
Example 6 with ConnectionProperties

use of io.crate.protocols.postgres.ConnectionProperties in project crate by crate.

the class ClientCertAuthTest method testHttpClientCertAuthFailsOnUserMissMatchWithCN.

/**
 * Client-certificate auth over HTTP must reject a login whose user name differs from the
 * certificate's common name.
 *
 * <p>The expected message pins both values: CN "example.com" versus the requested user
 * "arthur_is_wrong". The user lookup always yields {@code exampleUser}, so the rejection
 * asserted here comes from the name comparison and not from an unknown user.
 */
@Test
public void testHttpClientCertAuthFailsOnUserMissMatchWithCN() throws Exception {
    // sslSession is a fixture defined outside this snippet; presumably it carries a peer
    // certificate with CN "example.com" — verify against the test's setup.
    ConnectionProperties httpOverTls =
        new ConnectionProperties(InetAddresses.forString("127.0.0.1"), Protocol.HTTP, sslSession);
    ClientCertAuth certAuth = new ClientCertAuth(userName -> exampleUser);

    // Register the expectation before the call that is supposed to throw.
    expectedException.expectMessage("Common name \"example.com\" in client certificate doesn't match username \"arthur_is_wrong\"");

    // No password is supplied (null): only the certificate takes part in this check.
    certAuth.authenticate("arthur_is_wrong", null, httpOverTls);
}
Also used : ConnectionProperties(io.crate.protocols.postgres.ConnectionProperties) Test(org.junit.Test)

Example 7 with ConnectionProperties

use of io.crate.protocols.postgres.ConnectionProperties in project crate by crate.

the class HttpAuthUpstreamHandler method handleHttpRequest.

/**
 * Authenticates an incoming HTTP request and forwards it down the pipeline only on success.
 *
 * <p>Credentials are read from the request (together with the TLS session, if any). When the
 * user name equals the value already stored in {@code authorizedUser}, the request is
 * forwarded without running an authentication method again, so the password sent with that
 * request is not checked. Otherwise an authentication method is resolved from the user name
 * and the connection properties (address, HTTP protocol, TLS session). If no method matches,
 * or the method throws, {@code sendUnauthorized} is called and the request is not forwarded.
 *
 * @param ctx     channel context used to forward the request or to answer it
 * @param request the HTTP request being authenticated
 */
private void handleHttpRequest(ChannelHandlerContext ctx, HttpRequest request) {
    SSLSession tlsSession = getSession(ctx.channel());
    Tuple<String, SecureString> creds = credentialsFromRequest(request, tlsSession, settings);
    String username = creds.v1();
    // NOTE(review): this SecureString is never closed in this method — confirm who is
    // responsible for clearing the secret once authentication is done.
    SecureString password = creds.v2();

    // Fast path: same user name as the one remembered in authorizedUser. Only the name is
    // compared here; the password of this request plays no role.
    if (username.equals(authorizedUser)) {
        ctx.fireChannelRead(request);
        return;
    }

    // NOTE(review): the helper's name suggests the address may be taken from the request
    // rather than the socket. Host-based rules are matched against it, so a client-supplied
    // value should only be honoured behind a trusted proxy — verify in the helper.
    InetAddress clientAddress = addressFromRequestOrChannel(request, ctx.channel());
    ConnectionProperties connProps = new ConnectionProperties(clientAddress, Protocol.HTTP, tlsSession);
    AuthenticationMethod method = authService.resolveAuthenticationType(username, connProps);

    // Guard: no host-based-auth entry matches, so reject before attempting authentication.
    if (method == null) {
        // The client-supplied user name is echoed back in the response text.
        String rejection = String.format(
            Locale.ENGLISH,
            "No valid auth.host_based.config entry found for host \"%s\", user \"%s\", protocol \"%s\". Did you enable TLS in your client?",
            clientAddress.getHostAddress(),
            username,
            Protocol.HTTP.toString());
        sendUnauthorized(ctx.channel(), rejection);
        return;
    }

    try {
        User authenticated = method.authenticate(username, password, connProps);
        // A null result only suppresses the trace line; it does not stop the request.
        // Failure is signalled solely by an exception.
        // NOTE(review): confirm the AuthenticationMethod contract intends null to mean success.
        if (authenticated != null) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Authentication succeeded user \"{}\" and method \"{}\".", username, method.name());
            }
        }
        // Remember the name so later requests take the fast path above.
        authorizedUser = username;
        // Forwarding happens inside the try: anything thrown here is also handled below
        // and answered as an authentication failure.
        ctx.fireChannelRead(request);
    } catch (Exception e) {
        // The exception itself is not logged, only method, user and address. The user name
        // is client-supplied and written as received.
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("{} authentication failed for user={} from connection={}", method.name(), username, connProps.address());
        }
        // The raw exception message goes to the unauthenticated client. Because every
        // Exception is caught, this is not limited to authentication errors, and the
        // message may be null.
        sendUnauthorized(ctx.channel(), e.getMessage());
    }
}
Also used : User(io.crate.user.User) ConnectionProperties(io.crate.protocols.postgres.ConnectionProperties) SSLSession(javax.net.ssl.SSLSession) SecureString(org.elasticsearch.common.settings.SecureString) InetAddress(java.net.InetAddress) SecureString(org.elasticsearch.common.settings.SecureString) SSLPeerUnverifiedException(javax.net.ssl.SSLPeerUnverifiedException)

Example 8 with ConnectionProperties

use of io.crate.protocols.postgres.ConnectionProperties in project crate by crate.

the class HostBasedAuthenticationTest method testHttpSSLOption.

/**
 * Checks how the per-entry SSL option of a host-based-auth rule filters HTTP connections.
 *
 * <p>Two connections from the same address are probed against entry 1: one carrying a TLS
 * session and one without. The three modes must behave as follows:
 * OPTIONAL matches both, REQUIRED matches only the TLS connection, NEVER matches only the
 * plaintext connection.
 */
@Test
public void testHttpSSLOption() throws Exception {
    // Entry 1 of the shared HBA_1 fixture, restricted to the HTTP protocol.
    Settings httpOnly = Settings.builder()
        .put(HBA_1)
        .put("auth.host_based.config.1.protocol", "http")
        .build();
    String sslKey = "auth.host_based.config.1." + HostBasedAuthentication.SSL.KEY;

    // A mocked session stands in for "TLS is in use"; it presents no peer certificates.
    SSLSession tlsSession = mock(SSLSession.class);
    when(tlsSession.getPeerCertificates()).thenReturn(new Certificate[0]);
    ConnectionProperties overTls = new ConnectionProperties(LOCALHOST, Protocol.HTTP, tlsSession);
    ConnectionProperties plaintext = new ConnectionProperties(LOCALHOST, Protocol.HTTP, null);

    // OPTIONAL: the entry applies with or without TLS.
    Settings optionalCfg = Settings.builder()
        .put(httpOnly)
        .put(sslKey, HostBasedAuthentication.SSL.OPTIONAL.VALUE)
        .build();
    HostBasedAuthentication optionalAuth =
        new HostBasedAuthentication(optionalCfg, null, SystemDefaultDnsResolver.INSTANCE);
    assertThat(optionalAuth.getEntry("crate", plaintext), not(Optional.empty()));
    assertThat(optionalAuth.getEntry("crate", overTls), not(Optional.empty()));

    // REQUIRED: a plaintext connection must not match the entry.
    Settings requiredCfg = Settings.builder()
        .put(httpOnly)
        .put(sslKey, HostBasedAuthentication.SSL.REQUIRED.VALUE)
        .build();
    HostBasedAuthentication requiredAuth =
        new HostBasedAuthentication(requiredCfg, null, SystemDefaultDnsResolver.INSTANCE);
    assertThat(requiredAuth.getEntry("crate", plaintext), is(Optional.empty()));
    assertThat(requiredAuth.getEntry("crate", overTls), not(Optional.empty()));

    // NEVER: only the plaintext connection matches; the TLS one is excluded.
    Settings neverCfg = Settings.builder()
        .put(httpOnly)
        .put(sslKey, HostBasedAuthentication.SSL.NEVER.VALUE)
        .build();
    HostBasedAuthentication neverAuth =
        new HostBasedAuthentication(neverCfg, null, SystemDefaultDnsResolver.INSTANCE);
    assertThat(neverAuth.getEntry("crate", plaintext), not(Optional.empty()));
    assertThat(neverAuth.getEntry("crate", overTls), is(Optional.empty()));
}
Also used : ConnectionProperties(io.crate.protocols.postgres.ConnectionProperties) SSLSession(javax.net.ssl.SSLSession) Settings(org.elasticsearch.common.settings.Settings) Test(org.junit.Test)

Example 9 with ConnectionProperties

use of io.crate.protocols.postgres.ConnectionProperties in project crate by crate.

the class HostBasedAuthenticationTest method testKeyOrderIsRespectedInHbaConfig.

/**
 * Verifies that host-based-auth entries are resolved by their configured key, not by the
 * order in which they were inserted into the settings.
 *
 * <p>Entry 1 is "trust" for the PostgreSQL protocol and entry 2 is "cert" for HTTP. The
 * settings are assembled with entry 2 first; each protocol must still resolve to its own
 * entry's method.
 */
// NOTE(review): no @Test annotation is visible on this method in the snippet — confirm the
// test runner discovers it by name, otherwise it would not be executed.
public void testKeyOrderIsRespectedInHbaConfig() {
    Settings trustForPg = Settings.builder()
        .put("auth.host_based.config.1.method", "trust")
        .put("auth.host_based.config.1.protocol", "pg")
        .build();
    Settings certForHttp = Settings.builder()
        .put("auth.host_based.config.2.method", "cert")
        .put("auth.host_based.config.2.protocol", "http")
        .build();

    // Deliberately insert entry 2 before entry 1 so that insertion order and key order differ.
    Settings reversed = Settings.builder().put(certForHttp).put(trustForPg).build();
    HostBasedAuthentication hostBasedAuth =
        new HostBasedAuthentication(reversed, null, SystemDefaultDnsResolver.INSTANCE);

    // Same user and address for both probes; only the protocol differs. Neither probe has a TLS session.
    ConnectionProperties viaPostgres =
        new ConnectionProperties(InetAddresses.forString("1.2.3.4"), Protocol.POSTGRES, null);
    AuthenticationMethod pgMethod = hostBasedAuth.resolveAuthenticationType("crate", viaPostgres);
    assertThat(pgMethod, instanceOf(TrustAuthenticationMethod.class));

    ConnectionProperties viaHttp =
        new ConnectionProperties(InetAddresses.forString("1.2.3.4"), Protocol.HTTP, null);
    AuthenticationMethod httpMethod = hostBasedAuth.resolveAuthenticationType("crate", viaHttp);
    assertThat(httpMethod, instanceOf(ClientCertAuth.class));
}
Also used : ConnectionProperties(io.crate.protocols.postgres.ConnectionProperties) Settings(org.elasticsearch.common.settings.Settings)

Example 10 with ConnectionProperties

use of io.crate.protocols.postgres.ConnectionProperties in project crate by crate.

the class HostBasedAuthenticationTest method testResolveAuthMethod.

/**
 * Resolving the authentication method for user "crate" over the PostgreSQL protocol against
 * the {@code HBA_1} fixture must yield the trust method.
 */
@Test
public void testResolveAuthMethod() {
    // HBA_1 and LOCALHOST are fixtures defined outside this snippet; the rule that HBA_1
    // contains is not visible here.
    HostBasedAuthentication hostBasedAuth =
        new HostBasedAuthentication(HBA_1, null, SystemDefaultDnsResolver.INSTANCE);

    // Plain PostgreSQL connection: the TLS session argument is null.
    ConnectionProperties pgFromLocalhost = new ConnectionProperties(LOCALHOST, Protocol.POSTGRES, null);
    AuthenticationMethod resolved = hostBasedAuth.resolveAuthenticationType("crate", pgFromLocalhost);

    assertThat(resolved, instanceOf(TrustAuthenticationMethod.class));
}
Also used : ConnectionProperties(io.crate.protocols.postgres.ConnectionProperties) Test(org.junit.Test)

Aggregations

ConnectionProperties (io.crate.protocols.postgres.ConnectionProperties)14 Test (org.junit.Test)10 Settings (org.elasticsearch.common.settings.Settings)5 SSLSession (javax.net.ssl.SSLSession)4 InetAddress (java.net.InetAddress)2 Optional (java.util.Optional)2 AuthenticationWithSSLIntegrationTest.getAbsoluteFilePathFromClassPath (io.crate.auth.AuthenticationWithSSLIntegrationTest.getAbsoluteFilePathFromClassPath)1 User (io.crate.user.User)1 Channel (io.netty.channel.Channel)1 SelfSignedCertificate (io.netty.handler.ssl.util.SelfSignedCertificate)1 Path (java.nio.file.Path)1 Date (java.util.Date)1 HashMap (java.util.HashMap)1 SSLPeerUnverifiedException (javax.net.ssl.SSLPeerUnverifiedException)1 AuthenticationException (javax.security.sasl.AuthenticationException)1 CloseableChannel (org.elasticsearch.common.network.CloseableChannel)1 SecureString (org.elasticsearch.common.settings.SecureString)1 Before (org.junit.Before)1