Package com.sun.enterprise.security.admin.cli

Source Code of com.sun.enterprise.security.admin.cli.SecureAdminHelperImpl

/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2011 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License").  You
* may not use this file except in compliance with the License.  You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt.  See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license."  If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above.  However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*/
package com.sun.enterprise.security.admin.cli;

import com.sun.enterprise.config.serverbeans.AdminService;
import com.sun.enterprise.config.serverbeans.AuthRealm;
import com.sun.enterprise.config.serverbeans.SecureAdminHelper;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;
import com.sun.enterprise.security.auth.realm.file.FileRealm;
import com.sun.enterprise.security.auth.realm.file.FileRealmUser;
import com.sun.enterprise.security.ssl.SSLUtils;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.glassfish.security.common.MasterPassword;
import org.jvnet.hk2.annotations.Inject;
import org.jvnet.hk2.annotations.Scoped;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.component.PerLookup;

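/**
 * Various utility methods which support secure admin operations: resolving
 * the DN for a secure-admin principal and sanity-checking the internal
 * admin username and password alias.
 * <p>
 * Nothing in this class authenticates anyone. The checks confirm only that a
 * certificate alias, a user's admin-group membership or a password alias
 * exists; no password or credential is compared here.
 *
 * @author Tim Quinn
 */
@Service
@Scoped(PerLookup.class)
public class SecureAdminHelperImpl implements SecureAdminHelper {

    /** Group a file-realm user must belong to in order to pass {@link #validateUser}. */
    private static final String DOMAIN_ADMIN_GROUP_NAME = "asadmin";

    @Inject
    private SSLUtils sslUtils;

    @Inject(name="Security SSL Password Provider Service")
    private MasterPassword masterPasswordHelper;

    @Inject
    private volatile AdminService as;

    /**
     * Returns the correct DN to use for a given secure admin principal, mapping
     * the alias (if it's an alias specified) to the DN for the corresponding
     * cert in the trust store.
     * <p>
     * When {@code isAlias} is false the value is returned exactly as supplied;
     * this method does not parse or validate it as a DN.
     *
     * @param value user-provided value (alias name or the actual DN)
     * @param isAlias whether the value is an alias
     * @return DN to use
     * @throws IOException if there is an error accessing the trust store
     * @throws KeyStoreException if the keystore has not been initialized
     * @throws IllegalArgumentException if the trust store has no entry for the
     * alias, or the cert fetched for it is not an X509 certificate
     * @throws RuntimeException if no trust store is available
     */
    @Override
    public String getDN(final String value, final boolean isAlias) throws IOException, KeyStoreException {
        if ( ! isAlias) {
            return value;
        }
        final KeyStore trustStore = sslUtils.getTrustStore();
        if (trustStore == null) {
            throw new RuntimeException(Strings.get("noTruststore"));
        }
        final Certificate cert = trustStore.getCertificate(value);
        if (cert == null) {
            throw new IllegalArgumentException(Strings.get("noAlias", value));
        }
        if ( ! (cert instanceof X509Certificate)) {
            throw new IllegalArgumentException(Strings.get("certNotX509Certificate", value));
        }
        return ((X509Certificate) cert).getSubjectX500Principal().getName();
    }

    /**
     * Makes sure the username is a valid admin username and that the password
     * alias is defined.  This method does NOT make sure that the password
     * associated with the username and the password associated with the
     * password alias are the same.
     * <p>
     * Every failure, including the specific "not an admin user" and "no such
     * alias" errors raised by the helpers, is rethrown as a
     * {@code RuntimeException} carrying the generic "errVal" message; the
     * specific reason is available only as the cause.
     *
     * @param username user-provided username
     * @param passwordAlias name of the password alias
     * @throws RuntimeException if either check fails or cannot be carried out
     */
    @Override
    public void validateInternalUsernameAndPasswordAlias(String username, String passwordAlias) {
        try {
            validateUser(username);
            validatePasswordAlias(passwordAlias);
        } catch (Exception ex) {
            throw new RuntimeException(Strings.get("errVal"), ex);
        }
    }

    /**
     * Checks that the user exists in the admin file realm and belongs to the
     * domain admin group.
     *
     * @param username user-provided username
     * @throws RuntimeException if the user is unknown or is not in the admin group
     * @throws BadRealmException declared for the file-realm access
     * @throws NoSuchRealmException declared for the file-realm access
     */
    private void validateUser(final String username) throws BadRealmException, NoSuchRealmException {
        final AuthRealm ar = as.getAssociatedAuthRealm();
        if ( ! FileRealm.class.getName().equals(ar.getClassname())) {
            /*
             * NOTE(review): when the admin realm is not a FileRealm the
             * username is not checked at all and this method returns
             * normally.  Confirm that is intended; a normal return here does
             * not show that the user exists or is an administrator.
             */
            return;
        }
        final String adminKeyFilePath = ar.getPropertyValue("file");
        final FileRealm fr = new FileRealm(adminKeyFilePath);
        boolean isAdminUser = false;
        try {
            final FileRealmUser fru = (FileRealmUser) fr.getUser(username);
            /*
             * getUser and getGroups are defined outside this file; a null
             * user or a null group list is treated as "no groups" so the
             * caller gets the ordinary not-admin error instead of a
             * NullPointerException.
             */
            final String[] groups = (fru == null) ? null : fru.getGroups();
            if (groups != null) {
                for (String group : groups) {
                    if (DOMAIN_ADMIN_GROUP_NAME.equals(group)) {
                        isAdminUser = true;
                        break;
                    }
                }
            }
        } catch (NoSuchUserException ex) {
            /*
             * The user is not valid, but use the same error as if the user
             * IS present but is not an admin user.  This provides a would-be
             * intruder a little less information by not distinguishing
             * between a valid user that's not an admin user and an
             * invalid user.
             */
            isAdminUser = false;
        }
        if ( ! isAdminUser) {
            /*
             * Single throw site for both cases so the two outcomes cannot
             * drift apart into distinguishable errors.
             */
            throw new RuntimeException(Strings.get("notAdminUser", username));
        }
    }

    /**
     * Checks that the password alias is defined in the store exposed by the
     * master password helper.  Only existence is checked; the aliased
     * password itself is not read or compared here.
     *
     * @param passwordAlias name of the password alias
     * @throws RuntimeException if the alias does not exist
     */
    private void validatePasswordAlias(final String passwordAlias)
            throws CertificateException, NoSuchAlgorithmException,
            KeyStoreException, IOException {

        if ( ! masterPasswordHelper.getMasterPasswordAdapter().aliasExists(passwordAlias)) {
            throw new RuntimeException(Strings.get("noAlias", passwordAlias));
        }
    }
}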