org.apache.qpid.proton.engine.Sasl Java Examples
The following examples show how to use
org.apache.qpid.proton.engine.Sasl.
Example #1
Source File: NettySimpleAmqpServer.java From qpid-jms with Apache License 2.0 | 6 votes |
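/**
 * Drives the server side of the SASL exchange once the remote peer has
 * announced its mechanism.
 *
 * <p>Nothing happens while the remote mechanism list is absent or empty.
 * PLAIN and ANONYMOUS are both completed with {@code PN_SASL_OK}; every
 * other mechanism is rejected with {@code PN_SASL_PERM}.
 */
public void processSaslExchange() {
    // Read the list once and guard it before use. The original dereferenced
    // getRemoteMechanisms() ahead of its own null check, which made that check
    // (and the "could not find supported mechanism" branch) unreachable.
    String[] mechanisms = protonSasl.getRemoteMechanisms();
    if (mechanisms == null || mechanisms.length == 0) {
        return;
    }

    String chosen = mechanisms[0];
    // Placeholder fixed: the original format string closed "[{}" with "}".
    LOG.debug("SASL [{}] Handshake started.", chosen);

    if (chosen.equalsIgnoreCase("PLAIN")) {
        // The initial response is drained but never inspected, so any
        // authcid/password pair is accepted. That is only suitable for a
        // test peer; a real server has to validate the credentials before
        // reporting PN_SASL_OK.
        byte[] data = new byte[protonSasl.pending()];
        protonSasl.recv(data, 0, data.length);
        protonSasl.done(Sasl.SaslOutcome.PN_SASL_OK);
    } else if (chosen.equalsIgnoreCase("ANONYMOUS")) {
        // ANONYMOUS carries no credentials at all.
        protonSasl.done(Sasl.SaslOutcome.PN_SASL_OK);
    } else {
        protonSasl.done(Sasl.SaslOutcome.PN_SASL_PERM);
    }
}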
Example #2
Source File: TransportImpl.java From qpid-proton-j with Apache License 2.0 | 6 votes |
/**
 * Returns the SASL layer of this transport, creating and installing it on
 * first use.
 *
 * @return the SASL layer; the same instance on every later call
 * @throws IllegalStateException if no SASL layer exists yet and the
 *         transport has already started processing
 */
@Override
public Sasl sasl() {
    if (_sasl != null) {
        return _sasl;
    }

    // A SASL layer cannot be added once frames are already being processed.
    if (_processingStarted) {
        throw new IllegalStateException("Sasl can't be initiated after transport has started processing");
    }

    init();
    _sasl = new SaslImpl(this, _remoteMaxFrameSize);

    // The wrapper returned by SaslImpl replaces both the input and the
    // output processor, so traffic in either direction goes through it.
    TransportWrapper saslLayer = _sasl.wrap(_inputProcessor, _outputProcessor);
    _inputProcessor = saslLayer;
    _outputProcessor = saslLayer;

    return _sasl;
}
Example #3
Source File: AmqpSaslAuthenticator.java From qpid-jms with Apache License 2.0 | 6 votes |
/**
 * Records an authentication failure, describing the mechanism that was in
 * use (when one was selected) and whether the outcome was a temporary error.
 *
 * @param sasl the SASL layer whose outcome is reported
 */
private void handleSaslFail(Sasl sasl) {
    StringBuilder description = new StringBuilder("Client failed to authenticate");

    if (mechanism != null) {
        description.append(" using SASL: ").append(mechanism.getName());

        // Mechanism-specific detail is appended in parentheses when present.
        if (mechanism.getAdditionalFailureInformation() != null) {
            description.append(" (")
                       .append(mechanism.getAdditionalFailureInformation())
                       .append(")");
        }
    }

    SaslOutcome outcome = sasl.getOutcome();
    if (outcome.equals(SaslOutcome.PN_SASL_TEMP)) {
        description.append(", due to temporary system error.");
    }

    // No cause exception exists here; the outcome code is passed instead.
    recordFailure(description.toString(), null, outcome.getCode());
}
Example #4
Source File: AmqpSaslAuthenticator.java From qpid-jms with Apache License 2.0 | 6 votes |
/**
 * Reacts to the final SASL state: a pass runs the completion checks, a
 * failure is recorded, and any other state is ignored.
 *
 * @param sasl the SASL layer reporting the outcome
 * @param transport the transport the exchange ran on (unused here)
 */
public void handleSaslOutcome(Sasl sasl, Transport transport) {
    try {
        switch (sasl.getState()) {
            case PN_SASL_PASS:
                handleSaslCompletion(sasl);
                break;
            case PN_SASL_FAIL:
                handleSaslFail(sasl);
                break;
            default:
                // Neither pass nor fail: nothing to do.
                break;
        }
    } catch (Throwable failure) {
        // Anything thrown while handling the outcome is turned into a
        // recorded failure rather than propagating to the caller.
        recordFailure(failure.getMessage(), failure);
    }
}
Example #5
Source File: AmqpSaslAuthenticator.java From qpid-jms with Apache License 2.0 | 6 votes |
/**
 * Selects a mechanism from those offered by the remote peer, sends the
 * mechanism's initial response if it has one, and announces the choice.
 *
 * <p>Does nothing when the peer has offered no mechanisms. Any failure is
 * passed to {@code recordFailure} instead of being thrown.
 *
 * @param sasl the SASL layer of the connection
 * @param transport the transport the exchange runs on (unused here)
 */
public void handleSaslMechanisms(Sasl sasl, Transport transport) {
    try {
        String[] offered = sasl.getRemoteMechanisms();
        if (offered == null || offered.length == 0) {
            return;
        }

        // NOTE(review): the offered list is supplied by the peer, so the
        // selection policy lives entirely in mechanismFinder (not shown
        // here). Confirm it cannot be steered to a cleartext mechanism
        // when the connection is not protected by TLS.
        try {
            mechanism = mechanismFinder.apply(offered);
        } catch (SaslSecurityRuntimeException ssre) {
            recordFailure("Could not find a suitable SASL mechanism. " + ssre.getMessage(), ssre);
            return;
        }

        byte[] initialResponse = mechanism.getInitialResponse();
        if (initialResponse != null) {
            sasl.send(initialResponse, 0, initialResponse.length);
        }

        sasl.setMechanisms(mechanism.getName());
    } catch (Throwable error) {
        recordFailure("Exception while processing SASL init: " + error.getMessage(), error);
    }
}
Example #6
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 6 votes |
/**
 * Feeds the pending SASL bytes to the chosen mechanism, forwards any reply,
 * and completes the exchange once the mechanism reports a result.
 *
 * @param sasl the SASL layer to read from and write to
 */
private void processPending(Sasl sasl) {
    byte[] inbound = new byte[sasl.pending()];
    int count = sasl.recv(inbound, 0, inbound.length);

    if (log.isTraceEnabled()) {
        // Only the byte count is traced, never the payload itself.
        log.trace("Working on sasl, length:" + count);
    }

    // A recv() result of -1 is passed on to the mechanism as "no data".
    byte[] mechanismInput;
    if (count != -1) {
        mechanismInput = inbound;
    } else {
        mechanismInput = null;
    }

    byte[] reply = chosenMechanism.processSASL(mechanismInput);
    if (reply != null) {
        sasl.send(reply, 0, reply.length);
    }

    saslResult = chosenMechanism.result();
    if (saslResult == null) {
        // No result yet: the exchange continues.
        return;
    }

    saslComplete(sasl, saslResult.isSuccess()
        ? Sasl.SaslOutcome.PN_SASL_OK
        : Sasl.SaslOutcome.PN_SASL_AUTH);
}
Example #7
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 6 votes |
/**
 * Handles the mechanisms offered by the remote peer on an outbound
 * connection: announces the selected mechanism and sends its initial
 * response, or reports an authentication failure when none was selected.
 *
 * @param sasl the SASL layer of the connection
 * @param transport the transport the exchange runs on (unused here)
 */
@Override
public void onSaslMechanisms(Sasl sasl, Transport transport) {
    dispatchMechanismsOffered(sasl.getRemoteMechanisms());

    // clientSASLMechanism is not assigned in this method; presumably the
    // dispatch above selects it - verify against the handler implementation.
    if (clientSASLMechanism == null) {
        log.infof("Outbound connection failed - unknown mechanism, offered mechanisms: %s",
                  Arrays.asList(sasl.getRemoteMechanisms()));
        dispatchAuthFailed();
        return;
    }

    sasl.setMechanisms(clientSASLMechanism.getName());

    byte[] firstResponse = clientSASLMechanism.getInitialResponse();
    if (firstResponse != null) {
        sasl.send(firstResponse, 0, firstResponse.length);
    }
}
Example #8
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 6 votes |
/**
 * Server-side test listener: checks the client's chosen mechanism and
 * initial response, then replies with the test challenge.
 */
@Override
public void onSaslInit(Sasl s, Transport t) {
    assertArrayEquals("Server should now know the client's chosen mechanism.",
                      new String[]{TESTMECH1},
                      s.getRemoteMechanisms());

    // Drain exactly the bytes the SASL layer reports as pending.
    int pendingBytes = s.pending();
    byte[] initialResponse = new byte[pendingBytes];
    s.recv(initialResponse, 0, initialResponse.length);

    assertArrayEquals("Server should now know the client's initial response.",
                      INITIAL_RESPONSE_BYTES,
                      initialResponse);

    s.send(CHALLENGE_BYTES, 0, CHALLENGE_BYTES.length);

    // The flag also guards against the callback firing more than once.
    assertFalse("Should not have already received init", initReceived.getAndSet(true));
}
Example #9
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 5 votes |
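/**
 * Client-side test listener: checks that the exchange ended with
 * {@code PN_SASL_OK} and that the additional data sent with the outcome
 * arrived intact.
 */
@Override
public void onSaslOutcome(Sasl s, Transport t) {
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_OK, s.getOutcome());

    byte[] clientReceivedAdditionalBytes = new byte[s.pending()];
    s.recv(clientReceivedAdditionalBytes, 0, clientReceivedAdditionalBytes.length);

    // The original compared the received array with itself, which can never
    // fail. The expected value is the additional data the server-side
    // listener in this test class sends before completing the exchange.
    assertArrayEquals("Client should now know the server's outcome additional data",
                      ADDITIONAL_DATA_BYTES,
                      clientReceivedAdditionalBytes);

    // The flag also guards against the callback firing more than once.
    assertFalse("Should not have already received outcome", outcomeReceived.getAndSet(true));
}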
Example #10
Source File: Driver.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Creates a client transport configured for SASL ANONYMOUS and binds it to
 * the given connection.
 *
 * @param conn the connection to bind
 * @return the bound transport
 */
private static Transport makeTransport(Connection conn) {
    Transport clientTransport = Transport.Factory.create();

    // ANONYMOUS presents no credentials: the peer learns nothing about who
    // is connecting.
    Sasl clientSasl = clientTransport.sasl();
    clientSasl.setMechanisms("ANONYMOUS");
    clientSasl.client();

    clientTransport.bind(conn);
    return clientTransport;
}
Example #11
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 5 votes |
/**
 * Puts the transport's SASL layer into server mode, advertises the given
 * mechanisms, and registers this handler as the SASL listener.
 *
 * @param mechanisms the mechanism names to offer to the remote peer
 */
public void createServerSASL(String[] mechanisms) {
    requireHandler();

    Sasl serverSasl = transport.sasl();
    serverSasl.server();
    // The list passed here is exactly what remote peers will be offered.
    serverSasl.setMechanisms(mechanisms);
    serverSasl.setListener(this);
}
Example #12
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 5 votes |
/**
 * Handles the client's SASL init: dispatches the mechanism it chose and
 * either processes the pending data or fails the exchange.
 *
 * @param sasl the SASL layer of the connection
 * @param transport the transport the exchange runs on (unused here)
 */
@Override
public void onSaslInit(Sasl sasl, Transport transport) {
    log.debug("onSaslInit: " + sasl);

    // NOTE(review): element 0 is read without a length check. Confirm the
    // SASL layer always reports exactly one mechanism by the time this
    // callback fires; the value originates from the remote peer.
    dispatchRemoteMechanismChosen(sasl.getRemoteMechanisms()[0]);

    if (chosenMechanism == null) {
        // no auth available, system error - the exchange is failed rather
        // than left open
        saslComplete(sasl, Sasl.SaslOutcome.PN_SASL_SYS);
        return;
    }

    processPending(sasl);
}
Example #13
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 5 votes |
/**
 * Reads the server's challenge and sends back the client mechanism's
 * response.
 *
 * @param sasl the SASL layer of the connection
 * @param transport the transport the exchange runs on (unused here)
 */
@Override
public void onSaslChallenge(Sasl sasl, Transport transport) {
    byte[] challenge = new byte[sasl.pending()];
    sasl.recv(challenge, 0, challenge.length);

    // NOTE(review): unlike the initial-response path in this handler, the
    // response is used without a null check - confirm getResponse() never
    // returns null.
    byte[] reply = clientSASLMechanism.getResponse(challenge);
    sasl.send(reply, 0, reply.length);
}
Example #14
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 5 votes |
/**
 * Finishes the SASL exchange with the given outcome and releases the
 * chosen mechanism, if any.
 *
 * @param sasl the SASL layer to complete
 * @param saslOutcome the outcome to report to the remote peer
 */
private void saslComplete(Sasl sasl, Sasl.SaslOutcome saslOutcome) {
    log.debug("saslComplete: " + sasl);
    sasl.done(saslOutcome);

    if (chosenMechanism == null) {
        return;
    }

    // Tell the mechanism it is finished, then drop the reference so it is
    // not reused for a later exchange.
    chosenMechanism.done();
    chosenMechanism = null;
}
Example #15
Source File: ProtonServerImplTest.java From vertx-proton with Apache License 2.0 | 5 votes |
/**
 * Parses a SASL PLAIN initial response and checks it against the test
 * fixture's expected user and password.
 *
 * @param sasl the SASL layer holding the pending PLAIN response
 * @return {@code true} only if the message is well formed and both the
 *         authcid and the password match the expected values
 */
private boolean evaluatePlainResponse(Sasl sasl) {
    byte[] message = new byte[sasl.pending()];
    sasl.recv(message, 0, message.length);

    // Per https://tools.ietf.org/html/rfc4616 the PLAIN message format is:
    //   [authzid] UTF8NUL authcid UTF8NUL passwd
    // Locate the two NUL separators; a missing one means the encoding is invalid.
    int authzidEnd = findNullPosition(message, 0);
    if (authzidEnd < 0) {
        return false;
    }

    int authcidEnd = findNullPosition(message, authzidEnd + 1);
    if (authcidEnd < 0) {
        return false;
    }

    // The second separator being the last byte means no password was sent.
    if (authcidEnd == message.length - 1) {
        return false;
    }

    // Extract authcid and password; an authzid, if present, is ignored.
    int authcidStart = authzidEnd + 1;
    int passwdStart = authcidEnd + 1;
    String authcid = new String(message, authcidStart, authcidEnd - authcidStart, StandardCharsets.UTF_8);
    String passwd = new String(message, passwdStart, message.length - passwdStart, StandardCharsets.UTF_8);

    // Plain equals() against fixed fixture values is fine for a test. A real
    // verifier would check the password against a stored hash using a
    // constant-time comparison, and keep it out of immutable Strings.
    return GOOD_USER.equals(authcid) && PASSWD.equals(passwd);
}
Example #16
Source File: AmqpSaslAuthenticator.java From qpid-jms with Apache License 2.0 | 5 votes |
/**
 * Reads a challenge from the remote peer and sends the mechanism's response
 * to it, if there is one.
 *
 * <p>Any failure is passed to {@code recordFailure} instead of being thrown.
 *
 * @param sasl the SASL layer of the connection
 * @param transport the transport the exchange runs on (unused here)
 */
public void handleSaslChallenge(Sasl sasl, Transport transport) {
    try {
        if (sasl.pending() < 0) {
            return;
        }

        // A zero-length challenge is still handed to the mechanism.
        byte[] serverChallenge = new byte[sasl.pending()];
        sasl.recv(serverChallenge, 0, serverChallenge.length);

        byte[] reply = mechanism.getChallengeResponse(serverChallenge);
        if (reply != null) {
            sasl.send(reply, 0, reply.length);
        }
    } catch (Throwable error) {
        recordFailure("Exception while processing SASL step: " + error.getMessage(), error);
    }
}
Example #17
Source File: AmqpSaslAuthenticator.java From qpid-jms with Apache License 2.0 | 5 votes |
/**
 * Finishes a successful SASL exchange on the client side: feeds any data
 * that arrived with the outcome to the mechanism, asks the mechanism to
 * verify completion, and only then marks the exchange complete.
 *
 * <p>Any failure is passed to {@code recordFailure}; {@code complete} is
 * left untouched in that case.
 *
 * @param sasl the SASL layer of the connection
 */
private void handleSaslCompletion(Sasl sasl) {
    try {
        if (sasl.pending() != 0) {
            byte[] trailingData = new byte[sasl.pending()];
            sasl.recv(trailingData, 0, trailingData.length);
            // The return value is discarded; the call only lets the
            // mechanism consume the data.
            mechanism.getChallengeResponse(trailingData);
        }

        // The server's "OK" alone is not taken as success: the mechanism
        // gets to reject the exchange first (it throws on failure).
        mechanism.verifyCompletion();
        complete = true;
    } catch (Throwable error) {
        recordFailure("Exception while processing SASL exchange completion: " + error.getMessage(), error);
    }
}
Example #18
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Client-side test listener: checks the mechanisms offered by the server,
 * selects the first test mechanism, and sends the initial response.
 */
@Override
public void onSaslMechanisms(Sasl s, Transport t) {
    String[] expectedOffer = new String[]{TESTMECH1, TESTMECH2};
    assertArrayEquals("Client should now know the server's mechanisms.",
                      expectedOffer,
                      s.getRemoteMechanisms());

    // No outcome may be visible before the exchange has run.
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, s.getOutcome());

    s.setMechanisms(TESTMECH1);
    s.send(INITIAL_RESPONSE_BYTES, 0, INITIAL_RESPONSE_BYTES.length);

    // The flag also guards against the callback firing more than once.
    assertFalse("Should not have already received mechanisms", mechanismsReceived.getAndSet(true));
}
Example #19
Source File: Driver.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Accepts an incoming socket, wraps it in a new connection and transport
 * with SASL ANONYMOUS in server mode, and registers a read handler for it.
 *
 * @throws IOException if accepting the socket fails
 */
public void selected() throws IOException {
    SocketChannel accepted = socket.accept();
    System.out.println("ACCEPTED: " + accepted);

    Connection connection = Connection.Factory.create();
    connection.collect(collector);

    Transport serverTransport = Transport.Factory.create();

    // Only ANONYMOUS is offered and the outcome is set to OK up front, so
    // every peer is admitted without presenting credentials.
    Sasl serverSasl = serverTransport.sasl();
    serverSasl.setMechanisms("ANONYMOUS");
    serverSasl.server();
    serverSasl.done(Sasl.PN_SASL_OK);

    serverTransport.bind(connection);

    // The handler is constructed for its side effects; the reference is not kept.
    new ChannelHandler(accepted, SelectionKey.OP_READ, serverTransport);
}
Example #20
Source File: IOHandler.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Prepares an outgoing connection the first time it is opened: settles the
 * virtual host name, creates the transport, applies the configured maximum
 * frame size, optionally enables SASL, and binds transport and connection.
 *
 * <p>Returns immediately when the remote endpoint is no longer
 * {@code UNINITIALIZED}.
 *
 * @param reactor the reactor that owns the connection
 * @param event the event carrying the connection
 */
private void handleOpen(Reactor reactor, Event event) {
    Connection connection = event.getConnection();
    if (connection.getRemoteState() != EndpointState.UNINITIALIZED) {
        return;
    }

    // Virtual host rules for outgoing Reactor connections:
    //  - null hostname  : setHostname was never called, so default to the
    //                     host of the connection's socket address
    //  - empty hostname : the application asked for no virtual host at
    //                     all, so clear it
    //  - anything else  : set by the application, use it unchanged
    String vhost = connection.getHostname();
    if (vhost == null) {
        String conAddr = reactor.getConnectionAddress(connection);
        if (conAddr != null) {
            connection.setHostname(new Address(conAddr).getHost());
        }
    } else if (vhost.isEmpty()) {
        connection.setHostname(null);
    }

    Transport transport = Proton.transport();

    // A configured value of 0 leaves the transport's own setting in place.
    int frameLimit = reactor.getOptions().getMaxFrameSize();
    if (frameLimit != 0) {
        transport.setMaxFrameSize(frameLimit);
    }

    if (reactor.getOptions().isEnableSaslByDefault()) {
        // The default SASL setup is ANONYMOUS: no credentials are presented.
        Sasl sasl = transport.sasl();
        sasl.client();
        sasl.setMechanisms("ANONYMOUS");
    }

    transport.bind(connection);
}
Example #21
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * 5.3.2 SASL Negotiation. ...challenge/response step can occur zero or more times.
 *
 * <p>Runs an exchange in which the server completes right after the client
 * has chosen its mechanism, with no challenge/response round in between.
 */
@Test
public void testOptionalChallengeResponseStepOmitted() throws Exception {
    getClient().transport = Proton.transport();
    getServer().transport = Proton.transport();

    Sasl client = getClient().transport.sasl();
    client.client();
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());

    Sasl server = getServer().transport.sasl();
    server.server();
    server.setMechanisms(TESTMECH1);
    assertEquals("Server should not yet know the remote's chosen mechanism.",
                 0, server.getRemoteMechanisms().length);

    // First round trip.
    pumpClientToServer();
    pumpServerToClient();
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());

    // Client picks the mechanism; server answers directly with the outcome.
    client.setMechanisms(TESTMECH1);
    pumpClientToServer();

    server.done(SaslOutcome.PN_SASL_OK);
    pumpServerToClient();

    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_OK, client.getOutcome());
}
Example #22
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * 5.3.3.6 Connection authentication failed due to an unspecified problem with the supplied credentials.
 *
 * <p>Checks that a {@code PN_SASL_AUTH} outcome set by the server is the
 * outcome the client observes.
 */
@Test
public void testAuthenticationFails() throws Exception {
    getClient().transport = Proton.transport();
    getServer().transport = Proton.transport();

    Sasl client = getClient().transport.sasl();
    client.client();
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());

    Sasl server = getServer().transport.sasl();
    server.server();
    server.setMechanisms(TESTMECH1);

    // First round trip.
    pumpClientToServer();
    pumpServerToClient();
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());

    client.setMechanisms(TESTMECH1);
    pumpClientToServer();

    // The server rejects the exchange; the client must see that exact outcome.
    server.done(SaslOutcome.PN_SASL_AUTH);
    pumpServerToClient();

    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_AUTH, client.getOutcome());
}
Example #23
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Server-side test listener: checks the client's response, sends the
 * additional data, and completes the exchange with {@code PN_SASL_OK}.
 */
@Override
public void onSaslResponse(Sasl s, Transport t) {
    int pendingBytes = s.pending();
    byte[] clientResponse = new byte[pendingBytes];
    s.recv(clientResponse, 0, clientResponse.length);

    assertArrayEquals("Server should now know the client's response",
                      RESPONSE_BYTES,
                      clientResponse);

    // The additional data is queued before the outcome is set.
    s.send(ADDITIONAL_DATA_BYTES, 0, ADDITIONAL_DATA_BYTES.length);
    s.done(SaslOutcome.PN_SASL_OK);

    // The flag also guards against the callback firing more than once.
    assertFalse("Should not have already received response", responseReceived.getAndSet(true));
}
Example #24
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Client-side test listener: checks the server's challenge and answers it
 * with the test response.
 */
@Override
public void onSaslChallenge(Sasl s, Transport t) {
    int pendingBytes = s.pending();
    byte[] serverChallenge = new byte[pendingBytes];
    s.recv(serverChallenge, 0, serverChallenge.length);

    // A challenge must not come with an outcome already set.
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, s.getOutcome());
    assertArrayEquals("Client should now know the server's challenge",
                      CHALLENGE_BYTES,
                      serverChallenge);

    s.send(RESPONSE_BYTES, 0, RESPONSE_BYTES.length);

    // The flag also guards against the callback firing more than once.
    assertFalse("Should not have already received challenge", challengeReceived.getAndSet(true));
}
Example #25
Source File: ProtonHandler.java From activemq-artemis with Apache License 2.0 | 4 votes |
/**
 * Puts the transport's SASL layer into client mode and registers this
 * handler as the SASL listener.
 */
public void createClientSASL() {
    Sasl clientSasl = transport.sasl();
    clientSasl.client();
    // No mechanism is set here; this method only wires up the listener.
    clientSasl.setListener(this);
}
Example #26
Source File: NettySimpleAmqpServer.java From qpid-jms with Apache License 2.0 | 4 votes |
/**
 * Reports whether the SASL exchange has produced an outcome.
 *
 * @return {@code true} once the outcome is anything other than
 *         {@code PN_SASL_NONE}; this includes failure outcomes, so callers
 *         must not read it as "authenticated"
 */
public boolean isDone() {
    Sasl.SaslOutcome current = protonSasl.getOutcome();
    return current != Sasl.SaslOutcome.PN_SASL_NONE;
}
Example #27
Source File: AmqpSaslAuthenticatorTest.java From qpid-jms with Apache License 2.0 | 4 votes |
/**
 * Verifies that the mocked SASL layer was asked to send the whole of the
 * given response.
 *
 * @param sasl the mock to verify
 * @param response the bytes expected to have been sent
 */
private void verifySaslMockReceived(final Sasl sasl, final byte[] response) {
    // Enter verification mode first, then state the expected call.
    Sasl verification = verify(sasl);
    verification.send(response, 0, response.length);
}
Example #28
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 4 votes |
/**
 * Does nothing in response to the SASL init event.
 */
@Override
public void onSaslInit(Sasl s, Transport t) {
    // no-op
}
Example #29
Source File: AcceptorImpl.java From qpid-proton-j with Apache License 2.0 | 4 votes |
/**
 * Accepts one incoming socket and turns it into a reactor connection:
 * attaches the acceptor and peer address to the connection, creates and
 * configures the transport, and hands the socket to the I/O handler.
 *
 * <p>An {@link IOException} is not rethrown; it is reported through
 * {@code sel.error()}.
 *
 * @param selectable the selectable whose server channel became readable
 */
@Override
public void run(Selectable selectable) {
    Reactor reactor = selectable.getReactor();
    try {
        SocketChannel accepted = ((ServerSocketChannel) selectable.getChannel()).accept();
        if (accepted == null) {
            throw new ReactorInternalException("Selectable readable, but no socket to accept");
        }

        // Prefer a handler registered on this acceptor; otherwise use the
        // reactor's handler.
        Handler handler = BaseHandler.getHandler(AcceptorImpl.this);
        if (handler == null) {
            handler = reactor.getHandler();
        }

        Connection conn = reactor.connection(handler);
        Record attachments = conn.attachments();
        attachments.set(CONNECTION_ACCEPTOR_KEY, Acceptor.class, AcceptorImpl.this);

        // Record the peer's address on the connection when it is known.
        InetSocketAddress peer = (InetSocketAddress) accepted.getRemoteAddress();
        if (peer != null) {
            Address peerAddress = new Address();
            peerAddress.setHost(peer.getHostString());
            peerAddress.setPort(Integer.toString(peer.getPort()));
            attachments.set(ReactorImpl.CONNECTION_PEER_ADDRESS_KEY, Address.class, peerAddress);
        }

        Transport trans = Proton.transport();

        // A configured value of 0 leaves the transport's own setting in place.
        int frameLimit = reactor.getOptions().getMaxFrameSize();
        if (frameLimit != 0) {
            trans.setMaxFrameSize(frameLimit);
        }

        if (reactor.getOptions().isEnableSaslByDefault()) {
            // Default SASL is ANONYMOUS with the outcome set to OK up front:
            // every peer is admitted without credentials. Deployments that
            // need authentication have to configure SASL themselves.
            Sasl sasl = trans.sasl();
            sasl.server();
            sasl.setMechanisms("ANONYMOUS");
            sasl.done(SaslOutcome.PN_SASL_OK);
        }

        trans.bind(conn);
        IOHandler.selectableTransport(reactor, accepted.socket(), trans);
    } catch (IOException ioException) {
        // NOTE(review): the exception itself is dropped here; only the
        // error state is signalled, so the cause is not available later.
        sel.error();
    }
}
Example #30
Source File: SaslTest.java From qpid-proton-j with Apache License 2.0 | 4 votes |
/**
 * 5.3.2 SASL Negotiation.
 *
 * <p>Walks through a full exchange by hand: mechanism offer, mechanism
 * choice, one challenge/response round, and a successful outcome.
 */
@Test
public void testSaslNegotiation() throws Exception {
    getClient().transport = Proton.transport();
    getServer().transport = Proton.transport();

    Sasl client = getClient().transport.sasl();
    client.client();
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());

    Sasl server = getServer().transport.sasl();
    server.server();
    server.setMechanisms(TESTMECH1, TESTMECH2);
    assertEquals("Server should not yet know the remote's chosen mechanism.",
                 0, server.getRemoteMechanisms().length);

    // Mechanism offer reaches the client.
    pumpClientToServer();
    pumpServerToClient();

    assertArrayEquals("Client should now know the server's mechanisms.",
                      new String[]{TESTMECH1, TESTMECH2},
                      client.getRemoteMechanisms());
    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());

    // Client chooses a mechanism.
    client.setMechanisms(TESTMECH1);
    pumpClientToServer();

    assertArrayEquals("Server should now know the client's chosen mechanism.",
                      new String[]{TESTMECH1},
                      server.getRemoteMechanisms());

    // Server challenge.
    server.send(CHALLENGE_BYTES, 0, CHALLENGE_BYTES.length);
    pumpServerToClient();

    byte[] challengeAtClient = new byte[client.pending()];
    client.recv(challengeAtClient, 0, challengeAtClient.length);

    assertEquals("Unexpected SASL outcome at client", SaslOutcome.PN_SASL_NONE, client.getOutcome());
    assertArrayEquals("Client should now know the server's challenge",
                      CHALLENGE_BYTES,
                      challengeAtClient);

    // Client response.
    client.send(RESPONSE_BYTES, 0, RESPONSE_BYTES.length);
    pumpClientToServer();

    byte[] responseAtServer = new byte[server.pending()];
    server.recv(responseAtServer, 0, responseAtServer.length);

    assertArrayEquals("Server should now know the client's response",
                      RESPONSE_BYTES,
                      responseAtServer);

    // Outcome.
    server.done(SaslOutcome.PN_SASL_OK);
    pumpServerToClient();

    assertEquals("Unexpected SASL outcome at client",
                 SaslOutcome.PN_SASL_OK,
                 client.getOutcome());
}