This is an automated email from the ASF dual-hosted git repository.

ffang pushed a commit to branch karaf-4.1.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.1.x by this push:
     new b6e8248  [KARAF-5487]SshRole restriction not enforced when using 
username/password
b6e8248 is described below

commit b6e8248e001c11e912eb826a6ef0b7ab4e20ace6
Author: Freeman Fang <[email protected]>
AuthorDate: Fri Nov 17 11:58:44 2017 +0800

    [KARAF-5487]SshRole restriction not enforced when using username/password
---
 .../base/src/main/resources/resources/etc/users.properties        | 2 +-
 assemblies/features/standard/src/main/feature/feature.xml         | 5 ++---
 .../src/test/java/org/apache/karaf/itests/SshCommandTestBase.java | 3 +++
 .../java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java   | 8 ++++++++
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git 
a/assemblies/features/base/src/main/resources/resources/etc/users.properties 
b/assemblies/features/base/src/main/resources/resources/etc/users.properties
index 0657308..ace2282 100644
--- a/assemblies/features/base/src/main/resources/resources/etc/users.properties
+++ b/assemblies/features/base/src/main/resources/resources/etc/users.properties
@@ -30,4 +30,4 @@
 # with the name "karaf".
 #
 karaf = karaf,_g_:admingroup
-_g_\:admingroup = group,admin,manager,viewer,systembundles
+_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
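Review bot: The `ssh` role is appended to `_g_:admingroup` here while the standard feature in the same commit sets `sshRole = ssh`, so an installation that keeps a hand-maintained etc/users.properties from an earlier release would presumably have its default users refused at the SSH console until the role is added manually. A comment above the group line would make that coupling visible to operators, e.g. `# "ssh" is the role required by sshRole in the shell feature config; users without it cannot log in over SSH.` The upgrade impact is inferred from the feature.xml change in this commit, not from this file alone, so it should also be called out in the release notes if it holds.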
diff --git a/assemblies/features/standard/src/main/feature/feature.xml 
b/assemblies/features/standard/src/main/feature/feature.xml
index c402151..d7c582f 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -177,10 +177,9 @@
             hostKeyFormat = simple
 
             #
-            # Role name used for SSH access authorization
-            # If not set, this defaults to the ${karaf.admin.role} configured 
in etc/system.properties
+            # shRole defines the role required to access the console through 
ssh
             #
-            # sshRole = admin
+            sshRole = ssh
 
             #
             # Self defined key size in 1024, 2048, 3072, or 4096
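Review bot: The replacement comment on the `sshRole` property misspells the property as `shRole` and drops the sentence on what an unset value means; with the authenticator change in this commit an unset or empty `sshRole` appears to disable the role check entirely rather than fall back to `${karaf.admin.role}`, which is the security-relevant fact an operator needs here. Suggest `# sshRole defines the role required to access the console through ssh.` followed by `# If unset or empty, no specific role is required: any authenticated user with at least one role is admitted.` The fail-open wording is inferred from the `role == null || role.isEmpty()` short-circuit added to KarafJaasAuthenticator in this commit, so confirm it before documenting it as the contract.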
diff --git 
a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java 
b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
index f7a44f0..69b7409 100644
--- a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
+++ b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
@@ -67,8 +67,10 @@ public class SshCommandTestBase extends KarafTestSupport {
                 + ";jaas:user-add " + manageruser + " " + manageruser
                 + ";jaas:role-add " + manageruser + " manager"
                 + ";jaas:role-add " + manageruser + " viewer"
+                + ";jaas:role-add " + manageruser + " ssh"
                 + ";jaas:user-add " + vieweruser + " " + vieweruser
                 + ";jaas:role-add " + vieweruser + " viewer"
+                + ";jaas:role-add " + vieweruser + " ssh"
                 + ";jaas:update;jaas:realm-manage 
--realm=karaf;jaas:user-list\n").getBytes());
         pipe.flush();
         closeSshChannel(pipe);
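Review bot: The added `jaas:role-add ... ssh` lines only grant the new role to `manageruser` and `vieweruser` so the existing command tests keep passing; nothing in this commit asserts the negative case the ticket describes, namely that a username/password login for a user lacking the `sshRole` role is refused. A test that creates a user with only `viewer` and expects the SSH login to fail would pin the fix against regression. The enclosing setup method starts before the hunk.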
@@ -81,6 +83,7 @@ public class SshCommandTestBase extends KarafTestSupport {
         pipe.write(("jaas:realm-manage --realm=karaf"
                 + ";jaas:user-add " + vieweruser + " " + vieweruser
                 + ";jaas:role-add " + vieweruser + " viewer"
+                + ";jaas:role-add " + vieweruser + " ssh"
                 + ";jaas:update;jaas:realm-manage 
--realm=karaf;jaas:user-list\n").getBytes());
         pipe.flush();
         closeSshChannel(pipe);
diff --git 
a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
 
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index ad9a33a..83c421b 100644
--- 
a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ 
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -82,9 +82,13 @@ public class KarafJaasAuthenticator implements 
PasswordAuthenticator, PublickeyA
             });
             loginContext.login();
 
+            boolean hasCorrectRole = role == null || role.isEmpty();
             int roleCount = 0;
             for (Principal principal : subject.getPrincipals()) {
                 if (principal instanceof RolePrincipal) {
+                    if (!hasCorrectRole) {
+                        hasCorrectRole = role.equals(principal.getName());
+                    }
                     roleCount++;
                 }
             }
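Review bot: `boolean hasCorrectRole = role == null || role.isEmpty();` makes a missing or blank configured role fail open: every authenticated principal that has at least one `RolePrincipal` is then admitted, whereas the comment removed from feature.xml in this commit says an unset `sshRole` used to fall back to `${karaf.admin.role}`. If fail-open is the intended default it deserves a comment on that line, e.g. `// No sshRole configured: any authenticated user holding at least one role may log in`; if not, `role` should be defaulted to the admin role where it is set, which is outside this hunk. The enclosing `authenticate` body starts before the hunk and continues after it.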
@@ -92,6 +96,10 @@ public class KarafJaasAuthenticator implements 
PasswordAuthenticator, PublickeyA
             if (roleCount == 0) {
                 throw new FailedLoginException("User doesn't have role 
defined");
             }
+            
+            if (!hasCorrectRole) {
+                throw new FailedLoginException("User doesn't have the required 
role " + role);
+            }
 
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
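Review bot: The new `FailedLoginException` for a missing role is thrown after `loginContext.login()` has already succeeded, and nothing visible in the hunk logs that context out; whether the catch block following `return true` (outside the hunk) handles it cannot be seen here, so confirm the authenticated `Subject` is not left behind for a rejected session. The blank line added just before the new `if` also carries trailing spaces. The message `"User doesn't have the required role " + role` is appropriate for a server-side log but should not reach the SSH client verbatim; presumably the transport reports only a generic authentication failure, which is worth verifying.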
