SaslServerFactoryImpl.java 6.44 KB
Newer Older
1
/*
2
 * Copyright (C) 2004-2008 Jive Software. All rights reserved.
3
 *
4 5 6 7 8 9 10 11 12 13 14
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 16
 */

17 18
package org.jivesoftware.openfire.sasl;

19 20 21 22 23 24 25 26
import org.jivesoftware.openfire.session.LocalClientSession;
import org.jivesoftware.openfire.session.LocalIncomingServerSession;
import org.jivesoftware.openfire.session.LocalSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Arrays;
import java.util.HashSet;
27
import java.util.Map;
28
import java.util.Set;
29

30
import javax.security.auth.callback.CallbackHandler;
31
import javax.security.sasl.Sasl;
32
import javax.security.sasl.SaslException;
33 34 35
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

36
/**
37
 * Server Factory for supported mechanisms.
38 39 40 41
 *
 * @author Jay Kline
 */

42 43 44
public class SaslServerFactoryImpl implements SaslServerFactory
{
    private final static Logger Log = LoggerFactory.getLogger( SaslServerFactoryImpl.class );
45

46 47 48 49
    /**
     * All mechanisms provided by this factory.
     */
    private final Set<Mechanism> allMechanisms;
50

51 52 53
    public SaslServerFactoryImpl()
    {
        allMechanisms = new HashSet<>();
54
        allMechanisms.add( new Mechanism( "ANONYMOUS", true, true ) );
55
        allMechanisms.add( new Mechanism( "PLAIN", false, true ) );
56
        allMechanisms.add( new Mechanism( "SCRAM-SHA-1", false, false ) );
57 58
        allMechanisms.add( new Mechanism( "JIVE-SHAREDSECRET", true, false ) );
        allMechanisms.add( new Mechanism( "EXTERNAL", false, false ) );
59 60
    }

61 62 63 64 65 66 67 68 69 70 71 72
    @Override
    public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException
    {
        if ( !Arrays.asList( getMechanismNames( props )).contains( mechanism ) )
        {
            Log.debug( "This implementation is unable to create a SaslServer instance for the {} mechanism using the provided properties.", mechanism );
            return null;
        }

        switch ( mechanism.toUpperCase() )
        {
            case "PLAIN":
73
                if ( cbh == null )
74 75 76 77 78 79
                {
                    Log.debug( "Unable to instantiate {} SaslServer: A callbackHandler with support for Password, Name, and AuthorizeCallback required.", mechanism );
                    return null;
                }
                return new SaslServerPlainImpl( protocol, serverName, props, cbh );

80
            case "SCRAM-SHA-1":
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123
                return new ScramSha1SaslServer();

            case "ANONYMOUS":
                if ( !props.containsKey( LocalSession.class.getCanonicalName() ) )
                {
                    Log.debug( "Unable to instantiate {} SaslServer: Provided properties do not contain a LocalSession instance.", mechanism );
                    return null;
                }
                else
                {
                    final LocalSession session = (LocalSession) props.get( LocalSession.class.getCanonicalName() );
                    return new AnonymousSaslServer( session );
                }

            case "EXTERNAL":
                if ( !props.containsKey( LocalSession.class.getCanonicalName() ) )
                {
                    Log.debug( "Unable to instantiate {} SaslServer: Provided properties do not contain a LocalSession instance.", mechanism );
                    return null;
                }
                else
                {
                    final Object session = props.get( LocalSession.class.getCanonicalName() );
                    if ( session instanceof LocalClientSession )
                    {
                        return new ExternalClientSaslServer( (LocalClientSession) session );
                    }
                    if ( session instanceof LocalIncomingServerSession )
                    {
                        return new ExternalServerSaslServer( (LocalIncomingServerSession) session );
                    }

                    Log.debug( "Unable to instantiate {} Sasl Server: Provided properties contains neither LocalClientSession nor LocalIncomingServerSession instance.", mechanism );
                    return null;
                }

            case JiveSharedSecretSaslServer.NAME:
                return new JiveSharedSecretSaslServer();

            default:
                throw new IllegalStateException(); // Fail fast - this should not be possible, as the first check in this method already verifies wether the mechanism is supported.
        }
    }
124

125
    @Override
126 127 128 129 130 131
    public String[] getMechanismNames( Map<String, ?> props )
    {
        final Set<String> result = new HashSet<>();

        for ( final Mechanism mechanism : allMechanisms )
        {
132
            if ( props != null )
133
            {
134
                if ( mechanism.allowsAnonymous && props.containsKey( Sasl.POLICY_NOANONYMOUS ) && Boolean.parseBoolean( (String) props.get( Sasl.POLICY_NOANONYMOUS ) ) )
135 136 137 138
                {
                    // Do not include a mechanism that allows anonymous authentication when the 'no anonymous' policy is set.
                    continue;
                }
139

140 141 142 143 144
                if ( mechanism.isPlaintext && props.containsKey( Sasl.POLICY_NOPLAINTEXT ) && Boolean.parseBoolean( (String) props.get( Sasl.POLICY_NOPLAINTEXT ) ) )
                {
                    // Do not include a mechanism that is susceptible to simple plain passive attacks when the 'no plaintext' policy is set.
                    continue;
                }
145 146 147 148
            }

            // Mechanism passed all filters. It should be part of the result.
            result.add( mechanism.name );
149
        }
150 151

        return result.toArray( new String[ result.size() ] );
152 153
    }

154 155 156 157 158
    private static class Mechanism
    {
        final String name;
        final boolean allowsAnonymous;
        final boolean isPlaintext;
159

160 161 162 163 164 165
        private Mechanism( String name, boolean allowsAnonymous, boolean isPlaintext )
        {
            this.name = name;
            this.allowsAnonymous = allowsAnonymous;
            this.isPlaintext = isPlaintext;
        }
166
    }
167
}