Posted to commits@knox.apache.org by lm...@apache.org on 2016/09/02 18:58:18 UTC
knox git commit: KNOX-740 - Address new coverity scan issues (Sandeep
More via lmccay)
Repository: knox
Updated Branches:
refs/heads/master e5ef45aae -> b15b65f4d
KNOX-740 - Address new coverity scan issues (Sandeep More via lmccay)
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/b15b65f4
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/b15b65f4
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/b15b65f4
Branch: refs/heads/master
Commit: b15b65f4d35269a2c28cf4bbcecb43490c42a149
Parents: e5ef45a
Author: Larry McCay <lm...@hortonworks.com>
Authored: Fri Sep 2 14:57:33 2016 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Fri Sep 2 14:57:33 2016 -0400
----------------------------------------------------------------------
.../filter/ShiroSubjectIdentityAdapter.java | 2 -
.../hadoop/gateway/shirorealm/KnoxPamRealm.java | 143 +++++++++++--------
2 files changed, 81 insertions(+), 64 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/b15b65f4/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
index 692cf8d..2477589 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
@@ -67,8 +67,6 @@ public class ShiroSubjectIdentityAdapter implements Filter {
// trigger call to shiro authorization realm
// we use shiro authorization realm to look up groups
subject.hasRole("authenticatedUser");
-
- final String principalName = (String) subject.getPrincipal().toString();
CallableChain callableChain = new CallableChain(request, response, chain);
SecurityUtils.getSubject().execute(callableChain);
http://git-wip-us.apache.org/repos/asf/knox/blob/b15b65f4/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
index 84121a7..e429e26 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
@@ -68,7 +68,7 @@ import org.jvnet.libpam.UnixUser;
* for this propery.
* <p>
* For example, defining this realm in Shiro .ini:
- *
+ *
* <pre>
* [main]
* pamRealm = org.apache.shiro.realm.libpam4j.KnoxPamRealm
@@ -76,69 +76,88 @@ import org.jvnet.libpam.UnixUser;
* [urls]
* **=authcBasic
* </pre>
- *
+ *
*/
public class KnoxPamRealm extends AuthorizingRealm {
- private static final String HASHING_ALGORITHM = "SHA-1";
- private final static String SUBJECT_USER_ROLES = "subject.userRoles";
- private final static String SUBJECT_USER_GROUPS = "subject.userGroups";
- private static GatewayMessages LOG = MessagesFactory.get(GatewayMessages.class);
- private HashService hashService = new DefaultHashService();
- KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
- GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
- private static AuditService auditService = AuditServiceFactory.getAuditService();
- private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
- AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
-
- private String service;
-
- public KnoxPamRealm() {
- HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
- setCredentialsMatcher(credentialsMatcher);
- }
-
- public void setService(String service) {
- this.service = service;
- }
-
- public String getService() {
- return this.service;
- }
-
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- Set<String> roles = new LinkedHashSet<String>();
-
- UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class);
- if (user != null) {
- roles.addAll(user.getUnixUser().getGroups());
- }
- SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles);
- SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles);
- GatewayLog.lookedUpUserRoles(roles, user.getName());
- return new SimpleAuthorizationInfo(roles);
- }
-
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- UsernamePasswordToken upToken = (UsernamePasswordToken) token;
- UnixUser user=null;
- try {
- user = (new PAM(this.getService())).authenticate(upToken.getUsername(),
- new String(upToken.getPassword()));
- } catch (PAMException e) {
- auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL,
- ActionOutcome.FAILURE, e.getMessage());
- ShiroLog.failedLoginInfo(token);
- ShiroLog.failedLoginAttempt(e.getCause());
- throw new AuthenticationException(e);
- }
- HashRequest.Builder builder = new HashRequest.Builder();
- Hash credentialsHash = hashService
- .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
- return new SimpleAuthenticationInfo(new UnixUserPrincipal(user) , credentialsHash.toHex(), credentialsHash.getSalt(),
- getName());
- }
+ private static final String HASHING_ALGORITHM = "SHA-1";
+ private final static String SUBJECT_USER_ROLES = "subject.userRoles";
+ private final static String SUBJECT_USER_GROUPS = "subject.userGroups";
+ private HashService hashService = new DefaultHashService();
+ KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
+ GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
+ private static AuditService auditService = AuditServiceFactory.getAuditService();
+ private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
+ AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
+
+ private String service;
+
+ public KnoxPamRealm() {
+ HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
+ setCredentialsMatcher(credentialsMatcher);
+ }
+
+ public void setService(String service) {
+ this.service = service;
+ }
+
+ public String getService() {
+ return this.service;
+ }
+
+ @Override
+ protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+ Set<String> roles = new LinkedHashSet<String>();
+
+ UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class);
+ if (user != null) {
+ roles.addAll(user.getUnixUser().getGroups());
+ }
+ SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles);
+ SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles);
+
+ /* Coverity Scan CID 1361682 */
+ String userName = null;
+
+ if (user != null) {
+ userName = user.getName();
+ }
+
+ GatewayLog.lookedUpUserRoles(roles, userName);
+ return new SimpleAuthorizationInfo(roles);
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+ UsernamePasswordToken upToken = (UsernamePasswordToken) token;
+ UnixUser user = null;
+ try {
+ user = (new PAM(this.getService())).authenticate(upToken.getUsername(), new String(upToken.getPassword()));
+ } catch (PAMException e) {
+ handleAuthFailure(token, e.getMessage(), e);
+ }
+ HashRequest.Builder builder = new HashRequest.Builder();
+ Hash credentialsHash = hashService
+ .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
+ /* Coverity Scan CID 1361684 */
+ if (credentialsHash == null) {
+ handleAuthFailure(token, "Failed to compute hash", null);
+ }
+ return new SimpleAuthenticationInfo(new UnixUserPrincipal(user), credentialsHash.toHex(), credentialsHash.getSalt(),
+ getName());
+ }
+
+ private void handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) {
+ auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL, ActionOutcome.FAILURE,
+ errorMessage);
+ ShiroLog.failedLoginInfo(token);
+
+ if (e != null) {
+ ShiroLog.failedLoginAttempt(e.getCause());
+ throw new AuthenticationException(e);
+ }
+
+ throw new AuthenticationException(errorMessage);
+ }
}
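Review bot: In doGetAuthenticationInfo both failure paths now rely on the void helper handleAuthFailure always throwing, and nothing in the method itself stops execution if a later edit lets that helper return. The credentials hash is computed from the token's own credentials (`setSource(token.getCredentials())`) and the constructor installs a HashedCredentialsMatcher with the same algorithm, so the matcher looks unable to reject anything; the PAM call is the only real gate, and falling through would build a SimpleAuthenticationInfo around a null `user`. I would make the rejection visible at the call sites by having the helper return the exception, `throw handleAuthFailure(token, e.getMessage(), e);`, and add `if (user == null) { throw new AuthenticationException("PAM returned no user"); }` before the hash is computed. Separately, `token.getPrincipal().toString()` inside the helper would throw a NullPointerException for a token without a principal, which would skip the audit record for that failed login.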