
Example 16 with RolePrincipal

use of org.apache.karaf.jaas.boot.principal.RolePrincipal in project karaf by apache.

the class GuardProxyCatalogTest method testInvocationBlocking3.

@SuppressWarnings("unchecked")
@Test
public void testInvocationBlocking3() throws Exception {
    // One implementation exposing both guarded interfaces, so a single proxy is
    // subject to two independent guard configurations (one PID per interface).
    class MyService implements TestServiceAPI, TestServiceAPI2 {

        public String doit(String s) {
            return new StringBuilder(s).reverse().toString();
        }

        public String doit() {
            return "Doing it";
        }
    }
    // Guard for TestServiceAPI: every do* method is bound to role "c".
    Dictionary<String, Object> apiOneGuard = new Hashtable<>();
    apiOneGuard.put(Constants.SERVICE_PID, "foobar");
    apiOneGuard.put("service.guard", "(objectClass=" + TestServiceAPI.class.getName() + ")");
    apiOneGuard.put("do*", "c");
    // Guard for TestServiceAPI2: a regex rule plus a plain rule for the same method;
    // the assertions below pin which roles the guard accepts for which argument.
    Dictionary<String, Object> apiTwoGuard = new Hashtable<>();
    apiTwoGuard.put(Constants.SERVICE_PID, "foobar2");
    apiTwoGuard.put("service.guard", "(objectClass=" + TestServiceAPI2.class.getName() + ")");
    apiTwoGuard.put("doit(java.lang.String)[/[tT][a]+/]", "b,d # a regex rule");
    apiTwoGuard.put("doit(java.lang.String)", "a");
    BundleContext bundleContext = mockConfigAdminBundleContext(apiOneGuard, apiTwoGuard);
    final Object proxy = testCreateProxy(bundleContext, new Class[] { TestServiceAPI.class, TestServiceAPI2.class }, new MyService());
    final TestServiceAPI apiOne = (TestServiceAPI) proxy;
    final TestServiceAPI2 apiTwo = (TestServiceAPI2) proxy;

    // Holding "c" satisfies the do* rule of the first interface.
    Subject roleC = new Subject();
    roleC.getPrincipals().add(new RolePrincipal("c"));
    Subject.doAs(roleC, (PrivilegedAction<Object>) () -> {
        assertEquals("Doing it", apiOne.doit());
        return null;
    });

    // Holding "b" and "f" (but neither "c" nor "a"): doit() is blocked, and on the
    // second interface only the argument matching the regex rule is allowed.
    Subject rolesBF = new Subject();
    rolesBF.getPrincipals().add(new RolePrincipal("b"));
    rolesBF.getPrincipals().add(new RolePrincipal("f"));
    Subject.doAs(rolesBF, (PrivilegedAction<Object>) () -> {
        try {
            assertEquals("Doing it", apiOne.doit());
            fail("Should have been blocked");
        } catch (SecurityException expected) {
            // good: "c" is not held
        }
        assertEquals("aaT", apiTwo.doit("Taa"));
        try {
            apiTwo.doit("t");
            fail("Should have been blocked");
        } catch (SecurityException expected) {
            // good: "t" falls under the plain rule, which needs "a"
        }
        return null;
    });
}

Example 17 with RolePrincipal

use of org.apache.karaf.jaas.boot.principal.RolePrincipal in project karaf by apache.

the class GuardProxyCatalogTest method testCustomRole.

@SuppressWarnings("unchecked")
@Test
public void testCustomRole() throws Exception {
    // A principal type other than RolePrincipal; the rule refers to it by class name.
    class MyRolePrincipal implements Principal {

        @Override
        public String getName() {
            return "role1";
        }
    }
    Dictionary<String, Object> guardConfig = new Hashtable<>();
    guardConfig.put(Constants.SERVICE_PID, "foobar");
    guardConfig.put("service.guard", "(objectClass=" + TestServiceAPI.class.getName() + ")");
    // Rule value of the form "<principal class>:<name>".
    guardConfig.put("doit", MyRolePrincipal.class.getName() + ":role1");
    BundleContext bundleContext = mockConfigAdminBundleContext(guardConfig);
    final Object proxy = testCreateProxy(bundleContext, new Class[] { TestServiceAPI.class }, new TestService());
    final PrivilegedAction<Object> invokeDoit = () -> {
        ((TestServiceAPI) proxy).doit();
        return null;
    };

    // A RolePrincipal carrying the same name must not satisfy a rule bound to MyRolePrincipal.
    Subject onlyRolePrincipal = new Subject();
    onlyRolePrincipal.getPrincipals().add(new RolePrincipal("role1"));
    Subject.doAs(onlyRolePrincipal, (PrivilegedAction<Object>) () -> {
        try {
            ((TestServiceAPI) proxy).doit();
            fail("Should have prevented this invocation as the custom role is required");
        } catch (SecurityException expected) {
            // good
        }
        return null;
    });

    // The custom principal on its own is enough ...
    Subject onlyCustom = new Subject();
    onlyCustom.getPrincipals().add(new MyRolePrincipal());
    Subject.doAs(onlyCustom, invokeDoit);

    // ... and an extra RolePrincipal of the same name does not get in the way.
    Subject customAndRole = new Subject();
    customAndRole.getPrincipals().add(new MyRolePrincipal());
    customAndRole.getPrincipals().add(new RolePrincipal("role1"));
    Subject.doAs(customAndRole, invokeDoit);
}

Example 18 with RolePrincipal

use of org.apache.karaf.jaas.boot.principal.RolePrincipal in project karaf by apache.

the class GuardProxyCatalogTest method testInvocationBlocking7.

@SuppressWarnings("unchecked")
@Test
public void testInvocationBlocking7() throws Exception {
    // Specific rules for foo() and bar, plus a "*" -> "*" catch-all; the assertions
    // below pin that the catch-all only applies to methods not covered by a specific rule.
    Dictionary<String, Object> guardConfig = new Hashtable<>();
    guardConfig.put(Constants.SERVICE_PID, "foobar");
    guardConfig.put("service.guard", "(objectClass=" + TestServiceAPI3.class.getName() + ")");
    guardConfig.put("foo()", "a");
    guardConfig.put("bar", "b");
    guardConfig.put("*", "*");
    BundleContext bundleContext = mockConfigAdminBundleContext(guardConfig);
    final Object proxy = testCreateProxy(bundleContext, new Class[] { TestServiceAPI3.class }, new TestService3());
    final TestServiceAPI3 guarded = (TestServiceAPI3) proxy;

    // Without any role only foo(int) (covered by the catch-all) goes through.
    Subject noRoles = new Subject();
    Subject.doAs(noRoles, (PrivilegedAction<Object>) () -> {
        assertEquals("Should have allowed this invocation for any (or no) role", -7, guarded.foo(7));
        try {
            guarded.foo();
            fail("Should have been blocked");
        } catch (SecurityException expected) {
            // good: foo() needs "a"
        }
        try {
            guarded.bar();
            fail("Should have been blocked");
        } catch (SecurityException expected) {
            // good: bar needs "b"
        }
        return null;
    });

    // With "a", "b" (and an unrelated "d") every method is callable.
    Subject allRoles = new Subject();
    for (String role : new String[] { "a", "b", "d" }) {
        allRoles.getPrincipals().add(new RolePrincipal(role));
    }
    Subject.doAs(allRoles, (PrivilegedAction<Object>) () -> {
        assertEquals(42, guarded.foo());
        assertEquals(99, guarded.bar());
        assertEquals(-32767, guarded.foo(32767));
        return null;
    });
}

Example 19 with RolePrincipal

use of org.apache.karaf.jaas.boot.principal.RolePrincipal in project karaf by apache.

the class LDAPPubkeyLoginModule method doLogin.

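/**
 * Authenticates the caller with a public key against LDAP and populates {@code principals}.
 * <p>
 * Steps: obtain the user name and public key from the callback handler, resolve the user DN
 * through the LDAP cache, verify the presented key for that DN, then load the user's roles.
 *
 * @return {@code true} when the user was authenticated and principals were populated;
 *         {@code false} when no DN can be resolved for the user name (unknown user)
 * @throws LoginException when the callbacks cannot be served, the LDAP server cannot be
 *         reached, public key authentication fails, or the roles cannot be retrieved. The
 *         underlying exception is attached as the cause except on the non-detailed
 *         authentication-failure path, which deliberately carries no details.
 */
protected boolean doLogin() throws LoginException {
    Callback[] callbacks = new Callback[2];
    callbacks[0] = new NameCallback("Username: ");
    callbacks[1] = new PublickeyCallback();
    try {
        callbackHandler.handle(callbacks);
    } catch (IOException ioException) {
        throw withCause(new LoginException(ioException.getMessage()), ioException);
    } catch (UnsupportedCallbackException unsupportedCallbackException) {
        throw withCause(new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user."), unsupportedCallbackException);
    }
    // The user name goes into LDAP filters, so escape it (RFC 2254) before any lookup.
    user = Util.doRFC2254Encoding(((NameCallback) callbacks[0]).getName());
    PublicKey remotePubkey = ((PublickeyCallback) callbacks[1]).getPublicKey();
    LDAPOptions options = new LDAPOptions(this.options);
    if (options.isUsernameTrim() && user != null) {
        user = user.trim();
    }
    principals = new HashSet<>();
    LDAPCache cache = LDAPCache.getCache(options);
    // step 1: get the user DN
    final String[] userDnAndNamespace;
    try {
        logger.debug("Get the user DN.");
        userDnAndNamespace = cache.getUserDnAndNamespace(user);
        if (userDnAndNamespace == null) {
            // Unknown user: report "not authenticated" without explaining why.
            return false;
        }
    } catch (Exception e) {
        logger.warn("Can't connect to the LDAP server: {}", e.getMessage(), e);
        throw withCause(new LoginException("Can't connect to the LDAP server: " + e.getMessage()), e);
    }
    String userFullDn = userDnAndNamespace[0] + "," + options.getUserBaseDn();
    // step 2: pubkey authentication
    if (remotePubkey == null) {
        // Fail closed: a handler that supplied no key leaves nothing to verify.
        throw pubkeyFailure(new FailedLoginException("No public key was provided"));
    }
    try {
        authenticatePubkey(userFullDn, remotePubkey, cache);
    } catch (NamingException e) {
        logger.warn("Can't connect to the LDAP server: {}", e.getMessage(), e);
        throw withCause(new LoginException("Can't connect to the LDAP server: " + e.getMessage()), e);
    } catch (FailedLoginException e) {
        throw pubkeyFailure(e);
    }
    principals.add(new UserPrincipal(user));
    // step 3: retrieving user roles
    try {
        String[] roles = cache.getUserRoles(user, userDnAndNamespace[0], userDnAndNamespace[1]);
        for (String role : roles) {
            principals.add(new RolePrincipal(role));
        }
    } catch (Exception e) {
        throw withCause(new LoginException("Can't get user " + user + " roles: " + e.getMessage()), e);
    }
    return true;
}

/**
 * Maps a rejected public key to the exception handed back to the caller.
 * The failure is always logged server-side; the client-facing message and cause are
 * only populated when {@code detailedLoginExcepion} is enabled, so the generic
 * variant does not leak the reason for the rejection.
 *
 * @param e the failure raised while verifying the key
 * @return the exception to throw
 */
private LoginException pubkeyFailure(FailedLoginException e) {
    logger.warn("Public key authentication failed for user {}: {}", user, e.getMessage(), e);
    if (!this.detailedLoginExcepion) {
        return new LoginException("Authentication failed");
    }
    return withCause(new LoginException("Public key authentication failed for user " + user + ": " + e.getMessage()), e);
}

/**
 * Attaches {@code cause} to {@code exception} and returns it, so the original stack
 * trace survives the wrapping ({@link LoginException} has no cause constructor).
 *
 * @param exception the exception to enrich
 * @param cause the underlying failure
 * @return {@code exception}, for use in a {@code throw} statement
 */
private static LoginException withCause(LoginException exception, Throwable cause) {
    exception.initCause(cause);
    return exception;
}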

Example 20 with RolePrincipal

use of org.apache.karaf.jaas.boot.principal.RolePrincipal in project karaf by apache.

the class OsgiConfigLoginModule method login.

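/**
 * Authenticates a user name/password pair against the users stored in the OSGi
 * configuration identified by the {@code PID} option, and fills {@code principals}
 * with a {@link UserPrincipal} plus one {@link RolePrincipal} per configured role.
 * <p>
 * A user entry is read from the property {@code USER_PREFIX + user} and has the form
 * {@code password,role1,role2,...}; the password is checked via {@code checkPassword}.
 *
 * @return {@code true} when the user was authenticated
 * @throws FailedLoginException when the user is unknown or the password does not match;
 *         the message stays generic ("login failed") unless {@code detailedLoginExcepion}
 *         is set, so callers cannot tell the two cases apart by default
 * @throws LoginException when the callbacks cannot be served or the configuration cannot
 *         be read; the underlying exception is attached as the cause
 */
public boolean login() throws LoginException {
    PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
    try {
        String pid = (String) options.get(PID);
        Configuration config = ConfigAdminHolder.getService().getConfiguration(pid, null);
        Dictionary<String, Object> properties = config.getProperties();
        if (properties == null) {
            // getConfiguration() may return a configuration that was never updated; there
            // are no users in it, so no credential can ever be accepted.
            throw new LoginException("Unable to authenticate user: configuration " + pid + " has no properties");
        }
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("Username: ");
        callbacks[1] = passwordCallback;
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException ioe) {
            throw (LoginException) new LoginException(ioe.getMessage()).initCause(ioe);
        } catch (UnsupportedCallbackException uce) {
            throw (LoginException) new LoginException(uce.getMessage() + " not available to obtain information from user").initCause(uce);
        }
        String user = ((NameCallback) callbacks[0]).getName();
        // A handler that sets no password yields null; treat it as an empty password so
        // the outcome is a normal failed login rather than an NPE reported as a config error.
        char[] providedPassword = passwordCallback.getPassword();
        String password = providedPassword == null ? "" : new String(providedPassword);
        String userInfos = (String) properties.get(USER_PREFIX + user);
        if (userInfos == null) {
            throw failedLogin("User does not exist");
        }
        String[] infos = userInfos.split(",");
        String storedPassword = infos[0];
        // check the provided password
        if (!checkPassword(password, storedPassword)) {
            throw failedLogin("Password for " + user + " does not match");
        }
        principals = new HashSet<>();
        principals.add(new UserPrincipal(user));
        for (int i = 1; i < infos.length; i++) {
            principals.add(new RolePrincipal(infos[i]));
        }
        return true;
    } catch (LoginException e) {
        throw e;
    } catch (Exception e) {
        throw (LoginException) new LoginException("Unable to authenticate user").initCause(e);
    } finally {
        // Do not keep the password characters in the callback longer than needed.
        passwordCallback.clearPassword();
        callbackHandler = null;
        options = null;
    }
}

/**
 * Builds the exception for a rejected credential. The detailed reason is exposed only
 * when {@code detailedLoginExcepion} is set; otherwise the generic "login failed" message
 * avoids telling the caller whether the user name exists.
 *
 * @param detailedReason the reason to report when detailed messages are enabled
 * @return the exception to throw
 */
private FailedLoginException failedLogin(String detailedReason) {
    return new FailedLoginException(this.detailedLoginExcepion ? detailedReason : "login failed");
}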
