This is an automated email from the ASF dual-hosted git repository.

ffang pushed a commit to branch karaf-4.0.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.0.x by this push:
     new d9763bd  [KARAF-5487]SshRole restriction not enforced when using 
username/password
d9763bd is described below

commit d9763bdcd8361c2f453de2bc72525ccf5a03f83b
Author: Freeman Fang <[email protected]>
AuthorDate: Fri Nov 17 11:58:44 2017 +0800

    [KARAF-5487] SshRole restriction not enforced when using username/password
    
    (cherry picked from commit b6e8248e001c11e912eb826a6ef0b7ab4e20ace6)
    
    Conflicts:
        assemblies/features/standard/src/main/feature/feature.xml
---
 .../base/src/main/resources/resources/etc/users.properties        | 2 +-
 .../src/test/java/org/apache/karaf/itests/SshCommandTestBase.java | 3 +++
 .../java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java   | 8 ++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git 
a/assemblies/features/base/src/main/resources/resources/etc/users.properties 
b/assemblies/features/base/src/main/resources/resources/etc/users.properties
index 0657308..ace2282 100644
--- a/assemblies/features/base/src/main/resources/resources/etc/users.properties
+++ b/assemblies/features/base/src/main/resources/resources/etc/users.properties
@@ -30,4 +30,4 @@
 # with the name "karaf".
 #
 karaf = karaf,_g_:admingroup
-_g_\:admingroup = group,admin,manager,viewer,systembundles
+_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
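Review bot: The `ssh` role added to `_g_:admingroup` is what keeps the default `karaf` user able to log in once KarafJaasAuthenticator starts enforcing the configured role, but nothing in the file says so; a line above the group entry such as `# The "ssh" role is required to log in over SSH when a role is enforced by the SSH authenticator (sshRole in org.apache.karaf.shell.cfg)` would make the dependency visible to anyone editing the file. Installations that carry an older users.properties across an upgrade will presumably lose SSH access for every user that lacks the role, so the same point belongs in the release notes.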
diff --git 
a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java 
b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
index aaa0c04..c59f9d2 100644
--- a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
+++ b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
@@ -63,8 +63,10 @@ public class SshCommandTestBase extends KarafTestSupport {
                 + ";jaas:user-add " + manageruser + " " + manageruser
                 + ";jaas:role-add " + manageruser + " manager"
                 + ";jaas:role-add " + manageruser + " viewer"
+                + ";jaas:role-add " + manageruser + " ssh"
                 + ";jaas:user-add " + vieweruser + " " + vieweruser
                 + ";jaas:role-add " + vieweruser + " viewer"
+                + ";jaas:role-add " + vieweruser + " ssh"
                 + ";jaas:update;jaas:realm-manage 
--realm=karaf;jaas:user-list\n").getBytes());
         pipe.flush();
         closeSshChannel(pipe);
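Review bot: Granting the `ssh` role to every test user here and in the second hunk of this file keeps the existing SSH tests passing, but nothing exercises the new rejection path that KARAF-5487 is about; a negative case that creates a user with only `viewer` and asserts that the SSH login is refused would pin the fix. Without it a regression that drops the role check would go unnoticed by this suite. The enclosing method starts before the hunk.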
@@ -77,6 +79,7 @@ public class SshCommandTestBase extends KarafTestSupport {
         pipe.write(("jaas:realm-manage --realm=karaf"
                 + ";jaas:user-add " + vieweruser + " " + vieweruser
                 + ";jaas:role-add " + vieweruser + " viewer"
+                + ";jaas:role-add " + vieweruser + " ssh"
                 + ";jaas:update;jaas:realm-manage 
--realm=karaf;jaas:user-list\n").getBytes());
         pipe.flush();
         closeSshChannel(pipe);
diff --git 
a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
 
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index a968357..e47d809 100644
--- 
a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ 
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -82,9 +82,13 @@ public class KarafJaasAuthenticator implements 
PasswordAuthenticator, PublickeyA
             });
             loginContext.login();
 
+            boolean hasCorrectRole = role == null || role.isEmpty();
             int roleCount = 0;
             for (Principal principal : subject.getPrincipals()) {
                 if (principal instanceof RolePrincipal) {
+                    if (!hasCorrectRole) {
+                        hasCorrectRole = role.equals(principal.getName());
+                    }
                     roleCount++;
                 }
             }
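Review bot: The initial value on the `boolean hasCorrectRole = role == null || role.isEmpty();` line silently turns a missing or empty configured role into "no enforcement", which is a fail-open default that deserves a comment so nobody later reads it as a bug: `// An unset/empty required role disables the role check; any authenticated user with at least one role is accepted.` The guarded assignment inside the loop can be written without the extra `if` as `hasCorrectRole = hasCorrectRole || role.equals(principal.getName());`, which reads as the accumulation it is. Note the comparison is an exact match against a single role name, so if `role` (a field set outside this hunk, presumably from configuration) were ever given a comma-separated list it would never match; worth a line in the field's documentation. The enclosing method starts before the hunk.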
@@ -92,6 +96,10 @@ public class KarafJaasAuthenticator implements 
PasswordAuthenticator, PublickeyA
             if (roleCount == 0) {
                 throw new FailedLoginException("User doesn't have role 
defined");
             }
+            
+            if (!hasCorrectRole) {
+                throw new FailedLoginException("User doesn't have the required 
role " + role);
+            }
 
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
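Review bot: The blank line added before the new `if (!hasCorrectRole)` block carries trailing whitespace (`+            `) and should be an empty line. The message `"User doesn't have the required role " + role` names the configured role, which is fine for the server log; it is worth confirming that the caller only logs the exception and returns a generic failure to the SSH client rather than passing the text through. The enclosing method continues past the hunk.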
