[
https://issues.apache.org/jira/browse/ARTEMIS-3106?focusedWorklogId=571371&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-571371
]
ASF GitHub Bot logged work on ARTEMIS-3106:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 24/Mar/21 18:05
Start Date: 24/Mar/21 18:05
Worklog Time Spent: 10m
Work Description: laeubi commented on a change in pull request #3470:
URL: https://github.com/apache/activemq-artemis/pull/3470#discussion_r600734275
##########
File path:
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/SCRAMPropertiesLoginModule.java
##########
@@ -0,0 +1,224 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.Principal;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.crypto.Mac;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+
+import org.apache.activemq.artemis.spi.core.security.scram.SCRAM;
+import org.apache.activemq.artemis.spi.core.security.scram.ScramException;
+import org.apache.activemq.artemis.spi.core.security.scram.ScramUtils;
+import org.apache.activemq.artemis.spi.core.security.scram.UserData;
+import org.apache.activemq.artemis.utils.PasswordMaskingUtil;
+import org.jgroups.util.UUID;
+
+/**
+ * Login modules that uses properties files similar to the {@link
PropertiesLoginModule}. It can
+ * either store the username-password in plain text or in an encrypted/hashed
form. the
+ * {@link #main(String[])} method provides a way to prepare unencrypted data
to be encrypted/hashed.
+ */
+public class SCRAMPropertiesLoginModule extends PropertiesLoader implements
AuditLoginModule {
+
+ /**
+ *
+ */
+ private static final String SEPARATOR_MECHANISM = "|";
+ private static final String SEPARATOR_PARAMETER = ":";
+ private static final int MIN_ITERATIONS = 4096;
+ private static final SecureRandom RANDOM_GENERATOR = new SecureRandom();
+ private Subject subject;
+ private CallbackHandler callbackHandler;
+ private Properties users;
+ private Map<String, Set<String>> roles;
+ private UserData userData;
+ private String user;
+ private final Set<Principal> principals = new HashSet<>();
+
+ @Override
+ public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState,
+ Map<String, ?> options) {
+ this.subject = subject;
+ this.callbackHandler = callbackHandler;
+
+ init(options);
+ users = load(PropertiesLoginModule.USER_FILE_PROP_NAME, "user",
options).getProps();
+ roles = load(PropertiesLoginModule.ROLE_FILE_PROP_NAME, "role",
options).invertedPropertiesValuesMap();
+
+ }
+
+ @Override
+ public boolean login() throws LoginException {
+ NameCallback nameCallback = new NameCallback("Username: ");
+ executeCallbacks(nameCallback);
+ user = nameCallback.getName();
+ if (user == null) {
+ user = UUID.randomUUID().toString();
+ }
+ SCRAMMechanismCallback mechanismCallback = new SCRAMMechanismCallback();
+ executeCallbacks(mechanismCallback);
+ SCRAM scram = getTypeByString(mechanismCallback.getMechanism());
+ String password = users.getProperty(user, users.getProperty(user +
SEPARATOR_MECHANISM + scram.name()));
+ if (PasswordMaskingUtil.isEncMasked(password)) {
+ String[] unwrap =
PasswordMaskingUtil.unwrap(password).split(SEPARATOR_PARAMETER);
+ userData = new UserData(unwrap[0], Integer.parseInt(unwrap[1]),
unwrap[2], unwrap[3]);
+ } else {
+ userData = generateUserData(password);
+ }
+ return true;
+ }
+
+ private UserData generateUserData(String plainTextPassword) throws
LoginException {
+ if (plainTextPassword == null) {
+ // if the user is not available (or the password) generate a random
password here so an
+ // attacker can't
+ // distinguish between a missing username and a wrong password
+ byte[] randomPassword = new byte[256];
+ RANDOM_GENERATOR.nextBytes(randomPassword);
+ plainTextPassword = new String(randomPassword);
+ }
+ DigestCallback digestCallback = new DigestCallback();
+ HmacCallback hmacCallback = new HmacCallback();
+ executeCallbacks(digestCallback, hmacCallback);
+ byte[] salt = generateSalt();
+ try {
+ ScramUtils.NewPasswordStringData data =
+
ScramUtils.byteArrayToStringData(ScramUtils.newPassword(plainTextPassword,
salt, 4096,
+
digestCallback.getDigest(),
+
hmacCallback.getHmac()));
+ return new UserData(data.salt, data.iterations, data.serverKey,
data.storedKey);
+ } catch (ScramException e) {
+ throw new LoginException();
+ }
+ }
+
+ private static byte[] generateSalt() {
+ byte[] salt = new byte[32];
+ RANDOM_GENERATOR.nextBytes(salt);
+ return salt;
+ }
+
+ private void executeCallbacks(Callback... callbacks) throws LoginException {
+ try {
+ callbackHandler.handle(callbacks);
+ } catch (UnsupportedCallbackException | IOException e) {
+ throw new LoginException();
+ }
+ }
+
+ @Override
+ public boolean commit() throws LoginException {
+ if (userData == null) {
+ throw new LoginException();
+ }
+ subject.getPublicCredentials().add(userData);
+ Set<UserPrincipal> authenticatedUsers =
subject.getPrincipals(UserPrincipal.class);
+ UserPrincipal principal = new UserPrincipal(user);
+ principals.add(principal);
+ authenticatedUsers.add(principal);
+ for (UserPrincipal userPrincipal : authenticatedUsers) {
+ Set<String> matchedRoles = roles.get(userPrincipal.getName());
+ if (matchedRoles != null) {
+ for (String entry : matchedRoles) {
+ principals.add(new RolePrincipal(entry));
+ }
+ }
+ }
+ subject.getPrincipals().addAll(principals);
+ return true;
+ }
+
+ @Override
+ public boolean abort() throws LoginException {
+ return true;
+ }
+
+ @Override
+ public boolean logout() throws LoginException {
+ subject.getPrincipals().removeAll(principals);
+ principals.clear();
+ subject.getPublicCredentials().remove(userData);
+ userData = null;
+ return true;
+ }
+
+ /**
+ * Main method that could be used to encrypt given credentials for use in
properties files
+ * @param args username password type [iterations]
+ * @throws GeneralSecurityException if any security mechanism is not
available on this JVM
+ * @throws ScramException if invalid data is supplied
+ */
+ public static void main(String[] args) throws GeneralSecurityException,
ScramException {
+ if (args.length < 2) {
+ System.out.println("Usage: " +
SCRAMPropertiesLoginModule.class.getSimpleName() +
+ " <username> <password> [<iterations>]");
+ System.out.println("\ttype: " + getSupportedTypes());
+ System.out.println("\titerations desired number of iteration (min
value: " + MIN_ITERATIONS + ")");
+ return;
+ }
+ String username = args[0];
+ String password = args[1];
+ for (SCRAM scram : SCRAM.values()) {
+ MessageDigest digest = MessageDigest.getInstance(scram.getDigest());
+ Mac hmac = Mac.getInstance(scram.getHmac());
+ byte[] salt = generateSalt();
+ int iterations;
+ if (args.length > 2) {
+ iterations = Integer.parseInt(args[2]);
+ if (iterations < MIN_ITERATIONS) {
+ throw new IllegalArgumentException("minimum of " +
MIN_ITERATIONS + " required!");
+ }
+ } else {
+ iterations = MIN_ITERATIONS;
+ }
+ ScramUtils.NewPasswordStringData data =
+
ScramUtils.byteArrayToStringData(ScramUtils.newPassword(password, salt,
iterations, digest, hmac));
+ System.out.println(username + SEPARATOR_MECHANISM + scram.name() + "
= " +
Review comment:
For the SCRAMPropertiesLoginModule one needs to use "safe" characters.
If special names are required most likely a more advanced approach is necessary.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 571371)
Time Spent: 14h 10m (was: 14h)
> Support for SASL-SCRAM
> ----------------------
>
> Key: ARTEMIS-3106
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3106
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Components: AMQP
> Reporter: Christoph Läubrich
> Priority: Major
> Time Spent: 14h 10m
> Remaining Estimate: 0h
>
> With the enhancements in ARTEMIS-33 / [PR
> 3432|https://github.com/apache/activemq-artemis/pull/3432] it would be now
> possible to plug-in new SASL mechanism.
> One popular one is
> [SASL-SCRAM|https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism]
> because it allows channelbinding together with secure storage of
> user-credential.
> I have created an [implementation of this for Artemis
> AMQP|https://github.com/laeubi/scram-sasl/tree/artemis/artemis] based on the
> [SCRAM SASL authentication for Java|https://github.com/ogrebgr/scram-sasl]
> code with some enhancements/cleanups to the original.
> As the source is already Apache licensed I'd like to propose to include this
> in the Artemis code-base. This would greatly enhance the interoperability
> with other implementations e.g. Apache QPID.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
