authorMartin Ritchie <ritchiem@apache.org>2007-04-12 07:16:54 +0000
committerMartin Ritchie <ritchiem@apache.org>2007-04-12 07:16:54 +0000
commit281991ecab49f742cf7c433633e9c0c509f58cef (patch)
tree06b85bbf8d3ab79d3f4cdfd89f4d5fc484ff13a4
parent8fed3dc61e5b0f760fbbbf81c72bbf9d0811d3d5 (diff)
downloadqpid-python-281991ecab49f742cf7c433633e9c0c509f58cef.tar.gz
QPID-446 Update to write accessRights file and correctly write Base64 MD5 Hashed password to password file.
MBeanInvocationHandlerImpl - made statics ADMIN, READONLY, READWRITE public so they can be used in writing the access file. AMQUserManagementMBean - update to write the access file. PrincipalDatabase - create getUser(username) to retrieve a Principal from the database; this is then implemented in all PDs and used to check for the existence of a user. git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/branches/M2@527803 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java6
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java87
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java35
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java19
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java2
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java13
6 files changed, 133 insertions, 29 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java b/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
index 07260d8645..a79d993afc 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/management/MBeanInvocationHandlerImpl.java
@@ -52,9 +52,9 @@ public class MBeanInvocationHandlerImpl implements InvocationHandler
{
private static final Logger _logger = Logger.getLogger(MBeanInvocationHandlerImpl.class);
- private final static String ADMIN = "admin";
- private final static String READWRITE = "readwrite";
- private final static String READONLY = "readonly";
+ public final static String ADMIN = "admin";
+ public final static String READWRITE = "readwrite";
+ public final static String READONLY = "readonly";
private final static String DELEGATE = "JMImplementation:type=MBeanServerDelegate";
private MBeanServer mbs;
private static Properties _userRoles = new Properties();
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java
index 15e3b8681f..3314013232 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/AMQUserManagementMBean.java
@@ -36,10 +36,8 @@ import javax.security.auth.login.AccountNotFoundException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
+import java.io.FileOutputStream;
import java.util.Properties;
-import java.util.Map;
-import java.util.HashMap;
-import java.security.Principal;
/** MBean class for AMQUserManagementMBean. It implements all the management features exposed for managing users. */
@MBeanDescription("User Management Interface")
@@ -49,9 +47,9 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
private static final Logger _logger = Logger.getLogger(AMQUserManagementMBean.class);
private PrincipalDatabase _principalDatabase;
- private String _accessFile;
-
- Map<String, Principal> _users = new HashMap<String, Principal>();
+ private String _accessFileName;
+ private Properties _accessRights;
+ private File _accessFile;
public AMQUserManagementMBean() throws JMException
{
@@ -82,6 +80,40 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
@MBeanOperationParameter(name = "write", description = "Administration write")boolean write,
@MBeanOperationParameter(name = "admin", description = "Administration rights")boolean admin)
{
+
+ if (_accessRights.get(username) == null)
+ {
+ if (_principalDatabase.getUser(username) == null)
+ {
+ return false;
+ }
+ }
+
+ if (admin)
+ {
+ _accessRights.put(username, MBeanInvocationHandlerImpl.ADMIN);
+ }
+ else
+ {
+ if (read | write)
+ {
+ if (read)
+ {
+ _accessRights.put(username, MBeanInvocationHandlerImpl.READONLY);
+ }
+ if (write)
+ {
+ _accessRights.put(username, MBeanInvocationHandlerImpl.READWRITE);
+ }
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+ saveAccessFile();
+
return true;
}
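Review bot: setRights returns true even when the rights were not persisted, because saveAccessFile() swallows its IOException and only logs, so a JMX caller is told the change succeeded while the file still holds the old rights. Have saveAccessFile() return a boolean and end the method with `return saveAccessFile();` instead of `return true;`. The existence check at the top dereferences `_accessRights` unconditionally, which is null until setAccessFile() has been called; a guard such as `if (_accessRights == null) return false;` would avoid an NPE on an unconfigured bean. Also `read | write` is a non-short-circuit bitwise or on booleans — `read || write` is the conventional form; note that when both are set the READWRITE put silently overrides the READONLY one, which deserves a one-line comment. The signature of setRights starts before this hunk.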
@@ -95,8 +127,9 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
{
if (_principalDatabase.createPrincipal(new UsernamePrincipal(username), password))
{
- _users.remove(username);
- return true;
+ _accessRights.put(username, "");
+
+ return setRights(username, read, write, admin);
}
}
catch (AccountNotFoundException e)
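Review bot: createUser can now return false for a user that was actually created: with read, write and admin all false, createPrincipal succeeds, the `""` placeholder is put into `_accessRights` (which MBeanInvocationHandlerImpl also holds by reference), and setRights returns false without ever saving the file. The caller is left with a live principal and an unpersisted empty rights entry. Validate the flags before touching the principal database, e.g. `if (!read && !write && !admin) return false;` ahead of the createPrincipal call, so that the placeholder entry is only added when rights will follow. createUser's signature and the surrounding try block start before this hunk.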
@@ -114,7 +147,8 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
{
if (_principalDatabase.deletePrincipal(new UsernamePrincipal(username)))
{
- _users.remove(username);
+ _accessRights.remove(username);
+
return true;
}
}
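Review bot: The removal from `_accessRights` in deleteUser is never written back, so after a broker restart the deleted user's rights entry reappears in the access file and setRights would grant rights to that name again without the principal-database check. Add `saveAccessFile();` directly after `_accessRights.remove(username);`, mirroring what setRights does. As with setRights, the return value should probably reflect whether the save succeeded. The enclosing method starts before this hunk.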
@@ -180,9 +214,9 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
*/
public void setAccessFile(String accessFile) throws IOException, ConfigurationException
{
- _accessFile = accessFile;
+ _accessFileName = accessFile;
- if (_accessFile != null)
+ if (_accessFileName != null)
{
loadAccessFile();
}
@@ -196,27 +230,39 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
{
Properties accessRights = new Properties();
- File access = new File(_accessFile);
+ _accessFile = new File(_accessFileName);
- if (!access.exists())
+ if (!_accessFile.exists())
{
- throw new ConfigurationException("'" + _accessFile + "' does not exist");
+ throw new ConfigurationException("'" + _accessFileName + "' does not exist");
}
- if (!access.canRead())
+ if (!_accessFile.canRead())
{
- throw new ConfigurationException("Cannot read '" + _accessFile + "'.");
+ throw new ConfigurationException("Cannot read '" + _accessFileName + "'.");
}
- if (!access.canWrite())
+ if (!_accessFile.canWrite())
{
- _logger.warn("Unable to write to access file '" + _accessFile + "' changes will not be preserved.");
+ _logger.warn("Unable to write to access file '" + _accessFileName + "' changes will not be preserved.");
}
- accessRights.load(new FileInputStream(access));
+ accessRights.load(new FileInputStream(_accessFileName));
processAccessRights(accessRights);
}
+ private void saveAccessFile()
+ {
+ try
+ {
+ _accessRights.store(new FileOutputStream(_accessFile), "");
+ }
+ catch (IOException e)
+ {
+ _logger.warn("Unable to write to access file '" + _accessFileName + "' changes will not be preserved.");
+ }
+ }
+
/**
* user=read user=write user=readwrite user=admin
*
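Review bot: saveAccessFile never closes the FileOutputStream it opens, and the same leak exists on the load side where `new FileInputStream(_accessFileName)` is passed straight to load(); each rights change leaks a descriptor. More importantly, opening `_accessFile` for writing truncates it before store() runs, so an IOException mid-write leaves a truncated access file — and since that file drives MBeanInvocationHandlerImpl's authorization, a partial write could strip rights from every user at the next load. Writing to a sibling temp file and renaming it over the original avoids that, and the method should also tolerate `_accessFile` being null when no access file was configured. The code base predates try-with-resources, so a try/finally close is the available idiom; renameTo semantics are platform-dependent, so check its result.
```java
private void saveAccessFile()
{
    if (_accessFile == null)
    {
        _logger.warn("No access file configured; rights changes will not be preserved.");
        return;
    }
    // Store into a sibling temp file first so a failure mid-write cannot leave a truncated access file.
    File tmp = new File(_accessFile.getAbsolutePath() + ".tmp");
    FileOutputStream out = null;
    try
    {
        out = new FileOutputStream(tmp);
        _accessRights.store(out, "");
        out.close();
        out = null;
        if (!tmp.renameTo(_accessFile))
        {
            _logger.warn("Unable to replace access file '" + _accessFileName + "' changes will not be preserved.");
        }
    }
    catch (IOException e)
    {
        _logger.warn("Unable to write to access file '" + _accessFileName + "' changes will not be preserved.", e);
    }
    finally
    {
        if (out != null)
        {
            try { out.close(); } catch (IOException ignored) { /* primary failure already logged */ }
        }
    }
}
```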
@@ -225,6 +271,7 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
private void processAccessRights(Properties accessRights)
{
_logger.info("Processing Access Rights:" + accessRights);
- MBeanInvocationHandlerImpl.setAccessRights(accessRights);
+ _accessRights = accessRights;
+ MBeanInvocationHandlerImpl.setAccessRights(_accessRights);
}
}
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
index 618451d502..2499c086e7 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java
@@ -22,6 +22,7 @@ package org.apache.qpid.server.security.auth.database;
import org.apache.log4j.Logger;
import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HashedInitialiser;
import org.apache.qpid.server.security.access.AMQUserManagementMBean;
import org.apache.qpid.server.security.Passwd;
@@ -46,6 +47,7 @@ import java.util.HashMap;
import java.util.List;
import java.security.Principal;
import java.security.NoSuchAlgorithmException;
+import java.security.MessageDigest;
/**
* Represents a user database where the account information is stored in a simple flat file.
@@ -270,6 +272,15 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase
return _saslServers;
}
+ public Principal getUser(String username)
+ {
+ if (_users.containsKey(username))
+ {
+ return new UsernamePrincipal(username);
+ }
+ return null;
+ }
+
/**
* Looks up the password for a specified user in the password file. Note this code is <b>not</b> secure since it
* creates strings of passwords. It should be modified to create only char arrays which get nulled out.
@@ -374,7 +385,7 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase
user.saved();
}
- catch (EncoderException e)
+ catch (Exception e)
{
_logger.warn("Unable to encode new password reverting to old password.");
writer.write(line.getBytes(DEFAULT_ENCODING));
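Review bot: Widening the catch from EncoderException to Exception here (and in the second save path at the next hunk) swallows every RuntimeException — an NPE or array-index error in the encoding path is now reported as "Unable to encode new password" and the old line is silently kept. getEncodePassword declares exactly EncoderException, UnsupportedEncodingException and NoSuchAlgorithmException, so catch those three explicitly (separate clauses if the language level has no multi-catch) and leave unchecked exceptions to propagate. Whichever is caught, pass the exception to the logger so the reason survives: `_logger.warn("Unable to encode new password reverting to old password.", e);`. The enclosing method starts before this hunk.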
@@ -397,7 +408,7 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase
writer.println();
user.saved();
}
- catch (EncoderException e)
+ catch (Exception e)
{
_logger.warn("Unable to get Encoded password for user'" + user.getName() + "' password not saved");
}
@@ -490,7 +501,7 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase
}
- byte[] getEncodePassword() throws EncoderException, UnsupportedEncodingException
+ byte[] getEncodePassword() throws EncoderException, UnsupportedEncodingException, NoSuchAlgorithmException
{
if (_encodedPassword == null)
{
@@ -499,10 +510,10 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase
return _encodedPassword;
}
- private void encodePassword() throws EncoderException, UnsupportedEncodingException
+ private void encodePassword() throws EncoderException, UnsupportedEncodingException, NoSuchAlgorithmException
{
Base64 b64 = new Base64();
- _encodedPassword = b64.encode(new String(_password).getBytes(DEFAULT_ENCODING));
+ _encodedPassword = b64.encode(getHash(new String(_password)));
}
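Review bot: encodePassword now stores the Base64 of an unsalted MD5 digest of the password, and nothing in the file says why that particular form is required; presumably it is what CRAMMD5HashedInitialiser consumes to answer CRAM-MD5 challenges, in which case the stored digest is as sensitive as the plaintext it replaces and the password file needs the same protection. Add a comment above the assignment such as `// Stored form is Base64(MD5(password)); the digest is unsalted because the CRAM-MD5 hashed mechanism must reconstruct it — treat the file as secret.`, confirming the mechanism against CRAMMD5HashedInitialiser. The `new String(_password)` also materialises the password as an immutable String, which the class's own comment on lookupPassword already flags as something to avoid; a char[]-based digest helper would close that gap.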
public boolean isModified()
@@ -524,5 +535,19 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase
{
_modified = false;
}
+
+ private byte[] getHash(String text) throws NoSuchAlgorithmException, UnsupportedEncodingException
+ {
+ byte[] data = text.getBytes(DEFAULT_ENCODING);
+
+ MessageDigest md = MessageDigest.getInstance("MD5");
+
+ for (byte b : data)
+ {
+ md.update(b);
+ }
+
+ return md.digest();
+ }
}
}
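Review bot: getHash feeds the digest one byte at a time in a loop where a single `md.update(data);` does the same work, and the method has no Javadoc explaining what it hashes and why MD5. Replace the for loop with `md.update(data);` and add a header such as `/** Returns the raw MD5 digest of {@code text} encoded with DEFAULT_ENCODING; MD5 is dictated by the hashed CRAM-MD5 mechanism, not chosen for strength. */`. The `"MD5"` literal would read better as a named constant alongside DEFAULT_ENCODING.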
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
index 1644d20bde..f290e86b5f 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
@@ -23,6 +23,7 @@ package org.apache.qpid.server.security.auth.database;
import org.apache.log4j.Logger;
import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.amqplain.AmqPlainInitialiser;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
@@ -143,7 +144,7 @@ public class PlainPasswordFilePrincipalDatabase implements PrincipalDatabase
int index = 0;
for (byte b : passwdBytes)
- {
+ {
passwd[index++] = (char) b;
}
@@ -170,6 +171,22 @@ public class PlainPasswordFilePrincipalDatabase implements PrincipalDatabase
return _saslServers;
}
+ public Principal getUser(String username)
+ {
+ try
+ {
+ if (lookupPassword(username) != null)
+ {
+ return new UsernamePrincipal(username);
+ }
+ }
+ catch (IOException e)
+ {
+ //fall through to null return
+ }
+ return null;
+ }
+
private boolean compareCharArray(char[] a, char[] b)
{
boolean equal = false;
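Review bot: getUser in PlainPasswordFilePrincipalDatabase looks up the user's password purely to test for existence and then discards it, so if lookupPassword returns the char[] it builds (the loop a few hunks up suggests it does) that copy of the plaintext is left for the garbage collector rather than being cleared as the rest of this class tries to do. Hold the result and zero it before returning: `char[] pw = lookupPassword(username);` then `if (pw != null) { java.util.Arrays.fill(pw, (char) 0); return new UsernamePrincipal(username); }`. The empty catch also hides a real I/O failure on the password file behind a "user does not exist" answer; log it at debug level at least (`_logger.debug("Unable to read password file", e);`) rather than leaving only a comment.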
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
index 50a2845b4f..c73b37df36 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PrincipalDatabase.java
@@ -72,4 +72,6 @@ public interface PrincipalDatabase
throws AccountNotFoundException;
public Map<String, AuthenticationProviderInitialiser> getMechanisms();
+
+ Principal getUser(String username);
}
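Review bot: The new interface method getUser has no Javadoc, so implementors have nothing fixing the contract that the three implementations in this commit rely on — in particular that a missing user yields null rather than an exception, and what the returned Principal represents. Add above it: `/** Looks up {@code username}; returns a Principal for that user, or {@code null} when no such user exists. Implementations must not throw for unknown users. */`. Behaviour for a null username should be stated too, since the implementations differ on it.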
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java
index ce6569ebd5..669a180359 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/PropertiesPrincipalDatabase.java
@@ -21,6 +21,7 @@
package org.apache.qpid.server.security.auth.database;
import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5Initialiser;
import org.apache.qpid.server.security.auth.sasl.plain.PlainInitialiser;
@@ -143,4 +144,16 @@ public class PropertiesPrincipalDatabase implements PrincipalDatabase
{
return _saslServers;
}
+
+ public Principal getUser(String username)
+ {
+ if (_users.getProperty(username) != null)
+ {
+ return new UsernamePrincipal(username);
+ }
+ else
+ {
+ return null;
+ }
+ }
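Review bot: If `_users` here is a Properties (as getProperty suggests), `getUser(null)` throws a NullPointerException from the Hashtable lookup, whereas the Base64MD5 implementation's `containsKey(null)` returns false and the plain-file one returns null — three implementations, three behaviours for the same input. Either guard with `if (username == null) return null;` or document in the PrincipalDatabase interface that null is not permitted. The if/else can also collapse to `return _users.getProperty(username) != null ? new UsernamePrincipal(username) : null;`.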
}