Repository: usergrid Updated Branches: refs/heads/master f2126086e -> b0fbf14eb
Revert "USERGRID-1300: localhost superuser setting" This reverts commit 7ea48c27885da00a9a1d2251702e02bfe8ddf1ef. Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/de6ecb91 Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/de6ecb91 Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/de6ecb91 Branch: refs/heads/master Commit: de6ecb91caafa352dc3e04c0867e0739df8bfe86 Parents: 29c287b Author: Mike Dunker <[email protected]> Authored: Wed Jun 15 14:31:16 2016 -0700 Committer: Mike Dunker <[email protected]> Committed: Wed Jun 15 14:31:16 2016 -0700 ---------------------------------------------------------------------- .../main/resources/usergrid-default.properties | 4 --- .../rest/management/ManagementResource.java | 4 +-- .../shiro/filters/BasicAuthSecurityFilter.java | 19 ++---------- .../management/AccountCreationProps.java | 3 +- .../usergrid/management/ManagementService.java | 6 +--- .../cassandra/AccountCreationPropsImpl.java | 17 ++--------- .../cassandra/ManagementServiceImpl.java | 32 ++++---------------- .../apache/usergrid/security/shiro/Realm.java | 6 ++++ .../shiro/principals/AdminUserPrincipal.java | 4 +-- .../usergrid/management/OrganizationIT.java | 2 +- .../cassandra/ManagementServiceIT.java | 6 ++-- 11 files changed, 26 insertions(+), 77 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/config/src/main/resources/usergrid-default.properties ---------------------------------------------------------------------- diff --git a/stack/config/src/main/resources/usergrid-default.properties b/stack/config/src/main/resources/usergrid-default.properties index d2141cf..0fc31ef 100644 --- a/stack/config/src/main/resources/usergrid-default.properties +++ b/stack/config/src/main/resources/usergrid-default.properties @@ -535,10 +535,6 @@ [email protected] usergrid.sysadmin.login.password=test usergrid.sysadmin.login.allowed=true -# if usergrid.sysadmin.login.allowed=true, only allows sysadmin login if request is localhost -# if usergrid.sysadmin.login.allowed=false, this property has no effect -usergrid.sysadmin.localhost.only=false - # Set admin notification email properties # usergrid.sysadmin.email= http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java index c4a921c..1aa75ee 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java @@ -220,7 +220,7 @@ public class ManagementResource extends AbstractContextResource { // do checking for different grant types if ( GrantType.PASSWORD.toString().equals( grant_type ) ) { try { - user = management.verifyAdminUserPasswordCredentials( username, password, ui ); + user = management.verifyAdminUserPasswordCredentials( username, password ); if ( user != null ) { if (logger.isTraceEnabled()) { @@ -438,7 +438,7 @@ public class ManagementResource extends AbstractContextResource { UserInfo user = null; try { - user = management.verifyAdminUserPasswordCredentials( username, password, ui ); + user = management.verifyAdminUserPasswordCredentials( username, password ); } catch ( Exception e1 ) { // intentionally empty http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java index 7d6b40c..a5d7272 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java @@ -25,7 +25,6 @@ import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.PreMatching; import javax.ws.rs.core.SecurityContext; import javax.ws.rs.ext.Provider; -import java.net.InetAddress; import java.security.Principal; import java.util.Map; @@ -66,25 +65,11 @@ public class BasicAuthSecurityFilter extends SecurityFilter { String sysadmin_login_password = properties.getProperty( "usergrid.sysadmin.login.password" ); boolean sysadmin_login_allowed = Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.login.allowed" ) ); - boolean sysadmin_localhost_only = - Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.localhost.only", "false" ) ); - - boolean is_localhost = false; - try { - is_localhost = InetAddress.getByName(request.getUriInfo().getBaseUri().getHost()).isLoopbackAddress(); - } - catch (Exception e) { - // won't treat as localhost - } - boolean password_match = password.equals( sysadmin_login_password ); - if ( name.equals( sysadmin_login_name ) && (password_match || is_localhost) - && sysadmin_login_allowed && (is_localhost || !sysadmin_localhost_only)) { + if ( name.equals( sysadmin_login_name ) && password.equals( sysadmin_login_password ) + && sysadmin_login_allowed ) { request.setSecurityContext( new SysAdminRoleAuthenticator() ); if (logger.isTraceEnabled()) { logger.trace("System administrator access allowed"); - if (!password_match) { - logger.trace("Allowed sysadmin password mismatch because accessing via localhost"); - } } } } http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java b/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java index a5a0751..17f2c6a 100644 --- a/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java +++ b/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java @@ -75,7 +75,6 @@ public interface AccountCreationProps { String PROPERTIES_SYSADMIN_LOGIN_EMAIL = "usergrid.sysadmin.login.email"; String PROPERTIES_SYSADMIN_LOGIN_NAME = "usergrid.sysadmin.login.name"; String PROPERTIES_SYSADMIN_LOGIN_ALLOWED = "usergrid.sysadmin.login.allowed"; - String PROPERTIES_SYSADMIN_LOCALHOST_ONLY = "usergrid.sysadmin.localhost.only"; String PROPERTIES_ADMIN_SYSADMIN_EMAIL = "usergrid.admin.sysadmin.email"; String PROPERTIES_ORG_SYSADMIN_EMAIL = "usergrid.org.sysadmin.email"; @@ -128,7 +127,7 @@ public interface AccountCreationProps { SuperUser getSuperUser(); interface SuperUser{ - boolean isEnabled(String host); + boolean isEnabled(); String getUsername(); String getEmail(); String getPassword(); http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java b/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java index 481f272..1d74ec3 100644 --- a/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java +++ b/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java @@ -39,8 +39,6 @@ import org.apache.usergrid.services.ServiceResults; import com.google.common.collect.BiMap; import rx.Observable; -import javax.ws.rs.core.UriInfo; - public interface ManagementService { @@ -270,9 +268,7 @@ public interface ManagementService { boolean verifyAdminUserPassword( UUID userId, String password ) throws Exception; - UserInfo verifyAdminUserPasswordCredentialsOnly( String name, String password ) throws Exception; - - UserInfo verifyAdminUserPasswordCredentials( String name, String password, UriInfo uriInfo ) throws Exception; + UserInfo verifyAdminUserPasswordCredentials( String name, String password ) throws Exception; UserInfo verifyMongoCredentials( String name, String nonce, String key ) throws Exception; http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java index 4077ef9..7c6a091 100644 --- a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java +++ b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java @@ -17,11 +17,9 @@ package org.apache.usergrid.management.cassandra; -import java.net.InetAddress; import java.util.Enumeration; import java.util.Properties; -import com.amazonaws.util.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.usergrid.management.AccountCreationProps; @@ -133,28 +131,17 @@ public class AccountCreationPropsImpl implements AccountCreationProps { private final String username; private final String email; private final String password; - private final boolean localhostOnly; public SuperUserImpl(Properties properties) { enabled = parseBoolean(properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_ALLOWED)); username = properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_NAME); email = properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_EMAIL); password = properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_PASSWORD); - localhostOnly = parseBoolean(properties.getProperty(PROPERTIES_SYSADMIN_LOCALHOST_ONLY, "false")); } @Override - public boolean isEnabled(String host) { - boolean isLocalhost = false; - // if host not passed in, assume not localhost - if (!StringUtils.isNullOrEmpty(host)) { - try { - isLocalhost = InetAddress.getByName(host).isLoopbackAddress(); - } catch (Exception e) { - // will treat as non-localhost - } - } - return superuserEnabled() && (isLocalhost || !localhostOnly); + public boolean isEnabled() { + return superuserEnabled(); } @Override http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java index bf20c6d..73a56c8 100644 --- a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java +++ b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java @@ -27,7 +27,6 @@ import com.google.inject.Injector; import org.apache.commons.codec.digest.DigestUtils; import org.apache.commons.lang.text.StrSubstitutor; import org.apache.shiro.UnavailableSecurityManagerException; -import org.apache.shiro.authc.ExcessiveAttemptsException; import org.apache.usergrid.corepersistence.service.AggregationService; import org.apache.usergrid.corepersistence.service.AggregationServiceFactory; import org.apache.usergrid.corepersistence.service.ApplicationService; @@ -77,7 +76,6 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import rx.Observable; -import javax.ws.rs.core.UriInfo; import java.nio.ByteBuffer; import java.util.*; import java.util.Map.Entry; @@ -359,13 +357,13 @@ public class ManagementServiceImpl implements ManagementService { logger.warn( "Test app creation disabled" ); } - if ( superuserShouldBeProvisioned() ) { + if ( superuserEnabled() ) { provisionSuperuser(); } } - public boolean superuserShouldBeProvisioned() { + public boolean superuserEnabled() { boolean superuser_enabled = getBooleanProperty( PROPERTIES_SYSADMIN_LOGIN_ALLOWED ); String superuser_username = properties.getProperty( PROPERTIES_SYSADMIN_LOGIN_NAME ); String superuser_email = properties.getProperty( PROPERTIES_SYSADMIN_LOGIN_EMAIL ); @@ -1349,27 +1347,10 @@ public class ManagementServiceImpl implements ManagementService { @Override - public UserInfo verifyAdminUserPasswordCredentials( String name, String password, UriInfo uriInfo ) throws Exception { - // uriInfo should not be null - Preconditions.checkArgument(uriInfo != null, "uriInfo parameter should not be null"); - - return verifyAdminUserPasswordCredentialsInternal(name, password, uriInfo); - } - - - @Override - public UserInfo verifyAdminUserPasswordCredentialsOnly( String name, String password ) throws Exception { - return verifyAdminUserPasswordCredentialsInternal(name, password, null); - } - - - private UserInfo verifyAdminUserPasswordCredentialsInternal( String name, String password, UriInfo uriInfo) - throws Exception { - - // null UriInfo means assume not a localhost request + public UserInfo verifyAdminUserPasswordCredentials( String name, String password ) throws Exception { if(logger.isTraceEnabled()){ - logger.trace("verifyAdminUserPasswordCredentialsInternal for {}", name); + logger.trace("verifyAdminUserPasswordCredentials for {}", name); } User user = findUserEntity( smf.getManagementAppId(), name ); @@ -1380,8 +1361,7 @@ public class ManagementServiceImpl implements ManagementService { if ( verify( smf.getManagementAppId(), user.getUuid(), password ) ) { UserInfo userInfo = getUserInfo( smf.getManagementAppId(), user ); - boolean userIsSuperAdmin = - properties.getSuperUser().isEnabled(uriInfo != null ? uriInfo.getBaseUri().getHost() : null) + boolean userIsSuperAdmin = properties.getSuperUser().isEnabled() && properties.getSuperUser().getEmail().equals(userInfo.getEmail()); boolean testUserEnabled = parseBoolean( properties.getProperty( PROPERTIES_SETUP_TEST_ACCOUNT ) ); @@ -1654,7 +1634,7 @@ public class ManagementServiceImpl implements ManagementService { Map<UUID, String> organizations; AccountCreationProps.SuperUser superUser = properties.getSuperUser(); - if ( superUser.isEnabled(null) && superUser.getUsername().equals( user.getUsername() ) ) { + if ( superUser.isEnabled() && superUser.getUsername().equals( user.getUsername() ) ) { int maxOrganizations = this.getAccountCreationProps().getMaxOrganizationsForSuperUserLogin(); organizations = buildOrgBiMap( getOrganizations( null, maxOrganizations ) ); } http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java index c8ca812..4381f01 100644 --- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java +++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java @@ -56,6 +56,12 @@ public class Realm extends AuthorizingRealm { private TokenService tokens; + @Value( "${" + PROPERTIES_SYSADMIN_LOGIN_ALLOWED + "}" ) + private boolean superUserEnabled; + @Value( "${" + AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_NAME + ":admin}" ) + private String superUser; + + public Realm() { setCredentialsMatcher(new AllowAllCredentialsMatcher()); setPermissionResolver(new CustomPermissionResolver()); http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java index fd4f0c5..a594d1e 100644 --- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java +++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java @@ -66,9 +66,9 @@ public class AdminUserPrincipal extends UserPrincipal { ApplicationInfo application = null; boolean superUserEnabled = false; - final String sysadminLoginAllowedProp = management.getProperties().getProperty( + final String s = management.getProperties().getProperty( AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_ALLOWED); - if ( sysadminLoginAllowedProp != null && "true".equalsIgnoreCase(sysadminLoginAllowedProp.trim())) { + if ( s != null && "true".equalsIgnoreCase(s.trim())) { superUserEnabled = true; } http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java ---------------------------------------------------------------------- diff --git a/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java b/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java index 44599a6..9d20dcb 100644 --- a/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java +++ b/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java @@ -103,7 +103,7 @@ public class OrganizationIT { setup.getEntityIndex().refresh(CpNamingUtils.MANAGEMENT_APPLICATION_ID); - UserInfo u = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( + UserInfo u = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( organization.getOwner().getUuid().toString(), "test" ); assertNotNull( u ); http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java ---------------------------------------------------------------------- diff --git a/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java b/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java index 83ceae9..6179a6d 100644 --- a/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java +++ b/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java @@ -480,15 +480,15 @@ public class ManagementServiceIT { EntityManager em = setup.getEmf().getEntityManager( setup.getSmf().getManagementAppId() ); setup.getEntityIndex().refresh(applicationId); - UserInfo authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( username, password ); + UserInfo authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( username, password ); assertEquals( adminUser.getUuid(), authedUser.getUuid() ); - authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( adminUser.getEmail(), password ); + authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( adminUser.getEmail(), password ); assertEquals( adminUser.getUuid(), authedUser.getUuid() ); - authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( adminUser.getUuid().toString(), password ); + authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( adminUser.getUuid().toString(), password ); assertEquals( adminUser.getUuid(), authedUser.getUuid() ); }
