Examples with DigestQop io.undertow.security.impl.DigestQop used on opensource projects

Example 1 with DigestQop

use of io.undertow.security.impl.DigestQop in project wildfly by wildfly.

the class DigestAuthenticationMechanism method handleDigestHeader.

public AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange exchange, final SecurityContext securityContext) {
    DigestContext context = exchange.getAttachment(DigestContext.ATTACHMENT_KEY);
    Map<DigestAuthorizationToken, String> parsedHeader = context.getParsedHeader();
    // Step 1 - Verify the set of tokens received to ensure valid values.
    Set<DigestAuthorizationToken> mandatoryTokens = new HashSet<>(MANDATORY_REQUEST_TOKENS);
    if (!supportedAlgorithms.contains(DigestAlgorithm.MD5)) {
        // If we don't support MD5 then the client must choose an algorithm as we can not fall back to MD5.
        mandatoryTokens.add(DigestAuthorizationToken.ALGORITHM);
    }
    if (!supportedQops.isEmpty() && !supportedQops.contains(DigestQop.AUTH)) {
        // If we do not support auth then we are mandating auth-int so force the client to send a QOP
        mandatoryTokens.add(DigestAuthorizationToken.MESSAGE_QOP);
    }
    DigestQop qop = null;
    // This check is early as is increases the list of mandatory tokens.
    if (parsedHeader.containsKey(DigestAuthorizationToken.MESSAGE_QOP)) {
        qop = DigestQop.forName(parsedHeader.get(DigestAuthorizationToken.MESSAGE_QOP));
        if (qop == null || !supportedQops.contains(qop)) {
            // We are also ensuring the client is not trying to force a qop that has been disabled.
            REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.MESSAGE_QOP.getName(), parsedHeader.get(DigestAuthorizationToken.MESSAGE_QOP));
            // TODO - This actually needs to result in a HTTP 400 Bad Request response and not a new challenge.
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        context.setQop(qop);
        mandatoryTokens.add(DigestAuthorizationToken.CNONCE);
        mandatoryTokens.add(DigestAuthorizationToken.NONCE_COUNT);
    }
    // Check all mandatory tokens are present.
    mandatoryTokens.removeAll(parsedHeader.keySet());
    if (mandatoryTokens.size() > 0) {
        for (DigestAuthorizationToken currentToken : mandatoryTokens) {
            // TODO - Need a better check and possible concatenate the list of tokens - however
            // even having one missing token is not something we should routinely expect.
            REQUEST_LOGGER.missingAuthorizationToken(currentToken.getName());
        }
        // TODO - This actually needs to result in a HTTP 400 Bad Request response and not a new challenge.
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    // Perform some validation of the remaining tokens.
    if (!realmName.equals(parsedHeader.get(DigestAuthorizationToken.REALM))) {
        REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.REALM.getName(), parsedHeader.get(DigestAuthorizationToken.REALM));
        // TODO - This actually needs to result in a HTTP 400 Bad Request response and not a new challenge.
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    if (parsedHeader.containsKey(DigestAuthorizationToken.OPAQUE)) {
        if (!OPAQUE_VALUE.equals(parsedHeader.get(DigestAuthorizationToken.OPAQUE))) {
            REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.OPAQUE.getName(), parsedHeader.get(DigestAuthorizationToken.OPAQUE));
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }
    DigestAlgorithm algorithm;
    if (parsedHeader.containsKey(DigestAuthorizationToken.ALGORITHM)) {
        algorithm = DigestAlgorithm.forName(parsedHeader.get(DigestAuthorizationToken.ALGORITHM));
        if (algorithm == null || !supportedAlgorithms.contains(algorithm)) {
            // We are also ensuring the client is not trying to force an algorithm that has been disabled.
            REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.ALGORITHM.getName(), parsedHeader.get(DigestAuthorizationToken.ALGORITHM));
            // TODO - This actually needs to result in a HTTP 400 Bad Request response and not a new challenge.
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    } else {
        // We know this is safe as the algorithm token was made mandatory
        // if MD5 is not supported.
        algorithm = DigestAlgorithm.MD5;
    }
    try {
        context.setAlgorithm(algorithm);
    } catch (NoSuchAlgorithmException e) {
        /*
             * This should not be possible in a properly configured installation.
             */
        REQUEST_LOGGER.exceptionProcessingRequest(e);
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    final String userName = parsedHeader.get(DigestAuthorizationToken.USERNAME);
    final IdentityManager identityManager = getIdentityManager(securityContext);
    final Account account;
    if (algorithm.isSession()) {
        /* This can follow one of the following: -
             *   1 - New session so use DigestCredentialImpl with the IdentityManager to
             *       create a new session key.
             *   2 - Obtain the existing session key from the session store and validate it, just use
             *       IdentityManager to validate account is still active and the current role assignment.
             */
        throw new IllegalStateException("Not yet implemented.");
    } else {
        final DigestCredential credential = new DigestCredentialImpl(context);
        account = identityManager.verify(userName, credential);
    }
    if (account == null) {
        // Authentication has failed, this could either be caused by the user not-existing or it
        // could be caused due to an invalid hash.
        securityContext.authenticationFailed(MESSAGES.authenticationFailed(userName), mechanismName);
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    // Step 3 - Verify that the nonce was eligible to be used.
    if (!validateNonceUse(context, parsedHeader, exchange)) {
        // TODO - This is the right place to make use of the decision but the check needs to be much much sooner
        // otherwise a failure server
        // side could leave a packet that could be 're-played' after the failed auth.
        // The username and password verification passed but for some reason we do not like the nonce.
        context.markStale();
        // can easily hit this point.
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    // We have authenticated the remote user.
    //sendAuthenticationInfoHeader(exchange);
    securityContext.authenticationComplete(account, mechanismName, true);
    return AuthenticationMechanismOutcome.AUTHENTICATED;
// Step 4 - Set up any QOP related requirements.
// TODO - Do QOP
}

Example 2 with DigestQop

use of io.undertow.security.impl.DigestQop in project wildfly-swarm by wildfly-swarm.

the class SecureHttpContexts method secureHandler.

/**
 * Wraps the target handler and makes it inheritSecurity.
 * Includes a predicate for relevant web contexts.
 */
private HttpHandler secureHandler(final HttpHandler toWrap, SecurityRealm securityRealm) {
    HttpHandler handler = toWrap;
    handler = new AuthenticationCallHandler(handler);
    handler = new AuthenticationConstraintHandler(handler);
    RealmIdentityManager idm = new RealmIdentityManager(securityRealm);
    Set<AuthMechanism> mechanisms = securityRealm.getSupportedAuthenticationMechanisms();
    List<AuthenticationMechanism> undertowMechanisms = new ArrayList<AuthenticationMechanism>(mechanisms.size());
    undertowMechanisms.add(wrap(new CachedAuthenticatedSessionMechanism(), null));
    for (AuthMechanism current : mechanisms) {
        switch(current) {
            case DIGEST:
                List<DigestAlgorithm> digestAlgorithms = Collections.singletonList(DigestAlgorithm.MD5);
                List<DigestQop> digestQops = Collections.singletonList(DigestQop.AUTH);
                undertowMechanisms.add(wrap(new DigestAuthenticationMechanism(digestAlgorithms, digestQops, securityRealm.getName(), "Monitor", new SimpleNonceManager()), current));
                break;
            case PLAIN:
                undertowMechanisms.add(wrap(new BasicAuthenticationMechanism(securityRealm.getName()), current));
                break;
            case LOCAL:
                break;
            default:
        }
    }
    handler = new AuthenticationMechanismsHandler(handler, undertowMechanisms);
    handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, idm, handler);
    // the predicate handler takes care that all of the above
    // will only be enacted on relevant web contexts
    handler = new PredicateHandler(exchange -> {
        if (!monitor.getSecurityRealm().isPresent()) {
            return false;
        }
        if (Queries.isAggregatorEndpoint(monitor, exchange.getRelativePath())) {
            return true;
        }
        if (Queries.isDirectAccessToHealthEndpoint(monitor, exchange.getRelativePath())) {
            if (!hasTokenAuth(exchange)) {
                return true;
            }
            return false;
        }
        if (HttpContexts.getDefaultContextNames().contains(exchange.getRelativePath())) {
            return true;
        }
        return false;
    }, handler, toWrap);
    return handler;
}

Example 3 with DigestQop

use of io.undertow.security.impl.DigestQop in project wildfly-swarm by wildfly-swarm.

the class SecureHttpContexts method secureHandler.

/**
 * Wraps the target handler and makes it inheritSecurity.
 * Includes a predicate for relevant web contexts.
 */
@SuppressWarnings("deprecation")
private HttpHandler secureHandler(final HttpHandler toWrap, SecurityRealm securityRealm) {
    HttpHandler handler = toWrap;
    handler = new AuthenticationCallHandler(handler);
    handler = new AuthenticationConstraintHandler(handler);
    RealmIdentityManager idm = new RealmIdentityManager(securityRealm);
    Set<AuthMechanism> mechanisms = securityRealm.getSupportedAuthenticationMechanisms();
    List<AuthenticationMechanism> undertowMechanisms = new ArrayList<AuthenticationMechanism>(mechanisms.size());
    undertowMechanisms.add(wrap(new CachedAuthenticatedSessionMechanism(), null));
    for (AuthMechanism current : mechanisms) {
        switch(current) {
            case DIGEST:
                List<DigestAlgorithm> digestAlgorithms = Collections.singletonList(DigestAlgorithm.MD5);
                List<DigestQop> digestQops = Collections.singletonList(DigestQop.AUTH);
                undertowMechanisms.add(wrap(new DigestAuthenticationMechanism(digestAlgorithms, digestQops, securityRealm.getName(), "Monitor", new SimpleNonceManager()), current));
                break;
            case PLAIN:
                undertowMechanisms.add(wrap(new BasicAuthenticationMechanism(securityRealm.getName()), current));
                break;
            case LOCAL:
                break;
            default:
        }
    }
    handler = new AuthenticationMechanismsHandler(handler, undertowMechanisms);
    handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, idm, handler);
    // the predicate handler takes care that all of the above
    // will only be enacted on relevant web contexts
    handler = new PredicateHandler(exchange -> {
        if (!monitor.getSecurityRealm().isPresent()) {
            return false;
        }
        if (Queries.isAggregatorEndpoint(monitor, exchange.getRelativePath())) {
            return true;
        }
        if (Queries.isDirectAccessToHealthEndpoint(monitor, exchange.getRelativePath())) {
            if (!hasTokenAuth(exchange)) {
                return true;
            }
            return false;
        }
        if (HttpContexts.getDefaultContextNames().contains(exchange.getRelativePath())) {
            return true;
        }
        return false;
    }, handler, toWrap);
    return handler;
}

Example 4 with DigestQop

use of io.undertow.security.impl.DigestQop in project undertow by undertow-io.

the class DigestAuthentication2069TestCase method getTestMechanisms.

@Override
protected List<AuthenticationMechanism> getTestMechanisms() {
    List<DigestQop> qopList = Collections.emptyList();
    AuthenticationMechanism mechanism = new DigestAuthenticationMechanism(Collections.singletonList(DigestAlgorithm.MD5), qopList, REALM_NAME, "/", new SimpleNonceManager());
    return Collections.singletonList(mechanism);
}