Merge pull request wildfly-security#1952 from Skyllarr:JBEAP-25337 [E…

…LY-2583] Make requestURI and Source-Address available from RealmSuccessfulAuthenticationEvent and RealmFailedAuthenticationEvent
gaol · Sep 13, 2023 · 6f7901a · 6f7901a
2 parents 3dc896a + 6c8e29d
commit 6f7901a
Show file tree

Hide file tree

Showing 5 changed files with 294 additions and 2 deletions.
diff --git a/auth/server/base/src/main/java/org/wildfly/security/auth/server/MechanismInformation.java b/auth/server/base/src/main/java/org/wildfly/security/auth/server/MechanismInformation.java
@@ -53,6 +53,10 @@ public interface MechanismInformation {
      */
     String getProtocol();
 
+    default String getRequestURI() {
+        return null;
+    }
+
     MechanismInformation DEFAULT = new MechanismInformation() {
 
         @Override

diff --git a/...rver/base/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java b/...rver/base/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java
@@ -1108,6 +1108,9 @@ private void handleOne(final Callback[] callbacks, final int idx) throws IOExcep
                                     mi.getMechanismType(), mi.getMechanismName(), mi.getHostName(), mi.getProtocol());
                         }
                         setMechanismInformation(mi);
+                        Attributes runtimeAttributes = new MapAttributes();
+                        runtimeAttributes.addFirst("Request-URI", mi.getRequestURI());
+                        addRuntimeAttributes(runtimeAttributes);
                         handleOne(callbacks, idx + 1);
                     } catch (Exception e) {
                         throw new IOException(e);
@@ -2107,15 +2110,58 @@ void succeed() {
         void fail(final boolean requireInProgress) {
             final SecurityIdentity capturedIdentity = getSourceIdentity();
             final AtomicReference<State> stateRef = getStateRef();
-            if (! stateRef.compareAndSet(this, FAILED)) {
+            if (!stateRef.compareAndSet(this, FAILED)) {
                 stateRef.get().fail(requireInProgress);
                 return;
             }
-            SecurityRealm.safeHandleRealmEvent(getRealmInfo().getSecurityRealm(), new RealmFailedAuthenticationEvent(realmIdentity, null, null));
+            SecurityRealm.safeHandleRealmEvent(getRealmInfo().getSecurityRealm(), new RealmFailedAuthenticationEvent(getRealmIdentityWithRuntimeAttributes(), null, null));
             SecurityDomain.safeHandleSecurityEvent(capturedIdentity.getSecurityDomain(), new SecurityAuthenticationFailedEvent(capturedIdentity, realmIdentity.getRealmIdentityPrincipal()));
             realmIdentity.dispose();
         }
 
+        private RealmIdentity getRealmIdentityWithRuntimeAttributes() {
+            return new RealmIdentity() {
+                @Override
+                public Principal getRealmIdentityPrincipal() {
+                    return realmIdentity.getRealmIdentityPrincipal();
+                }
+
+                @Override
+                public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
+                    return realmIdentity.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
+                }
+
+                @Override
+                public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException {
+                    return realmIdentity.getCredential(credentialType);
+                }
+
+                @Override
+                public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException {
+                    return realmIdentity.getEvidenceVerifySupport(evidenceType, algorithmName);
+                }
+
+                @Override
+                public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
+                    return realmIdentity.verifyEvidence(evidence);
+                }
+
+                @Override
+                public boolean exists() throws RealmUnavailableException {
+                    return realmIdentity.exists();
+                }
+
+                @Override
+                public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
+                    if (realmIdentity.exists()) {
+                        return AuthorizationIdentity.basicIdentity(realmIdentity.getAuthorizationIdentity(), runtimeAttributes);
+                    } else {
+                        return AuthorizationIdentity.basicIdentity(AuthorizationIdentity.EMPTY, runtimeAttributes);
+                    }
+                }
+            };
+        }
+
         @Override
         void setPrincipal(final Principal principal, final boolean exclusive) {
             if (isSamePrincipal(principal)) {

diff --git a/...src/main/java/org/wildfly/security/http/util/SetMechanismInformationMechanismFactory.java b/...src/main/java/org/wildfly/security/http/util/SetMechanismInformationMechanismFactory.java
@@ -20,6 +20,7 @@
 import static org.wildfly.security.http.HttpConstants.HOST;
 import static org.wildfly.security.http.util.ElytronMessages.log;
 
+import java.net.URI;
 import java.util.Map;
 
 import javax.security.auth.callback.Callback;
@@ -73,6 +74,7 @@ public String getMechanismName() {
             public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
                 String host = request.getFirstRequestHeaderValue(HOST);
                 String resolvedHostName = null;
+                URI requestedUri = request.getRequestURI();
                 if (host != null) {
                   if (host.startsWith("[")) {
                       int close = host.indexOf(']');
@@ -110,6 +112,11 @@ public String getMechanismName() {
                         public String getHostName() {
                             return hostName;
                         }
+                        @Override
+                        public String getRequestURI() {
+                            return requestedUri.toString();
+                        }
+
                     })});
 
                 } catch (Throwable e) {

diff --git a/tests/base/src/test/java/org/wildfly/security/auth/server/RealmEventTest.java b/tests/base/src/test/java/org/wildfly/security/auth/server/RealmEventTest.java
@@ -0,0 +1,125 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2023 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.wildfly.security.auth.server;
+
+import org.junit.Test;
+import org.wildfly.security.auth.callback.MechanismInformationCallback;
+import org.wildfly.security.auth.permission.LoginPermission;
+import org.wildfly.security.authz.Attributes;
+import org.wildfly.security.authz.MapAttributes;
+import org.wildfly.security.credential.PasswordCredential;
+import org.wildfly.security.password.PasswordFactory;
+import org.wildfly.security.password.WildFlyElytronPasswordProvider;
+import org.wildfly.security.password.interfaces.ClearPassword;
+import org.wildfly.security.password.spec.ClearPasswordSpec;
+import org.wildfly.security.permission.PermissionVerifier;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.spec.InvalidKeySpecException;
+
+import static org.junit.Assert.fail;
+import static org.wildfly.security.authz.RoleDecoder.KEY_SOURCE_ADDRESS;
+
+public class RealmEventTest {
+
+    private static SecurityDomain usersDomain;
+    private static TestCustomRealm.CustomRealm usersRealm;
+    private static final Provider provider = WildFlyElytronPasswordProvider.getInstance();
+
+    private ServerAuthenticationContext setupAndGetServerAuthenticationContext() throws IOException, UnsupportedCallbackException {
+        Security.addProvider(provider);
+
+        usersRealm = new TestCustomRealm.CustomRealm();
+        SecurityDomain.Builder builder = SecurityDomain.builder();
+        builder.addRealm("users", usersRealm).build();
+        builder.setDefaultRealmName("users");
+        builder.setPermissionMapper((permissionMappable, roles) -> PermissionVerifier.from(new LoginPermission()));
+        usersDomain = builder.build();
+
+        ServerAuthenticationContext serverAuthenticationContext = usersDomain.createNewAuthenticationContext();
+        serverAuthenticationContext.addRuntimeAttributes(createRuntimeAttributesWithSourceAddress());
+
+        MechanismInformation mechanismInformation = new MechanismInformation() {
+            @Override
+            public String getMechanismType() {
+                return null;
+            }
+
+            @Override
+            public String getMechanismName() {
+                return null;
+            }
+
+            @Override
+            public String getHostName() {
+                return null;
+            }
+
+            @Override
+            public String getProtocol() {
+                return null;
+            }
+
+            @Override
+            public String getRequestURI() {
+                return "testURI";
+            }
+        };
+
+        CallbackHandler callbackHandler = serverAuthenticationContext.createCallbackHandler();
+        callbackHandler.handle(new MechanismInformationCallback[]{new MechanismInformationCallback(mechanismInformation)});
+        return serverAuthenticationContext;
+    }
+
+    @Test
+    public void testRealmSuccessfulAuthenticationEvent() throws IOException, UnsupportedCallbackException {
+        ServerAuthenticationContext serverAuthenticationContext = setupAndGetServerAuthenticationContext();
+        try {
+            serverAuthenticationContext.setAuthenticationName("myadmin");
+            serverAuthenticationContext.addPublicCredential(new PasswordCredential(
+                    PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR).generatePassword(
+                            new ClearPasswordSpec("mypassword".toCharArray()))));
+
+            serverAuthenticationContext.authorize();
+        } catch (RealmUnavailableException | InvalidKeySpecException | NoSuchAlgorithmException e) {
+            fail();
+        }
+        serverAuthenticationContext.succeed();
+    }
+
+    @Test
+    public void testRealmFailedAuthenticationEvent() throws NoSuchAlgorithmException, IOException, UnsupportedCallbackException, InvalidKeySpecException {
+        ServerAuthenticationContext serverAuthenticationContext = setupAndGetServerAuthenticationContext();
+        serverAuthenticationContext.setAuthenticationName("myadmin");
+        serverAuthenticationContext.addPublicCredential(new PasswordCredential(
+                PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR).generatePassword(
+                        new ClearPasswordSpec("wrongPassword".toCharArray()))));
+        serverAuthenticationContext.fail();
+    }
+
+    private Attributes createRuntimeAttributesWithSourceAddress() {
+        MapAttributes runtimeAttributes = new MapAttributes();
+        runtimeAttributes.addFirst(KEY_SOURCE_ADDRESS, "10.12.14.16");
+        return runtimeAttributes;
+    }
+}
diff --git a/tests/base/src/test/java/org/wildfly/security/auth/server/TestCustomRealm.java b/tests/base/src/test/java/org/wildfly/security/auth/server/TestCustomRealm.java
@@ -0,0 +1,110 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2023 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.wildfly.security.auth.server;
+
+import org.wildfly.security.auth.SupportLevel;
+import org.wildfly.security.auth.server.event.RealmEvent;
+import org.wildfly.security.auth.server.event.RealmFailedAuthenticationEvent;
+import org.wildfly.security.auth.server.event.RealmSuccessfulAuthenticationEvent;
+import org.wildfly.security.credential.Credential;
+import org.wildfly.security.evidence.Evidence;
+import org.wildfly.security.evidence.PasswordGuessEvidence;
+
+import java.security.Principal;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+public class TestCustomRealm {
+
+    public static class CustomRealm implements SecurityRealm {
+
+        // this realm does not allow acquiring credentials
+        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName,
+                                                        AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
+            return SupportLevel.UNSUPPORTED;
+        }
+
+        // this realm will be able to verify password evidences only
+        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName)
+                throws RealmUnavailableException {
+            return PasswordGuessEvidence.class.isAssignableFrom(evidenceType) ? SupportLevel.POSSIBLY_SUPPORTED : SupportLevel.UNSUPPORTED;
+        }
+
+        public RealmIdentity getRealmIdentity(final Principal principal) throws RealmUnavailableException {
+
+            if ("myadmin".equals(principal.getName())) { // identity "myadmin" will have password "mypassword"
+                return new RealmIdentity() {
+                    public Principal getRealmIdentityPrincipal() {
+                        return principal;
+                    }
+
+                    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
+                                                                    String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
+                        return SupportLevel.UNSUPPORTED;
+                    }
+
+                    public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException {
+                        return null;
+                    }
+
+                    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) {
+                        return PasswordGuessEvidence.class.isAssignableFrom(evidenceType) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
+                    }
+
+                    // evidence will be accepted if it is password "mypassword"
+                    public boolean verifyEvidence(Evidence evidence) {
+                        if (evidence instanceof PasswordGuessEvidence) {
+                            PasswordGuessEvidence guess = (PasswordGuessEvidence) evidence;
+                            try {
+                                return Arrays.equals("mypassword".toCharArray(), guess.getGuess());
+
+                            } finally {
+                                guess.destroy();
+                            }
+                        }
+                        return false;
+                    }
+
+                    public boolean exists() {
+                        return true;
+                    }
+                };
+            }
+            return RealmIdentity.NON_EXISTENT;
+        }
+
+        @Override
+        public void handleRealmEvent(RealmEvent event) {
+            if (event instanceof RealmSuccessfulAuthenticationEvent) {
+                assertEquals("10.12.14.16", ((RealmSuccessfulAuthenticationEvent) event).getAuthorizationIdentity().getRuntimeAttributes().get("Source-Address").get(0));
+                assertEquals("testURI", ((RealmSuccessfulAuthenticationEvent) event).getAuthorizationIdentity().getRuntimeAttributes().get("Request-URI").get(0));
+            }
+            if (event instanceof RealmFailedAuthenticationEvent) {
+                try {
+                    assertEquals("10.12.14.16", ((RealmFailedAuthenticationEvent) event).getRealmIdentity().getAuthorizationIdentity().getRuntimeAttributes().get("Source-Address").get(0));
+                    assertEquals("testURI", ((RealmFailedAuthenticationEvent) event).getRealmIdentity().getAuthorizationIdentity().getRuntimeAttributes().get("Request-URI").get(0));
+                } catch (RealmUnavailableException e) {
+                    fail("RealmFailedAuthenticationEvent should have runtime attributes associated");
+                }
+            }
+        }
+    }
+}