ISSUE-610: Provide JAAS config dynamically via config #610 (#611)

* ISSUE-610: Provide JAAS config dynamically via config #610

* Adding licence for new source files.

Author: guruchai

common-auth/src/main/java/com/hortonworks/registries/auth/AbstractLogin.java

@@ -24,6 +24,7 @@
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import javax.security.sasl.RealmCallback;
@@ -39,19 +40,33 @@ public abstract class AbstractLogin implements Login {
     protected String loginContextName;
     protected LoginContext loginContext;
     protected static final String JAAS_CONFIG_SYSTEM_PROPERTY = "java.security.auth.login.config";
+    protected Configuration jaasConfiguration;
 
     @Override
     public void configure(Map<String, ?> configs, String loginContextName) {
         this.loginContextName = loginContextName;
     }
 
+    /**
+     * Configures this login instance with a dynamic configuration.
+     */
+    public void configure(Map<String, ?> configs, String loginContextName, Configuration jaasConfiguration) {
+        this.loginContextName = loginContextName;
+        this.jaasConfiguration = jaasConfiguration;
+    }
+
     @Override
     public LoginContext login() throws LoginException {
         String jaasConfigFile = System.getProperty(JAAS_CONFIG_SYSTEM_PROPERTY);
-        if (jaasConfigFile == null) {
-            log.error("System property " + JAAS_CONFIG_SYSTEM_PROPERTY + " for jaas config file is not set, using default JAAS configuration.");
+        if (jaasConfiguration != null) {
+            loginContext =  new LoginContext(loginContextName, null, new LoginCallbackHandler(), jaasConfiguration);
+        } else {
+            if (jaasConfigFile == null) {
+                log.error("System property " + JAAS_CONFIG_SYSTEM_PROPERTY + " for jaas config file is not set, using default JAAS configuration.");
+            }
+            log.debug("Defaulting to static JAAS Config for {}", loginContextName);
+            loginContext = new LoginContext(loginContextName, new LoginCallbackHandler());
         }
-        loginContext = new LoginContext(loginContextName, new LoginCallbackHandler());
         loginContext.login();
         log.info("Successfully logged in.");
         return loginContext;

common-auth/src/main/java/com/hortonworks/registries/auth/KerberosLogin.java

@@ -94,6 +94,30 @@ public void configure(Map<String, ?> configs, final String loginContextName) {
         }
     }
 
+    /**
+     * Method to configure this instance with specific properties
+     * @param loginContextName
+     *               name of section in JAAS file that will be used to login.
+     *               Passed as first param to javax.security.auth.login.LoginContext().
+     * @param configs configure Login with the given key-value pairs.
+     */
+    @Override
+    public void configure(Map<String, ?> configs, final String loginContextName, Configuration jaasConfig) {
+        super.configure(configs, loginContextName, jaasConfig);
+        if (configs.get(TICKET_RENEW_WINDOW_FACTOR) != null) {
+            this.ticketRenewWindowFactor = Double.parseDouble((String) configs.get(TICKET_RENEW_WINDOW_FACTOR));
+        }
+        if (configs.get(TICKET_RENEW_JITTER) != null) {
+            this.ticketRenewJitter = Double.parseDouble((String) configs.get(TICKET_RENEW_JITTER));
+        }
+        if (configs.get(MIN_TIME_BEFORE_RELOGIN) != null) {
+            this.minTimeBeforeRelogin = Long.parseLong((String) configs.get(MIN_TIME_BEFORE_RELOGIN));
+        }
+        if (configs.get(KINIT_CMD) != null) {
+            this.kinitCmd = (String) configs.get(KINIT_CMD);
+        }
+    }
+
     public KerberosLogin() {
         this.tgtRenewalLock = new ReentrantReadWriteLock(true);
         this.tgtRenewalTimeoutMS = DEFAULT_TGT_RENEWAL_TIMEOUT_MS;
@@ -121,7 +145,8 @@ public LoginContext login() throws LoginException {
             return loginContext;
         }
         log.info("It is a Kerberos ticket");
-        AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(loginContextName);
+        AppConfigurationEntry[] entries = (jaasConfiguration != null) ? jaasConfiguration.getAppConfigurationEntry(loginContextName) :
+                Configuration.getConfiguration().getAppConfigurationEntry(loginContextName);
         if (entries.length == 0) {
             isUsingTicketCache = false;
             principal = null;

common-auth/src/main/java/com/hortonworks/registries/auth/util/JaasConfiguration.java

@@ -0,0 +1,119 @@
+/**
+ * Copyright 2016-2019 Cloudera, Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+package com.hortonworks.registries.auth.util;
+
+import java.io.IOException;
+import java.io.StreamTokenizer;
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
+
+
+/**
+ * Class representing the Dynamic JAAS configuration.
+ * JAAS configuration can be provided to an application using a static file provided by java.security.auth.login.config property.
+ * Alternately, the JAAS Configuration can be constructed dynamically using this class which parses the configuration string.
+ * <p/>
+ * JAAS configuration file format is described <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/#ConfigFile.html">here</a>.
+ * The format of the property value is:
+ * <pre>
+ * {@code
+ *   <loginModuleClass> <controlFlag> (<optionName>=<optionValue>)*;
+ * }
+ * </pre>
+ */
+public class JaasConfiguration extends Configuration {
+
+    private final String loginContextName;
+    private final List<AppConfigurationEntry> configEntries;
+
+    public JaasConfiguration(String loginContextName, String jaasConfigParams) {
+        StreamTokenizer tokenizer = new StreamTokenizer(new StringReader(jaasConfigParams));
+        tokenizer.slashSlashComments(true);
+        tokenizer.slashStarComments(true);
+        tokenizer.wordChars('-', '-');
+        tokenizer.wordChars('_', '_');
+        tokenizer.wordChars('$', '$');
+
+        try {
+            configEntries = new ArrayList<>();
+            while (tokenizer.nextToken() != StreamTokenizer.TT_EOF) {
+                configEntries.add(parseAppConfigurationEntry(tokenizer));
+            }
+            if (configEntries.isEmpty())
+                throw new IllegalArgumentException("Login module not specified in JAAS config");
+
+            this.loginContextName = loginContextName;
+
+        } catch (IOException e) {
+            throw new IllegalArgumentException("Unexpected exception while parsing JAAS config", e);
+        }
+    }
+
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+        if (this.loginContextName.equals(name))
+            return configEntries.toArray(new AppConfigurationEntry[0]);
+        else
+            return  null;
+    }
+
+    private LoginModuleControlFlag loginModuleControlFlag(String flag) {
+        LoginModuleControlFlag controlFlag;
+        switch (flag.toUpperCase(Locale.ROOT)) {
+            case "REQUIRED":
+                controlFlag = LoginModuleControlFlag.REQUIRED;
+                break;
+            case "REQUISITE":
+                controlFlag = LoginModuleControlFlag.REQUISITE;
+                break;
+            case "SUFFICIENT":
+                controlFlag = LoginModuleControlFlag.SUFFICIENT;
+                break;
+            case "OPTIONAL":
+                controlFlag = LoginModuleControlFlag.OPTIONAL;
+                break;
+            default:
+                throw new IllegalArgumentException("Invalid login module control flag '" + flag + "' in JAAS config");
+        }
+        return controlFlag;
+    }
+
+    private AppConfigurationEntry parseAppConfigurationEntry(StreamTokenizer tokenizer) throws IOException {
+        String loginModule = tokenizer.sval;
+        if (tokenizer.nextToken() == StreamTokenizer.TT_EOF)
+            throw new IllegalArgumentException("Login module control flag not specified in JAAS config");
+        LoginModuleControlFlag controlFlag = loginModuleControlFlag(tokenizer.sval);
+        Map<String, String> options = new HashMap<>();
+        while (tokenizer.nextToken() != StreamTokenizer.TT_EOF && tokenizer.ttype != ';') {
+            String key = tokenizer.sval;
+            if (tokenizer.nextToken() != '=' || tokenizer.nextToken() == StreamTokenizer.TT_EOF || tokenizer.sval == null)
+                throw new IllegalArgumentException("Value not specified for key '" + key + "' in JAAS config");
+            String value = tokenizer.sval;
+            options.put(key, value);
+        }
+        if (tokenizer.ttype != ';')
+            throw new IllegalArgumentException("JAAS config entry not terminated by semi-colon");
+        return new AppConfigurationEntry(loginModule, controlFlag, options);
+    }
+}
+

common-auth/src/test/java/com/hortonworks/registries/auth/KerberosTestUtils.java

@@ -47,6 +47,12 @@ public static String getClientPrincipal() {
         return "client@EXAMPLE.COM";
     }
 
+    public static String getJaasConfigForClientPrincipal() {
+        System.out.println(keytabFile);
+        return "com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=false principal=\"client@EXAMPLE.COM\" " +
+                "useKeyTab=true keyTab=\"" + keytabFile +"\" debug=true;";
+    }
+
     public static String getClientPrincipal1() {
         return "client1@EXAMPLE.COM";
     }

common-auth/src/test/java/com/hortonworks/registries/auth/TestKerberosLogin.java

@@ -0,0 +1,147 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package com.hortonworks.registries.auth;
+
+import com.hortonworks.registries.auth.client.KerberosAuthenticator;
+import com.hortonworks.registries.auth.server.AuthenticationToken;
+import com.hortonworks.registries.auth.server.KerberosAuthenticationHandler;
+import com.hortonworks.registries.auth.util.JaasConfiguration;
+import com.hortonworks.registries.auth.util.KerberosUtil;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.File;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Properties;
+import java.util.concurrent.Callable;
+
+public class TestKerberosLogin extends KerberosSecurityTestcase {
+
+    protected KerberosAuthenticationHandler handler;
+
+    protected KerberosAuthenticationHandler getNewAuthenticationHandler() {
+        return new KerberosAuthenticationHandler();
+    }
+
+    protected Properties getDefaultProperties() {
+        Properties props = new Properties();
+        props.setProperty(KerberosAuthenticationHandler.PRINCIPAL,
+                KerberosTestUtils.getServerPrincipal());
+        props.setProperty(KerberosAuthenticationHandler.KEYTAB,
+                KerberosTestUtils.getKeytabFile());
+        props.setProperty(KerberosAuthenticationHandler.NAME_RULES,
+                "RULE:[1:$1@$0](.*@" + KerberosTestUtils.getRealm() + ")s/@.*//\n");
+        return props;
+    }
+
+    @Before
+    public void setup() throws Exception {
+        // create keytab
+        File keytabFile = new File(KerberosTestUtils.getKeytabFile());
+        String clientPrincipal = KerberosTestUtils.getClientPrincipal();
+        String serverPrincipal = KerberosTestUtils.getServerPrincipal();
+        serverPrincipal = serverPrincipal.substring(0, serverPrincipal.lastIndexOf("@"));
+        clientPrincipal = clientPrincipal.substring(0, clientPrincipal.lastIndexOf("@"));
+        getKdc().createPrincipal(keytabFile, serverPrincipal, clientPrincipal);
+        // handler
+        handler = getNewAuthenticationHandler();
+        Properties props = getDefaultProperties();
+        try {
+            handler.init(props);
+        } catch (Exception ex) {
+            handler = null;
+            throw ex;
+        }
+    }
+
+    @Test(timeout = 60000)
+    public void testRequestWithKerberosAuthorization() throws Exception {
+        KerberosLogin login = new KerberosLogin();
+        System.out.println(KerberosTestUtils.getJaasConfigForClientPrincipal());
+        login.configure(new HashMap<>(), "RegistryClient",
+                new JaasConfiguration("RegistryClient", KerberosTestUtils.getJaasConfigForClientPrincipal()));
+        login.login();
+
+        String token = Subject.doAs(login.loginContext.getSubject(), (PrivilegedExceptionAction<String>) () ->  {
+                GSSManager gssManager = GSSManager.getInstance();
+                GSSContext gssContext = null;
+                try {
+                    String servicePrincipal = KerberosTestUtils.getServerPrincipal();
+                    Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
+                    GSSName serviceName = gssManager.createName(servicePrincipal,
+                            oid);
+                    oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
+                    gssContext = gssManager.createContext(serviceName, oid, null,
+                            GSSContext.DEFAULT_LIFETIME);
+                    gssContext.requestCredDeleg(true);
+                    gssContext.requestMutualAuth(true);
+
+                    byte[] inToken = new byte[0];
+                    byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
+                    Base64 base64 = new Base64(0);
+                    return base64.encodeToString(outToken);
+
+                } finally {
+                    if (gssContext != null) {
+                        gssContext.dispose();
+                    }
+                }
+            }
+        );
+
+        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+
+        Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
+                .thenReturn(KerberosAuthenticator.NEGOTIATE + " " + token);
+        Mockito.when(request.getServerName()).thenReturn("localhost");
+        Mockito.when(request.getMethod()).thenReturn("GET");
+
+        AuthenticationToken authToken = handler.authenticate(request, response);
+
+        if (authToken != null) {
+            Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
+                    Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
+            Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
+
+            Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), authToken.getName());
+            Assert.assertTrue(KerberosTestUtils.getClientPrincipal().startsWith(authToken.getUserName()));
+        } else {
+            Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
+                    Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
+            Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        if (handler != null) {
+            handler.destroy();
+            handler = null;
+        }
+    }
+}