• Home
• org.apache.solr
• solr-core
• 8.1.1
• source code
• Sha256AuthenticationProvider.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.solr.security.Sha256AuthenticationProvider Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.solr.security;

import java.lang.invoke.MethodHandles;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.Set;

import com.google.common.collect.ImmutableSet;
import org.apache.commons.codec.binary.Base64;
import org.apache.solr.common.util.CommandOperation;
import org.apache.solr.common.util.Utils;
import org.apache.solr.common.util.ValidatingJsonMap;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import static org.apache.solr.handler.admin.SecurityConfHandler.getMapValue;

public class Sha256AuthenticationProvider implements ConfigEditablePlugin,  BasicAuthPlugin.AuthenticationProvider {
  private Map credentials;
  private String realm;
  private Map promptHeader;

  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());


  static void putUser(String user, String pwd, Map credentials) {
    if (user == null || pwd == null) return;
    String val = getSaltedHashedValue(pwd);
    credentials.put(user, val);
  }

  public static String getSaltedHashedValue(String pwd) {
    final Random r = new SecureRandom();
    byte[] salt = new byte[32];
    r.nextBytes(salt);
    String saltBase64 = Base64.encodeBase64String(salt);
    String val = sha256(pwd, saltBase64) + " " + saltBase64;
    return val;
  }

  @Override
  public void init(Map pluginConfig) {
    if (pluginConfig.containsKey(BasicAuthPlugin.PROPERTY_REALM)) {
      this.realm = (String) pluginConfig.get(BasicAuthPlugin.PROPERTY_REALM);
    } else {
      this.realm = "solr";
    }
    
    promptHeader = Collections.unmodifiableMap(Collections.singletonMap("WWW-Authenticate", "Basic realm=\"" + realm + "\""));
    credentials = new LinkedHashMap<>();
    Map users = (Map) pluginConfig.get("credentials");
    if (users == null) {
      log.debug("No users configured yet");
      return;
    }
    for (Map.Entry e : users.entrySet()) {
      String v = e.getValue();
      if (v == null) {
        log.warn("user has no password " + e.getKey());
        continue;
      }
      credentials.put(e.getKey(), v);
    }

  }

  public boolean authenticate(String username, String password) {
    String cred = credentials.get(username);
    if (cred == null || cred.isEmpty()) return false;
    cred = cred.trim();
    String salt = null;
    if (cred.contains(" ")) {
      String[] ss = cred.split(" ");
      if (ss.length > 1 && !ss[1].isEmpty()) {
        salt = ss[1];
        cred = ss[0];
      }
    }
    return cred.equals(sha256(password, salt));
  }

  @Override
  public Map getPromptHeaders() {
    return promptHeader;
  }

  public static String sha256(String password, String saltKey) {
    MessageDigest digest;
    try {
      digest = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
      log.error(e.getMessage(), e);
      return null;//should not happen
    }
    if (saltKey != null) {
      digest.reset();
      digest.update(Base64.decodeBase64(saltKey));
    }

    byte[] btPass = digest.digest(password.getBytes(StandardCharsets.UTF_8));
    digest.reset();
    btPass = digest.digest(btPass);
    return Base64.encodeBase64String(btPass);
  }

  @Override
  public Map edit(Map latestConf, List commands) {
    for (CommandOperation cmd : commands) {
      if (!supported_ops.contains(cmd.name)) {
        cmd.unknownOperation();
        return null;
      }
      if (cmd.hasError()) return null;
      if ("delete-user".equals(cmd.name)) {
        List names = cmd.getStrs("");
        Map map = (Map) latestConf.get("credentials");
        if (map == null || !map.keySet().containsAll(names)) {
          cmd.addError("No such user(s) " +names );
          return null;
        }
        for (String name : names) map.remove(name);
        return latestConf;
      }
      if ("set-user".equals(cmd.name) ) {
        Map map = getMapValue(latestConf, "credentials");
        Map kv = cmd.getDataMap();
        for (Object o : kv.entrySet()) {
          Map.Entry e = (Map.Entry) o;
          if(e.getKey() == null || e.getValue() == null){
            cmd.addError("name and password must be non-null");
            return null;
          }
          putUser(String.valueOf(e.getKey()), String.valueOf(e.getValue()), map);
        }

      }
    }
    return latestConf;
  }

  @Override
  public ValidatingJsonMap getSpec() {
    return Utils.getSpec("cluster.security.BasicAuth.Commands").getSpec();
  }

  static final Set supported_ops = ImmutableSet.of("set-user", "delete-user");
}