broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManager.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.qpid.server.security.auth.manager;

import java.io.File;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.Container;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.server.security.auth.sasl.kerberos.KerberosNegotiator;

@ManagedObject( category = false, type = "Kerberos" )
public class KerberosAuthenticationManager extends AbstractAuthenticationManager<KerberosAuthenticationManager>
{
    private static final String JAAS_CONFIG_PROPERTY = "java.security.auth.login.config";
    private static final String GSSAPI_SERVER_NAME = "qpid.auth.gssapi.serverName";
    private static final String GSSAPI_SPNEGO_STRIP_REALM = "qpid.auth.gssapi.spnegoStripRealmFromPrincipalName";
    static final String GSSAPI_SPNEGO_CONFIG = "qpid.auth.gssapi.spnegoConfigScope";
    public static final String PROVIDER_TYPE = "Kerberos";
    public static final String GSSAPI_MECHANISM = "GSSAPI";

    private final Container<?> _container;
    private final SpnegoAuthenticator _authenticator;
    private volatile String _serverName;
    private volatile String _spnegoConfig;
    private volatile boolean _stripRealmFromPrincipalName;

    @ManagedObjectFactoryConstructor
    protected KerberosAuthenticationManager(final Map<String, Object> attributes, final Container<?> container)
    {
        super(attributes, container);
        _container = container;
        _authenticator = new SpnegoAuthenticator(this);
    }

    @Override
    protected void onOpen()
    {
        super.onOpen();
        final Set<String> contextKeys = getContextKeys(false);
        _serverName = contextKeys.contains(GSSAPI_SERVER_NAME) ?
                getContextValue(String.class, GSSAPI_SERVER_NAME) : null;
        _spnegoConfig = contextKeys.contains(GSSAPI_SPNEGO_CONFIG) ?
                getContextValue(String.class, GSSAPI_SPNEGO_CONFIG) : null;
        _stripRealmFromPrincipalName = contextKeys.contains(GSSAPI_SPNEGO_STRIP_REALM) ?
                getContextValue(Boolean.class, GSSAPI_SPNEGO_STRIP_REALM) : false;
    }

    @Override
    public List<String> getMechanisms()
    {
        return Collections.singletonList(GSSAPI_MECHANISM);
    }

    @Override
    public SaslNegotiator createSaslNegotiator(final String mechanism,
                                               final SaslSettings saslSettings,
                                               final NamedAddressSpace addressSpace)
    {
        if(GSSAPI_MECHANISM.equals(mechanism))
        {
            final String serverName = _serverName == null ? saslSettings.getLocalFQDN(): _serverName;
            return new KerberosNegotiator(this, serverName);
        }
        else
        {
            return null;
        }
    }

    public AuthenticationResult authenticate(String authorizationHeader)
    {
        return _authenticator.authenticate(authorizationHeader);
    }

    public String getSpnegoLoginConfigScope()
    {
        return _spnegoConfig;
    }

    public boolean isStripRealmFromPrincipalName()
    {
        return _stripRealmFromPrincipalName;
    }

    @Override
    protected void validateOnCreate()
    {
        super.validateOnCreate();
        validate(this);

        if (_container.getChildren(AuthenticationProvider.class)
                .stream()
                .anyMatch(p -> p instanceof KerberosAuthenticationManager && p != this))
        {
            throw new IllegalConfigurationException("Another Kerberos authentication provider already exists."
                    + " Only one Kerberos authentication provider can be created.");
        }
    }

    @Override
    protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
    {
        super.validateChange(proxyForValidation, changedAttributes);
    }

    private void validate(final ConfiguredObject<?> authenticationProvider)
    {
        final String config = System.getProperty(JAAS_CONFIG_PROPERTY);
        if (config != null && !new File(config).exists())
        {
            throw new IllegalConfigurationException(String.format(
                    "A path to non-existing file is specified in JVM system property '%s'", JAAS_CONFIG_PROPERTY));
        }
    }
}