activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jbono...@apache.org
Subject [activemq] branch activemq-5.15.x updated: AMQ-7230 - Add support for regex based certificate authentication
Date Wed, 07 Aug 2019 05:44:33 GMT
This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch activemq-5.15.x
in repository https://gitbox.apache.org/repos/asf/activemq.git


The following commit(s) were added to refs/heads/activemq-5.15.x by this push:
     new cac38c8  AMQ-7230 - Add support for regex based certificate authentication
cac38c8 is described below

commit cac38c884b61c5c098570ee59db2f0b278c5a96e
Author: Lionel Cons <lionel.cons@cern.ch>
AuthorDate: Mon Jun 17 13:39:13 2019 +0200

    AMQ-7230 - Add support for regex based certificate authentication
---
 .../apache/activemq/jaas/ReloadableProperties.java | 32 +++++++++++++++++++++-
 .../jaas/TextFileCertificateLoginModule.java       | 31 ++++++++++++++++-----
 .../TextFileCertificateLoginModuleTest.java        |  6 ++++
 .../test/resources/cert-users-REGEXP.properties    | 19 +++++++++++++
 4 files changed, 80 insertions(+), 8 deletions(-)

diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java
b/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java
index 95781cc..42427d0 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/ReloadableProperties.java
@@ -24,6 +24,8 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -33,6 +35,7 @@ public class ReloadableProperties {
     private Properties props = new Properties();
     private Map<String, String> invertedProps;
     private Map<String, Set<String>> invertedValueProps;
+    private Map<String, Pattern> regexpProps;
     private long reloadTime = -1;
     private final PropertiesLoader.FileNameKey key;
 
@@ -51,6 +54,7 @@ public class ReloadableProperties {
                 load(key.file(), props);
                 invertedProps = null;
                 invertedValueProps = null;
+                regexpProps = null;
                 if (key.isDebug()) {
                     LOG.debug("Load of: " + key);
                 }
@@ -69,7 +73,10 @@ public class ReloadableProperties {
         if (invertedProps == null) {
             invertedProps = new HashMap<>(props.size());
             for (Map.Entry<Object, Object> val : props.entrySet()) {
-                invertedProps.put((String) val.getValue(), (String) val.getKey());
+                String str = (String) val.getValue();
+                if (!looksLikeRegexp(str)) {
+                    invertedProps.put(str, (String) val.getKey());
+                }
             }
         }
         return invertedProps;
@@ -93,6 +100,24 @@ public class ReloadableProperties {
         return invertedValueProps;
     }
 
+    public synchronized Map<String, Pattern> regexpPropertiesMap() {
+        if (regexpProps == null) {
+            regexpProps = new HashMap<>(props.size());
+            for (Map.Entry<Object, Object> val : props.entrySet()) {
+                String str = (String) val.getValue();
+                if (looksLikeRegexp(str)) {
+                    try {
+                        Pattern p = Pattern.compile(str.substring(1, str.length() - 1));
+                        regexpProps.put((String) val.getKey(), p);
+                    } catch (PatternSyntaxException e) {
+                        LOG.warn("Ignoring invalid regexp: " + str);
+                    }
+                }
+            }
+        }
+        return regexpProps;
+    }
+
     private void load(final File source, Properties props) throws IOException {
         FileInputStream in = new FileInputStream(source);
         try {
@@ -116,4 +141,9 @@ public class ReloadableProperties {
         return key.file.lastModified() > reloadTime;
     }
 
+    private boolean looksLikeRegexp(String str) {
+        int len = str.length();
+        return len > 2 && str.charAt(0) == '/' && str.charAt(len - 1)
== '/';
+    }
+
 }
diff --git a/activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java
b/activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java
index 42f2c9d..c316367 100644
--- a/activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java
+++ b/activemq-jaas/src/main/java/org/apache/activemq/jaas/TextFileCertificateLoginModule.java
@@ -24,6 +24,7 @@ import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
@@ -32,13 +33,14 @@ import javax.security.auth.login.LoginException;
 /**
  * A LoginModule allowing for SSL certificate based authentication based on
  * Distinguished Names (DN) stored in text files. The DNs are parsed using a
- * Properties class where each line is <user_name>=<user_DN>. This class also
- * uses a group definition file where each line is <group_name>=<user_name_1>,<user_name_2>,etc.
+ * Properties class where each line is either <UserName>=<StringifiedSubjectDN>
+ * or <UserName>=/<SubjectDNRegExp>/. This class also uses a group definition
+ * file where each line is <GroupName>=<UserName1>,<UserName2>,etc.
  * The user and group files' locations must be specified in the
  * org.apache.activemq.jaas.textfiledn.user and
- * org.apache.activemq.jaas.textfiledn.user properties respectively. NOTE: This
- * class will re-read user and group files for every authentication (i.e it does
- * live updates of allowed groups and users).
+ * org.apache.activemq.jaas.textfiledn.group properties respectively.
+ * NOTE: This class will re-read user and group files for every authentication
+ * (i.e it does live updates of allowed groups and users).
  *
  * @author sepandm@gmail.com (Sepand)
  */
@@ -48,6 +50,7 @@ public class TextFileCertificateLoginModule extends CertificateLoginModule
{
     private static final String GROUP_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.group";
 
     private Map<String, Set<String>> groupsByUser;
+    private Map<String, Pattern> regexpByUser;
     private Map<String, String> usersByDn;
 
     /**
@@ -58,6 +61,7 @@ public class TextFileCertificateLoginModule extends CertificateLoginModule
{
         super.initialize(subject, callbackHandler, sharedState, options);
 
         usersByDn = load(USER_FILE_PROP_NAME, "", options).invertedPropertiesMap();
+        regexpByUser = load(USER_FILE_PROP_NAME, "", options).regexpPropertiesMap();
         groupsByUser = load(GROUP_FILE_PROP_NAME, "", options).invertedPropertiesValuesMap();
      }
 
@@ -76,8 +80,8 @@ public class TextFileCertificateLoginModule extends CertificateLoginModule
{
         if (certs == null) {
             throw new LoginException("Client certificates not found. Cannot authenticate.");
         }
-
-        return usersByDn.get(getDistinguishedName(certs));
+        String dn = getDistinguishedName(certs);
+        return usersByDn.containsKey(dn) ? usersByDn.get(dn) : getUserByRegexp(dn);
     }
 
     /**
@@ -96,4 +100,17 @@ public class TextFileCertificateLoginModule extends CertificateLoginModule
{
         }
         return userGroups;
     }
+
+    private synchronized String getUserByRegexp(String dn) {
+        String name = null;
+        for (Map.Entry<String, Pattern> val : regexpByUser.entrySet()) {
+            if (val.getValue().matcher(dn).matches()) {
+                name = val.getKey();
+                break;
+            }
+        }
+        usersByDn.put(dn, name);
+        return name;
+    }
+
 }
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/TextFileCertificateLoginModuleTest.java
b/activemq-unit-tests/src/test/java/org/apache/activemq/security/TextFileCertificateLoginModuleTest.java
index 76681c6..9ca43c9 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/security/TextFileCertificateLoginModuleTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/TextFileCertificateLoginModuleTest.java
@@ -38,6 +38,7 @@ public class TextFileCertificateLoginModuleTest {
 
     private static final String CERT_USERS_FILE_SMALL = "cert-users-SMALL.properties";
     private static final String CERT_USERS_FILE_LARGE = "cert-users-LARGE.properties";
+    private static final String CERT_USERS_FILE_REGEXP = "cert-users-REGEXP.properties";
     private static final String CERT_GROUPS_FILE = "cert-groups.properties";
 
     private static final Logger LOG = LoggerFactory.getLogger(TextFileCertificateLoginModuleTest.class);
@@ -76,6 +77,11 @@ public class TextFileCertificateLoginModuleTest {
         loginTest(CERT_USERS_FILE_LARGE, CERT_GROUPS_FILE);
     }
 
+    @Test
+    public void testLoginWithREGEXPUsersFile() throws Exception {
+        loginTest(CERT_USERS_FILE_REGEXP, CERT_GROUPS_FILE);
+    }
+
     private void loginTest(String usersFiles, String groupsFile) throws LoginException {
 
         HashMap options = new HashMap<String, String>();
diff --git a/activemq-unit-tests/src/test/resources/cert-users-REGEXP.properties b/activemq-unit-tests/src/test/resources/cert-users-REGEXP.properties
new file mode 100644
index 0000000..c422738
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/cert-users-REGEXP.properties
@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+CNODD=/DN=TEST_USER_\\d*[13579]/
+CNEVEN=/DN=TEST_USER_\\d*[02468]/


Mime
View raw message