fix(jaas): fix jaas login (#12848)

Author: david-leifker

datahub-frontend/app/security/AuthenticationManager.java

@@ -3,31 +3,65 @@
 import com.google.common.base.Preconditions;
 import javax.annotation.Nonnull;
 import javax.naming.AuthenticationException;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
 import org.apache.commons.lang3.StringUtils;
-import org.eclipse.jetty.security.UserPrincipal;
-import org.eclipse.jetty.util.security.Credential;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class AuthenticationManager {
+  private static final Logger log = LoggerFactory.getLogger(AuthenticationManager.class);
+
   private AuthenticationManager() {} // Prevent instantiation
 
   public static void authenticateJaasUser(@Nonnull String userName, @Nonnull String password)
       throws Exception {
     Preconditions.checkArgument(!StringUtils.isAnyEmpty(userName), "Username cannot be empty");
 
     try {
-      // Create and configure credentials for authentication
-      UserPrincipal userPrincipal = new UserPrincipal(userName, Credential.getCredential(password));
+      // Create a login context with our custom callback handler
+      LoginContext loginContext =
+          new LoginContext("WHZ-Authentication", new WHZCallbackHandler(userName, password));
 
-      // Verify credentials
-      if (!userPrincipal.authenticate(password)) {
-        throw new AuthenticationException("Invalid credentials for user: " + userName);
-      }
+      // Attempt login
+      loginContext.login();
+
+      // If we get here, authentication succeeded
+      log.debug("Authentication succeeded for user: {}", userName);
 
-    } catch (Exception e) {
+    } catch (LoginException le) {
+      log.info("Authentication failed for user {}: {}", userName, le.getMessage());
       AuthenticationException authenticationException =
-          new AuthenticationException("Authentication failed");
-      authenticationException.setRootCause(e);
+          new AuthenticationException(le.getMessage());
+      authenticationException.setRootCause(le);
       throw authenticationException;
     }
   }
+
+  private static class WHZCallbackHandler implements CallbackHandler {
+    private final String password;
+    private final String username;
+
+    private WHZCallbackHandler(@Nonnull String username, @Nonnull String password) {
+      this.username = username;
+      this.password = password;
+    }
+
+    @Override
+    public void handle(@Nonnull Callback[] callbacks) {
+      for (Callback callback : callbacks) {
+        if (callback instanceof NameCallback) {
+          NameCallback nc = (NameCallback) callback;
+          nc.setName(username);
+        } else if (callback instanceof PasswordCallback) {
+          PasswordCallback pc = (PasswordCallback) callback;
+          pc.setPassword(password.toCharArray());
+        }
+      }
+    }
+  }
 }

datahub-frontend/app/security/DataHubUserPrincipal.java

@@ -0,0 +1,35 @@
+package security;
+
+import java.security.Principal;
+
+public class DataHubUserPrincipal implements Principal {
+  private final String name;
+
+  public DataHubUserPrincipal(String name) {
+    this.name = name;
+  }
+
+  @Override
+  public String getName() {
+    return name;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) return true;
+    if (o == null || getClass() != o.getClass()) return false;
+
+    DataHubUserPrincipal that = (DataHubUserPrincipal) o;
+    return name.equals(that.name);
+  }
+
+  @Override
+  public int hashCode() {
+    return name.hashCode();
+  }
+
+  @Override
+  public String toString() {
+    return "DataHubUserPrincipal[" + name + "]";
+  }
+}

datahub-frontend/app/security/PropertyFileLoginModule.java

@@ -0,0 +1,139 @@
+package security;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Map;
+import java.util.Properties;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class PropertyFileLoginModule implements LoginModule {
+  private static final Logger log = LoggerFactory.getLogger(PropertyFileLoginModule.class);
+
+  private Subject subject;
+  private CallbackHandler callbackHandler;
+  private boolean debug = false;
+  private String file;
+  private boolean succeeded = false;
+  private String username;
+
+  @Override
+  public void initialize(
+      Subject subject,
+      CallbackHandler callbackHandler,
+      Map<String, ?> sharedState,
+      Map<String, ?> options) {
+    this.subject = subject;
+    this.callbackHandler = callbackHandler;
+
+    // Get configuration options
+    this.debug = "true".equalsIgnoreCase((String) options.get("debug"));
+    this.file = (String) options.get("file");
+
+    if (debug) {
+      log.debug("PropertyFileLoginModule initialized with file: {}", file);
+    }
+  }
+
+  @Override
+  public boolean login() throws LoginException {
+    // If no file specified, this module can't authenticate
+    if (file == null) {
+      if (debug) log.debug("No property file specified");
+      return false;
+    }
+
+    // Get username and password from callbacks
+    NameCallback nameCallback = new NameCallback("Username: ");
+    PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
+
+    try {
+      callbackHandler.handle(new Callback[] {nameCallback, passwordCallback});
+    } catch (IOException | UnsupportedCallbackException e) {
+      if (debug) log.debug("Error getting callbacks", e);
+      throw new LoginException("Error during callback handling: " + e.getMessage());
+    }
+
+    this.username = nameCallback.getName();
+    char[] password = passwordCallback.getPassword();
+    passwordCallback.clearPassword();
+
+    if (username == null || username.isEmpty() || password == null) {
+      if (debug) log.debug("Username or password is empty");
+      return false;
+    }
+
+    // Load properties file
+    Properties props = new Properties();
+    File propsFile = new File(file);
+
+    if (!propsFile.exists() || !propsFile.isFile() || !propsFile.canRead()) {
+      if (debug) log.debug("Cannot read property file: {}", file);
+      return false;
+    }
+
+    try (FileInputStream fis = new FileInputStream(propsFile)) {
+      props.load(fis);
+    } catch (IOException e) {
+      if (debug) log.debug("Failed to load property file", e);
+      throw new LoginException("Error loading property file: " + e.getMessage());
+    }
+
+    // Check if username exists and password matches
+    String storedPassword = props.getProperty(username);
+    if (storedPassword == null) {
+      if (debug) log.debug("User not found: {}", username);
+      return false;
+    }
+
+    // Compare passwords
+    succeeded = storedPassword.equals(new String(password));
+
+    if (debug) {
+      if (succeeded) {
+        log.debug("Authentication succeeded for user: {}", username);
+      } else {
+        log.debug("Authentication failed for user: {}", username);
+      }
+    }
+
+    return succeeded;
+  }
+
+  @Override
+  public boolean commit() throws LoginException {
+    if (!succeeded) {
+      return false;
+    }
+
+    // Add principal to the subject if authentication succeeded
+    subject.getPrincipals().add(new DataHubUserPrincipal(username));
+
+    return true;
+  }
+
+  @Override
+  public boolean abort() throws LoginException {
+    succeeded = false;
+    username = null;
+    return true;
+  }
+
+  @Override
+  public boolean logout() throws LoginException {
+    // Remove principals that were added by this module
+    subject.getPrincipals().removeIf(p -> p instanceof DataHubUserPrincipal);
+    succeeded = false;
+    username = null;
+    return true;
+  }
+}

datahub-frontend/conf/jaas.conf

@@ -1,7 +1,11 @@
 // This is a sample JAAS config that uses the following login module
-// org.eclipse.jetty.jaas.spi.PropertyFileLoginModule -- this module can work with a username and any password defined in the `../conf/user.props` file
+// security.PropertyFileLoginModule -- this module can work with a username and any password defined in the `../conf/user.props` file
 
 WHZ-Authentication {
-  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient debug="true" file="/etc/datahub/plugins/frontend/auth/user.props";
-  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient debug="true" file="/datahub-frontend/conf/user.props";
-};
+  security.PropertyFileLoginModule sufficient
+    debug="true"
+    file="/etc/datahub/plugins/frontend/auth/user.props";
+  security.PropertyFileLoginModule sufficient
+    debug="true"
+    file="/datahub-frontend/conf/user.props";
+};

datahub-frontend/run/jaas.conf

@@ -1,9 +1,8 @@
 // This is a sample JAAS config that uses the following login module
-// This is a sample JAAS config that uses the following login module
-// org.eclipse.jetty.jaas.spi.PropertyFileLoginModule -- this module can work with a username and any password defined in the `../conf/user.props` file
+// security.PropertyFileLoginModule -- this module can work with a username and any password defined in the `../conf/user.props` file
 
 WHZ-Authentication {
-  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
+  security.PropertyFileLoginModule sufficient
   debug="true"
   file="../conf/user.props";
 };