From commits-return-31920-apmail-karaf-commits-archive=karaf.apache.org@karaf.apache.org Wed Sep 6 14:09:58 2017 Return-Path: X-Original-To: apmail-karaf-commits-archive@minotaur.apache.org Delivered-To: apmail-karaf-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9A224197A4 for ; Wed, 6 Sep 2017 14:09:58 +0000 (UTC) Received: (qmail 46603 invoked by uid 500); 6 Sep 2017 14:09:58 -0000 Delivered-To: apmail-karaf-commits-archive@karaf.apache.org Received: (qmail 46570 invoked by uid 500); 6 Sep 2017 14:09:57 -0000 Mailing-List: contact commits-help@karaf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@karaf.apache.org Delivered-To: mailing list commits@karaf.apache.org Received: (qmail 46561 invoked by uid 99); 6 Sep 2017 14:09:57 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Sep 2017 14:09:57 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 13204E08F6; Wed, 6 Sep 2017 14:09:57 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: gnodet@apache.org To: commits@karaf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: karaf git commit: [KARAF-5330] Require a specific role to access the SSH console Date: Wed, 6 Sep 2017 14:09:57 +0000 (UTC) Repository: karaf Updated Branches: refs/heads/karaf-4.1.x 59eaddd72 -> 1e88deab1 [KARAF-5330] Require a specific role to access the SSH console Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/1e88deab Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/1e88deab Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/1e88deab Branch: refs/heads/karaf-4.1.x Commit: 1e88deab17b3e9f70ca770c2de5186eac6cd5c38 Parents: 59eaddd Author: Guillaume Nodet Authored: Wed Sep 6 16:04:44 2017 +0200 Committer: Guillaume Nodet Committed: Wed Sep 6 16:09:51 2017 +0200 ---------------------------------------------------------------------- .../main/java/org/apache/karaf/shell/ssh/Activator.java | 3 ++- .../apache/karaf/shell/ssh/KarafJaasAuthenticator.java | 11 ++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/1e88deab/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java ----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index f7d2c7a..f8b0676 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -142,6 +142,7 @@ public class Activator extends BaseActivator implements ManagedService {
 String sshHost = getString("sshHost", "0.0.0.0");
 long sshIdleTimeout = getLong("sshIdleTimeout", 1800000);
 String sshRealm = getString("sshRealm", "karaf");
+ String sshRole = getString("sshRole", null);
 String hostKey = getString("hostKey", System.getProperty("karaf.etc") + "/host.key");
 String hostKeyFormat = getString("hostKeyFormat", "simple");
 String authMethods = getString("authMethods", "keyboard-interactive,password,publickey");
@@ -172,7 +173,7 @@ public class Activator extends BaseActivator implements ManagedService {
 keyPairProvider.setAlgorithm(algorithm);
 }
- KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm);
+ KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm, sshRole);
 UserAuthFactoriesFactory authFactoriesFactory = new UserAuthFactoriesFactory();
 authFactoriesFactory.setAuthMethods(authMethods);
http://git-wip-us.apache.org/repos/asf/karaf/blob/1e88deab/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java ----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index 20a769e..ad9a33a 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -46,12 +46,14 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
 private final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);
 private String realm;
+ private String role;
 public KarafJaasAuthenticator() {
 }
- public KarafJaasAuthenticator(String realm) {
+ public KarafJaasAuthenticator(String realm, String role) {
 this.realm = realm;
+ this.role = role;
 }
 public String getRealm() {
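Review bot: The new `role` constructor parameter and field in KarafJaasAuthenticator are undocumented, and the no-arg constructor leaves `role` null, which under the check added in this same commit means no role restriction at all; a reader of this class cannot tell whether null is a deliberate "accept any role" value or an oversight. Add Javadoc on the two-argument constructor: `@param realm the JAAS realm to log in against` and `@param role the role a user must hold to be accepted, or {@code null}/empty to accept any role`. The field itself could carry `// null or empty: no role restriction beyond "at least one RolePrincipal"`. The enclosing class runs past this hunk, so whether a setter for role exists alongside getRealm() is not visible here.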
@@ -117,9 +119,13 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
 });
 loginContext.login();
+ boolean hasCorrectRole = role == null || role.isEmpty();
 int roleCount = 0;
 for (Principal principal : subject.getPrincipals()) {
 if (principal instanceof RolePrincipal) {
+ if (!hasCorrectRole) {
+ hasCorrectRole = role.equals(principal.getName());
+ }
 roleCount++;
 }
 }
@@ -127,6 +133,9 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
 if (roleCount == 0) {
 throw new FailedLoginException("User doesn't have role defined");
 }
+ if (!hasCorrectRole) {
+ throw new FailedLoginException("User doesn't have the required role " + role);
+ }
 session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
 return true;
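Review bot: The required-role comparison is an exact `String.equals` against the raw configured value, so an `sshRole` entry with surrounding whitespace in the config file would fail every login and lock operators out of the console; whether Activator's `getString` strips values is not visible in this diff. Normalize once before comparing, e.g. `boolean hasCorrectRole = role == null || role.trim().isEmpty();` and `hasCorrectRole = role.trim().equals(principal.getName());`, or trim in the constructor. The first added line also deserves a comment making the opt-in nature explicit: `// no sshRole configured: keep the previous behaviour, any RolePrincipal is enough`. The enclosing method starts before and ends after this hunk.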
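Review bot: The new FailedLoginException is thrown after `loginContext.login()` has already succeeded, and its message embeds the configured role name; if that message is relayed to the still-unauthenticated SSH client, a caller with valid credentials but the wrong role learns exactly which role to obtain. How FailedLoginException is handled, and whether the login context is logged out on this path, lies outside the hunk; the existing no-role check above follows the same pattern, so this is consistent with the file but worth confirming. Prefer keeping the client-facing text generic and logging the detail server-side: `LOGGER.debug("User lacks required role {}", role); throw new FailedLoginException("User doesn't have the required role");`. The enclosing method ends past this hunk.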