Author: shawkins Date: 2009-04-08 16:38:18 -0400 (Wed, 08 Apr 2009) New Revision: 732 Modified: trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java Log: TEIID-476 adding a property to restrict root logons Modified: trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java =================================================================== --- trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java 2009-04-08 15:36:10 UTC (rev 731) +++ trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java 2009-04-08 20:38:18 UTC (rev 732) @@ -64,6 +64,7 @@ public static final String ADMIN_PASSWORD = ConfigurationPropertyNames.MEMBERSHIP_ADMIN_PASSWORD; public static final String ADMIN_USERNAME = ConfigurationPropertyNames.MEMBERSHIP_ADMIN_USERNAME; public static final String DOMAIN_ACTIVE = "activate"; //$NON-NLS-1$ + public static final String ADMIN_HOSTS = "metamatrix.security.admin.allowedHosts"; //$NON-NLS-1$ public static final String SECURITY_ENABLED = ConfigurationPropertyNames.MEMBERSHIP_SECURITY_ENABLED; public static final String DOMAIN_PROPERTIES = "propertiesFile"; //$NON-NLS-1$ Modified: trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java =================================================================== --- trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java 2009-04-08 15:36:10 UTC (rev 731) +++ trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java 2009-04-08 20:38:18 UTC (rev 732) @@ -38,7 +38,10 @@ import java.util.List; import java.util.Properties; import java.util.Set; +import java.util.regex.Pattern; +import org.teiid.dqp.internal.process.DQPWorkContext; + import com.metamatrix.admin.api.exception.security.MetaMatrixSecurityException; import com.metamatrix.api.exception.security.InvalidPrincipalException; import com.metamatrix.api.exception.security.InvalidUserException; @@ -111,6 +114,8 @@ private String adminUsername = DEFAULT_ADMIN_USERNAME; private String adminCredentials; + private Pattern allowedAddresses; + private boolean isSecurityEnabled = true; public MembershipServiceImpl() { @@ -137,6 +142,11 @@ throw new ServiceException(PlatformPlugin.Util.getString("MembershipServiceImpl.Root_password_required")); //$NON-NLS-1$ } + String property = env.getProperty(ADMIN_HOSTS); + if (property != null && property.length() > 0) { + this.allowedAddresses = Pattern.compile(property); + } + isSecurityEnabled = Boolean.valueOf(env.getProperty(SECURITY_ENABLED)).booleanValue(); LogManager.logDetail(LogSecurityConstants.CTX_MEMBERSHIP, "Security Enabled: " + isSecurityEnabled); //$NON-NLS-1$ @@ -266,6 +276,14 @@ protected void killService() { this.shutdownDomains(); } + + void setAllowedAddresses(Pattern allowedAddresses) { + this.allowedAddresses = allowedAddresses; + } + + void setAdminCredentials(String adminCredentials) { + this.adminCredentials = adminCredentials; + } /** * Authenticate a user with the specified username and credential @@ -306,6 +324,17 @@ } if (isSuperUser(username)) { + if (isSecurityEnabled && allowedAddresses != null) { + String address = DQPWorkContext.getWorkContext().getClientAddress(); + if (address == null) { + LogManager.logWarning(LogSecurityConstants.CTX_MEMBERSHIP, PlatformPlugin.Util.getString("MembershipServiceImpl.unknown_host")); //$NON-NLS-1$ + return new FailedAuthenticationToken(); + } + if (!allowedAddresses.matcher(address).matches() || address.equals(CurrentConfiguration.getInstance().getHostAddress().getHostAddress())) { + LogManager.logWarning(LogSecurityConstants.CTX_MEMBERSHIP, PlatformPlugin.Util.getString("MembershipServiceImpl.invalid_host", address, allowedAddresses.pattern())); //$NON-NLS-1$ + return new FailedAuthenticationToken(); + } + } // decrypt admin password for comparison if ((credential != null && adminCredentials.equals(String.valueOf(credential.getCredentialsAsCharArray())))) { return new SuccessfulAuthenticationToken(trustedPayload, username); Modified: trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties =================================================================== --- trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties 2009-04-08 15:36:10 UTC (rev 731) +++ trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties 2009-04-08 20:38:18 UTC (rev 732) @@ -1267,6 +1267,8 @@ MembershipServiceImpl.Decrypt_failed=Could not decrypt the encrypted password for user ''{0}'' MembershipServiceImpl.source_exception=Membership Domain ''{0}'' failed to perform the desired operation, please check the settings for this domain MembershipServiceImpl.load_error=Could not load file ''{0}'' from the classpath, the file system, or as a URL. +MembershipServiceImpl.unknown_host=Did not allow root user authentication attempt, since root logons are restricted and could not determine the remote host. +MembershipServiceImpl.invalid_host=Could not authenticate root user, since the client address {0} is not in the allowed values {1} LDAPMembershipDomain.No_annonymous=Annonymous user authentications are not allowed in domain {0} LDAPMembershipDomain.Required_property=Required property {0} was missing. Modified: trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java =================================================================== --- trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java 2009-04-08 15:36:10 UTC (rev 731) +++ trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java 2009-04-08 20:38:18 UTC (rev 732) @@ -23,9 +23,12 @@ package com.metamatrix.platform.security.membership.service; import java.util.Properties; +import java.util.regex.Pattern; import junit.framework.TestCase; +import org.teiid.dqp.internal.process.DQPWorkContext; + import com.metamatrix.api.exception.security.InvalidPrincipalException; import com.metamatrix.common.util.crypto.CryptoUtil; import com.metamatrix.platform.security.api.Credentials; @@ -86,6 +89,26 @@ return membershipService; } + public void testSuperAuthenticate() throws Exception { + MembershipServiceImpl membershipService = createMembershipService(); + membershipService.setAllowedAddresses(Pattern.compile("192[.]168[.]0[.]2")); //$NON-NLS-1$ + membershipService.setAdminCredentials("pass1"); //$NON-NLS-1$ + + AuthenticationToken at = membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$ + + assertFalse(at.isAuthenticated()); + DQPWorkContext.getWorkContext().setClientAddress("192.168.0.1"); //$NON-NLS-1$ + at = membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$ + + assertFalse(at.isAuthenticated()); + DQPWorkContext.getWorkContext().setClientAddress("192.168.0.2"); //$NON-NLS-1$ + at = membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$ + + assertTrue(at.isAuthenticated()); + } + + + public void testGetPrincipal() throws Exception { MembershipServiceImpl membershipService = createMembershipService();