[ELY-2554] Don't exclude mechanisms we don't know about.

We don't know what their credential requirements are so can't exclude them.
wildfly-security · May 21, 2023 · 1c33729 · 1c33729
1 parent d250384
commit 1c33729
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 2 deletions.
diff --git a/...rc/main/java/org/wildfly/security/auth/server/AbstractMechanismAuthenticationFactory.java b/...rc/main/java/org/wildfly/security/auth/server/AbstractMechanismAuthenticationFactory.java
@@ -76,11 +76,25 @@ public M createMechanism(final String name, final UnaryOperator<F> factoryTransf
      */
     protected abstract boolean usesCredentials(String mechName);
 
+    /**
+     * Determine whether the given mechanism name is known to WildFly Elytron.
+     *
+     * If it is not known we can't filter it out as we can not rely upon the other methods being able to
+     * return accurate responses about the mechanisms requirements.
+     *
+     * @param mechName the mechanism name
+     * @return {@code true} if the mechanism is known to WildFly Elytron, {@code false} if it is not
+     */
+    protected abstract boolean isKnownMechanism(String mechName);
+
     public Collection<String> getMechanismNames() {
         final Collection<String> names = new LinkedHashSet<>();
         top: for (String mechName : getAllSupportedMechNames()) {
-            // if the mech doesn't need credentials, then we support it for sure
-            if (! usesCredentials(mechName)) {
+            // If we don't know about the mech we have to support it as it is likely
+            // a custom mechanism so our filtering rules will not be correct.
+            if ((! isKnownMechanism(mechName)) ||
+                 // if the mech doesn't need credentials, then we support it for sure
+                 (! usesCredentials(mechName))) {
                 names.add(mechName);
                 continue;
             }

diff --git a/.../deprecated/src/main/java/org/wildfly/security/auth/server/HttpAuthenticationFactory.java b/.../deprecated/src/main/java/org/wildfly/security/auth/server/HttpAuthenticationFactory.java
@@ -120,6 +120,26 @@ protected boolean usesCredentials(final String mechName) {
         }
     }
 
+    @Override
+    protected boolean isKnownMechanism(String mechName) {
+        switch (mechName) {
+            case HttpConstants.BASIC_NAME:
+            case HttpConstants.CLIENT_CERT_NAME:
+            case HttpConstants.DIGEST_NAME:
+            case HttpConstants.DIGEST_SHA256_NAME:
+            case HttpConstants.DIGEST_SHA512_256_NAME:
+            case HttpConstants.EXTERNAL_NAME:
+            case HttpConstants.FORM_NAME:
+            case HttpConstants.SPNEGO_NAME:
+            case HttpConstants.BEARER_TOKEN: {
+                return true;
+            }
+            default: {
+                return false;
+            }
+        }
+    }
+
     public void shutdownAuthenticationMechanismFactory() {
         super.getFactory().shutdown();
     }

diff --git a/.../deprecated/src/main/java/org/wildfly/security/auth/server/SaslAuthenticationFactory.java b/.../deprecated/src/main/java/org/wildfly/security/auth/server/SaslAuthenticationFactory.java
@@ -97,6 +97,11 @@ protected boolean usesCredentials(final String mechName) {
         return SaslMechanismInformation.needsServerCredentials(mechName);
     }
 
+    @Override
+    protected boolean isKnownMechanism(String mechName) {
+        return SaslMechanismInformation.isKnownMechanism(mechName);
+    }
+
     static final Map<String, String> QUERY_ALL = Collections.singletonMap(WildFlySasl.MECHANISM_QUERY_ALL, "true");
 
     /**

diff --git a/...r/http/src/main/java/org/wildfly/security/auth/server/http/HttpAuthenticationFactory.java b/...r/http/src/main/java/org/wildfly/security/auth/server/http/HttpAuthenticationFactory.java
@@ -121,6 +121,26 @@ protected boolean usesCredentials(final String mechName) {
         }
     }
 
+    @Override
+    protected boolean isKnownMechanism(String mechName) {
+        switch (mechName) {
+            case HttpConstants.BASIC_NAME:
+            case HttpConstants.CLIENT_CERT_NAME:
+            case HttpConstants.DIGEST_NAME:
+            case HttpConstants.DIGEST_SHA256_NAME:
+            case HttpConstants.DIGEST_SHA512_256_NAME:
+            case HttpConstants.EXTERNAL_NAME:
+            case HttpConstants.FORM_NAME:
+            case HttpConstants.SPNEGO_NAME:
+            case HttpConstants.BEARER_TOKEN: {
+                return true;
+            }
+            default: {
+                return false;
+            }
+        }
+    }
+
     public void shutdownAuthenticationMechanismFactory() {
         super.getFactory().shutdown();
     }

diff --git a/...r/sasl/src/main/java/org/wildfly/security/auth/server/sasl/SaslAuthenticationFactory.java b/...r/sasl/src/main/java/org/wildfly/security/auth/server/sasl/SaslAuthenticationFactory.java
@@ -99,6 +99,11 @@ protected boolean usesCredentials(final String mechName) {
         return SaslMechanismInformation.needsServerCredentials(mechName);
     }
 
+    @Override
+    protected boolean isKnownMechanism(String mechName) {
+        return SaslMechanismInformation.isKnownMechanism(mechName);
+    }
+
     static final Map<String, String> QUERY_ALL = Collections.singletonMap(WildFlySasl.MECHANISM_QUERY_ALL, "true");
 
     /**

diff --git a/sasl/base/src/main/java/org/wildfly/security/sasl/util/SaslMechanismInformation.java b/sasl/base/src/main/java/org/wildfly/security/sasl/util/SaslMechanismInformation.java
@@ -154,6 +154,45 @@ private Names() {}
         Names.SECURID
     );
 
+    private static final Set<String> KNOWN_MECHS = nSet(
+            Names.CRAM_MD5,
+            Names.DIGEST_MD5,
+            Names.DIGEST_SHA,
+            Names.DIGEST_SHA_256,
+            Names.DIGEST_SHA_384,
+            Names.DIGEST_SHA_512,
+            Names.DIGEST_SHA_512_256,
+            Names.SCRAM_SHA_1,
+            Names.SCRAM_SHA_1_PLUS,
+            Names.SCRAM_SHA_256,
+            Names.SCRAM_SHA_256_PLUS,
+            Names.SCRAM_SHA_384,
+            Names.SCRAM_SHA_384_PLUS,
+            Names.SCRAM_SHA_512,
+            Names.SCRAM_SHA_512_PLUS,
+            Names.IEC_ISO_9798_M_DSA_SHA1,
+            Names.IEC_ISO_9798_M_ECDSA_SHA1,
+            Names.IEC_ISO_9798_M_RSA_SHA1_ENC,
+            Names.IEC_ISO_9798_U_DSA_SHA1,
+            Names.IEC_ISO_9798_U_ECDSA_SHA1,
+            Names.IEC_ISO_9798_U_RSA_SHA1_ENC,
+            Names.ANONYMOUS,
+            Names.EAP_AES128,
+            Names.EAP_AES128_PLUS,
+            Names.EXTERNAL,
+            Names.JBOSS_LOCAL_USER,
+            Names.OAUTH_10_A,
+            Names.OAUTHBEARER,
+            Names.OPENID20,
+            Names.OTP,
+            Names.SAML20,
+            Names.SECURID,
+            Names.PLAIN,
+            Names.GS2_KRB5,
+            Names.GS2_KRB5_PLUS,
+            Names.GSSAPI
+    );
+
     /**
      * A predicate which is true when the mechanism uses MD5.
      */
@@ -748,6 +787,18 @@ public static boolean doesNotRequireClientCredentials(final String mechName) {
         }
     }
 
+    /**
+     * Determine whether a mechanism is known by WildFly Elytron.
+     *
+     * If the mechanism is not known the other methods in this class can not be relied upon.
+     *
+     * @param mechName the mechanism name
+     * @return {@code true} if the mechanism is known to WildFly Elytron, {@code false} if it is not known
+     */
+    public static boolean isKnownMechanism(final String mechName) {
+        return KNOWN_MECHS.contains(mechName);
+    }
+
     @SafeVarargs
     private static <T> Set<T> nSet(T... values) {
         return unmodifiableSet(new LinkedHashSet<>(asList(values)));