Repository: knox Updated Branches: refs/heads/master e5ef45aae -> b15b65f4d
KNOX-740 - Address new coverity scan issues (Sandeep More via lmccay)
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/b15b65f4
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/b15b65f4
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/b15b65f4
Branch: refs/heads/master
Commit: b15b65f4d35269a2c28cf4bbcecb43490c42a149
Parents: e5ef45a
Author: Larry McCay <lmc...@hortonworks.com>
Authored: Fri Sep 2 14:57:33 2016 -0400
Committer: Larry McCay <lmc...@hortonworks.com>
Committed: Fri Sep 2 14:57:33 2016 -0400
----------------------------------------------------------------------
 .../filter/ShiroSubjectIdentityAdapter.java | 2 -
 .../hadoop/gateway/shirorealm/KnoxPamRealm.java | 143 +++++++++++--------
 2 files changed, 81 insertions(+), 64 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/b15b65f4/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
index 692cf8d..2477589 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
@@ -67,8 +67,6 @@ public class ShiroSubjectIdentityAdapter implements Filter {
 // trigger call to shiro authorization realm
 // we use shiro authorization realm to look up groups
 subject.hasRole("authenticatedUser");
-
- final String principalName = (String) subject.getPrincipal().toString();
 CallableChain callableChain = new CallableChain(request, response, chain);
 SecurityUtils.getSubject().execute(callableChain);
http://git-wip-us.apache.org/repos/asf/knox/blob/b15b65f4/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
index 84121a7..e429e26 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
@@ -68,7 +68,7 @@ import org.jvnet.libpam.UnixUser;
 * for this propery.
 * <p>
 * For example, defining this realm in Shiro .ini:
- * 
+ *
 * <pre>
 * [main]
 * pamRealm = org.apache.shiro.realm.libpam4j.KnoxPamRealm
@@ -76,69 +76,88 @@ import org.jvnet.libpam.UnixUser;
 * [urls]
 * **=authcBasic
 * </pre>
- * 
+ *
 */
 public class KnoxPamRealm extends AuthorizingRealm {
- private static final String HASHING_ALGORITHM = "SHA-1";
- private final static String SUBJECT_USER_ROLES = "subject.userRoles";
- private final static String SUBJECT_USER_GROUPS = "subject.userGroups";
- private static GatewayMessages LOG = MessagesFactory.get(GatewayMessages.class);
- private HashService hashService = new DefaultHashService();
- KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
- GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
- private static AuditService auditService = AuditServiceFactory.getAuditService();
- private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
- AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
-
- private String service;
-
- public KnoxPamRealm() {
- HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
- setCredentialsMatcher(credentialsMatcher);
- }
-
- public void setService(String service) {
- this.service = service;
- }
-
- public String getService() {
- return this.service;
- }
-
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- Set<String> roles = new LinkedHashSet<String>();
-
- UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class);
- if (user != null) {
- roles.addAll(user.getUnixUser().getGroups());
- }
- SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles);
- SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles);
- GatewayLog.lookedUpUserRoles(roles, user.getName());
- return new SimpleAuthorizationInfo(roles);
- }
-
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- UsernamePasswordToken upToken = (UsernamePasswordToken) token;
- UnixUser user=null;
- try {
- user = (new PAM(this.getService())).authenticate(upToken.getUsername(),
- new String(upToken.getPassword()));
- } catch (PAMException e) {
- auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL,
- ActionOutcome.FAILURE, e.getMessage());
- ShiroLog.failedLoginInfo(token);
- ShiroLog.failedLoginAttempt(e.getCause());
- throw new AuthenticationException(e);
- }
- HashRequest.Builder builder = new HashRequest.Builder();
- Hash credentialsHash = hashService
- .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
- return new SimpleAuthenticationInfo(new UnixUserPrincipal(user) , credentialsHash.toHex(), credentialsHash.getSalt(),
- getName());
- }
+ private static final String HASHING_ALGORITHM = "SHA-1";
+ private final static String SUBJECT_USER_ROLES = "subject.userRoles";
+ private final static String SUBJECT_USER_GROUPS = "subject.userGroups";
+ private HashService hashService = new DefaultHashService();
+ KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class);
+ GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class);
+ private static AuditService auditService = AuditServiceFactory.getAuditService();
+ private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME,
+ AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME);
+
+ private String service;
+
+ public KnoxPamRealm() {
+ HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
+ setCredentialsMatcher(credentialsMatcher);
+ }
+
+ public void setService(String service) {
+ this.service = service;
+ }
+
+ public String getService() {
+ return this.service;
+ }
+
+ @Override
+ protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+ Set<String> roles = new LinkedHashSet<String>();
+
+ UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class);
+ if (user != null) {
+ roles.addAll(user.getUnixUser().getGroups());
+ }
+ SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles);
+ SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles);
+
+ /* Coverity Scan CID 1361682 */
+ String userName = null;
+
+ if (user != null) {
+ userName = user.getName();
+ }
+
+ GatewayLog.lookedUpUserRoles(roles, userName);
+ return new SimpleAuthorizationInfo(roles);
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+ UsernamePasswordToken upToken = (UsernamePasswordToken) token;
+ UnixUser user = null;
+ try {
+ user = (new PAM(this.getService())).authenticate(upToken.getUsername(), new String(upToken.getPassword()));
+ } catch (PAMException e) {
+ handleAuthFailure(token, e.getMessage(), e);
+ }
+ HashRequest.Builder builder = new HashRequest.Builder();
+ Hash credentialsHash = hashService
+ .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
+ /* Coverity Scan CID 1361684 */
+ if (credentialsHash == null) {
+ handleAuthFailure(token, "Failed to compute hash", null);
+ }
+ return new SimpleAuthenticationInfo(new UnixUserPrincipal(user), credentialsHash.toHex(), credentialsHash.getSalt(),
+ getName());
+ }
+
+ private void handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) {
+ auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL, ActionOutcome.FAILURE,
+ errorMessage);
+ ShiroLog.failedLoginInfo(token);
+
+ if (e != null) {
+ ShiroLog.failedLoginAttempt(e.getCause());
+ throw new AuthenticationException(e);
+ }
+
+ throw new AuthenticationException(errorMessage);
+ }
 }
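Review bot: `handleAuthFailure` always throws, but nothing in its signature says so, so at both call sites in `doGetAuthenticationInfo` the code that follows (`new UnixUserPrincipal(user)` with `user` still null after the catch, and `credentialsHash.toHex()` after the CID 1361684 guard) still reads as reachable to the compiler and to the next scan. Returning the exception from the helper and writing `throw handleAuthFailure(token, e.getMessage(), e);` at the call sites makes the flow explicit and cannot regress if the helper is later changed to log without throwing. On the rewritten authenticate line, `new String(upToken.getPassword())` copies the password out of the char[] that Shiro hands over precisely so it can be zeroed after use, and the `PAM` instance is never released with `dispose()`, so the native handle lives until GC. Inside the helper, `token.getPrincipal().toString()` dereferences a principal that an empty UsernamePasswordToken leaves null; `String.valueOf(token.getPrincipal())` keeps the audit record on that path as well.
```java
    } catch (PAMException e) {
      throw handleAuthFailure(token, e.getMessage(), e);
    }
    // … unchanged: hash computation …
    if (credentialsHash == null) {
      throw handleAuthFailure(token, "Failed to compute hash", null);
    }
    // … unchanged: SimpleAuthenticationInfo construction …
  }

  /** Audits and logs a failed login and builds the exception the caller throws. */
  private AuthenticationException handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) {
    auditor.audit(Action.AUTHENTICATION, String.valueOf(token.getPrincipal()), ResourceType.PRINCIPAL,
        ActionOutcome.FAILURE, errorMessage);
    ShiroLog.failedLoginInfo(token);
    if (e != null) {
      ShiroLog.failedLoginAttempt(e.getCause());
      return new AuthenticationException(e);
    }
    return new AuthenticationException(errorMessage);
  }
```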