@Test public void testServerAuthIndirect_Client() throws Exception { Map<String, Object> props = new HashMap<String, Object>(); // No properties are set, an appropriate EntitySaslClient should be returned SaslClient client = Sasl.createSaslClient( new String[] {SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC}, "TestUser", "TestProtocol", "TestServer", props, null); assertEquals(EntitySaslClient.class, client.getClass()); assertEquals( SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, client.getMechanismName()); // If we set SERVER_AUTH to true even though only unilateral mechanisms are specified, no client // should be returned props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); client = Sasl.createSaslClient( new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1 }, "TestUser", "TestProtocol", "TestServer", props, null); assertNull(client); // If we set SERVER_AUTH to true, an appropriate EntitySaslClient should be returned props.put(Sasl.SERVER_AUTH, Boolean.toString(true)); client = Sasl.createSaslClient( new String[] { SaslMechanismInformation.Names.IEC_ISO_9798_U_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_U_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_U_ECDSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, SaslMechanismInformation.Names.IEC_ISO_9798_M_DSA_SHA1, SaslMechanismInformation.Names.IEC_ISO_9798_M_ECDSA_SHA1 }, "TestUser", "TestProtocol", "TestServer", props, null); assertEquals(EntitySaslClient.class, client.getClass()); assertEquals( SaslMechanismInformation.Names.IEC_ISO_9798_M_RSA_SHA1_ENC, client.getMechanismName()); }
public OcsConnection(final String domain, final OcsAccount account, int key) { this.domain = domain; this.addr = Util.cast2SocketAddress(domain); this.account = account; this.setKey(key); if (account.isExemptPassword() == false) { this.plainHandler = new OcsPlainHandler(account.getUsername(), account.getPassword()); mech = new String[] {"PLAIN"}; try { SaslClient sc = Sasl.createSaslClient(mech, null, "memcached", addr.toString(), null, plainHandler); evaluate = sc.evaluateChallenge(/* empty bytes */ new byte[0]); mechanism = sc.getMechanismName(); } catch (SaslException e) { logger.error("SaslClient exception", e); throw new RuntimeException("SaslClient exception", e); } } channel = null; }
public boolean authenticate( String[] mechs, final String realm, final String authzid, final String u, final String p) throws ProtocolException { synchronized (pr) { // authenticate method should be synchronized List<Response> v = new ArrayList<Response>(); String tag = null; Response r = null; boolean done = false; if (logger.isLoggable(Level.FINE)) { logger.fine("SASL Mechanisms:"); for (int i = 0; i < mechs.length; i++) logger.fine(" " + mechs[i]); logger.fine(""); } SaslClient sc; CallbackHandler cbh = new CallbackHandler() { public void handle(Callback[] callbacks) { if (logger.isLoggable(Level.FINE)) logger.fine("SASL callback length: " + callbacks.length); for (int i = 0; i < callbacks.length; i++) { if (logger.isLoggable(Level.FINE)) logger.fine("SASL callback " + i + ": " + callbacks[i]); if (callbacks[i] instanceof NameCallback) { NameCallback ncb = (NameCallback) callbacks[i]; ncb.setName(u); } else if (callbacks[i] instanceof PasswordCallback) { PasswordCallback pcb = (PasswordCallback) callbacks[i]; pcb.setPassword(p.toCharArray()); } else if (callbacks[i] instanceof RealmCallback) { RealmCallback rcb = (RealmCallback) callbacks[i]; rcb.setText(realm != null ? realm : rcb.getDefaultText()); } else if (callbacks[i] instanceof RealmChoiceCallback) { RealmChoiceCallback rcb = (RealmChoiceCallback) callbacks[i]; if (realm == null) rcb.setSelectedIndex(rcb.getDefaultChoice()); else { // need to find specified realm in list String[] choices = rcb.getChoices(); for (int k = 0; k < choices.length; k++) { if (choices[k].equals(realm)) { rcb.setSelectedIndex(k); break; } } } } } } }; try { sc = Sasl.createSaslClient(mechs, authzid, name, host, (Map) props, cbh); } catch (SaslException sex) { logger.log(Level.FINE, "Failed to create SASL client", sex); throw new UnsupportedOperationException(sex.getMessage(), sex); } if (sc == null) { logger.fine("No SASL support"); throw new UnsupportedOperationException("No SASL support"); } if (logger.isLoggable(Level.FINE)) logger.fine("SASL client " + sc.getMechanismName()); try { Argument args = new Argument(); args.writeAtom(sc.getMechanismName()); if (pr.hasCapability("SASL-IR") && sc.hasInitialResponse()) { String irs; byte[] ba = sc.evaluateChallenge(new byte[0]); if (ba.length > 0) { ba = BASE64EncoderStream.encode(ba); irs = ASCIIUtility.toString(ba, 0, ba.length); } else irs = "="; args.writeAtom(irs); } tag = pr.writeCommand("AUTHENTICATE", args); } catch (Exception ex) { logger.log(Level.FINE, "SASL AUTHENTICATE Exception", ex); return false; } OutputStream os = pr.getIMAPOutputStream(); // stream to IMAP server /* * Wrap a BASE64Encoder around a ByteArrayOutputstream * to craft b64 encoded username and password strings * * Note that the encoded bytes should be sent "as-is" to the * server, *not* as literals or quoted-strings. * * Also note that unlike the B64 definition in MIME, CRLFs * should *not* be inserted during the encoding process. So, I * use Integer.MAX_VALUE (0x7fffffff (> 1G)) as the bytesPerLine, * which should be sufficiently large ! */ ByteArrayOutputStream bos = new ByteArrayOutputStream(); byte[] CRLF = {(byte) '\r', (byte) '\n'}; // Hack for Novell GroupWise XGWTRUSTEDAPP authentication mechanism // http://www.novell.com/developer/documentation/gwimap/? // page=/developer/documentation/gwimap/gwimpenu/data/al7te9j.html boolean isXGWTRUSTEDAPP = sc.getMechanismName().equals("XGWTRUSTEDAPP") && PropUtil.getBooleanProperty( props, "mail." + name + ".sasl.xgwtrustedapphack.enable", true); while (!done) { // loop till we are done try { r = pr.readResponse(); if (r.isContinuation()) { byte[] ba = null; if (!sc.isComplete()) { ba = r.readByteArray().getNewBytes(); if (ba.length > 0) ba = BASE64DecoderStream.decode(ba); if (logger.isLoggable(Level.FINE)) logger.fine("SASL challenge: " + ASCIIUtility.toString(ba, 0, ba.length) + " :"); ba = sc.evaluateChallenge(ba); } if (ba == null) { logger.fine("SASL no response"); os.write(CRLF); // write out empty line os.flush(); // flush the stream bos.reset(); // reset buffer } else { if (logger.isLoggable(Level.FINE)) logger.fine("SASL response: " + ASCIIUtility.toString(ba, 0, ba.length) + " :"); ba = BASE64EncoderStream.encode(ba); if (isXGWTRUSTEDAPP) bos.write(ASCIIUtility.getBytes("XGWTRUSTEDAPP ")); bos.write(ba); bos.write(CRLF); // CRLF termination os.write(bos.toByteArray()); // write out line os.flush(); // flush the stream bos.reset(); // reset buffer } } else if (r.isTagged() && r.getTag().equals(tag)) // Ah, our tagged response done = true; else if (r.isBYE()) // outta here done = true; else // hmm .. unsolicited response here ?! v.add(r); } catch (Exception ioex) { logger.log(Level.FINE, "SASL Exception", ioex); // convert this into a BYE response r = Response.byeResponse(ioex); done = true; // XXX - ultimately return true??? } } if (sc.isComplete() /*&& res.status == SUCCESS*/) { String qop = (String) sc.getNegotiatedProperty(Sasl.QOP); if (qop != null && (qop.equalsIgnoreCase("auth-int") || qop.equalsIgnoreCase("auth-conf"))) { // XXX - NOT SUPPORTED!!! logger.fine("SASL Mechanism requires integrity or confidentiality"); return false; } } /* Dispatch untagged responses. * NOTE: in our current upper level IMAP classes, we add the * responseHandler to the Protocol object only *after* the * connection has been authenticated. So, for now, the below * code really ends up being just a no-op. */ Response[] responses = v.toArray(new Response[v.size()]); pr.notifyResponseHandlers(responses); // Handle the final OK, NO, BAD or BYE response pr.handleResult(r); pr.setCapabilities(r); /* * If we're using the Novell Groupwise XGWTRUSTEDAPP mechanism * to run as a specified authorization ID, we have to issue a * LOGIN command to select the user we want to operate as. */ if (isXGWTRUSTEDAPP && authzid != null) { Argument args = new Argument(); args.writeString(authzid); responses = pr.command("LOGIN", args); // dispatch untagged responses pr.notifyResponseHandlers(responses); // Handle result of this command pr.handleResult(responses[responses.length - 1]); // If the response includes a CAPABILITY response code, process it pr.setCapabilities(responses[responses.length - 1]); } return true; } }
public void handleEvent(final ConnectedMessageChannel channel) { final Pooled<ByteBuffer> pooledBuffer = connection.allocate(); try { final ByteBuffer buffer = pooledBuffer.getResource(); final int res; try { res = channel.receive(buffer); } catch (IOException e) { connection.handleException(e); return; } if (res == 0) { return; } if (res == -1) { connection.handleException(client.abruptClose(connection)); return; } buffer.flip(); final byte msgType = buffer.get(); switch (msgType) { case Protocol.CONNECTION_ALIVE: { client.trace("Client received connection alive"); return; } case Protocol.CONNECTION_CLOSE: { client.trace("Client received connection close request"); connection.handleIncomingCloseRequest(); return; } case Protocol.AUTH_CHALLENGE: { client.trace("Client received authentication challenge"); connection .getExecutor() .execute( new Runnable() { public void run() { final boolean clientComplete = saslClient.isComplete(); if (clientComplete) { connection.handleException( new SaslException("Received extra auth message after completion")); return; } final byte[] response; final byte[] challenge = Buffers.take(buffer, buffer.remaining()); try { response = saslClient.evaluateChallenge(challenge); if (msgType == Protocol.AUTH_COMPLETE && response != null && response.length > 0) { connection.handleException( new SaslException( "Received extra auth message after completion")); return; } } catch (Exception e) { client.tracef("Client authentication failed: %s", e); failedMechs.add(saslClient.getMechanismName()); sendCapRequest(serverName); return; } client.trace("Client sending authentication response"); final Pooled<ByteBuffer> pooled = connection.allocate(); final ByteBuffer sendBuffer = pooled.getResource(); sendBuffer.put(Protocol.AUTH_RESPONSE); sendBuffer.put(response); sendBuffer.flip(); connection.send(pooled); connection.getChannel().resumeReads(); return; } }); connection.getChannel().suspendReads(); return; } case Protocol.AUTH_COMPLETE: { client.trace("Client received authentication complete"); connection .getExecutor() .execute( new Runnable() { public void run() { final boolean clientComplete = saslClient.isComplete(); final byte[] challenge = Buffers.take(buffer, buffer.remaining()); if (!clientComplete) try { final byte[] response = saslClient.evaluateChallenge(challenge); if (response != null && response.length > 0) { connection.handleException( new SaslException( "Received extra auth message after completion")); return; } if (!saslClient.isComplete()) { connection.handleException( new SaslException( "Client not complete after processing auth complete message")); return; } } catch (SaslException e) { // todo log message failedMechs.add(saslClient.getMechanismName()); sendCapRequest(serverName); return; } // auth complete. final ConnectionHandlerFactory connectionHandlerFactory = new ConnectionHandlerFactory() { public ConnectionHandler createInstance( final ConnectionHandlerContext connectionContext) { // this happens immediately. final RemoteConnectionHandler connectionHandler = new RemoteConnectionHandler(connectionContext, connection); connection.setReadListener( new RemoteReadListener(connectionHandler, connection)); return connectionHandler; } }; connection.getResult().setResult(connectionHandlerFactory); connection.getChannel().resumeReads(); return; } }); connection.getChannel().suspendReads(); return; } case Protocol.AUTH_REJECTED: { client.trace("Client received authentication rejected"); failedMechs.add(saslClient.getMechanismName()); sendCapRequest(serverName); return; } default: { client.unknownProtocolId(msgType); connection.handleException(client.invalidMessage(connection)); return; } } } finally { pooledBuffer.free(); } }
public void handleEvent(final ConnectedMessageChannel channel) { final Pooled<ByteBuffer> pooledReceiveBuffer = connection.allocate(); try { final ByteBuffer receiveBuffer = pooledReceiveBuffer.getResource(); int res = 0; try { res = channel.receive(receiveBuffer); } catch (IOException e) { connection.handleException(e); return; } if (res == -1) { connection.handleException(client.abruptClose(connection)); return; } if (res == 0) { return; } receiveBuffer.flip(); boolean starttls = false; final Set<String> saslMechs = new LinkedHashSet<String>(); final byte msgType = receiveBuffer.get(); switch (msgType) { case Protocol.CONNECTION_ALIVE: { client.trace("Client received connection alive"); return; } case Protocol.CONNECTION_CLOSE: { client.trace("Client received connection close request"); connection.handleIncomingCloseRequest(); return; } case Protocol.CAPABILITIES: { client.trace("Client received capabilities response"); while (receiveBuffer.hasRemaining()) { final byte type = receiveBuffer.get(); final int len = receiveBuffer.get() & 0xff; final ByteBuffer data = Buffers.slice(receiveBuffer, len); switch (type) { case Protocol.CAP_VERSION: { final byte version = data.get(); client.tracef( "Client received capability: version %d", Integer.valueOf(version & 0xff)); // We only support version zero, so knowing the other side's version is not // useful presently break; } case Protocol.CAP_SASL_MECH: { final String mechName = Buffers.getModifiedUtf8(data); client.tracef("Client received capability: SASL mechanism %s", mechName); if (!failedMechs.contains(mechName) && !disallowedMechs.contains(mechName) && (allowedMechs == null || allowedMechs.contains(mechName))) { client.tracef("SASL mechanism %s added to allowed set", mechName); saslMechs.add(mechName); } break; } case Protocol.CAP_STARTTLS: { client.trace("Client received capability: STARTTLS"); starttls = true; break; } default: { client.tracef( "Client received unknown capability %02x", Integer.valueOf(type & 0xff)); // unknown, skip it for forward compatibility. break; } } } if (starttls) { // only initiate starttls if not forbidden by config if (optionMap.get(Options.SSL_STARTTLS, true)) { // Prepare the request message body final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate(); final ByteBuffer sendBuffer = pooledSendBuffer.getResource(); sendBuffer.put(Protocol.STARTTLS); sendBuffer.flip(); connection.setReadListener(new StartTls(serverName)); connection.send(pooledSendBuffer); // all set return; } } if (saslMechs.isEmpty()) { connection.handleException( new SaslException("No more authentication mechanisms to try")); return; } // OK now send our authentication request final OptionMap optionMap = connection.getOptionMap(); final String userName = optionMap.get(RemotingOptions.AUTHORIZE_ID); final Map<String, ?> propertyMap = SaslUtils.createPropertyMap( optionMap, Channels.getOption(channel, Options.SECURE, false)); final SaslClient saslClient; try { saslClient = AccessController.doPrivileged( new PrivilegedExceptionAction<SaslClient>() { public SaslClient run() throws SaslException { return Sasl.createSaslClient( saslMechs.toArray(new String[saslMechs.size()]), userName, "remote", serverName, propertyMap, callbackHandler); } }, accessControlContext); } catch (PrivilegedActionException e) { final SaslException se = (SaslException) e.getCause(); connection.handleException(se); return; } final String mechanismName = saslClient.getMechanismName(); client.tracef("Client initiating authentication using mechanism %s", mechanismName); // Prepare the request message body final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate(); final ByteBuffer sendBuffer = pooledSendBuffer.getResource(); sendBuffer.put(Protocol.AUTH_REQUEST); Buffers.putModifiedUtf8(sendBuffer, mechanismName); sendBuffer.flip(); connection.send(pooledSendBuffer); connection.setReadListener(new Authentication(saslClient, serverName)); return; } default: { client.unknownProtocolId(msgType); connection.handleException(client.invalidMessage(connection)); return; } } } catch (BufferUnderflowException e) { connection.handleException(client.invalidMessage(connection)); return; } catch (BufferOverflowException e) { connection.handleException(client.invalidMessage(connection)); return; } finally { pooledReceiveBuffer.free(); } }
public void handleEvent(final ConnectedMessageChannel channel) { final Pooled<ByteBuffer> pooledBuffer = connection.allocate(); boolean free = true; try { final ByteBuffer buffer = pooledBuffer.getResource(); synchronized (connection.getLock()) { final int res; try { res = channel.receive(buffer); } catch (IOException e) { connection.handleException(e); saslDispose(saslClient); return; } if (res == 0) { return; } if (res == -1) { connection.handleException(client.abruptClose(connection)); saslDispose(saslClient); return; } } buffer.flip(); final byte msgType = buffer.get(); switch (msgType) { case Protocol.CONNECTION_ALIVE: { client.trace("Client received connection alive"); connection.sendAliveResponse(); return; } case Protocol.CONNECTION_ALIVE_ACK: { client.trace("Client received connection alive ack"); return; } case Protocol.CONNECTION_CLOSE: { client.trace("Client received connection close request"); connection.handlePreAuthCloseRequest(); saslDispose(saslClient); return; } case Protocol.AUTH_CHALLENGE: { client.trace("Client received authentication challenge"); channel.suspendReads(); connection .getExecutor() .execute( () -> { try { final boolean clientComplete = saslClient.isComplete(); if (clientComplete) { connection.handleException( new SaslException("Received extra auth message after completion")); return; } final byte[] response; final byte[] challenge = Buffers.take(buffer, buffer.remaining()); try { response = saslClient.evaluateChallenge(challenge); } catch (Throwable e) { final String mechanismName = saslClient.getMechanismName(); client.debugf( "Client authentication failed for mechanism %s: %s", mechanismName, e); failedMechs.put(mechanismName, e.toString()); saslDispose(saslClient); sendCapRequest(serverName); return; } client.trace("Client sending authentication response"); final Pooled<ByteBuffer> pooled = connection.allocate(); boolean ok = false; try { final ByteBuffer sendBuffer = pooled.getResource(); sendBuffer.put(Protocol.AUTH_RESPONSE); sendBuffer.put(response); sendBuffer.flip(); connection.send(pooled); ok = true; channel.resumeReads(); } finally { if (!ok) pooled.free(); } return; } finally { pooledBuffer.free(); } }); free = false; return; } case Protocol.AUTH_COMPLETE: { client.trace("Client received authentication complete"); channel.suspendReads(); connection .getExecutor() .execute( () -> { try { final boolean clientComplete = saslClient.isComplete(); final byte[] challenge = Buffers.take(buffer, buffer.remaining()); if (!clientComplete) try { final byte[] response = saslClient.evaluateChallenge(challenge); if (response != null && response.length > 0) { connection.handleException( new SaslException( "Received extra auth message after completion")); saslDispose(saslClient); return; } if (!saslClient.isComplete()) { connection.handleException( new SaslException( "Client not complete after processing auth complete message")); saslDispose(saslClient); return; } } catch (Throwable e) { final String mechanismName = saslClient.getMechanismName(); client.debugf( "Client authentication failed for mechanism %s: %s", mechanismName, e); failedMechs.put(mechanismName, e.toString()); saslDispose(saslClient); sendCapRequest(serverName); return; } final Object qop = saslClient.getNegotiatedProperty(Sasl.QOP); if ("auth-int".equals(qop) || "auth-conf".equals(qop)) { connection.setSaslWrapper(SaslWrapper.create(saslClient)); } // auth complete. final ConnectionHandlerFactory connectionHandlerFactory = connectionContext -> { // this happens immediately. final RemoteConnectionHandler connectionHandler = new RemoteConnectionHandler( connectionContext, connection, maxInboundChannels, maxOutboundChannels, remoteEndpointName, behavior); connection.setReadListener( new RemoteReadListener(connectionHandler, connection), false); connection .getRemoteConnectionProvider() .addConnectionHandler(connectionHandler); return connectionHandler; }; connection.getResult().setResult(connectionHandlerFactory); channel.resumeReads(); return; } finally { pooledBuffer.free(); } }); free = false; return; } case Protocol.AUTH_REJECTED: { final String mechanismName = saslClient.getMechanismName(); client.debugf( "Client received authentication rejected for mechanism %s", mechanismName); failedMechs.put(mechanismName, "Server rejected authentication"); saslDispose(saslClient); sendCapRequest(serverName); return; } default: { client.unknownProtocolId(msgType); connection.handleException(client.invalidMessage(connection)); saslDispose(saslClient); return; } } } finally { if (free) pooledBuffer.free(); } }
public void handleEvent(final ConnectedMessageChannel channel) { final Pooled<ByteBuffer> pooledReceiveBuffer = connection.allocate(); try { final ByteBuffer receiveBuffer = pooledReceiveBuffer.getResource(); synchronized (connection.getLock()) { int res; try { res = channel.receive(receiveBuffer); } catch (IOException e) { connection.handleException(e); return; } if (res == -1) { connection.handleException(client.abruptClose(connection)); return; } if (res == 0) { return; } } receiveBuffer.flip(); boolean starttls = false; final Set<String> serverSaslMechs = new LinkedHashSet<String>(); final byte msgType = receiveBuffer.get(); switch (msgType) { case Protocol.CONNECTION_ALIVE: { client.trace("Client received connection alive"); connection.sendAliveResponse(); return; } case Protocol.CONNECTION_ALIVE_ACK: { client.trace("Client received connection alive ack"); return; } case Protocol.CONNECTION_CLOSE: { client.trace("Client received connection close request"); connection.handlePreAuthCloseRequest(); return; } case Protocol.CAPABILITIES: { client.trace("Client received capabilities response"); String remoteEndpointName = null; int version = Protocol.VERSION; int behavior = Protocol.BH_FAULTY_MSG_SIZE; boolean useDefaultChannels = true; int channelsIn = 40; int channelsOut = 40; while (receiveBuffer.hasRemaining()) { final byte type = receiveBuffer.get(); final int len = receiveBuffer.get() & 0xff; final ByteBuffer data = Buffers.slice(receiveBuffer, len); switch (type) { case Protocol.CAP_VERSION: { version = data.get() & 0xff; client.tracef( "Client received capability: version %d", Integer.valueOf(version & 0xff)); break; } case Protocol.CAP_SASL_MECH: { final String mechName = Buffers.getModifiedUtf8(data); client.tracef("Client received capability: SASL mechanism %s", mechName); if (!failedMechs.containsKey(mechName) && !disallowedMechs.contains(mechName) && (allowedMechs == null || allowedMechs.contains(mechName))) { client.tracef("SASL mechanism %s added to allowed set", mechName); serverSaslMechs.add(mechName); } break; } case Protocol.CAP_STARTTLS: { client.trace("Client received capability: STARTTLS"); starttls = true; break; } case Protocol.CAP_ENDPOINT_NAME: { remoteEndpointName = Buffers.getModifiedUtf8(data); client.tracef( "Client received capability: remote endpoint name \"%s\"", remoteEndpointName); break; } case Protocol.CAP_MESSAGE_CLOSE: { behavior |= Protocol.BH_MESSAGE_CLOSE; // remote side must be >= 3.2.11.GA // but, we'll assume it's >= 3.2.14.GA because no AS or EAP release included // 3.2.8.SP1 < x < 3.2.14.GA behavior &= ~Protocol.BH_FAULTY_MSG_SIZE; client.tracef("Client received capability: message close protocol supported"); break; } case Protocol.CAP_VERSION_STRING: { // remote side must be >= 3.2.16.GA behavior &= ~Protocol.BH_FAULTY_MSG_SIZE; final String remoteVersionString = Buffers.getModifiedUtf8(data); client.tracef( "Client received capability: remote version is \"%s\"", remoteVersionString); break; } case Protocol.CAP_CHANNELS_IN: { useDefaultChannels = false; // their channels in is our channels out channelsOut = ProtocolUtils.readIntData(data, len); client.tracef( "Client received capability: remote channels in is \"%d\"", channelsOut); break; } case Protocol.CAP_CHANNELS_OUT: { useDefaultChannels = false; // their channels out is our channels in channelsIn = ProtocolUtils.readIntData(data, len); client.tracef( "Client received capability: remote channels out is \"%d\"", channelsIn); break; } default: { client.tracef( "Client received unknown capability %02x", Integer.valueOf(type & 0xff)); // unknown, skip it for forward compatibility. break; } } } if (useDefaultChannels) { channelsIn = 40; channelsOut = 40; } if (starttls) { // only initiate starttls if not forbidden by config if (optionMap.get(Options.SSL_STARTTLS, true)) { // Prepare the request message body final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate(); boolean ok = false; try { final ByteBuffer sendBuffer = pooledSendBuffer.getResource(); sendBuffer.put(Protocol.STARTTLS); sendBuffer.flip(); connection.setReadListener(new StartTls(remoteServerName), true); connection.send(pooledSendBuffer); ok = true; // all set return; } finally { if (!ok) pooledSendBuffer.free(); } } } if (serverSaslMechs.isEmpty()) { if (failedMechs.isEmpty()) { connection.handleException( new SaslException( "Authentication failed: the server presented no authentication mechanisms")); } else { // At this point we have been attempting to use mechanisms as they have been // presented to us but we have now exhausted the list. connection.handleException(allMechanismsFailed()); } return; } // OK now send our authentication request final AuthenticationContextConfigurationClient configurationClient = AUTH_CONFIGURATION_CLIENT; AuthenticationConfiguration configuration = configurationClient.getAuthenticationConfiguration(uri, authenticationContext); final SaslClient saslClient; try { saslClient = configurationClient.createSaslClient( uri, configuration, saslClientFactory, serverSaslMechs); } catch (SaslException e) { // apparently no more mechanisms can succeed connection.handleException(e); return; } if (saslClient == null) { connection.handleException(allMechanismsFailed()); return; } final String mechanismName = saslClient.getMechanismName(); client.tracef("Client initiating authentication using mechanism %s", mechanismName); connection.getChannel().suspendReads(); final int negotiatedVersion = version; final SaslClient usedSaslClient = saslClient; final Authentication authentication = new Authentication( usedSaslClient, remoteServerName, remoteEndpointName, behavior, channelsIn, channelsOut); connection .getExecutor() .execute( () -> { final byte[] response; try { response = usedSaslClient.hasInitialResponse() ? usedSaslClient.evaluateChallenge(EMPTY_BYTES) : null; } catch (SaslException e) { client.tracef("Client authentication failed: %s", e); saslDispose(usedSaslClient); failedMechs.put(mechanismName, e.toString()); sendCapRequest(remoteServerName); return; } // Prepare the request message body final Pooled<ByteBuffer> pooledSendBuffer = connection.allocate(); boolean ok = false; try { final ByteBuffer sendBuffer = pooledSendBuffer.getResource(); sendBuffer.put(Protocol.AUTH_REQUEST); if (negotiatedVersion < 1) { sendBuffer.put(mechanismName.getBytes(Protocol.UTF_8)); } else { ProtocolUtils.writeString(sendBuffer, mechanismName); if (response != null) { sendBuffer.put(response); } } sendBuffer.flip(); connection.send(pooledSendBuffer); ok = true; connection.setReadListener(authentication, true); return; } finally { if (!ok) pooledSendBuffer.free(); } }); return; } default: { client.unknownProtocolId(msgType); connection.handleException(client.invalidMessage(connection)); return; } } } catch (BufferUnderflowException | BufferOverflowException e) { connection.handleException(client.invalidMessage(connection)); return; } finally { pooledReceiveBuffer.free(); } }
private void doAuth() { SaslClient saslClient = null; try { saslClient = Sasl.createSaslClient( authInfo.getMechanisms(), null, "memcached", memcachedTCPSession.getRemoteSocketAddress().toString(), null, this.authInfo.getCallbackHandler()); final AtomicBoolean done = new AtomicBoolean(false); byte[] response = saslClient.hasInitialResponse() ? saslClient.evaluateChallenge(EMPTY_BYTES) : EMPTY_BYTES; CountDownLatch latch = new CountDownLatch(1); Command command = this.commandFactory.createAuthStartCommand( saslClient.getMechanismName(), latch, response); if (!this.memcachedTCPSession.isClosed()) this.memcachedTCPSession.write(command); else { log.error("Authentication fail,because the connection has been closed"); throw new RuntimeException("Authentication fai,connection has been close"); } while (!done.get()) { try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); done.set(true); } ResponseStatus responseStatus = ((BaseBinaryCommand) command).getResponseStatus(); switch (responseStatus) { case NO_ERROR: done.set(true); log.info( "Authentication to " + this.memcachedTCPSession.getRemoteSocketAddress() + " successfully"); break; case AUTH_REQUIRED: log.error( "Authentication failed to " + this.memcachedTCPSession.getRemoteSocketAddress()); log.warn( "Reopen connection to " + this.memcachedTCPSession.getRemoteSocketAddress() + ",beacause auth fail"); this.memcachedTCPSession.setAuthFailed(true); // It it is not first time,try to sleep 1 second if (!this.authInfo.isFirstTime()) { Thread.sleep(1000); } this.memcachedTCPSession.close(); done.set(true); break; case FUTHER_AUTH_REQUIRED: String result = (String) command.getResult(); response = saslClient.evaluateChallenge(ByteUtils.getBytes(result)); latch = new CountDownLatch(1); command = commandFactory.createAuthStepCommand( saslClient.getMechanismName(), latch, response); if (!this.memcachedTCPSession.isClosed()) this.memcachedTCPSession.write(command); else { log.error("Authentication fail,because the connection has been closed"); throw new RuntimeException("Authentication fai,connection has been close"); } break; default: done.set(true); log.error( "Authentication failed to " + this.memcachedTCPSession.getRemoteSocketAddress() + ",response status=" + responseStatus); break; } } } catch (Exception e) { log.error("Create saslClient error", e); } finally { if (saslClient != null) { try { saslClient.dispose(); } catch (SaslException e) { log.error("Dispose saslClient error", e); } } } }