From c5498bfabae325dabf8c99c74c261dc9e0bb9311 Mon Sep 17 00:00:00 2001
From: Alberto Codutti
Date: Mon, 25 Oct 2021 18:06:52 +0200
Subject: [PATCH] Fixup - Refactored AuthenticatinRealm.doGetAuthenticationInfo of Realms
Signed-off-by: Alberto Codutti
---
 .../realm/AccessTokenAuthenticatingRealm.java | 70 +++++--------------
 .../realm/ApiKeyAuthenticatingRealm.java | 7 +-
 .../shiro/realm/JwtAuthenticatingRealm.java | 8 +--
 .../shiro/realm/KapuaAuthenticatingRealm.java | 6 +-
 .../realm/UserPassAuthenticatingRealm.java | 12 ++--
 5 files changed, 34 insertions(+), 69 deletions(-)
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/AccessTokenAuthenticatingRealm.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/AccessTokenAuthenticatingRealm.java
index d56738b9e2c..15b99c0269a 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/AccessTokenAuthenticatingRealm.java
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/AccessTokenAuthenticatingRealm.java
@@ -12,30 +12,24 @@ *******************************************************************************/
 package org.eclipse.kapua.service.authentication.shiro.realm;
 
-import java.util.Date;
-
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.ShiroException;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.DisabledAccountException;
 import org.apache.shiro.authc.ExpiredCredentialsException;
 import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authc.credential.CredentialsMatcher;
 import org.apache.shiro.realm.AuthenticatingRealm;
 import org.apache.shiro.subject.Subject;
-
-import org.eclipse.kapua.KapuaException;
 import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.commons.security.KapuaSession;
 import org.eclipse.kapua.locator.KapuaLocator;
 import org.eclipse.kapua.model.query.predicate.AndPredicate;
 import org.eclipse.kapua.model.query.predicate.AttributePredicate.Operator;
 import org.eclipse.kapua.service.account.Account;
-import org.eclipse.kapua.service.account.AccountService;
 import org.eclipse.kapua.service.authentication.AccessTokenCredentials;
 import org.eclipse.kapua.service.authentication.shiro.AccessTokenCredentialsImpl;
-import org.eclipse.kapua.service.authentication.shiro.exceptions.ExpiredAccountException;
 import org.eclipse.kapua.service.authentication.token.AccessToken;
 import org.eclipse.kapua.service.authentication.token.AccessTokenAttributes;
 import org.eclipse.kapua.service.authentication.token.AccessTokenFactory;
@@ -43,17 +37,18 @@ import org.eclipse.kapua.service.authentication.token.AccessTokenService;
 import org.eclipse.kapua.service.user.User;
 import org.eclipse.kapua.service.user.UserService;
-import org.eclipse.kapua.service.user.UserStatus;
+
+import java.util.Date;
 
 /**
  * {@link AccessTokenCredentials} based {@link AuthenticatingRealm} implementation.
- *
- * since 1.0
+ *
+ * @since 1.0.0
  */
-public class AccessTokenAuthenticatingRealm extends AuthenticatingRealm {
+public class AccessTokenAuthenticatingRealm extends KapuaAuthenticatingRealm {
 
     /**
-     * Realm name
+     * Realm name.
      */
     public static final String REALM_NAME = "accessTokenAuthenticatingRealm";
@@ -61,19 +56,18 @@ public class AccessTokenAuthenticatingRealm extends AuthenticatingRealm {
     private static final AccessTokenService ACCESS_TOKEN_SERVICE = LOCATOR.getService(AccessTokenService.class);
     private static final AccessTokenFactory ACCESS_TOKEN_FACTORY = LOCATOR.getFactory(AccessTokenFactory.class);
-    private static final AccountService ACCOUNT_SERVICE = LOCATOR.getService(AccountService.class);
     private static final UserService USER_SERVICE = LOCATOR.getService(UserService.class);
 
     /**
      * Constructor
      *
-     * @throws KapuaException
+     * @since 1.0.0
      */
-    public AccessTokenAuthenticatingRealm() throws KapuaException {
+    public AccessTokenAuthenticatingRealm() {
         setName(REALM_NAME);
 
-        // Credential matcher for access tokens
-        setCredentialsMatcher(new AccessTokenCredentialsMatcher());
+        CredentialsMatcher credentialsMatcher = new AccessTokenCredentialsMatcher();
+        setCredentialsMatcher(credentialsMatcher);
     }
 
     @Override
@@ -101,7 +95,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Error while find access token!", e);
+            throw new ShiroException("Unexpected error while looking for the access token!", e);
         }
 
         // Check existence
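Review bot: Dropping `throws KapuaException` from the constructor in hunk @@ -61 is not purely cosmetic: any caller that wraps `new AccessTokenAuthenticatingRealm()` in a `catch (KapuaException e)` stops compiling, because Java rejects catching a checked exception the try body can no longer throw. Realms in this module are presumably instantiated by Shiro from configuration rather than from code, so this is probably harmless, but a search for direct constructions before merging would settle it. The replacement of `// Credential matcher for access tokens` with a two-line local adds no information over the removed one-liner; I would keep `setCredentialsMatcher(new AccessTokenCredentialsMatcher());` together with its comment, or give the new local a comment saying why the matcher is held in an explicitly typed variable.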
@@ -123,44 +117,16 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Error while find user!", e);
-        }
-
-        // Check existence
-        if (user == null) {
-            throw new UnknownAccountException();
-        }
-
-        // Check disabled
-        if (UserStatus.DISABLED.equals(user.getStatus())) {
-            throw new DisabledAccountException();
-        }
-
-        // Check if expired
-        if (user.getExpirationDate() != null && !user.getExpirationDate().after(now)) {
-            throw new ExpiredCredentialsException();
+            throw new ShiroException("Unexpected error while looking for the user!", e);
         }
 
         //
-        // Find account
-        final Account account;
-        try {
-            account = KapuaSecurityUtils.doPrivileged(() -> ACCOUNT_SERVICE.find(user.getScopeId()));
-        } catch (AuthenticationException ae) {
-            throw ae;
-        } catch (Exception e) {
-            throw new ShiroException("Error while find account!", e);
-        }
+        // Check user
+        checkUser(user);
 
-        // Check existence
-        if (account == null) {
-            throw new UnknownAccountException();
-        }
-
-        // Check account expired
-        if (account.getExpirationDate() != null && !account.getExpirationDate().after(now)) {
-            throw new ExpiredAccountException(account.getExpirationDate());
-        }
+        //
+        // Check account
+        Account account = checkAccount(user.getScopeId());
 
         //
         // BuildAuthenticationInfo
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/ApiKeyAuthenticatingRealm.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/ApiKeyAuthenticatingRealm.java
index 0e4f0c1f9e4..6f5516b7206 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/ApiKeyAuthenticatingRealm.java
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/ApiKeyAuthenticatingRealm.java
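Review bot: The user checks removed here (null user → UnknownAccountException, DISABLED status → DisabledAccountException, past expiration → ExpiredCredentialsException) are now entirely delegated to `checkUser(user)`, and the account null/expiration checks to `checkAccount(...)`, but neither helper is visible in this diff, so the hunk alone does not show that the same conditions are still rejected or that the same AuthenticationException subtypes are thrown. Since `user.getScopeId()` is dereferenced right after `checkUser(user)`, that helper must also be the one rejecting a null user. I would make the contract explicit at the call site, `// Check user: rejects a null, DISABLED or expired user (see KapuaAuthenticatingRealm.checkUser)`, and cover the disabled-or-expired-user-with-valid-access-token case in a test so the shared helper cannot regress it silently. doGetAuthenticationInfo starts and ends outside the hunk.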
@@ -82,7 +82,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
             userService = LOCATOR.getService(UserService.class);
             credentialService = LOCATOR.getService(CredentialService.class);
         } catch (KapuaRuntimeException kre) {
-            throw new ShiroException("Error while getting services!", kre);
+            throw new ShiroException("Unexpected error while loading KapuaServices!", kre);
         }
 
         //
@@ -95,8 +95,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (KapuaIllegalArgumentException ae) {
             LOG.warn("The given Api Key is not valid. Subsequent UnknownAccountException expected! Given ApiKey: {}", tokenApiKey);
         } catch (Exception e) {
-
-            throw new ShiroException("Error while find credentials!", e);
+            throw new ShiroException("Unexpected error while looking for the credentials!", e);
         }
 
         //
@@ -120,7 +119,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Error while find user!", e);
+            throw new ShiroException("Unexpected error while looking for the user!", e);
         }
 
         //
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/JwtAuthenticatingRealm.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/JwtAuthenticatingRealm.java
index 235784b67d6..dd6097db130 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/JwtAuthenticatingRealm.java
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/JwtAuthenticatingRealm.java
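Review bot: The context line `LOG.warn("The given Api Key is not valid. Subsequent UnknownAccountException expected! Given ApiKey: {}", tokenApiKey)` in hunk @@ -95 writes the submitted API key verbatim to the log at WARN level; a rejected key is still credential material (often a mistyped or recently rotated valid one) and ends up in whatever log aggregation reads this output, and the commit touches the line right below it without addressing this. I would log only the fact, `LOG.warn("The given Api Key is not valid. Subsequent UnknownAccountException expected!");`, or at most a length or short prefix if correlation is needed. The enclosing doGetAuthenticationInfo starts and ends outside the hunk.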
@@ -75,7 +75,7 @@ protected void onInit() {
             jwtProcessor = JwtProcessors.createDefault();
             setCredentialsMatcher(new JwtCredentialsMatcher(jwtProcessor));
         } catch (OpenIDException se) {
-            throw new ShiroException("Error while creating Jwt Processor!", se);
+            throw new ShiroException("Unexpected error while creating Jwt Processor!", se);
         }
     }
 
@@ -102,7 +102,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
             locator = KapuaLocator.getInstance();
             userService = locator.getService(UserService.class);
         } catch (KapuaRuntimeException kre) {
-            throw new ShiroException("Error while getting services!", kre);
+            throw new ShiroException("Unexpected error while loading KapuaServices!", kre);
         }
 
         String id = extractExternalId(idToken);
@@ -116,7 +116,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Error looking up the user", e);
+            throw new ShiroException("Unexpected error while looking for the user", e);
         }
 
         //
@@ -151,7 +151,7 @@ private String extractExternalId(String jwt) {
         try {
             final JwtContext ctx = jwtProcessor.process(jwt);
             id = ctx.getJwtClaims().getClaimValueAsString(jwtProcessor.getExternalIdClaimName());
-        } catch (final Exception e) {
+        } catch (Exception e) {
             throw new ShiroException("Failed to parse JWT", e);
         }
 
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/KapuaAuthenticatingRealm.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/KapuaAuthenticatingRealm.java
index cfa8bfbc17d..474ce85b728 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/KapuaAuthenticatingRealm.java
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/KapuaAuthenticatingRealm.java
@@ -93,7 +93,7 @@ protected Account checkAccount(KapuaId accountId) {
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Internal error while looking for the account!", e);
+            throw new ShiroException("Unexpected error while looking for the account!", e);
         }
 
         // Check existence
@@ -177,7 +177,7 @@ protected Map getCredentialServiceConfig(KapuaId scopeId) {
             CredentialService credentialService = LOCATOR.getService(CredentialService.class);
             return KapuaSecurityUtils.doPrivileged(() -> credentialService.getConfigValues(scopeId));
         } catch (KapuaException e) {
-            throw new ShiroException("Error while find credentials!", e);
+            throw new ShiroException("Unexpected error while looking for the CredentialService!", e);
         }
     }
 
@@ -198,7 +198,7 @@ protected void resetCredentialLockout(Credential credential) {
         try {
             KapuaSecurityUtils.doPrivileged(() -> credentialService.update(credential));
         } catch (KapuaException kex) {
-            throw new ShiroException("Error while updating lockout policy", kex);
+            throw new ShiroException("Unexpected error while looking for the lockout policy", kex);
         }
     }
 
diff --git a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java
index 6fb425a3696..80eb90602e9 100644
--- a/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java
+++ b/service/security/shiro/src/main/java/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java
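Review bot: The new message in hunk @@ -198, `Unexpected error while looking for the lockout policy`, misdescribes the failing call: the try body performs `credentialService.update(credential)`, an update, and the old text said so; the same change in UserPassAuthenticatingRealm (hunk @@ -218) correctly says "updating". Suggest `throw new ShiroException("Unexpected error while updating the lockout policy", kex);` so the two realms report the same failure the same way. The message in hunk @@ -177 has the same slant: the caught KapuaException comes from `credentialService.getConfigValues(scopeId)`, not from locating the service (LOCATOR.getService is not what that catch covers), so `"Unexpected error while loading the CredentialService configuration!"` would point a reader at the right call.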
@@ -87,7 +87,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
             userService = LOCATOR.getService(UserService.class);
             credentialService = LOCATOR.getService(CredentialService.class);
         } catch (KapuaRuntimeException kre) {
-            throw new ShiroException("Error while getting services!", kre);
+            throw new ShiroException("Unexpected error while loading KapuaServices!", kre);
         }
 
         //
@@ -98,7 +98,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Error while find user!", e);
+            throw new ShiroException("Unexpected error while looking for the user!", e);
         }
 
         //
@@ -124,7 +124,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authent
         } catch (AuthenticationException ae) {
             throw ae;
         } catch (Exception e) {
-            throw new ShiroException("Error while find credentials!", e);
+            throw new ShiroException("Unexpected error while looking for the credentials!", e);
         }
 
         //
@@ -164,8 +164,8 @@ protected void assertCredentialsMatch(AuthenticationToken authcToken, Authentica
                 hasMfa = true;
             }
         } catch (KapuaException e) {
-            LOG.warn("Error while finding User. Error: {}", e.getMessage());
-            throw new ShiroException("Error while finding user!", e);
+            LOG.warn("Unexpected error while looking for the User. Error: {}", e.getMessage());
+            throw new ShiroException("Unexpected error while looking for the user!", e);
         }
 
         try {
@@ -218,7 +218,7 @@ protected void assertCredentialsMatch(AuthenticationToken authcToken, Authentica
                 credentialService.update(failedCredential);
             });
         } catch (KapuaException kex) {
-            throw new ShiroException("Error while updating lockout policy", kex);
+            throw new ShiroException("Unexpected error while updating the lockout policy", kex);
         }
         throw authenticationEx;
     }