@Override public UserAdministration getUserAdministration() throws JasDBStorageException { if(userSession != null) { return new LocalUserAdministration(userSession); } else { throw new JasDBSecurityException("Unable to get user administration, not logged in"); } }
@Override public String hash(String salt, String password) throws JasDBSecurityException { try { String salted = salt + password; MessageDigest messageDigest = MessageDigest.getInstance("SHA-1"); byte[] digest = messageDigest.digest(salted.getBytes(UTF8)); return new String(Hex.encode(digest)); } catch(NoSuchAlgorithmException e) { throw new JasDBSecurityException("Unable to hash", e); } }
public User getUser(String username) throws JasDBStorageException { if(userMetaMap.containsKey(username)) { return userMetaMap.get(username).getMetadataObject(); } else { throw new JasDBSecurityException("Invalid user credentials"); } }
public void delUser(String username) throws JasDBStorageException { MetaWrapper<User> userWrapper = userMetaMap.get(username); if(userWrapper != null) { metadataStore.deleteMetadataEntity(userWrapper.getRecordPointer()); userMetaMap.remove(username); } else { throw new JasDBSecurityException("Unable to delete user, not found"); } }
@Override public String encrypt(String salt, String password, String textToEncrypt) throws JasDBSecurityException { String standardPass = getStandardizedPassword(password); PBEKeySpec keySpec = new PBEKeySpec(standardPass.toCharArray(), Hex.decode(salt), 1024, 128); try { byte[] iv = new byte[IV_SIZE]; secureRandom.nextBytes(iv); SecretKey secretKey = new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(keySpec).getEncoded(), "AES"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, secretKey, new IvParameterSpec(iv)); byte[] encrypted = cipher.doFinal(textToEncrypt.getBytes(UTF8)); return new String(Hex.encode(appendArrays(iv, encrypted))); } catch (InvalidKeySpecException e) { throw new JasDBSecurityException("Unable to encrypt", e); } catch (NoSuchAlgorithmException e) { throw new JasDBSecurityException("Unable to encrypt", e); } catch (NoSuchPaddingException e) { throw new JasDBSecurityException("Unable to encrypt", e); } catch (InvalidAlgorithmParameterException e) { throw new JasDBSecurityException("Unable to encrypt", e); } catch (InvalidKeyException e) { throw new JasDBSecurityException("Unable to encrypt", e); } catch (BadPaddingException e) { throw new JasDBSecurityException("Unable to encrypt", e); } catch (IllegalBlockSizeException e) { throw new JasDBSecurityException("Unable to encrypt", e); } }
throw new JasDBSecurityException("Unable to decrypt", e); } catch (InvalidKeySpecException e) { throw new JasDBSecurityException("Unable to decrypt", e); } catch (InvalidKeyException e) { throw new JasDBSecurityException("Unable to decrypt", e); } catch (InvalidAlgorithmParameterException e) { throw new JasDBSecurityException("Unable to decrypt", e); } catch (NoSuchPaddingException e) { throw new JasDBSecurityException("Unable to decrypt", e); } catch (BadPaddingException e) { throw new JasDBSecurityException("Unable to decrypt", e); } catch (IllegalBlockSizeException e) { throw new JasDBSecurityException("Unable to decrypt", e);
private void validateSession() throws JasDBStorageException { if(session == null || !sessionManager.sessionValid(session.getSessionId())) { throw new JasDBSecurityException("Unable to change security principals, not logged in or session expired"); } } }
@Override public void authorize(UserSession userSession, String object, AccessMode mode) throws JasDBStorageException { StatRecord authRecord = StatisticsMonitor.createRecord("auth:object"); try { if(userSession != null) { String userName = userSession.getUser().getUsername(); boolean granted = checkGrantHierarchy(object, userSession, mode); LOG.debug("User: {} is privileged: {} on object: {}", userName, granted, object); if(!granted) { throw new JasDBSecurityException("User: " + userName + " has insufficient privileges on object: " + object); } } else { throw new JasDBSecurityException("Unable to authorize user, no session"); } } finally { authRecord.stop(); } }
@Override public User getUser(String userName, String sourceHost, String password) throws JasDBStorageException { User user = userMetadataProvider.getUser(userName); LOG.debug("Expected host: {} actual: {}", user.getHost(), sourceHost); CryptoEngine cryptoEngine = CryptoFactory.getEngine(user.getEncryptionEngine()); if(user.getPasswordHash().equals(cryptoEngine.hash(user.getPasswordSalt(), password)) && (user.getHost().equals("*") || user.getHost().equals(sourceHost))) { LOG.debug("User: {} has been authenticated", user); return user; } else { throw new JasDBSecurityException("Could not authenticate, invalid credentials"); } }
@Override public void revoke(UserSession currentSession, String object, String userName) throws JasDBStorageException { authorize(currentSession, "/Grants", AccessMode.DELETE); GrantObject grantObject = getMutableGrantObject(currentSession, object); if(grantObject != null) { grantObject.removeGrant(userName); getGrantProvider().persistGrant(encryptGrants(grantObject, currentSession)); cachedGrants.remove(object); } else { throw new JasDBSecurityException("Unable to revoke grant, no object: " + object + " was found with grantObject for user: " + userName); } }
@Override protected void authenticate(Credentials credentials) throws JasDBStorageException { if(credentials != null) { TokenConnector tokenConnector = RemoteConnectorFactory.createConnector(getNodeInformation(), TokenConnector.class); UserSession session = tokenConnector.loadSession(credentials.getUsername(), credentials.getPassword()); if(StringUtils.stringNotEmpty(session.getAccessToken()) && StringUtils.stringNotEmpty(session.getSessionId())) { context = new RemotingContext(true); context.setUserSession(session); LOG.debug("Token: {} session: {}", session.getAccessToken(), session.getSessionId()); } else { throw new JasDBSecurityException("Unable to obtain access token to service"); } } else { context = new RemotingContext(true); } }