 
                        
        
                        
        org.glassfish.common.util.admin.AuthTokenManager Maven / Gradle / Ivy
/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 * 
 * Copyright (c) 2010-2012 Oracle and/or its affiliates. All rights reserved.
 * 
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 * 
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 * 
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 * 
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 * 
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */
package org.glassfish.common.util.admin;
import com.sun.enterprise.util.CULoggerInfo;
import com.sun.enterprise.util.LocalStringManagerImpl;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Singleton;
import javax.security.auth.Subject;
import org.jvnet.hk2.annotations.Service;
/**
 * Coordinates generation and consumption of very-limited-use authentication tokens.
 * 
 * Some DAS commands submit admin commands to be run elsewhere - either in
 * another process on the same host or, via ssh, to another host.  Given that it
 * is already executing, the DAS command in progress has already been authenticated (if
 * required).  Therefore we want the soon-to-be submitted commands to also
 * be authenticated, but we do not want to send the username and/or password
 * information that was used to authenticate the currently-running DAS command
 * to the other process for it to use.
 * 
 * Instead, the currently-running DAS command can use this service to obtain
 * a one-time authentication token.  The DAS command then includes the token,
 * rather than username/password credentials, in the submitted command.
 * 
 * This service records which tokens have been given out but not yet used up.
 * When an admin request arrives with a token, the AdminAdapter consults this
 * service to see if the token is valid and, if so, the AdminAdapter
 * allows the request to run.
 * 
 * We allow each token to be used twice, once for retrieving the command
 * metadata and then the second time to execute the command. (Also see the note below.)
 * 
 * Tokens have a limited life as measured in time also.  If a token is created
 * but not fully consumed before it expires, then this manager considers the
 * token invalid and removes it from the collection of known valid tokens.
 *
 *                              NOTE
 *
 * Commands that trigger other commands on multiple hosts - such as
 * start-cluster - will need to reuse the authentication token more than twice.
 * For such purposes the code using the token can append a "+" to the token.
 * When such a token is used, this manager does NOT decrement the remaining
 * number of uses.  Rather, it only refreshes the token's expiration time.
 *
 * @author Tim Quinn
 */
@Service
@Singleton
public class AuthTokenManager {
    public static final String AUTH_TOKEN_OPTION_NAME = "_authtoken";
    private static final String SUPPRESSED_TOKEN_OUTPUT = "????";
    private final static int TOKEN_SIZE = 10;
    private final static long DEFAULT_TOKEN_LIFETIME = 60 * 1000;
    private final static long TOKEN_EXPIRATION_IN_MS = 360 * 1000;
    private final SecureRandom rng = new SecureRandom();
    private final Map liveTokens = new HashMap();
    private final static Logger logger = CULoggerInfo.getLogger();
    private final static char REUSE_TOKEN_MARKER = '+';
    private static final LocalStringManagerImpl localStrings =
            new LocalStringManagerImpl(AuthTokenManager.class);
    /* hex conversion stolen shamelessly from Bill's LocalPasswordImpl - maybe refactor to share later */
    private static final char[] hex = {
        '0', '1', '2', '3', '4', '5', '6', '7',
        '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
    };
    private static class TokenInfo {
        private final String token;
        private int usesRemaining = 2; // each token is used once to get metadata, once to execute
        private long expiration;
        private final long lifetime;
        private final Subject subject;
        
        private TokenInfo(final Subject subject, final String value, final long lifetime) {
            this.subject = subject;
            this.token = value;
            this.lifetime = lifetime;
            this.expiration = System.currentTimeMillis() + (lifetime);
        }
        private synchronized boolean isOKTouse(final long now) {
            return  ! isUsedUp(now);
        }
        
        private synchronized boolean use(final boolean isBeingReused, final long now) {
            if (isUsedUp(now)) {
                if (logger.isLoggable(Level.FINER)) {
                    final String msg = localStrings.getLocalString("AuthTokenInvalid",
                        "Use of auth token {2} attempted but token is invalid; usesRemaining = {0,number,integer}, expired = {1}",
                        Integer.valueOf(usesRemaining), Boolean.toString(expiration <= now),
                        token);
                    logger.log(Level.FINER, msg);
                }
                return false;
            }
            if ( ! isBeingReused) {
                usesRemaining--;
            }
            if (logger.isLoggable(Level.FINER)) {
                logger.log(Level.FINER,
                        "Use of auth token {0} OK; isBeingReused = {2}; remaining uses = {1,number,integer}",
                        new Object[] {token, Integer.valueOf(usesRemaining), Boolean.toString(isBeingReused)});
            }
            expiration += lifetime;
            return true;
        }
        private boolean isUsedUp(final long now) {
            return usesRemaining <= 0 || expiration <= now;
        }
    }
    /**
     * Creates a new limited use authentication token with the specified
     * lifetime (in ms).
     * @param subject the Subject to associate with this token when it is consumed
     * @param lifetime how long each use of the token extends its lifetime
     * @return auth token
     */
    public String createToken(final Subject subject, final long lifetime) {
        final byte[] newToken = new byte[TOKEN_SIZE];
        rng.nextBytes(newToken);
        final String token = toHex(newToken);
        liveTokens.put(token, new TokenInfo(subject, token, lifetime));
        logger.log(Level.FINER, "Auth token {0} created", token);
        return token;
    }
    
    /**
     * Creates a new limited use authentication token with the default
     * lifetime.
     * @return auth token
     */
    public String createToken() {
        return createToken(DEFAULT_TOKEN_LIFETIME);
    }
    
    /**
     * Creates a new limited use authentication token with the given Subject
     * and the default lifetime.
     * @param subject the Subject to associated with this token when it is consumed
     * @return 
     */
    public String createToken(final Subject subject) {
        return createToken(subject, DEFAULT_TOKEN_LIFETIME);
    }
    
    /**
     * Creates a new limited use authentication token with the specified
     * lifetime but no Subject.
     * @param lifetime how long each use of the token extends its lifetime
     * @return 
     */
    public String createToken(final long lifetime) {
        return createToken (new Subject(), lifetime);
    }
    /**
     * Locates the Subject for the specified token (if any) without consuming 
     * the token.  
     * 
     * Use this method only from authentication logic that needs to find the
     * token.  Later command processing will consume the token if it is present.
     * This avoids having to force the special admin LoginModule to run even if
     * username/password authentication works.
     * 
     * @param token the token to find
     * @return Subject for the token; null if the token does not exist;
     */
    public Subject findToken(final String token) {
        final TokenInfo ti = findTokenInfo(token, System.currentTimeMillis());
        return (ti != null ? ti.subject : null);
    }
    
    private TokenInfo findTokenInfo(final String token, final long now) {
        final int firstReuseMarker = token.indexOf(REUSE_TOKEN_MARKER);
        final String tokenAsRecorded = (isReusedToken(token) ? token.substring(0, firstReuseMarker) : token);
        
        final TokenInfo ti = liveTokens.get(tokenAsRecorded);
        if (ti == null) {
            logger.log(Level.WARNING, CULoggerInfo.useNonexistentToken,
                    logger.isLoggable(Level.FINER) ? tokenAsRecorded : SUPPRESSED_TOKEN_OUTPUT);
            return null;
        }
        return (ti.isOKTouse(now) ? ti : null);
    }
    
    /**
     * Records the use of an authentication token by an admin request.
     * 
     * Just to make it easier for callers, the token value can have any number
     * of trailing reuse markers.  This simplifies the code in RemoteAdminCommand
     * which actually sends two requests for each command: one to retrieve
     * metadata and one to execute the command.  It might be that the command
     * itself might be reusing the token, in which case it will already have
     * appened a reuse marker to it.  Then the code which sends the metadata
     * request can freely append the marker again without having to check if
     * it is already present.
     *
     * @param token the token consumed, with 0 or more cppies of the reuse marker appended
     * @return the Subject stored with the token when it was created; null if none was provided
     */
    public Subject consumeToken(final String token) {
        Subject result = null;
        final long now = System.currentTimeMillis();
        final TokenInfo ti = findTokenInfo(token, now);
        if (ti != null) {
            if (ti.use(isReusedToken(token), now)) {
                /*
                 * We found the token info for this token and it is still valid,
                 * so prepare to return the stored Subject.
                 */
                result = ti.subject;
            }
        }
        retireExpiredTokens(now);
        return result;
    }
    private boolean isReusedToken(final String token) {
        return token.indexOf(REUSE_TOKEN_MARKER) != -1;
    }
    
    public Subject subject(final String token) {
        final TokenInfo ti = liveTokens.get(token);
        return (ti != null) ? ti.subject : null;
    }
    
    public static String markTokenForReuse(final String token) {
        return token + REUSE_TOKEN_MARKER;
    }
    
    private synchronized void retireExpiredTokens(final long now) {
        for (Iterator> it = liveTokens.entrySet().iterator(); it.hasNext(); ) {
            final Map.Entry entry = it.next();
            if (entry.getValue().isUsedUp(now)) {
                logger.log(Level.FINER, "Auth token {0} being retired during scan", entry.getValue().token);
                it.remove();
            }
        }
    }
    /**
     * Convert the byte array to a hex string.
     */
    private static String toHex(byte[] b) {
        char[] bc = new char[b.length * 2];
        for (int i = 0, j = 0; i < b.length; i++) {
            byte bb = b[i];
            bc[j++] = hex[(bb >> 4) & 0xF];
            bc[j++] = hex[bb & 0xF];
        }
        return new String(bc);
    }
}