Repository: nifi Updated Branches: refs/heads/NIFI-655 018c0864e -> 3cf3addd8
NIFI-655: - Adding a few new exceptions for the login identity provider. Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/3cf3addd Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/3cf3addd Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/3cf3addd Branch: refs/heads/NIFI-655 Commit: 3cf3addd85e3734e089d5d41df8075a7a5b5b9f7 Parents: 018c086 Author: Matt Gilman <[email protected]> Authored: Mon Nov 9 09:20:49 2015 -0500 Committer: Matt Gilman <[email protected]> Committed: Mon Nov 9 09:20:49 2015 -0500 ---------------------------------------------------------------------- .../authentication/LoginIdentityProvider.java | 5 +- .../exception/IdentityAccessException.java | 33 +++++++++ .../IdentityRegistrationException.java | 33 +++++++++ .../nifi/authorized/users/AuthorizedUsers.java | 73 ++++++++++++++++++-- .../form/LoginAuthenticationFilter.java | 16 +++-- .../web/security/form/RegistrationFilter.java | 3 + 6 files changed, 151 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/3cf3addd/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java b/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java index 15a20a8..290b694 100644 --- a/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java +++ b/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java 
@@ -16,6 +16,7 @@ */ package org.apache.nifi.authentication; +import org.apache.nifi.authentication.exception.IdentityAccessException; import org.apache.nifi.authorization.exception.IdentityAlreadyExistsException; import org.apache.nifi.authorization.exception.ProviderCreationException; import org.apache.nifi.authorization.exception.ProviderDestructionException; @@ -37,7 +38,7 @@ public interface LoginIdentityProvider { * * @param credentials the login credentials */ - void register(LoginCredentials credentials) throws IdentityAlreadyExistsException; + void register(LoginCredentials credentials) throws IdentityAlreadyExistsException, IdentityAccessException; /** * Authenticates the specified login credentials. @@ -45,7 +46,7 @@ public interface LoginIdentityProvider { * @param credentials the credentials * @return whether the user was authenticated */ - boolean authenticate(LoginCredentials credentials); + boolean authenticate(LoginCredentials credentials) throws IdentityAccessException; /** * Called immediately after instance creation for implementers to perform additional setup http://git-wip-us.apache.org/repos/asf/nifi/blob/3cf3addd/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityAccessException.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityAccessException.java b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityAccessException.java new file mode 100644 index 0000000..b68c675 --- /dev/null +++ b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityAccessException.java 
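Review bot: The Javadoc for `register` and `authenticate` in the second and third hunks is not updated for the new exception, so implementers are never told when to throw it; the visible comments still carry only `@param credentials` and `@return whether the user was authenticated`. Because `authenticate` returns a boolean, the contract should state that `false` means the credentials were rejected and that a backing-store failure must be thrown, never folded into `true` or `false`. I would add `@throws IdentityAccessException if the backing store could not be consulted; implementations must not report this as a successful or failed authentication` to both methods. The interface body continues outside these hunks.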
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the case when the identity could not be confirmed because it was unable
+ * to access the backing store.
+ */
+public class IdentityAccessException extends RuntimeException {
+
+ public IdentityAccessException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public IdentityAccessException(String message) {
+ super(message);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3cf3addd/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityRegistrationException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityRegistrationException.java b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityRegistrationException.java
new file mode 100644
index 0000000..4b80c61
--- /dev/null
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityRegistrationException.java
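Review bot: `IdentityAccessException` extends `RuntimeException`, so the `throws IdentityAccessException` clauses added to `LoginIdentityProvider` are not enforced by the compiler, and any caller of `authenticate` or `register` that is not updated will let a store outage escape untranslated. If every caller is expected to handle it, as the two filters in this commit do, a checked exception would make that enforceable; otherwise the class Javadoc should say it is unchecked by design. The Javadoc sentence is also ambiguous about what "it" refers to; I would write `Thrown by a LoginIdentityProvider when the backing identity store could not be accessed, so the identity could neither be confirmed nor rejected.`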
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the case when the identity could not be registered for some reason.
+ * Like the credentials did not meet the minimum requirements
+ */
+public class IdentityRegistrationException extends RuntimeException {
+
+ public IdentityRegistrationException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public IdentityRegistrationException(String message) {
+ super(message);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3cf3addd/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorized-users/src/main/java/org/apache/nifi/authorized/users/AuthorizedUsers.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorized-users/src/main/java/org/apache/nifi/authorized/users/AuthorizedUsers.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorized-users/src/main/java/org/apache/nifi/authorized/users/AuthorizedUsers.java
index f19514e..b48f348 100644
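Review bot: Nothing in this commit throws, declares or catches `IdentityRegistrationException`: `register` in `LoginIdentityProvider` gains only `IdentityAccessException` in its `throws` clause, and the `RegistrationFilter` hunk catches only `IdentityAlreadyExistsException` and `IdentityAccessException`. As far as the visible lines show, a provider that rejects weak credentials with this exception would propagate it out of the filter as an unhandled runtime exception rather than a client error. I would add it to `register`'s `throws` clause and Javadoc and add a matching `catch` in `RegistrationFilter`. The second Javadoc sentence is a fragment; `For example, the credentials did not meet the minimum requirements.` reads better.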
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorized-users/src/main/java/org/apache/nifi/authorized/users/AuthorizedUsers.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorized-users/src/main/java/org/apache/nifi/authorized/users/AuthorizedUsers.java @@ -123,6 +123,12 @@ public final class AuthorizedUsers { return authorizedUsers; } + /** + * Gets the user identity. + * + * @param user The user + * @return The user identity + */ public String getUserIdentity(final NiFiUser user) { if (User.class.isAssignableFrom(user.getClass())) { return ((User) user).getDn(); @@ -131,6 +137,11 @@ public final class AuthorizedUsers { } } + /** + * Gets all users from configured file. + * + * @return The Users + */ public synchronized Users getUsers() { try { // ensure the directory exists and it can be created @@ -152,6 +163,12 @@ public final class AuthorizedUsers { } } + /** + * Determines if a user exists through the specified HasUser. + * + * @param finder The finder + * @return Whether the user exists + */ public synchronized boolean hasUser(final HasUser finder) { // load the users final Users users = getUsers(); @@ -165,6 +182,13 @@ public final class AuthorizedUsers { return finder.hasUser(nifiUsers); } + /** + * Gets the desired user. + * + * @param finder The finder + * @return The NiFiUser + * @throws UnknownIdentityException If the desired user could not be found + */ public synchronized NiFiUser getUser(final FindUser finder) { // load the users final Users users = getUsers(); @@ -178,6 +202,13 @@ public final class AuthorizedUsers { return finder.findUser(nifiUsers); } + /** + * Gets the desired users. + * + * @param finder The finder + * @return The NiFiUsers + * @throws UnknownIdentityException If the users could not be found + */ public synchronized List<NiFiUser> getUsers(final FindUsers finder) { // load the users final Users users = getUsers(); 
@@ -191,6 +222,11 @@ public final class AuthorizedUsers { return finder.findUsers(nifiUsers); } + /** + * Creates the user via the specified CreateUser. + * + * @param creator The creator + */ public synchronized void createUser(final CreateUser creator) { // add the user final Users users = getUsers(); @@ -207,6 +243,13 @@ public final class AuthorizedUsers { saveUsers(users); } + /** + * Creates or Updates a user identified by the finder. If the user exists, it's updated otherwise it's created. + * + * @param finder The finder + * @param creator The creator + * @param updater The updater + */ public synchronized void createOrUpdateUser(final FindUser finder, final CreateUser creator, final UpdateUser updater) { try { updateUser(finder, updater); @@ -215,6 +258,12 @@ public final class AuthorizedUsers { } } + /** + * Updates the user identified by the finder. + * + * @param finder The finder + * @param updater The updater + */ public synchronized void updateUser(final FindUser finder, final UpdateUser updater) { // update the user final Users users = getUsers(); @@ -234,6 +283,12 @@ public final class AuthorizedUsers { saveUsers(users); } + /** + * Updates the users identified by the finder. + * + * @param finder The finder + * @param updater The updater + */ public synchronized void updateUsers(final FindUsers finder, final UpdateUsers updater) { // update the user final Users users = getUsers(); @@ -252,7 +307,12 @@ public final class AuthorizedUsers { saveUsers(users); } - public synchronized Users removeUser(final FindUser finder) { + /** + * Removes the user identified by the finder. + * + * @param finder The finder + */ + public synchronized void removeUser(final FindUser finder) { // load the users final Users users = getUsers(); 
@@ -271,11 +331,14 @@ public final class AuthorizedUsers { // save the users saveUsers(users); - - return users; } - public synchronized Users removeUsers(final FindUsers finder) { + /** + * Removes the users identified by the finder. + * + * @param finder The finder + */ + public synchronized void removeUsers(final FindUsers finder) { // load the users final Users users = getUsers(); @@ -296,8 +359,6 @@ public final class AuthorizedUsers { // save the users saveUsers(users); - - return users; } private synchronized void saveUsers(final Users users) { http://git-wip-us.apache.org/repos/asf/nifi/blob/3cf3addd/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java index dc4cca8..4848801 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.nifi.authentication.LoginCredentials; import org.apache.nifi.authentication.LoginIdentityProvider; +import org.apache.nifi.authentication.exception.IdentityAccessException; import org.apache.nifi.util.StringUtils; import org.apache.nifi.web.security.ProxiedEntitiesUtils; import org.apache.nifi.web.security.jwt.JwtService; 
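Review bot: `removeUser` and `removeUsers` change from returning `Users` to `void` across the AuthorizedUsers hunks `@@ -252,7 +307,12 @@`, `@@ -271,11 +331,14 @@` and `@@ -296,8 +359,6 @@`, yet no caller is touched in this commit. On a public class this breaks any caller that used the returned value, so it is worth confirming that none exist in other modules. The new Javadoc also omits what happens when the finder matches no user, whereas `getUser` documents `@throws UnknownIdentityException If the desired user could not be found`. Presumably the update and remove methods can throw it too, given that `createOrUpdateUser` wraps `updateUser` in a `try`, but their bodies lie outside the hunks; if so, the same tag belongs on them.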
@@ -38,6 +39,7 @@ import org.apache.nifi.web.security.x509.X509CertificateValidator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException; +import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -139,10 +141,14 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF throw new BadCredentialsException("Login not supported."); } - if (loginIdentityProvider.authenticate(credentials)) { - return new LoginAuthenticationToken(credentials); - } else { - throw new BadCredentialsException("The supplied username and password are not valid."); + try { + if (loginIdentityProvider.authenticate(credentials)) { + return new LoginAuthenticationToken(credentials); + } else { + throw new BadCredentialsException("The supplied username and password are not valid."); + } + } catch (final IdentityAccessException iae) { + throw new AuthenticationServiceException(iae.getMessage(), iae); } } } @@ -196,6 +202,8 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF if (failed instanceof BadCredentialsException || failed instanceof AuthenticationCredentialsNotFoundException) { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + } else if (failed instanceof AuthenticationServiceException) { + response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } else { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); } http://git-wip-us.apache.org/repos/asf/nifi/blob/3cf3addd/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/RegistrationFilter.java ---------------------------------------------------------------------- 
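Review bot: The new `catch` in hunk `@@ -139,10 +141,14 @@` copies `iae.getMessage()` into the `AuthenticationServiceException`, and nothing in the visible lines logs the failure. The provider's message may describe the backing store (host, file path, driver error), and if the failure handler in hunk `@@ -196,6 +202,8 @@` writes the exception message into the response, which is not visible here, that detail reaches an unauthenticated client. I would keep the cause but use a fixed message, e.g. `throw new AuthenticationServiceException("Unable to validate the supplied credentials. Please contact the system administrator.", iae);`, and log `iae` server-side before rethrowing. The same pass-through appears in the `RegistrationFilter` hunk `@@ -79,6 +80,8 @@`. Both method bodies start and end outside these hunks.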
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/RegistrationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/RegistrationFilter.java index 68d7383..ea54127 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/RegistrationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/RegistrationFilter.java @@ -29,6 +29,7 @@ import org.apache.nifi.admin.service.AdministrationException; import org.apache.nifi.admin.service.UserService; import org.apache.nifi.authentication.LoginCredentials; import org.apache.nifi.authentication.LoginIdentityProvider; +import org.apache.nifi.authentication.exception.IdentityAccessException; import org.apache.nifi.authorization.exception.IdentityAlreadyExistsException; import org.apache.nifi.util.StringUtils; import org.apache.nifi.web.security.jwt.JwtService; @@ -79,6 +80,8 @@ public class RegistrationFilter extends AbstractAuthenticationProcessingFilter { loginIdentityProvider.register(credentials); } catch (final IdentityAlreadyExistsException iaee) { // if the identity already exists, try to create the nifi account request + } catch (final IdentityAccessException iae) { + throw new AuthenticationServiceException(iae.getMessage(), iae); } try {
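Review bot: `RegistrationFilter` now throws `AuthenticationServiceException` in hunk `@@ -79,6 +80,8 @@`, but this commit adds neither an import for it in this file nor a status mapping like the `SC_INTERNAL_SERVER_ERROR` branch added to `LoginAuthenticationFilter`. Unless the file already imports the class, the change will not compile. Unless its failure handling already distinguishes this exception, a store outage during registration is reported with whatever status the default path sets. Neither is visible in the hunks, so both should be confirmed. If the filter has its own failure handler, I would mirror the login filter with `} else if (failed instanceof AuthenticationServiceException) { response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);`. The enclosing method continues past the trailing `try {`.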
