/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The SF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.apache.sling.hc.support.impl;
import java.util.Arrays;
import java.util.List;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.hc.api.HealthCheck;
import org.apache.sling.hc.api.Result;
import org.apache.sling.hc.util.FormattingResultLog;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/** {@link HealthCheck} that checks that Sling default logins fail.
* Used to verify that those logins are disabled on production systems */
@Component(
name="org.apache.sling.hc.support.DefaultLoginsHealthCheck",
configurationFactory=true,
policy=ConfigurationPolicy.REQUIRE,
metatype=true,
label="Apache Sling Default Logins Health Check",
description="Expects default logins to fail, used to verify " +
"that they are disabled on production systems")
@Properties({
@Property(name=HealthCheck.NAME,
label="Health Check Name", description="Name of this Health Check service."),
@Property(name=HealthCheck.TAGS, unbounded=PropertyUnbounded.ARRAY,
label="Health Check tags", description="List of tags for this Health Check service, used to select " +
"subsets of Health Check services for execution"),
@Property(name=HealthCheck.MBEAN_NAME,
label="MBean Name", description="Name of the MBean to create for this Health Check.")
})
@Service(value=HealthCheck.class)
public class DefaultLoginsHealthCheck implements HealthCheck {
private final Logger log = LoggerFactory.getLogger(getClass());
@Property(unbounded=PropertyUnbounded.ARRAY,
label="Login credentials",
description="Which credentials to check. Each one is in the format \"user:password\" " +
"like \"admin:admin\" for example. Do *not* put any confidential passwords here, the goal " +
"is just to check that the default/demo logins, which passwords are known anyway, are disabled.")
private static final String PROP_LOGINS = "logins";
private List<String> logins;
@Reference
private SlingRepository repository;
@Activate
public void activate(ComponentContext ctx) {
logins = Arrays.asList(PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_LOGINS), new String[] {}));
log.info("Activated, logins={}", logins);
}
@Override
public Result execute() {
final FormattingResultLog resultLog = new FormattingResultLog();
int checked=0;
int failures=0;
for(String login : logins) {
final String [] parts = login.split(":");
if(parts.length != 2) {
resultLog.warn("Expected login in the form username:password, got [{}]", login);
continue;
}
checked++;
final String username = parts[0].trim();
final String password = parts[1].trim();
final Credentials creds = new SimpleCredentials(username, password.toCharArray());
Session s = null;
try {
s = repository.login(creds);
if(s != null) {
failures++;
resultLog.warn("Login as [{}] succeeded, was expecting it to fail", username);
} else {
resultLog.debug("Login as [{}] didn't throw an Exception but returned null Session", username);
}
} catch(RepositoryException re) {
resultLog.debug("Login as [{}] failed, as expected", username);
} finally {
if(s != null) {
s.logout();
}
}
}
if(checked==0) {
resultLog.warn("Did not check any logins, configured logins={}", logins);
} else if(failures != 0){
resultLog.warn("Checked {} logins, {} failures", checked, failures);
} else {
resultLog.debug("Checked {} logins, all successful", checked, failures);
}
return new Result(resultLog);
}
}