Posted to commits@qpid.apache.org by or...@apache.org on 2020/05/04 00:21:52 UTC
[qpid-broker-j] branch master updated: QPID-8426: [Broker-J] Update
service principal names in login module to match host domain
This is an automated email from the ASF dual-hosted git repository.
orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/master by this push:
new 1f94dfd QPID-8426: [Broker-J] Update service principal names in login module to match host domain
1f94dfd is described below
commit 1f94dfdaad151eba5b26794ad12ebdb2a4308366
Author: Alex Rudyy <or...@apache.org>
AuthorDate: Mon May 4 01:19:05 2020 +0100
QPID-8426: [Broker-J] Update service principal names in login module to match host domain
---
.../manager/KerberosAuthenticationManagerTest.java | 17 ++----
.../SimpleLDAPAuthenticationManagerTest.java | 13 +++--
.../auth/manager/SpnegoAuthenticatorTest.java | 20 ++-----
.../apache/qpid/server/test/KerberosUtilities.java | 64 ++++++++++------------
4 files changed, 47 insertions(+), 67 deletions(-)
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
index a633ade..4e2c922 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.java
@@ -19,6 +19,7 @@
package org.apache.qpid.server.security.auth.manager;
+import static java.nio.charset.StandardCharsets.UTF_8;
import static org.apache.qpid.server.security.auth.manager.KerberosAuthenticationManager.GSSAPI_MECHANISM;
import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertEquals;
@@ -30,9 +31,8 @@ import static org.mockito.Mockito.when;
import java.io.File;
import java.net.InetAddress;
-import java.net.URL;
import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
@@ -51,8 +51,6 @@ import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AuthenticationProvider;
@@ -70,7 +68,6 @@ import org.apache.qpid.test.utils.UnitTestBase;
public class KerberosAuthenticationManagerTest extends UnitTestBase
{
- private static final Logger LOGGER = LoggerFactory.getLogger(KerberosAuthenticationManagerTest.class);
private static final String LOGIN_CONFIG = "login.config";
private static final String REALM = "QPID.ORG";
private static final String HOST_NAME = InetAddress.getLoopbackAddress().getCanonicalHostName();
@@ -99,11 +96,9 @@ public class KerberosAuthenticationManagerTest extends UnitTestBase
assumeThat(getJvmVendor(), not(JvmVendor.IBM));
KDC.createPrincipal("broker.keytab", SERVER_PRINCIPAL_FULL_NAME);
_clientKeyTabFile = KDC.createPrincipal("client.keytab", CLIENT_PRINCIPAL_FULL_NAME);
- final URL resource = KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
- LOGGER.debug("JAAS config:" + resource);
- assertNotNull(resource);
- SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(),
- StandardCharsets.UTF_8.name()));
+ final Path loginConfig = UTILS.transformLoginConfig(LOGIN_CONFIG, HOST_NAME);
+ SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config",
+ URLDecoder.decode(loginConfig.toFile().getAbsolutePath(), UTF_8.name()));
SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false");
}
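Review bot: The new `URLDecoder.decode(loginConfig.toFile().getAbsolutePath(), UTF_8.name())` on the last two added lines URL-decodes a plain filesystem path, which is no longer a URL; a build directory containing `+` or a `%xx` sequence would be rewritten into a path that does not exist, and JAAS would then silently fail to find the login configuration. The decode was only needed while the value came from `URL.getPath()`, so `SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", loginConfig.toAbsolutePath().toString());` is sufficient here. The same pattern is introduced in this commit in `SimpleLDAPAuthenticationManagerTest.setUpJaas` and in the class setup of `SpnegoAuthenticatorTest`. The enclosing setup method starts outside the hunk, and the `UTILS` field it calls is presumably declared earlier in the class.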
@@ -120,8 +115,6 @@ public class KerberosAuthenticationManagerTest extends UnitTestBase
_kerberosAuthenticationProvider.create();
when(_broker.getChildren(AuthenticationProvider.class))
.thenReturn(Collections.singleton(_kerberosAuthenticationProvider));
-
- KerberosUtilities.debugConfig();
}
@Test
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
index 3f6efa5..ddbb5c6 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.java
@@ -30,8 +30,8 @@ import static org.mockito.Mockito.when;
import java.io.File;
import java.io.IOException;
+import java.net.InetAddress;
import java.net.InetSocketAddress;
-import java.net.URL;
import java.net.URLDecoder;
import java.nio.file.FileSystems;
import java.nio.file.Path;
@@ -49,7 +49,6 @@ import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
-import org.apache.commons.codec.CharEncoding;
import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.Entry;
@@ -91,6 +90,7 @@ import org.apache.qpid.server.security.auth.SocketConnectionPrincipal;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.test.utils.JvmVendor;
+import org.apache.qpid.server.test.KerberosUtilities;
import org.apache.qpid.test.utils.SystemPropertySetter;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.UnitTestBase;
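Review bot: The added `import org.apache.qpid.server.test.KerberosUtilities;` is placed inside the `org.apache.qpid.test.utils` group, breaking the alphabetical order the surrounding imports otherwise follow. It belongs one line earlier, directly after `import org.apache.qpid.server.security.auth.sasl.SaslSettings;`.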
@@ -150,6 +150,7 @@ public class SimpleLDAPAuthenticationManagerTest extends UnitTestBase
private static final String LOGIN_CONFIG = "login.config";
private static final String LOGIN_SCOPE = "ldap-gssapi-bind";
private static final AtomicBoolean KERBEROS_SETUP = new AtomicBoolean();
+ private static final KerberosUtilities UTILS = new KerberosUtilities();
@ClassRule
public static CreateLdapServerRule LDAP = new CreateLdapServerRule();
@@ -403,10 +404,10 @@ public class SimpleLDAPAuthenticationManagerTest extends UnitTestBase
private void setUpJaas() throws LdapException, IOException
{
createKeyTab(BROKER_PRINCIPAL);
- final URL resource = SimpleLDAPAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
- LOGGER.debug("JAAS config:" + resource);
- assertNotNull(resource);
- SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), CharEncoding.UTF_8));
+
+ final Path loginConfig = UTILS.transformLoginConfig(LOGIN_CONFIG, InetAddress.getLoopbackAddress().getCanonicalHostName());
+ SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config",
+ URLDecoder.decode(loginConfig.toFile().getAbsolutePath(), UTF_8.name()));
SYSTEM_PROPERTY_SETTER.setSystemProperty("sun.security.krb5.debug", "true");
}
diff --git a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
index 6a42fb5..28c87e5 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java
@@ -19,7 +19,7 @@
package org.apache.qpid.server.security.auth.manager;
-import static org.apache.commons.codec.CharEncoding.UTF_8;
+import static java.nio.charset.StandardCharsets.UTF_8;
import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
@@ -29,21 +29,17 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.net.InetAddress;
-import java.net.URL;
import java.net.URLDecoder;
+import java.nio.file.Path;
import java.security.Principal;
import java.util.Base64;
-import java.util.LinkedHashMap;
import java.util.Map;
-import java.util.Properties;
import org.ietf.jgss.GSSException;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.apache.qpid.server.security.TokenCarryingPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
@@ -55,14 +51,13 @@ import org.apache.qpid.test.utils.UnitTestBase;
public class SpnegoAuthenticatorTest extends UnitTestBase
{
- private static final Logger LOGGER = LoggerFactory.getLogger(SpnegoAuthenticatorTest.class);
private static final String CLIENT_NAME = "client";
private static final String HOST_NAME = InetAddress.getLoopbackAddress().getCanonicalHostName();
private static final String SERVER_NAME = "AMQP/" + HOST_NAME;
private static final String ANOTHER_SERVICE = "foo/" + HOST_NAME;
private static final String REALM = "QPID.ORG";
private static final String LOGIN_CONFIG = "login.config";
- private static final KerberosUtilities UTILS = new KerberosUtilities();;
+ private static final KerberosUtilities UTILS = new KerberosUtilities();
@ClassRule
public static final EmbeddedKdcResource KDC = new EmbeddedKdcResource(HOST_NAME, 0, "QpidTestKerberosServer", REALM);
@@ -80,13 +75,10 @@ public class SpnegoAuthenticatorTest extends UnitTestBase
KDC.createPrincipal("broker.keytab", SERVER_NAME + "@" + REALM);
KDC.createPrincipal("client.keytab", CLIENT_NAME + "@" + REALM);
KDC.createPrincipal("another.keytab", ANOTHER_SERVICE + "@" + REALM);
- final URL resource = KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
- LOGGER.debug("JAAS config:" + resource);
- assertNotNull(resource);
- SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), UTF_8));
+ final Path loginConfig = UTILS.transformLoginConfig(LOGIN_CONFIG, HOST_NAME);
+ SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config",
+ URLDecoder.decode(loginConfig.toFile().getAbsolutePath(), UTF_8.name()));
SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
- KerberosUtilities.debugConfig();
}
@Before
diff --git a/broker-core/src/test/java/org/apache/qpid/server/test/KerberosUtilities.java b/broker-core/src/test/java/org/apache/qpid/server/test/KerberosUtilities.java
index 0e65988..e04b1b9 100644
--- a/broker-core/src/test/java/org/apache/qpid/server/test/KerberosUtilities.java
+++ b/broker-core/src/test/java/org/apache/qpid/server/test/KerberosUtilities.java
@@ -20,13 +20,18 @@
package org.apache.qpid.server.test;
import static java.lang.Boolean.TRUE;
+import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
import java.util.Collections;
import java.util.HashMap;
-import java.util.LinkedHashMap;
import java.util.Map;
-import java.util.Properties;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
@@ -56,13 +61,11 @@ public class KerberosUtilities
private static final Logger LOGGER = LoggerFactory.getLogger(KerberosUtilities.class);
private static final String IBM_LOGIN_MODULE_CLASS = "com.ibm.security.auth.module.Krb5LoginModule";
private static final String SUN_LOGIN_MODULE_CLASS = "com.sun.security.auth.module.Krb5LoginModule";
- public static final String KERBEROS_LOGIN_MODULE_CLASS =
+ private static final String KERBEROS_LOGIN_MODULE_CLASS =
System.getProperty("java.vendor").contains("IBM") ? IBM_LOGIN_MODULE_CLASS : SUN_LOGIN_MODULE_CLASS;
public byte[] buildToken(String clientPrincipalName, String targetServerPrincipalName) throws GSSException
{
- debugConfig();
-
debug("Building token for client principal '{}' and server principal '{}'",
clientPrincipalName,
targetServerPrincipalName);
@@ -208,44 +211,35 @@ public class KerberosUtilities
}
}
- public static void debugConfig()
+ public void debug(String message, Object... args)
{
- if (LOGGER.isDebugEnabled())
+ LOGGER.debug(message, args);
+ if (Boolean.TRUE.toString().equalsIgnoreCase(System.getProperty("sun.security.krb5.debug")))
{
- final String krb5Conf = System.getProperty("java.security.krb5.conf");
- if (krb5Conf != null)
- {
- final File file = new File(krb5Conf);
- if (file.exists())
- {
- String config = FileUtils.readFileAsString(file);
- debug("Kerberos config: {}", config);
- }
- else
- {
- LOGGER.warn("Kerberos config file was not found in the expected location at '{}'", krb5Conf);
- }
- }
- else
- {
- LOGGER.warn("JVM system property 'java.security.krb5.conf' is not set");
- }
-
- Map<String, String> env = new LinkedHashMap<>(System.getenv());
- env.forEach((k, v) -> debug("Environment setting: {}={}", k ,v));
-
- Properties properties = new Properties(System.getProperties());
- properties.forEach((k, v) -> debug("JVM setting: {}={}", k ,v));
+ System.out.println(String.format(message.replace("{}", "%s"), args));
}
}
- public static void debug(String message, Object... args)
+ public Path transformLoginConfig(String resourceName, String hostName) throws IOException
{
- LOGGER.debug(message, args);
- if (Boolean.TRUE.toString().equalsIgnoreCase(System.getProperty("sun.security.krb5.debug")))
+ final URL resource = KerberosUtilities.class.getClassLoader().getResource(resourceName);
+ if (resource == null)
{
- System.out.println(String.format(message.replace("{}", "%s"), args));
+ throw new IllegalArgumentException(String.format("Unknown resource '%s'", resourceName));
+ }
+ final String config = new String(FileUtils.readFileAsBytes(resource.getFile()), UTF_8);
+ String newConfig = config.replace("AMQP/localhost", "AMQP/" + hostName);
+ if (IBM_LOGIN_MODULE_CLASS.equals(KERBEROS_LOGIN_MODULE_CLASS))
+ {
+ newConfig = newConfig.replace(SUN_LOGIN_MODULE_CLASS, IBM_LOGIN_MODULE_CLASS);
}
+ final Path file = Paths.get("target", resourceName);
+ Files.write(file,
+ newConfig.getBytes(UTF_8),
+ StandardOpenOption.WRITE,
+ StandardOpenOption.CREATE,
+ StandardOpenOption.TRUNCATE_EXISTING);
+ return file;
}
}
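Review bot: `transformLoginConfig` reads the resource through `resource.getFile()`, which is the raw, still percent-encoded URL path and is not a filesystem path at all when the resource is served from a jar; the callers this commit rewrites used to `URLDecoder.decode` that value before touching the file, and the new helper drops that step. Reading via `getClassLoader().getResourceAsStream(resourceName)` avoids both problems and removes the dependency on the on-disk layout of the test classpath. Separately, `Paths.get("target", resourceName)` relies on the Maven `target` directory already existing under the working directory: `StandardOpenOption.CREATE` does not create parents, so `Files.write` fails with `NoSuchFileException` when the tests are run from another working directory, which a `Files.createDirectories(file.getParent())` before the write would cover. It would also help to document that the replacement is tied to the literal service principal in the test resource, e.g. `// login.config declares the service as AMQP/localhost; rewrite it to the host name the test KDC was started with`. The rewrite below needs `java.io.InputStream` and `java.io.ByteArrayOutputStream` imports.

```java
public Path transformLoginConfig(String resourceName, String hostName) throws IOException
{
    final String config;
    try (InputStream in = KerberosUtilities.class.getClassLoader().getResourceAsStream(resourceName))
    {
        if (in == null)
        {
            throw new IllegalArgumentException(String.format("Unknown resource '%s'", resourceName));
        }
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        final byte[] buffer = new byte[4096];
        int read;
        while ((read = in.read(buffer)) != -1)
        {
            out.write(buffer, 0, read);
        }
        config = new String(out.toByteArray(), UTF_8);
    }
    // … unchanged: AMQP/localhost and login-module class replacements …
    final Path file = Paths.get("target", resourceName);
    Files.createDirectories(file.getParent());
    // … unchanged: Files.write(...) and return file …
}
```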