
Example 1 with BasicSecurityAuthenticationException

use of org.apache.druid.security.basic.BasicSecurityAuthenticationException in project druid by druid-io.

In the class BasicHTTPAuthenticatorTest, method testBadPasswordWithSkipOnFailureValidator.

@Test
public void testBadPasswordWithSkipOnFailureValidator() throws IOException, ServletException {
    // Strict validator mock: exactly one lookup for "userA" with the wrong password is expected,
    // and it is answered by throwing BasicSecurityAuthenticationException.
    // NOTE(review): the ninth constructor argument (true) is presumably the skip-on-failure flag
    // the test name refers to — confirm against BasicHTTPAuthenticator's constructor.
    CredentialsValidator mockValidator = EasyMock.createMock(CredentialsValidator.class);
    BasicHTTPAuthenticator authenticator = new BasicHTTPAuthenticator(
        CACHE_MANAGER_PROVIDER, "basic", "basic", null, null, false, null, null, true, mockValidator
    );
    EasyMock.expect(
        mockValidator.validateCredentials(
            EasyMock.eq("basic"),
            EasyMock.eq("basic"),
            EasyMock.eq("userA"),
            EasyMock.aryEq("badpassword".toCharArray())
        )
    ).andThrow(new BasicSecurityAuthenticationException("User authentication failed.")).times(1);
    EasyMock.replay(mockValidator);

    // Incoming request carrying "Authorization: Basic base64(userA:badpassword)".
    String authorizationHeader = StringUtils.format("Basic %s", StringUtils.utf8Base64("userA:badpassword"));
    HttpServletRequest request = EasyMock.createMock(HttpServletRequest.class);
    EasyMock.expect(request.getHeader("Authorization")).andReturn(authorizationHeader);
    EasyMock.replay(request);

    // The client must get exactly one 401 carrying the validator's failure message.
    HttpServletResponse response = EasyMock.createMock(HttpServletResponse.class);
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User authentication failed.");
    EasyMock.expectLastCall().times(1);
    EasyMock.replay(response);

    // No expectations are recorded on the chain, so any call on it fails verification:
    // a rejected request must not be passed further down the filter chain.
    FilterChain chain = EasyMock.createMock(FilterChain.class);
    EasyMock.replay(chain);

    Filter authenticatorFilter = authenticator.getFilter();
    authenticatorFilter.doFilter(request, response, chain);
    EasyMock.verify(request, response, mockValidator, chain);
}

Example 2 with BasicSecurityAuthenticationException

use of org.apache.druid.security.basic.BasicSecurityAuthenticationException in project druid by druid-io.

In the class LDAPCredentialsValidator, method validateCredentials.

/**
 * Authenticates {@code username} against LDAP, using a local cache of salted password hashes
 * to avoid a directory round trip for recently authenticated users.
 *
 * <p>Outcomes, in order of evaluation:
 * <ul>
 *   <li>cache hit with matching credentials: returns an {@link AuthenticationResult} immediately;</li>
 *   <li>user not found in LDAP, or a {@link NamingException} during the lookup: returns {@code null};</li>
 *   <li>user found but the bind with the supplied password fails: throws
 *       {@link BasicSecurityAuthenticationException};</li>
 *   <li>bind succeeds: a fresh salt + hash of the password is cached (the plaintext is not) and an
 *       {@link AuthenticationResult} is returned.</li>
 * </ul>
 *
 * <p>NOTE(review): a lookup error (e.g. the directory being unreachable) is logged and reported
 * the same way as an unknown user ({@code null}); whether callers then fall through to other
 * authenticators is decided outside this method — confirm that is the intended behaviour.
 *
 * @param authenticatorName name of the authenticator recorded in the result
 * @param authorizerName    name of the authorizer recorded in the result
 * @param username          user to authenticate; also the cache key
 * @param password          password to verify
 * @return an {@link AuthenticationResult} on success, {@code null} if the user is unknown or the
 *         LDAP lookup failed
 * @throws BasicSecurityAuthenticationException if the user exists but the password is rejected
 */
@Override
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    SearchResult userResult;
    LdapName userDn;
    Map<String, Object> contextMap = new HashMap<>();
    // Fast path: a cached principal whose stored salted hash matches the presented password is
    // accepted without contacting LDAP. A cache hit with a non-matching password falls through
    // to the full LDAP check below rather than being rejected here.
    LdapUserPrincipal principal = this.cache.getOrExpire(username);
    if (principal != null && principal.hasSameCredentials(password)) {
        contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, principal.getSearchResult());
        return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
    } else {
        // The context class loader is swapped for the duration of the directory lookup and
        // restored in the outer finally, whichever way the lookup ends.
        ClassLoader currentClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            // Set the context classloader same as the loader of this class so that BasicSecuritySSLSocketFactory
            // class can be found
            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
            InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
            try {
                // Resolve the user's entry (and thus its DN) with the service bind, not the user's.
                userResult = getLdapUserObject(this.ldapConfig, dirContext, username);
                if (userResult == null) {
                    LOG.debug("User not found: %s", username);
                    return null;
                }
                userDn = new LdapName(userResult.getNameInNamespace());
            } finally {
                try {
                    dirContext.close();
                } catch (Exception ignored) {
                // best-effort close; a failure here must not mask the lookup outcome
                }
            }
        } catch (NamingException e) {
            // Lookup problems are not authentication failures: report "no result" and let the
            // caller decide, rather than throwing.
            LOG.error(e, "Exception during user lookup");
            return null;
        } finally {
            Thread.currentThread().setContextClassLoader(currentClassLoader);
        }
        // Verify the password by binding as the resolved DN.
        // NOTE(review): validatePassword is outside this view — confirm it rejects an empty
        // password before attempting the bind, since an LDAP simple bind with an empty password
        // can succeed as an unauthenticated bind on some servers.
        if (!validatePassword(this.ldapConfig, userDn, password)) {
            LOG.debug("Password incorrect for LDAP user %s", username);
            throw new BasicSecurityAuthenticationException("User LDAP authentication failed.");
        }
        // Cache only a salted hash of the password (with the configured iteration count), never
        // the plaintext, so later requests can take the fast path above.
        byte[] salt = BasicAuthUtils.generateSalt();
        byte[] hash = BasicAuthUtils.hashPassword(password, salt, this.ldapConfig.getCredentialIterations());
        LdapUserPrincipal newPrincipal = new LdapUserPrincipal(username, new BasicAuthenticatorCredentials(salt, hash, this.ldapConfig.getCredentialIterations()), userResult);
        this.cache.put(username, newPrincipal);
        contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult);
        return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
    }
}

Example 3 with BasicSecurityAuthenticationException

use of org.apache.druid.security.basic.BasicSecurityAuthenticationException in project druid by druid-io.

In the class MetadataStoreCredentialsValidator, method validateCredentials.

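/**
 * Authenticates {@code username} against the users held in the metadata-store cache for
 * {@code authenticatorName}.
 *
 * <p>The presented password is re-hashed with the stored salt and iteration count and compared
 * with the stored hash using {@link java.security.MessageDigest#isEqual(byte[], byte[])}, which
 * does not short-circuit on the first differing byte; a plain {@code Arrays.equals} would make
 * the comparison time depend on how much of the hash matched.
 *
 * <p>NOTE(review): an unknown user returns before any hashing is done, whereas a wrong password
 * pays the full cost of {@code BasicAuthUtils.hashPassword}; if that cost is significant the
 * two cases are distinguishable by response time. Whether that matters here depends on the
 * deployment — confirm.
 *
 * @param authenticatorName authenticator whose user map is consulted, recorded in the result
 * @param authorizerName    authorizer recorded in the result
 * @param username          user to authenticate
 * @param password          password to verify
 * @return an {@link AuthenticationResult} when the password matches; {@code null} when the user
 *         does not exist or has no stored credentials
 * @throws IAE if no user map is cached for {@code authenticatorName}
 * @throws BasicSecurityAuthenticationException if the user exists but the password does not match
 */
@Override
@Nullable
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    Map<String, BasicAuthenticatorUser> userMap = cacheManager.get().getUserMap(authenticatorName);
    if (userMap == null) {
        throw new IAE("No userMap is available for authenticator with prefix: [%s]", authenticatorName);
    }
    BasicAuthenticatorUser user = userMap.get(username);
    if (user == null) {
        return null;
    }
    BasicAuthenticatorCredentials credentials = user.getCredentials();
    if (credentials == null) {
        return null;
    }
    // Re-derive the hash with the user's own salt and iteration count, then compare in
    // constant time. Fully qualified to avoid depending on the file's import list.
    byte[] recalculatedHash = BasicAuthUtils.hashPassword(password, credentials.getSalt(), credentials.getIterations());
    if (java.security.MessageDigest.isEqual(recalculatedHash, credentials.getHash())) {
        return new AuthenticationResult(username, authorizerName, authenticatorName, null);
    } else {
        LOG.debug("Password incorrect for metadata store user %s", username);
        throw new BasicSecurityAuthenticationException("User metadata store authentication failed.");
    }
}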
