karaf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gno...@apache.org
Subject karaf git commit: [KARAF-5330] Require a specific role to access the SSH console
Date Wed, 06 Sep 2017 14:05:05 GMT
Repository: karaf
Updated Branches:
  refs/heads/master 47451b0ed -> 952593086


[KARAF-5330] Require a specific role to access the SSH console

Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/95259308
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/95259308
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/95259308

Branch: refs/heads/master
Commit: 9525930864b9c21585ce57991854429c48a84c8a
Parents: 47451b0
Author: Guillaume Nodet <gnodet@apache.org>
Authored: Wed Sep 6 16:04:44 2017 +0200
Committer: Guillaume Nodet <gnodet@apache.org>
Committed: Wed Sep 6 16:04:58 2017 +0200

----------------------------------------------------------------------
 .../src/main/resources/resources/etc/users.properties    |  2 +-
 .../features/standard/src/main/feature/feature.xml       |  5 +++++
 .../main/java/org/apache/karaf/shell/ssh/Activator.java  |  3 ++-
 .../apache/karaf/shell/ssh/KarafJaasAuthenticator.java   | 11 ++++++++++-
 4 files changed, 18 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/assemblies/features/base/src/main/resources/resources/etc/users.properties
----------------------------------------------------------------------
diff --git a/assemblies/features/base/src/main/resources/resources/etc/users.properties b/assemblies/features/base/src/main/resources/resources/etc/users.properties
index 0657308..ace2282 100644
--- a/assemblies/features/base/src/main/resources/resources/etc/users.properties
+++ b/assemblies/features/base/src/main/resources/resources/etc/users.properties
@@ -30,4 +30,4 @@
 # with the name "karaf".
 #
 karaf = karaf,_g_:admingroup
-_g_\:admingroup = group,admin,manager,viewer,systembundles
+_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/assemblies/features/standard/src/main/feature/feature.xml
----------------------------------------------------------------------
diff --git a/assemblies/features/standard/src/main/feature/feature.xml b/assemblies/features/standard/src/main/feature/feature.xml
index 45df505..f3fde1f 100644
--- a/assemblies/features/standard/src/main/feature/feature.xml
+++ b/assemblies/features/standard/src/main/feature/feature.xml
@@ -165,6 +165,11 @@
             sshRealm = karaf
 
             #
+            # sshRole defines the role required to access the console through ssh
+            #
+            sshRole = ssh
+
+            #
             # The location of the hostKey file defines where the private/public key of the
server
             # is located. If no file is at the defined location it will be ignored.
             #

http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index 0ffbbba..4c7667b 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -146,6 +146,7 @@ public class Activator extends BaseActivator implements ManagedService
{
         long sshIdleTimeout    = getLong("sshIdleTimeout", 1800000);
         int nioWorkers         = getInt("nio-workers", 2);
         String sshRealm        = getString("sshRealm", "karaf");
+        String sshRole         = getString("sshRole", null);
         String hostKey         = getString("hostKey", System.getProperty("karaf.etc") + "/host.key");
         String[] authMethods   = getStringArray("authMethods", "keyboard-interactive,password,publickey");
         int keySize            = getInt("keySize", 2048);
@@ -158,7 +159,7 @@ public class Activator extends BaseActivator implements ManagedService
{
         
         Path serverKeyPath = Paths.get(hostKey);
         KeyPairProvider keyPairProvider = new OpenSSHKeyPairProvider(serverKeyPath.toFile(),
algorithm, keySize);
-        KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm);
+        KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm, sshRole);
         UserAuthFactoriesFactory authFactoriesFactory = new UserAuthFactoriesFactory();
         authFactoriesFactory.setAuthMethods(authMethods);
 

http://git-wip-us.apache.org/repos/asf/karaf/blob/95259308/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index e1420f4..3ab370d 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -45,9 +45,11 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
     private final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);
 
     private String realm;
+    private String role;
 
-    public KarafJaasAuthenticator(String realm) {
+    public KarafJaasAuthenticator(String realm, String role) {
         this.realm = realm;
+        this.role = role;
     }
 
     public boolean authenticate(final String username, final String password, final ServerSession
session) {
@@ -95,15 +97,22 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator,
PublickeyA
     }
 
     private void assertRolePresent(Subject subject) throws FailedLoginException {
+        boolean hasCorrectRole = role == null || role.isEmpty();
         int roleCount = 0;
         for (Principal principal : subject.getPrincipals()) {
             if (principal instanceof RolePrincipal) {
+                if (!hasCorrectRole) {
+                    hasCorrectRole = role.equals(principal.getName());
+                }
                 roleCount++;
             }
         }
         if (roleCount == 0) {
             throw new FailedLoginException("User doesn't have role defined");
         }
+        if (!hasCorrectRole) {
+            throw new FailedLoginException("User doesn't have the required role " + role);
+        }
     }
 
 }


Mime
View raw message