author | David Powell <David.Powell@sun.com> |
Sat, 13 Mar 2010 18:48:51 -0800 | |
changeset 468 | 7fa83d27b9f3 |
parent 442 | 1998ce99dcb0 |
child 473 | 18f221b572ce |
permissions | -rw-r--r-- |
391 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
5 |
* Common Development and Distribution License (the "License"). |
|
6 |
* You may not use this file except in compliance with the License. |
|
7 |
* |
|
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
21 |
||
22 |
/* |
|
433
e629b84699e3
14567 JMX connector needs more precise failure handling
David Powell <David.Powell@sun.com>
parents:
396
diff
changeset
|
23 |
* Copyright 2010 Sun Microsystems, Inc. All rights reserved. |
391 | 24 |
* Use is subject to license terms. |
25 |
*/ |
|
26 |
||
27 |
package org.opensolaris.os.vp.client.common; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.net.MalformedURLException; |
|
31 |
import java.security.*; |
|
32 |
import java.security.cert.*; |
|
33 |
import java.security.cert.Certificate; |
|
34 |
import java.util.*; |
|
438
5341dd3e7a04
14761 simplify login dialog
Stephen Talley <stephen.talley@sun.com>
parents:
433
diff
changeset
|
35 |
import javax.management.*; |
391 | 36 |
import javax.management.remote.*; |
438
5341dd3e7a04
14761 simplify login dialog
Stephen Talley <stephen.talley@sun.com>
parents:
433
diff
changeset
|
37 |
import org.opensolaris.os.rad.*; |
5341dd3e7a04
14761 simplify login dialog
Stephen Talley <stephen.talley@sun.com>
parents:
433
diff
changeset
|
38 |
import org.opensolaris.os.rad.api.pam.*; |
391 | 39 |
import org.opensolaris.os.rad.jmx.RadConnector; |
40 |
import org.opensolaris.os.vp.common.panel.MBeanUtil; |
|
438
5341dd3e7a04
14761 simplify login dialog
Stephen Talley <stephen.talley@sun.com>
parents:
433
diff
changeset
|
41 |
import org.opensolaris.os.vp.panel.common.ConnectionInfo; |
391 | 42 |
import org.opensolaris.os.vp.panel.common.action.ActionAbortedException; |
43 |
import org.opensolaris.os.vp.util.misc.*; |
|
44 |
||
45 |
public abstract class RadLoginManager { |
|
46 |
// |
|
47 |
// Static data |
|
48 |
// |
|
49 |
||
50 |
public static final String TRUSTSTORE_PASSWORD = "trustpass"; |
|
51 |
||
52 |
// |
|
53 |
// Instance data |
|
54 |
// |
|
55 |
||
56 |
private ConnectionManager connManager; |
|
57 |
||
58 |
// |
|
59 |
// Constructors |
|
60 |
// |
|
61 |
||
62 |
public RadLoginManager(ConnectionManager connManager) { |
|
63 |
this.connManager = connManager; |
|
64 |
} |
|
65 |
||
66 |
// |
|
67 |
// RadLoginManager methods |
|
68 |
// |
|
69 |
||
70 |
/** |
|
71 |
* Verify the given {@code Certificate} can be added to the truststore. |
|
72 |
* This default implementation does nothing. Subclasses may wish to |
|
73 |
* override this method to display the {@code Certificate} details and |
|
74 |
* prompt for user confirmation. |
|
75 |
* |
|
76 |
* @param host |
|
77 |
* the owner of the {@code Certificate} |
|
78 |
* |
|
79 |
* @param certificate |
|
80 |
* the {@code Certificate} to verify |
|
81 |
* |
|
82 |
* @exception ActionAbortedException |
|
83 |
* if the given {@code Certificate} cannot be added to the |
|
84 |
* truststore |
|
85 |
*/ |
|
86 |
protected abstract void acceptCertificate( |
|
87 |
String host, Certificate certificate) throws ActionAbortedException; |
|
88 |
||
89 |
/** |
|
90 |
* Checks to see if the login process has been cancelled. Subclasses should |
|
91 |
* override this method if they provide a method for the user to cancel the |
|
92 |
* login process. This default implementation does nothing. |
|
93 |
* |
|
94 |
* @exception ActionAbortedException |
|
95 |
* if the action has been cancelled |
|
96 |
*/ |
|
97 |
protected void checkForCancel() throws ActionAbortedException { |
|
98 |
} |
|
99 |
||
100 |
/** |
|
101 |
* Creates an empty truststore file. |
|
102 |
*/ |
|
103 |
protected void createTrustStore(File truststore) throws KeyStoreException, |
|
104 |
IOException, NoSuchAlgorithmException, CertificateException { |
|
105 |
||
106 |
File truststoreDir = truststore.getParentFile(); |
|
107 |
||
108 |
if (!truststoreDir.exists()) { |
|
109 |
if (!truststoreDir.mkdirs()) { |
|
110 |
throw new IOException( |
|
111 |
"could not create truststore directory: " + |
|
112 |
truststoreDir.getAbsolutePath()); |
|
113 |
} |
|
114 |
} |
|
115 |
||
116 |
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); |
|
117 |
char[] password = getTrustStorePassword().toCharArray(); |
|
118 |
||
119 |
// Create empty keystore |
|
120 |
keyStore.load(null, password); |
|
121 |
||
122 |
FileOutputStream fos = new FileOutputStream(truststore); |
|
123 |
keyStore.store(fos, password); |
|
124 |
fos.close(); |
|
125 |
} |
|
126 |
||
127 |
||
128 |
protected boolean handleCertFailure(String host, File truststore, |
|
129 |
Certificate certificate) throws ActionAbortedException, |
|
130 |
KeyStoreException, IOException, NoSuchAlgorithmException, |
|
131 |
CertificateException { |
|
132 |
||
133 |
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); |
|
134 |
char[] password = getTrustStorePassword().toCharArray(); |
|
135 |
||
136 |
// Load truststore |
|
137 |
FileInputStream fis = new FileInputStream(truststore); |
|
138 |
keyStore.load(fis, password); |
|
139 |
fis.close(); |
|
140 |
||
141 |
checkForCancel(); |
|
142 |
||
143 |
// Does the truststore already contain the certificate? |
|
144 |
String alias = keyStore.getCertificateAlias(certificate); |
|
145 |
if (alias != null) |
|
146 |
return false; |
|
147 |
||
148 |
boolean acceptNeeded = true; |
|
149 |
||
150 |
if (NetUtil.isLocalAddress(host)) { |
|
151 |
FileInputStream certFileIn = null; |
|
152 |
try { |
|
153 |
File certFile = new File("/etc/rad/cert.pem"); |
|
154 |
certFileIn = new FileInputStream(certFile); |
|
155 |
Certificate localCert = CertificateFactory. |
|
156 |
getInstance("X.509").generateCertificate(certFileIn); |
|
157 |
||
158 |
if (localCert.equals(certificate)) { |
|
159 |
acceptNeeded = false; |
|
160 |
} |
|
161 |
} catch (Throwable ignore) { |
|
162 |
} finally { |
|
163 |
IOUtil.closeIgnore(certFileIn); |
|
164 |
} |
|
165 |
} |
|
166 |
||
167 |
if (acceptNeeded) { |
|
168 |
// Display the certificate, prompt user to accept |
|
169 |
acceptCertificate(host, certificate); |
|
170 |
} |
|
171 |
||
172 |
// Add certificate |
|
173 |
alias = ((X509Certificate)certificate).getIssuerDN().toString(); |
|
174 |
KeyStore.Entry entry = |
|
175 |
new KeyStore.TrustedCertificateEntry(certificate); |
|
176 |
keyStore.setEntry(alias, entry, null); |
|
177 |
||
178 |
FileOutputStream fos = new FileOutputStream(truststore); |
|
179 |
keyStore.store(fos, password); |
|
180 |
fos.close(); |
|
181 |
||
182 |
return true; |
|
183 |
} |
|
184 |
||
185 |
/** |
|
186 |
* Opens a connection to the server. |
|
187 |
* |
|
188 |
* @exception ActionAbortedException |
|
189 |
* if the action is aborted |
|
190 |
*/ |
|
191 |
public ConnectionInfo getConnectionInfo(ConnectionInfo oldinfo) |
|
192 |
throws ActionAbortedException { |
|
193 |
||
194 |
// Repeat until a ConnectionInfo is created or an |
|
195 |
// ActionAbortedException is thrown |
|
196 |
while (true) { |
|
197 |
||
198 |
// Retrieve login info, presumably from the user -- throws |
|
199 |
// ActionAbortedException if user cancels |
|
200 |
LoginInfo info = getLoginInfo(); |
|
201 |
||
202 |
try { |
|
203 |
return toConnectionInfo(info, oldinfo); |
|
204 |
} |
|
205 |
||
206 |
// Error logging in, display error and restart login process |
|
207 |
catch (LoginFailedException e) { |
|
208 |
showError(e.getMessage(), e.getLoginField(), e.getCause()); |
|
209 |
} |
|
210 |
||
211 |
// User has chosen to restart login process |
|
212 |
catch (ActionAbortedException e) { |
|
213 |
// Do nothing |
|
214 |
} |
|
215 |
} |
|
216 |
} |
|
217 |
||
218 |
public ConnectionManager getConnectionManager() { |
|
219 |
return connManager; |
|
220 |
} |
|
221 |
||
222 |
/** |
|
223 |
* Returns the information needed to login to the server. |
|
224 |
*/ |
|
225 |
protected abstract LoginInfo getLoginInfo() throws ActionAbortedException; |
|
226 |
||
227 |
/** |
|
228 |
* Gets the truststore file. |
|
229 |
*/ |
|
230 |
public abstract File getTrustStoreFile(); |
|
231 |
||
232 |
/** |
|
233 |
* Gets the truststore password. This default implementation returns |
|
234 |
* "{@code trustpass}". |
|
235 |
*/ |
|
236 |
public String getTrustStorePassword() { |
|
237 |
return TRUSTSTORE_PASSWORD; |
|
238 |
} |
|
239 |
||
240 |
/** |
|
241 |
* Sets the (localized) message and cause when an error occurs. Subclasses |
|
242 |
* may wish to override this method -- this default implementation does |
|
243 |
* nothing. |
|
244 |
* |
|
245 |
* @param message |
|
246 |
* the localized message to display |
|
247 |
* |
|
248 |
* @param field |
|
249 |
* the login field that caused this error |
|
250 |
* |
|
251 |
* @param cause |
|
252 |
* the detailed cause of this error |
|
253 |
*/ |
|
254 |
protected void showError(String message, LoginField field, |
|
255 |
Throwable cause) { |
|
256 |
} |
|
257 |
||
258 |
/** |
|
259 |
* Sets the (localized) status of this {@code RadLoginManager}. Subclasses |
|
260 |
* may wish to override this method -- this default implementation does |
|
261 |
* nothing. |
|
262 |
*/ |
|
263 |
protected void showStatus(String status) { |
|
264 |
} |
|
265 |
||
266 |
// |
|
267 |
// Private methods |
|
268 |
// |
|
269 |
||
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
270 |
private void fauxResponse(AuthenticatorMXBean abean, Block answer, |
391 | 271 |
char[] uPassword) throws ObjectException { |
272 |
||
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
273 |
boolean sentPassword = false; |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
274 |
String errorMessage = null; |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
275 |
|
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
276 |
while (answer.getType() != BlockType.success) { |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
277 |
if (answer.getType() == BlockType.error) { |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
278 |
if (errorMessage != null) |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
279 |
throw new SecurityException(errorMessage); |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
280 |
throw new SecurityException(); |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
281 |
} |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
282 |
|
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
283 |
assert (answer.getType() == BlockType.conv); |
391 | 284 |
List<String> response = new LinkedList<String>(); |
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
285 |
for (Message m : answer.getMessages()) { |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
286 |
if (!sentPassword && m.getStyle() == MsgType.prompt_echo_off) { |
391 | 287 |
/* Assume it's Password: */ |
288 |
response.add(new String(uPassword)); |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
289 |
sentPassword = true; |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
290 |
errorMessage = null; /* prompt > error */ |
391 | 291 |
break; |
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
292 |
} else if (m.getStyle() == MsgType.error_msg) { |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
293 |
errorMessage = m.getMessage(); |
391 | 294 |
} |
295 |
} |
|
442
1998ce99dcb0
14787 explicit user login appears to succeed for roles
David Powell <David.Powell@sun.com>
parents:
438
diff
changeset
|
296 |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
297 |
answer = abean.submit(response); |
391 | 298 |
} |
299 |
} |
|
300 |
||
301 |
/** |
|
302 |
* Attempts to create a {@link ConnectionInfo} from the given {@link |
|
303 |
* LoginInfo}. |
|
304 |
* |
|
305 |
* @param oldinfo the previous connection, if any. |
|
306 |
*/ |
|
307 |
private ConnectionInfo toConnectionInfo(LoginInfo info, |
|
308 |
ConnectionInfo oldinfo) |
|
309 |
throws LoginFailedException, ActionAbortedException { |
|
310 |
||
311 |
// Throws LoginFailedException on bad data |
|
312 |
validate(info); |
|
313 |
||
314 |
String host = info.getHost(); |
|
315 |
String user = info.getUser(); |
|
316 |
String role = info.getRole(); |
|
317 |
int port = info.getPort(); |
|
318 |
||
319 |
// Search for an existing connection established for the specified |
|
320 |
// host/user |
|
321 |
ConnectionInfo cInfo = |
|
322 |
getConnectionManager().getConnection(host, port, user, role); |
|
323 |
if (cInfo != null) { |
|
324 |
return cInfo; |
|
325 |
} |
|
326 |
||
327 |
char[] uPassword = info.getUserPassword(); |
|
328 |
char[] rPassword = info.getRolePassword(); |
|
329 |
||
330 |
showStatus(Finder.getString( |
|
331 |
"login.status.host.trusted", host, user)); |
|
332 |
||
333 |
String urlString = "service:jmx:" + RadConnector.PROTOCOL_TLS + "://" + |
|
334 |
host; |
|
335 |
if (port != -1) { |
|
336 |
urlString += ":" + port; |
|
337 |
} |
|
338 |
||
339 |
try { |
|
340 |
File truststore = getTrustStoreFile(); |
|
341 |
if (!truststore.exists()) |
|
342 |
createTrustStore(truststore); |
|
343 |
||
344 |
checkForCancel(); |
|
345 |
||
346 |
showStatus(Finder.getString("login.status.loggingin", host, user)); |
|
347 |
||
348 |
Map<String, Object> env = new HashMap<String, Object>(); |
|
349 |
env.put(RadConnector.KEY_TLS_TRUSTSTORE, |
|
350 |
truststore.getAbsolutePath()); |
|
351 |
env.put(RadConnector.KEY_TLS_TRUSTPASS, |
|
352 |
getTrustStorePassword()); |
|
353 |
||
354 |
JMXServiceURL url = new JMXServiceURL(urlString); |
|
355 |
JMXConnector connector = |
|
356 |
JMXConnectorFactory.newJMXConnector(url, null); |
|
357 |
||
358 |
for (;;) { |
|
359 |
RadTrustManager mtm = null; |
|
360 |
try { |
|
361 |
mtm = new RadTrustManager(); |
|
362 |
env.put(RadConnector.KEY_TLS_RADMANAGER, mtm); |
|
363 |
checkForCancel(); |
|
364 |
connector.connect(env); |
|
365 |
break; |
|
366 |
} catch (IOException e) { |
|
367 |
if (mtm.getBadChain() == null || !handleCertFailure(host, |
|
368 |
truststore, mtm.getBadChain()[0])) { |
|
369 |
||
370 |
throw e; |
|
371 |
} |
|
372 |
} |
|
373 |
} |
|
374 |
||
375 |
MBeanServerConnection mbsc = connector.getMBeanServerConnection(); |
|
376 |
AuthenticatorMXBean abean = JMX.newMXBeanProxy(mbsc, |
|
377 |
MBeanUtil.makeObjectName("org.opensolaris.os.rad", |
|
378 |
"authentication"), AuthenticatorMXBean.class); |
|
379 |
||
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
380 |
Block answer = abean.login("C", user); |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
381 |
fauxResponse(abean, answer, uPassword); |
391 | 382 |
|
383 |
if (role != null) { |
|
468
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
384 |
answer = abean.assume("C", role); |
7fa83d27b9f3
14970 python client misformats setattr requests
David Powell <David.Powell@sun.com>
parents:
442
diff
changeset
|
385 |
fauxResponse(abean, answer, rPassword); |
391 | 386 |
} |
387 |
||
388 |
abean.complete(); |
|
389 |
||
396
ec97b6c8d665
13390 reinstate remote panel access
David Powell <David.Powell@sun.com>
parents:
391
diff
changeset
|
390 |
return new ConnectionInfo(host, port, user, role, connector); |
391 | 391 |
} |
392 |
||
393 |
catch (ObjectException e) { |
|
394 |
throw new LoginFailedException( |
|
395 |
Finder.getString("login.err.security"), e, |
|
396 |
LoginField.USER_PASSWORD); |
|
397 |
} |
|
398 |
||
399 |
// Thrown by createTrustStore |
|
400 |
catch (KeyStoreException e) { |
|
401 |
throw new LoginFailedException( |
|
402 |
Finder.getString("login.err.keystore"), e); |
|
403 |
} |
|
404 |
||
405 |
// Thrown by createTrustStore |
|
406 |
catch (NoSuchAlgorithmException e) { |
|
407 |
throw new LoginFailedException( |
|
408 |
Finder.getString("login.err.keystore"), e); |
|
409 |
} |
|
410 |
||
411 |
// Thrown by getDaemonCertificateChain |
|
412 |
catch (CertificateException e) { |
|
413 |
throw new LoginFailedException( |
|
414 |
Finder.getString("login.err.nocerts", host), e, |
|
415 |
LoginField.HOST); |
|
416 |
} |
|
417 |
||
418 |
// Thrown by getDaemonCertificateChain, new JMXServiceURL |
|
419 |
catch (MalformedURLException e) { |
|
420 |
e.printStackTrace(); |
|
421 |
throw new LoginFailedException( |
|
422 |
Finder.getString("login.err.url.invalid", urlString), |
|
423 |
e, LoginField.HOST); |
|
424 |
} |
|
425 |
||
426 |
// Thrown by JMXConnector.connect() |
|
427 |
catch (SecurityException e) { |
|
428 |
throw new LoginFailedException( |
|
429 |
Finder.getString("login.err.security"), e, |
|
430 |
LoginField.USER_PASSWORD); |
|
431 |
} |
|
432 |
||
433 |
// Thrown by JMXConnector methods |
|
434 |
catch (IOException e) { |
|
435 |
throw new LoginFailedException( |
|
436 |
Finder.getString("login.err.io", host), e); |
|
437 |
} |
|
438 |
||
439 |
finally { |
|
440 |
// Before throwing any of the above exceptions |
|
441 |
checkForCancel(); |
|
442 |
} |
|
443 |
} |
|
444 |
||
445 |
/** |
|
446 |
* Runs a simple validation test of the given {@code LoginInfo}. |
|
447 |
* |
|
448 |
* @param info |
|
449 |
* the data to validate |
|
450 |
* |
|
451 |
* @exception ActionAbortedException |
|
452 |
* if the action has been cancelled |
|
453 |
* |
|
454 |
* @exception LoginFailedException |
|
455 |
* if the data is invalid |
|
456 |
*/ |
|
457 |
private void validate(LoginInfo info) |
|
458 |
throws ActionAbortedException, LoginFailedException { |
|
459 |
||
460 |
checkForCancel(); |
|
461 |
showStatus(Finder.getString("login.status.field.validation")); |
|
462 |
||
463 |
String host = info.getHost(); |
|
464 |
if (host == null || host.isEmpty()) { |
|
465 |
throw new LoginFailedException( |
|
466 |
Finder.getString("login.err.host.empty"), |
|
467 |
LoginField.HOST); |
|
468 |
} |
|
469 |
||
470 |
String port = info.getPortStr(); |
|
471 |
if (port != null && !port.isEmpty()) { |
|
472 |
try { |
|
473 |
info.setPort(Integer.parseInt(port)); |
|
474 |
} catch (NumberFormatException e) { |
|
475 |
throw new LoginFailedException( |
|
476 |
Finder.getString("login.err.port.invalid", port), |
|
477 |
LoginField.PORT); |
|
478 |
} |
|
479 |
} |
|
480 |
||
481 |
String user = info.getUser(); |
|
482 |
if (user == null || user.isEmpty()) { |
|
483 |
throw new LoginFailedException( |
|
484 |
Finder.getString("login.err.user.empty"), |
|
485 |
LoginField.USER); |
|
486 |
} |
|
487 |
} |
|
488 |
} |