diff options
Diffstat (limited to 'java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java')
-rw-r--r-- | java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java | 210 |
1 files changed, 14 insertions, 196 deletions
diff --git a/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java b/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java index 152a9086ec..6887cb99d4 100644 --- a/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java +++ b/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java @@ -20,52 +20,38 @@ */ package org.apache.qpid.server.security.auth.manager; -import java.io.IOException; -import java.nio.charset.Charset; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.SecureRandom; import java.util.Arrays; import java.util.Collections; -import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.UUID; -import java.util.concurrent.ConcurrentHashMap; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; -import javax.security.auth.login.AccountNotFoundException; import javax.security.sasl.SaslException; import javax.security.sasl.SaslServer; import javax.xml.bind.DatatypeConverter; -import org.apache.qpid.server.configuration.updater.Task; -import org.apache.qpid.server.configuration.updater.VoidTaskWithException; import org.apache.qpid.server.model.Broker; -import org.apache.qpid.server.model.ConfiguredObject; import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider; -import org.apache.qpid.server.model.User; -import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.auth.AuthenticationResult; import org.apache.qpid.server.security.auth.UsernamePrincipal; import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer; import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer; public abstract class AbstractScramAuthenticationManager<X extends AbstractScramAuthenticationManager<X>> - extends AbstractAuthenticationManager<X> + extends ConfigModelPasswordManagingAuthenticationProvider<X> implements PasswordCredentialManagingAuthenticationProvider<X> { - static final Charset ASCII = Charset.forName("ASCII"); public static final String PLAIN = "PLAIN"; private final SecureRandom _random = new SecureRandom(); private int _iterationCount = 4096; - private Map<String, ScramAuthUser> _users = new ConcurrentHashMap<String, ScramAuthUser>(); - protected AbstractScramAuthenticationManager(final Map<String, Object> attributes, final Broker broker) { @@ -103,33 +89,9 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram protected abstract String getDigestName(); @Override - public AuthenticationResult authenticate(final SaslServer server, final byte[] response) - { - try - { - // Process response from the client - byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]); - - if (server.isComplete() && (challenge == null || challenge.length == 0)) - { - final String userId = server.getAuthorizationID(); - return new AuthenticationResult(new UsernamePrincipal(userId)); - } - else - { - return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE); - } - } - catch (SaslException e) - { - return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e); - } - } - - @Override public AuthenticationResult authenticate(final String username, final String password) { - ScramAuthUser user = getUser(username); + ManagedUser user = getUser(username); if(user != null) { final String[] usernamePassword = user.getPassword().split(","); @@ -142,7 +104,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram return new AuthenticationResult(new UsernamePrincipal(username)); } } - catch (SaslException e) + catch (IllegalArgumentException e) { return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR,e); } @@ -162,7 +124,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram public byte[] getSalt(final String username) { - ScramAuthUser user = getUser(username); + ManagedUser user = getUser(username); if(user == null) { @@ -183,7 +145,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram public byte[] getSaltedPassword(final String username) throws SaslException { - ScramAuthUser user = getUser(username); + ManagedUser user = getUser(username); if(user == null) { throw new SaslException("Authentication Failed"); @@ -194,14 +156,9 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram } } - private ScramAuthUser getUser(final String username) - { - return _users.get(username); - } - - private byte[] createSaltedPassword(byte[] salt, String password) throws SaslException + private byte[] createSaltedPassword(byte[] salt, String password) { - Mac mac = createSha1Hmac(password.getBytes(ASCII)); + Mac mac = createShaHmac(password.getBytes(ASCII)); mac.update(salt); mac.update(INT_1); @@ -222,8 +179,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram } - private Mac createSha1Hmac(final byte[] keyBytes) - throws SaslException + private Mac createShaHmac(final byte[] keyBytes) { try { @@ -232,132 +188,16 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram mac.init(key); return mac; } - catch (NoSuchAlgorithmException e) - { - throw new SaslException(e.getMessage(), e); - } - catch (InvalidKeyException e) + catch (NoSuchAlgorithmException | InvalidKeyException e) { - throw new SaslException(e.getMessage(), e); + throw new IllegalArgumentException(e.getMessage(), e); } } protected abstract String getHmacName(); @Override - public boolean createUser(final String username, final String password, final Map<String, String> attributes) - { - return runTask(new Task<Boolean>() - { - @Override - public Boolean execute() - { - getSecurityManager().authoriseUserOperation(Operation.CREATE, username); - if (_users.containsKey(username)) - { - throw new IllegalArgumentException("User '" + username + "' already exists"); - } - try - { - Map<String, Object> userAttrs = new HashMap<String, Object>(); - userAttrs.put(User.ID, UUID.randomUUID()); - userAttrs.put(User.NAME, username); - userAttrs.put(User.PASSWORD, createStoredPassword(password)); - userAttrs.put(User.TYPE, ScramAuthUser.SCRAM_USER_TYPE); - ScramAuthUser user = new ScramAuthUser(userAttrs, AbstractScramAuthenticationManager.this); - user.create(); - - return true; - } - catch (SaslException e) - { - throw new IllegalArgumentException(e); - } - } - }); - } - - org.apache.qpid.server.security.SecurityManager getSecurityManager() - { - return getBroker().getSecurityManager(); - } - - @Override - public void deleteUser(final String user) throws AccountNotFoundException - { - runTask(new VoidTaskWithException<AccountNotFoundException>() - { - @Override - public void execute() throws AccountNotFoundException - { - final ScramAuthUser authUser = getUser(user); - if(authUser != null) - { - authUser.delete(); - } - else - { - throw new AccountNotFoundException("No such user: '" + user + "'"); - } - } - }); - } - - @Override - public void setPassword(final String username, final String password) throws AccountNotFoundException - { - runTask(new VoidTaskWithException<AccountNotFoundException>() - { - @Override - public void execute() throws AccountNotFoundException - { - - final ScramAuthUser authUser = getUser(username); - if (authUser != null) - { - authUser.setPassword(password); - } - else - { - throw new AccountNotFoundException("No such user: '" + username + "'"); - } - } - }); - - } - - @Override - public Map<String, Map<String, String>> getUsers() - { - return runTask(new Task<Map<String, Map<String, String>>>() - { - @Override - public Map<String, Map<String, String>> execute() - { - - Map<String, Map<String, String>> users = new HashMap<String, Map<String, String>>(); - for (String user : _users.keySet()) - { - users.put(user, Collections.<String, String>emptyMap()); - } - return users; - } - }); - } - - @Override - public void reload() throws IOException - { - - } - - @Override - public void recoverUser(final User user) - { - _users.put(user.getName(), (ScramAuthUser) user); - } - - protected String createStoredPassword(final String password) throws SaslException + protected String createStoredPassword(final String password) { byte[] salt = new byte[32]; _random.nextBytes(salt); @@ -366,33 +206,11 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram } @Override - public <C extends ConfiguredObject> C addChild(final Class<C> childClass, - final Map<String, Object> attributes, - final ConfiguredObject... otherParents) + void validateUser(final ManagedUser managedUser) { - if(childClass == User.class) + if(!ASCII.newEncoder().canEncode(managedUser.getName())) { - String username = (String) attributes.get("name"); - String password = (String) attributes.get("password"); - - if(createUser(username, password,null)) - { - @SuppressWarnings("unchecked") - C user = (C) _users.get(username); - return user; - } - else - { - return null; - - } + throw new IllegalArgumentException("User names are restricted to characters in the ASCII charset"); } - return super.addChild(childClass, attributes, otherParents); } - - Map<String, ScramAuthUser> getUserMap() - { - return _users; - } - } |