
Example 1 with SubjectAuthenticationResult

use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.

From class OAuth2InteractiveAuthenticatorTest, method createMockOAuth2AuthenticationProvider (a Mockito test fixture):

/**
 * Builds a mocked {@link OAuth2AuthenticationProvider} wired so that three distinct
 * authorization codes exercise the three outcomes the interactive authenticator has to
 * handle: a successful login of a user who is allowed to manage the broker, a successful
 * login of a user who is then refused management access, and an outright authentication
 * failure.
 *
 * NOTE(review): the {@code mockPort} parameter is not referenced anywhere in this body;
 * the SubjectCreator lookup below is stubbed on the {@code _mockPort} field instead.
 * Presumably the caller passes that same field -- confirm, otherwise a different port
 * handed in here is silently ignored.
 *
 * @param mockPort the HTTP port the provider is expected to be reached through (see note above)
 * @return the mocked provider; its parent is a mocked {@link Broker} whose "manage" authorisation
 *         succeeds only for {@code TEST_AUTHORIZED_USER}
 * @throws URISyntaxException if {@code TEST_AUTHORIZATION_ENDPOINT} is not a valid URI
 */
private OAuth2AuthenticationProvider<?> createMockOAuth2AuthenticationProvider(final HttpPort mockPort) throws URISyntaxException {
    OAuth2AuthenticationProvider authenticationProvider = mock(OAuth2AuthenticationProvider.class);
    Broker mockBroker = mock(Broker.class);
    SubjectCreator mockSubjectCreator = mock(SubjectCreator.class);
    // Whatever secure/host arguments the code under test passes, it gets our mocked SubjectCreator.
    when(_mockPort.getSubjectCreator(anyBoolean(), anyString())).thenReturn(mockSubjectCreator);
    SubjectAuthenticationResult mockSuccessfulSubjectAuthenticationResult = mock(SubjectAuthenticationResult.class);
    SubjectAuthenticationResult mockUnauthorizedSubjectAuthenticationResult = mock(SubjectAuthenticationResult.class);
    // Both subjects are read-only (first constructor argument) and carry exactly one principal:
    // an AuthenticatedPrincipal wrapping a UsernamePrincipal. Only the user name differs, and
    // that name is what the authorisation stub below keys on.
    final Subject successfulSubject = new Subject(true, Collections.singleton(new AuthenticatedPrincipal(new UsernamePrincipal(TEST_AUTHORIZED_USER, null))), Collections.emptySet(), Collections.emptySet());
    final Subject unauthorizedSubject = new Subject(true, Collections.singleton(new AuthenticatedPrincipal(new UsernamePrincipal(TEST_UNAUTHORIZED_USER, null))), Collections.emptySet(), Collections.emptySet());
    AuthenticationResult mockSuccessfulAuthenticationResult = mock(AuthenticationResult.class);
    AuthenticationResult mockUnauthorizedAuthenticationResult = mock(AuthenticationResult.class);
    // The failure case uses real objects rather than mocks so that getStatus() genuinely reports ERROR.
    AuthenticationResult failedAuthenticationResult = new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new Exception("authentication failed"));
    SubjectAuthenticationResult failedSubjectAuthenticationResult = new SubjectAuthenticationResult(failedAuthenticationResult);
    // Simulated management authorisation: broker.authorise(PERFORM_ACTION("manage")) inspects the
    // Subject bound to the calling thread's AccessControlContext and denies everyone except
    // TEST_AUTHORIZED_USER by throwing AccessControlException. This is what turns the
    // "unauthorized" code below into a forbidden outcome rather than a failed login.
    doAnswer(new Answer() {

        @Override
        public Object answer(final InvocationOnMock invocationOnMock) throws Throwable {
            final Subject subject = Subject.getSubject(AccessController.getContext());
            // Assumes the code under test runs authorise() inside Subject.doAs with a Subject that has at
            // least one principal; with no Subject in the context this dereference would NPE instead of denying.
            if (!subject.getPrincipals().iterator().next().getName().equals(TEST_AUTHORIZED_USER)) {
                throw new AccessControlException("access denied");
            }
            return null;
        }
    }).when(mockBroker).authorise(eq(Operation.PERFORM_ACTION("manage")));
    when(authenticationProvider.getAuthorizationEndpointURI(any())).thenReturn(new URI(TEST_AUTHORIZATION_ENDPOINT));
    when(authenticationProvider.getClientId()).thenReturn(TEST_CLIENT_ID);
    when(authenticationProvider.getScope()).thenReturn(TEST_OAUTH2_SCOPE);
    when(authenticationProvider.getParent()).thenReturn(mockBroker);
    // One authorization code per outcome. Note that Mockito's matches() treats the constants as
    // regular expressions, so they must not contain unescaped regex metacharacters.
    when(authenticationProvider.authenticateViaAuthorizationCode(matches(TEST_VALID_AUTHORIZATION_CODE), matches(TEST_REQUEST_HOST), any())).thenReturn(mockSuccessfulAuthenticationResult);
    when(authenticationProvider.authenticateViaAuthorizationCode(matches(TEST_INVALID_AUTHORIZATION_CODE), matches(TEST_REQUEST_HOST), any())).thenReturn(failedAuthenticationResult);
    when(authenticationProvider.authenticateViaAuthorizationCode(matches(TEST_UNAUTHORIZED_AUTHORIZATION_CODE), matches(TEST_REQUEST_HOST), any())).thenReturn(mockUnauthorizedAuthenticationResult);
    when(mockSuccessfulSubjectAuthenticationResult.getSubject()).thenReturn(successfulSubject);
    when(mockUnauthorizedSubjectAuthenticationResult.getSubject()).thenReturn(unauthorizedSubject);
    // The SubjectCreator stubs match on the identity of the raw result objects returned above, so each
    // authorization code maps to exactly one subject-bearing result.
    when(mockSubjectCreator.createResultWithGroups(mockSuccessfulAuthenticationResult)).thenReturn(mockSuccessfulSubjectAuthenticationResult);
    when(mockSubjectCreator.createResultWithGroups(mockUnauthorizedAuthenticationResult)).thenReturn(mockUnauthorizedSubjectAuthenticationResult);
    when(mockSubjectCreator.createResultWithGroups(failedAuthenticationResult)).thenReturn(failedSubjectAuthenticationResult);
    return authenticationProvider;
}

Example 2 with SubjectAuthenticationResult

use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.

From class SaslServlet, method evaluateSaslResponse (the HTTP management SASL endpoint):

/**
 * Feeds one base64-encoded SASL response from the HTTP client into the negotiator and
 * answers with a JSON document whose HTTP status reflects the outcome:
 * <ul>
 *   <li>SUCCESS: the authenticated subject is wrapped in a servlet connection subject, checked
 *       for management access and saved on the request; 200 with optional
 *       {@code additionalData}, or 403 if management access is refused. The SASL state held in
 *       the session is cleared either way.</li>
 *   <li>CONTINUE: the negotiator, a fresh exchange id and an expiry time are parked in the
 *       session and the server challenge is returned; 200.</li>
 *   <li>anything else: 401 with an empty body, and the session state is cleared.</li>
 * </ul>
 * No failure reason is included in the response body, so nothing about why a login failed
 * leaks to the client.
 *
 * @param request        the current servlet request
 * @param response       the servlet response to write the JSON result to
 * @param session        the HTTP session carrying the in-flight negotiation state
 * @param saslResponse   base64 SASL response from the client; {@code null} is treated as empty
 * @param saslNegotiator the negotiator for the mechanism chosen at the start of the exchange
 * @param subjectCreator used to run the mechanism and build the resulting {@link Subject}
 * @throws IOException if writing the JSON response fails
 */
private void evaluateSaslResponse(final HttpServletRequest request, final HttpServletResponse response, final HttpSession session, final String saslResponse, final SaslNegotiator saslNegotiator, SubjectCreator subjectCreator) throws IOException {
    // A missing response is treated as an empty one rather than rejected outright.
    final byte[] clientResponse = (saslResponse == null) ? new byte[0] : Strings.decodeBase64(saslResponse);
    final SubjectAuthenticationResult result = subjectCreator.authenticate(saslNegotiator, clientResponse);
    final byte[] serverChallenge = result.getChallenge();
    final Map<String, Object> body = new LinkedHashMap<>();
    int httpStatus = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
    final AuthenticationResult.AuthenticationStatus status = result.getStatus();
    if (status == AuthenticationResult.AuthenticationStatus.SUCCESS) {
        final Subject authenticated = result.getSubject();
        final Broker broker = getBroker();
        try {
            final Subject connectionSubject = HttpManagementUtil.createServletConnectionSubject(request, authenticated);
            // Authentication alone is not enough to use the management interface; this is the authorisation gate.
            HttpManagementUtil.assertManagementAccess(broker, connectionSubject);
            HttpManagementUtil.saveAuthorisedSubject(request, connectionSubject);
            final boolean hasFinalData = serverChallenge != null && serverChallenge.length > 0;
            if (hasFinalData) {
                body.put("additionalData", DatatypeConverter.printBase64Binary(serverChallenge));
            }
            httpStatus = HttpServletResponse.SC_OK;
        } catch (SecurityException e) {
            // Authenticated but not permitted to manage the broker.
            httpStatus = HttpServletResponse.SC_FORBIDDEN;
        } finally {
            // Whether access was granted or refused, the negotiation is over: drop its session state.
            cleanup(request, session);
        }
    } else if (status == AuthenticationResult.AuthenticationStatus.CONTINUE) {
        // NOTE(review): the exchange id is what binds the client's next response to this negotiation;
        // getRandom(request) is presumably backed by the SecureRandom this class imports -- confirm.
        final Random random = getRandom(request);
        final String exchangeId = Long.toString(random.nextLong());
        HttpManagementUtil.setSessionAttribute(ATTR_ID, exchangeId, session, request);
        HttpManagementUtil.setSessionAttribute(ATTR_SASL_NEGOTIATOR, saslNegotiator, session, request);
        // A half-finished exchange must not live in the session forever.
        final long exchangeExpiryMillis = getManagementConfiguration().getSaslExchangeExpiry();
        HttpManagementUtil.setSessionAttribute(ATTR_EXPIRY, System.currentTimeMillis() + exchangeExpiryMillis, session, request);
        body.put("id", exchangeId);
        body.put("challenge", DatatypeConverter.printBase64Binary(serverChallenge));
        httpStatus = HttpServletResponse.SC_OK;
    } else {
        // ERROR or any other status: reject without detail and forget the negotiation.
        httpStatus = HttpServletResponse.SC_UNAUTHORIZED;
        cleanup(request, session);
    }
    sendJsonResponse(body, request, response, httpStatus, false);
}

Example 3 with SubjectAuthenticationResult

use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.

From class SubjectCreator, method createResultWithGroups (attaches group principals to a successful authentication):

/**
 * Turns a raw {@link AuthenticationResult} into a {@link SubjectAuthenticationResult}.
 *
 * Only a SUCCESS result gets a {@link Subject}: it holds the principals reported by the
 * authentication provider plus the group principals resolved for the main principal, and it
 * is made read-only before it leaves this method so later code cannot add or remove
 * principals. Any other status (ERROR, CONTINUE, ...) is passed through without a subject.
 *
 * @param authenticationResult the provider's outcome; its status decides whether a subject is built
 * @return the wrapped result, carrying a read-only subject only when authentication succeeded
 */
public SubjectAuthenticationResult createResultWithGroups(final AuthenticationResult authenticationResult) {
    if (authenticationResult.getStatus() != AuthenticationStatus.SUCCESS) {
        // Nothing to attach: no subject is minted for an unsuccessful result.
        return new SubjectAuthenticationResult(authenticationResult);
    }
    final Subject subject = new Subject();
    final Set<Principal> principals = subject.getPrincipals();
    principals.addAll(authenticationResult.getPrincipals());
    // Group membership is derived from the main principal, not from the full principal set.
    final Set<Principal> groups = getGroupPrincipals(authenticationResult.getMainPrincipal());
    principals.addAll(groups);
    // Freeze the subject: principals (and credentials) can no longer be modified.
    subject.setReadOnly();
    return new SubjectAuthenticationResult(authenticationResult, subject);
}

Example 4 with SubjectAuthenticationResult

use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.

From class SubjectCreatorTest, method testUnsuccessfulAuthentication (a shared helper for the non-success statuses):

/**
 * Stubs the SASL negotiator to report {@code expectedStatus} (a non-success status) and
 * checks that {@code SubjectCreator.authenticate} passes the status through and returns no
 * subject. For ERROR it additionally checks that an ATH-1010 operational log message was
 * emitted through the event logger.
 *
 * @param expectedStatus the non-success status the negotiator should report
 */
private void testUnsuccessfulAuthentication(AuthenticationStatus expectedStatus) {
    final AuthenticationResult stubbedOutcome = new AuthenticationResult(expectedStatus);
    when(_testSaslNegotiator.handleResponse(_saslResponseBytes)).thenReturn(stubbedOutcome);

    final SubjectAuthenticationResult actual = _subjectCreator.authenticate(_testSaslNegotiator, _saslResponseBytes);

    // The status is passed through untouched, and a non-success result must never carry a Subject.
    assertSame(expectedStatus, actual.getStatus());
    assertNull(actual.getSubject());

    final boolean isError = expectedStatus == AuthenticationStatus.ERROR;
    if (isError) {
        // Only the ERROR path is expected to raise the ATH-1010 operational log message.
        final ArgumentCaptor<LogMessage> logged = ArgumentCaptor.forClass(LogMessage.class);
        verify(_eventLogger).message(logged.capture());
        final String messageText = logged.getValue().toString();
        assertTrue("Unexpected operational log message", messageText.startsWith("ATH-1010"));
    }
}

Example 5 with SubjectAuthenticationResult

use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.

From class AMQPConnection_1_0Impl, method processSaslResponse (the AMQP 1.0 SASL state machine step):

/**
 * Handles one SASL response frame from the peer and advances the SASL exchange.
 *
 * The first successful authentication is remembered in {@code _successfulAuthenticationResult}.
 * If this method is entered again while that field is set, the incoming bytes are NOT passed to
 * the authenticator and no challenge is computed: the code goes straight to the success branch
 * and issues the OK outcome. That path exists for the case where the final challenge was sent
 * to the peer as an ordinary challenge frame (see {@code _sendSaslFinalChallengeAsChallenge})
 * and the peer then replies; whatever the peer sends in that reply is not inspected here.
 *
 * @param response the raw SASL response bytes from the peer; {@code null} is treated as empty
 */
private void processSaslResponse(final byte[] response) {
    byte[] challenge = null;
    SubjectAuthenticationResult authenticationResult = _successfulAuthenticationResult;
    if (authenticationResult == null) {
        // First time through (or not yet successful): run the mechanism on this response.
        authenticationResult = _subjectCreator.authenticate(_saslNegotiator, response != null ? response : new byte[0]);
        challenge = authenticationResult.getChallenge();
    }
    if (authenticationResult.getStatus() == AuthenticationResult.AuthenticationStatus.SUCCESS) {
        // A non-empty challenge on SUCCESS is the mechanism's final server data.
        final boolean finalChallenge = challenge != null && challenge.length != 0;
        _successfulAuthenticationResult = authenticationResult;
        if (_sendSaslFinalChallengeAsChallenge && finalChallenge) {
            // Deliver the final data as a challenge frame; the outcome is sent when the peer responds.
            continueSaslNegotiation(challenge);
        } else {
            // Bind the authenticated Subject to the connection before telling the peer it is in.
            setSubject(_successfulAuthenticationResult.getSubject());
            SaslOutcome outcome = new SaslOutcome();
            outcome.setCode(SaslCode.OK);
            if (finalChallenge) {
                // Final server data travels in the outcome's additional-data field.
                outcome.setAdditionalData(new Binary(challenge));
            }
            send(new SASLFrame(outcome), null);
            // SASL is finished: the next thing expected on the wire is the AMQP protocol header.
            _saslComplete = true;
            _connectionState = ConnectionState.AWAIT_AMQP_HEADER;
            disposeSaslNegotiator();
        }
    } else if (authenticationResult.getStatus() == AuthenticationResult.AuthenticationStatus.CONTINUE) {
        // Mechanism needs another round trip; hand the challenge to the peer.
        continueSaslNegotiation(challenge);
    } else {
        // ERROR or any other status ends the exchange unsuccessfully.
        handleSaslError();
    }
}
