diff options
author | Martin Ritchie <ritchiem@apache.org> | 2008-06-06 16:03:48 +0000 |
---|---|---|
committer | Martin Ritchie <ritchiem@apache.org> | 2008-06-06 16:03:48 +0000 |
commit | 47a972af5ab762f41fe3990089cece925aee11b5 (patch) | |
tree | 74c3c257701c101821f0dd2a2e7e27c332674ad9 | |
parent | 83ec6a5f10a3fd60b08b5f47bfff4d4ab93cbeac (diff) | |
download | qpid-python-47a972af5ab762f41fe3990089cece925aee11b5.tar.gz |
QPID-1058 : Addition of a CRAM-MD5-HEX as discussed on the JIRA. An additional test is provided to ensure that the handle method correctly wraps a given Database password in hex.
git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/branches/M2.x@664001 13f79535-47bb-0310-9956-ffa450edef68
5 files changed, 454 insertions, 3 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java index 348bccb4e9..ec4ce8cb85 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/database/Base64MD5PasswordFilePrincipalDatabase.java @@ -24,6 +24,7 @@ import org.apache.log4j.Logger; import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser; import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal; import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HashedInitialiser; +import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HexInitialiser; import org.apache.qpid.server.security.access.management.AMQUserManagementMBean; import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.EncoderException; @@ -81,6 +82,11 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase cram.initialise(this); _saslServers.put(cram.getMechanismName(), cram); + //Add the Hex initialiser + CRAMMD5HexInitialiser cramHex = new CRAMMD5HexInitialiser(); + cramHex.initialise(this); + _saslServers.put(cramHex.getMechanismName(), cramHex); + //fixme The PDs should setup a PD Mangement MBean // try // { @@ -284,7 +290,6 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase return true; } - public Map<String, AuthenticationProviderInitialiser> getMechanisms() { return _saslServers; @@ -325,7 +330,6 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase } } - private void loadPasswordFile() throws IOException { try @@ -553,7 +557,6 @@ public class Base64MD5PasswordFilePrincipalDatabase implements PrincipalDatabase _encodedPassword = null; } - byte[] getEncodePassword() throws EncoderException, UnsupportedEncodingException, NoSuchAlgorithmException { if (_encodedPassword == null) diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java new file mode 100644 index 0000000000..b3099897ad --- /dev/null +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexInitialiser.java @@ -0,0 +1,139 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.auth.sasl.crammd5; + +import org.apache.qpid.server.security.auth.database.PrincipalDatabase; +import org.apache.qpid.server.security.auth.sasl.UsernamePasswordInitialiser; +import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser; + +import javax.security.sasl.SaslServerFactory; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.login.AccountNotFoundException; +import java.util.Map; +import java.util.List; +import java.security.Principal; +import java.io.IOException; + +public class CRAMMD5HexInitialiser extends UsernamePasswordInitialiser +{ + public String getMechanismName() + { + return CRAMMD5HexSaslServer.MECHANISM; + } + + public Class<? extends SaslServerFactory> getServerFactoryClassForJCARegistration() + { + return CRAMMD5HexServerFactory.class; + } + + public Map<String, ?> getProperties() + { + return null; + } + + public void initialise(PrincipalDatabase db) + { + super.initialise(new HexifyPrincipalDatabase(db)); + + } + + private class HexifyPrincipalDatabase implements PrincipalDatabase + { + private PrincipalDatabase _realPricipalDatabase; + + HexifyPrincipalDatabase(PrincipalDatabase db) + { + _realPricipalDatabase = db; + } + + private char[] toHex(char[] password) + { + StringBuilder sb = new StringBuilder(); + for (char c : password) + { + //toHexString does not prepend 0 so we have to + if (((byte) c > -1) && (byte) c < 10) + { + sb.append(0); + } + + sb.append(Integer.toHexString(c & 0xFF)); + } + + //Extract the hex string as char[] + char[] hex = new char[sb.length()]; + + sb.getChars(0, sb.length(), hex, 0); + + return hex; + } + + public void setPassword(Principal principal, PasswordCallback callback) throws IOException, AccountNotFoundException + { + //Let the read DB set the password + _realPricipalDatabase.setPassword(principal, callback); + + //Retrieve the setpassword + char[] plainPassword = callback.getPassword(); + + char[] hexPassword = toHex(plainPassword); + + callback.setPassword(hexPassword); + } + + // Simply delegate to the real PrincipalDB + public boolean verifyPassword(String principal, char[] password) throws AccountNotFoundException + { + return _realPricipalDatabase.verifyPassword(principal, password); + } + + public boolean updatePassword(Principal principal, char[] password) throws AccountNotFoundException + { + return _realPricipalDatabase.updatePassword(principal, password); + } + + public boolean createPrincipal(Principal principal, char[] password) + { + return _realPricipalDatabase.createPrincipal(principal, password); + } + + public boolean deletePrincipal(Principal principal) throws AccountNotFoundException + { + return _realPricipalDatabase.deletePrincipal(principal); + } + + public Principal getUser(String username) + { + return _realPricipalDatabase.getUser(username); + } + + public Map<String, AuthenticationProviderInitialiser> getMechanisms() + { + return _realPricipalDatabase.getMechanisms(); + } + + public List<Principal> getUsers() + { + return _realPricipalDatabase.getUsers(); + } + } + +} diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexSaslServer.java new file mode 100644 index 0000000000..192ff74bff --- /dev/null +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexSaslServer.java @@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + * + */ +package org.apache.qpid.server.security.auth.sasl.crammd5; + +import javax.security.sasl.SaslServer; +import javax.security.sasl.SaslException; +import javax.security.sasl.Sasl; +import javax.security.sasl.SaslServerFactory; +import javax.security.auth.callback.CallbackHandler; +import java.util.Enumeration; +import java.util.Map; + +public class CRAMMD5HexSaslServer implements SaslServer +{ + public static final String MECHANISM = "CRAM-MD5-HEX"; + + private SaslServer _realServer; + + public CRAMMD5HexSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, + CallbackHandler cbh) throws SaslException + { + Enumeration factories = Sasl.getSaslServerFactories(); + + while (factories.hasMoreElements()) + { + SaslServerFactory factory = (SaslServerFactory) factories.nextElement(); + + if (factory instanceof CRAMMD5HexServerFactory) + { + continue; + } + + String[] mechs = factory.getMechanismNames(props); + + for (String mech : mechs) + { + if (mech.equals("CRAM-MD5")) + { + _realServer = factory.createSaslServer("CRAM-MD5", protocol, serverName, props, cbh); + return; + } + } + } + + throw new RuntimeException("No default SaslServer found for mechanism:" + "CRAM-MD5"); + } + + public String getMechanismName() + { + return MECHANISM; + } + + public byte[] evaluateResponse(byte[] response) throws SaslException + { + return _realServer.evaluateResponse(response); + } + + public boolean isComplete() + { + return _realServer.isComplete(); + } + + public String getAuthorizationID() + { + return _realServer.getAuthorizationID(); + } + + public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException + { + return _realServer.unwrap(incoming, offset, len); + } + + public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException + { + return _realServer.wrap(outgoing, offset, len); + } + + public Object getNegotiatedProperty(String propName) + { + return _realServer.getNegotiatedProperty(propName); + } + + public void dispose() throws SaslException + { + _realServer.dispose(); + } +} diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexServerFactory.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexServerFactory.java new file mode 100644 index 0000000000..ce0e19abf9 --- /dev/null +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/crammd5/CRAMMD5HexServerFactory.java @@ -0,0 +1,61 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.auth.sasl.crammd5; + +import java.util.Map; + +import javax.security.auth.callback.CallbackHandler; +import javax.security.sasl.Sasl; +import javax.security.sasl.SaslException; +import javax.security.sasl.SaslServer; +import javax.security.sasl.SaslServerFactory; + +public class CRAMMD5HexServerFactory implements SaslServerFactory +{ + public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, + CallbackHandler cbh) throws SaslException + { + if (mechanism.equals(CRAMMD5HexSaslServer.MECHANISM)) + { + return new CRAMMD5HexSaslServer(mechanism, protocol, serverName, props, cbh); + } + else + { + return null; + } + } + + public String[] getMechanismNames(Map props) + { + if (props != null) + { + if (props.containsKey(Sasl.POLICY_NOPLAINTEXT) || + props.containsKey(Sasl.POLICY_NODICTIONARY) || + props.containsKey(Sasl.POLICY_NOACTIVE)) + { + // returned array must be non null according to interface documentation + return new String[0]; + } + } + + return new String[]{CRAMMD5HexSaslServer.MECHANISM}; + } +} diff --git a/java/broker/src/test/java/org/apache/qpid/server/securiity/auth/sasl/CRAMMD5HexInitialiserTest.java b/java/broker/src/test/java/org/apache/qpid/server/securiity/auth/sasl/CRAMMD5HexInitialiserTest.java new file mode 100644 index 0000000000..0d92b21d74 --- /dev/null +++ b/java/broker/src/test/java/org/apache/qpid/server/securiity/auth/sasl/CRAMMD5HexInitialiserTest.java @@ -0,0 +1,143 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.securiity.auth.sasl; + +import junit.framework.TestCase; +import org.apache.qpid.server.security.auth.database.PropertiesPrincipalDatabase; +import org.apache.qpid.server.security.auth.sasl.crammd5.CRAMMD5HexInitialiser; + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import java.io.IOException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Properties; + +/** + * These tests ensure that the Hex wrapping that the initialiser performs does actually operate when the handle method is called. + */ +public class CRAMMD5HexInitialiserTest extends TestCase +{ + + public void testHex() + { + + //Create User details for testing + String user = "testUser"; + String password = "testPassword"; + + perform(user, password); + } + + public void testHashedHex() + { + + //Create User details for testing + String user = "testUser"; + String password = "testPassword"; + + //Create a hashed password that we then attempt to put through the call back mechanism. + try + { + password = new String(MessageDigest.getInstance("MD5").digest(password.getBytes())); + } + catch (NoSuchAlgorithmException e) + { + fail(e.getMessage()); + } + + perform(user, password); + } + + public void perform(String user, String password) + { + CRAMMD5HexInitialiser initialiser = new CRAMMD5HexInitialiser(); + + //Use properties to create a PrincipalDatabase + Properties users = new Properties(); + users.put(user, password); + + PropertiesPrincipalDatabase db = new PropertiesPrincipalDatabase(users); + + initialiser.initialise(db); + + //setup the callbacks + PasswordCallback passwordCallback = new PasswordCallback("password:", false); + NameCallback usernameCallback = new NameCallback("user:", user); + + Callback[] callbacks = new Callback[]{usernameCallback, passwordCallback}; + + //Check the + try + { + assertNull("The password was not null before the handle call.", passwordCallback.getPassword()); + initialiser.getCallbackHandler().handle(callbacks); + } + catch (IOException e) + { + fail(e.getMessage()); + } + catch (UnsupportedCallbackException e) + { + fail(e.getMessage()); + } + + //Hex the password we initialised with and compare it with the passwordCallback + assertArrayEquals(toHex(password.toCharArray()), passwordCallback.getPassword()); + + } + + private void assertArrayEquals(char[] expected, char[] actual) + { + assertEquals("Arrays are not the same length", expected.length, actual.length); + + for (int index = 0; index < expected.length; index++) + { + assertEquals("Characters are not equal", expected[index], actual[index]); + } + } + + private char[] toHex(char[] password) + { + StringBuilder sb = new StringBuilder(); + for (char c : password) + { + //toHexString does not prepend 0 so we have to + if (((byte) c > -1) && (byte) c < 10) + { + sb.append(0); + } + + sb.append(Integer.toHexString(c & 0xFF)); + } + + //Extract the hex string as char[] + char[] hex = new char[sb.length()]; + + sb.getChars(0, sb.length(), hex, 0); + + return hex; + } + + +} |