public CommandResult authenticate() {
SaslClient saslClient = createSaslClient();
try {
byte[] response =
(saslClient.hasInitialResponse() ? saslClient.evaluateChallenge(new byte[0]) : null);
CommandResult res = sendSaslStart(response);
res.throwOnError();
int conversationId = (Integer) res.get("conversationId");
while (!(Boolean) res.get("done")) {
response = saslClient.evaluateChallenge((byte[]) res.get("payload"));
if (response == null) {
throw new MongoException("SASL protocol error: no client response to challenge");
}
res = sendSaslContinue(conversationId, response);
res.throwOnError();
}
return res;
} catch (IOException e) {
throw new MongoException.Network("IOException authenticating the connection", e);
} finally {
try {
saslClient.dispose();
} catch (SaslException e) {
// ignore
}
}
}
@Test
public void testServerNotTrustedByClient() throws Exception {
final SaslClientFactory clientFactory = obtainSaslClientFactory(EntitySaslClientFactory.class);
assertNotNull(clientFactory);
final SaslServer saslServer =
createSaslServer(
SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC,
"testserver1.example.com",
getX509KeyManager(serverKeyStore, KEYSTORE_PASSWORD),
getX509TrustManager(serverTrustStore));
final String[] mechanisms =
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC};
CallbackHandler cbh =
createClientCallbackHandler(
mechanisms, clientKeyStore, CLIENT_KEYSTORE_ALIAS, KEYSTORE_PASSWORD, null);
final SaslClient saslClient =
clientFactory.createSaslClient(
mechanisms,
null,
"test",
"testserver1.example.com",
Collections.<String, Object>emptyMap(),
cbh);
byte[] message = saslServer.evaluateResponse(new byte[0]);
message = saslClient.evaluateChallenge(message);
message = saslServer.evaluateResponse(message);
try {
saslClient.evaluateChallenge(message);
fail("Expected SaslException not thrown");
} catch (SaslException expected) {
}
}
@Test
public void testServerAuthIndirect_Client() throws Exception {
Map<String, Object> props = new HashMap<String, Object>();
// No properties are set, an appropriate EntitySaslClient should be returned
SaslClient client =
Sasl.createSaslClient(
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC},
"TestUser",
"TestProtocol",
"TestServer",
props,
null);
assertEquals(EntitySaslClient.class, client.getClass());
assertEquals(
SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, client.getMechanismName());
// If we set SERVER_AUTH to true even though only unilateral mechanisms are specified, no client
// should be returned
props.put(Sasl.SERVER_AUTH, Boolean.toString(true));
client =
Sasl.createSaslClient(
new String[] {
SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC,
SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1,
SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1
},
"TestUser",
"TestProtocol",
"TestServer",
props,
null);
assertNull(client);
// If we set SERVER_AUTH to true, an appropriate EntitySaslClient should be returned
props.put(Sasl.SERVER_AUTH, Boolean.toString(true));
client =
Sasl.createSaslClient(
new String[] {
SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC,
SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1,
SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1,
SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC,
SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1,
SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1
},
"TestUser",
"TestProtocol",
"TestServer",
props,
null);
assertEquals(EntitySaslClient.class, client.getClass());
assertEquals(
SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, client.getMechanismName());
}
protected void authenticate() throws IOException, XMPPException {
String authenticationText = null;
try {
if (sc.hasInitialResponse()) {
byte[] response = sc.evaluateChallenge(new byte[0]);
authenticationText = Base64.encodeBytes(response, Base64.DONT_BREAK_LINES);
}
} catch (SaslException e) {
throw new XMPPException("SASL authentication failed", e);
}
// Send the authentication to the server
getSASLAuthentication().send(new AuthMechanism(getName(), authenticationText));
}
public SaslOutputStream(SaslClient client, OutputStream dest) throws IOException {
super();
this.client = client;
maxRawSendSize = Integer.parseInt((String) client.getNegotiatedProperty(Sasl.RAW_SEND_SIZE));
server = null;
this.dest = dest;
}
/**
* The server is challenging the SASL mechanism for the stanza he just sent. Send a response to
* the server's challenge.
*
* @param challenge a base64 encoded string representing the challenge.
* @throws IOException if an exception sending the response occurs.
*/
public void challengeReceived(String challenge) throws IOException {
byte response[];
if (challenge != null) {
response = sc.evaluateChallenge(Base64.decode(challenge));
} else {
response = sc.evaluateChallenge(new byte[0]);
}
Packet responseStanza;
if (response == null) {
responseStanza = new Response();
} else {
responseStanza = new Response(Base64.encodeBytes(response, Base64.DONT_BREAK_LINES));
}
// Send the authentication to the server
getSASLAuthentication().send(responseStanza);
}
private void saslDispose(final SaslClient saslClient) {
if (saslClient != null) {
try {
saslClient.dispose();
} catch (SaslException e) {
client.trace("Failure disposing of SaslClient", e);
}
}
}
@Test
public void testMutualAuthenticationWithDNSInCNField() throws Exception {
// Although specifying a DNS name using the Common Name field has been deprecated, it is
// still used in practice (e.g., see http://tools.ietf.org/html/rfc2818). This test makes
// sure that general name matching during authentication still works in this case.
final SaslClientFactory clientFactory = obtainSaslClientFactory(EntitySaslClientFactory.class);
assertNotNull(clientFactory);
final KeyStore keyStore = loadKeyStore(serverKeyStore);
final Certificate[] certificateChain = keyStore.getCertificateChain("dnsInCNServer");
final SaslServer saslServer =
createSaslServer(
SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1,
"testserver2.example.com",
getX509TrustManager(serverTrustStore),
(PrivateKey) keyStore.getKey("dnsInCNServer", KEYSTORE_PASSWORD),
Arrays.copyOf(certificateChain, certificateChain.length, X509Certificate[].class));
final String[] mechanisms =
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1};
CallbackHandler cbh =
createClientCallbackHandler(
mechanisms,
clientKeyStore,
"dnsInCNClient",
KEYSTORE_PASSWORD,
getX509TrustManager(clientTrustStore));
final SaslClient saslClient =
clientFactory.createSaslClient(
mechanisms,
null,
"test",
"testserver2.example.com",
Collections.<String, Object>emptyMap(),
cbh);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
byte[] message = saslServer.evaluateResponse(new byte[0]);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslClient.evaluateChallenge(message);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslServer.evaluateResponse(message);
assertNotNull(message);
message = saslClient.evaluateChallenge(message);
assertNull(message);
assertTrue(saslClient.isComplete());
assertTrue(saslServer.isComplete());
assertEquals(
"cn=testclient2.example.com,ou=jboss,o=red hat,l=raleigh,st=north carolina,c=us",
saslServer.getAuthorizationID());
}
public OcsConnection(final String domain, final OcsAccount account, int key) {
this.domain = domain;
this.addr = Util.cast2SocketAddress(domain);
this.account = account;
this.setKey(key);
if (account.isExemptPassword() == false) {
this.plainHandler = new OcsPlainHandler(account.getUsername(), account.getPassword());
mech = new String[] {"PLAIN"};
try {
SaslClient sc =
Sasl.createSaslClient(mech, null, "memcached", addr.toString(), null, plainHandler);
evaluate = sc.evaluateChallenge(/* empty bytes */ new byte[0]);
mechanism = sc.getMechanismName();
} catch (SaslException e) {
logger.error("SaslClient exception", e);
throw new RuntimeException("SaslClient exception", e);
}
}
channel = null;
}
@Ignore // todo: this test could be modified to use the wrong key of the write algorithm, or it
// could be removed
@Test
public void testServerPrivateKeyPublicKeyMismatch() throws Exception {
final SaslClientFactory clientFactory = obtainSaslClientFactory(EntitySaslClientFactory.class);
assertNotNull(clientFactory);
// A certificate that does not correspond to the server's private key will be used
final KeyStore keyStore = loadKeyStore(serverKeyStore);
final Certificate[] certificateChain = keyStore.getCertificateChain(WRONG_KEYSTORE_ALIAS);
final SaslServer saslServer =
createSaslServer(
SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC,
"testserver1.example.com",
getX509TrustManager(serverTrustStore),
(PrivateKey) keyStore.getKey(SERVER_KEYSTORE_ALIAS, KEYSTORE_PASSWORD),
Arrays.copyOf(certificateChain, certificateChain.length, X509Certificate[].class));
final String[] mechanisms =
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC};
CallbackHandler cbh =
createClientCallbackHandler(
mechanisms,
clientKeyStore,
CLIENT_KEYSTORE_ALIAS,
KEYSTORE_PASSWORD,
getX509TrustManager(clientTrustStore));
final SaslClient saslClient =
clientFactory.createSaslClient(
mechanisms, null, "test", "", Collections.<String, Object>emptyMap(), cbh);
byte[] message = saslServer.evaluateResponse(new byte[0]);
message = saslClient.evaluateChallenge(message);
message = saslServer.evaluateResponse(message);
try {
saslClient.evaluateChallenge(message);
fail("Expected SaslException not thrown");
} catch (SaslException expected) {
}
}
@Test
public void testUnilateralSha1WithRsaAuthenticationWithTrustedAuthorities() throws Exception {
final SaslClientFactory clientFactory = obtainSaslClientFactory(EntitySaslClientFactory.class);
assertNotNull(clientFactory);
final SaslServer saslServer =
createSaslServer(
SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC,
"testserver1.example.com",
getX509KeyManager(serverKeyStore, KEYSTORE_PASSWORD),
getX509TrustManager(serverTrustStore));
assertNotNull(saslServer);
assertFalse(saslServer.isComplete());
final String[] mechanisms =
new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC};
CallbackHandler cbh =
createClientCallbackHandler(
mechanisms, getX509KeyManager(clientKeyStore, KEYSTORE_PASSWORD), null);
final SaslClient saslClient =
clientFactory.createSaslClient(
mechanisms,
null,
"test",
"testserver1.example.com",
Collections.<String, Object>emptyMap(),
cbh);
assertNotNull(saslClient);
assertTrue(saslClient instanceof EntitySaslClient);
assertFalse(saslClient.hasInitialResponse());
assertFalse(saslClient.isComplete());
byte[] message = saslServer.evaluateResponse(new byte[0]);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslClient.evaluateChallenge(message);
assertFalse(saslServer.isComplete());
assertFalse(saslClient.isComplete());
message = saslServer.evaluateResponse(message);
assertTrue(saslServer.isComplete());
assertNull(message);
assertNull(saslClient.evaluateChallenge(message));
assertTrue(saslClient.isComplete());
assertEquals(
"cn=test client 1,ou=jboss,o=red hat,st=north carolina,c=us",
saslServer.getAuthorizationID());
}
public static void main(String[] args) throws Exception {
if (args.length == 0) {
namesfile = null;
auto = true;
} else {
int i = 0;
if (args[i].equals("-m")) {
i++;
auto = false;
}
if (args.length > i) {
namesfile = args[i++];
if (args.length > i) {
proxyfile = args[i];
}
} else {
namesfile = null;
}
}
CallbackHandler clntCbh = null;
final CallbackHandler srvCbh = new PropertiesFileCallbackHandler(null, namesfile, proxyfile);
Subject clntSubj = doLogin("client");
Subject srvSubj = doLogin("server");
final HashMap clntprops = new HashMap();
final HashMap srvprops = new HashMap();
clntprops.put(Sasl.QOP, "auth");
srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf");
final SaslClient clnt =
(SaslClient)
Subject.doAs(
clntSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return Sasl.createSaslClient(
new String[] {MECH}, null, PROTOCOL, SERVER_FQDN, clntprops, null);
}
});
if (verbose) {
System.out.println(clntSubj);
System.out.println(srvSubj);
}
final SaslServer srv =
(SaslServer)
Subject.doAs(
srvSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN, srvprops, srvCbh);
}
});
if (clnt == null) {
throw new IllegalStateException("Unable to find client impl for " + MECH);
}
if (srv == null) {
throw new IllegalStateException("Unable to find server impl for " + MECH);
}
byte[] response;
byte[] challenge;
response =
(byte[])
Subject.doAs(
clntSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return (clnt.hasInitialResponse() ? clnt.evaluateChallenge(EMPTY) : EMPTY);
}
});
while (!clnt.isComplete() || !srv.isComplete()) {
final byte[] responseCopy = response;
challenge =
(byte[])
Subject.doAs(
srvSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return srv.evaluateResponse(responseCopy);
}
});
if (challenge != null) {
final byte[] challengeCopy = challenge;
response =
(byte[])
Subject.doAs(
clntSubj,
new PrivilegedExceptionAction() {
public Object run() throws Exception {
return clnt.evaluateChallenge(challengeCopy);
}
});
}
}
if (clnt.isComplete() && srv.isComplete()) {
if (verbose) {
System.out.println("SUCCESS");
System.out.println("authzid is " + srv.getAuthorizationID());
}
} else {
throw new IllegalStateException(
"FAILURE: mismatched state:"
+ " client complete? "
+ clnt.isComplete()
+ " server complete? "
+ srv.isComplete());
}
if (verbose) {
System.out.println(clnt.getNegotiatedProperty(Sasl.QOP));
}
// Now try to use security layer
byte[] clntBuf = new byte[] {0, 1, 2, 3};
try {
byte[] wrapped = clnt.wrap(clntBuf, 0, clntBuf.length);
throw new Exception("clnt wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
byte[] srvBuf = new byte[] {10, 11, 12, 13};
try {
byte[] wrapped = srv.wrap(srvBuf, 0, srvBuf.length);
throw new Exception("srv wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
try {
byte[] unwrapped = clnt.unwrap(clntBuf, 0, clntBuf.length);
throw new Exception("clnt wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
try {
byte[] unwrapped = srv.unwrap(srvBuf, 0, srvBuf.length);
throw new Exception("srv wrap should not be allowed w/no security layer");
} catch (IllegalStateException e) {
// expected
}
}
public boolean authenticate(
String[] mechs, final String realm, final String authzid, final String u, final String p)
throws ProtocolException {
synchronized (pr) { // authenticate method should be synchronized
List<Response> v = new ArrayList<Response>();
String tag = null;
Response r = null;
boolean done = false;
if (logger.isLoggable(Level.FINE)) {
logger.fine("SASL Mechanisms:");
for (int i = 0; i < mechs.length; i++) logger.fine(" " + mechs[i]);
logger.fine("");
}
SaslClient sc;
CallbackHandler cbh =
new CallbackHandler() {
public void handle(Callback[] callbacks) {
if (logger.isLoggable(Level.FINE))
logger.fine("SASL callback length: " + callbacks.length);
for (int i = 0; i < callbacks.length; i++) {
if (logger.isLoggable(Level.FINE))
logger.fine("SASL callback " + i + ": " + callbacks[i]);
if (callbacks[i] instanceof NameCallback) {
NameCallback ncb = (NameCallback) callbacks[i];
ncb.setName(u);
} else if (callbacks[i] instanceof PasswordCallback) {
PasswordCallback pcb = (PasswordCallback) callbacks[i];
pcb.setPassword(p.toCharArray());
} else if (callbacks[i] instanceof RealmCallback) {
RealmCallback rcb = (RealmCallback) callbacks[i];
rcb.setText(realm != null ? realm : rcb.getDefaultText());
} else if (callbacks[i] instanceof RealmChoiceCallback) {
RealmChoiceCallback rcb = (RealmChoiceCallback) callbacks[i];
if (realm == null) rcb.setSelectedIndex(rcb.getDefaultChoice());
else {
// need to find specified realm in list
String[] choices = rcb.getChoices();
for (int k = 0; k < choices.length; k++) {
if (choices[k].equals(realm)) {
rcb.setSelectedIndex(k);
break;
}
}
}
}
}
}
};
try {
sc = Sasl.createSaslClient(mechs, authzid, name, host, (Map) props, cbh);
} catch (SaslException sex) {
logger.log(Level.FINE, "Failed to create SASL client", sex);
throw new UnsupportedOperationException(sex.getMessage(), sex);
}
if (sc == null) {
logger.fine("No SASL support");
throw new UnsupportedOperationException("No SASL support");
}
if (logger.isLoggable(Level.FINE)) logger.fine("SASL client " + sc.getMechanismName());
try {
Argument args = new Argument();
args.writeAtom(sc.getMechanismName());
if (pr.hasCapability("SASL-IR") && sc.hasInitialResponse()) {
String irs;
byte[] ba = sc.evaluateChallenge(new byte[0]);
if (ba.length > 0) {
ba = BASE64EncoderStream.encode(ba);
irs = ASCIIUtility.toString(ba, 0, ba.length);
} else irs = "=";
args.writeAtom(irs);
}
tag = pr.writeCommand("AUTHENTICATE", args);
} catch (Exception ex) {
logger.log(Level.FINE, "SASL AUTHENTICATE Exception", ex);
return false;
}
OutputStream os = pr.getIMAPOutputStream(); // stream to IMAP server
/*
* Wrap a BASE64Encoder around a ByteArrayOutputstream
* to craft b64 encoded username and password strings
*
* Note that the encoded bytes should be sent "as-is" to the
* server, *not* as literals or quoted-strings.
*
* Also note that unlike the B64 definition in MIME, CRLFs
* should *not* be inserted during the encoding process. So, I
* use Integer.MAX_VALUE (0x7fffffff (> 1G)) as the bytesPerLine,
* which should be sufficiently large !
*/
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] CRLF = {(byte) '\r', (byte) '\n'};
// Hack for Novell GroupWise XGWTRUSTEDAPP authentication mechanism
// http://www.novell.com/developer/documentation/gwimap/?
// page=/developer/documentation/gwimap/gwimpenu/data/al7te9j.html
boolean isXGWTRUSTEDAPP =
sc.getMechanismName().equals("XGWTRUSTEDAPP")
&& PropUtil.getBooleanProperty(
props, "mail." + name + ".sasl.xgwtrustedapphack.enable", true);
while (!done) { // loop till we are done
try {
r = pr.readResponse();
if (r.isContinuation()) {
byte[] ba = null;
if (!sc.isComplete()) {
ba = r.readByteArray().getNewBytes();
if (ba.length > 0) ba = BASE64DecoderStream.decode(ba);
if (logger.isLoggable(Level.FINE))
logger.fine("SASL challenge: " + ASCIIUtility.toString(ba, 0, ba.length) + " :");
ba = sc.evaluateChallenge(ba);
}
if (ba == null) {
logger.fine("SASL no response");
os.write(CRLF); // write out empty line
os.flush(); // flush the stream
bos.reset(); // reset buffer
} else {
if (logger.isLoggable(Level.FINE))
logger.fine("SASL response: " + ASCIIUtility.toString(ba, 0, ba.length) + " :");
ba = BASE64EncoderStream.encode(ba);
if (isXGWTRUSTEDAPP) bos.write(ASCIIUtility.getBytes("XGWTRUSTEDAPP "));
bos.write(ba);
bos.write(CRLF); // CRLF termination
os.write(bos.toByteArray()); // write out line
os.flush(); // flush the stream
bos.reset(); // reset buffer
}
} else if (r.isTagged() && r.getTag().equals(tag))
// Ah, our tagged response
done = true;
else if (r.isBYE()) // outta here
done = true;
else // hmm .. unsolicited response here ?!
v.add(r);
} catch (Exception ioex) {
logger.log(Level.FINE, "SASL Exception", ioex);
// convert this into a BYE response
r = Response.byeResponse(ioex);
done = true;
// XXX - ultimately return true???
}
}
if (sc.isComplete() /*&& res.status == SUCCESS*/) {
String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
if (qop != null
&& (qop.equalsIgnoreCase("auth-int") || qop.equalsIgnoreCase("auth-conf"))) {
// XXX - NOT SUPPORTED!!!
logger.fine("SASL Mechanism requires integrity or confidentiality");
return false;
}
}
/* Dispatch untagged responses.
* NOTE: in our current upper level IMAP classes, we add the
* responseHandler to the Protocol object only *after* the
* connection has been authenticated. So, for now, the below
* code really ends up being just a no-op.
*/
Response[] responses = v.toArray(new Response[v.size()]);
pr.notifyResponseHandlers(responses);
// Handle the final OK, NO, BAD or BYE response
pr.handleResult(r);
pr.setCapabilities(r);
/*
* If we're using the Novell Groupwise XGWTRUSTEDAPP mechanism
* to run as a specified authorization ID, we have to issue a
* LOGIN command to select the user we want to operate as.
*/
if (isXGWTRUSTEDAPP && authzid != null) {
Argument args = new Argument();
args.writeString(authzid);
responses = pr.command("LOGIN", args);
// dispatch untagged responses
pr.notifyResponseHandlers(responses);
// Handle result of this command
pr.handleResult(responses[responses.length - 1]);
// If the response includes a CAPABILITY response code, process it
pr.setCapabilities(responses[responses.length - 1]);
}
return true;
}
}
public void handleEvent(final ConnectedMessageChannel channel) {
final Pooled<ByteBuffer> pooledBuffer = connection.allocate();
try {
final ByteBuffer buffer = pooledBuffer.getResource();
final int res;
try {
res = channel.receive(buffer);
} catch (IOException e) {
connection.handleException(e);
return;
}
if (res == 0) {
return;
}
if (res == -1) {
connection.handleException(client.abruptClose(connection));
return;
}
buffer.flip();
final byte msgType = buffer.get();
switch (msgType) {
case Protocol.CONNECTION_ALIVE:
{
client.trace("Client received connection alive");
return;
}
case Protocol.CONNECTION_CLOSE:
{
client.trace("Client received connection close request");
connection.handleIncomingCloseRequest();
return;
}
case Protocol.AUTH_CHALLENGE:
{
client.trace("Client received authentication challenge");
connection
.getExecutor()
.execute(
new Runnable() {
public void run() {
final boolean clientComplete = saslClient.isComplete();
if (clientComplete) {
connection.handleException(
new SaslException("Received extra auth message after completion"));
return;
}
final byte[] response;
final byte[] challenge = Buffers.take(buffer, buffer.remaining());
try {
response = saslClient.evaluateChallenge(challenge);
if (msgType == Protocol.AUTH_COMPLETE
&& response != null
&& response.length > 0) {
connection.handleException(
new SaslException(
"Received extra auth message after completion"));
return;
}
} catch (Exception e) {
client.tracef("Client authentication failed: %s", e);
failedMechs.add(saslClient.getMechanismName());
sendCapRequest(serverName);
return;
}
client.trace("Client sending authentication response");
final Pooled<ByteBuffer> pooled = connection.allocate();
final ByteBuffer sendBuffer = pooled.getResource();
sendBuffer.put(Protocol.AUTH_RESPONSE);
sendBuffer.put(response);
sendBuffer.flip();
connection.send(pooled);
connection.getChannel().resumeReads();
return;
}
});
connection.getChannel().suspendReads();
return;
}
case Protocol.AUTH_COMPLETE:
{
client.trace("Client received authentication complete");
connection
.getExecutor()
.execute(
new Runnable() {
public void run() {
final boolean clientComplete = saslClient.isComplete();
final byte[] challenge = Buffers.take(buffer, buffer.remaining());
if (!clientComplete)
try {
final byte[] response = saslClient.evaluateChallenge(challenge);
if (response != null && response.length > 0) {
connection.handleException(
new SaslException(
"Received extra auth message after completion"));
return;
}
if (!saslClient.isComplete()) {
connection.handleException(
new SaslException(
"Client not complete after processing auth complete message"));
return;
}
} catch (SaslException e) {
// todo log message
failedMechs.add(saslClient.getMechanismName());
sendCapRequest(serverName);
return;
}
// auth complete.
final ConnectionHandlerFactory connectionHandlerFactory =
new ConnectionHandlerFactory() {
public ConnectionHandler createInstance(
final ConnectionHandlerContext connectionContext) {
// this happens immediately.
final RemoteConnectionHandler connectionHandler =
new RemoteConnectionHandler(connectionContext, connection);
connection.setReadListener(
new RemoteReadListener(connectionHandler, connection));
return connectionHandler;
}
};
connection.getResult().setResult(connectionHandlerFactory);
connection.getChannel().resumeReads();
return;
}
});
connection.getChannel().suspendReads();
return;
}
case Protocol.AUTH_REJECTED:
{
client.trace("Client received authentication rejected");
failedMechs.add(saslClient.getMechanismName());
sendCapRequest(serverName);
return;
}
default:
{
client.unknownProtocolId(msgType);
connection.handleException(client.invalidMessage(connection));
return;
}
}
} finally {
pooledBuffer.free();
}
}
public void handleEvent(final ConnectedMessageChannel channel) {
final Pooled<ByteBuffer> pooledReceiveBuffer = connection.allocate();
try {
final ByteBuffer receiveBuffer = pooledReceiveBuffer.getResource();
int res = 0;
try {
res = channel.receive(receiveBuffer);
} catch (IOException e) {
connection.handleException(e);
return;
}
if (res == -1) {
connection.handleException(client.abruptClose(connection));
return;
}
if (res == 0) {
return;
}
receiveBuffer.flip();
boolean starttls = false;
final Set<String> saslMechs = new LinkedHashSet<String>();
final byte msgType = receiveBuffer.get();
switch (msgType) {
case Protocol.CONNECTION_ALIVE:
{
client.trace("Client received connection alive");
return;
}
case Protocol.CONNECTION_CLOSE:
{
client.trace("Client received connection close request");
connection.handleIncomingCloseRequest();
return;
}
case Protocol.CAPABILITIES:
{
client.trace("Client received capabilities response");
while (receiveBuffer.hasRemaining()) {
final byte type = receiveBuffer.get();
final int len = receiveBuffer.get() & 0xff;
final ByteBuffer data = Buffers.slice(receiveBuffer, len);
switch (type) {
case Protocol.CAP_VERSION:
{
final byte version = data.get();
client.tracef(
"Client received capability: version %d",
Integer.valueOf(version & 0xff));
// We only support version zero, so knowing the other side's version is not
// useful presently
break;
}
case Protocol.CAP_SASL_MECH:
{
final String mechName = Buffers.getModifiedUtf8(data);
client.tracef("Client received capability: SASL mechanism %s", mechName);
if (!failedMechs.contains(mechName)
&& !disallowedMechs.contains(mechName)
&& (allowedMechs == null || allowedMechs.contains(mechName))) {
client.tracef("SASL mechanism %s added to allowed set", mechName);
saslMechs.add(mechName);
}
break;
}
case Protocol.CAP_STARTTLS:
{
client.trace("Client received capability: STARTTLS");
starttls = true;
break;
}
default:
{
client.tracef(
"Client received unknown capability %02x", Integer.valueOf(type & 0xff));
// unknown, skip it for forward compatibility.
break;
}
}
}
if (starttls) {
// only initiate starttls if not forbidden by config
if (optionMap.get(Options.SSL_STARTTLS, true)) {
// Prepare the request message body
final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate();
final ByteBuffer sendBuffer = pooledSendBuffer.getResource();
sendBuffer.put(Protocol.STARTTLS);
sendBuffer.flip();
connection.setReadListener(new StartTls(serverName));
connection.send(pooledSendBuffer);
// all set
return;
}
}
if (saslMechs.isEmpty()) {
connection.handleException(
new SaslException("No more authentication mechanisms to try"));
return;
}
// OK now send our authentication request
final OptionMap optionMap = connection.getOptionMap();
final String userName = optionMap.get(RemotingOptions.AUTHORIZE_ID);
final Map<String, ?> propertyMap =
SaslUtils.createPropertyMap(
optionMap, Channels.getOption(channel, Options.SECURE, false));
final SaslClient saslClient;
try {
saslClient =
AccessController.doPrivileged(
new PrivilegedExceptionAction<SaslClient>() {
public SaslClient run() throws SaslException {
return Sasl.createSaslClient(
saslMechs.toArray(new String[saslMechs.size()]),
userName,
"remote",
serverName,
propertyMap,
callbackHandler);
}
},
accessControlContext);
} catch (PrivilegedActionException e) {
final SaslException se = (SaslException) e.getCause();
connection.handleException(se);
return;
}
final String mechanismName = saslClient.getMechanismName();
client.tracef("Client initiating authentication using mechanism %s", mechanismName);
// Prepare the request message body
final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate();
final ByteBuffer sendBuffer = pooledSendBuffer.getResource();
sendBuffer.put(Protocol.AUTH_REQUEST);
Buffers.putModifiedUtf8(sendBuffer, mechanismName);
sendBuffer.flip();
connection.send(pooledSendBuffer);
connection.setReadListener(new Authentication(saslClient, serverName));
return;
}
default:
{
client.unknownProtocolId(msgType);
connection.handleException(client.invalidMessage(connection));
return;
}
}
} catch (BufferUnderflowException e) {
connection.handleException(client.invalidMessage(connection));
return;
} catch (BufferOverflowException e) {
connection.handleException(client.invalidMessage(connection));
return;
} finally {
pooledReceiveBuffer.free();
}
}
public boolean isComplete() {
return saslClient.isComplete();
}
@After
public void dispose() throws Exception {
if (client != null) client.dispose();
if (server != null) server.dispose();
if (testKdc != null) testKdc.stopAll();
}
public void handleEvent(final ConnectedMessageChannel channel) {
final Pooled<ByteBuffer> pooledBuffer = connection.allocate();
boolean free = true;
try {
final ByteBuffer buffer = pooledBuffer.getResource();
synchronized (connection.getLock()) {
final int res;
try {
res = channel.receive(buffer);
} catch (IOException e) {
connection.handleException(e);
saslDispose(saslClient);
return;
}
if (res == 0) {
return;
}
if (res == -1) {
connection.handleException(client.abruptClose(connection));
saslDispose(saslClient);
return;
}
}
buffer.flip();
final byte msgType = buffer.get();
switch (msgType) {
case Protocol.CONNECTION_ALIVE:
{
client.trace("Client received connection alive");
connection.sendAliveResponse();
return;
}
case Protocol.CONNECTION_ALIVE_ACK:
{
client.trace("Client received connection alive ack");
return;
}
case Protocol.CONNECTION_CLOSE:
{
client.trace("Client received connection close request");
connection.handlePreAuthCloseRequest();
saslDispose(saslClient);
return;
}
case Protocol.AUTH_CHALLENGE:
{
client.trace("Client received authentication challenge");
channel.suspendReads();
connection
.getExecutor()
.execute(
() -> {
try {
final boolean clientComplete = saslClient.isComplete();
if (clientComplete) {
connection.handleException(
new SaslException("Received extra auth message after completion"));
return;
}
final byte[] response;
final byte[] challenge = Buffers.take(buffer, buffer.remaining());
try {
response = saslClient.evaluateChallenge(challenge);
} catch (Throwable e) {
final String mechanismName = saslClient.getMechanismName();
client.debugf(
"Client authentication failed for mechanism %s: %s",
mechanismName, e);
failedMechs.put(mechanismName, e.toString());
saslDispose(saslClient);
sendCapRequest(serverName);
return;
}
client.trace("Client sending authentication response");
final Pooled<ByteBuffer> pooled = connection.allocate();
boolean ok = false;
try {
final ByteBuffer sendBuffer = pooled.getResource();
sendBuffer.put(Protocol.AUTH_RESPONSE);
sendBuffer.put(response);
sendBuffer.flip();
connection.send(pooled);
ok = true;
channel.resumeReads();
} finally {
if (!ok) pooled.free();
}
return;
} finally {
pooledBuffer.free();
}
});
free = false;
return;
}
case Protocol.AUTH_COMPLETE:
{
client.trace("Client received authentication complete");
channel.suspendReads();
connection
.getExecutor()
.execute(
() -> {
try {
final boolean clientComplete = saslClient.isComplete();
final byte[] challenge = Buffers.take(buffer, buffer.remaining());
if (!clientComplete)
try {
final byte[] response = saslClient.evaluateChallenge(challenge);
if (response != null && response.length > 0) {
connection.handleException(
new SaslException(
"Received extra auth message after completion"));
saslDispose(saslClient);
return;
}
if (!saslClient.isComplete()) {
connection.handleException(
new SaslException(
"Client not complete after processing auth complete message"));
saslDispose(saslClient);
return;
}
} catch (Throwable e) {
final String mechanismName = saslClient.getMechanismName();
client.debugf(
"Client authentication failed for mechanism %s: %s",
mechanismName, e);
failedMechs.put(mechanismName, e.toString());
saslDispose(saslClient);
sendCapRequest(serverName);
return;
}
final Object qop = saslClient.getNegotiatedProperty(Sasl.QOP);
if ("auth-int".equals(qop) || "auth-conf".equals(qop)) {
connection.setSaslWrapper(SaslWrapper.create(saslClient));
}
// auth complete.
final ConnectionHandlerFactory connectionHandlerFactory =
connectionContext -> {
// this happens immediately.
final RemoteConnectionHandler connectionHandler =
new RemoteConnectionHandler(
connectionContext,
connection,
maxInboundChannels,
maxOutboundChannels,
remoteEndpointName,
behavior);
connection.setReadListener(
new RemoteReadListener(connectionHandler, connection), false);
connection
.getRemoteConnectionProvider()
.addConnectionHandler(connectionHandler);
return connectionHandler;
};
connection.getResult().setResult(connectionHandlerFactory);
channel.resumeReads();
return;
} finally {
pooledBuffer.free();
}
});
free = false;
return;
}
case Protocol.AUTH_REJECTED:
{
final String mechanismName = saslClient.getMechanismName();
client.debugf(
"Client received authentication rejected for mechanism %s", mechanismName);
failedMechs.put(mechanismName, "Server rejected authentication");
saslDispose(saslClient);
sendCapRequest(serverName);
return;
}
default:
{
client.unknownProtocolId(msgType);
connection.handleException(client.invalidMessage(connection));
saslDispose(saslClient);
return;
}
}
} finally {
if (free) pooledBuffer.free();
}
}
public void handleEvent(final ConnectedMessageChannel channel) {
final Pooled<ByteBuffer> pooledReceiveBuffer = connection.allocate();
try {
final ByteBuffer receiveBuffer = pooledReceiveBuffer.getResource();
synchronized (connection.getLock()) {
int res;
try {
res = channel.receive(receiveBuffer);
} catch (IOException e) {
connection.handleException(e);
return;
}
if (res == -1) {
connection.handleException(client.abruptClose(connection));
return;
}
if (res == 0) {
return;
}
}
receiveBuffer.flip();
boolean starttls = false;
final Set<String> serverSaslMechs = new LinkedHashSet<String>();
final byte msgType = receiveBuffer.get();
switch (msgType) {
case Protocol.CONNECTION_ALIVE:
{
client.trace("Client received connection alive");
connection.sendAliveResponse();
return;
}
case Protocol.CONNECTION_ALIVE_ACK:
{
client.trace("Client received connection alive ack");
return;
}
case Protocol.CONNECTION_CLOSE:
{
client.trace("Client received connection close request");
connection.handlePreAuthCloseRequest();
return;
}
case Protocol.CAPABILITIES:
{
client.trace("Client received capabilities response");
String remoteEndpointName = null;
int version = Protocol.VERSION;
int behavior = Protocol.BH_FAULTY_MSG_SIZE;
boolean useDefaultChannels = true;
int channelsIn = 40;
int channelsOut = 40;
while (receiveBuffer.hasRemaining()) {
final byte type = receiveBuffer.get();
final int len = receiveBuffer.get() & 0xff;
final ByteBuffer data = Buffers.slice(receiveBuffer, len);
switch (type) {
case Protocol.CAP_VERSION:
{
version = data.get() & 0xff;
client.tracef(
"Client received capability: version %d",
Integer.valueOf(version & 0xff));
break;
}
case Protocol.CAP_SASL_MECH:
{
final String mechName = Buffers.getModifiedUtf8(data);
client.tracef("Client received capability: SASL mechanism %s", mechName);
if (!failedMechs.containsKey(mechName)
&& !disallowedMechs.contains(mechName)
&& (allowedMechs == null || allowedMechs.contains(mechName))) {
client.tracef("SASL mechanism %s added to allowed set", mechName);
serverSaslMechs.add(mechName);
}
break;
}
case Protocol.CAP_STARTTLS:
{
client.trace("Client received capability: STARTTLS");
starttls = true;
break;
}
case Protocol.CAP_ENDPOINT_NAME:
{
remoteEndpointName = Buffers.getModifiedUtf8(data);
client.tracef(
"Client received capability: remote endpoint name \"%s\"",
remoteEndpointName);
break;
}
case Protocol.CAP_MESSAGE_CLOSE:
{
behavior |= Protocol.BH_MESSAGE_CLOSE;
// remote side must be >= 3.2.11.GA
// but, we'll assume it's >= 3.2.14.GA because no AS or EAP release included
// 3.2.8.SP1 < x < 3.2.14.GA
behavior &= ~Protocol.BH_FAULTY_MSG_SIZE;
client.tracef("Client received capability: message close protocol supported");
break;
}
case Protocol.CAP_VERSION_STRING:
{
// remote side must be >= 3.2.16.GA
behavior &= ~Protocol.BH_FAULTY_MSG_SIZE;
final String remoteVersionString = Buffers.getModifiedUtf8(data);
client.tracef(
"Client received capability: remote version is \"%s\"",
remoteVersionString);
break;
}
case Protocol.CAP_CHANNELS_IN:
{
useDefaultChannels = false;
// their channels in is our channels out
channelsOut = ProtocolUtils.readIntData(data, len);
client.tracef(
"Client received capability: remote channels in is \"%d\"", channelsOut);
break;
}
case Protocol.CAP_CHANNELS_OUT:
{
useDefaultChannels = false;
// their channels out is our channels in
channelsIn = ProtocolUtils.readIntData(data, len);
client.tracef(
"Client received capability: remote channels out is \"%d\"", channelsIn);
break;
}
default:
{
client.tracef(
"Client received unknown capability %02x", Integer.valueOf(type & 0xff));
// unknown, skip it for forward compatibility.
break;
}
}
}
if (useDefaultChannels) {
channelsIn = 40;
channelsOut = 40;
}
if (starttls) {
// only initiate starttls if not forbidden by config
if (optionMap.get(Options.SSL_STARTTLS, true)) {
// Prepare the request message body
final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate();
boolean ok = false;
try {
final ByteBuffer sendBuffer = pooledSendBuffer.getResource();
sendBuffer.put(Protocol.STARTTLS);
sendBuffer.flip();
connection.setReadListener(new StartTls(remoteServerName), true);
connection.send(pooledSendBuffer);
ok = true;
// all set
return;
} finally {
if (!ok) pooledSendBuffer.free();
}
}
}
if (serverSaslMechs.isEmpty()) {
if (failedMechs.isEmpty()) {
connection.handleException(
new SaslException(
"Authentication failed: the server presented no authentication mechanisms"));
} else {
// At this point we have been attempting to use mechanisms as they have been
// presented to us but we have now exhausted the list.
connection.handleException(allMechanismsFailed());
}
return;
}
// OK now send our authentication request
final AuthenticationContextConfigurationClient configurationClient =
AUTH_CONFIGURATION_CLIENT;
AuthenticationConfiguration configuration =
configurationClient.getAuthenticationConfiguration(uri, authenticationContext);
final SaslClient saslClient;
try {
saslClient =
configurationClient.createSaslClient(
uri, configuration, saslClientFactory, serverSaslMechs);
} catch (SaslException e) {
// apparently no more mechanisms can succeed
connection.handleException(e);
return;
}
if (saslClient == null) {
connection.handleException(allMechanismsFailed());
return;
}
final String mechanismName = saslClient.getMechanismName();
client.tracef("Client initiating authentication using mechanism %s", mechanismName);
connection.getChannel().suspendReads();
final int negotiatedVersion = version;
final SaslClient usedSaslClient = saslClient;
final Authentication authentication =
new Authentication(
usedSaslClient,
remoteServerName,
remoteEndpointName,
behavior,
channelsIn,
channelsOut);
connection
.getExecutor()
.execute(
() -> {
final byte[] response;
try {
response =
usedSaslClient.hasInitialResponse()
? usedSaslClient.evaluateChallenge(EMPTY_BYTES)
: null;
} catch (SaslException e) {
client.tracef("Client authentication failed: %s", e);
saslDispose(usedSaslClient);
failedMechs.put(mechanismName, e.toString());
sendCapRequest(remoteServerName);
return;
}
// Prepare the request message body
final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate();
boolean ok = false;
try {
final ByteBuffer sendBuffer = pooledSendBuffer.getResource();
sendBuffer.put(Protocol.AUTH_REQUEST);
if (negotiatedVersion < 1) {
sendBuffer.put(mechanismName.getBytes(Protocol.UTF_8));
} else {
ProtocolUtils.writeString(sendBuffer, mechanismName);
if (response != null) {
sendBuffer.put(response);
}
}
sendBuffer.flip();
connection.send(pooledSendBuffer);
ok = true;
connection.setReadListener(authentication, true);
return;
} finally {
if (!ok) pooledSendBuffer.free();
}
});
return;
}
default:
{
client.unknownProtocolId(msgType);
connection.handleException(client.invalidMessage(connection));
return;
}
}
} catch (BufferUnderflowException | BufferOverflowException e) {
connection.handleException(client.invalidMessage(connection));
return;
} finally {
pooledReceiveBuffer.free();
}
}
private void doAuth() {
SaslClient saslClient = null;
try {
saslClient =
Sasl.createSaslClient(
authInfo.getMechanisms(),
null,
"memcached",
memcachedTCPSession.getRemoteSocketAddress().toString(),
null,
this.authInfo.getCallbackHandler());
final AtomicBoolean done = new AtomicBoolean(false);
byte[] response =
saslClient.hasInitialResponse() ? saslClient.evaluateChallenge(EMPTY_BYTES) : EMPTY_BYTES;
CountDownLatch latch = new CountDownLatch(1);
Command command =
this.commandFactory.createAuthStartCommand(
saslClient.getMechanismName(), latch, response);
if (!this.memcachedTCPSession.isClosed()) this.memcachedTCPSession.write(command);
else {
log.error("Authentication fail,because the connection has been closed");
throw new RuntimeException("Authentication fai,connection has been close");
}
while (!done.get()) {
try {
latch.await();
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
done.set(true);
}
ResponseStatus responseStatus = ((BaseBinaryCommand) command).getResponseStatus();
switch (responseStatus) {
case NO_ERROR:
done.set(true);
log.info(
"Authentication to "
+ this.memcachedTCPSession.getRemoteSocketAddress()
+ " successfully");
break;
case AUTH_REQUIRED:
log.error(
"Authentication failed to " + this.memcachedTCPSession.getRemoteSocketAddress());
log.warn(
"Reopen connection to "
+ this.memcachedTCPSession.getRemoteSocketAddress()
+ ",beacause auth fail");
this.memcachedTCPSession.setAuthFailed(true);
// It it is not first time,try to sleep 1 second
if (!this.authInfo.isFirstTime()) {
Thread.sleep(1000);
}
this.memcachedTCPSession.close();
done.set(true);
break;
case FUTHER_AUTH_REQUIRED:
String result = (String) command.getResult();
response = saslClient.evaluateChallenge(ByteUtils.getBytes(result));
latch = new CountDownLatch(1);
command =
commandFactory.createAuthStepCommand(
saslClient.getMechanismName(), latch, response);
if (!this.memcachedTCPSession.isClosed()) this.memcachedTCPSession.write(command);
else {
log.error("Authentication fail,because the connection has been closed");
throw new RuntimeException("Authentication fai,connection has been close");
}
break;
default:
done.set(true);
log.error(
"Authentication failed to "
+ this.memcachedTCPSession.getRemoteSocketAddress()
+ ",response status="
+ responseStatus);
break;
}
}
} catch (Exception e) {
log.error("Create saslClient error", e);
} finally {
if (saslClient != null) {
try {
saslClient.dispose();
} catch (SaslException e) {
log.error("Dispose saslClient error", e);
}
}
}
}
/**
* When writing octets to the resulting stream, if a security layer has been negotiated, each
* piece of data written (by a single invocation of <code>write()</code>) will be encapsulated as
* a SASL buffer, as defined in RFC 2222, and then written to the underlying <i>dest</i> output
* stream.
*/
public void write(byte[] b, int off, int len) throws IOException {
if (b == null) {
throw new NullPointerException("b");
}
if ((off < 0)
|| (off > b.length)
|| (len < 0)
|| ((off + len) > b.length)
|| ((off + len) < 0)) {
throw new IndexOutOfBoundsException(
"off="
+ String.valueOf(off)
+ ", len="
+ String.valueOf(len)
+ ", b.length="
+ String.valueOf(b.length));
}
if (len == 0) {
return;
}
if (DEBUG && debuglevel > 8) debug(TRACE, "==> write()");
int chunckSize, length, chunck = 1;
byte[] output = null, result;
if (DEBUG && debuglevel > 6)
debug(TRACE, "About to wrap " + String.valueOf(len) + " byte(s)...");
while (len > 0) {
chunckSize = (len > maxRawSendSize ? maxRawSendSize : len);
if (DEBUG && debuglevel > 6)
debug(
TRACE,
"Outgoing buffer (before security) (hex): " + Util.dumpString(b, off, chunckSize));
if (DEBUG && debuglevel > 6)
debug(
TRACE,
"Outgoing buffer (before security) (str): \"" + new String(b, off, chunckSize) + "\"");
if (client != null) output = client.wrap(b, off, chunckSize);
else output = server.wrap(b, off, chunckSize);
if (DEBUG && debuglevel > 6)
debug(TRACE, "Outgoing buffer (after security) (hex): " + Util.dumpString(output));
if (DEBUG && debuglevel > 6)
debug(TRACE, "Outgoing buffer (after security) (str): \"" + new String(output) + "\"");
length = output.length;
result = new byte[length + 4];
result[0] = (byte) (length >>> 24);
result[1] = (byte) (length >>> 16);
result[2] = (byte) (length >>> 8);
result[3] = (byte) length;
System.arraycopy(output, 0, result, 4, length);
dest.write(result);
off += chunckSize;
len -= chunckSize;
if (DEBUG && debuglevel > 6) debug(TRACE, "Wrapped chunck #" + String.valueOf(chunck));
chunck++;
}
dest.flush();
if (DEBUG && debuglevel > 8) debug(TRACE, "<== write()");
}
