Search in sources :

Example 6 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASTargetInterceptor method receive_request.

@Override
public void receive_request(ServerRequestInfo ri) {
    IIOPLogger.ROOT_LOGGER.tracef("receive_request: %s", ri.operation());
    CurrentRequestInfo threadLocal = threadLocalData.get();
    threadLocal.sasContextReceived = false;
    threadLocal.authenticationTokenReceived = false;
    threadLocal.incomingUsername = empty;
    threadLocal.incomingPassword = empty;
    threadLocal.incomingTargetName = empty;
    threadLocal.incomingIdentity = absent;
    threadLocal.incomingPrincipalName = empty;
    threadLocal.sasReply = null;
    threadLocal.sasReplyIsAccept = false;
    try {
        ServiceContext sc = ri.get_request_service_context(sasContextId);
        Any any = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(any);
        if (contextBody != null) {
            if (contextBody.discriminator() == MTMessageInContext.value) {
                // should not happen, as stateful context requests are always negotiated down to stateless in this implementation.
                long contextId = contextBody.in_context_msg().client_context_id;
                threadLocal.sasReply = createMsgCtxError(contextId, 4);
                throw IIOPLogger.ROOT_LOGGER.missingSASContext();
            } else if (contextBody.discriminator() == MTEstablishContext.value) {
                EstablishContext message = contextBody.establish_msg();
                threadLocal.contextId = message.client_context_id;
                threadLocal.sasContextReceived = true;
                if (message.client_authentication_token != null && message.client_authentication_token.length > 0) {
                    IIOPLogger.ROOT_LOGGER.trace("Received client authentication token");
                    InitialContextToken authToken = CSIv2Util.decodeInitialContextToken(message.client_authentication_token, codec);
                    if (authToken == null) {
                        threadLocal.sasReply = createMsgCtxError(message.client_context_id, 2);
                        throw IIOPLogger.ROOT_LOGGER.errorDecodingInitContextToken();
                    }
                    threadLocal.incomingUsername = authToken.username;
                    threadLocal.incomingPassword = authToken.password;
                    threadLocal.incomingTargetName = CSIv2Util.decodeGssExportedName(authToken.target_name);
                    if (threadLocal.incomingTargetName == null) {
                        threadLocal.sasReply = createMsgCtxError(message.client_context_id, 2);
                        throw IIOPLogger.ROOT_LOGGER.errorDecodingTargetInContextToken();
                    }
                    threadLocal.authenticationTokenReceived = true;
                }
                if (message.identity_token != null) {
                    IIOPLogger.ROOT_LOGGER.trace("Received identity token");
                    threadLocal.incomingIdentity = message.identity_token;
                    if (message.identity_token.discriminator() == ITTPrincipalName.value) {
                        // Extract the RFC2743-encoded name from CDR encapsulation.
                        Any a = codec.decode_value(message.identity_token.principal_name(), GSS_NT_ExportedNameHelper.type());
                        byte[] encodedName = GSS_NT_ExportedNameHelper.extract(a);
                        // Decode the principal name.
                        threadLocal.incomingPrincipalName = CSIv2Util.decodeGssExportedName(encodedName);
                        if (threadLocal.incomingPrincipalName == null) {
                            threadLocal.sasReply = createMsgCtxError(message.client_context_id, 2);
                            throw IIOPLogger.ROOT_LOGGER.errorDecodingPrincipalName();
                        }
                    }
                }
                threadLocal.sasReply = (threadLocal.contextId == 0) ? msgCtx0Accepted : createMsgCtxAccepted(threadLocal.contextId);
                threadLocal.sasReplyIsAccept = true;
            }
        }
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing.
    } catch (FormatMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorDecodingContextData(this.name(), e);
    } catch (TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorDecodingContextData(this.name(), e);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) InitialContextToken(org.omg.GSSUP.InitialContextToken) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) CompleteEstablishContext(org.omg.CSI.CompleteEstablishContext) EstablishContext(org.omg.CSI.EstablishContext) MTEstablishContext(org.omg.CSI.MTEstablishContext) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Example 7 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASClientIdentityInterceptor method receive_exception.

@Override
public void receive_exception(ClientRequestInfo ri) {
    try {
        ServiceContext sc = ri.get_reply_service_context(sasContextId);
        Any msg = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(msg);
        // At this point contextBody may contain either a CompleteEstablishContext message or a ContextError message.
        // Neither message requires any treatment. We decoded the contextbody just to check that it contains a
        // well-formed message.
        IIOPLogger.ROOT_LOGGER.tracef("receive_exception: got SAS reply, type %d", contextBody.discriminator());
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing.
    } catch (FormatMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_MAYBE);
    } catch (TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_MAYBE);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Example 8 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASClientIdentityInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, (short) (EstablishTrustInClient.value + IdentityAssertion.value), /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        if (IIOPLogger.ROOT_LOGGER.isTraceEnabled()) {
            StringBuilder tmp = new StringBuilder();
            CSIv2Util.toString(secMech, tmp);
            IIOPLogger.ROOT_LOGGER.trace(tmp);
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = absentIdentityToken;
        byte[] encodedAuthenticationToken = noAuthenticationToken;
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            // will create identity token.
            RunAs runAs = SecurityActions.peekRunAsIdentity();
            Principal p = (runAs != null) ? runAs : SecurityActions.getPrincipal();
            if (p != null) {
                // The name scope needs to be externalized.
                String name = p.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
        }
        if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
            // will create authentication token with the configured pair serverUsername/serverPassword.
            byte[] encodedTargetName = secMech.as_context_mech.target_name;
            String name = serverUsername;
            if (name.indexOf('@') < 0) {
                byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
                String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
                // "@default"
                name += "@" + targetName;
            }
            byte[] username = name.getBytes(StandardCharsets.UTF_8);
            // I don't know why there is not a better way to go from char[] -> byte[].
            byte[] password = serverPassword.getBytes(StandardCharsets.UTF_8);
            // create authentication token
            InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
            // ASN.1-encode it, as defined in RFC 2743.
            encodedAuthenticationToken = CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
        }
        if (identityToken != absentIdentityToken || encodedAuthenticationToken != noAuthenticationToken) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new // stateless ctx id
            EstablishContext(// stateless ctx id
            0, noAuthorizationToken, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) RunAs(org.jboss.security.RunAs) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) IdentityToken(org.omg.CSI.IdentityToken) InitialContextToken(org.omg.GSSUP.InitialContextToken) EstablishContext(org.omg.CSI.EstablishContext) Principal(java.security.Principal)

Example 9 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASClientInterceptor method receive_reply.

@Override
public void receive_reply(ClientRequestInfo ri) {
    try {
        ServiceContext sc = ri.get_reply_service_context(sasContextId);
        Any msg = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(msg);
        // At this point contextBody should contain a CompleteEstablishContext message, which does not require any
        // treatment. ContextError messages should arrive via receive_exception().
        IIOPLogger.ROOT_LOGGER.tracef("receive_reply: got SAS reply, type %d", contextBody.discriminator());
        if (contextBody.discriminator() == MTContextError.value) {
            // should not happen.
            throw IIOPLogger.ROOT_LOGGER.unexpectedContextErrorInSASReply(0, CompletionStatus.COMPLETED_YES);
        }
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing
    } catch (FormatMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_YES);
    } catch (TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_YES);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Example 10 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASClientInterceptor method receive_exception.

@Override
public void receive_exception(ClientRequestInfo ri) {
    try {
        ServiceContext sc = ri.get_reply_service_context(sasContextId);
        Any msg = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(msg);
        // At this point contextBody may contain either a CompleteEstablishContext message or a ContextError message.
        // Neither message requires any treatment. We decoded the context body just to check that it contains
        // a well-formed message.
        IIOPLogger.ROOT_LOGGER.tracef("receive_exception: got SAS reply, type %d", contextBody.discriminator());
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing.
    } catch (FormatMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_MAYBE);
    } catch (TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_MAYBE);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Aggregations

Any (org.omg.CORBA.Any)10 SASContextBody (org.omg.CSI.SASContextBody)10 ServiceContext (org.omg.IOP.ServiceContext)10 BAD_PARAM (org.omg.CORBA.BAD_PARAM)7 FormatMismatch (org.omg.IOP.CodecPackage.FormatMismatch)7 TypeMismatch (org.omg.IOP.CodecPackage.TypeMismatch)7 EstablishContext (org.omg.CSI.EstablishContext)4 Principal (java.security.Principal)3 CompoundSecMech (org.omg.CSIIOP.CompoundSecMech)3 InitialContextToken (org.omg.GSSUP.InitialContextToken)3 IdentityToken (org.omg.CSI.IdentityToken)2 InvalidTypeForEncoding (org.omg.IOP.CodecPackage.InvalidTypeForEncoding)2 URI (java.net.URI)1 URISyntaxException (java.net.URISyntaxException)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 RunAs (org.jboss.security.RunAs)1 LocalObject (org.omg.CORBA.LocalObject)1 CompleteEstablishContext (org.omg.CSI.CompleteEstablishContext)1 MTEstablishContext (org.omg.CSI.MTEstablishContext)1 AuthenticationConfiguration (org.wildfly.security.auth.client.AuthenticationConfiguration)1