DefaultLoginsHealthCheck.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The SF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */
package org.apache.sling.hc.support.impl;

import java.util.Arrays;
import java.util.List;

import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.hc.api.HealthCheck;
import org.apache.sling.hc.api.Result;
import org.apache.sling.hc.util.FormattingResultLog;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** {@link HealthCheck} that checks that Sling default logins fail.
 *  Used to verify that those logins are disabled on production systems */
@Component(
        name="org.apache.sling.hc.support.DefaultLoginsHealthCheck",
        configurationFactory=true,
        policy=ConfigurationPolicy.REQUIRE,
        metatype=true,
        label="Apache Sling Default Logins Health Check",
        description="Expects default logins to fail, used to verify " +
                "that they are disabled on production systems")
@Properties({
    @Property(name=HealthCheck.NAME,
            label="Health Check Name", description="Name of this Health Check service."),
    @Property(name=HealthCheck.TAGS, unbounded=PropertyUnbounded.ARRAY,
             label="Health Check tags", description="List of tags for this Health Check service, used to select " +
               "subsets of Health Check services for execution"),
    @Property(name=HealthCheck.MBEAN_NAME,
             label="MBean Name", description="Name of the MBean to create for this Health Check.")
})
@Service(value=HealthCheck.class)
public class DefaultLoginsHealthCheck implements HealthCheck {

    private final Logger log = LoggerFactory.getLogger(getClass());

    @Property(unbounded=PropertyUnbounded.ARRAY,
            label="Login credentials",
            description="Which credentials to check. Each one is in the format \"user:password\" " +
                "like \"admin:admin\" for example. Do *not* put any confidential passwords here, the goal " +
                "is just to check that the default/demo logins, which passwords are known anyway, are disabled.")
    private static final String PROP_LOGINS = "logins";

    private List<String> logins;

    @Reference
    private SlingRepository repository;

    @Activate
    public void activate(ComponentContext ctx) {
        logins = Arrays.asList(PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_LOGINS), new String[] {}));
        log.info("Activated, logins={}", logins);
    }

    @Override
    public Result execute() {
        final FormattingResultLog resultLog = new FormattingResultLog();
        int checked=0;
        int failures=0;

        for(String login : logins) {
            final String [] parts = login.split(":");
            if(parts.length != 2) {
                resultLog.warn("Expected login in the form username:password, got [{}]", login);
                continue;
            }
            checked++;
            final String username = parts[0].trim();
            final String password = parts[1].trim();
            final Credentials creds = new SimpleCredentials(username, password.toCharArray());
            Session s = null;
            try {
                s = repository.login(creds);
                if(s != null) {
                    failures++;
                    resultLog.warn("Login as [{}] succeeded, was expecting it to fail", username);
                } else {
                    resultLog.debug("Login as [{}] didn't throw an Exception but returned null Session", username);
                }
            } catch(RepositoryException re) {
                resultLog.debug("Login as [{}] failed, as expected", username);
            } finally {
                if(s != null) {
                    s.logout();
                }
            }
        }

        if(checked==0) {
            resultLog.warn("Did not check any logins, configured logins={}", logins);
        } else if(failures != 0){
            resultLog.warn("Checked {} logins, {} failures", checked, failures);
        } else {
            resultLog.debug("Checked {} logins, all successful", checked, failures);
        }
        return new Result(resultLog);
    }
}