dependent on simple authentication and internal config, the client password is now cleared or kept. (#609)

* dependent on simple authentication and internal config, the client password is now cleared or kept.

* add conditional import for hivemq-extension-sdk

* corrected path for extension sdk

---------

Co-authored-by: Daniel Krueger <[email protected]>

Author: Florian-Limpoeck

hivemq-edge/settings.gradle.kts

@@ -25,6 +25,23 @@ includeBuild("./src/frontend") {
     name = "hivemq-edge-frontend"
 }
 
+if (file("../../hivemq-extension-sdk").exists()) {
+    includeBuild("../../hivemq-extension-sdk")
+} else {
+    logger.warn(
+        """
+        ######################################################################################################
+        You can not use the latest changes of or modify the hivemq-extension-sdk.
+        Please checkout the hivemq-extension-sdk repository next to the hivemq-community-edition repository.
+        Execute the following command from your project directory:
+        git clone https://github.com/hivemq/hivemq-extension-sdk.git ../hivemq-extension-sdk
+        You can also clone your fork:
+        git clone https://github.com/<replace-with-your-fork>/hivemq-extension-sdk.git ../hivemq-extension-sdk
+        ######################################################################################################
+        """.trimIndent()
+    )
+}
+
 if (file("../../hivemq-edge-extension-sdk").exists()) {
     includeBuild("../../hivemq-edge-extension-sdk")
 } else {

hivemq-edge/src/main/java/com/hivemq/bootstrap/ClientConnection.java

@@ -41,6 +41,7 @@
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.nio.ByteBuffer;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Optional;
 import java.util.concurrent.ScheduledFuture;
@@ -97,6 +98,7 @@ public class ClientConnection {
     private @Nullable ByteBuffer authData;
     private @Nullable Mqtt5UserProperties authUserProperties;
     private @Nullable ScheduledFuture<?> authFuture;
+    private @Nullable Boolean clearPasswordAfterAuth;
 
     private @Nullable ClientContextImpl extensionClientContext;
     private @Nullable ClientEventListeners extensionClientEventListeners;
@@ -581,6 +583,22 @@ public int getMaxInflightWindow(final int defaultMaxInflightWindow) {
         return Optional.empty();
     }
 
+    public void setClearPasswordAfterAuth(final @Nullable Boolean clearPasswordAfterAuth) {
+        this.clearPasswordAfterAuth = clearPasswordAfterAuth;
+    }
+
+    public @NotNull Optional<Boolean> isClearPasswordAfterAuth() {
+        return Optional.ofNullable(clearPasswordAfterAuth);
+    }
+
+    public void clearPassword(){
+        if(authPassword == null) {
+            return;
+        }
+        Arrays.fill(authPassword, (byte) 0);
+        authPassword = null;
+    }
+
     public @NotNull HashMap<String, Object> getAdditionalInformation() {
         return additionalInformation;
     }

hivemq-edge/src/main/java/com/hivemq/configuration/service/InternalConfigurations.java

@@ -251,6 +251,7 @@ public class InternalConfigurations {
     public static final int NETTY_COUNT_OF_CONNECTIONS_IN_SHUTDOWN_PARTITION = 100;
 
     public static final double MQTT_CONNECTION_KEEP_ALIVE_FACTOR = 1.5;
+    public static final boolean MQTT_CONNECTION_AUTH_CLEAR_PASSWORD = true;
 
     public static final long DISCONNECT_KEEP_ALIVE_BATCH = 100;
 

hivemq-edge/src/main/java/com/hivemq/extensions/auth/ConnectAuthContext.java

@@ -63,6 +63,7 @@ public ConnectAuthContext(
     void succeedAuthentication(final @NotNull ConnectAuthOutput output) {
         super.succeedAuthentication(output);
         final ClientConnection clientConnection = ctx.channel().attr(ClientConnection.CHANNEL_ATTRIBUTE_NAME).get();
+        clientConnection.setClearPasswordAfterAuth(output.isClearPasswordAfterAuth());
         clientConnection.setAuthData(output.getAuthenticationData());
         clientConnection.setAuthUserProperties(Mqtt5UserProperties.of(output.getOutboundUserProperties().asInternalList()));
         connectHandler.connectSuccessfulAuthenticated(ctx, clientConnection, connect, output.getClientSettings());

hivemq-edge/src/main/java/com/hivemq/extensions/auth/ConnectAuthOutput.java

@@ -42,6 +42,7 @@ public class ConnectAuthOutput extends AuthOutput<EnhancedAuthOutput> implements
 
     private @NotNull Mqtt5ConnAckReasonCode reasonCode = Mqtt5ConnAckReasonCode.NOT_AUTHORIZED;
     private @NotNull Mqtt5ConnAckReasonCode timeoutReasonCode = Mqtt5ConnAckReasonCode.NOT_AUTHORIZED;
+    private @Nullable Boolean clearPasswordAfterAuth;
     private final boolean supportsEnhancedAuth;
 
     public ConnectAuthOutput(
@@ -68,6 +69,11 @@ private void setDefaultReasonStrings() {
         timeoutReasonString = ReasonStrings.AUTH_FAILED_EXTENSION_TIMEOUT;
     }
 
+    public void authenticateSuccessfully(final boolean clearPasswordAfterAuth) {
+        this.clearPasswordAfterAuth = clearPasswordAfterAuth;
+        super.authenticateSuccessfully();
+    }
+
     @Override
     public void authenticateSuccessfully(final @NotNull ByteBuffer authenticationData) {
         checkEnhancedAuthSupport();
@@ -194,6 +200,10 @@ void failByThrowable(final @NotNull Throwable throwable) {
         return reasonCode;
     }
 
+    public @Nullable Boolean isClearPasswordAfterAuth() {
+        return clearPasswordAfterAuth;
+    }
+
     private static @NotNull Mqtt5ConnAckReasonCode checkReasonCode(final @NotNull ConnackReasonCode reasonCode) {
         checkNotNull(reasonCode, "CONNACK reason code must never be null");
         checkArgument(

hivemq-edge/src/main/java/com/hivemq/extensions/auth/ConnectSimpleAuthOutput.java

@@ -43,6 +43,11 @@ public void authenticateSuccessfully() {
         delegate.authenticateSuccessfully();
     }
 
+    @Override
+    public void authenticateSuccessfully(final boolean clearPasswordAfterAuth) {
+        delegate.authenticateSuccessfully(clearPasswordAfterAuth);
+    }
+
     @Override
     public void failAuthentication() {
         delegate.failAuthentication();
@@ -150,4 +155,4 @@ public T getOutput() {
             return delegate.getStatus();
         }
     }
-}
+}

hivemq-edge/src/main/java/com/hivemq/mqtt/handler/connect/ConnectHandler.java

@@ -75,6 +75,7 @@
 import javax.inject.Singleton;
 import java.nio.ByteBuffer;
 import java.util.NoSuchElementException;
+import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
 import static com.hivemq.bootstrap.netty.ChannelHandlerNames.AUTH_IN_PROGRESS_MESSAGE_HANDLER;
@@ -84,6 +85,7 @@
 import static com.hivemq.bootstrap.netty.ChannelHandlerNames.MQTT_MESSAGE_BARRIER;
 import static com.hivemq.bootstrap.netty.ChannelHandlerNames.MQTT_PUBLISH_FLOW_HANDLER;
 import static com.hivemq.configuration.service.InternalConfigurations.AUTH_DENY_UNAUTHENTICATED_CONNECTIONS;
+import static com.hivemq.configuration.service.InternalConfigurations.MQTT_CONNECTION_AUTH_CLEAR_PASSWORD;
 import static com.hivemq.mqtt.message.connack.CONNACK.KEEP_ALIVE_NOT_SET;
 import static com.hivemq.mqtt.message.connack.Mqtt5CONNACK.DEFAULT_MAXIMUM_PACKET_SIZE_NO_LIMIT;
 
@@ -210,6 +212,7 @@ public void connectSuccessfulUndecided(
             final @NotNull CONNECT connect,
             final @Nullable ModifiableClientSettingsImpl clientSettings) {
 
+        clearPasswordIfWanted(clientConnection);
         if (AUTH_DENY_UNAUTHENTICATED_CONNECTIONS.get()) {
             mqttConnacker.connackError(
                     clientConnection.getChannel(),
@@ -233,11 +236,25 @@ public void connectSuccessfulAuthenticated(
             final @NotNull CONNECT connect,
             final @Nullable ModifiableClientSettingsImpl clientSettings) {
 
+        clearPasswordIfWanted(clientConnection);
         clientConnection.proposeClientState(ClientState.AUTHENTICATED);
         connectAuthenticated(ctx, clientConnection, connect, clientSettings);
         cleanChannelAttributesAfterAuth(clientConnection);
     }
 
+    private void clearPasswordIfWanted(final @NotNull ClientConnection clientConnection) {
+        final Optional<Boolean> clearPasswordAfterAuthOptional = clientConnection.isClearPasswordAfterAuth();
+        if(clearPasswordAfterAuthOptional.isPresent()) {
+            if(clearPasswordAfterAuthOptional.get()) {
+                clientConnection.clearPassword();
+            }
+        } else {
+            if(MQTT_CONNECTION_AUTH_CLEAR_PASSWORD) {
+                clientConnection.clearPassword();
+            }
+        }
+    }
+
     private static void cleanChannelAttributesAfterAuth(final @NotNull ClientConnection clientConnection) {
         final ChannelPipeline pipeline = clientConnection.getChannel().pipeline();
         if (pipeline.context(AUTH_IN_PROGRESS_MESSAGE_HANDLER) != null) {

hivemq-edge/src/test/java/com/hivemq/mqtt/handler/connect/ConnectHandlerTest.java

@@ -87,12 +87,14 @@
 import util.*;
 
 import javax.inject.Provider;
+import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
 
+import static com.hivemq.configuration.service.InternalConfigurations.MQTT_CONNECTION_AUTH_CLEAR_PASSWORD;
 import static com.hivemq.extension.sdk.api.auth.parameter.OverloadProtectionThrottlingLevel.NONE;
 import static com.hivemq.mqtt.message.connack.CONNACK.KEEP_ALIVE_NOT_SET;
 import static com.hivemq.mqtt.message.connect.Mqtt5CONNECT.SESSION_EXPIRY_MAX;
@@ -1481,6 +1483,56 @@ public void test_set_client_settings() {
         assertEquals(123, connect.getReceiveMaximum());
     }
 
+    @Test(timeout = 5000)
+    public void test_contextWantsPasswordErasure_passwordCleared() {
+        createHandler();
+        final CONNECT connect = new CONNECT.Mqtt5Builder().withClientIdentifier("client").build();
+
+        final ClientConnection clientConnectionContext = channel.attr(ClientConnection.CHANNEL_ATTRIBUTE_NAME).get();
+        clientConnectionContext.setClearPasswordAfterAuth(true);
+        clientConnectionContext.setAuthPassword("password".getBytes(StandardCharsets.UTF_8));
+
+        final ModifiableClientSettingsImpl clientSettings = new ModifiableClientSettingsImpl(65535, null);
+        handler.connectSuccessfulAuthenticated(ctx, clientConnectionContext, connect, clientSettings);
+
+        assertNull(clientConnectionContext.getAuthPassword());
+    }
+
+    @Test(timeout = 5000)
+    public void test_contextDoesNotWantPasswordErasure_passwordKept() {
+        createHandler();
+        final CONNECT connect = new CONNECT.Mqtt5Builder().withClientIdentifier("client").build();
+
+        final ClientConnection clientConnectionContext = channel.attr(ClientConnection.CHANNEL_ATTRIBUTE_NAME).get();
+        clientConnectionContext.setClearPasswordAfterAuth(false);
+        clientConnectionContext.setAuthPassword("password".getBytes(StandardCharsets.UTF_8));
+
+        final ModifiableClientSettingsImpl clientSettings = new ModifiableClientSettingsImpl(65535, null);
+        handler.connectSuccessfulAuthenticated(ctx, clientConnectionContext, connect, clientSettings);
+
+        assertNotNull(clientConnectionContext.getAuthPassword());
+    }
+
+    @Test(timeout = 5000)
+    public void test_contextDoesNotDecidePasswordErasure_passwordKeptOrCleared() {
+        createHandler();
+        final CONNECT connect =
+                new CONNECT.Mqtt5Builder().withClientIdentifier("client").build();
+
+        final ClientConnection clientConnectionContext = channel.attr(ClientConnection.CHANNEL_ATTRIBUTE_NAME).get();
+        clientConnectionContext.setClearPasswordAfterAuth(null);
+        clientConnectionContext.setAuthPassword("password".getBytes(StandardCharsets.UTF_8));
+
+        final ModifiableClientSettingsImpl clientSettings = new ModifiableClientSettingsImpl(65535, null);
+        handler.connectSuccessfulAuthenticated(ctx, clientConnectionContext, connect, clientSettings);
+
+        if (MQTT_CONNECTION_AUTH_CLEAR_PASSWORD) {
+            assertNull(clientConnectionContext.getAuthPassword());
+        } else {
+            assertNotNull(clientConnectionContext.getAuthPassword());
+        }
+    }
+
     @Test
     public void test_start_connection_persistent() throws Exception {
         final CONNECT connect = new CONNECT.Mqtt3Builder().withClientIdentifier("client")