You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by k-wall <gi...@git.apache.org> on 2017/07/13 15:37:36 UTC
[GitHub] qpid-jms pull request #9: QPIDJMS-294: Ensure that SASL mechanism has comple...
GitHub user k-wall opened a pull request:
https://github.com/apache/qpid-jms/pull/9
QPIDJMS-294: Ensure that SASL mechanism has completed before allowing…
… authentication to complete successfully
This change allows the SCRAM mechanisms to ensure that server final message is verified correctly.
The lack of unit tests around AmqpSaslAuthenticator is bothersome. To address this, I think to extract an SaslMechanismFinder allowing a mock (and a mock Mechanism) to be substituted for unit testing purposes. This would allow simple mock based tests to be written for AmqpSaslAuthenticator and the interactions with both Proton and Mechanism verified, including the new verifyComplete path. Comments welcome.
This change would be breaking for users of the Qpid Broker J < 6.0.4 using the SCRAM SHA authentication, but simple work arounds are available (upgrading to a bug-fix release or a simple configuration change to use a different SASL mech).
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/k-wall/qpid-jms master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/qpid-jms/pull/9.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #9
----
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms issue #9: QPIDJMS-294: Ensure that SASL mechanism has completed bef...
Posted by gemmellr <gi...@git.apache.org>.
Github user gemmellr commented on the issue:
https://github.com/apache/qpid-jms/pull/9
Looks good. I gave things a try with the changes from PROTON-1486 (now pushed) against Dispatch and the C++ broker, which continue to send the explicit challange before the outcome rather than use the additional-data field, all seemed well. I assumed you used the java broker and its related changes on QPID-7787 so I skipped that.
On the unit testing, extracting a mechanism finder seems reasonable, can probably do something simple with lambdas and/or method references to essentially pass what its doing now.
I'll wait for proton-j 0.20.0 / PROTON-1486 to actually be available before merging this since it isnt yet pressing and it saves master failing to compile later once the snapshots aren't around.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms pull request #9: QPIDJMS-294: Ensure that SASL mechanism has comple...
Posted by tabish121 <gi...@git.apache.org>.
Github user tabish121 commented on a diff in the pull request:
https://github.com/apache/qpid-jms/pull/9#discussion_r127257588
--- Diff: qpid-jms-client/src/test/java/org/apache/qpid/jms/sasl/CramMD5MechanismTest.java ---
@@ -85,4 +115,21 @@ public String getName() {
}
}));
}
+
+ @Test
+ public void testIncompleteExchange() throws Exception {
+ Mechanism mechanism = new CramMD5Mechanism();
+
+ mechanism.getInitialResponse();
+
+ try {
+ mechanism.verifyComplete();
+ fail("Exception not thrown");
+ }
+ catch (SaslException e)
--- End diff --
Please fix your code formatting to match the rest of the client code.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms pull request #9: QPIDJMS-294: Ensure that SASL mechanism has comple...
Posted by tabish121 <gi...@git.apache.org>.
Github user tabish121 commented on a diff in the pull request:
https://github.com/apache/qpid-jms/pull/9#discussion_r127257449
--- Diff: qpid-jms-client/src/test/java/org/apache/qpid/jms/sasl/AbstractScramSHAMechanismTestBase.java ---
@@ -137,4 +139,25 @@ public void testServerSignatureDiffer() throws Exception {
// PASS
}
}
+
+ @Test
+ public void testIncompleteExchange() throws Exception {
+ Mechanism mechanism = getConfiguredMechanism();
+
+ byte[] clientInitialResponse = mechanism.getInitialResponse();
+ assertArrayEquals(expectedClientInitialResponse, clientInitialResponse);
+
+ byte[] clientFinalMessage = mechanism.getChallengeResponse(serverFirstMessage);
+ assertArrayEquals(expectedClientFinalMessage, clientFinalMessage);
+
+ try {
+ mechanism.verifyComplete();
+ fail("Exception not thrown");
+ }
+ catch (SaslException e)
--- End diff --
Please fix your code formatting to match the rest of the client code.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms pull request #9: QPIDJMS-294: Ensure that SASL mechanism has comple...
Posted by tabish121 <gi...@git.apache.org>.
Github user tabish121 commented on a diff in the pull request:
https://github.com/apache/qpid-jms/pull/9#discussion_r127257712
--- Diff: qpid-jms-client/src/main/java/org/apache/qpid/jms/sasl/CramMD5Mechanism.java ---
@@ -86,6 +86,14 @@ public String getName() {
}
@Override
+ public void verifyComplete() throws SaslException {
+ if (!_sentResponse)
--- End diff --
Please fix your code formatting to match the rest of the client code.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms issue #9: QPIDJMS-294: Ensure that SASL mechanism has completed bef...
Posted by k-wall <gi...@git.apache.org>.
Github user k-wall commented on the issue:
https://github.com/apache/qpid-jms/pull/9
I have refreshed the pull request and added a test case around AmqpSaslAuthenticator.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms pull request #9: QPIDJMS-294: Ensure that SASL mechanism has comple...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/qpid-jms/pull/9
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[GitHub] qpid-jms issue #9: QPIDJMS-294: Ensure that SASL mechanism has completed bef...
Posted by k-wall <gi...@git.apache.org>.
Github user k-wall commented on the issue:
https://github.com/apache/qpid-jms/pull/9
Tim, I have addressed your comments.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org