixes an issue in parser where the closing tag of the IDP element was in the wrong place, which could break the server configuration
 - Parser now checks for duplicates of elements described with maxOccurs=1 in the schema
 - Add handler for SP and IDP now check for existing SPs or IDPs in the config, preventing addition of a duplicate resource via CLI
 - Subsystem test was enhanced so it now tests some invalid configs with duplicate elements
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Configuration.java b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Configuration.java
@@ -16,6 +16,9 @@
  */
 package org.keycloak.subsystem.saml.as7;
 
+import java.util.List;
+
+import org.jboss.as.controller.OperationFailedException;
 import org.jboss.as.server.deployment.DeploymentUnit;
 import org.jboss.as.web.deployment.WarMetaData;
 import org.jboss.dmr.ModelNode;
@@ -34,21 +37,29 @@ public class Configuration {
     private Configuration() {
     }
 
-    void updateModel(ModelNode operation, ModelNode model) {
+    void updateModel(ModelNode operation, ModelNode model) throws OperationFailedException {
+        this.updateModel(operation, model, false);
+    }
+
+    void updateModel(final ModelNode operation, final ModelNode model, final boolean checkSingleton) throws OperationFailedException {
         ModelNode node = config;
-        ModelNode addr = operation.get("address");
-        for (Property item : addr.asPropertyList()) {
-            node = getNodeForAddressElement(node, item);
+
+        final List<Property> addressNodes = operation.get("address").asPropertyList();
+        final int lastIndex = addressNodes.size() - 1;
+        for (int i = 0; i < addressNodes.size(); i++) {
+            Property addressNode = addressNodes.get(i);
+            // if checkSingleton is true, we verify if the key for the last element (e.g. SP or IDP) in the address path is already defined
+            if (i == lastIndex && checkSingleton) {
+                if (node.get(addressNode.getName()).isDefined()) {
+                    // found an existing resource, throw an exception
+                    throw new OperationFailedException("Duplicate resource: " + addressNode.getName());
+                }
+            }
+            node = node.get(addressNode.getName()).get(addressNode.getValue().asString());
         }
         node.set(model);
     }
 
-    private ModelNode getNodeForAddressElement(ModelNode node, Property item) {
-        String key = item.getValue().asString();
-        ModelNode keymodel = node.get(item.getName());
-        return keymodel.get(key);
-    }
-
     public ModelNode getSecureDeployment(DeploymentUnit deploymentUnit) {
         String name = preferredDeploymentName(deploymentUnit);
         ModelNode secureDeployment = config.get("subsystem").get("keycloak-saml").get(Constants.Model.SECURE_DEPLOYMENT);
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderAddHandler.java b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderAddHandler.java
@@ -36,7 +36,7 @@ class IdentityProviderAddHandler extends AbstractAddStepHandler {
 
     @Override
     protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {
-        Configuration.INSTANCE.updateModel(operation, model);
+        Configuration.INSTANCE.updateModel(operation, model, true);
     }
 
     @Override
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemParser.java b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemParser.java
@@ -76,13 +76,19 @@ void readSecureDeployment(XMLExtendedStreamReader reader, List<ModelNode> list)
         ModelNode addSecureDeployment = Util.createAddOperation(addr);
         list.add(addSecureDeployment);
 
+        Set<String> parsedElements = new HashSet<>();
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
             String tagName = reader.getLocalName();
+            if (parsedElements.contains(tagName)) {
+                // all sub-elements of the secure deployment type should occur only once.
+                throw ParseUtils.unexpectedElement(reader);
+            }
             if (tagName.equals(Constants.XML.SERVICE_PROVIDER)) {
                 readServiceProvider(reader, list, addr);
             } else {
                 throw ParseUtils.unexpectedElement(reader);
             }
+            parsedElements.add(tagName);
         }
     }
 
@@ -109,8 +115,13 @@ void readServiceProvider(XMLExtendedStreamReader reader, List<ModelNode> list, P
             attr.parseAndSetParameter(value, addServiceProvider, reader);
         }
 
+        Set parsedElements = new HashSet<>();
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
             String tagName = reader.getLocalName();
+            if (parsedElements.contains(tagName)) {
+                // all sub-elements of the service provider type should occur only once.
+                throw ParseUtils.unexpectedElement(reader);
+            }
 
             if (Constants.XML.KEYS.equals(tagName)) {
                 readKeys(list, reader, addr);
@@ -125,6 +136,7 @@ void readServiceProvider(XMLExtendedStreamReader reader, List<ModelNode> list, P
             } else {
                 throw ParseUtils.unexpectedElement(reader);
             }
+            parsedElements.add(tagName);
         }
     }
 
@@ -152,8 +164,13 @@ void readIdentityProvider(List<ModelNode> list, XMLExtendedStreamReader reader,
             attr.parseAndSetParameter(value, addIdentityProvider, reader);
         }
 
+        Set<String> parsedElements = new HashSet<>();
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
             String tagName = reader.getLocalName();
+            if (parsedElements.contains(tagName)) {
+                // all sub-elements of the identity provider type should occur only once.
+                throw ParseUtils.unexpectedElement(reader);
+            }
 
             if (Constants.XML.SINGLE_SIGN_ON.equals(tagName)) {
                 readSingleSignOn(addIdentityProvider, reader);
@@ -168,6 +185,7 @@ void readIdentityProvider(List<ModelNode> list, XMLExtendedStreamReader reader,
             } else {
                 throw ParseUtils.unexpectedElement(reader);
             }
+            parsedElements.add(tagName);
         }
     }
 
@@ -265,8 +283,13 @@ void readKey(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress p
             attr.parseAndSetParameter(value, addKey, reader);
         }
 
+        Set<String> parsedElements = new HashSet<>();
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
             String tagName = reader.getLocalName();
+            if (parsedElements.contains(tagName)) {
+                // all sub-elements of the key type should occur only once.
+                throw ParseUtils.unexpectedElement(reader);
+            }
 
             if (Constants.XML.KEY_STORE.equals(tagName)) {
                 readKeyStore(addKey, reader);
@@ -278,6 +301,7 @@ void readKey(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress p
             } else {
                 throw ParseUtils.unexpectedElement(reader);
             }
+            parsedElements.add(tagName);
         }
     }
 
@@ -308,15 +332,21 @@ void readKeyStore(ModelNode addKey, XMLExtendedStreamReader reader) throws XMLSt
             throw ParseUtils.missingRequired(reader, asSet(Constants.XML.PASSWORD));
         }
 
+        Set<String> parsedElements = new HashSet<>();
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
             String tagName = reader.getLocalName();
+            if (parsedElements.contains(tagName)) {
+                // all sub-elements of the keystore type should occur only once.
+                throw ParseUtils.unexpectedElement(reader);
+            }
             if (Constants.XML.PRIVATE_KEY.equals(tagName)) {
                 readPrivateKey(reader, addKeyStore);
             } else if (Constants.XML.CERTIFICATE.equals(tagName)) {
                 readCertificate(reader, addKeyStore);
             } else {
                 throw ParseUtils.unexpectedElement(reader);
             }
+            parsedElements.add(tagName);
         }
     }
 
@@ -500,8 +530,8 @@ void writeIdentityProvider(XMLExtendedStreamWriter writer, ModelNode model) thro
             writeKeys(writer, idpAttributes.get(Constants.Model.KEY));
             writeHttpClient(writer, idpAttributes.get(Constants.Model.HTTP_CLIENT));
             writeAllowedClockSkew(writer, idpAttributes.get(Constants.Model.ALLOWED_CLOCK_SKEW));
+            writer.writeEndElement();
         }
-        writer.writeEndElement();
     }
 
     void writeSingleSignOn(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
diff --git a/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderAddHandler.java b/adapters/saml/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderAddHandler.java
@@ -38,7 +38,7 @@ class ServiceProviderAddHandler extends AbstractAddStepHandler {
 
     @Override
     protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {
-        Configuration.INSTANCE.updateModel(operation, model);
+        Configuration.INSTANCE.updateModel(operation, model, true);
     }
 
     @Override
diff --git a/adapters/saml/as7-eap6/subsystem/src/test/java/org/keycloak/subsystem/saml/as7/SubsystemParsingTestCase.java b/adapters/saml/as7-eap6/subsystem/src/test/java/org/keycloak/subsystem/saml/as7/SubsystemParsingTestCase.java
@@ -17,8 +17,34 @@
 package org.keycloak.subsystem.saml.as7;
 
 import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
 
 import org.jboss.as.subsystem.test.AbstractSubsystemBaseTest;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 
 /**
@@ -28,12 +54,118 @@
  */
 public class SubsystemParsingTestCase extends AbstractSubsystemBaseTest {
 
+    private String subsystemXml = null;
+
+    private String subsystemTemplate = null;
+
+    private Document document = null;
+
+    @Rule
+    public final ExpectedException exception = ExpectedException.none();
+
     public SubsystemParsingTestCase() {
         super(KeycloakSamlExtension.SUBSYSTEM_NAME, new KeycloakSamlExtension());
     }
 
     @Override
     protected String getSubsystemXml() throws IOException {
-        return readResource("keycloak-saml-1.3.xml");
+        return this.subsystemXml;
+    }
+
+    @Before
+    public void initialize() throws IOException {
+        this.subsystemTemplate = readResource("keycloak-saml-1.3.xml");
+        try {
+            DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            this.document = builder.parse(new InputSource(new StringReader(this.subsystemTemplate)));
+        } catch (ParserConfigurationException | SAXException e) {
+            throw new IOException(e);
+        }
+    }
+
+    private void buildSubsystemXml(final Element element, final String expression) throws IOException {
+        if (element != null) {
+            try {
+                // locate the element and insert the node
+                XPath xPath = XPathFactory.newInstance().newXPath();
+                NodeList nodeList = (NodeList) xPath.compile(expression).evaluate(this.document, XPathConstants.NODESET);
+                nodeList.item(0).appendChild(element);
+                // transform again to XML
+                TransformerFactory tf = TransformerFactory.newInstance();
+                Transformer transformer = tf.newTransformer();
+                transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
+                StringWriter writer = new StringWriter();
+                transformer.transform(new DOMSource(this.document), new StreamResult(writer));
+                this.subsystemXml = writer.getBuffer().toString();
+            } catch(TransformerException | XPathExpressionException e) {
+                throw new IOException(e);
+            }
+        } else {
+            this.subsystemXml = this.subsystemTemplate;
+        }
+    }
+
+    @Override
+    public void testSubsystem() throws Exception {
+        this.buildSubsystemXml(null, null);
+        super.testSubsystem();
+    }
+
+    @Test
+    public void testDuplicateServiceProviders() throws Exception {
+        // create a simple service provider element.
+        Element spElement = this.document.createElement(Constants.XML.SERVICE_PROVIDER);
+        spElement.setAttribute(Constants.XML.ENTITY_ID, "duplicate-sp");
+        this.buildSubsystemXml(spElement, "/subsystem/secure-deployment[1]");
+
+        this.exception.expect(XMLStreamException.class);
+        this.exception.expectMessage("JBAS014789: Unexpected element");
+        super.testSubsystem();
+    }
+
+    @Test
+    public void testDuplicateIdentityProviders() throws Exception {
+        // create a duplicate identity provider element.
+        Element idpElement = this.document.createElement(Constants.XML.IDENTITY_PROVIDER);
+        idpElement.setAttribute(Constants.XML.ENTITY_ID, "test-idp");
+        Element singleSignOn = this.document.createElement(Constants.XML.SINGLE_SIGN_ON);
+        singleSignOn.setAttribute(Constants.XML.BINDING_URL, "https://localhost:7887");
+        Element singleLogout = this.document.createElement(Constants.XML.SINGLE_LOGOUT);
+        singleLogout.setAttribute(Constants.XML.POST_BINDING_URL, "httpsL//localhost:8998");
+        idpElement.appendChild(singleSignOn);
+        idpElement.appendChild(singleLogout);
+        this.buildSubsystemXml(idpElement, "/subsystem/secure-deployment[1]/SP");
+
+        this.exception.expect(XMLStreamException.class);
+        this.exception.expectMessage("JBAS014789: Unexpected element");
+        super.testSubsystem();
+    }
+
+    @Test
+    public void testDuplicateKeysInSP() throws Exception {
+        Element keysElement = this.document.createElement(Constants.XML.KEYS);
+        Element keyElement = this.document.createElement(Constants.XML.KEY);
+        keyElement.setAttribute(Constants.XML.ENCRYPTION, "false");
+        keyElement.setAttribute(Constants.XML.SIGNING, "false");
+        keysElement.appendChild(keyElement);
+        this.buildSubsystemXml(keysElement, "/subsystem/secure-deployment[1]/SP");
+
+        this.exception.expect(XMLStreamException.class);
+        this.exception.expectMessage("JBAS014789: Unexpected element");
+        super.testSubsystem();
+    }
+
+    @Test
+    public void testDuplicateKeysInIDP() throws Exception {
+        Element keysElement = this.document.createElement(Constants.XML.KEYS);
+        Element keyElement = this.document.createElement(Constants.XML.KEY);
+        keyElement.setAttribute(Constants.XML.ENCRYPTION, "false");
+        keyElement.setAttribute(Constants.XML.SIGNING, "false");
+        keysElement.appendChild(keyElement);
+        this.buildSubsystemXml(keysElement, "/subsystem/secure-deployment[1]/SP/IDP");
+
+        this.exception.expect(XMLStreamException.class);
+        this.exception.expectMessage("JBAS014789: Unexpected element");
+        super.testSubsystem();
     }
 }
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/Configuration.java b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/Configuration.java
@@ -16,6 +16,9 @@
  */
 package org.keycloak.subsystem.adapter.saml.extension;
 
+import java.util.List;
+
+import org.jboss.as.controller.OperationFailedException;
 import org.jboss.as.server.deployment.DeploymentUnit;
 import org.jboss.as.web.common.WarMetaData;
 import org.jboss.dmr.ModelNode;
@@ -34,21 +37,29 @@ public class Configuration {
     private Configuration() {
     }
 
-    void updateModel(ModelNode operation, ModelNode model) {
+    void updateModel(ModelNode operation, ModelNode model) throws OperationFailedException {
+        this.updateModel(operation, model, false);
+    }
+
+    void updateModel(final ModelNode operation, final ModelNode model, final boolean checkSingleton) throws OperationFailedException {
         ModelNode node = config;
-        ModelNode addr = operation.get("address");
-        for (Property item : addr.asPropertyList()) {
-            node = getNodeForAddressElement(node, item);
+
+        final List<Property> addressNodes = operation.get("address").asPropertyList();
+        final int lastIndex = addressNodes.size() - 1;
+        for (int i = 0; i < addressNodes.size(); i++) {
+            Property addressNode = addressNodes.get(i);
+            // if checkSingleton is true, we verify if the key for the last element (e.g. SP or IDP) in the address path is already defined
+            if (i == lastIndex && checkSingleton) {
+                if (node.get(addressNode.getName()).isDefined()) {
+                    // found an existing resource, throw an exception
+                    throw new OperationFailedException("Duplicate resource: " + addressNode.getName());
+                }
+            }
+            node = node.get(addressNode.getName()).get(addressNode.getValue().asString());
         }
         node.set(model);
     }
 
-    private ModelNode getNodeForAddressElement(ModelNode node, Property item) {
-        String key = item.getValue().asString();
-        ModelNode keymodel = node.get(item.getName());
-        return keymodel.get(key);
-    }
-
     public ModelNode getSecureDeployment(DeploymentUnit deploymentUnit) {
         String name = preferredDeploymentName(deploymentUnit);
         ModelNode secureDeployment = config.get("subsystem").get("keycloak-saml").get(Constants.Model.SECURE_DEPLOYMENT);
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/IdentityProviderAddHandler.java b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/IdentityProviderAddHandler.java
@@ -32,6 +32,6 @@ class IdentityProviderAddHandler extends AbstractAddStepHandler {
 
     @Override
     protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
-        Configuration.INSTANCE.updateModel(operation, model);
+        Configuration.INSTANCE.updateModel(operation, model, true);
     }
 }
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/KeycloakSubsystemParser.java b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/KeycloakSubsystemParser.java
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/ServiceProviderAddHandler.java b/adapters/saml/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/saml/extension/ServiceProviderAddHandler.java
diff --git a/adapters/saml/wildfly/wildfly-subsystem/src/test/java/org/keycloak/subsystem/adapter/saml/extension/SubsystemParsingTestCase.java b/adapters/saml/wildfly/wildfly-subsystem/src/test/java/org/keycloak/subsystem/adapter/saml/extension/SubsystemParsingTestCase.java

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ class IdentityProviderAddHandler extends AbstractAddStepHandler {`
`36`	`36`
`37`	`37`	`@Override`
`38`	`38`	`protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {`
`39`		`- Configuration.INSTANCE.updateModel(operation, model);`
	`39`	`+ Configuration.INSTANCE.updateModel(operation, model, true);`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -76,13 +76,19 @@ void readSecureDeployment(XMLExtendedStreamReader reader, List<ModelNode> list)`
`76`	`76`	`ModelNode addSecureDeployment = Util.createAddOperation(addr);`
`77`	`77`	`list.add(addSecureDeployment);`
`78`	`78`
	`79`	`+ Set<String> parsedElements = new HashSet<>();`
`79`	`80`	`while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {`
`80`	`81`	`String tagName = reader.getLocalName();`
	`82`	`+ if (parsedElements.contains(tagName)) {`
	`83`	`+ // all sub-elements of the secure deployment type should occur only once.`
	`84`	`+ throw ParseUtils.unexpectedElement(reader);`
	`85`	`+ }`
`81`	`86`	`if (tagName.equals(Constants.XML.SERVICE_PROVIDER)) {`
`82`	`87`	`readServiceProvider(reader, list, addr);`
`83`	`88`	`} else {`
`84`	`89`	`throw ParseUtils.unexpectedElement(reader);`
`85`	`90`	`}`
	`91`	`+ parsedElements.add(tagName);`
`86`	`92`	`}`
`87`	`93`	`}`
`88`	`94`
`@@ -109,8 +115,13 @@ void readServiceProvider(XMLExtendedStreamReader reader, List<ModelNode> list, P`
`109`	`115`	`attr.parseAndSetParameter(value, addServiceProvider, reader);`
`110`	`116`	`}`
`111`	`117`
	`118`	`+ Set parsedElements = new HashSet<>();`
`112`	`119`	`while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {`
`113`	`120`	`String tagName = reader.getLocalName();`
	`121`	`+ if (parsedElements.contains(tagName)) {`
	`122`	`+ // all sub-elements of the service provider type should occur only once.`
	`123`	`+ throw ParseUtils.unexpectedElement(reader);`
	`124`	`+ }`
`114`	`125`
`115`	`126`	`if (Constants.XML.KEYS.equals(tagName)) {`
`116`	`127`	`readKeys(list, reader, addr);`
`@@ -125,6 +136,7 @@ void readServiceProvider(XMLExtendedStreamReader reader, List<ModelNode> list, P`
`125`	`136`	`} else {`
`126`	`137`	`throw ParseUtils.unexpectedElement(reader);`
`127`	`138`	`}`
	`139`	`+ parsedElements.add(tagName);`
`128`	`140`	`}`
`129`	`141`	`}`
`130`	`142`
`@@ -152,8 +164,13 @@ void readIdentityProvider(List<ModelNode> list, XMLExtendedStreamReader reader,`
`152`	`164`	`attr.parseAndSetParameter(value, addIdentityProvider, reader);`
`153`	`165`	`}`
`154`	`166`
	`167`	`+ Set<String> parsedElements = new HashSet<>();`
`155`	`168`	`while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {`
`156`	`169`	`String tagName = reader.getLocalName();`
	`170`	`+ if (parsedElements.contains(tagName)) {`
	`171`	`+ // all sub-elements of the identity provider type should occur only once.`
	`172`	`+ throw ParseUtils.unexpectedElement(reader);`
	`173`	`+ }`
`157`	`174`
`158`	`175`	`if (Constants.XML.SINGLE_SIGN_ON.equals(tagName)) {`
`159`	`176`	`readSingleSignOn(addIdentityProvider, reader);`
`@@ -168,6 +185,7 @@ void readIdentityProvider(List<ModelNode> list, XMLExtendedStreamReader reader,`
`168`	`185`	`} else {`
`169`	`186`	`throw ParseUtils.unexpectedElement(reader);`
`170`	`187`	`}`
	`188`	`+ parsedElements.add(tagName);`
`171`	`189`	`}`
`172`	`190`	`}`
`173`	`191`
`@@ -265,8 +283,13 @@ void readKey(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress p`
`265`	`283`	`attr.parseAndSetParameter(value, addKey, reader);`
`266`	`284`	`}`
`267`	`285`
	`286`	`+ Set<String> parsedElements = new HashSet<>();`
`268`	`287`	`while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {`
`269`	`288`	`String tagName = reader.getLocalName();`
	`289`	`+ if (parsedElements.contains(tagName)) {`
	`290`	`+ // all sub-elements of the key type should occur only once.`
	`291`	`+ throw ParseUtils.unexpectedElement(reader);`
	`292`	`+ }`
`270`	`293`
`271`	`294`	`if (Constants.XML.KEY_STORE.equals(tagName)) {`
`272`	`295`	`readKeyStore(addKey, reader);`
`@@ -278,6 +301,7 @@ void readKey(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress p`
`278`	`301`	`} else {`
`279`	`302`	`throw ParseUtils.unexpectedElement(reader);`
`280`	`303`	`}`
	`304`	`+ parsedElements.add(tagName);`
`281`	`305`	`}`
`282`	`306`	`}`
`283`	`307`
`@@ -308,15 +332,21 @@ void readKeyStore(ModelNode addKey, XMLExtendedStreamReader reader) throws XMLSt`
`308`	`332`	`throw ParseUtils.missingRequired(reader, asSet(Constants.XML.PASSWORD));`
`309`	`333`	`}`
`310`	`334`
	`335`	`+ Set<String> parsedElements = new HashSet<>();`
`311`	`336`	`while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {`
`312`	`337`	`String tagName = reader.getLocalName();`
	`338`	`+ if (parsedElements.contains(tagName)) {`
	`339`	`+ // all sub-elements of the keystore type should occur only once.`
	`340`	`+ throw ParseUtils.unexpectedElement(reader);`
	`341`	`+ }`
`313`	`342`	`if (Constants.XML.PRIVATE_KEY.equals(tagName)) {`
`314`	`343`	`readPrivateKey(reader, addKeyStore);`
`315`	`344`	`} else if (Constants.XML.CERTIFICATE.equals(tagName)) {`
`316`	`345`	`readCertificate(reader, addKeyStore);`
`317`	`346`	`} else {`
`318`	`347`	`throw ParseUtils.unexpectedElement(reader);`
`319`	`348`	`}`
	`349`	`+ parsedElements.add(tagName);`
`320`	`350`	`}`
`321`	`351`	`}`
`322`	`352`
`@@ -500,8 +530,8 @@ void writeIdentityProvider(XMLExtendedStreamWriter writer, ModelNode model) thro`
`500`	`530`	`writeKeys(writer, idpAttributes.get(Constants.Model.KEY));`
`501`	`531`	`writeHttpClient(writer, idpAttributes.get(Constants.Model.HTTP_CLIENT));`
`502`	`532`	`writeAllowedClockSkew(writer, idpAttributes.get(Constants.Model.ALLOWED_CLOCK_SKEW));`
	`533`	`+ writer.writeEndElement();`
`503`	`534`	`}`
`504`		`- writer.writeEndElement();`
`505`	`535`	`}`
`506`	`536`
`507`	`537`	`void writeSingleSignOn(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ class ServiceProviderAddHandler extends AbstractAddStepHandler {`
`38`	`38`
`39`	`39`	`@Override`
`40`	`40`	`protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {`
`41`		`- Configuration.INSTANCE.updateModel(operation, model);`
	`41`	`+ Configuration.INSTANCE.updateModel(operation, model, true);`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,6 @@ class IdentityProviderAddHandler extends AbstractAddStepHandler {`
`32`	`32`
`33`	`33`	`@Override`
`34`	`34`	`protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {`
`35`		`- Configuration.INSTANCE.updateModel(operation, model);`
	`35`	`+ Configuration.INSTANCE.updateModel(operation, model, true);`
`36`	`36`	`}`
`37`	`37`	`}`