/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.oak.exercise.security.authentication;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.jcr.NoSuchWorkspaceException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.junit.Test;
/**
* <pre>
* Module: Authentication
* =============================================================================
*
* Title: Pre-Authentication with LoginModule Chain
* -----------------------------------------------------------------------------
*
* Goal:
* Understand how a pre-authentication can be used in combination with the
* {@link LoginModule} chain according to the description provided in
* http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
*
* Exercises:
*
* - {@link #testPreAuthenticatedLogin()}
* Modify the {@link CustomLoginModule}
* such that the simplified pre-auth in the test-case passes.
*
* - With the same setup at hand, explain why {@code CustomCredentials} must
* be package-private. Come up with a vulnerability/exploit if this credentials
* implementation were exposed to the public.
*
*
* Additional Exercises:
* -----------------------------------------------------------------------------
*
* In a Sling-based repository installation (Granite|CQ), make use of your
* understanding of pre-authentication with LoginModule chain involvement
* and define a dedicated bundle that comes with a package containing the
* following classes:
*
* - A Credentials implementation that is package-private and cannot be abused
* outside of the scope of this bundle.
* - Sling AuthenticationHandler implementation that performs the pre-auth and
* passes the package private Credentials to the repository login
* - LoginModule implementation (that receives the package private Credentials
* and updates the shared state accordingly).
*
*
* Related Exercises:
* -----------------------------------------------------------------------------
*
* - {@link L3_LoginModuleTest}
* - {@link L9_NullLoginTest}
*
* </pre>
*
* @see org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin
* @see <a href="http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html">Pre-Authentication Documentation</a>
*/
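public class L8_PreAuthTest extends AbstractSecurityTest {

    /**
     * Builds the JAAS configuration used by this test: a two-module chain in
     * which {@link CustomLoginModule} runs first as {@code OPTIONAL} and
     * {@link LoginModuleImpl} follows as {@code REQUIRED}. Both entries receive
     * the same option map, looked up by {@code applicationName} from the
     * security configuration parameters (an empty map if nothing is configured
     * for that name).
     *
     * @return a {@link Configuration} that yields the two-entry chain for any
     *         application name
     */
    @Override
    protected Configuration getConfiguration() {
        // Resolved once here and reused by the anonymous Configuration below;
        // previously this local was captured but never read, and the parameters
        // were looked up again on every getAppConfigurationEntry call.
        final ConfigurationParameters config = getSecurityConfigParameters();
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName) {
                Map<String, ?> options = config.getConfigValue(applicationName, Collections.<String, Object>emptyMap());
                return new AppConfigurationEntry[]{
                        new AppConfigurationEntry(CustomLoginModule.class.getName(),
                                AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, options),
                        new AppConfigurationEntry(LoginModuleImpl.class.getName(),
                                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
    }

    /**
     * Exercise: log in as the configured admin user with
     * {@link CustomCredentials} that carry no password and no attributes.
     * The login is expected to succeed only because the chain configured in
     * {@link #getConfiguration()} treats the credentials as already
     * pre-authenticated; no password check happens in this test.
     *
     * @throws IOException              if closing the session fails
     * @throws LoginException           if the JAAS login fails
     * @throws NoSuchWorkspaceException if the default workspace does not exist
     */
    @Test
    public void testPreAuthenticatedLogin() throws IOException, LoginException, NoSuchWorkspaceException {
        // EXERCISE: adjust the CustomLoginModule such that the following test passes;
        // the JAAS configuration has already been adjusted for you above.
        //
        // Login as admin with CustomCredentials and without a password.
        // -> no password verification in the module is required, as this is
        //    expected to have happened already during the pre-auth step (which
        //    is missing here). This is also why CustomCredentials must stay
        //    package-private: any code able to construct one obtains a session
        //    for the named user without ever presenting the password.
        String loginID = getUserConfiguration().getParameters().getConfigValue(UserConstants.DEFAULT_ADMIN_ID, UserConstants.DEFAULT_ADMIN_ID);
        ContentSession contentSession = login(new CustomCredentials(loginID, null, Collections.EMPTY_MAP));
        try {
            // EXERCISE: add verification of the AuthInfo according to your
            // implementation of the custom login module.
        } finally {
            // Close even when the verification above throws, so a failing
            // assertion does not leave the session open.
            contentSession.close();
        }
    }
}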