/** * Checks whether KpwdPrincipal is flagged as disabled. */ @Override public void account(Set<Principal> authorizedPrincipals) throws AuthenticationException { KpwdPrincipal kpwd = getFirst(filter(authorizedPrincipals, KpwdPrincipal.class), null); checkAuthentication(kpwd == null || !kpwd.isDisabled, "account disabled"); }
private static Set<Principal> getPrincipalsFromLoginReply(LoginReply loginReply) throws AuthenticationException { Subject subject = loginReply.getSubject(); checkAuthentication(subject != null, "subject is null"); Set<Principal> principals = subject.getPrincipals(); checkAuthentication(principals != null, "subject principals is null"); return principals; } }
/** * checks if {@link attributes} has at one and only one of each of * HomeDirectory and RootDirectory * @param attributes * @throws AuthenticationException if check fails */ private static void validateAttributes(Set<Object> attributes) throws AuthenticationException { boolean hasHome = false; boolean hasRoot = false; for(Object attribute:attributes) { if(attribute instanceof HomeDirectory) { checkAuthentication(!hasHome, "multiple home-directories"); hasHome = true; } if(attribute instanceof RootDirectory) { checkAuthentication(!hasRoot, "multiple root-directories"); hasRoot = true; } } checkAuthentication(hasHome && hasRoot, attributesErrorMessage(hasHome, hasRoot)); }
private static Set<Object> getSessionAttributesFromLoginReply(LoginReply loginReply) throws AuthenticationException { Set<Object> attributes = loginReply.getSessionAttributes(); checkAuthentication(attributes != null, "attributes is null"); return attributes; }
private UserAuthzInformation getEntity(String name) throws AuthenticationException { Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(name); checkAuthentication(!mappings.isEmpty(), "no mapping exists for " + name); return get(mappings, 0); }
@Override public void map(Set<Principal> principals) throws AuthenticationException { Set<Principal> kerberosPrincipals = new HashSet<>(); for (Principal principal : principals) { if (principal instanceof KerberosPrincipal) { kerberosPrincipals.add(new UserNamePrincipal(stripDomain(principal.getName()))); } } checkAuthentication(!kerberosPrincipals.isEmpty(), "no Kerberos principals"); principals.addAll(kerberosPrincipals); }
for(Principal principal:principals) { if(principal instanceof UserNamePrincipal) { checkAuthentication(!hasUserName, "multiple usernames"); hasUserName = true; continue; checkAuthentication(!hasUid, "multiple UIDs"); hasUid = true; continue; GidPrincipal gidPrincipal = (GidPrincipal) principal; if(gidPrincipal.isPrimaryGroup()) { checkAuthentication(!hasPrimaryGid, "multiple GIDs"); hasPrimaryGid = true; checkAuthentication(hasUserName && hasUid && hasPrimaryGid, principalsErrorMessage(hasUserName, hasUid, hasPrimaryGid));
@Override public void map(Set<Principal> principals) throws AuthenticationException { Map<PrincipalMatcher,Set<Principal>> mapping = mapFile.mapping(); Set<Principal> mappedPrincipals = principals.stream() .flatMap(p -> mapping.entrySet().stream() .filter(e -> e.getKey().matches(p)) .map(e -> e.getValue().stream()) .findFirst() .orElse(Stream.empty())) .collect(Collectors.toSet()); checkAuthentication(!mappedPrincipals.isEmpty(), "no mappable principals"); if (principals.stream().anyMatch(GidPrincipal::isPrimaryGid) && mappedPrincipals.stream().anyMatch(GidPrincipal::isPrimaryGid)) { mappedPrincipals = mappedPrincipals.stream() .map(p -> p instanceof GidPrincipal ? ((GidPrincipal)p).withPrimaryGroup(false) : p) .collect(Collectors.toSet()); } principals.addAll(mappedPrincipals); } }
@Override public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals) throws AuthenticationException { try { PasswordCredential credential = getFirst(filter(privateCredentials, PasswordCredential.class), null); checkAuthentication(credential != null, "no username and password"); String name = credential.getUsername(); String hash = getHash(name); checkAuthentication(hash != null, name + " is unknown"); checkAuthentication(MD5Crypt.verifyPassword(credential.getPassword(), hash), "wrong password"); identifiedPrincipals.add(new UserNamePrincipal(name)); } catch (IOException e) { throw new AuthenticationException("Authentication failed due to I/O error: " + e.getMessage(), e); } }
/** * Assigns home, root and read only attributes from KpwdPrincipal. */ @SuppressWarnings("null") @Override public void session(Set<Principal> authorizedPrincipals, Set<Object> attrib) throws AuthenticationException { KpwdPrincipal kpwd = getFirst(filter(authorizedPrincipals, KpwdPrincipal.class), null); checkAuthentication(kpwd != null, "no record found"); attrib.add(new HomeDirectory(kpwd.home)); attrib.add(new RootDirectory(kpwd.root)); if (kpwd.isReadOnly) { attrib.add(Restrictions.readOnly()); } } }
@Override public void session(Set<Principal> authorizedPrincipals, Set<Object> attrib) throws AuthenticationException { Principal principal = find(authorizedPrincipals, instanceOf(UserNamePrincipal.class), null); checkAuthentication(principal != null, "no username principal"); try { Attributes userAttr = _ctx.getAttributes(NISMAP_PASSWORD_BY_NAME + "/" + principal.getName()); attrib.add(new HomeDirectory((String) userAttr.get(HOME_DIR_ATTRIBUTE).get())); attrib.add(new RootDirectory("/")); } catch (NamingException e) { throw new AuthenticationException("no mapping: " + e.getMessage(), e); } } }
@Override public void map(Set<Principal> principals) throws AuthenticationException { if (any(principals, instanceOf(UserNamePrincipal.class))) { return; } _gridMapFile.refresh(); Map.Entry<Principal,String> entry = getMappingFor(principals); checkAuthentication(entry != null, "no mapping"); principals.add(new UserNamePrincipal(entry.getValue())); } }
@Override public void map(Set<Principal> principals) throws AuthenticationException { boolean mapped; Principal principal = find(principals, instanceOf(UserNamePrincipal.class), null); checkAuthentication(principal != null, "no username principal"); try { Attributes userAttr = _ctx.getAttributes(NISMAP_PASSWORD_BY_NAME + "/" + principal.getName()); principals.add(new UidPrincipal((String) userAttr.get(UID_NUMBER_ATTRIBUTE).get())); principals.add(new GidPrincipal((String) userAttr.get(GID_NUMBER_ATTRIBUTE).get(), true)); NamingEnumeration<SearchResult> groupResult = _ctx.search(NISMAP_GROUP_BY_NAME, new BasicAttributes(MEMBER_UID_ATTRIBUTE, principal.getName())); mapped = true; while (groupResult.hasMore()) { SearchResult result = groupResult.next(); principals.add( new GidPrincipal((String) result.getAttributes().get(GID_NUMBER_ATTRIBUTE).get(), false)); } } catch (NamingException e) { _log.debug("Failed to get mapping: {}", e.toString()); throw new AuthenticationException("no mapping: " + e.getMessage(), e); } checkAuthentication(mapped, "no matching principal"); }
@Override public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals) throws AuthenticationException { PasswordCredential password = getFirst(filter(privateCredentials, PasswordCredential.class), null); checkAuthentication(password != null, "no login name"); try { LoginContext loginContext = new LoginContext(_name, new PasswordCallbackHandler(password)); loginContext.login(); identifiedPrincipals.addAll(loginContext.getSubject().getPrincipals()); tryToLogout(loginContext); } catch (LoginException e) { throw new AuthenticationException(e.getMessage(), e); } }
/** * Password authentication. * * Authenticates login name + password and generates a * KpwdPrincipal. */ @SuppressWarnings("null") @Override public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals) throws AuthenticationException { PasswordCredential password = getFirst(filter(privateCredentials, PasswordCredential.class), null); checkAuthentication(password != null, "no username and password"); String name = password.getUsername(); UserPwdRecord entry = getAuthFile().getUserPwdRecord(name); checkAuthentication(entry != null, name + " is unknown"); checkAuthentication(entry.isAnonymous() || entry.isDisabled() || entry.passwordIsValid(String.valueOf(password.getPassword())), "wrong password"); /* NOTE: We add the principal even when the account is * disabled (banned) and we do so without checking the password; this * is to allow banning during the account step. */ identifiedPrincipals.add(new KpwdPrincipal(entry)); checkAuthentication(!entry.isDisabled(), "account is disabled"); }
@Override public void map(Set<Principal> principals) throws AuthenticationException { __password password = null; boolean havePrimaryGid = false; for (Principal p : principals) { if (p instanceof UserNamePrincipal && password == null) { password = _libc.getpwnam(p.getName()); } else if (p instanceof GidPrincipal) { havePrimaryGid |= ((GidPrincipal) p).isPrimaryGroup(); } } checkAuthentication(password != null, "no mapping"); principals.add(new UidPrincipal(password.uid)); principals.add(new GidPrincipal(password.gid, !havePrimaryGid)); for (int id : groupsOf(password)) { principals.add(new GidPrincipal(id, false)); } }
checkAuthentication(authorized, "no record");
@Override public void session(Set<Principal> authorizedPrincipals, Set<Object> attrib) throws AuthenticationException { Principal principal = find(authorizedPrincipals, instanceOf(UserNamePrincipal.class), null); checkAuthentication(principal != null, "no username principal"); Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(principal.getName()); checkAuthentication(!mappings.isEmpty(), "no mapping found for " + principal); for (UserAuthzInformation mapping : mappings) { attrib.add(new HomeDirectory(mapping.getHome())); attrib.add(new RootDirectory(mapping.getRoot())); if (mapping.isReadOnly()) { attrib.add(Restrictions.readOnly()); } mapping.getMaxUpload().ifPresent(s -> { attrib.add(new MaxUploadSize(s)); }); } } }
@Override public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals) throws AuthenticationException { Optional<PasswordCredential> password = findFirst(privateCredentials, PasswordCredential.class::isInstance).map(PasswordCredential.class::cast); checkAuthentication(password.isPresent(), "no login name"); Subject subject = new Subject(); LdapLoginModule loginModule = new LdapLoginModule(); Map<String, Object> loginOptions = ImmutableMap.<String, Object>builder() .put(USERNAME_KEY, password.get().getUsername()) .put(PASSWORD_KEY, password.get().getPassword().toCharArray()) .build(); loginModule.initialize(subject, null, loginOptions, globalLoginOptions); try { loginModule.login(); loginModule.commit(); subject.getPrincipals(UserPrincipal.class).stream() .map(Principal::getName) .map(UserNamePrincipal::new) .forEach(identifiedPrincipals::add); tryToLogout(loginModule); } catch (FailedLoginException e) { tryToAbortLogin(loginModule); throw new AuthenticationException(e.getMessage(), e); } catch (LoginException e) { tryToAbortLogin(loginModule); LOGGER.warn("LDAP login failed: {}", e.getMessage()); throw new AuthenticationException(e.getMessage(), e); } }
checkAuthentication(found, message);