Enhance superuser basic auth filter to login to shiro with a token just like the sysadmin tokens.
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/e6600b84 Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/e6600b84 Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/e6600b84 Branch: refs/heads/master Commit: e6600b84ef81ebc4eda64fa9cd2dfddb42e8ab1b Parents: 016b7fa Author: Michael Russo <[email protected]> Authored: Fri Sep 9 23:43:59 2016 -0700 Committer: Michael Russo <[email protected]> Committed: Fri Sep 9 23:43:59 2016 -0700 ---------------------------------------------------------------------- .../actorsystem/ActorSystemManagerImpl.java | 2 +- .../actorsystem/ClusterListener.java | 1 + .../security/SecuredResourceFilterFactory.java | 35 ++++----- .../shiro/filters/BasicAuthSecurityFilter.java | 76 +++++++++----------- .../AbstractPasswordCredentials.java | 3 +- .../shiro/credentials/AdminUserPassword.java | 2 + 6 files changed, 52 insertions(+), 67 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java ---------------------------------------------------------------------- diff --git a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java index 5a36656..ed9344c 100644 --- a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java +++ b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java @@ -194,7 +194,7 @@ public class ActorSystemManagerImpl implements ActorSystemManager { clusterSystem = createClusterSystem( config ); // register our cluster listener - clusterSystem.actorOf(Props.create(ClusterListener.class), + clusterSystem.actorOf(Props.create(ClusterListener.class, getSeedsByRegion(), getCurrentRegion()), "clusterListener"); createClientActors( clusterSystem ); http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java ---------------------------------------------------------------------- diff --git a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java index 44473a7..a568295 100644 --- a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java +++ b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java @@ -38,6 +38,7 @@ public class ClusterListener extends UntypedActor { public ClusterListener( ListMultimap<String, String> seedsByRegion, String currentRegion ){ + // providing these to the lister as they may be used in near future to handle custom logic on member events this.seedsByRegion = seedsByRegion; this.currentRegion = currentRegion; } http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java index f1f6c17..80d9074 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java @@ -254,7 +254,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature { logger.trace("SysadminLocalhostFilter.authorize"); } - if ( !isServiceAdmin() && !isBasicAuthServiceAdmin(request)) { + if ( !isServiceAdmin() ) { // not a sysadmin request return; } @@ -303,7 +303,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature { logger.trace("OrganizationFilter.authorize"); } - if ( !isPermittedAccessToOrganization( getOrganizationIdentifier() ) && !isBasicAuthServiceAdmin(request) ) { + if ( !isPermittedAccessToOrganization( getOrganizationIdentifier() ) ) { if (logger.isTraceEnabled()) { logger.trace("No organization access authorized"); } @@ -375,7 +375,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature { throw mappableSecurityException( "unauthorized", "No application guest access authorized" ); } } - if ( !isPermittedAccessToApplication( getApplicationIdentifier() ) && !isBasicAuthServiceAdmin(request) ) { + if ( !isPermittedAccessToApplication( getApplicationIdentifier() ) ) { throw mappableSecurityException( "unauthorized", "No application access authorized" ); } } @@ -397,7 +397,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature { logger.trace("SystemFilter.authorize"); } try { - if (!isBasicAuthServiceAdmin(request) && !isServiceAdmin()) { + if (!isServiceAdmin()) { if (logger.isTraceEnabled()) { logger.trace("You are not the system admin."); } @@ -405,14 +405,11 @@ public class SecuredResourceFilterFactory implements DynamicFeature { SecurityException.REALM ); } } catch (IllegalStateException e) { - if (logger.isDebugEnabled()) { - logger.debug("This is an invalid state", e); - } - if ((request.getSecurityContext().getUserPrincipal() == null) || - !ROLE_SERVICE_ADMIN.equals( request.getSecurityContext().getUserPrincipal().getName() )) { - throw mappableSecurityException( "unauthorized", "No system access authorized", - SecurityException.REALM ); - } + + logger.error("This is an invalid state", e); + throw mappableSecurityException( "unauthorized", "No system access authorized", + SecurityException.REALM ); + } } @@ -429,7 +426,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature { if (logger.isTraceEnabled()) { logger.trace("AdminUserFilter.authorize"); } - if (!isUser( getUserIdentifier() ) && !isServiceAdmin() && !isBasicAuthServiceAdmin(request) ) { + if (!isUser( getUserIdentifier() ) && !isServiceAdmin() ) { throw mappableSecurityException( "unauthorized", "No admin user access authorized" ); } } @@ -471,7 +468,10 @@ public class SecuredResourceFilterFactory implements DynamicFeature { logger.debug( "PathPermissionsFilter.authorize" ); } - if ( isServiceAdmin() || isBasicAuthServiceAdmin(request)){ + if ( isServiceAdmin() ){ + if(logger.isTraceEnabled()){ + logger.trace("User is sysadmin. Allowing access."); + } // superuser can do anything, short circuit here and allow the request return; } @@ -545,11 +545,4 @@ public class SecuredResourceFilterFactory implements DynamicFeature { } } - private static boolean isBasicAuthServiceAdmin(ContainerRequestContext request){ - - return request.getSecurityContext().isUserInRole( ROLE_SERVICE_ADMIN ); - - } - - } http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java index d4d2e60..b4c4f19 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java @@ -19,6 +19,8 @@ package org.apache.usergrid.rest.security.shiro.filters; import org.apache.shiro.codec.Base64; import org.apache.shiro.subject.Subject; +import org.apache.usergrid.management.UserInfo; +import org.apache.usergrid.rest.exceptions.SecurityException; import org.apache.usergrid.security.shiro.PrincipalCredentialsToken; import org.apache.usergrid.security.shiro.utils.SubjectUtils; import org.slf4j.Logger; @@ -73,64 +75,50 @@ public class BasicAuthSecurityFilter extends SecurityFilter { String sysadmin_login_password = properties.getProperty( "usergrid.sysadmin.login.password" ); boolean sysadmin_login_allowed = Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.login.allowed" ) ); - if ( name.equalsIgnoreCase( sysadmin_login_name ) && password.equals( sysadmin_login_password ) - && sysadmin_login_allowed ) { - request.setSecurityContext( new SysAdminRoleAuthenticator() ); - if (logger.isTraceEnabled()) { - logger.trace("System administrator access allowed"); + if ( name.equalsIgnoreCase( sysadmin_login_name ) && sysadmin_login_allowed ) { + + // short cut with a password check against the configured property + if( !password.equals( sysadmin_login_password ) ){ + + throw mappableSecurityException( "unauthorized", "No system access authorized", + SecurityException.REALM ); + } - }else{ try { - PrincipalCredentialsToken token = - management.getPrincipalCredentialsTokenForClientCredentials( name, password ); + UserInfo userInfo = management.verifyAdminUserPasswordCredentials(name.toLowerCase(), password); + PrincipalCredentialsToken token = PrincipalCredentialsToken + .getFromAdminUserInfoAndPassword(userInfo, password, emf.getManagementAppId()); Subject subject = SubjectUtils.getSubject(); subject.login( token ); - } - catch ( Exception e ) { - throw mappableSecurityException( INVALID_CLIENT_CREDENTIALS_ERROR ); - } - - - } - } - - private static class SysAdminRoleAuthenticator implements SecurityContext { - - private final Principal principal; - - SysAdminRoleAuthenticator() { - principal = new Principal() { - @Override - public String getName() { - return ROLE_SERVICE_ADMIN; + if (logger.isTraceEnabled()) { + logger.trace("System administrator access allowed"); } - }; - } - - @Override - public Principal getUserPrincipal() { - return principal; - } + } catch (Exception e) { + logger.error("Unable to validate admin credentials"); + throw mappableSecurityException( "unauthorized", "No system access authorized", + SecurityException.REALM ); + } - @Override - public boolean isUserInRole( String role ) { - return role.equals( ROLE_SERVICE_ADMIN ); } + // only allow client credentials with http basic auth other than the sysadmin + else{ - - @Override - public boolean isSecure() { - return false; - } + try { + PrincipalCredentialsToken token = + management.getPrincipalCredentialsTokenForClientCredentials( name, password ); + Subject subject = SubjectUtils.getSubject(); + subject.login( token ); + } + catch ( Exception e ) { + throw mappableSecurityException( INVALID_CLIENT_CREDENTIALS_ERROR ); + } - @Override - public String getAuthenticationScheme() { - return SecurityContext.BASIC_AUTH; } } + } http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java index a69ed5e..e7e8e82 100644 --- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java +++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java @@ -19,8 +19,9 @@ package org.apache.usergrid.security.shiro.credentials; public class AbstractPasswordCredentials implements PasswordCredentials { - private final String password; + private String password; + public AbstractPasswordCredentials(){} // do not remove, needed for jackson public AbstractPasswordCredentials( String password ) { this.password = password; http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java ---------------------------------------------------------------------- diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java index 41c869a..69aa440 100644 --- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java +++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java @@ -19,6 +19,8 @@ package org.apache.usergrid.security.shiro.credentials; public class AdminUserPassword extends AbstractPasswordCredentials implements AdminUserCredentials { + public AdminUserPassword(){} //do not remove, needed for Jackson + public AdminUserPassword( String password ) { super( password ); }
