(druid) branch master updated: Use cache for password hash while validating LDAP password (#15993)

Wed, 28 Feb 2024 05:03:44 -0800 

This is an automated email from the ASF dual-hosted git repository.

kfaraz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new f7572314200 Use cache for password hash while validating LDAP password 
(#15993)
f7572314200 is described below

commit f757231420037e2162c054ec4d58c30b7358c33c
Author: Kashif Faraz <[email protected]>
AuthorDate: Wed Feb 28 18:33:33 2024 +0530

    Use cache for password hash while validating LDAP password (#15993)
---
 .../basic/authentication/LdapUserPrincipal.java    |  4 +--
 .../validator/LDAPCredentialsValidator.java        | 13 ++++---
 .../validator/LDAPCredentialsValidatorTest.java    |  2 +-
 .../MetadataStoreCredentialsValidatorTest.java}    | 42 ++++++++++------------
 4 files changed, 28 insertions(+), 33 deletions(-)

diff --git 
a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java
 
b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java
index bb8845b8625..649e4d235da 100644
--- 
a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java
+++ 
b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java
@@ -92,9 +92,9 @@ public class LdapUserPrincipal implements Principal
     return lastVerified.get();
   }
 
-  public boolean hasSameCredentials(char[] password)
+  public boolean hasSameCredentials(char[] password, PasswordHashGenerator 
hashGenerator)
   {
-    byte[] recalculatedHash = PasswordHashGenerator.computePasswordHash(
+    byte[] recalculatedHash = hashGenerator.getOrComputePasswordHash(
         password,
         this.credentials.getSalt(),
         this.credentials.getIterations()
diff --git 
a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java
 
b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java
index 226904165fa..b3b52838bb3 100644
--- 
a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java
+++ 
b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java
@@ -153,14 +153,13 @@ public class LDAPCredentialsValidator implements 
CredentialsValidator
       char[] password
   )
   {
-    SearchResult userResult;
-    LdapName userDn;
-    Map<String, Object> contextMap = new HashMap<>();
+    final SearchResult userResult;
+    final LdapName userDn;
+    final Map<String, Object> contextMap = new HashMap<>();
+    final LdapUserPrincipal principal = this.cache.getOrExpire(username);
 
-    LdapUserPrincipal principal = this.cache.getOrExpire(username);
-    if (principal != null && principal.hasSameCredentials(password)) {
+    if (principal != null && principal.hasSameCredentials(password, 
hashGenerator)) {
       contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, 
principal.getSearchResult());
-      return new AuthenticationResult(username, authorizerName, 
authenticatorName, contextMap);
     } else {
       ClassLoader currentClassLoader = 
Thread.currentThread().getContextClassLoader();
       try {
@@ -208,8 +207,8 @@ public class LDAPCredentialsValidator implements 
CredentialsValidator
 
       this.cache.put(username, newPrincipal);
       contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult);
-      return new AuthenticationResult(username, authorizerName, 
authenticatorName, contextMap);
     }
+    return new AuthenticationResult(username, authorizerName, 
authenticatorName, contextMap);
   }
 
   /**
diff --git 
a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/LDAPCredentialsValidatorTest.java
 
b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/LDAPCredentialsValidatorTest.java
index 577312b39c2..7a1ae2cc917 100644
--- 
a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/LDAPCredentialsValidatorTest.java
+++ 
b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/LDAPCredentialsValidatorTest.java
@@ -36,7 +36,6 @@ import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.LdapContext;
 import javax.naming.spi.InitialContextFactory;
-
 import java.util.Collections;
 import java.util.Hashtable;
 import java.util.Iterator;
@@ -94,6 +93,7 @@ public class LDAPCredentialsValidatorTest
         properties
     );
     validator.validateCredentials("ldap", "ldap", "validUser", 
"password".toCharArray());
+    validator.validateCredentials("ldap", "ldap", "validUser", 
"password".toCharArray());
   }
 
   public static class MockContextFactory implements InitialContextFactory
diff --git 
a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java
 
b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidatorTest.java
similarity index 75%
rename from 
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java
rename to 
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidatorTest.java
index 4cd6cb33ec7..2e80575f2bf 100644
--- 
a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java
+++ 
b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidatorTest.java
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.druid.security.authentication.validator;
+package org.apache.druid.security.basic.authentication.validator;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.inject.Provider;
@@ -28,28 +28,21 @@ import 
org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticato
 import 
org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate;
 import 
org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
 import 
org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
-import 
org.apache.druid.security.basic.authentication.validator.MetadataStoreCredentialsValidator;
 import org.apache.druid.server.security.Access;
 import org.apache.druid.server.security.AuthenticationResult;
 import org.easymock.EasyMock;
 import org.junit.Assert;
-import org.junit.Rule;
 import org.junit.Test;
-import org.junit.rules.ExpectedException;
 
 import java.util.Map;
 
-public class DBCredentialsValidatorTest
+public class MetadataStoreCredentialsValidatorTest
 {
-
-  @Rule
-  public ExpectedException expectedException = ExpectedException.none();
-
-  private static BasicAuthenticatorCredentials USER_A_CREDENTIALS = new 
BasicAuthenticatorCredentials(
+  private static final BasicAuthenticatorCredentials USER_A_CREDENTIALS = new 
BasicAuthenticatorCredentials(
       new BasicAuthenticatorCredentialUpdate("helloworld", 20)
   );
 
-  private static Provider<BasicAuthenticatorCacheManager> 
CACHE_MANAGER_PROVIDER = Providers.of(
+  private static final Provider<BasicAuthenticatorCacheManager> 
CACHE_MANAGER_PROVIDER = Providers.of(
       new BasicAuthenticatorCacheManager()
       {
         @Override
@@ -69,9 +62,8 @@ public class DBCredentialsValidatorTest
       }
   );
 
-  private static MetadataStoreCredentialsValidator validator = new 
MetadataStoreCredentialsValidator(CACHE_MANAGER_PROVIDER);
-
-
+  private static final MetadataStoreCredentialsValidator VALIDATOR
+      = new MetadataStoreCredentialsValidator(CACHE_MANAGER_PROVIDER);
 
   @Test
   public void validateBadAuthenticator()
@@ -87,9 +79,11 @@ public class DBCredentialsValidatorTest
 
     MetadataStoreCredentialsValidator validator = new 
MetadataStoreCredentialsValidator(Providers.of(cacheManager));
 
-    expectedException.expect(IAE.class);
-    expectedException.expectMessage("No userMap is available for authenticator 
with prefix: [notbasic]");
-    validator.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
+    IAE exception = Assert.assertThrows(
+        IAE.class,
+        () -> validator.validateCredentials(authenticatorName, authorizerName, 
username, password.toCharArray())
+    );
+    Assert.assertEquals("No userMap is available for authenticator with 
prefix: [notbasic]", exception.getMessage());
 
     EasyMock.verify(cacheManager);
   }
@@ -102,7 +96,7 @@ public class DBCredentialsValidatorTest
     String username = "userB";
     String password = "helloworld";
 
-    AuthenticationResult result = 
validator.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
+    AuthenticationResult result = 
VALIDATOR.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
     Assert.assertNull(result);
   }
 
@@ -114,7 +108,7 @@ public class DBCredentialsValidatorTest
     String username = "userC";
     String password = "helloworld";
 
-    AuthenticationResult result = 
validator.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
+    AuthenticationResult result = 
VALIDATOR.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
     Assert.assertNull(result);
   }
 
@@ -126,7 +120,7 @@ public class DBCredentialsValidatorTest
     String username = "userA";
     String password = "helloworld";
 
-    AuthenticationResult result = 
validator.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
+    AuthenticationResult result = 
VALIDATOR.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
 
     Assert.assertNotNull(result);
     Assert.assertEquals(username, result.getIdentity());
@@ -143,8 +137,10 @@ public class DBCredentialsValidatorTest
     String username = "userA";
     String password = "badpassword";
 
-    expectedException.expect(BasicSecurityAuthenticationException.class);
-    expectedException.expectMessage(Access.DEFAULT_ERROR_MESSAGE);
-    validator.validateCredentials(authenticatorName, authorizerName, username, 
password.toCharArray());
+    Exception exception = Assert.assertThrows(
+        BasicSecurityAuthenticationException.class,
+        () -> VALIDATOR.validateCredentials(authenticatorName, authorizerName, 
username, password.toCharArray())
+    );
+    Assert.assertEquals(Access.DEFAULT_ERROR_MESSAGE, exception.getMessage());
   }
 }


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to