Use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.
From class OAuth2InteractiveAuthenticatorTest, method createMockOAuth2AuthenticationProvider (a test fixture helper):
/**
 * Builds a Mockito {@link OAuth2AuthenticationProvider} whose outcome is fixed by the
 * authorization code it is handed (all three stubs also require the request host to match
 * {@code TEST_REQUEST_HOST}):
 * <ul>
 *   <li>{@code TEST_VALID_AUTHORIZATION_CODE}: a successful result whose Subject carries
 *       {@code TEST_AUTHORIZED_USER}, which the mocked broker allows to "manage".</li>
 *   <li>{@code TEST_UNAUTHORIZED_AUTHORIZATION_CODE}: a successful result whose Subject carries
 *       {@code TEST_UNAUTHORIZED_USER}, which the mocked broker rejects with an
 *       {@link AccessControlException} - so a test can exercise the authenticated-but-not-authorised path.</li>
 *   <li>{@code TEST_INVALID_AUTHORIZATION_CODE}: a real {@code ERROR} result, wrapped in a
 *       {@link SubjectAuthenticationResult} that is constructed without a Subject.</li>
 * </ul>
 *
 * @param mockPort the port under test. NOTE(review): the subject-creator stub below is registered on the
 *                 {@code _mockPort} field, not on this parameter; unless the two are the same object the
 *                 parameter is effectively unused - confirm that is intended.
 * @return the configured mock provider, whose parent is the mocked broker
 * @throws URISyntaxException if {@code TEST_AUTHORIZATION_ENDPOINT} is not a valid URI
 */
private OAuth2AuthenticationProvider<?> createMockOAuth2AuthenticationProvider(final HttpPort mockPort) throws URISyntaxException {
    final OAuth2AuthenticationProvider provider = mock(OAuth2AuthenticationProvider.class);
    final Broker broker = mock(Broker.class);
    final SubjectCreator subjectCreator = mock(SubjectCreator.class);
    when(_mockPort.getSubjectCreator(anyBoolean(), anyString())).thenReturn(subjectCreator);

    // Two distinct authenticated identities: one the broker will let manage, one it will not.
    final Subject authorisedSubject = readOnlySubjectFor(TEST_AUTHORIZED_USER);
    final Subject unauthorisedSubject = readOnlySubjectFor(TEST_UNAUTHORIZED_USER);

    final AuthenticationResult authorisedAuthResult = mock(AuthenticationResult.class);
    final AuthenticationResult unauthorisedAuthResult = mock(AuthenticationResult.class);
    // The failure case is a real result: status ERROR with the cause attached.
    final AuthenticationResult failedAuthResult = new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new Exception("authentication failed"));

    final SubjectAuthenticationResult authorisedSubjectResult = mock(SubjectAuthenticationResult.class);
    final SubjectAuthenticationResult unauthorisedSubjectResult = mock(SubjectAuthenticationResult.class);
    final SubjectAuthenticationResult failedSubjectResult = new SubjectAuthenticationResult(failedAuthResult);
    when(authorisedSubjectResult.getSubject()).thenReturn(authorisedSubject);
    when(unauthorisedSubjectResult.getSubject()).thenReturn(unauthorisedSubject);

    // Authorisation decision: the mocked broker reads the Subject bound to the calling thread's
    // access-control context and accepts only TEST_AUTHORIZED_USER for the "manage" action.
    // (Subject.getSubject(AccessControlContext) and AccessController are deprecated for removal in
    // recent JDKs; kept here because the code under test establishes the Subject that way.)
    doAnswer(invocation -> {
        final Subject caller = Subject.getSubject(AccessController.getContext());
        final String callerName = caller.getPrincipals().iterator().next().getName();
        if (!callerName.equals(TEST_AUTHORIZED_USER)) {
            throw new AccessControlException("access denied");
        }
        return null;
    }).when(broker).authorise(eq(Operation.PERFORM_ACTION("manage")));

    when(provider.getAuthorizationEndpointURI(any())).thenReturn(new URI(TEST_AUTHORIZATION_ENDPOINT));
    when(provider.getClientId()).thenReturn(TEST_CLIENT_ID);
    when(provider.getScope()).thenReturn(TEST_OAUTH2_SCOPE);
    when(provider.getParent()).thenReturn(broker);

    // Code-exchange outcomes keyed on the authorization code; the host argument must match too.
    when(provider.authenticateViaAuthorizationCode(matches(TEST_VALID_AUTHORIZATION_CODE), matches(TEST_REQUEST_HOST), any())).thenReturn(authorisedAuthResult);
    when(provider.authenticateViaAuthorizationCode(matches(TEST_INVALID_AUTHORIZATION_CODE), matches(TEST_REQUEST_HOST), any())).thenReturn(failedAuthResult);
    when(provider.authenticateViaAuthorizationCode(matches(TEST_UNAUTHORIZED_AUTHORIZATION_CODE), matches(TEST_REQUEST_HOST), any())).thenReturn(unauthorisedAuthResult);

    // The subject creator maps each authentication result onto its Subject-bearing counterpart.
    when(subjectCreator.createResultWithGroups(authorisedAuthResult)).thenReturn(authorisedSubjectResult);
    when(subjectCreator.createResultWithGroups(unauthorisedAuthResult)).thenReturn(unauthorisedSubjectResult);
    when(subjectCreator.createResultWithGroups(failedAuthResult)).thenReturn(failedSubjectResult);

    return provider;
}

/** A read-only Subject holding one AuthenticatedPrincipal that wraps a UsernamePrincipal for {@code userName}. */
private static Subject readOnlySubjectFor(final String userName) {
    final AuthenticatedPrincipal principal = new AuthenticatedPrincipal(new UsernamePrincipal(userName, null));
    return new Subject(true, Collections.singleton(principal), Collections.emptySet(), Collections.emptySet());
}
Use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.
From class SaslServlet, method evaluateSaslResponse:
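/**
 * Runs one step of an HTTP SASL exchange and writes the JSON outcome to the response.
 * <p>
 * The outcome is keyed on the {@link SubjectAuthenticationResult} status:
 * <ul>
 *   <li>{@code SUCCESS}: a connection Subject is derived from the authenticated one via
 *       {@link HttpManagementUtil#createServletConnectionSubject} and must pass
 *       {@link HttpManagementUtil#assertManagementAccess} before it is saved on the request -
 *       authenticating is not by itself enough to reach the management API. Any final SASL
 *       challenge is returned as {@code additionalData}. A {@link SecurityException} from the
 *       access check yields 403. In both cases the negotiation state is removed from the session.</li>
 *   <li>{@code CONTINUE}: the negotiator, a fresh exchange id and an expiry timestamp are stored
 *       in the session, and the challenge is returned together with the id.</li>
 *   <li>anything else: 401, with the session state cleaned up.</li>
 * </ul>
 * The status starts at 500 and is only changed on one of the paths above.
 * <p>
 * Base64 output is produced with {@code java.util.Base64} rather than
 * {@code javax.xml.bind.DatatypeConverter}: the latter is not part of the JDK from Java 11 on, and
 * the two produce the same padded, unwrapped encoding. The class is referenced by its qualified
 * name because this listing does not show the file's import block.
 *
 * @param request        current request
 * @param response       response the JSON body is written to
 * @param session        HTTP session holding the negotiation state
 * @param saslResponse   base64-encoded client response, or {@code null} for an empty response
 * @param saslNegotiator the negotiator driving this exchange
 * @param subjectCreator turns a successful authentication into a Subject with its groups
 * @throws IOException if the response cannot be written
 */
private void evaluateSaslResponse(final HttpServletRequest request, final HttpServletResponse response, final HttpSession session, final String saslResponse, final SaslNegotiator saslNegotiator, SubjectCreator subjectCreator) throws IOException {
    // A missing response is an empty SASL response, not an error.
    final byte[] saslResponseBytes = saslResponse == null ? new byte[0] : Strings.decodeBase64(saslResponse);
    final SubjectAuthenticationResult authenticationResult = subjectCreator.authenticate(saslNegotiator, saslResponseBytes);
    final byte[] challenge = authenticationResult.getChallenge();
    final Map<String, Object> outputObject = new LinkedHashMap<>();
    int responseStatus = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

    final AuthenticationResult.AuthenticationStatus status = authenticationResult.getStatus();
    if (status == AuthenticationResult.AuthenticationStatus.SUCCESS) {
        final Subject authenticated = authenticationResult.getSubject();
        final Broker broker = getBroker();
        try {
            final Subject connectionSubject = HttpManagementUtil.createServletConnectionSubject(request, authenticated);
            // Authorisation gate: an authenticated user without management access gets 403 below.
            HttpManagementUtil.assertManagementAccess(broker, connectionSubject);
            HttpManagementUtil.saveAuthorisedSubject(request, connectionSubject);
            if (challenge != null && challenge.length != 0) {
                outputObject.put("additionalData", encodeBase64(challenge));
            }
            responseStatus = HttpServletResponse.SC_OK;
        } catch (SecurityException e) {
            // Not logged here; presumably assertManagementAccess records the refusal - confirm.
            responseStatus = HttpServletResponse.SC_FORBIDDEN;
        } finally {
            // Success or refusal, the negotiator must not survive in the session.
            cleanup(request, session);
        }
    } else if (status == AuthenticationResult.AuthenticationStatus.CONTINUE) {
        // NOTE(review): the exchange id should come from a SecureRandom; confirm getRandom() supplies one.
        final Random rand = getRandom(request);
        final String id = String.valueOf(rand.nextLong());
        HttpManagementUtil.setSessionAttribute(ATTR_ID, id, session, request);
        HttpManagementUtil.setSessionAttribute(ATTR_SASL_NEGOTIATOR, saslNegotiator, session, request);
        // The half-finished exchange expires after the configured interval.
        final long saslExchangeExpiry = getManagementConfiguration().getSaslExchangeExpiry();
        HttpManagementUtil.setSessionAttribute(ATTR_EXPIRY, System.currentTimeMillis() + saslExchangeExpiry, session, request);
        outputObject.put("id", id);
        // NOTE(review): a null challenge on CONTINUE would throw here, as it did with DatatypeConverter.
        outputObject.put("challenge", encodeBase64(challenge));
        responseStatus = HttpServletResponse.SC_OK;
    } else {
        responseStatus = HttpServletResponse.SC_UNAUTHORIZED;
        cleanup(request, session);
    }
    sendJsonResponse(outputObject, request, response, responseStatus, false);
}

/** Standard base64 with padding and no line breaks - the same form DatatypeConverter.printBase64Binary produced. */
private static String encodeBase64(final byte[] bytes) {
    return java.util.Base64.getEncoder().encodeToString(bytes);
}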
Use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.
From class SubjectCreator, method createResultWithGroups:
/**
 * Wraps an {@link AuthenticationResult} as a {@link SubjectAuthenticationResult}.
 * <p>
 * Only a {@code SUCCESS} result is given a Subject: the result's principals are copied in, the
 * group principals looked up for its main principal are added, and the Subject is then made
 * read-only so nothing downstream can add or remove principals. Any other status is wrapped
 * with the single-argument constructor, i.e. without a Subject.
 *
 * @param authenticationResult the outcome to wrap; its status decides whether a Subject is built
 * @return the wrapped result
 */
public SubjectAuthenticationResult createResultWithGroups(final AuthenticationResult authenticationResult) {
    if (authenticationResult.getStatus() != AuthenticationStatus.SUCCESS) {
        return new SubjectAuthenticationResult(authenticationResult);
    }
    final Subject subject = new Subject();
    final Set<Principal> principals = subject.getPrincipals();
    principals.addAll(authenticationResult.getPrincipals());
    principals.addAll(getGroupPrincipals(authenticationResult.getMainPrincipal()));
    // Freeze the principal set before the Subject escapes.
    subject.setReadOnly();
    return new SubjectAuthenticationResult(authenticationResult, subject);
}
Use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.
From class SubjectCreatorTest, method testUnsuccessfulAuthentication:
/**
 * Drives the subject creator with a negotiator that reports {@code expectedStatus} and checks
 * that the status comes back unchanged with no Subject attached. For {@code ERROR} the event
 * logger is additionally expected to receive exactly one message starting with "ATH-1010".
 *
 * @param expectedStatus the non-success status the negotiator should produce
 */
private void testUnsuccessfulAuthentication(AuthenticationStatus expectedStatus) {
    final AuthenticationResult negotiatorOutcome = new AuthenticationResult(expectedStatus);
    when(_testSaslNegotiator.handleResponse(_saslResponseBytes)).thenReturn(negotiatorOutcome);

    final SubjectAuthenticationResult result = _subjectCreator.authenticate(_testSaslNegotiator, _saslResponseBytes);

    assertSame(expectedStatus, result.getStatus());
    assertNull(result.getSubject());
    if (expectedStatus != AuthenticationStatus.ERROR) {
        return;
    }
    // Only the ERROR path is expected to raise an operational log message.
    final ArgumentCaptor<LogMessage> logged = ArgumentCaptor.forClass(LogMessage.class);
    verify(_eventLogger).message(logged.capture());
    assertTrue("Unexpected operational log message", logged.getValue().toString().startsWith("ATH-1010"));
}
Use of org.apache.qpid.server.security.auth.SubjectAuthenticationResult in project qpid-broker-j by apache.
From class AMQPConnection_1_0Impl, method processSaslResponse:
/**
 * Feeds one SASL response from the peer into the negotiation.
 * <p>
 * Once a {@code SUCCESS} result has been cached in {@code _successfulAuthenticationResult} the
 * negotiator is not consulted again: the cached result is reused and no challenge is produced
 * (it stays {@code null}). Presumably this is the second pass after the final challenge was sent
 * as an ordinary challenge. Otherwise the negotiator is run and the status decides:
 * <ul>
 *   <li>{@code SUCCESS} with a non-empty challenge while {@code _sendSaslFinalChallengeAsChallenge}
 *       is set: send it as a challenge and leave the outcome for the next response.</li>
 *   <li>{@code SUCCESS} otherwise: bind the Subject to the connection, send an OK outcome carrying
 *       any non-empty final challenge as additional data, mark SASL complete, move to
 *       {@code AWAIT_AMQP_HEADER} and dispose of the negotiator.</li>
 *   <li>{@code CONTINUE}: send the challenge.</li>
 *   <li>anything else: the SASL error path.</li>
 * </ul>
 *
 * @param response the peer's SASL response; {@code null} is treated as an empty response
 */
private void processSaslResponse(final byte[] response) {
    SubjectAuthenticationResult result = _successfulAuthenticationResult;
    byte[] challenge = null;
    if (result == null) {
        final byte[] responseBytes = response == null ? new byte[0] : response;
        result = _subjectCreator.authenticate(_saslNegotiator, responseBytes);
        challenge = result.getChallenge();
    }

    final AuthenticationResult.AuthenticationStatus status = result.getStatus();
    if (status == AuthenticationResult.AuthenticationStatus.CONTINUE) {
        continueSaslNegotiation(challenge);
    } else if (status == AuthenticationResult.AuthenticationStatus.SUCCESS) {
        final boolean hasFinalChallenge = challenge != null && challenge.length != 0;
        // Cache before completing, so a later response reuses this result instead of re-authenticating.
        _successfulAuthenticationResult = result;
        if (hasFinalChallenge && _sendSaslFinalChallengeAsChallenge) {
            continueSaslNegotiation(challenge);
        } else {
            completeSaslNegotiation(hasFinalChallenge ? challenge : null);
        }
    } else {
        handleSaslError();
    }
}

/**
 * Finishes a successful negotiation: binds the cached Subject, sends an OK outcome (with
 * {@code finalChallenge} as additional data when non-null) and switches to the AMQP header state.
 */
private void completeSaslNegotiation(final byte[] finalChallenge) {
    setSubject(_successfulAuthenticationResult.getSubject());
    final SaslOutcome outcome = new SaslOutcome();
    outcome.setCode(SaslCode.OK);
    if (finalChallenge != null) {
        outcome.setAdditionalData(new Binary(finalChallenge));
    }
    send(new SASLFrame(outcome), null);
    _saslComplete = true;
    _connectionState = ConnectionState.AWAIT_AMQP_HEADER;
    disposeSaslNegotiator();
}