zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-06-27 14:54:51 +02:00
Code Issues Projects Releases Packages Wiki Activity

Upgrade apache_sshd CL #2: Update to v1_2_0

Browse source 
This changelist makes the newly added v1_2_0 the default and fixes incompatibilities
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=125609347
This commit is contained in:
Ben McIlwain 2016-06-22 14:30:13 -07:00
parent 744648b5d3
commit 84eb3c8666
5 changed files with 67 additions and 191 deletions
Download patch file Download diff file Expand all files Collapse all files

4
java/google/registry/repositories.bzl
View file

@ -446,8 +446,8 @@ def domain_registry_repositories():
native.maven_jar( native.maven_jar(
name = "sshd_core", name = "sshd_core",
artifact = "org.apache.sshd:sshd-core:0.7.0", artifact = "org.apache.sshd:sshd-core:1.2.0",
sha1 = "ef5d0cae23845dead3fc53ecd61bd990ed42f60f", sha1 = "4bc24a8228ba83dac832680366cf219da71dae8e",
) )
native.maven_jar( native.maven_jar(

4
javatests/google/registry/flows/EppXxeAttackTest.java
View file

@ -21,6 +21,10 @@ import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.junit.runners.JUnit4; import org.junit.runners.JUnit4;
/**
* Tests for XXE attacks.
*
*/
@RunWith(JUnit4.class) @RunWith(JUnit4.class)
public class EppXxeAttackTest extends EppTestCase { public class EppXxeAttackTest extends EppTestCase {

5
javatests/google/registry/testing/Providers.java
View file

@ -16,16 +16,13 @@ package google.registry.testing;
import javax.inject.Provider; import javax.inject.Provider;
/** Helper functions for {@link Provider} */ /** Helper functions for {@link Provider}. */
public final class Providers { public final class Providers {
/** /**
* Returns a {@link Provider} that supplies a constant value. * Returns a {@link Provider} that supplies a constant value.
* *
* @deprecated Add {@code //third_party/java/inject_common} as a dependency and then use
* {@link com.google.common.inject.Providers#of} instead.
*/ */
@Deprecated
public static <T> Provider<T> of(final T instance) { public static <T> Provider<T> of(final T instance) {
return new Provider<T>() { return new Provider<T>() {
@Override @Override

4
javatests/google/registry/testing/sftp/SftpServerRule.java
View file

@ -20,7 +20,6 @@ import google.registry.util.NetworkUtils;
import org.apache.ftpserver.FtpServer; import org.apache.ftpserver.FtpServer;
import org.apache.ftpserver.ftplet.FtpException; import org.apache.ftpserver.ftplet.FtpException;
import org.apache.sshd.server.session.SessionFactory;
import org.junit.rules.ExternalResource; import org.junit.rules.ExternalResource;
import java.io.File; import java.io.File;
@ -60,8 +59,7 @@ public final class SftpServerRule extends ExternalResource {
private static FtpServer createSftpServer(String user, String pass, File home, int port) private static FtpServer createSftpServer(String user, String pass, File home, int port)
throws FtpException { throws FtpException {
FtpServer server = FtpServer server = TestSftpServer.createSftpServer(user, pass, null, port, home);
TestSftpServer.createSftpServer(user, pass, null, port, home, new SessionFactory());
server.start(); server.start();
return server; return server;
} }

241
javatests/google/registry/testing/sftp/TestSftpServer.java
View file

@ -15,49 +15,22 @@
package google.registry.testing.sftp; package google.registry.testing.sftp;
import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import org.apache.ftpserver.FtpServer; import org.apache.ftpserver.FtpServer;
import org.apache.ftpserver.ftplet.FtpException; import org.apache.ftpserver.ftplet.FtpException;
import org.apache.sshd.SshServer;
import org.apache.sshd.common.Channel;
import org.apache.sshd.common.Cipher;
import org.apache.sshd.common.Compression;
import org.apache.sshd.common.KeyPairProvider;
import org.apache.sshd.common.Mac;
import org.apache.sshd.common.NamedFactory; import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.Session; import org.apache.sshd.common.file.virtualfs.VirtualFileSystemFactory;
import org.apache.sshd.common.Signature; import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.cipher.AES128CBC;
import org.apache.sshd.common.cipher.AES192CBC;
import org.apache.sshd.common.cipher.AES256CBC;
import org.apache.sshd.common.cipher.BlowfishCBC;
import org.apache.sshd.common.cipher.TripleDESCBC;
import org.apache.sshd.common.compression.CompressionNone;
import org.apache.sshd.common.mac.HMACMD5;
import org.apache.sshd.common.mac.HMACMD596;
import org.apache.sshd.common.mac.HMACSHA1;
import org.apache.sshd.common.mac.HMACSHA196;
import org.apache.sshd.common.random.BouncyCastleRandom;
import org.apache.sshd.common.random.SingletonRandomFactory; import org.apache.sshd.common.random.SingletonRandomFactory;
import org.apache.sshd.common.signature.SignatureDSA;
import org.apache.sshd.common.signature.SignatureRSA;
import org.apache.sshd.server.Command; import org.apache.sshd.server.Command;
import org.apache.sshd.server.FileSystemFactory; import org.apache.sshd.server.ServerBuilder;
import org.apache.sshd.server.FileSystemView; import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.ForwardingAcceptorFactory; import org.apache.sshd.server.auth.password.PasswordAuthenticator;
import org.apache.sshd.server.PasswordAuthenticator; import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
import org.apache.sshd.server.PublickeyAuthenticator; import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.SshFile;
import org.apache.sshd.server.channel.ChannelDirectTcpip;
import org.apache.sshd.server.channel.ChannelSession;
import org.apache.sshd.server.filesystem.NativeFileSystemFactory;
import org.apache.sshd.server.filesystem.NativeSshFile;
import org.apache.sshd.server.kex.DHG1;
import org.apache.sshd.server.kex.DHG14;
import org.apache.sshd.server.session.DefaultForwardingAcceptorFactory;
import org.apache.sshd.server.session.ServerSession; import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.server.session.SessionFactory; import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
import org.apache.sshd.server.sftp.SftpSubsystem;
import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair; import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.openssl.PEMParser;
@ -70,9 +43,6 @@ import java.security.KeyPair;
import java.security.PublicKey; import java.security.PublicKey;
import java.security.Security; import java.security.Security;
import java.util.Arrays; import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
@ -87,7 +57,6 @@ public class TestSftpServer implements FtpServer {
static { static {
Security.addProvider(new BouncyCastleProvider()); Security.addProvider(new BouncyCastleProvider());
secureRandomFactory = new SingletonRandomFactory(new BouncyCastleRandom.Factory());
} }
private static final String HOST_KEY = "" private static final String HOST_KEY = ""
@ -136,98 +105,69 @@ public class TestSftpServer implements FtpServer {
} }
} }
// Apache provides a NativeFileSystemView, but it assumes that the root
// directory you want is /home/username. Yep.
// So reuse as much as we can.
private static class TestFileSystemView implements FileSystemView {
private final String userName;
private final File home;
public TestFileSystemView(String userName, File home) {
this.userName = userName;
this.home = home;
}
@Override
public SshFile getFile(SshFile arg1, String arg2) {
return null;
}
@Override
public SshFile getFile(String fileName) {
File file = new File(home, fileName);
// Work around demands of NativeSshFile constructor.
String absolutePath = fileName.equals(".") ? "/" : fileName;
return new TestSshFile(absolutePath, file, userName, home);
}
}
private static class TestSshFile extends NativeSshFile {
// Purely an end-run around the protected constructor
@SuppressWarnings("unused")
TestSshFile(String fileName, File file, String userName, File home) {
super(fileName, file, userName);
}
}
public static FtpServer createSftpServer( public static FtpServer createSftpServer(
final String authorizedUser, final String authorizedUser,
@Nullable final String authorizedPassword, @Nullable final String authorizedPassword,
@Nullable final PublicKey authorizedPublicKey, @Nullable final PublicKey authorizedPublicKey,
int port, int port,
final File home, final File home) {
SessionFactory sessionFactory) {
final SshServer server = setUpDefaultServer(); ServerBuilder serverBuilder = ServerBuilder.builder();
serverBuilder.randomFactory(secureRandomFactory);
if (authorizedPublicKey != null) {
// This authenticator checks that the user is presenting the right key. If authenticate
// returns true, then the server will make sure that the user can prove they have that key.
// Not that you would know this from the Apache javadocs.
serverBuilder.publickeyAuthenticator(
new PublickeyAuthenticator() {
@Override
public boolean authenticate(
String username, PublicKey publicKey, ServerSession session) {
return Arrays.equals(publicKey.getEncoded(), authorizedPublicKey.getEncoded());
}
});
}
serverBuilder.fileSystemFactory(new VirtualFileSystemFactory(home.toPath()));
SshServer server = serverBuilder.build();
server.setCommandFactory(new ScpCommandFactory());
server.setPort(port); server.setPort(port);
server.setSessionFactory(sessionFactory);
NamedFactory<Command> sftpSubsystemFactory = new SftpSubsystem.Factory(); NamedFactory<Command> sftpSubsystemFactory = new SftpSubsystemFactory.Builder().build();
server.setSubsystemFactories(ImmutableList.of(sftpSubsystemFactory)); server.setSubsystemFactories(ImmutableList.of(sftpSubsystemFactory));
if (authorizedPassword != null) { if (authorizedPassword != null) {
PasswordAuthenticator passwordAuthenticator = new PasswordAuthenticator() { server.setPasswordAuthenticator(
@Override new PasswordAuthenticator() {
public boolean authenticate(String username, String password, ServerSession session) { @Override
return username.equals(authorizedUser) && password.equals(authorizedPassword); public boolean authenticate(String username, String password, ServerSession session) {
} return username.equals(authorizedUser) && password.equals(authorizedPassword);
}; }
server.setPasswordAuthenticator(passwordAuthenticator); });
} }
// This authenticator checks that the user is presenting the right key. If authenticate KeyPairProvider keyPairProvider =
// returns true, then the server will make sure that the user can prove they have that key. new KeyPairProvider() {
// Not that you would know this from the Apache javadocs. final ImmutableMap<String, KeyPair> keyPairByTypeMap =
if (authorizedPublicKey != null) { ImmutableMap.of(KEY_TYPE, HOST_KEY_PAIR);
PublickeyAuthenticator publicKeyAuthenticator = new PublickeyAuthenticator() {
@Override
public boolean authenticate(String username, PublicKey publicKey, ServerSession session) {
return Arrays.equals(publicKey.getEncoded(), authorizedPublicKey.getEncoded());
}
};
server.setPublickeyAuthenticator(publicKeyAuthenticator);
}
FileSystemFactory fileSystemFactory = new FileSystemFactory() { @Override
@Override public Iterable<KeyPair> loadKeys() {
public FileSystemView createFileSystemView(Session session) { return keyPairByTypeMap.values();
return new TestFileSystemView("anyone", home); }
}
};
server.setFileSystemFactory(fileSystemFactory);
@Override
public Iterable<String> getKeyTypes() {
return keyPairByTypeMap.keySet();
}
KeyPairProvider keyPairProvider = new KeyPairProvider() { @Override
@Override public KeyPair loadKey(final String type) {
public KeyPair loadKey(String type) { return keyPairByTypeMap.get(type);
return (type.equals(KEY_TYPE)) ? HOST_KEY_PAIR : null; }
} };
@Override
public String getKeyTypes() {
return KEY_TYPE;
}
};
server.setKeyPairProvider(keyPairProvider); server.setKeyPairProvider(keyPairProvider);
return new TestSftpServer(server); return new TestSftpServer(server);
@ -250,10 +190,10 @@ public class TestSftpServer implements FtpServer {
public synchronized void stop() { public synchronized void stop() {
try { try {
logger.info("Stopping server"); logger.info("Stopping server");
server.stop(); server.stop(true);
stopped = true; stopped = true;
} catch (InterruptedException e) { } catch (IOException e) {
logger.log(Level.WARNING, "Server shutdown interrupted", e); logger.log(Level.WARNING, "Error shutting down server", e);
} }
} }
@ -283,67 +223,4 @@ public class TestSftpServer implements FtpServer {
public boolean isStopped() { public boolean isStopped() {
return stopped; return stopped;
} }
// More almost-cut-and-paste from Apache. Their version of this method
// creates a new "singleton" random number generator each time it's called,
// which in turn waits for enough securely random bits to be available from
// the system. Certainly for test purposes it's good enough for everyone
// to share the same random seed. SuppressWarnings because Apache is a bit
// more lax about generics than we are.
private static SshServer setUpDefaultServer() {
SshServer sshd = new SshServer();
// DHG14 uses 2048 bits key which are not supported by the default JCE provider
sshd.setKeyExchangeFactories(Arrays.asList(
new DHG14.Factory(),
new DHG1.Factory()));
sshd.setRandomFactory(secureRandomFactory);
setUpDefaultCiphers(sshd);
// Compression is not enabled by default
// sshd.setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
// new CompressionNone.Factory(),
// new CompressionZlib.Factory(),
// new CompressionDelayedZlib.Factory()));
sshd.setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
new CompressionNone.Factory()));
sshd.setMacFactories(Arrays.<NamedFactory<Mac>>asList(
new HMACMD5.Factory(),
new HMACSHA1.Factory(),
new HMACMD596.Factory(),
new HMACSHA196.Factory()));
sshd.setChannelFactories(Arrays.<NamedFactory<Channel>>asList(
new ChannelSession.Factory(),
new ChannelDirectTcpip.Factory()));
sshd.setSignatureFactories(Arrays.<NamedFactory<Signature>>asList(
new SignatureDSA.Factory(),
new SignatureRSA.Factory()));
sshd.setFileSystemFactory(new NativeFileSystemFactory());
ForwardingAcceptorFactory faf = new DefaultForwardingAcceptorFactory();
sshd.setTcpipForwardNioSocketAcceptorFactory(faf);
sshd.setX11ForwardNioSocketAcceptorFactory(faf);
return sshd;
}
private static void setUpDefaultCiphers(SshServer sshd) {
List<NamedFactory<Cipher>> avail = new LinkedList<>();
avail.add(new AES128CBC.Factory());
avail.add(new TripleDESCBC.Factory());
avail.add(new BlowfishCBC.Factory());
avail.add(new AES192CBC.Factory());
avail.add(new AES256CBC.Factory());
for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
final NamedFactory<Cipher> f = i.next();
try {
final Cipher c = f.create();
final byte[] key = new byte[c.getBlockSize()];
final byte[] iv = new byte[c.getIVSize()];
c.init(Cipher.Mode.Encrypt, key, iv);
} catch (Exception e) {
i.remove();
}
}
sshd.setCipherFactories(avail);
}
} }