RC9/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java - qpid - Git at Google

 /*
  *  Licensed to the Apache Software Foundation (ASF) under one
  *  or more contributor license agreements.  See the NOTICE file
  *  distributed with this work for additional information
  *  regarding copyright ownership.  The ASF licenses this file
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
  *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
  *  under the License.
  *
  *
  */
 package org.apache.qpid.server.security.auth.manager;

 import org.apache.log4j.Logger;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.configuration.ConfigurationException;
 import org.apache.qpid.server.registry.ApplicationRegistry;
 import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
 import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
 import org.apache.qpid.server.security.auth.sasl.JCAProvider;
 import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
 import org.apache.qpid.server.security.auth.AuthenticationResult;

 import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.SaslServerFactory;
 import javax.security.sasl.SaslServer;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.Sasl;
 import java.util.Map;
 import java.util.HashMap;
 import java.util.TreeMap;
 import java.security.Security;

 public class PrincipalDatabaseAuthenticationManager implements AuthenticationManager
 {
     private static final Logger _logger = Logger.getLogger(PrincipalDatabaseAuthenticationManager.class);

     /** The list of mechanisms, in the order in which they are configured (i.e. preferred order) */
     private String _mechanisms;

     /** Maps from the mechanism to the callback handler to use for handling those requests */
     private Map<String, CallbackHandler> _callbackHandlerMap = new HashMap<String, CallbackHandler>();

     /**
      * Maps from the mechanism to the properties used to initialise the server. See the method Sasl.createSaslServer for
      * details of the use of these properties. This map is populated during initialisation of each provider.
      */
     private Map<String, Map<String, ?>> _serverCreationProperties = new HashMap<String, Map<String, ?>>();

     private AuthenticationManager _default = null;
     /** The name for the required SASL Server mechanisms */
     public static final String PROVIDER_NAME= "AMQSASLProvider-Server";

     public PrincipalDatabaseAuthenticationManager(String name, Configuration hostConfig) throws Exception
     {
         _logger.info("Initialising " + (name == null ? "Default" : "'" + name + "'")
                      + " PrincipleDatabase authentication manager.");

         // Fixme This should be done per Vhost but allowing global hack isn't right but ...
         // required as authentication is done before Vhost selection

         Map<String, Class<? extends SaslServerFactory>> providerMap = new TreeMap<String, Class<? extends SaslServerFactory>>();


         if (name == null || hostConfig == null)
         {
             initialiseAuthenticationMechanisms(providerMap, ApplicationRegistry.getInstance().getDatabaseManager().getDatabases());
         }
         else
         {
             String databaseName = hostConfig.getString("security.authentication.name");

             if (databaseName == null)
             {

                 _default = ApplicationRegistry.getInstance().getAuthenticationManager();
                 return;
             }
             else
             {
                 PrincipalDatabase database = ApplicationRegistry.getInstance().getDatabaseManager().getDatabases().get(databaseName);

                 if (database == null)
                 {
                     throw new ConfigurationException("Requested database:" + databaseName + " was not found");
                 }

                 initialiseAuthenticationMechanisms(providerMap, database);
             }
         }

         if (providerMap.size() > 0)
         {
             // Ensure we are used before the defaults
             if (Security.insertProviderAt(new JCAProvider(PROVIDER_NAME, providerMap), 1) == -1)
             {
                 _logger.error("Unable to load custom SASL providers. Qpid custom SASL authenticators unavailable.");
             }
             else
             {
                 _logger.info("Additional SASL providers successfully registered.");
             }

         }
         else
         {
             _logger.warn("No additional SASL providers registered.");
         }

     }


     private void initialiseAuthenticationMechanisms(Map<String, Class<? extends SaslServerFactory>> providerMap, Map<String, PrincipalDatabase> databases) throws Exception
     {
 //        Configuration config = ApplicationRegistry.getInstance().getConfiguration();
 //        List<String> mechanisms = config.getList("security.sasl.mechanisms.mechanism.initialiser.class");
 //
 //        // Maps from the mechanism to the properties used to initialise the server. See the method
 //        // Sasl.createSaslServer for details of the use of these properties. This map is populated during initialisation
 //        // of each provider.


         if (databases.size() > 1)
         {
             _logger.warn("More than one principle database provided currently authentication mechanism will override each other.");
         }

         for (Map.Entry<String, PrincipalDatabase> entry : databases.entrySet())
         {

             // fixme As the database now provide the mechanisms they support, they will ...
             // overwrite each other in the map. There should only be one database per vhost.
             // But currently we must have authentication before vhost definition.
             initialiseAuthenticationMechanisms(providerMap, entry.getValue());
         }

     }

     private void initialiseAuthenticationMechanisms(Map<String, Class<? extends SaslServerFactory>> providerMap, PrincipalDatabase database) throws Exception
     {
         if (database == null || database.getMechanisms().size() == 0)
         {
             _logger.warn("No Database or no mechanisms to initialise authentication");
             return;
         }

         for (Map.Entry<String, AuthenticationProviderInitialiser> mechanism : database.getMechanisms().entrySet())
         {
             initialiseAuthenticationMechanism(mechanism.getKey(), mechanism.getValue(), providerMap);
         }
     }

     private void initialiseAuthenticationMechanism(String mechanism, AuthenticationProviderInitialiser initialiser,
                                                    Map<String, Class<? extends SaslServerFactory>> providerMap)
             throws Exception
     {
         if (_mechanisms == null)
         {
             _mechanisms = mechanism;
         }
         else
         {
             // simple append should be fine since the number of mechanisms is small and this is a one time initialisation
             _mechanisms = _mechanisms + " " + mechanism;
         }
         _callbackHandlerMap.put(mechanism, initialiser.getCallbackHandler());
         _serverCreationProperties.put(mechanism, initialiser.getProperties());
         Class<? extends SaslServerFactory> factory = initialiser.getServerFactoryClassForJCARegistration();
         if (factory != null)
         {
             providerMap.put(mechanism, factory);
         }
         _logger.info("Initialised " + mechanism + " SASL provider successfully");
     }

     public String getMechanisms()
     {
         if (_default != null)
         {
             // Use the default AuthenticationManager if present
             return _default.getMechanisms();
         }
         else
         {
             return _mechanisms;
         }
     }

     public SaslServer createSaslServer(String mechanism, String localFQDN) throws SaslException
     {
         if (_default != null)
         {
             // Use the default AuthenticationManager if present
             return _default.createSaslServer(mechanism, localFQDN);
         }
         else
         {
             return Sasl.createSaslServer(mechanism, "AMQP", localFQDN, _serverCreationProperties.get(mechanism),
                                          _callbackHandlerMap.get(mechanism));
         }

     }

     public AuthenticationResult authenticate(SaslServer server, byte[] response)
     {
         // Use the default AuthenticationManager if present
         if (_default != null)
         {
             return _default.authenticate(server, response);
         }


         try
         {
             // Process response from the client
             byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);

             if (server.isComplete())
             {
                 return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.SUCCESS);
             }
             else
             {
                 return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
             }
         }
         catch (SaslException e)
         {
             return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
         }
     }

     public void close()
     {
         Security.removeProvider(PROVIDER_NAME);
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*
	*/
	package org.apache.qpid.server.security.auth.manager;

	import org.apache.log4j.Logger;
	import org.apache.commons.configuration.Configuration;
	import org.apache.commons.configuration.ConfigurationException;
	import org.apache.qpid.server.registry.ApplicationRegistry;
	import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
	import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
	import org.apache.qpid.server.security.auth.sasl.JCAProvider;
	import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
	import org.apache.qpid.server.security.auth.AuthenticationResult;

	import javax.security.auth.callback.CallbackHandler;
	import javax.security.sasl.SaslServerFactory;
	import javax.security.sasl.SaslServer;
	import javax.security.sasl.SaslException;
	import javax.security.sasl.Sasl;
	import java.util.Map;
	import java.util.HashMap;
	import java.util.TreeMap;
	import java.security.Security;

	public class PrincipalDatabaseAuthenticationManager implements AuthenticationManager
	{
	private static final Logger _logger = Logger.getLogger(PrincipalDatabaseAuthenticationManager.class);

	/** The list of mechanisms, in the order in which they are configured (i.e. preferred order) */
	private String _mechanisms;

	/** Maps from the mechanism to the callback handler to use for handling those requests */
	private Map<String, CallbackHandler> _callbackHandlerMap = new HashMap<String, CallbackHandler>();

	/**
	* Maps from the mechanism to the properties used to initialise the server. See the method Sasl.createSaslServer for
	* details of the use of these properties. This map is populated during initialisation of each provider.
	*/
	private Map<String, Map<String, ?>> _serverCreationProperties = new HashMap<String, Map<String, ?>>();

	private AuthenticationManager _default = null;
	/** The name for the required SASL Server mechanisms */
	public static final String PROVIDER_NAME= "AMQSASLProvider-Server";

	public PrincipalDatabaseAuthenticationManager(String name, Configuration hostConfig) throws Exception
	{
	_logger.info("Initialising " + (name == null ? "Default" : "'" + name + "'")
	+ " PrincipleDatabase authentication manager.");

	// Fixme This should be done per Vhost but allowing global hack isn't right but ...
	// required as authentication is done before Vhost selection

	Map<String, Class<? extends SaslServerFactory>> providerMap = new TreeMap<String, Class<? extends SaslServerFactory>>();


	if (name == null \|\| hostConfig == null)
	{
	initialiseAuthenticationMechanisms(providerMap, ApplicationRegistry.getInstance().getDatabaseManager().getDatabases());
	}
	else
	{
	String databaseName = hostConfig.getString("security.authentication.name");

	if (databaseName == null)
	{

	_default = ApplicationRegistry.getInstance().getAuthenticationManager();
	return;
	}
	else
	{
	PrincipalDatabase database = ApplicationRegistry.getInstance().getDatabaseManager().getDatabases().get(databaseName);

	if (database == null)
	{
	throw new ConfigurationException("Requested database:" + databaseName + " was not found");
	}

	initialiseAuthenticationMechanisms(providerMap, database);
	}
	}

	if (providerMap.size() > 0)
	{
	// Ensure we are used before the defaults
	if (Security.insertProviderAt(new JCAProvider(PROVIDER_NAME, providerMap), 1) == -1)
	{
	_logger.error("Unable to load custom SASL providers. Qpid custom SASL authenticators unavailable.");
	}
	else
	{
	_logger.info("Additional SASL providers successfully registered.");
	}

	}
	else
	{
	_logger.warn("No additional SASL providers registered.");
	}

	}


	private void initialiseAuthenticationMechanisms(Map<String, Class<? extends SaslServerFactory>> providerMap, Map<String, PrincipalDatabase> databases) throws Exception
	{
	// Configuration config = ApplicationRegistry.getInstance().getConfiguration();
	// List<String> mechanisms = config.getList("security.sasl.mechanisms.mechanism.initialiser.class");
	//
	// // Maps from the mechanism to the properties used to initialise the server. See the method
	// // Sasl.createSaslServer for details of the use of these properties. This map is populated during initialisation
	// // of each provider.


	if (databases.size() > 1)
	{
	_logger.warn("More than one principle database provided currently authentication mechanism will override each other.");
	}

	for (Map.Entry<String, PrincipalDatabase> entry : databases.entrySet())
	{

	// fixme As the database now provide the mechanisms they support, they will ...
	// overwrite each other in the map. There should only be one database per vhost.
	// But currently we must have authentication before vhost definition.
	initialiseAuthenticationMechanisms(providerMap, entry.getValue());
	}

	}

	private void initialiseAuthenticationMechanisms(Map<String, Class<? extends SaslServerFactory>> providerMap, PrincipalDatabase database) throws Exception
	{
	if (database == null \|\| database.getMechanisms().size() == 0)
	{
	_logger.warn("No Database or no mechanisms to initialise authentication");
	return;
	}

	for (Map.Entry<String, AuthenticationProviderInitialiser> mechanism : database.getMechanisms().entrySet())
	{
	initialiseAuthenticationMechanism(mechanism.getKey(), mechanism.getValue(), providerMap);
	}
	}

	private void initialiseAuthenticationMechanism(String mechanism, AuthenticationProviderInitialiser initialiser,
	Map<String, Class<? extends SaslServerFactory>> providerMap)
	throws Exception
	{
	if (_mechanisms == null)
	{
	_mechanisms = mechanism;
	}
	else
	{
	// simple append should be fine since the number of mechanisms is small and this is a one time initialisation
	_mechanisms = _mechanisms + " " + mechanism;
	}
	_callbackHandlerMap.put(mechanism, initialiser.getCallbackHandler());
	_serverCreationProperties.put(mechanism, initialiser.getProperties());
	Class<? extends SaslServerFactory> factory = initialiser.getServerFactoryClassForJCARegistration();
	if (factory != null)
	{
	providerMap.put(mechanism, factory);
	}
	_logger.info("Initialised " + mechanism + " SASL provider successfully");
	}

	public String getMechanisms()
	{
	if (_default != null)
	{
	// Use the default AuthenticationManager if present
	return _default.getMechanisms();
	}
	else
	{
	return _mechanisms;
	}
	}

	public SaslServer createSaslServer(String mechanism, String localFQDN) throws SaslException
	{
	if (_default != null)
	{
	// Use the default AuthenticationManager if present
	return _default.createSaslServer(mechanism, localFQDN);
	}
	else
	{
	return Sasl.createSaslServer(mechanism, "AMQP", localFQDN, _serverCreationProperties.get(mechanism),
	_callbackHandlerMap.get(mechanism));
	}

	}

	public AuthenticationResult authenticate(SaslServer server, byte[] response)
	{
	// Use the default AuthenticationManager if present
	if (_default != null)
	{
	return _default.authenticate(server, response);
	}


	try
	{
	// Process response from the client
	byte[] challenge = server.evaluateResponse(response != null ? response : new byte[0]);

	if (server.isComplete())
	{
	return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.SUCCESS);
	}
	else
	{
	return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
	}
	}
	catch (SaslException e)
	{
	return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
	}
	}

	public void close()
	{
	Security.removeProvider(PROVIDER_NAME);
	}
	}