All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.infinispan.server.security.realm.EncryptedPropertiesSecurityRealm Maven / Gradle / Ivy

There is a newer version: 15.1.0.Dev05
Show newest version
package org.infinispan.server.security.realm;

import static org.infinispan.server.Server.log;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.Provider;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.stream.Collectors;

import org.infinispan.server.Server;
import org.infinispan.server.security.ElytronPasswordProviderSupplier;
import org.wildfly.common.Assert;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.realm.CacheableSecurityRealm;
import org.wildfly.security.auth.server.ModifiableRealmIdentity;
import org.wildfly.security.auth.server.ModifiableRealmIdentityIterator;
import org.wildfly.security.auth.server.ModifiableSecurityRealm;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.Attributes;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.spec.BasicPasswordSpecEncoding;
import org.wildfly.security.password.spec.ClearPasswordSpec;
import org.wildfly.security.password.spec.PasswordSpec;

/**
 * A {@link SecurityRealm} implementation that uses property files with encrypted passwords
 *
 * @author Darran Lofthouse <[email protected]>
 * @author Tristan Tarrant <[email protected]>
 * @since 11.0
 */
public class EncryptedPropertiesSecurityRealm implements CacheableSecurityRealm, ModifiableSecurityRealm {

   private static final String COMMENT_PREFIX1 = "#";
   private static final String COMMENT_PREFIX2 = "!";
   private static final String REALM_COMMENT_PREFIX = "$REALM_NAME=";
   private static final String COMMENT_SUFFIX = "$";
   private static final String ALGORITHM_COMMENT_PREFIX = "$ALGORITHM=";

   private final Supplier providers;
   private final String defaultRealm;
   private final boolean plainText;
   private final String groupsAttribute;
   private final AtomicReference loadedState = new AtomicReference<>();
   private final Set> listeners = new LinkedHashSet<>();

   private EncryptedPropertiesSecurityRealm(Builder builder) {
      plainText = builder.plainText;
      groupsAttribute = builder.groupsAttribute;
      providers = ElytronPasswordProviderSupplier.INSTANCE;
      defaultRealm = builder.defaultRealm;
      try {
         load(null, null);
      } catch (IOException e) {
         Server.log.debugf(e, "Error while loading properties");
      }
   }

   @Override
   public RealmIdentity getRealmIdentity(final Principal principal) {
      if (!(principal instanceof NamePrincipal)) {
         log.tracef("PropertiesRealm: unsupported principal type: [%s]", principal);
         return RealmIdentity.NON_EXISTENT;
      }
      final LoadedState loadedState = this.loadedState.get();

      final AccountEntry accountEntry = loadedState.getAccounts().get(principal.getName());

      if (accountEntry == null) {
         log.tracef("PropertiesRealm: identity [%s] does not exist", principal);
         return RealmIdentity.NON_EXISTENT;
      }

      return new RealmIdentity() {

         @Override
         public Principal getRealmIdentityPrincipal() {
            return principal;
         }

         @Override
         public SupportLevel getCredentialAcquireSupport(final Class credentialType, final String algorithmName, final AlgorithmParameterSpec parameterSpec) {
            for (Credential credential : accountEntry.getCredentials()) {
               if (credential != null && credential.matches(credentialType, algorithmName, parameterSpec)) {
                  return SupportLevel.SUPPORTED;
               }
            }
            return SupportLevel.UNSUPPORTED;
         }

         @Override
         public SupportLevel getEvidenceVerifySupport(final Class evidenceType, final String algorithmName) {
            for (Credential credential : accountEntry.getCredentials()) {
               if (credential != null && credential.canVerify(evidenceType, algorithmName)) {
                  return SupportLevel.SUPPORTED;
               }
            }
            return SupportLevel.UNSUPPORTED;
         }

         @Override
         public  C getCredential(final Class credentialType) {
            return getCredential(credentialType, null);
         }

         @Override
         public  C getCredential(final Class credentialType, final String algorithmName) {
            return getCredential(credentialType, algorithmName, null);
         }

         @Override
         public  C getCredential(final Class credentialType, final String algorithmName, final AlgorithmParameterSpec parameterSpec) {
            for (Credential credential : accountEntry.getCredentials()) {
               if (credential != null && credential.matches(credentialType, algorithmName, parameterSpec)) {
                  return credentialType.cast(credential.clone());
               }
            }
            return null;
         }

         @Override
         public boolean verifyEvidence(final Evidence evidence) {
            for (Credential credential : accountEntry.getCredentials()) {
               if (credential != null && credential.canVerify(evidence)) {
                  return credential.verify(evidence);
               }
            }
            log.tracef("Unable to verify evidence for identity [%s]", principal);
            return false;

         }

         @Override
         public boolean exists() {
            return true;
         }

         @Override
         public AuthorizationIdentity getAuthorizationIdentity() {
            return AuthorizationIdentity.basicIdentity(new MapAttributes(Collections.singletonMap(groupsAttribute, accountEntry.getGroups())));
         }
      };
   }

   private PasswordFactory getPasswordFactory(final String algorithm) {
      try {
         return PasswordFactory.getInstance(algorithm, providers);
      } catch (NoSuchAlgorithmException e) {
         throw new IllegalStateException(e);
      }
   }

   @Override
   public SupportLevel getCredentialAcquireSupport(final Class credentialType, final String algorithmName, final AlgorithmParameterSpec parameterSpec) {
      Assert.checkNotNullParam("credentialType", credentialType);
      return PasswordCredential.class.isAssignableFrom(credentialType) ? SupportLevel.POSSIBLY_SUPPORTED : SupportLevel.UNSUPPORTED;
   }

   @Override
   public SupportLevel getEvidenceVerifySupport(final Class evidenceType, final String algorithmName) {
      return PasswordGuessEvidence.class.isAssignableFrom(evidenceType) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
   }

   /**
    * Loads this properties security realm from the given user and groups input streams.
    *
    * @param usersStream  the input stream from which the realm users are loaded
    * @param groupsStream the input stream from which the roles of realm users are loaded
    * @throws IOException if there is problem while reading the input streams or invalid content is loaded from streams
    */
   public void load(InputStream usersStream, InputStream groupsStream) throws IOException {
      Map accounts = new HashMap<>();
      Properties groups = new Properties();

      if (groupsStream != null) {
         try (InputStreamReader is = new InputStreamReader(groupsStream, StandardCharsets.UTF_8);) {
            groups.load(is);
         }
      }

      long loadTime = 0;
      String realmName = null;
      String algorithm = "clear";
      if (usersStream != null) {
         try (BufferedReader reader = new BufferedReader(new InputStreamReader(usersStream, StandardCharsets.UTF_8))) {
            String currentLine;
            int line = 0;
            while ((currentLine = reader.readLine()) != null) {
               line++;
               final String trimmed = currentLine.trim();
               if (trimmed.startsWith(COMMENT_PREFIX1) && trimmed.contains(REALM_COMMENT_PREFIX)) {
                  // this is the line that contains the realm name.
                  int start = trimmed.indexOf(REALM_COMMENT_PREFIX) + REALM_COMMENT_PREFIX.length();
                  int end = trimmed.indexOf(COMMENT_SUFFIX, start);
                  if (end > -1) {
                     realmName = trimmed.substring(start, end);
                  }
               } else if (trimmed.startsWith(COMMENT_PREFIX1) && trimmed.contains(ALGORITHM_COMMENT_PREFIX)) {
                  // this is the line that contains the algorithm name.
                  int start = trimmed.indexOf(ALGORITHM_COMMENT_PREFIX) + ALGORITHM_COMMENT_PREFIX.length();
                  int end = trimmed.indexOf(COMMENT_SUFFIX, start);
                  if (end > -1) {
                     algorithm = trimmed.substring(start, end);
                  }
               } else {
                  if (!(trimmed.startsWith(COMMENT_PREFIX1) || trimmed.startsWith(COMMENT_PREFIX2))) {
                     String username = null;
                     StringBuilder builder = new StringBuilder();

                     CodePointIterator it = CodePointIterator.ofString(trimmed);
                     while (it.hasNext()) {
                        int cp = it.next();
                        if (cp == '\\' && it.hasNext()) { // escape
                           //might be regular escape of regex like characters \\t \\! or unicode \\uxxxx
                           int marker = it.next();
                           if (marker != 'u') {
                              builder.appendCodePoint(marker);
                           } else {
                              StringBuilder hex = new StringBuilder();
                              try {
                                 hex.appendCodePoint(it.next());
                                 hex.appendCodePoint(it.next());
                                 hex.appendCodePoint(it.next());
                                 hex.appendCodePoint(it.next());
                                 builder.appendCodePoint((char) Integer.parseInt(hex.toString(), 16));
                              } catch (NoSuchElementException e) {
                                 Server.log.debugf(e, "At line %d", line);
                                 throw Server.log.malformedUserProperties(line);
                              }
                           }
                        } else if (username == null && (cp == '=' || cp == ':')) { // username-password delimiter
                           username = builder.toString().trim();
                           builder = new StringBuilder();
                        } else {
                           builder.appendCodePoint(cp);
                        }
                     }
                     if (username != null) { // end of line and delimiter was read
                        List credentials = new ArrayList<>();
                        switch (algorithm) {
                           case "encrypted":
                              String[] passwords = builder.toString().trim().split(";");
                              for (String password : passwords) {
                                 int colon = password.indexOf(':');
                                 if (colon < 0) {
                                    throw Server.log.malformedUserProperties(line);
                                 }
                                 byte[] passwordBytes = CodePointIterator.ofChars(password.substring(colon + 1).toCharArray()).base64Decode().drain();
                                 PasswordFactory factory = getPasswordFactory(password.substring(0, colon));
                                 PasswordSpec passwordSpec = BasicPasswordSpecEncoding.decode(passwordBytes);
                                 try {
                                    credentials.add(new PasswordCredential(factory.generatePassword(passwordSpec)));
                                 } catch (InvalidKeySpecException e) {
                                    Server.log.debugf(e, "At line %d", line);
                                    throw Server.log.malformedUserProperties(line);
                                 }
                              }
                              break;
                           case "clear":
                              PasswordFactory factory = getPasswordFactory("clear");
                              try {
                                 credentials.add(new PasswordCredential(factory.generatePassword(new ClearPasswordSpec(builder.toString().trim().toCharArray()))));
                              } catch (InvalidKeySpecException e) {
                                 Server.log.debugf(e, "At line %d", line);
                                 throw Server.log.malformedUserProperties(line);
                              }
                              break;
                        }

                        accounts.put(username, new AccountEntry(username, credentials, groups.getProperty(username)));
                        // Notify any caching layer that the principal has been reloaded
                        for (Consumer listener : listeners) {
                           listener.accept(new NamePrincipal(username));
                        }
                     }
                  }
               }
            }
         }

         if (realmName == null) {
            if (defaultRealm != null || plainText) {
               realmName = defaultRealm;
            } else {
               throw log.noRealmFoundInProperties();
            }
         }
         loadTime = System.currentTimeMillis();
      }

      // users, which are in groups file only
      for (String userName : groups.stringPropertyNames()) {
         if (!accounts.containsKey(userName)) {
            accounts.put(userName, new AccountEntry(userName, null, groups.getProperty(userName)));
         }
      }

      loadedState.set(new LoadedState(accounts, realmName, loadTime));
   }

   /**
    * Get the time when the realm was last loaded.
    *
    * @return the time when the realm was last loaded (number of milliseconds since the standard base time)
    */
   public long getLoadTime() {
      return loadedState.get().getLoadTime();
   }

   /**
    * Obtain a new {@link Builder} capable of building a {@link EncryptedPropertiesSecurityRealm}.
    *
    * @return a new {@link Builder} capable of building a {@link EncryptedPropertiesSecurityRealm}.
    */
   public static Builder builder() {
      return new Builder();
   }

   @Override
   public void registerIdentityChangeListener(Consumer listener) {
      listeners.add(listener);
   }

   @Override
   public ModifiableRealmIdentityIterator getRealmIdentityIterator() {
      final LoadedState loadedState = this.loadedState.get();
      Iterator accountIterator = loadedState.getAccounts().values().stream().iterator();
      return new ModifiableRealmIdentityIterator() {
         @Override
         public boolean hasNext() {
            return accountIterator.hasNext();
         }

         @Override
         public ModifiableRealmIdentity next() {
            AccountEntry entry = accountIterator.next();
            return new ModifiableRealmIdentity() {
               @Override
               public void delete() {
                  throw new UnsupportedOperationException();
               }

               @Override
               public void create() {
                  throw new UnsupportedOperationException();
               }

               @Override
               public void setCredentials(Collection credentials) {
                  throw new UnsupportedOperationException();
               }

               @Override
               public void setAttributes(Attributes attributes) {
                  throw new UnsupportedOperationException();
               }

               @Override
               public Principal getRealmIdentityPrincipal() {
                  return new NamePrincipal(entry.name);
               }

               @Override
               public SupportLevel getCredentialAcquireSupport(Class credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
                  throw new UnsupportedOperationException();
               }

               @Override
               public  C getCredential(Class credentialType) {
                  throw new UnsupportedOperationException();
               }

               @Override
               public SupportLevel getEvidenceVerifySupport(Class evidenceType, String algorithmName) {
                  throw new UnsupportedOperationException();
               }

               @Override
               public boolean verifyEvidence(Evidence evidence) {
                  throw new UnsupportedOperationException();
               }

               @Override
               public boolean exists() {
                  return true;
               }
            };
         }
      };
   }

   /**
    * A builder for properties security realms.
    */
   public static class Builder {
      private String defaultRealm = null;
      private boolean plainText;
      private String groupsAttribute = "groups";

      Builder() {
      }

      /**
       * Where this realm returns an {@link AuthorizationIdentity} set the key on the Attributes that will be used to
       * hold the group membership information.
       *
       * @param groupsAttribute the key on the Attributes that will be used to hold the group membership information.
       * @return this {@link Builder}
       */
      public Builder setGroupsAttribute(final String groupsAttribute) {
         this.groupsAttribute = groupsAttribute;

         return this;
      }


      /**
       * Set the default realm name to use if no realm name is discovered in the properties file.
       *
       * @param defaultRealm the default realm name if one is not discovered in the properties file.
       * @return this {@link Builder}
       */
      public Builder setDefaultRealm(String defaultRealm) {
         this.defaultRealm = defaultRealm;

         return this;
      }

      /**
       * Set format of users property file - if the passwords are stored in plain text. Otherwise is HEX( MD5( username
       * ":" realm ":" password ) ) expected.
       *
       * @param plainText if the passwords are stored in plain text.
       * @return this {@link Builder}
       */
      public Builder setPlainText(boolean plainText) {
         this.plainText = plainText;

         return this;
      }

      /**
       * Builds the {@link EncryptedPropertiesSecurityRealm}.
       *
       * @return built {@link EncryptedPropertiesSecurityRealm}
       */
      public EncryptedPropertiesSecurityRealm build() {
         return new EncryptedPropertiesSecurityRealm(this);
      }

   }

   private static class LoadedState {

      private final Map accounts;
      private final String realmName;
      private final long loadTime;

      private LoadedState(Map accounts, String realmName, long loadTime) {
         this.accounts = accounts;
         this.realmName = realmName;
         this.loadTime = loadTime;
      }

      public Map getAccounts() {
         return accounts;
      }

      public String getRealmName() {
         return realmName;
      }

      public long getLoadTime() {
         return loadTime;
      }

   }

   private static class AccountEntry {

      private final String name;
      private final List credentials;
      private final Set groups;

      private AccountEntry(String name, List credentials, String groups) {
         this.name = name;
         this.credentials = credentials;
         this.groups = convertGroups(groups);
      }

      private Set convertGroups(String groups) {
         if (groups == null) {
            return Collections.emptySet();
         }

         return Arrays.stream(groups.split(","))
               .map(String::trim)
               .filter(s -> !s.isEmpty())
               .collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));
      }

      public String getName() {
         return name;
      }

      public List getCredentials() {
         return credentials;
      }


      public Set getGroups() {
         return groups;
      }
   }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy