Posted to commits@qpid.apache.org by or...@apache.org on 2016/05/30 14:53:22 UTC
svn commit: r1746140 - in /qpid/java/trunk/broker-core/src:
main/java/org/apache/qpid/server/security/auth/manager/
main/java/org/apache/qpid/server/security/auth/manager/oauth2/
test/java/org/apache/qpid/server/security/auth/
Author: orudyy
Date: Mon May 30 14:53:22 2016
New Revision: 1746140
URL: http://svn.apache.org/viewvc?rev=1746140&view=rev
Log:
QPID-7282: Java Broker should always send server-final message when required to the client on successful SASL negotiation
Added:
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/AuthenticationProviderTest.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AnonymousAuthenticationManager.java Mon May 30 14:53:22 2016
@@ -93,7 +93,7 @@ public class AnonymousAuthenticationMana
}
else
{
- return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
+ return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
}
}
catch (SaslException e)
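Review bot: The new `return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);` drops the `challenge` that the removed line used to hand back as CONTINUE, so if that local (computed above the hunk, presumably from `server.evaluateResponse`) is not read anywhere else it is now dead on this path and can be removed. The reason a not-yet-complete exchange is now treated as a failure instead of another round is not stated; a short comment on the new line, e.g. `// not complete after the client's response: fail rather than continue the exchange`, would make the intent explicit to the next reader. The enclosing method starts before the hunk and continues past it.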
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java Mon May 30 14:53:22 2016
@@ -218,6 +218,11 @@ public abstract class ConfigModelPasswor
{
try
{
+ if (server.isComplete())
+ {
+ return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
+ }
+
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
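Review bot: The added early return succeeds for any `response` once `server.isComplete()` is true, so bytes a client sends after the server-final message are silently accepted rather than rejected; unless some client is known to echo data back, consider guarding it with `if (response != null && response.length > 0) { return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR); }` inside the new block before the success result. The same five lines are repeated verbatim in the KerberosAuthenticationManager, PrincipalDatabaseAuthenticationManager, SimpleAuthenticationManager and SimpleLDAPAuthenticationManagerImpl hunks (and with a variant body in OAuth2AuthenticationProviderImpl), which is the kind of copy that drifts; a shared helper in the common base class would keep the completed-server handling in one place. This file's hunk ends before the `isComplete()` check that follows `evaluateResponse`, so whether it now also requires an empty challenge as the sibling files do is not visible here. The enclosing method starts before the hunk and continues past it.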
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java Mon May 30 14:53:22 2016
@@ -78,10 +78,15 @@ public class KerberosAuthenticationManag
{
try
{
+ if (server.isComplete())
+ {
+ return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
+ }
+
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
- if (server.isComplete())
+ if (server.isComplete() && (challenge == null || challenge.length == 0))
{
return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
}
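Review bot: The new condition `if (server.isComplete() && (challenge == null || challenge.length == 0))` relies on the branch outside the hunk to return CONTINUE with the non-empty final challenge, and on the early `isComplete()` return added at the top of the `try` to produce SUCCESS on the next call, but nothing in the code says so. A comment on the changed line such as `// complete but with a server-final message pending: fall through and send it as CONTINUE; the next call returns SUCCESS via the isComplete() check above` would document the two-step contract. The same applies to the identical lines in the PrincipalDatabaseAuthenticationManager, SimpleAuthenticationManager, SimpleLDAPAuthenticationManagerImpl and OAuth2AuthenticationProviderImpl hunks. The enclosing method starts before the hunk and continues past it.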
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java Mon May 30 14:53:22 2016
@@ -210,10 +210,15 @@ public abstract class PrincipalDatabaseA
{
try
{
+ if (server.isComplete())
+ {
+ return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
+ }
+
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
- if (server.isComplete())
+ if (server.isComplete() && (challenge == null || challenge.length == 0))
{
final String userId = server.getAuthorizationID();
return new AuthenticationResult(new UsernamePrincipal(userId));
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java Mon May 30 14:53:22 2016
@@ -128,10 +128,15 @@ public class SimpleAuthenticationManager
{
try
{
+ if (server.isComplete())
+ {
+ return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
+ }
+
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
- if (server.isComplete())
+ if (server.isComplete() && (challenge == null || challenge.length == 0))
{
String authorizationID = server.getAuthorizationID();
_logger.debug("Authenticated as " + authorizationID);
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java Mon May 30 14:53:22 2016
@@ -250,10 +250,15 @@ public class SimpleLDAPAuthenticationMan
{
try
{
+ if (server.isComplete())
+ {
+ return new AuthenticationResult(new UsernamePrincipal(server.getAuthorizationID()));
+ }
+
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
- if (server.isComplete())
+ if (server.isComplete() && (challenge == null || challenge.length == 0))
{
String authorizationID = server.getAuthorizationID();
_logger.debug("Authenticated as {}", authorizationID);
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java?rev=1746140&r1=1746139&r2=1746140&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java Mon May 30 14:53:22 2016
@@ -53,6 +53,7 @@ import org.apache.qpid.server.model.Mana
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager;
import org.apache.qpid.server.util.ConnectionBuilder;
import org.apache.qpid.server.util.ParameterizedTypes;
@@ -220,10 +221,16 @@ public class OAuth2AuthenticationProvide
{
try
{
+ if (server.isComplete())
+ {
+ String accessToken = (String) server.getNegotiatedProperty(OAuth2SaslServer.ACCESS_TOKEN_PROPERTY);
+ return authenticateViaAccessToken(accessToken);
+ }
+
// Process response from the client
byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);
- if (server.isComplete())
+ if (server.isComplete() && (challenge == null || challenge.length == 0))
{
String accessToken = (String) server.getNegotiatedProperty(OAuth2SaslServer.ACCESS_TOKEN_PROPERTY);
return authenticateViaAccessToken(accessToken);
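Review bot: The two lines `String accessToken = (String) server.getNegotiatedProperty(OAuth2SaslServer.ACCESS_TOKEN_PROPERTY); return authenticateViaAccessToken(accessToken);` now appear twice in the method, once in the new early return and once in the changed `isComplete()` branch; a private helper taking the `SaslServer` would remove the duplication and give the cast a single home. Neither path checks that the negotiated property is present, so a server that reports complete without having stored the property (the added test's stub returns `null` from `getNegotiatedProperty`) passes `null` to `authenticateViaAccessToken`; whether that yields a clean ERROR is not visible here and is worth an explicit `if (accessToken == null) { return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR); }`. The enclosing method starts before the hunk and continues past it.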
Added: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/AuthenticationProviderTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/AuthenticationProviderTest.java?rev=1746140&view=auto
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/AuthenticationProviderTest.java (added)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/AuthenticationProviderTest.java Mon May 30 14:53:22 2016
@@ -0,0 +1,188 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.auth;
+
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.mock;
+
+import java.io.File;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.security.auth.manager.*;
+import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
+import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProviderImplFactory;
+import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2IdentityResolverService;
+import org.apache.qpid.server.util.BrokerTestHelper;
+import org.apache.qpid.test.utils.QpidTestCase;
+import org.apache.qpid.test.utils.TestFileUtils;
+
+public class AuthenticationProviderTest extends QpidTestCase
+{
+ private Broker _broker;
+ private File _testFile;
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ _broker = BrokerTestHelper.createBrokerMock();
+ _testFile = TestFileUtils.createTempFile(this);
+ }
+
+ @Override
+ public void tearDown() throws Exception
+ {
+ try
+ {
+ if (_testFile != null)
+ {
+ _testFile.delete();
+ }
+ }
+ finally
+ {
+ super.tearDown();
+ }
+ }
+
+ public void testAuthenticateFinalChallenge() throws SaslException
+ {
+ Map<String, Object> attributes = Collections.<String, Object>singletonMap("name", "test");
+ PlainAuthenticationProvider plain = new PlainAuthenticationProviderFactory()
+ .create(_broker.getObjectFactory(), attributes, _broker);
+ MD5AuthenticationProvider md5 = new MD5AuthenticationProviderFactory()
+ .create(_broker.getObjectFactory(), attributes, _broker);
+ ScramSHA256AuthenticationManager scramSha256 = new ScramSHA256AuthenticationManagerFactory()
+ .create(_broker.getObjectFactory(), attributes, _broker);
+ ScramSHA1AuthenticationManager scramSha1 = new ScramSHA1AuthenticationManagerFactory()
+ .create(_broker.getObjectFactory(), attributes, _broker);
+ SimpleAuthenticationManager simple = new SimpleAuthenticationManager(attributes, _broker);
+
+ KerberosAuthenticationManager kerberos = new KerberosAuthenticationManagerFactory()
+ .create(_broker.getObjectFactory(), attributes, _broker);
+
+ final Map<String, Object> fileBasedProviderAttributes = new HashMap<>(attributes);
+ fileBasedProviderAttributes.put("path", _testFile.getAbsolutePath());
+ PlainPasswordDatabaseAuthenticationManager plainPasswordFile =
+ new PlainPasswordDatabaseAuthenticationManagerFactory()
+ .create(_broker.getObjectFactory(), fileBasedProviderAttributes, _broker);
+ Base64MD5PasswordDatabaseAuthenticationManager bas64Md5 =
+ new Base64MD5PasswordDatabaseAuthenticationManagerFactory()
+ .create(_broker.getObjectFactory(), fileBasedProviderAttributes, _broker);
+
+ // Oauth2 and Ldap auth providers need special services to be pre-configured
+
+ List<? extends AuthenticationProvider<?>> testAuthenticationProviders =
+ Arrays.asList(plain, md5, scramSha256, scramSha1, simple, kerberos, plainPasswordFile, bas64Md5);
+ for (AuthenticationProvider<?> provider : testAuthenticationProviders)
+ {
+ performTestAuthenticateFinalChallenge(provider);
+ }
+ }
+
+ private void performTestAuthenticateFinalChallenge(AuthenticationProvider authenticationProvider)
+ throws SaslException
+ {
+ TestSaslServer saslServer = new TestSaslServer();
+
+ AuthenticationResult result = authenticationProvider.authenticate(saslServer, new byte[1]);
+ assertEquals("Unexpected authentication status " + authenticationProvider,
+ AuthenticationResult.AuthenticationStatus.CONTINUE,
+ result.getStatus());
+ assertTrue("Unexpected challenge " + authenticationProvider, Arrays.equals(new byte[1], result.getChallenge()));
+
+ result = authenticationProvider.authenticate(saslServer, new byte[1]);
+ assertEquals("Unexpected authentication status for " + authenticationProvider,
+ AuthenticationResult.AuthenticationStatus.SUCCESS,
+ result.getStatus());
+ assertNull("Unexpected challenge " + authenticationProvider, result.getChallenge());
+ }
+
+
+ private class TestSaslServer implements SaslServer
+ {
+
+ private boolean _complete;
+
+ @Override
+ public String getMechanismName()
+ {
+ return null;
+ }
+
+ @Override
+ public byte[] evaluateResponse(final byte[] response) throws SaslException
+ {
+ if (_complete)
+ {
+ throw new IllegalStateException();
+ }
+ _complete = true;
+ return new byte[1];
+ }
+
+ @Override
+ public boolean isComplete()
+ {
+ return _complete;
+ }
+
+ @Override
+ public String getAuthorizationID()
+ {
+ return _complete ? "testPrincipal" : null;
+ }
+
+ @Override
+ public byte[] unwrap(final byte[] incoming, final int offset, final int len) throws SaslException
+ {
+ return new byte[0];
+ }
+
+ @Override
+ public byte[] wrap(final byte[] outgoing, final int offset, final int len) throws SaslException
+ {
+ return new byte[0];
+ }
+
+ @Override
+ public Object getNegotiatedProperty(final String propName)
+ {
+ return null;
+ }
+
+ @Override
+ public void dispose() throws SaslException
+ {
+
+ }
+ }
+
+}
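Review bot: `TestSaslServer.evaluateResponse` always returns `new byte[1]`, so the test only covers the complete-with-pending-server-final path (CONTINUE, then SUCCESS) and never the other half of the new condition, where `evaluateResponse` completes with an empty challenge and the first `authenticate` call must already return SUCCESS with no challenge; a second stub returning `new byte[0]` would close that gap. `AnonymousAuthenticationManager`, whose hunk in this commit changes its outcome to ERROR, is absent from `testAuthenticationProviders`, so that change is untested. On style, `performTestAuthenticateFinalChallenge(AuthenticationProvider authenticationProvider)` takes a raw type where the caller already holds `AuthenticationProvider<?>`, and `TestSaslServer` references no enclosing-instance state, so it can be declared `private static class TestSaslServer`.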