scm-webapp/src/main/java/sonia/scm/security/DefaultRealm.java

/**
 * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer. 2. Redistributions in
 * binary form must reproduce the above copyright notice, this list of
 * conditions and the following disclaimer in the documentation and/or other
 * materials provided with the distribution. 3. Neither the name of SCM-Manager;
 * nor the names of its contributors may be used to endorse or promote products
 * derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * http://bitbucket.org/sdorra/scm-manager
 *
 */


package sonia.scm.security;

//~--- non-JDK imports --------------------------------------------------------

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSet.Builder;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import sonia.scm.group.Group;
import sonia.scm.group.GroupDAO;
import sonia.scm.group.GroupNames;
import sonia.scm.user.User;
import sonia.scm.user.UserDAO;

import static com.google.common.base.Preconditions.*;

//~--- JDK imports ------------------------------------------------------------

import javax.inject.Inject;
import javax.inject.Singleton;

/**
 *
 * @author Sebastian Sdorra
 *
 * @since 2.0.0
 */
@Singleton
public class DefaultRealm extends AuthorizingRealm
{

  /** Field description */
  @VisibleForTesting
  static final String REALM = "DefaultRealm";

  /**
   *   the logger for DefaultRealm
   */
  private static final Logger logger =
    LoggerFactory.getLogger(DefaultRealm.class);

  //~--- constructors ---------------------------------------------------------

  /**
   * Constructs ...
   *
   *
   * @param service
   * @param collector
   * @param userDAO
   * @param groupDAO
   */
  @Inject
  public DefaultRealm(PasswordService service,
    AuthorizationCollector collector, UserDAO userDAO, GroupDAO groupDAO)
  {
    this.collector = collector;
    this.userDAO = userDAO;
    this.groupDAO = groupDAO;

    PasswordMatcher matcher = new PasswordMatcher();

    matcher.setPasswordService(service);
    setCredentialsMatcher(matcher);
    setAuthenticationTokenClass(UsernamePasswordToken.class);
  }

  //~--- methods --------------------------------------------------------------

  /**
   * Method description
   *
   *
   * @param token
   *
   * @return
   *
   * @throws AuthenticationException
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(
    AuthenticationToken token)
    throws AuthenticationException
  {
    checkArgument(token instanceof UsernamePasswordToken, "%s is required",
      UsernamePasswordToken.class);

    UsernamePasswordToken upt = (UsernamePasswordToken) token;
    String principal = upt.getUsername();

    checkArgument(!Strings.isNullOrEmpty(principal), "username is required");

    logger.debug("try to authenticate {}", principal);

    User user = userDAO.get(principal);

    if (user == null)
    {
      //J-
      throw new UnknownAccountException(
        String.format("unknown account %s", principal)
      );
      //J+
    }

    if (!user.isActive())
    {
      //J-
      throw new DisabledAccountException(
        String.format("account %s is disabled", principal)
      );
      //J+
    }

    SimplePrincipalCollection collection = new SimplePrincipalCollection();

    collection.add(principal, REALM);
    collection.add(user, REALM);
    collection.add(collectGroups(principal), REALM);

    return new SimpleAuthenticationInfo(collection, user.getPassword());
  }

  /**
   * Method description
   *
   *
   * @param principals
   *
   * @return
   */
  @Override
  protected AuthorizationInfo doGetAuthorizationInfo(
    PrincipalCollection principals)
  {
    return collector.collect(principals);
  }

  /**
   * Method description
   *
   *
   * @param principal
   *
   * @return
   */
  private GroupNames collectGroups(String principal)
  {
    Builder<String> builder = ImmutableSet.builder();

    builder.add(GroupNames.AUTHENTICATED);

    for (Group group : groupDAO.getAll())
    {
      if (group.isMember(principal))
      {
        builder.add(group.getName());
      }
    }

    GroupNames groups = new GroupNames(builder.build());

    logger.debug("collected following groups for principal {}: {}", principal,
      groups);

    return groups;
  }

  //~--- fields ---------------------------------------------------------------

  /** Field description */
  private final AuthorizationCollector collector;

  /** Field description */
  private final GroupDAO groupDAO;

  /** Field description */
  private final UserDAO userDAO;
}
replace scm-manager 1.x security api with apache shiro and use PasswordService for stronger password hashes 2014-12-14 12:26:03 +01:00			`/**`
			`* Copyright (c) 2014, Sebastian Sdorra All rights reserved.`
			`*`
			`* Redistribution and use in source and binary forms, with or without`
			`* modification, are permitted provided that the following conditions are met:`
			`*`
			`* 1. Redistributions of source code must retain the above copyright notice,`
			`* this list of conditions and the following disclaimer. 2. Redistributions in`
			`* binary form must reproduce the above copyright notice, this list of`
			`* conditions and the following disclaimer in the documentation and/or other`
			`* materials provided with the distribution. 3. Neither the name of SCM-Manager;`
			`* nor the names of its contributors may be used to endorse or promote products`
			`* derived from this software without specific prior written permission.`
			`*`
			`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
			`* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR`
			`* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
			`* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER`
			`* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
			`* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
			`* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
			`*`
			`* http://bitbucket.org/sdorra/scm-manager`
			`*`
			`*/`



			`package sonia.scm.security;`

			`//~--- non-JDK imports --------------------------------------------------------`

			`import com.google.common.annotations.VisibleForTesting;`
			`import com.google.common.base.Strings;`
			`import com.google.common.collect.ImmutableSet;`
			`import com.google.common.collect.ImmutableSet.Builder;`

			`import org.apache.shiro.authc.AuthenticationException;`
			`import org.apache.shiro.authc.AuthenticationInfo;`
			`import org.apache.shiro.authc.AuthenticationToken;`
			`import org.apache.shiro.authc.DisabledAccountException;`
			`import org.apache.shiro.authc.SimpleAuthenticationInfo;`
			`import org.apache.shiro.authc.UnknownAccountException;`
			`import org.apache.shiro.authc.UsernamePasswordToken;`
			`import org.apache.shiro.authc.credential.PasswordMatcher;`
			`import org.apache.shiro.authc.credential.PasswordService;`
			`import org.apache.shiro.authz.AuthorizationInfo;`
			`import org.apache.shiro.realm.AuthorizingRealm;`
			`import org.apache.shiro.subject.PrincipalCollection;`
			`import org.apache.shiro.subject.SimplePrincipalCollection;`

			`import org.slf4j.Logger;`
			`import org.slf4j.LoggerFactory;`

			`import sonia.scm.group.Group;`
			`import sonia.scm.group.GroupDAO;`
			`import sonia.scm.group.GroupNames;`
			`import sonia.scm.user.User;`
			`import sonia.scm.user.UserDAO;`

			`import static com.google.common.base.Preconditions.*;`

			`//~--- JDK imports ------------------------------------------------------------`

			`import javax.inject.Inject;`
			`import javax.inject.Singleton;`

			`/**`
			`*`
			`* @author Sebastian Sdorra`
			`*`
			`* @since 2.0.0`
			`*/`
			`@Singleton`
			`public class DefaultRealm extends AuthorizingRealm`
			`{`

			`/** Field description */`
			`@VisibleForTesting`
			`static final String REALM = "DefaultRealm";`

			`/**`
			`* the logger for DefaultRealm`
			`*/`
			`private static final Logger logger =`
			`LoggerFactory.getLogger(DefaultRealm.class);`

			`//~--- constructors ---------------------------------------------------------`

			`/**`
			`* Constructs ...`
			`*`
			`*`
			`* @param service`
			`* @param collector`
			`* @param userDAO`
			`* @param groupDAO`
			`*/`
			`@Inject`
			`public DefaultRealm(PasswordService service,`
			`AuthorizationCollector collector, UserDAO userDAO, GroupDAO groupDAO)`
			`{`
			`this.collector = collector;`
			`this.userDAO = userDAO;`
			`this.groupDAO = groupDAO;`

			`PasswordMatcher matcher = new PasswordMatcher();`

			`matcher.setPasswordService(service);`
			`setCredentialsMatcher(matcher);`
			`setAuthenticationTokenClass(UsernamePasswordToken.class);`
			`}`

			`//~--- methods --------------------------------------------------------------`

			`/**`
			`* Method description`
			`*`
			`*`
			`* @param token`
			`*`
			`* @return`
			`*`
			`* @throws AuthenticationException`
			`*/`
			`@Override`
			`protected AuthenticationInfo doGetAuthenticationInfo(`
			`AuthenticationToken token)`
			`throws AuthenticationException`
			`{`
			`checkArgument(token instanceof UsernamePasswordToken, "%s is required",`
			`UsernamePasswordToken.class);`

			`UsernamePasswordToken upt = (UsernamePasswordToken) token;`
			`String principal = upt.getUsername();`

			`checkArgument(!Strings.isNullOrEmpty(principal), "username is required");`

			`logger.debug("try to authenticate {}", principal);`

			`User user = userDAO.get(principal);`

			`if (user == null)`
			`{`
			`//J-`
			`throw new UnknownAccountException(`
			`String.format("unknown account %s", principal)`
			`);`
			`//J+`
			`}`

			`if (!user.isActive())`
			`{`
			`//J-`
			`throw new DisabledAccountException(`
			`String.format("account %s is disabled", principal)`
			`);`
			`//J+`
			`}`

			`SimplePrincipalCollection collection = new SimplePrincipalCollection();`

			`collection.add(principal, REALM);`
			`collection.add(user, REALM);`
			`collection.add(collectGroups(principal), REALM);`

			`return new SimpleAuthenticationInfo(collection, user.getPassword());`
			`}`

			`/**`
			`* Method description`
			`*`
			`*`
			`* @param principals`
			`*`
			`* @return`
			`*/`
			`@Override`
			`protected AuthorizationInfo doGetAuthorizationInfo(`
			`PrincipalCollection principals)`
			`{`
			`return collector.collect(principals);`
			`}`

			`/**`
			`* Method description`
			`*`
			`*`
			`* @param principal`
			`*`
			`* @return`
			`*/`
			`private GroupNames collectGroups(String principal)`
			`{`
			`Builder<String> builder = ImmutableSet.builder();`

			`builder.add(GroupNames.AUTHENTICATED);`

			`for (Group group : groupDAO.getAll())`
			`{`
			`if (group.isMember(principal))`
			`{`
			`builder.add(group.getName());`
			`}`
			`}`

			`GroupNames groups = new GroupNames(builder.build());`

			`logger.debug("collected following groups for principal {}: {}", principal,`
			`groups);`

			`return groups;`
			`}`

			`//~--- fields ---------------------------------------------------------------`

			`/** Field description */`
			`private final AuthorizationCollector collector;`

			`/** Field description */`
			`private final GroupDAO groupDAO;`

			`/** Field description */`
			`private final UserDAO userDAO;`
			`}`