Example 11 with SecureString

Use of org.elasticsearch.common.settings.SecureString in project crate by crate.

Class Ec2ClientSettings, method loadCredentials.

static AWSCredentials loadCredentials(Settings settings) {
    // try-with-resources closes all three SecureString values when the block exits
    try (SecureString key = ACCESS_KEY_SETTING.get(settings);
        SecureString secret = SECRET_KEY_SETTING.get(settings);
        SecureString sessionToken = SESSION_TOKEN_SETTING.get(settings)) {
        if (key.length() == 0 && secret.length() == 0) {
            if (sessionToken.length() > 0) {
                throw new SettingsException("Setting [{}] is set but [{}] and [{}] are not", SESSION_TOKEN_SETTING.getKey(), ACCESS_KEY_SETTING.getKey(), SECRET_KEY_SETTING.getKey());
            }
            LOGGER.debug("Using either environment variables, system properties or instance profile credentials");
            return null;
        } else {
            if (key.length() == 0) {
                DEPRECATION_LOGGER.deprecated("Setting [{}] is set but [{}] is not, which will be unsupported in future", SECRET_KEY_SETTING.getKey(), ACCESS_KEY_SETTING.getKey());
            }
            if (secret.length() == 0) {
                DEPRECATION_LOGGER.deprecated("Setting [{}] is set but [{}] is not, which will be unsupported in future", ACCESS_KEY_SETTING.getKey(), SECRET_KEY_SETTING.getKey());
            }
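            // toString() below copies each secret into an immutable String that is handed to the
            // AWS credentials object; closing the SecureString does not clear those copies.
            final AWSCredentials credentials;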
            if (sessionToken.length() == 0) {
                LOGGER.debug("Using basic key/secret credentials");
                credentials = new BasicAWSCredentials(key.toString(), secret.toString());
            } else {
                LOGGER.debug("Using basic session credentials");
                credentials = new BasicSessionCredentials(key.toString(), secret.toString(), sessionToken.toString());
            }
            return credentials;
        }
    }
}
Also used: BasicSessionCredentials (com.amazonaws.auth.BasicSessionCredentials), SettingsException (org.elasticsearch.common.settings.SettingsException), BasicAWSCredentials (com.amazonaws.auth.BasicAWSCredentials), AWSCredentials (com.amazonaws.auth.AWSCredentials), SecureString (org.elasticsearch.common.settings.SecureString)

Example 12 with SecureString

Use of org.elasticsearch.common.settings.SecureString in project crate by crate.

Class UserDefinitions, method getSecureHash.

private static SecureHash getSecureHash(String password) {
    SecureHash hash = null;
    try {
        hash = SecureHash.of(new SecureString(password.toCharArray()));
    } catch (GeneralSecurityException e) {
        // Swallowed on purpose: if hashing threw, hash is still null and assertNotNull below fails.
    }
    assertNotNull(hash);
    return hash;
}
Also used: SecureHash (io.crate.user.SecureHash), GeneralSecurityException (java.security.GeneralSecurityException), SecureString (org.elasticsearch.common.settings.SecureString)

Example 13 with SecureString

Use of org.elasticsearch.common.settings.SecureString in project crate by crate.

Class UserActionsTest, method testSecureHashIsGeneratedFromPasswordProperty.

@Test
public void testSecureHashIsGeneratedFromPasswordProperty() throws Exception {
    GenericProperties<Symbol> properties = new GenericProperties<>(Map.of("password", Literal.of("password")));
    SecureHash secureHash = UserActions.generateSecureHash(properties, Row.EMPTY, txnCtx, nodeCtx);
    assertThat(secureHash, Matchers.notNullValue());
    SecureString password = new SecureString("password".toCharArray());
    assertTrue(secureHash.verifyHash(password));
}
Also used: Symbol (io.crate.expression.symbol.Symbol), GenericProperties (io.crate.sql.tree.GenericProperties), SecureString (org.elasticsearch.common.settings.SecureString), Test (org.junit.Test)

Example 14 with SecureString

Use of org.elasticsearch.common.settings.SecureString in project crate by crate.

Class HttpAuthUpstreamHandler, method handleHttpRequest.

private void handleHttpRequest(ChannelHandlerContext ctx, HttpRequest request) {
    SSLSession session = getSession(ctx.channel());
    Tuple<String, SecureString> credentials = credentialsFromRequest(request, session, settings);
    String username = credentials.v1();
    SecureString password = credentials.v2();
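    // A username that this handler has already authenticated is passed through
    // without checking the password again.
    if (username.equals(authorizedUser)) {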
        ctx.fireChannelRead(request);
        return;
    }
    InetAddress address = addressFromRequestOrChannel(request, ctx.channel());
    ConnectionProperties connectionProperties = new ConnectionProperties(address, Protocol.HTTP, session);
    AuthenticationMethod authMethod = authService.resolveAuthenticationType(username, connectionProperties);
    if (authMethod == null) {
        String errorMessage = String.format(Locale.ENGLISH, "No valid auth.host_based.config entry found for host \"%s\", user \"%s\", protocol \"%s\". Did you enable TLS in your client?", address.getHostAddress(), username, Protocol.HTTP.toString());
        sendUnauthorized(ctx.channel(), errorMessage);
    } else {
        try {
            User user = authMethod.authenticate(username, password, connectionProperties);
            if (user != null && LOGGER.isTraceEnabled()) {
                LOGGER.trace("Authentication succeeded user \"{}\" and method \"{}\".", username, authMethod.name());
            }
            authorizedUser = username;
            ctx.fireChannelRead(request);
        } catch (Exception e) {
            if (LOGGER.isInfoEnabled()) {
                LOGGER.info("{} authentication failed for user={} from connection={}", authMethod.name(), username, connectionProperties.address());
            }
            sendUnauthorized(ctx.channel(), e.getMessage());
        }
    }
}
Also used: User (io.crate.user.User), ConnectionProperties (io.crate.protocols.postgres.ConnectionProperties), SSLSession (javax.net.ssl.SSLSession), SecureString (org.elasticsearch.common.settings.SecureString), InetAddress (java.net.InetAddress), SSLPeerUnverifiedException (javax.net.ssl.SSLPeerUnverifiedException)

Example 15 with SecureString

Use of org.elasticsearch.common.settings.SecureString in project crate by crate.

Class Headers, method extractCredentialsFromHttpBasicAuthHeader.

public static Tuple<String, SecureString> extractCredentialsFromHttpBasicAuthHeader(String authHeaderValue) {
    if (authHeaderValue == null || authHeaderValue.isEmpty()) {
        return EMPTY_CREDENTIALS_TUPLE;
    }
    String username;
    SecureString password = EMPTY_PASSWORD;
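    // Skips the first 6 characters, i.e. assumes the value starts with "Basic ".
    String valueWithoutBasePrefix = authHeaderValue.substring(6);
    // The decoded "user:password" pair is held in an ordinary immutable String.
    String decodedCreds = new String(Base64.getDecoder().decode(valueWithoutBasePrefix), StandardCharsets.UTF_8);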
    int idx = decodedCreds.indexOf(':');
    if (idx < 0) {
        username = decodedCreds;
    } else {
        username = decodedCreds.substring(0, idx);
        // Only the char[] copy made below is wrapped in SecureString; this String copy is not cleared.
        String passwdStr = decodedCreds.substring(idx + 1);
        if (passwdStr.length() > 0) {
            password = new SecureString(passwdStr.toCharArray());
        }
    }
    return new Tuple<>(username, password);
}
Also used: SecureString (org.elasticsearch.common.settings.SecureString), Tuple (io.crate.common.collections.Tuple)

Aggregations

SecureString (org.elasticsearch.common.settings.SecureString): 18
Test (org.junit.Test): 7
Symbol (io.crate.expression.symbol.Symbol): 4
GenericProperties (io.crate.sql.tree.GenericProperties): 4
SecureHash (io.crate.user.SecureHash): 3
User (io.crate.user.User): 3
VisibleForTesting (io.crate.common.annotations.VisibleForTesting): 2
Tuple (io.crate.common.collections.Tuple): 2
GeneralSecurityException (java.security.GeneralSecurityException): 2
Nullable (javax.annotation.Nullable): 2
SSLPeerUnverifiedException (javax.net.ssl.SSLPeerUnverifiedException): 2
Settings (org.elasticsearch.common.settings.Settings): 2
ClientConfiguration (com.amazonaws.ClientConfiguration): 1
Protocol (com.amazonaws.Protocol): 1
AWSCredentials (com.amazonaws.auth.AWSCredentials): 1
BasicAWSCredentials (com.amazonaws.auth.BasicAWSCredentials): 1
BasicSessionCredentials (com.amazonaws.auth.BasicSessionCredentials): 1
SQLOperations (io.crate.action.sql.SQLOperations): 1
SymbolEvaluator (io.crate.analyze.SymbolEvaluator): 1
AlwaysOKAuthentication (io.crate.auth.AlwaysOKAuthentication): 1