Issue 1322: Add messages and tests for IdentityStore
kristip committed Jan 5, 2018
1 parent c77bbc1 commit 47f946d
Showing 15 changed files with 364 additions and 93 deletions.
Expand Up @@ -46,3 +46,37 @@ JAVAEESEC_ERROR_MULTIPLE_HTTPAUTHMECHS.useraction=Make sure that there is only o
JAVAEESEC_WARNING_IDSTORE_CONFIG=CWWKS1916W: An error occurs when the program resolves the ''{0}'' configuration for the identity store. Ensure that the EL expression and the result are valid and ensure any referenced beans that are used in the expression are resolvable. The value defaults to ''{1}''.
JAVAEESEC_WARNING_IDSTORE_CONFIG.explanation=The identity store configuration cannot be resolved to a valid value.
JAVAEESEC_WARNING_IDSTORE_CONFIG.useraction=Make sure that the annotation contains a valid configuration value. If you use EL expressions, ensure that they are valid and that any referenced beans that are used in the expression are resolvable.

JAVAEESEC_ERROR_BAD_HASH_PARAM=CWWKS1917E: A hashAlgorithm parameter provided for the hashAlgorithm, {0}, is in the incorrect format. The parameter received is {1}. The required format is name=value.
JAVAEESEC_ERROR_BAD_HASH_PARAM.explanation=A hashAlgorithm parameter list is in the incorrect format and cannot be parsed.
JAVAEESEC_ERROR_BAD_HASH_PARAM.useraction=Correct the hashAlgorithmParameters element on the DatabaseIdentityStore annotation.

JAVAEESEC_WARNING_GEN_DB=CWWKS1918W: The ''{1}'' query to get the {0} caller failed on the DatabaseIdentityStore with an error: {2}
JAVAEESEC_WARNING_GEN_DB.explanation=The search for the provided caller failed with an error.
JAVAEESEC_WARNING_GEN_DB.useraction=Review the provided error.

JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS=CWWKS1919W: The ''{1}'' query to get the groups for the {0} caller failed on the DatabaseIdentityStore. The partial list of groups is {2}. The error is {3}.
JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS.explanation=The search for groups for the caller failed with an error.
JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS.useraction=Review the provided error. A partial list of groups is returned.

JAVAEESEC_WARNING_WRONG_CRED=CWWKS1920W: The credential provided to the IdentityStore is not a UsernamePasswordCredential and cannot be validated.
JAVAEESEC_WARNING_WRONG_CRED.explanation=The credential provided to the IdentityStore is not a UsernamePasswordCredential and cannot be validated.
JAVAEESEC_WARNING_WRONG_CRED.useraction=Review the type of credential passed into the IdentityStore.

JAVAEESEC_WARNING_NULL_PWD=CWWKS1921W: A null password was provided to the DatabaseIdentityStore and cannot be validated.
JAVAEESEC_WARNING_NULL_PWD.explanation=The UsernamePasswordCredential contained a null password.
JAVAEESEC_WARNING_NULL_PWD.useraction=Supply a valid password.

JAVAEESEC_ERROR_HASH_NOTFOUND=CWWKS1922E: The hash algorithm bean was not found for class {0}.
JAVAEESEC_ERROR_HASH_NOTFOUND.explanation=The hash algorithm listed in the hashAlgorithm element on the DatabaseIdentityStore annotation was not found.
JAVAEESEC_ERROR_HASH_NOTFOUND.useraction=Add the custom hash algorithm as a bean that is available to the application.

JAVAEESEC_WARNING_NO_PWD=CWWKS1923W: The ''{1}'' query did not return a password for the {0} caller on the DatabaseIdentityStore.
JAVAEESEC_WARNING_NO_PWD.explanation=The query did not return a password for the provided caller query.
JAVAEESEC_WARNING_NO_PWD.useraction=If a password was expected, review the caller query and database contents.

JAVAEESEC_WARNING_MULTI_CALLER=CWWKS1924W: The ''{1}'' query returned multiple results for the {0} caller on the DatabaseIdentityStore.
JAVAEESEC_WARNING_MULTI_CALLER.explanation=Multiple results were returned for the requested caller. The caller query should only return a single result.
JAVAEESEC_WARNING_MULTI_CALLER.useraction=Review the caller query and database contents. Change the caller query to return one result.

>>>>>>> Add messages for IdentityStore
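Review bot: The last added line, `>>>>>>> Add messages for IdentityStore`, is a leftover merge-conflict marker rather than a message definition. java.util.Properties will still load the file, treating `>>>>>>>` as a key with the commit title as its value, so the bundle loads but carries a junk entry that any key-consistency check against the translated bundles will flag. Remove the line. The matching `<<<<<<<` and `=======` markers are not in this hunk, so the earlier part of the file should be checked for them as well.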
Expand Up @@ -71,6 +71,7 @@ public DatabaseIdentityStore(DatabaseIdentityStoreDefinition idStoreDefinition)
if (p2phi != null) {
passwordHash = p2phi.get();
} else {
Tr.error(tc, "JAVAEESEC_ERROR_HASH_NOTFOUND", new Object[] { this.idStoreDefinition.getHashAlgorithm() });
throw new IllegalArgumentException("Cannot load the password HashAlgorithm, the CDI bean was not found for: " + this.idStoreDefinition.getHashAlgorithm());
}

Expand All @@ -86,6 +87,7 @@ public DatabaseIdentityStore(DatabaseIdentityStoreDefinition idStoreDefinition)
for (String param : params) {
String[] split = param.split("=");
if (split.length != 2) {
Tr.error(tc, "JAVAEESEC_ERROR_BAD_HASH_PARAM", new Object[] { this.idStoreDefinition.getHashAlgorithm(), param });
throw new IllegalArgumentException("Hash algorithm parameter is in the incorrect format. Expected: name=value, received: " + param);
}
prepped.put(split[0], split[1]);
Expand All @@ -112,7 +114,7 @@ public Set<String> getCallerGroups(CredentialValidationResult validationResult)
String caller = validationResult.getCallerPrincipal().getName();
if (caller == null) {
if (tc.isEventEnabled()) {
Tr.event(tc, "Caller is null, cannot get groups.");
Tr.event(tc, "A null caller was passed into getCallerGroups. No groups returned.");
}
return groups;
}
Expand All @@ -124,23 +126,26 @@ public Set<String> getCallerGroups(CredentialValidationResult validationResult)
prep.setString(1, caller);
ResultSet result = runQuery(prep, caller);

while (result.next()) {
String aGroup = result.getString(1);
if (tc.isDebugEnabled()) {
Tr.debug(tc, "For caller " + caller + " found " + aGroup);
if (result == null) {
if (tc.isEventEnabled()) {
Tr.event(tc, "The result query was null looking for groups for caller " + caller + " with query " + idStoreDefinition.getGroupsQuery());
}
if (aGroup != null) {
groups.add(aGroup);
} else {
while (result.next()) {
String aGroup = result.getString(1);
if (tc.isDebugEnabled()) {
Tr.debug(tc, "For caller " + caller + " found " + aGroup);
}
if (aGroup != null) {
groups.add(aGroup);
}
}
}

} finally {
conn.close();
}
} catch (NamingException | SQLException e) {
if (tc.isEventEnabled()) {
Tr.event(tc, "Exception getting groups for caller:" + caller, e);
}
Tr.warning(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS", new Object[] { caller, idStoreDefinition.getCallerQuery(), groups, e });
}

/*
Expand All @@ -163,26 +168,23 @@ public CredentialValidationResult validate(Credential credential) {
}

if (!(credential instanceof UsernamePasswordCredential)) {
if (tc.isEventEnabled()) {
Tr.event(tc, "Credential was not UsernamePasswordCredential");
}
Tr.warning(tc, "JAVAEESEC_WARNING_WRONG_CRED");
return CredentialValidationResult.NOT_VALIDATED_RESULT;
}

UsernamePasswordCredential cred = (UsernamePasswordCredential) credential;
String caller = cred.getCaller();
if (caller == null) {
if (caller == null) { // should be prevented when UsernamePasswordCredential is created.
if (tc.isEventEnabled()) {
Tr.event(tc, "Caller is null, cannot validate credential.");
Tr.event(tc, "A null caller was passed in");
}
return CredentialValidationResult.INVALID_RESULT;
}

if (cred.getPassword().getValue() == null) {
if (tc.isEventEnabled()) {
Tr.event(tc, "Password is null, cannot validate credential.");
Tr.event(tc, "A null password was passed in for caller " + caller);
}
return CredentialValidationResult.INVALID_RESULT;
}

ProtectedString dbPassword = null;
Expand All @@ -204,36 +206,36 @@ public CredentialValidationResult validate(Credential credential) {

ResultSet result = runQuery(prep, caller);

if (!result.next()) { // advance to first result
if (result == null) {
if (tc.isEventEnabled()) {
Tr.event(tc, "No users returned for caller: " + caller + ", using query: " + callerQuery);
Tr.event(tc, "The result query was null looking for caller " + caller + " with query " + idStoreDefinition.getGroupsQuery());
}
return CredentialValidationResult.INVALID_RESULT;
}
} else {
if (!result.next()) { // advance to first result
if (tc.isEventEnabled()) {
Tr.event(tc, "The result query was empty looking for caller " + caller + " with query " + idStoreDefinition.getGroupsQuery());
}
return CredentialValidationResult.INVALID_RESULT;
}

String dbreturn = result.getString(1);
if (dbreturn == null) {
if (tc.isEventEnabled()) {
Tr.event(tc, "The password returned from database is null for caller: " + caller);
String dbreturn = result.getString(1);
if (dbreturn == null) {
Tr.warning(tc, "JAVAEESEC_WARNING_NO_PWD", new Object[] { caller, idStoreDefinition.getCallerQuery() });
return CredentialValidationResult.INVALID_RESULT;
}
return CredentialValidationResult.INVALID_RESULT;
}
dbPassword = new ProtectedString(dbreturn.toCharArray());
dbPassword = new ProtectedString(dbreturn.toCharArray());

if (result.next()) { // check if there are additional results.
if (tc.isEventEnabled()) {
Tr.event(tc, "Multiple results returned for caller: " + caller);
if (result.next()) { // check if there are additional results.
Tr.warning(tc, "JAVAEESEC_WARNING_MULTI_CALLER", new Object[] { caller, idStoreDefinition.getCallerQuery() });
return CredentialValidationResult.INVALID_RESULT;
}
return CredentialValidationResult.INVALID_RESULT;
}

} finally {
conn.close();
}
} catch (NamingException | SQLException e) {
if (tc.isEventEnabled()) {
Tr.event(tc, "Exception validating caller: " + caller, e);
}
Tr.warning(tc, "JAVAEESEC_WARNING_GEN_DB", new Object[] { caller, idStoreDefinition.getCallerQuery(), e });
return CredentialValidationResult.INVALID_RESULT;
}

Expand All @@ -254,11 +256,21 @@ public Set<ValidationType> validationTypes() {
}

private ResultSet runQuery(PreparedStatement prep, String caller) throws SQLException {
long startTime = System.currentTimeMillis();
ResultSet result = prep.executeQuery();
long endTime = System.currentTimeMillis();
if (tc.isDebugEnabled()) {
Tr.debug(tc, "Time to run query on caller " + caller + ". Start time: " + startTime + ". End time: " + endTime + ". Total time in ms: " + (endTime - startTime));
long startTime = -1;
ResultSet result = null;

try {
if (tc.isDebugEnabled()) {
startTime = System.currentTimeMillis();
}
result = prep.executeQuery();
} catch (Exception e) {
throw e;
} finally {
if (tc.isDebugEnabled()) {
long endTime = System.currentTimeMillis();
Tr.debug(tc, "Time to run query on caller " + caller + ". Start time: " + startTime + ". End time: " + endTime + ". Total time in ms: " + (endTime - startTime));
}
}
return result;
}
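Review bot: The query named in several of the new log calls is not the query that was actually run: in getCallerGroups the new `JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS` warning passes `idStoreDefinition.getCallerQuery()` although that method executes the groups query (the null-result event a few lines above it correctly reports `idStoreDefinition.getGroupsQuery()`), and in validate the two new null/empty-result events report `idStoreDefinition.getGroupsQuery()` although the statement there was built from the caller query (the removed line used the local `callerQuery`). An operator reading CWWKS1919W to diagnose a failing groups lookup would be shown the caller query instead, which is the wrong thing to review. Change the groups warning to `Tr.warning(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS", new Object[] { caller, idStoreDefinition.getGroupsQuery(), groups, e });` and use the caller query in the two validate events. Separately, the new `catch (Exception e) { throw e; }` in runQuery is a no-op rethrow and can be dropped, leaving a plain try/finally around `prep.executeQuery()`; the enclosing constructor and validate bodies start and end outside these hunks.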
Expand Up @@ -185,6 +185,7 @@ public CredentialValidationResult validate(Credential credential) {
* Only support UserPasswordCredential.
*/
if (!(credential instanceof UsernamePasswordCredential)) {
Tr.error(tc, "JAVAEESEC_WARNING_WRONG_CRED");
return CredentialValidationResult.NOT_VALIDATED_RESULT;
}

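Review bot: `Tr.error(tc, "JAVAEESEC_WARNING_WRONG_CRED")` logs a message whose id is CWWKS1920W, a warning, at error severity, while the DatabaseIdentityStore change in this same commit logs the same key with `Tr.warning`; the two stores will therefore emit identical text at different levels, and the message id prefix will disagree with the log level here. Use `Tr.warning(tc, "JAVAEESEC_WARNING_WRONG_CRED");` to match the message's severity and the other store. The enclosing validate method starts and ends outside the hunk.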