/**
 * Converts a {@link User} into the metadata entity that is persisted for it.
 *
 * <p>The resulting entity carries the password salt, the password hash and the
 * encrypted content key, so it should be handled as sensitive data (for
 * example, kept out of log output).
 *
 * @param user the user to convert
 * @return a new entity holding the user's properties plus the user metadata type marker
 */
public static SimpleEntity toEntity(User user) {
    SimpleEntity userEntity = new SimpleEntity();

    // Identity and host restriction.
    userEntity.addProperty(Constants.USER_NAME, user.getUsername());
    userEntity.addProperty(Constants.HOST, user.getHost());

    // Credential material: wrapped content key, salt, password hash and engine descriptor.
    userEntity.addProperty(Constants.USER_CONTENT_KEY, user.getEncryptedContentKey());
    userEntity.addProperty(Constants.SALT, user.getPasswordSalt());
    userEntity.addProperty(Constants.USER_PASSWORD_HASH, user.getPasswordHash());
    userEntity.addProperty(Constants.USER_ENGINE, user.getEncryptionEngine());

    // Type marker that identifies the entity as user metadata.
    userEntity.addProperty(Constants.META_TYPE, UserMetadataProvider.USERMETA_TYPE);
    return userEntity;
}
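/**
 * Authenticates a user by name, password and originating host.
 *
 * <p>The supplied password is hashed with the user's stored salt and the
 * user's own crypto engine, then compared with the stored hash. The host is
 * accepted when the user's allowed host is {@code "*"} or equals
 * {@code sourceHost}. Every failure is reported with the same generic message
 * so the caller cannot tell which check failed.
 *
 * @param userName   name of the user to authenticate
 * @param sourceHost host the request originates from
 * @param password   clear-text password supplied by the caller
 * @return the authenticated user
 * @throws JasDBStorageException if the user cannot be loaded or the credentials are rejected
 */
@Override
public User getUser(String userName, String sourceHost, String password) throws JasDBStorageException {
    User user = userMetadataProvider.getUser(userName);
    if (user == null) {
        // NOTE(review): whether the provider returns null or throws for an unknown
        // name is not visible here; if it returns null, fail with the same generic
        // message instead of a NullPointerException.
        throw new JasDBSecurityException("Could not authenticate, invalid credentials");
    }
    LOG.debug("Expected host: {} actual: {}", user.getHost(), sourceHost);

    CryptoEngine cryptoEngine = CryptoFactory.getEngine(user.getEncryptionEngine());
    String storedHash = user.getPasswordHash();
    String suppliedHash = cryptoEngine.hash(user.getPasswordSalt(), password);

    // Compare the hashes in constant time; String.equals returns at the first
    // differing character, which makes the comparison time depend on the data.
    boolean passwordMatches = storedHash != null && suppliedHash != null
            && java.security.MessageDigest.isEqual(
                    storedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    suppliedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    // A missing host restriction is treated as "no host allowed" (fail closed).
    String allowedHost = user.getHost();
    boolean hostAllowed = "*".equals(allowedHost)
            || (allowedHost != null && allowedHost.equals(sourceHost));

    if (passwordMatches && hostAllowed) {
        // Log only the name: User.toString() is not visible here and the object
        // holds the salt, password hash and encrypted content key.
        LOG.debug("User: {} has been authenticated", user.getUsername());
        return user;
    }
    throw new JasDBSecurityException("Could not authenticate, invalid credentials");
}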
/**
 * Authenticates the credentials and opens a new session for the user.
 *
 * <p>The user's content key is unwrapped with the supplied password and then
 * re-wrapped with the freshly generated access token, so the session holds
 * the content key in a form that only the token can open. The session is
 * registered only after the user has been authorized for CONNECT on "/".
 *
 * @param credentials credentials presented by the client
 * @return the newly created session, including its access token
 * @throws JasDBStorageException if authentication, key handling or authorization fails
 */
@Override
public UserSession startSession(Credentials credentials) throws JasDBStorageException {
    User authenticatedUser = userManager.authenticate(credentials);

    String sessionId = UUID.randomUUID().toString();
    String accessToken = UUID.randomUUID().toString();

    CryptoEngine engine = CryptoFactory.getEngine(authenticatedUser.getEncryptionEngine());

    // Unwrap the content key with the password ...
    String plainContentKey = engine.decrypt(
            authenticatedUser.getPasswordSalt(),
            credentials.getPassword(),
            authenticatedUser.getEncryptedContentKey());

    // ... and wrap it again under the session's access token.
    String sessionWrappedKey = engine.encrypt(
            authenticatedUser.getPasswordSalt(), accessToken, plainContentKey);

    UserSession session = new UserSessionImpl(sessionId, accessToken, sessionWrappedKey, authenticatedUser);

    // Authorization runs before the session is stored, so a failed check leaves no entry behind.
    userManager.authorize(session, "/", AccessMode.CONNECT);

    secureUserSessionMap.put(sessionId, new SecureUserSession(session));
    return session;
}
// Maps a user to its username. The anonymous class and the call that this
// method belongs to start outside this excerpt; only their closing "});" is visible.
@Override
public String apply(User user) {
    return user.getUsername();
}
});
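/**
 * Creates a new user on behalf of an existing session.
 *
 * <p>The caller must hold WRITE access on "/Users". The content key is
 * unwrapped from the current session with its access token and handed to the
 * credentials provider together with the new user's password.
 *
 * @param currentSession session of the user performing the operation
 * @param userName       name of the user to create
 * @param allowedHost    host the new user may connect from
 * @param password       clear-text password of the new user
 * @return the created user
 * @throws JasDBStorageException if the session is not authorized or the user cannot be created
 */
@Override
public User addUser(UserSession currentSession, String userName, String allowedHost, String password) throws JasDBStorageException {
    // authorize(...) rejects a missing session, so currentSession is usable below.
    authorize(currentSession, "/Users", AccessMode.WRITE);

    User currentUser = currentSession.getUser();

    // startSession(...) wraps the session's content key with the engine named by the
    // user's encryption-engine descriptor, so the same engine is used to unwrap it
    // here instead of the factory default, which fails when the two differ.
    CryptoEngine cryptoEngine = CryptoFactory.getEngine(currentUser.getEncryptionEngine());
    String contentKey = cryptoEngine.decrypt(
            currentUser.getPasswordSalt(),
            currentSession.getAccessToken(),
            currentSession.getEncryptedContentKey());

    return credentialsProvider.addUser(userName, allowedHost, contentKey, password);
}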
/**
 * Registers a user metadata entity that already exists in the metadata store.
 *
 * @param entity        stored entity describing a user
 * @param recordPointer location of the entity in the metadata store
 * @throws JasDBStorageException if the entity cannot be converted into a user
 */
@Override
public void registerMetadataEntity(Entity entity, long recordPointer) throws JasDBStorageException {
    User loadedUser = UserMeta.fromEntity(entity);
    String username = loadedUser.getUsername();

    // Index the user by name together with its record pointer.
    userMetaMap.put(username, new MetaWrapper<>(loadedUser, recordPointer));
}
}
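/**
 * Decrypts a stored grant record using the content key held by the session.
 *
 * @param session         session whose access token unwraps the content key
 * @param encryptedGrants encrypted grant record with its salt and engine descriptor
 * @return the decrypted grant object
 * @throws JasDBStorageException if a decryption step or the JSON conversion fails
 */
private GrantObject decrypt(UserSession session, EncryptedGrants encryptedGrants) throws JasDBStorageException {
    // startSession(...) wraps the session's content key with the engine named by the
    // user's encryption-engine descriptor, so that engine is used to unwrap it here
    // instead of the factory default, which fails when the two differ.
    CryptoEngine contentCryptoEngine = CryptoFactory.getEngine(session.getUser().getEncryptionEngine());
    String contentKey = contentCryptoEngine.decrypt(
            session.getUser().getPasswordSalt(),
            session.getAccessToken(),
            session.getEncryptedContentKey());

    // The grant record names the engine it was written with.
    CryptoEngine cryptoEngine = CryptoFactory.getEngine(encryptedGrants.getEncryptionEngine());
    String decryptedData = cryptoEngine.decrypt(
            encryptedGrants.getSalt(), contentKey, encryptedGrants.getEncryptedData());

    return GrantObjectMeta.fromEntity(SimpleEntity.fromJson(decryptedData));
}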
/**
 * Persists a user in the metadata store and indexes it by username.
 *
 * @param user the user to store
 * @throws JasDBStorageException if the metadata store rejects the entity
 */
public void addUser(User user) throws JasDBStorageException {
    // Write the entity first; the in-memory index is updated only after the store accepted it.
    long recordPointer = metadataStore.addMetadataEntity(UserMeta.toEntity(user));

    String username = user.getUsername();
    userMetaMap.put(username, new MetaWrapper<>(user, recordPointer));
}
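/**
 * Encrypts a grant object with the content key held by the session.
 *
 * <p>A fresh salt is generated for every call and stored next to the
 * ciphertext together with the descriptor of the engine that produced it.
 *
 * @param grantObject grants to encrypt
 * @param userSession session whose access token unwraps the content key
 * @return the encrypted grant record
 * @throws JasDBStorageException if key unwrapping or encryption fails
 */
private EncryptedGrants encryptGrants(GrantObject grantObject, UserSession userSession) throws JasDBStorageException {
    // startSession(...) wraps the session's content key with the engine named by the
    // user's encryption-engine descriptor, so that engine is used to unwrap it here
    // instead of the factory default, which fails when the two differ.
    CryptoEngine sessionEngine = CryptoFactory.getEngine(userSession.getUser().getEncryptionEngine());
    String contentKey = sessionEngine.decrypt(
            userSession.getUser().getPasswordSalt(),
            userSession.getAccessToken(),
            userSession.getEncryptedContentKey());

    // New grant records are written with the default engine; its descriptor is
    // stored in the record so the matching engine can be selected when reading.
    CryptoEngine cryptoEngine = CryptoFactory.getEngine();
    String salt = cryptoEngine.generateSalt();
    String unencryptedData = SimpleEntity.toJson(GrantObjectMeta.toEntity(grantObject));
    String encryptedData = cryptoEngine.encrypt(salt, contentKey, unencryptedData);

    return new EncryptedGrants(grantObject.getObjectName(), encryptedData, salt, cryptoEngine.getDescriptor());
}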
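/**
 * Walks the object path from the root down and decides whether the session's
 * user holds at least {@code objectMode} on {@code objectName}.
 *
 * <p>The root grant is the starting point (no grant counts as NONE). Each
 * deeper path level that has a grant replaces the inherited mode; a NONE
 * below the root stops the walk, so nothing further down can widen access
 * again.
 *
 * <p>NOTE(review): a NONE at the root does not stop the walk, unlike a NONE
 * further down - confirm this is intended.
 *
 * @param objectName  separator-delimited object path
 * @param userSession session of the user being checked
 * @param objectMode  access mode required by the caller
 * @return {@code true} when the effective mode ranks at least as high as {@code objectMode}
 * @throws JasDBStorageException if a grant cannot be loaded
 */
private boolean checkGrantHierarchy(String objectName, UserSession userSession, AccessMode objectMode) throws JasDBStorageException {
    String userName = userSession.getUser().getUsername();
    LOG.debug("Checking grant hierarchy for: {} for user: {}", objectName, userName);

    if (objectName == null) {
        // No object to check: deny instead of failing with a NullPointerException.
        return false;
    }

    // check root access first
    StringBuilder currentPath = new StringBuilder();
    currentPath.append(Constants.OBJECT_SEPARATOR);
    AccessMode grantedMode = getGrantedMode(currentPath.toString(), userSession);
    LOG.debug("Root access mode: {} for user: {}", grantedMode, userName);
    if (grantedMode == null) {
        grantedMode = AccessMode.NONE;
    }

    // Strip only a leading separator. replaceFirst(...) removed the first separator
    // wherever it occurred, so a name without a leading separator had its first two
    // path elements merged and the check ran against a different path.
    String relativePath = objectName.startsWith(Constants.OBJECT_SEPARATOR)
            ? objectName.substring(Constants.OBJECT_SEPARATOR.length())
            : objectName;
    // The separator is a literal, not a regular expression.
    String[] pathElements = relativePath.split(java.util.regex.Pattern.quote(Constants.OBJECT_SEPARATOR));

    for (String pathElement : pathElements) {
        currentPath.append(pathElement);
        AccessMode mode = getGrantedMode(currentPath.toString(), userSession);
        if (mode != null) {
            grantedMode = mode;
            if (mode == AccessMode.NONE) {
                // Explicit denial at this level: deeper grants are not consulted.
                break;
            }
        }
        currentPath.append(Constants.OBJECT_SEPARATOR);
    }
    LOG.debug("Grant level: {} for path: {}", grantedMode, currentPath.toString());

    // grantedMode is never null here: it starts as NONE and is only replaced by non-null modes.
    return grantedMode.getRank() >= objectMode.getRank();
}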
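/**
 * Returns the access mode granted to the session's user on exactly
 * {@code objectName}, or {@code null} when no grant object exists for it.
 *
 * <p>Grant objects are cached by object name only; the per-user mode is
 * derived from the cached object on every call.
 *
 * <p>NOTE(review): a cache hit skips loading the grant object through the
 * session, and no invalidation is visible in this method - confirm that
 * grant changes and revocations update or evict {@code cachedGrants}.
 *
 * @param objectName  object path to look up
 * @param userSession session of the user being checked
 * @return the granted mode, or {@code null} if the object has no grant object
 * @throws JasDBStorageException if the grant object cannot be loaded
 */
private AccessMode getGrantedMode(String objectName, UserSession userSession) throws JasDBStorageException {
    StatRecord getGrantRecord = StatisticsMonitor.createRecord("auth:grant:check");
    try {
        String username = userSession.getUser().getUsername();

        // Single lookup instead of containsKey + get: an entry removed between the
        // two calls would otherwise pass null on to verifyGrantMode.
        GrantObject grantObject = cachedGrants.get(objectName);
        if (grantObject == null) {
            grantObject = getMutableGrantObject(userSession, objectName);
            if (grantObject == null) {
                return null;
            }
            cachedGrants.put(objectName, grantObject);
        }
        return verifyGrantMode(grantObject, username);
    } finally {
        getGrantRecord.stop();
    }
}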
/**
 * Verifies that the session's user holds at least {@code mode} on {@code object}.
 *
 * <p>Returns normally when access is granted. A missing session and
 * insufficient privileges are both rejected with a security exception.
 *
 * @param userSession session to check; {@code null} is rejected
 * @param object      object path access is requested for
 * @param mode        access mode required
 * @throws JasDBStorageException if there is no session, the privileges are
 *                               insufficient, or the grants cannot be loaded
 */
@Override
public void authorize(UserSession userSession, String object, AccessMode mode) throws JasDBStorageException {
    StatRecord authRecord = StatisticsMonitor.createRecord("auth:object");
    try {
        if (userSession == null) {
            throw new JasDBSecurityException("Unable to authorize user, no session");
        }

        String userName = userSession.getUser().getUsername();
        boolean granted = checkGrantHierarchy(object, userSession, mode);
        LOG.debug("User: {} is privileged: {} on object: {}", userName, granted, object);

        if (granted) {
            return;
        }
        throw new JasDBSecurityException("User: " + userName + " has insufficient privileges on object: " + object);
    } finally {
        // The timing record is closed on success and on every failure path.
        authRecord.stop();
    }
}