summaryrefslogtreecommitdiff
path: root/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
diff options
context:
space:
mode:
Diffstat (limited to 'java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java')
-rw-r--r--java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java210
1 files changed, 14 insertions, 196 deletions
diff --git a/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java b/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
index 152a9086ec..6887cb99d4 100644
--- a/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
+++ b/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
@@ -20,52 +20,38 @@
*/
package org.apache.qpid.server.security.auth.manager;
-import java.io.IOException;
-import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.UUID;
-import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
-import javax.security.auth.login.AccountNotFoundException;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.xml.bind.DatatypeConverter;
-import org.apache.qpid.server.configuration.updater.Task;
-import org.apache.qpid.server.configuration.updater.VoidTaskWithException;
import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
-import org.apache.qpid.server.model.User;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
public abstract class AbstractScramAuthenticationManager<X extends AbstractScramAuthenticationManager<X>>
- extends AbstractAuthenticationManager<X>
+ extends ConfigModelPasswordManagingAuthenticationProvider<X>
implements PasswordCredentialManagingAuthenticationProvider<X>
{
- static final Charset ASCII = Charset.forName("ASCII");
public static final String PLAIN = "PLAIN";
private final SecureRandom _random = new SecureRandom();
private int _iterationCount = 4096;
- private Map<String, ScramAuthUser> _users = new ConcurrentHashMap<String, ScramAuthUser>();
-
protected AbstractScramAuthenticationManager(final Map<String, Object> attributes, final Broker broker)
{
@@ -103,33 +89,9 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
protected abstract String getDigestName();
@Override
- public AuthenticationResult authenticate(final SaslServer server, final byte[] response)
- {
- try
- {
- // Process response from the client
- byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
-
- if (server.isComplete() && (challenge == null || challenge.length == 0))
- {
- final String userId = server.getAuthorizationID();
- return new AuthenticationResult(new UsernamePrincipal(userId));
- }
- else
- {
- return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
- }
- }
- catch (SaslException e)
- {
- return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
- }
- }
-
- @Override
public AuthenticationResult authenticate(final String username, final String password)
{
- ScramAuthUser user = getUser(username);
+ ManagedUser user = getUser(username);
if(user != null)
{
final String[] usernamePassword = user.getPassword().split(",");
@@ -142,7 +104,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
return new AuthenticationResult(new UsernamePrincipal(username));
}
}
- catch (SaslException e)
+ catch (IllegalArgumentException e)
{
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR,e);
}
@@ -162,7 +124,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
public byte[] getSalt(final String username)
{
- ScramAuthUser user = getUser(username);
+ ManagedUser user = getUser(username);
if(user == null)
{
@@ -183,7 +145,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
public byte[] getSaltedPassword(final String username) throws SaslException
{
- ScramAuthUser user = getUser(username);
+ ManagedUser user = getUser(username);
if(user == null)
{
throw new SaslException("Authentication Failed");
@@ -194,14 +156,9 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
}
}
- private ScramAuthUser getUser(final String username)
- {
- return _users.get(username);
- }
-
- private byte[] createSaltedPassword(byte[] salt, String password) throws SaslException
+ private byte[] createSaltedPassword(byte[] salt, String password)
{
- Mac mac = createSha1Hmac(password.getBytes(ASCII));
+ Mac mac = createShaHmac(password.getBytes(ASCII));
mac.update(salt);
mac.update(INT_1);
@@ -222,8 +179,7 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
}
- private Mac createSha1Hmac(final byte[] keyBytes)
- throws SaslException
+ private Mac createShaHmac(final byte[] keyBytes)
{
try
{
@@ -232,132 +188,16 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
mac.init(key);
return mac;
}
- catch (NoSuchAlgorithmException e)
- {
- throw new SaslException(e.getMessage(), e);
- }
- catch (InvalidKeyException e)
+ catch (NoSuchAlgorithmException | InvalidKeyException e)
{
- throw new SaslException(e.getMessage(), e);
+ throw new IllegalArgumentException(e.getMessage(), e);
}
}
protected abstract String getHmacName();
@Override
- public boolean createUser(final String username, final String password, final Map<String, String> attributes)
- {
- return runTask(new Task<Boolean>()
- {
- @Override
- public Boolean execute()
- {
- getSecurityManager().authoriseUserOperation(Operation.CREATE, username);
- if (_users.containsKey(username))
- {
- throw new IllegalArgumentException("User '" + username + "' already exists");
- }
- try
- {
- Map<String, Object> userAttrs = new HashMap<String, Object>();
- userAttrs.put(User.ID, UUID.randomUUID());
- userAttrs.put(User.NAME, username);
- userAttrs.put(User.PASSWORD, createStoredPassword(password));
- userAttrs.put(User.TYPE, ScramAuthUser.SCRAM_USER_TYPE);
- ScramAuthUser user = new ScramAuthUser(userAttrs, AbstractScramAuthenticationManager.this);
- user.create();
-
- return true;
- }
- catch (SaslException e)
- {
- throw new IllegalArgumentException(e);
- }
- }
- });
- }
-
- org.apache.qpid.server.security.SecurityManager getSecurityManager()
- {
- return getBroker().getSecurityManager();
- }
-
- @Override
- public void deleteUser(final String user) throws AccountNotFoundException
- {
- runTask(new VoidTaskWithException<AccountNotFoundException>()
- {
- @Override
- public void execute() throws AccountNotFoundException
- {
- final ScramAuthUser authUser = getUser(user);
- if(authUser != null)
- {
- authUser.delete();
- }
- else
- {
- throw new AccountNotFoundException("No such user: '" + user + "'");
- }
- }
- });
- }
-
- @Override
- public void setPassword(final String username, final String password) throws AccountNotFoundException
- {
- runTask(new VoidTaskWithException<AccountNotFoundException>()
- {
- @Override
- public void execute() throws AccountNotFoundException
- {
-
- final ScramAuthUser authUser = getUser(username);
- if (authUser != null)
- {
- authUser.setPassword(password);
- }
- else
- {
- throw new AccountNotFoundException("No such user: '" + username + "'");
- }
- }
- });
-
- }
-
- @Override
- public Map<String, Map<String, String>> getUsers()
- {
- return runTask(new Task<Map<String, Map<String, String>>>()
- {
- @Override
- public Map<String, Map<String, String>> execute()
- {
-
- Map<String, Map<String, String>> users = new HashMap<String, Map<String, String>>();
- for (String user : _users.keySet())
- {
- users.put(user, Collections.<String, String>emptyMap());
- }
- return users;
- }
- });
- }
-
- @Override
- public void reload() throws IOException
- {
-
- }
-
- @Override
- public void recoverUser(final User user)
- {
- _users.put(user.getName(), (ScramAuthUser) user);
- }
-
- protected String createStoredPassword(final String password) throws SaslException
+ protected String createStoredPassword(final String password)
{
byte[] salt = new byte[32];
_random.nextBytes(salt);
@@ -366,33 +206,11 @@ public abstract class AbstractScramAuthenticationManager<X extends AbstractScram
}
@Override
- public <C extends ConfiguredObject> C addChild(final Class<C> childClass,
- final Map<String, Object> attributes,
- final ConfiguredObject... otherParents)
+ void validateUser(final ManagedUser managedUser)
{
- if(childClass == User.class)
+ if(!ASCII.newEncoder().canEncode(managedUser.getName()))
{
- String username = (String) attributes.get("name");
- String password = (String) attributes.get("password");
-
- if(createUser(username, password,null))
- {
- @SuppressWarnings("unchecked")
- C user = (C) _users.get(username);
- return user;
- }
- else
- {
- return null;
-
- }
+ throw new IllegalArgumentException("User names are restricted to characters in the ASCII charset");
}
- return super.addChild(childClass, attributes, otherParents);
}
-
- Map<String, ScramAuthUser> getUserMap()
- {
- return _users;
- }
-
}
View Lorry Controller Status