ARTEMIS-5959 add option to externalcert login module to populate role…

artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/ExternalCertificateLoginModule.java

@@ -16,35 +16,41 @@
  */
 package org.apache.activemq.artemis.spi.core.security.jaas;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.LoginException;
-import java.security.cert.X509Certificate;
 import java.io.IOException;
+import java.lang.invoke.MethodHandles;
 import java.security.Principal;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import java.lang.invoke.MethodHandles;
-
 /**
  * A LoginModule that propagates TLS certificates subject DN as a UserPrincipal.
  */
 public class ExternalCertificateLoginModule implements AuditLoginModule {
 
    private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
+   public static final String SAN_URI_PREFIX_PROP = "sanUriPrefix";
    private CallbackHandler callbackHandler;
    private Subject subject;
    private String userName;
 
    private final Set<Principal> principals = new HashSet<>();
+   private final Set<Principal> roles = new HashSet<>();
+   private String sanURIPrefix;
 
    @Override
    public void initialize(Subject subject,
@@ -53,6 +59,9 @@ public void initialize(Subject subject,
                           Map<String, ?> options) {
       this.subject = subject;
       this.callbackHandler = callbackHandler;
+      if (options != null && options.containsKey(SAN_URI_PREFIX_PROP)) {
+         sanURIPrefix = String.valueOf(options.get(SAN_URI_PREFIX_PROP));
+      }
    }
 
    @Override
@@ -73,6 +82,27 @@ public boolean login() throws LoginException {
          userName = certificates[0].getSubjectDN().getName();
       }
 
+      if (userName != null && sanURIPrefix != null) {
+         // getSubjectAlternativeNames returns a Collection of Lists
+         // Each inner list is [Integer type, Object value]
+         Collection<List<?>> sans = null;
+         try {
+            sans = certificates[0].getSubjectAlternativeNames();
+         } catch (CertificateParsingException e) {
+            throw new LoginException(e.getMessage());
+         }
+
+         if (sans != null) {
+            for (List<?> san : sans) {
+               int type = (Integer) san.get(0);
+               String value = (String) san.get(1);
+               if (type == 6 /* URI */ && value.startsWith(sanURIPrefix)) {
+                  roles.add(new RolePrincipal(value.substring(sanURIPrefix.length())));
+               }
+            }
+         }
+      }
+
       if (logger.isDebugEnabled()) {
          logger.debug("Certificates: {}, userName: {}", Arrays.toString(certificates), userName);
       }
@@ -84,6 +114,7 @@ public boolean login() throws LoginException {
    public boolean commit() throws LoginException {
       if (userName != null) {
          principals.add(new UserPrincipal(userName));
+         principals.addAll(roles);
          subject.getPrincipals().addAll(principals);
       }
 

artemis-server/src/test/java/org/apache/activemq/artemis/spi/core/security/jaas/ExternalCertificateLoginModuleTest.java

@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import org.apache.activemq.artemis.utils.ClassloadingUtil;
+import org.junit.jupiter.api.Test;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class ExternalCertificateLoginModuleTest {
+
+   @Test
+   void loginFails() throws LoginException {
+
+      ExternalCertificateLoginModule underTest = new ExternalCertificateLoginModule();
+
+      final Subject subject = new Subject();
+      underTest.initialize(subject, callbacks -> {
+      }, null, null);
+
+      assertFalse(underTest.login());
+      assertTrue(subject.getPrincipals().isEmpty());
+   }
+
+   @Test
+   void loginSuccess() throws Exception {
+      ExternalCertificateLoginModule underTest = new ExternalCertificateLoginModule();
+
+      String ksPath = ClassloadingUtil.findResource("san-keystore.p12").getPath();
+      KeyStore ks = KeyStore.getInstance("PKCS12");
+      try (FileInputStream fis = new FileInputStream(ksPath)) {
+         ks.load(fis, "securepass".toCharArray());
+      }
+      X509Certificate cert = (X509Certificate) ks.getCertificate("san-roles");
+
+      Subject subject = new Subject();
+      underTest.initialize(subject, callbacks -> {
+         ((CertificateCallback) callbacks[0]).setCertificates(new X509Certificate[]{cert});
+      }, null, Map.of(ExternalCertificateLoginModule.SAN_URI_PREFIX_PROP, "urn:jaas:role:"));
+
+      assertTrue(underTest.login());
+      assertTrue(underTest.commit());
+      assertFalse(subject.getPrincipals().isEmpty());
+      assertEquals("CN=ok", subject.getPrincipals(UserPrincipal.class).iterator().next().getName());
+      assertTrue(subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal("admin")));
+      assertTrue(subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal("view")));
+
+      // again without the prefix property and same cert
+      underTest = new ExternalCertificateLoginModule();
+      subject = new Subject();
+      underTest.initialize(subject, callbacks -> {
+         ((CertificateCallback) callbacks[0]).setCertificates(new X509Certificate[]{cert});
+      }, null, null);
+
+      assertTrue(underTest.login());
+      assertTrue(underTest.commit());
+      assertFalse(subject.getPrincipals().isEmpty());
+      assertEquals("CN=ok", subject.getPrincipals(UserPrincipal.class).iterator().next().getName());
+      assertTrue(subject.getPrincipals(RolePrincipal.class).isEmpty());
+   }
+}

docs/user-manual/security.adoc

@@ -1125,6 +1125,12 @@ This Principal can then be used for <<role-mapping,role mapping>>.
 
 The external certificate login module is used to propagate a validated TLS client certificate's subjectDN into a JAAS UserPrincipal.
 This allows subsequent login modules to do role mapping for the TLS client certificate.
+It is possible to populate RolePrincipals with values from the certificate Subject Alternative Name(SAN) URIs that match a configured prefix.
+
+sanUriPrefix::
+when non-null, this value is used as a prefix to extract role information from a certificate SAN URIs.
+If keytool was used with -ext "SAN=uri:urn:jaas:role:admin,uri:urn:jaas:role:view" to populate the certificate SAN.
+Then a sanUriPrefix value of `urn:jaas:role:` would extract them into subject RolePrincipals
 
 ----
 org.apache.activemq.artemis.spi.core.security.jaas.ExternalCertificateLoginModule required

tests/security-resources/build.sh

@@ -179,6 +179,9 @@ keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PAS
 ## Combined ca-certs pem to verify loading of multiple certs
 cat client-ca-cert.pem server-ca-cert.pem > client-and-server-ca-certs.pem
 
+## a cert for the ExternalCertificateLoginModule
+keytool -storetype pkcs12 -keystore san-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias san-roles -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ok" -validity $VALIDITY -ext "SAN=uri:urn:jaas:role:admin,uri:urn:jaas:role:view"
+
 # Clean up working files
 # -----------------------
 rm -f *.crt *.csr openssl-*