Posted to commits@knox.apache.org by lm...@apache.org on 2016/09/02 18:58:18 UTC

knox git commit: KNOX-740 - Address new coverity scan issues (Sandeep More via lmccay)

Repository: knox
Updated Branches:
  refs/heads/master e5ef45aae -> b15b65f4d


KNOX-740 - Address new coverity scan issues (Sandeep More via lmccay)

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/b15b65f4
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/b15b65f4
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/b15b65f4

Branch: refs/heads/master
Commit: b15b65f4d35269a2c28cf4bbcecb43490c42a149
Parents: e5ef45a
Author: Larry McCay <lm...@hortonworks.com>
Authored: Fri Sep 2 14:57:33 2016 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Fri Sep 2 14:57:33 2016 -0400

----------------------------------------------------------------------
 .../filter/ShiroSubjectIdentityAdapter.java     |   2 -
 .../hadoop/gateway/shirorealm/KnoxPamRealm.java | 143 +++++++++++--------
 2 files changed, 81 insertions(+), 64 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/b15b65f4/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
index 692cf8d..2477589 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
@@ -67,8 +67,6 @@ public class ShiroSubjectIdentityAdapter implements Filter {
     // trigger call to shiro authorization realm
     // we use shiro authorization realm to look up groups
     subject.hasRole("authenticatedUser");
-    
-    final String principalName = (String) subject.getPrincipal().toString();
 
     CallableChain callableChain = new CallableChain(request, response, chain);
     SecurityUtils.getSubject().execute(callableChain);

http://git-wip-us.apache.org/repos/asf/knox/blob/b15b65f4/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
index 84121a7..e429e26 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
@@ -68,7 +68,7 @@ import org.jvnet.libpam.UnixUser;
  * for this propery.
  * <p>
  * For example, defining this realm in Shiro .ini:
- * 
+ *
  * <pre>
  * [main]
  * pamRealm = org.apache.shiro.realm.libpam4j.KnoxPamRealm
@@ -76,69 +76,88 @@ import org.jvnet.libpam.UnixUser;
  * [urls]
  * **=authcBasic
  * </pre>
- * 
+ *
  */
 
 public class KnoxPamRealm extends AuthorizingRealm {
-	private static final String HASHING_ALGORITHM = "SHA-1";
-	private final static String  SUBJECT_USER_ROLES = "subject.userRoles";
-	private final static String  SUBJECT_USER_GROUPS = "subject.userGroups";
-	private static GatewayMessages LOG = MessagesFactory.get(GatewayMessages.class);
-	private HashService hashService = new DefaultHashService();
-	KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
-	GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
-	private static AuditService auditService = AuditServiceFactory.getAuditService();
-	private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
-			AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
-
-	private String service;
-
-	public KnoxPamRealm() {
-		HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
-		setCredentialsMatcher(credentialsMatcher);
-	}
-
-	public void setService(String service) {
-		this.service = service;
-	}
-
-	public String getService() {
-		return this.service;
-	}
-
-	@Override
-	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-		Set<String> roles = new LinkedHashSet<String>();
-
-		UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class);
-		if (user != null) {
-			roles.addAll(user.getUnixUser().getGroups());
-		}
-		SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles);
-		SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles);
-		GatewayLog.lookedUpUserRoles(roles, user.getName());
-		return new SimpleAuthorizationInfo(roles);
-	}
-
-	@Override
-	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
-		UsernamePasswordToken upToken = (UsernamePasswordToken) token;
-		UnixUser user=null;
-		try {
-            user = (new PAM(this.getService())).authenticate(upToken.getUsername(), 
-            		new String(upToken.getPassword()));
-		} catch (PAMException e) {
-			auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL,
-					ActionOutcome.FAILURE, e.getMessage());
-			ShiroLog.failedLoginInfo(token);
-			ShiroLog.failedLoginAttempt(e.getCause());
-			throw new AuthenticationException(e);
-		}
-		HashRequest.Builder builder = new HashRequest.Builder();
-		Hash credentialsHash = hashService
-				.computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
-		return new SimpleAuthenticationInfo(new UnixUserPrincipal(user) , credentialsHash.toHex(), credentialsHash.getSalt(),
-				getName());
-	}
+  private static final String HASHING_ALGORITHM = "SHA-1";
+  private final static String SUBJECT_USER_ROLES = "subject.userRoles";
+  private final static String SUBJECT_USER_GROUPS = "subject.userGroups";
+  private HashService hashService = new DefaultHashService();
+  KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
+  GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
+      AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
+
+  private String service;
+
+  public KnoxPamRealm() {
+    HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
+    setCredentialsMatcher(credentialsMatcher);
+  }
+
+  public void setService(String service) {
+    this.service = service;
+  }
+
+  public String getService() {
+    return this.service;
+  }
+
+  @Override
+  protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+    Set<String> roles = new LinkedHashSet<String>();
+
+    UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class);
+    if (user != null) {
+      roles.addAll(user.getUnixUser().getGroups());
+    }
+    SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles);
+    SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles);
+
+    /* Coverity Scan CID 1361682 */
+    String userName = null;
+
+    if (user != null) {
+      userName = user.getName();
+    }
+
+    GatewayLog.lookedUpUserRoles(roles, userName);
+    return new SimpleAuthorizationInfo(roles);
+  }
+
+  @Override
+  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
+    UnixUser user = null;
+    try {
+      user = (new PAM(this.getService())).authenticate(upToken.getUsername(), new String(upToken.getPassword()));
+    } catch (PAMException e) {
+      handleAuthFailure(token, e.getMessage(), e);
+    }
+    HashRequest.Builder builder = new HashRequest.Builder();
+    Hash credentialsHash = hashService
+        .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
+    /* Coverity Scan CID 1361684 */
+    if (credentialsHash == null) {
+      handleAuthFailure(token, "Failed to compute hash", null);
+    }
+    return new SimpleAuthenticationInfo(new UnixUserPrincipal(user), credentialsHash.toHex(), credentialsHash.getSalt(),
+        getName());
+  }
+
+  private void handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) {
+    auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL, ActionOutcome.FAILURE,
+        errorMessage);
+    ShiroLog.failedLoginInfo(token);
+
+    if (e != null) {
+      ShiroLog.failedLoginAttempt(e.getCause());
+      throw new AuthenticationException(e);
+    }
+
+    throw new AuthenticationException(errorMessage);
+  }
 
 }
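Review bot: In `doGetAuthenticationInfo`, the statements after the `catch` block and after the `credentialsHash == null` check are only safe because `handleAuthFailure` always throws. Neither the compiler nor a static analyser can see that from the call sites, so `new UnixUserPrincipal(user)` and `credentialsHash.toHex()` still read as reachable with null values. Making the helper return the `AuthenticationException` and throwing it at both call sites makes the termination explicit, as sketched below. Inside the helper, `token.getPrincipal().toString()` throws a NullPointerException if the token carries no principal, which would replace the `AuthenticationException` and skip the audit record for the failed login; `String.valueOf(token.getPrincipal())` avoids that. Separately, `new String(upToken.getPassword())` copies the password into an immutable String that cannot be cleared afterwards, which deserves at least a comment explaining why it is needed.

```java
    } catch (PAMException e) {
      throw handleAuthFailure(token, e.getMessage(), e);
    }
    // … unchanged: hash computation …
    if (credentialsHash == null) {
      throw handleAuthFailure(token, "Failed to compute hash", null);
    }

  private AuthenticationException handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) {
    auditor.audit(Action.AUTHENTICATION, String.valueOf(token.getPrincipal()), ResourceType.PRINCIPAL,
        ActionOutcome.FAILURE, errorMessage);
    // … unchanged: ShiroLog.failedLoginInfo, and failedLoginAttempt guarded by e != null …
    return e != null ? new AuthenticationException(e) : new AuthenticationException(errorMessage);
  }
```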