You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by kr...@apache.org on 2019/07/16 20:21:21 UTC

[knox] branch master updated: KNOX-1925 - KnoxPamRealm code cleanup

This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 30446bf  KNOX-1925 - KnoxPamRealm code cleanup
30446bf is described below

commit 30446bf80fefaa934d7f41d934208252cd9da53b
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Tue Jul 16 15:08:23 2019 -0400

    KNOX-1925 - KnoxPamRealm code cleanup
    
    Signed-off-by: Kevin Risden <kr...@apache.org>
---
 .../knox/gateway/shirorealm/KnoxPamRealm.java      | 66 +++++++++++++---------
 1 file changed, 38 insertions(+), 28 deletions(-)

diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/knox/gateway/shirorealm/KnoxPamRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/knox/gateway/shirorealm/KnoxPamRealm.java
index 93a5390..a0c17ec 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/knox/gateway/shirorealm/KnoxPamRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/knox/gateway/shirorealm/KnoxPamRealm.java
@@ -16,26 +16,27 @@
  *  specific language governing permissions and limitations
  *  under the License.
  */
-
 package org.apache.knox.gateway.shirorealm;
 
+import java.util.LinkedHashSet;
+import java.util.Set;
 import org.apache.knox.gateway.GatewayMessages;
 import org.apache.knox.gateway.audit.api.Action;
 import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.ResourceType;
 import org.apache.knox.gateway.audit.api.AuditService;
 import org.apache.knox.gateway.audit.api.AuditServiceFactory;
 import org.apache.knox.gateway.audit.api.Auditor;
-import org.apache.knox.gateway.audit.api.ResourceType;
 import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
 import org.apache.knox.gateway.i18n.messages.MessagesFactory;
 import org.apache.knox.gateway.shirorealm.impl.i18n.KnoxShiroMessages;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
+
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
 import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.crypto.hash.DefaultHashService;
@@ -44,13 +45,11 @@ import org.apache.shiro.crypto.hash.HashRequest;
 import org.apache.shiro.crypto.hash.HashService;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.jvnet.libpam.PAM;
 import org.jvnet.libpam.PAMException;
 import org.jvnet.libpam.UnixUser;
 
-import java.util.LinkedHashSet;
-import java.util.Set;
-
 /**
  * A Unix-style
  * <a href="http://www.kernel.org/pub/linux/libs/pam/index.html">PAM</a>
@@ -66,9 +65,9 @@ import java.util.Set;
  * <p>
  * Using a {@code KnoxPamRealm} requires a PAM {@code service} name. This is the
  * name of the file under {@code /etc/pam.d} that is used to initialise and
- * configure the PAM subsytem. Normally, this file reflects the application
+ * configure the PAM subsystem. Normally, this file reflects the application
  * using it. For example {@code gdm}, {@code su}, etc. There is no default value
- * for this propery.
+ * for this property.
  * <p>
  * For example, defining this realm in Shiro .ini:
  *
@@ -81,18 +80,19 @@ import java.util.Set;
  * </pre>
  *
  */
-
 public class KnoxPamRealm extends AuthorizingRealm {
   private static final String HASHING_ALGORITHM = "SHA-256";
   private static final String SUBJECT_USER_ROLES = "subject.userRoles";
   private static final String SUBJECT_USER_GROUPS = "subject.userGroups";
-  private HashService hashService = new DefaultHashService();
-  KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
-  GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
-  private static AuditService auditService = AuditServiceFactory.getAuditService();
-  private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
+
+  private static final AuditService auditService = AuditServiceFactory.getAuditService();
+  private static final Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
       AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
 
+  private final HashService hashService = new DefaultHashService();
+  private final KnoxShiroMessages shiroLog = MessagesFactory.get(KnoxShiroMessages.class);
+  private final GatewayMessages gatewayLog = MessagesFactory.get(GatewayMessages.class);
+
   private String service;
 
   public KnoxPamRealm() {
@@ -126,41 +126,51 @@ public class KnoxPamRealm extends AuthorizingRealm {
       userName = user.getName();
     }
 
-    GatewayLog.lookedUpUserRoles(roles, userName);
+    gatewayLog.lookedUpUserRoles(roles, userName);
     return new SimpleAuthorizationInfo(roles);
   }
 
   @Override
-  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
-    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
+  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
+      throws AuthenticationException {
+    PAM pam = null;
     UnixUser user = null;
     try {
-      user = (new PAM(this.getService())).authenticate(upToken.getUsername(), new String(upToken.getPassword()));
+      pam = new PAM(this.getService());
+      UsernamePasswordToken upToken = (UsernamePasswordToken) token;
+      user = pam.authenticate(upToken.getUsername(), new String(upToken.getPassword()));
     } catch (PAMException e) {
       handleAuthFailure(token, e.getMessage(), e);
+    } finally {
+      if(pam != null) {
+        pam.dispose();
+      }
     }
-    HashRequest.Builder builder = new HashRequest.Builder();
-    Hash credentialsHash = hashService
-        .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
+
+    HashRequest hashRequest = new HashRequest.Builder()
+                                  .setSource(token.getCredentials())
+                                  .setAlgorithmName(HASHING_ALGORITHM)
+                                  .build();
+    Hash credentialsHash = hashService.computeHash(hashRequest);
+
     /* Coverity Scan CID 1361684 */
     if (credentialsHash == null) {
       handleAuthFailure(token, "Failed to compute hash", null);
     }
-    return new SimpleAuthenticationInfo(new UnixUserPrincipal(user), credentialsHash.toHex(), credentialsHash.getSalt(),
-        getName());
+    return new SimpleAuthenticationInfo(new UnixUserPrincipal(user), credentialsHash.toHex(),
+        credentialsHash.getSalt(), getName());
   }
 
   private void handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) {
-    auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL, ActionOutcome.FAILURE,
-        errorMessage);
-    ShiroLog.failedLoginInfo(token);
+    auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(),
+        ResourceType.PRINCIPAL, ActionOutcome.FAILURE, errorMessage);
+    shiroLog.failedLoginInfo(token);
 
     if (e != null) {
-      ShiroLog.failedLoginAttempt(e.getCause());
+      shiroLog.failedLoginAttempt(e.getCause());
       throw new AuthenticationException(e);
     }
 
     throw new AuthenticationException(errorMessage);
   }
-
 }