Author: lquack
Date: Thu Feb 4 16:14:12 2016
New Revision: 1728501
URL: http://svn.apache.org/viewvc?rev=1728501&view=rev
Log:
QPID-7035: [Java Broker] Addressed Rob's review comments
* Fix broken scram password upgrade code to use correct iteration count
* Use scram iteration count from context where possible
* Get rid of DatatypeConverter where unneeded
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainPasswordDatabaseAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabaseTest.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabase.java
Thu Feb 4 16:14:12 2016
@@ -36,6 +36,7 @@ import javax.security.sasl.SaslServer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.model.AuthenticationProvider;
import
org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;
import
org.apache.qpid.server.security.auth.manager.ScramSHA1AuthenticationManager;
import
org.apache.qpid.server.security.auth.manager.ScramSHA256AuthenticationManager;
@@ -65,7 +66,7 @@ public class PlainPasswordFilePrincipalD
private final ScramSaslServerSourceAdapter _scramSha256Adapter;
- public PlainPasswordFilePrincipalDatabase()
+ public PlainPasswordFilePrincipalDatabase(AuthenticationProvider<?>
authenticationProvider)
{
PlainInitialiser plainInitialiser = new PlainInitialiser();
plainInitialiser.initialise(this);
@@ -88,8 +89,9 @@ public class PlainPasswordFilePrincipalD
}
};
- _scramSha1Adapter = new
ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA1", "SHA-1", passwordSource);
- _scramSha256Adapter = new
ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA256", "SHA-256", passwordSource);
+ final int scramIterationCount =
authenticationProvider.getContextValue(Integer.class,
AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT);
+ _scramSha1Adapter = new
ScramSaslServerSourceAdapter(scramIterationCount, "HmacSHA1", "SHA-1",
passwordSource);
+ _scramSha256Adapter = new
ScramSaslServerSourceAdapter(scramIterationCount, "HmacSHA256", "SHA-256",
passwordSource);
}
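Review bot: The value returned by `getContextValue(Integer.class, QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)` on lines 58-59 is assigned straight to a primitive `int`, so a missing or malformed context entry would surface as a NullPointerException from auto-unboxing (or a conversion exception) rather than as a configuration error, unless a default for this key is declared elsewhere in the manager, which is not visible here. The count is also never range-checked even though it is presumably the PBKDF2 round count the adapters derive SCRAM keys with and is later advertised to clients in the server-first message, so a zero or negative value would be accepted silently. I would add after line 59 `if (scramIterationCount < 1) { throw new IllegalConfigurationException("SCRAM iteration count must be positive: " + scramIterationCount); }` (the project's `IllegalConfigurationException` is already used by the tests below) and consider enforcing the RFC 5802 recommended floor of 4096. The constructor body continues past the end of this hunk.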
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.java
Thu Feb 4 16:14:12 2016
@@ -154,6 +154,7 @@ public abstract class AbstractScramAuthe
private void updateStoredPasswordFormatIfNecessary(final ManagedUser user)
{
+ final int oldDefaultIterationCount = 4096;
final String[] passwordFields = user.getPassword().split(",");
if (passwordFields.length == 2)
{
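Review bot: The literal `4096` on line 81 is only correct because it is the iteration count the legacy two- and four-field records were derived with, yet nothing in the code says so; a future reader may well replace it with `getIterationCount()` again, which is exactly the bug this commit fixes. I would lift it to a documented class constant, `/** Iteration count used by the pre-5-field stored password formats; must never track the configured value. */ private static final int LEGACY_ITERATION_COUNT = 4096;`, and use it in both upgrade branches. This assumes 4096 was the only default earlier releases ever wrote; if some version used a different count, the upgrade would produce stored/server keys that never verify, with no error at upgrade time. updateStoredPasswordFormatIfNecessary continues beyond this hunk.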
@@ -171,7 +172,7 @@ public abstract class AbstractScramAuthe
+ "," // remove previously insecure salted
password field
+
DatatypeConverter.printBase64Binary(storedKey) + ","
+
DatatypeConverter.printBase64Binary(serverKey) + ","
- +
DatatypeConverter.printInt(getIterationCount());
+ + oldDefaultIterationCount;
user.setPassword(password);
}
@@ -186,7 +187,7 @@ public abstract class AbstractScramAuthe
+ "," // remove previously insecure salted password field
+ passwordFields[PasswordField.STORED_KEY.ordinal()] + ","
+ passwordFields[PasswordField.SERVER_KEY.ordinal()] + ","
- + DatatypeConverter.printInt(getIterationCount());
+ + oldDefaultIterationCount;
user.setPassword(password);
}
else if (passwordFields.length != 5)
@@ -259,7 +260,7 @@ public abstract class AbstractScramAuthe
+ "," // leave insecure salted password field blank
+ DatatypeConverter.printBase64Binary(storedKey) + ","
+ DatatypeConverter.printBase64Binary(serverKey) + ","
- + DatatypeConverter.printInt(iterationCount);
+ + iterationCount;
}
catch (NoSuchAlgorithmException e)
{
@@ -304,7 +305,7 @@ public abstract class AbstractScramAuthe
salt =
DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SALT.ordinal()]);
storedKey =
DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.STORED_KEY.ordinal()]);
serverKey =
DatatypeConverter.parseBase64Binary(passwordFields[PasswordField.SERVER_KEY.ordinal()]);
- iterationCount =
DatatypeConverter.parseInt(passwordFields[PasswordField.ITERATION_COUNT.ordinal()]);
+ iterationCount =
Integer.parseInt(passwordFields[PasswordField.ITERATION_COUNT.ordinal()]);
exception = null;
}
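Review bot: The `Integer.parseInt` on lines 124-125 still lets a non-positive ITERATION_COUNT field through, although the parsed value is, as far as the diff shows, what `ScramSaslServer` sends to the client as `i=` and what the key-derivation paths use as the round count. A corrupt or tampered record should be rejected here rather than passed on, e.g. `if (iterationCount < 1) { throw new IllegalArgumentException("Invalid SCRAM iteration count in stored password"); }` placed before `exception = null;`. `DatatypeConverter.parseInt` also threw NumberFormatException on bad input, so the exception type seen by the surrounding handler should be unchanged, but that handler and the enclosing method are outside the hunk.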
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainAuthenticationProvider.java
Thu Feb 4 16:14:12 2016
@@ -80,9 +80,9 @@ public class PlainAuthenticationProvider
};
-
- _scramSha1Adapter = new
ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA1", "SHA-1", passwordSource);
- _scramSha256Adapter = new
ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA256", "SHA-256", passwordSource);
+ final int scramIterationCount = getContextValue(Integer.class,
AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT);
+ _scramSha1Adapter = new
ScramSaslServerSourceAdapter(scramIterationCount, "HmacSHA1", "SHA-1",
passwordSource);
+ _scramSha256Adapter = new
ScramSaslServerSourceAdapter(scramIterationCount, "HmacSHA256", "SHA-256",
passwordSource);
}
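Review bot: Lines 148-155 are now the third verbatim copy of the same sequence (read the context value, build the SHA-1 and SHA-256 adapters from it), alongside PlainPasswordFilePrincipalDatabase and SimpleAuthenticationManager in this same commit, and none of the three validates the count or guards against a null context value being unboxed into `final int`. A single shared factory that takes the iteration count and the password source and returns both adapters would put the validation in one place and keep the three providers from drifting. At minimum I would add a comment at line 148, `// context value is the PBKDF2 round count used for SCRAM key derivation; must be positive`, so the security relevance of the setting is recorded where it is read. The constructor this sits in starts before the hunk.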
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainPasswordDatabaseAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainPasswordDatabaseAuthenticationManager.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainPasswordDatabaseAuthenticationManager.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PlainPasswordDatabaseAuthenticationManager.java
Thu Feb 4 16:14:12 2016
@@ -42,6 +42,6 @@ public class PlainPasswordDatabaseAuthen
@Override
protected PrincipalDatabase createDatabase()
{
- return new PlainPasswordFilePrincipalDatabase();
+ return new PlainPasswordFilePrincipalDatabase(this);
}
}
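Review bot: `new PlainPasswordFilePrincipalDatabase(this)` on line 173 publishes `this` from an overridable method, and the database's constructor immediately calls `getContextValue` on it; if `createDatabase()` is invoked by the superclass constructor (the caller is not visible here), the provider is not yet fully constructed and the context lookup may see an incomplete object. A comment recording the assumption, `// createDatabase() must only run once this provider's context is resolved`, would make the dependency explicit; alternatively resolve the iteration count here and pass an `int` to the database instead of the provider, which removes the escape entirely.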
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java
Thu Feb 4 16:14:12 2016
@@ -80,8 +80,9 @@ public class SimpleAuthenticationManager
}
};
- _scramSha1Adapter = new
ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA1", "SHA-1", passwordSource);
- _scramSha256Adapter = new
ScramSaslServerSourceAdapter(AbstractScramAuthenticationManager.DEFAULT_ITERATION_COUNT,
"HmacSHA256", "SHA-256", passwordSource);
+ final int scramIterationCount = getContextValue(Integer.class,
AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT);
+ _scramSha1Adapter = new
ScramSaslServerSourceAdapter(scramIterationCount, "HmacSHA1", "SHA-1",
passwordSource);
+ _scramSha256Adapter = new
ScramSaslServerSourceAdapter(scramIterationCount, "HmacSHA256", "SHA-256",
passwordSource);
}
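Review bot: The `final int scramIterationCount = getContextValue(Integer.class, ...)` on lines 196-197 will throw a NullPointerException from unboxing if the context key is unset and no default is declared for it, which is not visible in this hunk; a configuration problem in an authentication provider should fail with a descriptive error rather than an NPE during construction. Consider `final Integer configured = getContextValue(Integer.class, AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT); if (configured == null || configured < 1) { throw new IllegalConfigurationException("Invalid SCRAM iteration count: " + configured); }` and then use `configured` for both adapters. The same check belongs in the two sibling providers changed by this commit.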
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.java
Thu Feb 4 16:14:12 2016
@@ -129,7 +129,7 @@ public class ScramSaslServer implements
_nonce = parts[3].substring(2) + UUID.randomUUID().toString();
_saltAndPassword = _authManager.getSaltAndPasswordKeys(_username);
- _serverFirstMessage = "r="+_nonce+",s="+
DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i=" +
DatatypeConverter.printInt(_saltAndPassword.getIterationCount());
+ _serverFirstMessage = "r="+_nonce+",s="+
DatatypeConverter.printBase64Binary(_saltAndPassword.getSalt())+",i=" +
_saltAndPassword.getIterationCount();
return _serverFirstMessage.getBytes(ASCII);
}
Modified:
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabaseTest.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabaseTest.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabaseTest.java
(original)
+++
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/database/PlainPasswordFilePrincipalDatabaseTest.java
Thu Feb 4 16:14:12 2016
@@ -20,7 +20,12 @@
*/
package org.apache.qpid.server.security.auth.database;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
+import
org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;
import org.apache.qpid.test.utils.QpidTestCase;
import javax.security.auth.login.AccountNotFoundException;
@@ -50,7 +55,9 @@ public class PlainPasswordFilePrincipalD
public void setUp() throws Exception
{
- _database = new PlainPasswordFilePrincipalDatabase();
+ final AuthenticationProvider mockAuthenticationProvider =
mock(AuthenticationProvider.class);
+ when(mockAuthenticationProvider.getContextValue(Integer.class,
AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)).thenReturn(4096);
+ _database = new
PlainPasswordFilePrincipalDatabase(mockAuthenticationProvider);
_testPwdFiles.clear();
}
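Review bot: Every test in this commit stubs the context value to 4096 on lines 256-257, which is the very default the old hard-coded `DEFAULT_ITERATION_COUNT` presumably had, so the suite cannot tell whether the context value is honoured at all. One test that stubs a different count (say 8192) and checks the value the SCRAM adapter advertises, for example the `i=` attribute of the server-first message, would pin the behaviour this commit introduces. The mock on lines 254-255 is also declared with the raw `AuthenticationProvider` type; `final AuthenticationProvider<?> mockAuthenticationProvider = mock(AuthenticationProvider.class);` matches the new constructor parameter and avoids the unchecked warning.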
Modified:
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java?rev=1728501&r1=1728500&r2=1728501&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
(original)
+++
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManagerTest.java
Thu Feb 4 16:14:12 2016
@@ -40,6 +40,7 @@ import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import
org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
@@ -124,7 +125,9 @@ public class PrincipalDatabaseAuthentica
public void testInitialiseWhenPasswordFileNotFound() throws Exception
{
- _principalDatabase = new PlainPasswordFilePrincipalDatabase();
+ AuthenticationProvider mockAuthProvider =
mock(AuthenticationProvider.class);
+ when(mockAuthProvider.getContextValue(Integer.class,
AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)).thenReturn(4096);
+ _principalDatabase = new
PlainPasswordFilePrincipalDatabase(mockAuthProvider);
setupManager(true);
try
{
@@ -140,7 +143,9 @@ public class PrincipalDatabaseAuthentica
public void testInitialiseWhenPasswordFileExists() throws Exception
{
- _principalDatabase = new PlainPasswordFilePrincipalDatabase();
+ AuthenticationProvider mockAuthProvider =
mock(AuthenticationProvider.class);
+ when(mockAuthProvider.getContextValue(Integer.class,
AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)).thenReturn(4096);
+ _principalDatabase = new
PlainPasswordFilePrincipalDatabase(mockAuthProvider);
setupManager(true);
File f = new File(_passwordFileLocation);
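Review bot: The mock setup on lines 298-301 duplicates lines 285-288 (and the equivalent block in PlainPasswordFilePrincipalDatabaseTest); a private helper such as `private AuthenticationProvider<?> createMockAuthProvider(final int iterationCount)` that returns the stubbed mock would make a later change to the context key or to the default a single edit. Both tests also stub 4096 only, so neither exercises a non-default iteration count. testInitialiseWhenPasswordFileExists continues beyond the hunk.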