From gno...@apache.org
Subject karaf git commit: [KARAF-5330] Require a specific role to access the SSH console
Date Wed, 06 Sep 2017 14:09:57 GMT
Repository: karaf
Updated Branches:
  refs/heads/karaf-4.1.x 59eaddd72 -> 1e88deab1


[KARAF-5330] Require a specific role to access the SSH console


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/1e88deab
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/1e88deab
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/1e88deab

Branch: refs/heads/karaf-4.1.x
Commit: 1e88deab17b3e9f70ca770c2de5186eac6cd5c38
Parents: 59eaddd
Author: Guillaume Nodet <gnodet@apache.org>
Authored: Wed Sep 6 16:04:44 2017 +0200
Committer: Guillaume Nodet <gnodet@apache.org>
Committed: Wed Sep 6 16:09:51 2017 +0200

----------------------------------------------------------------------
 .../main/java/org/apache/karaf/shell/ssh/Activator.java  |  3 ++-
 .../apache/karaf/shell/ssh/KarafJaasAuthenticator.java   | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/1e88deab/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index f7d2c7a..f8b0676 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -142,6 +142,7 @@ public class Activator extends BaseActivator implements ManagedService
{
         String sshHost        = getString("sshHost", "0.0.0.0");
         long sshIdleTimeout   = getLong("sshIdleTimeout", 1800000);
         String sshRealm       = getString("sshRealm", "karaf");
+        String sshRole        = getString("sshRole", null);
         String hostKey        = getString("hostKey", System.getProperty("karaf.etc") + "/host.key");
         String hostKeyFormat  = getString("hostKeyFormat", "simple");
         String authMethods    = getString("authMethods", "keyboard-interactive,password,publickey");
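Review bot: The added `sshRole` line defaults the new property to `null`, and nothing here says what that means; the authenticator in the second file treats `null` or empty as "any role is accepted", so the requirement is off unless an operator sets it. A short comment on the added line would make that visible where the property is read: `String sshRole        = getString("sshRole", null); // null/empty: no specific role required, any role suffices`. The second Activator hunk only passes the value to the constructor and needs nothing further. The enclosing method starts before and ends after this hunk.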
@@ -172,7 +173,7 @@ public class Activator extends BaseActivator implements ManagedService
{
             keyPairProvider.setAlgorithm(algorithm);
         }
 
-        KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm);
+        KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm, sshRole);
 
         UserAuthFactoriesFactory authFactoriesFactory = new UserAuthFactoriesFactory();
         authFactoriesFactory.setAuthMethods(authMethods);

http://git-wip-us.apache.org/repos/asf/karaf/blob/1e88deab/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index 20a769e..ad9a33a 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -46,12 +46,14 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator,
PublickeyA
     private final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);
 
     private String realm;
+    private String role;
 
     public KarafJaasAuthenticator() {
     }
 
-    public KarafJaasAuthenticator(String realm) {
+    public KarafJaasAuthenticator(String realm, String role) {
         this.realm = realm;
+        this.role = role;
     }
 
     public String getRealm() {
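Review bot: The new `role` field is undocumented and has no accessor, while the no-arg constructor is kept; an instance built through that path (bean-style, alongside `getRealm()`) can never have a role set and would silently run without the requirement. If the no-arg constructor is still used, add `getRole`/`setRole` mirroring the realm accessors; in any case document the field, e.g. `/** Role a principal must carry to log in; null or empty means any role is accepted. */`. The single-argument constructor is removed outright, which breaks any caller outside this module that still does `new KarafJaasAuthenticator(realm)`; keeping it as `this(realm, null)` preserves compatibility at one line. The class continues outside this hunk.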
@@ -117,9 +119,13 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator,
PublickeyA
             });
             loginContext.login();
 
+            boolean hasCorrectRole = role == null || role.isEmpty();
             int roleCount = 0;
             for (Principal principal : subject.getPrincipals()) {
                 if (principal instanceof RolePrincipal) {
+                    if (!hasCorrectRole) {
+                        hasCorrectRole = role.equals(principal.getName());
+                    }
                     roleCount++;
                 }
             }
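Review bot: `hasCorrectRole` is initialised to `true` when no role is configured, so at the declaration the name reads backwards and the fail-open default is easy to miss; either rename it (`requiredRoleSatisfied`) or annotate it: `boolean hasCorrectRole = role == null || role.isEmpty(); // no configured role: any RolePrincipal suffices`. The match is an exact `equals` against the configured string, so a value carrying surrounding whitespace from the config file would never match and every login would fail; unless the config loader already trims (not visible here), normalising `role` once in the constructor is safer than doing it per principal. The enclosing method starts before and ends after this hunk.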
@@ -127,6 +133,9 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator,
PublickeyA
             if (roleCount == 0) {
                 throw new FailedLoginException("User doesn't have role defined");
             }
+            if (!hasCorrectRole) {
+                throw new FailedLoginException("User doesn't have the required role " + role);
+            }
 
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;

