hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslParticipant.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.hdfs.protocol.datatransfer.sasl;

 import java.io.DataInputStream;
 import java.io.DataOutputStream;
 import java.util.Map;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslClient;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;

 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
 import org.apache.hadoop.security.SaslInputStream;
 import org.apache.hadoop.security.SaslOutputStream;

 /**
  * Strongly inspired by Thrift's TSaslTransport class.
  *
  * Used to abstract over the <code>SaslServer</code> and
  * <code>SaslClient</code> classes, which share a lot of their interface, but
  * unfortunately don't share a common superclass.
  */
 @InterfaceAudience.Private
 class SaslParticipant {

   // This has to be set as part of the SASL spec, but it don't matter for
   // our purposes, but may not be empty. It's sent over the wire, so use
   // a short string.
   private static final String SERVER_NAME = "0";
   private static final String PROTOCOL = "hdfs";
   private static final String MECHANISM = "DIGEST-MD5";

   // One of these will always be null.
   private final SaslServer saslServer;
   private final SaslClient saslClient;

   /**
    * Creates a SaslParticipant wrapping a SaslServer.
    *
    * @param saslProps properties of SASL negotiation
    * @param callbackHandler for handling all SASL callbacks
    * @return SaslParticipant wrapping SaslServer
    * @throws SaslException for any error
    */
   public static SaslParticipant createServerSaslParticipant(
       Map<String, String> saslProps, CallbackHandler callbackHandler)
       throws SaslException {
     return new SaslParticipant(Sasl.createSaslServer(MECHANISM,
       PROTOCOL, SERVER_NAME, saslProps, callbackHandler));
   }

   /**
    * Creates a SaslParticipant wrapping a SaslClient.
    *
    * @param userName SASL user name
    * @param saslProps properties of SASL negotiation
    * @param callbackHandler for handling all SASL callbacks
    * @return SaslParticipant wrapping SaslClient
    * @throws SaslException for any error
    */
   public static SaslParticipant createClientSaslParticipant(String userName,
       Map<String, String> saslProps, CallbackHandler callbackHandler)
       throws SaslException {
     return new SaslParticipant(Sasl.createSaslClient(new String[] { MECHANISM },
       userName, PROTOCOL, SERVER_NAME, saslProps, callbackHandler));
   }

   /**
    * Private constructor wrapping a SaslServer.
    *
    * @param saslServer to wrap
    */
   private SaslParticipant(SaslServer saslServer) {
     this.saslServer = saslServer;
     this.saslClient = null;
   }

   /**
    * Private constructor wrapping a SaslClient.
    *
    * @param saslClient to wrap
    */
   private SaslParticipant(SaslClient saslClient) {
     this.saslServer = null;
     this.saslClient = saslClient;
   }

   /**
    * @see {@link SaslServer#evaluateResponse}
    * @see {@link SaslClient#evaluateChallenge}
    */
   public byte[] evaluateChallengeOrResponse(byte[] challengeOrResponse)
       throws SaslException {
     if (saslClient != null) {
       return saslClient.evaluateChallenge(challengeOrResponse);
     } else {
       return saslServer.evaluateResponse(challengeOrResponse);
     }
   }

   /**
    * After successful SASL negotation, returns the negotiated quality of
    * protection.
    *
    * @return negotiated quality of protection
    */
   public String getNegotiatedQop() {
     if (saslClient != null) {
       return (String) saslClient.getNegotiatedProperty(Sasl.QOP);
     } else {
       return (String) saslServer.getNegotiatedProperty(Sasl.QOP);
     }
   }

   /**
    * After successful SASL negotiation, returns whether it's QOP privacy
    *
    * @return boolean whether it's QOP privacy
    */
   public boolean isNegotiatedQopPrivacy() {
     String qop = getNegotiatedQop();
     return qop != null && "auth-conf".equalsIgnoreCase(qop);
   }

   /**
    * Wraps a byte array.
    *
    * @param bytes The array containing the bytes to wrap.
    * @param off The starting position at the array
    * @param len The number of bytes to wrap
    * @return byte[] wrapped bytes
    * @throws SaslException if the bytes cannot be successfully wrapped
    */
   public byte[] wrap(byte[] bytes, int off, int len) throws SaslException {
     if (saslClient != null) {
       return saslClient.wrap(bytes, off, len);
     } else {
       return saslServer.wrap(bytes, off, len);
     }
   }

   /**
    * Unwraps a byte array.
    *
    * @param bytes The array containing the bytes to unwrap.
    * @param off The starting position at the array
    * @param len The number of bytes to unwrap
    * @return byte[] unwrapped bytes
    * @throws SaslException if the bytes cannot be successfully unwrapped
    */
   public byte[] unwrap(byte[] bytes, int off, int len) throws SaslException {
     if (saslClient != null) {
       return saslClient.unwrap(bytes, off, len);
     } else {
       return saslServer.unwrap(bytes, off, len);
     }
   }

   /**
    * Returns true if SASL negotiation is complete.
    *
    * @return true if SASL negotiation is complete
    */
   public boolean isComplete() {
     if (saslClient != null) {
       return saslClient.isComplete();
     } else {
       return saslServer.isComplete();
     }
   }

   /**
    * Return some input/output streams that may henceforth have their
    * communication encrypted, depending on the negotiated quality of protection.
    *
    * @param out output stream to wrap
    * @param in input stream to wrap
    * @return IOStreamPair wrapping the streams
    */
   public IOStreamPair createStreamPair(DataOutputStream out,
       DataInputStream in) {
     if (saslClient != null) {
       return new IOStreamPair(
           new SaslInputStream(in, saslClient),
           new SaslOutputStream(out, saslClient));
     } else {
       return new IOStreamPair(
           new SaslInputStream(in, saslServer),
           new SaslOutputStream(out, saslServer));
     }
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.hdfs.protocol.datatransfer.sasl;

	import java.io.DataInputStream;
	import java.io.DataOutputStream;
	import java.util.Map;
	import javax.security.auth.callback.CallbackHandler;
	import javax.security.sasl.Sasl;
	import javax.security.sasl.SaslClient;
	import javax.security.sasl.SaslException;
	import javax.security.sasl.SaslServer;

	import org.apache.hadoop.classification.InterfaceAudience;
	import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
	import org.apache.hadoop.security.SaslInputStream;
	import org.apache.hadoop.security.SaslOutputStream;

	/**
	* Strongly inspired by Thrift's TSaslTransport class.
	*
	* Used to abstract over the <code>SaslServer</code> and
	* <code>SaslClient</code> classes, which share a lot of their interface, but
	* unfortunately don't share a common superclass.
	*/
	@InterfaceAudience.Private
	class SaslParticipant {

	// This has to be set as part of the SASL spec, but it don't matter for
	// our purposes, but may not be empty. It's sent over the wire, so use
	// a short string.
	private static final String SERVER_NAME = "0";
	private static final String PROTOCOL = "hdfs";
	private static final String MECHANISM = "DIGEST-MD5";

	// One of these will always be null.
	private final SaslServer saslServer;
	private final SaslClient saslClient;

	/**
	* Creates a SaslParticipant wrapping a SaslServer.
	*
	* @param saslProps properties of SASL negotiation
	* @param callbackHandler for handling all SASL callbacks
	* @return SaslParticipant wrapping SaslServer
	* @throws SaslException for any error
	*/
	public static SaslParticipant createServerSaslParticipant(
	Map<String, String> saslProps, CallbackHandler callbackHandler)
	throws SaslException {
	return new SaslParticipant(Sasl.createSaslServer(MECHANISM,
	PROTOCOL, SERVER_NAME, saslProps, callbackHandler));
	}

	/**
	* Creates a SaslParticipant wrapping a SaslClient.
	*
	* @param userName SASL user name
	* @param saslProps properties of SASL negotiation
	* @param callbackHandler for handling all SASL callbacks
	* @return SaslParticipant wrapping SaslClient
	* @throws SaslException for any error
	*/
	public static SaslParticipant createClientSaslParticipant(String userName,
	Map<String, String> saslProps, CallbackHandler callbackHandler)
	throws SaslException {
	return new SaslParticipant(Sasl.createSaslClient(new String[] { MECHANISM },
	userName, PROTOCOL, SERVER_NAME, saslProps, callbackHandler));
	}

	/**
	* Private constructor wrapping a SaslServer.
	*
	* @param saslServer to wrap
	*/
	private SaslParticipant(SaslServer saslServer) {
	this.saslServer = saslServer;
	this.saslClient = null;
	}

	/**
	* Private constructor wrapping a SaslClient.
	*
	* @param saslClient to wrap
	*/
	private SaslParticipant(SaslClient saslClient) {
	this.saslServer = null;
	this.saslClient = saslClient;
	}

	/**
	* @see {@link SaslServer#evaluateResponse}
	* @see {@link SaslClient#evaluateChallenge}
	*/
	public byte[] evaluateChallengeOrResponse(byte[] challengeOrResponse)
	throws SaslException {
	if (saslClient != null) {
	return saslClient.evaluateChallenge(challengeOrResponse);
	} else {
	return saslServer.evaluateResponse(challengeOrResponse);
	}
	}

	/**
	* After successful SASL negotation, returns the negotiated quality of
	* protection.
	*
	* @return negotiated quality of protection
	*/
	public String getNegotiatedQop() {
	if (saslClient != null) {
	return (String) saslClient.getNegotiatedProperty(Sasl.QOP);
	} else {
	return (String) saslServer.getNegotiatedProperty(Sasl.QOP);
	}
	}

	/**
	* After successful SASL negotiation, returns whether it's QOP privacy
	*
	* @return boolean whether it's QOP privacy
	*/
	public boolean isNegotiatedQopPrivacy() {
	String qop = getNegotiatedQop();
	return qop != null && "auth-conf".equalsIgnoreCase(qop);
	}

	/**
	* Wraps a byte array.
	*
	* @param bytes The array containing the bytes to wrap.
	* @param off The starting position at the array
	* @param len The number of bytes to wrap
	* @return byte[] wrapped bytes
	* @throws SaslException if the bytes cannot be successfully wrapped
	*/
	public byte[] wrap(byte[] bytes, int off, int len) throws SaslException {
	if (saslClient != null) {
	return saslClient.wrap(bytes, off, len);
	} else {
	return saslServer.wrap(bytes, off, len);
	}
	}

	/**
	* Unwraps a byte array.
	*
	* @param bytes The array containing the bytes to unwrap.
	* @param off The starting position at the array
	* @param len The number of bytes to unwrap
	* @return byte[] unwrapped bytes
	* @throws SaslException if the bytes cannot be successfully unwrapped
	*/
	public byte[] unwrap(byte[] bytes, int off, int len) throws SaslException {
	if (saslClient != null) {
	return saslClient.unwrap(bytes, off, len);
	} else {
	return saslServer.unwrap(bytes, off, len);
	}
	}

	/**
	* Returns true if SASL negotiation is complete.
	*
	* @return true if SASL negotiation is complete
	*/
	public boolean isComplete() {
	if (saslClient != null) {
	return saslClient.isComplete();
	} else {
	return saslServer.isComplete();
	}
	}

	/**
	* Return some input/output streams that may henceforth have their
	* communication encrypted, depending on the negotiated quality of protection.
	*
	* @param out output stream to wrap
	* @param in input stream to wrap
	* @return IOStreamPair wrapping the streams
	*/
	public IOStreamPair createStreamPair(DataOutputStream out,
	DataInputStream in) {
	if (saslClient != null) {
	return new IOStreamPair(
	new SaslInputStream(in, saslClient),
	new SaslOutputStream(out, saslClient));
	} else {
	return new IOStreamPair(
	new SaslInputStream(in, saslServer),
	new SaslOutputStream(out, saslServer));
	}
	}
	}