http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java
new file mode 100644
index 0000000..aa8a518
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java
@@ -0,0 +1,180 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.integration.util; + +import java.util.EnumSet; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import org.apache.nifi.authorization.Authority; +import org.apache.nifi.authorization.AuthorityProvider; +import org.apache.nifi.authorization.AuthorityProviderConfigurationContext; +import org.apache.nifi.authorization.AuthorityProviderInitializationContext; +import org.apache.nifi.authorization.exception.AuthorityAccessException; +import org.apache.nifi.authorization.exception.ProviderCreationException; +import org.apache.nifi.authorization.exception.UnknownIdentityException; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.authorization.DownloadAuthorization; + +/** + * + */ +public class NiFiTestAuthorizationProvider implements AuthorityProvider { + + private final Map<String, Set<Authority>> users; + + /** + * Creates a new FileAuthorizationProvider. 
+ */ + public NiFiTestAuthorizationProvider() { + users = new HashMap<>(); + users.put("CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US", EnumSet.of(Authority.ROLE_PROXY)); + users.put("CN=Lastname Firstname Middlename monitor, OU=Unknown, OU=Unknown, OU=Unknown, O=Unknown, C=Unknown", EnumSet.of(Authority.ROLE_MONITOR)); + users.put("CN=Lastname Firstname Middlename dfm, OU=Unknown, OU=Unknown, OU=Unknown, O=Unknown, C=Unknown", EnumSet.of(Authority.ROLE_DFM)); + users.put("CN=Lastname Firstname Middlename admin, OU=Unknown, OU=Unknown, OU=Unknown, O=Unknown, C=Unknown", EnumSet.of(Authority.ROLE_ADMIN)); + users.put("user@nifi", EnumSet.of(Authority.ROLE_DFM)); + } + + @Override + public void initialize(AuthorityProviderInitializationContext initializationContext) throws ProviderCreationException { + } + + @Override + public void onConfigured(AuthorityProviderConfigurationContext configurationContext) throws ProviderCreationException { + } + + @Override + public void preDestruction() { + } + + private void checkDn(String dn) throws UnknownIdentityException { + if (!users.containsKey(dn)) { + throw new UnknownIdentityException("Unknown user: " + dn); + } + } + + /** + * Determines if the specified dn is known to this authority provider. + * + * @param dn dn + * @return True if he dn is known, false otherwise + */ + @Override + public boolean doesDnExist(String dn) throws AuthorityAccessException { + try { + checkDn(dn); + return true; + } catch (UnknownIdentityException uie) { + return false; + } + } + + /** + * Loads the authorities for the specified user. + * + * @param dn dn + * @return authorities + * @throws UnknownIdentityException ex + * @throws AuthorityAccessException ex + */ + @Override + public Set<Authority> getAuthorities(String dn) throws UnknownIdentityException, AuthorityAccessException { + checkDn(dn); + return new HashSet<>(users.get(dn)); + } + + /** + * Sets the specified authorities to the specified user. 
+ * + * @param dn dn + * @param authorities authorities + * @throws AuthorityAccessException ex + */ + @Override + public void setAuthorities(String dn, Set<Authority> authorities) throws UnknownIdentityException, AuthorityAccessException { + } + + /** + * Adds the specified user. + * + * @param dn dn + * @param group group + * @throws UnknownIdentityException ex + * @throws AuthorityAccessException ex + */ + @Override + public void addUser(String dn, String group) throws AuthorityAccessException { + } + + /** + * Gets the users for the specified authority. + * + * @param authority authority + * @return users + * @throws AuthorityAccessException ex + */ + @Override + public Set<String> getUsers(Authority authority) throws AuthorityAccessException { + Set<String> usersForAuthority = new HashSet<>(); + for (String dn : users.keySet()) { + if (users.get(dn).contains(authority)) { + usersForAuthority.add(dn); + } + } + return usersForAuthority; + } + + /** + * Removes the specified user. + * + * @param dn dn + * @throws UnknownIdentityException ex + * @throws AuthorityAccessException ex + */ + @Override + public void revokeUser(String dn) throws UnknownIdentityException, AuthorityAccessException { + } + + @Override + public String getGroupForUser(String dn) throws UnknownIdentityException, AuthorityAccessException { + return StringUtils.EMPTY; + } + + @Override + public void revokeGroup(String group) throws UnknownIdentityException, AuthorityAccessException { + } + + @Override + public void setUsersGroup(Set<String> dn, String group) throws UnknownIdentityException, AuthorityAccessException { + } + + @Override + public void ungroupUser(String dn) throws UnknownIdentityException, AuthorityAccessException { + } + + @Override + public void ungroup(String group) throws UnknownIdentityException, AuthorityAccessException { + } + + @Override + public DownloadAuthorization authorizeDownload(List<String> dnChain, Map<String, String> attributes) throws UnknownIdentityException, 
AuthorityAccessException { + return DownloadAuthorization.approved(); + } + +}
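Review bot: The constructor Javadoc still reads `Creates a new FileAuthorizationProvider.` and the class Javadoc is empty; a class comment such as `Test-only AuthorityProvider backed by a fixed in-memory map of identities to roles; the mutating operations (setAuthorities, addUser, revokeUser, group methods) are intentional no-ops.` would spare readers from checking each stub. doesDnExist constructs and catches an UnknownIdentityException just to answer a map lookup; `return users.containsKey(dn);` is equivalent and avoids exception-driven control flow. getUsers iterates users.keySet() and then calls users.get(dn) for every key; iterating users.entrySet() does the same in one lookup per entry.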
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
deleted file mode 100644
index 5795b69..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
+++ /dev/null
@@ -1,56 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.integration.util; - -import org.apache.nifi.authorization.AuthorizationRequest; -import org.apache.nifi.authorization.AuthorizationResult; -import org.apache.nifi.authorization.Authorizer; -import org.apache.nifi.authorization.AuthorizerConfigurationContext; -import org.apache.nifi.authorization.AuthorizerInitializationContext; -import org.apache.nifi.authorization.exception.AuthorizationAccessException; -import org.apache.nifi.authorization.exception.AuthorizerCreationException; - -/** - * - */ -public class NiFiTestAuthorizer implements Authorizer { - - - /** - * Creates a new FileAuthorizationProvider. 
- */ - public NiFiTestAuthorizer() { - } - - @Override - public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException { - } - - @Override - public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException { - } - - @Override - public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { - return AuthorizationResult.approved(); - } - - @Override - public void preDestruction() { - } - -} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java index 967f652..c023ce1 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java @@ -16,6 +16,10 @@ */ package org.apache.nifi.integration.util; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.TimeUnit; +import org.apache.nifi.authorization.exception.ProviderCreationException; import org.apache.nifi.authentication.AuthenticationResponse; import org.apache.nifi.authentication.LoginCredentials; import org.apache.nifi.authentication.LoginIdentityProvider; 
@@ -23,11 +27,6 @@ import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext; import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext; import org.apache.nifi.authentication.exception.IdentityAccessException; import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException; -import org.apache.nifi.authentication.exception.ProviderCreationException; - -import java.util.HashMap; -import java.util.Map; -import java.util.concurrent.TimeUnit; /** * http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider new file mode 100644 index 0000000..dcdc53e --- /dev/null +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider 
@@ -0,0 +1,15 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+org.apache.nifi.integration.util.NiFiTestAuthorizationProvider
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
deleted file mode 100644
index e7d65f4..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
+++ /dev/null
@@ -1,15 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-org.apache.nifi.integration.util.NiFiTestAuthorizer
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
index a3fb088..418f717 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
@@ -19,6 +19,6 @@
 <authorityProviders>
 <provider>
 <identifier>test-provider</identifier>
- <class>org.apache.nifi.integration.util.NiFiTestAuthorizer</class>
+ <class>org.apache.nifi.integration.util.NiFiTestAuthorizationProvider</class>
 </provider>
 </authorityProviders>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
index 7108edb..0520ac8 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
@@ -25,15 +25,19 @@ import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.user.NiFiUser; import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken; import org.apache.nifi.web.security.user.NiFiUserUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.security.authentication.AccountStatusException; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.web.filter.GenericFilterBean; /** 
@@ -61,41 +65,72 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean { } private boolean requiresAuthentication(final HttpServletRequest request) { - return NiFiUserUtils.getNiFiUser() == null; + // continue attempting authorization if the user is anonymous + if (isAnonymousUser()) { + return true; + } + + // or there is no user yet + return NiFiUserUtils.getNiFiUser() == null && NiFiUserUtils.getNewAccountRequest() == null; + } + + private boolean isAnonymousUser() { + final NiFiUser user = NiFiUserUtils.getNiFiUser(); + return user != null && NiFiUser.ANONYMOUS_USER_IDENTITY.equals(user.getIdentity()); } private void authenticate(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException { String dnChain = null; try { - final Authentication authenticationRequest = attemptAuthentication(request); - if (authenticationRequest != null) { + final NiFiAuthorizationRequestToken authenticated = attemptAuthentication(request); + if (authenticated != null) { + dnChain = ProxiedEntitiesUtils.formatProxyDn(StringUtils.join(authenticated.getChain(), "><")); + // log the request attempt - response details will be logged later - log.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", authenticationRequest.toString(), request.getMethod(), + log.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", dnChain, request.getMethod(), request.getRequestURL().toString(), request.getRemoteAddr())); // attempt to authorize the user - final Authentication authenticated = authenticationManager.authenticate(authenticationRequest); - successfulAuthorization(request, response, authenticated); + final Authentication authorized = authenticationManager.authenticate(authenticated); + successfulAuthorization(request, response, authorized); } // continue chain.doFilter(request, response); - } catch (final AuthenticationException ae) { + } catch (final 
InvalidAuthenticationException iae) { // invalid authentication - always error out - unsuccessfulAuthorization(request, response, ae); + unsuccessfulAuthorization(request, response, iae); + } catch (final AuthenticationException ae) { + // other authentication exceptions... if we are already the anonymous user, allow through otherwise error out + if (isAnonymousUser()) { + if (dnChain == null) { + log.info(String.format("Continuing as anonymous user. Unable to authenticate %s: %s", dnChain, ae)); + } else { + log.info(String.format("Continuing as anonymous user. Unable to authenticate: %s", ae)); + } + + chain.doFilter(request, response); + } else { + unsuccessfulAuthorization(request, response, ae); + } } } /** - * Attempt to extract an authentication attempt from the specified request. + * Attempt to authenticate the client making the request. If the request does not contain an authentication attempt, this method should return null. If the request contains an authentication + * request, the implementation should convert it to a NiFiAuthorizationRequestToken (which is used when authorizing the client). Implementations should throw InvalidAuthenticationException when + * the request contains an authentication request but it could not be authenticated. 
* * @param request The request - * @return The authentication attempt or null if none is found int he request + * @return The NiFiAutorizationRequestToken used to later authorized the client + * @throws InvalidAuthenticationException If the request contained an authentication attempt, but could not authenticate */ - public abstract Authentication attemptAuthentication(HttpServletRequest request); + public abstract NiFiAuthorizationRequestToken attemptAuthentication(HttpServletRequest request); protected void successfulAuthorization(HttpServletRequest request, HttpServletResponse response, Authentication authResult) { - log.info("Authentication success for " + authResult); + if (log.isDebugEnabled()) { + log.debug("Authentication success: " + authResult); + } SecurityContextHolder.getContext().setAuthentication(authResult); ProxiedEntitiesUtils.successfulAuthorization(request, response, authResult); @@ -112,9 +147,20 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean { PrintWriter out = response.getWriter(); // use the type of authentication exception to determine the response code - if (ae instanceof InvalidAuthenticationException) { + if (ae instanceof UsernameNotFoundException) { + if (properties.getSupportNewAccountRequests()) { + response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); + out.println("Not authorized."); + } else { + response.setStatus(HttpServletResponse.SC_FORBIDDEN); + out.println("Access is denied."); + } + } else if (ae instanceof InvalidAuthenticationException) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); out.println(ae.getMessage()); + } else if (ae instanceof AccountStatusException) { + response.setStatus(HttpServletResponse.SC_FORBIDDEN); + out.println(ae.getMessage()); } else if (ae instanceof UntrustedProxyException) { response.setStatus(HttpServletResponse.SC_FORBIDDEN); out.println(ae.getMessage()); 
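Review bot: The anonymous-fallback logging in the `catch (final AuthenticationException ae)` branch of authenticate has its condition inverted: when `dnChain == null` it formats dnChain into the message (printing `null`), and when a chain is known it drops it. Swapping to `if (dnChain != null)` makes the line that carries the chain the one that is emitted. This matters because the branch lets a request whose authentication attempt failed with a non-invalid exception continue as the anonymous user, so this info-level line is the only record of which identity chain failed. The Javadoc on attemptAuthentication has `NiFiAutorizationRequestToken` and `used to later authorized the client`, which should read `NiFiAuthorizationRequestToken` and `used to later authorize the client`.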
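Review bot: The new `AccountStatusException` branch writes `ae.getMessage()` to the response body, unlike the `UsernameNotFoundException` branch just above it, which deliberately sends a fixed string. Spring's AccountStatusException subclasses (locked, disabled, expired) carry whatever message the thrower set, so whether this reveals account-state detail to an unauthenticated caller depends on code not in this hunk — either use a fixed message here as well, or confirm the messages are generic. unsuccessfulAuthorization starts and ends outside this hunk.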
@@ -137,6 +183,39 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean { } } + /** + * Determines if the specified request is attempting to register a new user account. + * + * @param request http request + * @return true if new user + */ + protected final boolean isNewAccountRequest(HttpServletRequest request) { + if ("POST".equalsIgnoreCase(request.getMethod())) { + String path = request.getPathInfo(); + if (StringUtils.isNotBlank(path)) { + if ("/controller/users".equals(path)) { + return true; + } + } + } + return false; + } + + /** + * Extracts the justification from the specified request. + * + * @param request The request + * @return The justification + */ + protected final String getJustification(HttpServletRequest request) { + // get the justification + String justification = request.getParameter("justification"); + if (justification == null) { + justification = StringUtils.EMPTY; + } + return justification; + } + @Override public void destroy() { } http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java new file mode 100644 index 0000000..e51a26e --- /dev/null +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java 
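Review bot: The three nested ifs in isNewAccountRequest reduce to a single expression: `return "POST".equalsIgnoreCase(request.getMethod()) && "/controller/users".equals(request.getPathInfo());` — String.equals already yields false for a null or blank path, so the isNotBlank guard adds nothing. getJustification returns the raw `justification` request parameter with no length bound; if it is persisted with the account request (not visible here), the bound should be enforced before storage rather than relying on the caller.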
@@ -0,0 +1,73 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security; + +import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken; +import org.apache.nifi.web.security.token.NewAccountAuthorizationToken; +import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken; +import org.apache.nifi.web.security.token.NiFiAuthorizationToken; +import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UsernameNotFoundException; + +/** + * + */ +public class NiFiAuthenticationProvider implements AuthenticationProvider { + + private final AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> userDetailsService; + + public NiFiAuthenticationProvider(final AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> userDetailsService) { + this.userDetailsService = userDetailsService; + } + + @Override + 
public Authentication authenticate(Authentication authentication) throws AuthenticationException { + final NiFiAuthorizationRequestToken request = (NiFiAuthorizationRequestToken) authentication; + + try { + // defer to the nifi user details service to authorize the user + final UserDetails userDetails = userDetailsService.loadUserDetails(request); + + // build a token for accesing nifi + final NiFiAuthorizationToken result = new NiFiAuthorizationToken(userDetails); + result.setDetails(request.getDetails()); + return result; + } catch (final UsernameNotFoundException unfe) { + // if the authorization request is for a new account and it could not be authorized because the user was not found, + // return the token so the new account could be created. this must go here to ensure that any proxies have been authorized + if (isNewAccountAuthenticationToken(request)) { + return new NewAccountAuthorizationToken(((NewAccountAuthorizationRequestToken) authentication).getNewAccountRequest()); + } else { + throw unfe; + } + } + } + + private boolean isNewAccountAuthenticationToken(final Authentication authentication) { + return NewAccountAuthorizationRequestToken.class.isAssignableFrom(authentication.getClass()); + } + + @Override + public boolean supports(Class<?> authentication) { + return NiFiAuthorizationRequestToken.class.isAssignableFrom(authentication); + } + +} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java ---------------------------------------------------------------------- 
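Review bot: In the UsernameNotFoundException path of authenticate the returned NewAccountAuthorizationToken never receives `request.getDetails()`, whereas the success path calls `result.setDetails(request.getDetails())`; anything downstream that reads the details from the token will see null for new-account requests. `isNewAccountAuthenticationToken` spells `authentication instanceof NewAccountAuthorizationRequestToken` via reflection; the instanceof form is clearer and pairs naturally with the cast that follows it. The class Javadoc is empty — a one-liner such as `AuthenticationProvider that resolves a NiFiAuthorizationRequestToken to a NiFiAuthorizationToken via the user details service, or to a NewAccountAuthorizationToken when the identity is unknown and the request is a new-account request.` would help, and `accesing` in the comment should be `accessing`.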
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java index 19ae0bb..05c5fb8 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java @@ -16,17 +16,20 @@ */ package org.apache.nifi.web.security.anonymous; +import java.util.EnumSet; +import javax.servlet.http.HttpServletRequest; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.admin.service.AdministrationException; import org.apache.nifi.admin.service.UserService; +import org.apache.nifi.authorization.Authority; import org.apache.nifi.user.NiFiUser; -import org.apache.nifi.web.security.token.NiFiAuthenticationToken; import org.apache.nifi.web.security.user.NiFiUserDetails; +import org.apache.nifi.web.security.token.NiFiAuthorizationToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; -import javax.servlet.http.HttpServletRequest; - /** * Custom AnonymouseAuthenticationFilter used to grant additional authorities depending on the current operating mode. */ 
@@ -44,7 +47,35 @@ public class NiFiAnonymousUserFilter extends AnonymousAuthenticationFilter {
 @Override
 protected Authentication createAuthentication(HttpServletRequest request) {
- return new NiFiAuthenticationToken(new NiFiUserDetails(NiFiUser.ANONYMOUS));
+ Authentication authentication = null;
+
+ try {
+ // load the anonymous user from the database
+ NiFiUser user = userService.getUserByDn(NiFiUser.ANONYMOUS_USER_IDENTITY);
+
+ // if this is an unsecure request allow full access
+ if (!request.isSecure()) {
+ user.getAuthorities().addAll(EnumSet.allOf(Authority.class));
+ }
+
+ // only create an authentication token if the anonymous user has some authorities or they are accessing a ui
+ // extension. ui extensions have run this security filter but we shouldn't require authentication/authorization
+ // when accessing static resources like images, js, and css. authentication/authorization is required when
+ // interacting with nifi however and that will be verified in the NiFiWebContext or NiFiWebConfigurationContext
+ if (!user.getAuthorities().isEmpty() || !request.getContextPath().startsWith("/nifi-api")) {
+ NiFiUserDetails userDetails = new NiFiUserDetails(user);
+
+ // get the granted authorities
+ authentication = new NiFiAuthorizationToken(userDetails);
+ }
+ } catch (AdministrationException ase) {
+ // record the issue
+ anonymousUserFilterLogger.warn("Unable to load anonymous user from accounts database: " + ase.getMessage());
+ if (anonymousUserFilterLogger.isDebugEnabled()) {
+ anonymousUserFilterLogger.warn(StringUtils.EMPTY, ase);
+ }
+ }
+ return authentication;
 }
 /* setters */
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java
----------------------------------------------------------------------
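Review bot: The unsecure-request branch of `createAuthentication` widens access by calling `user.getAuthorities().addAll(EnumSet.allOf(Authority.class))` on the very `NiFiUser` that `userService.getUserByDn(...)` handed back; if that object or its authority set is shared or cached rather than a fresh copy per call, a single plaintext request would leave the anonymous user holding every authority for later requests as well. I would apply the grant to a per-request copy of the loaded user instead of mutating it, and add `// getUserByDn must return a detached user: the grant below is for this request only` so the assumption is visible to the next maintainer. `request.isSecure()` is only the servlet container's view of the connection, so with a TLS-terminating reverse proxy in front every request would look unsecure and be fully authorized; the comment should say that NiFi is expected to terminate TLS itself. In the catch block the `isDebugEnabled()` guard wraps a `warn` call, so `anonymousUserFilterLogger.debug(StringUtils.EMPTY, ase);` is what matches the guard, and if `getUserByDn` can return null that case currently surfaces as an NPE rather than the logged warning.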
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java new file mode 100644 index 0000000..dd87cfa --- /dev/null +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java 
@@ -0,0 +1,171 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.authorization; + +import java.util.ArrayList; +import java.util.List; +import java.util.ListIterator; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.admin.service.AccountDisabledException; +import org.apache.nifi.admin.service.AccountNotFoundException; +import org.apache.nifi.admin.service.AccountPendingException; +import org.apache.nifi.admin.service.AdministrationException; +import org.apache.nifi.admin.service.UserService; +import org.apache.nifi.authorization.Authority; +import org.apache.nifi.user.NiFiUser; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.UntrustedProxyException; +import org.apache.nifi.web.security.user.NiFiUserDetails; +import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.dao.DataAccessException; +import org.springframework.security.authentication.AccountStatusException; +import org.springframework.security.authentication.AuthenticationServiceException; +import org.springframework.security.core.AuthenticationException; +import 
org.springframework.security.core.userdetails.AuthenticationUserDetailsService; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UsernameNotFoundException; + +/** + * UserDetailsService that will verify user identity and grant user authorities. + */ +public class NiFiAuthorizationService implements AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> { + + private static final Logger logger = LoggerFactory.getLogger(NiFiAuthorizationService.class); + + private UserService userService; + private NiFiProperties properties; + + /** + * Loads the user details for the specified dn. + * + * Synchronizing because we want each request to be authorized atomically since each may contain any number of DNs. We wanted an access decision made for each individual request as a whole + * (without other request potentially impacting it). + * + * @param request request + * @return user details + * @throws UsernameNotFoundException ex + * @throws org.springframework.dao.DataAccessException ex + */ + @Override + public synchronized UserDetails loadUserDetails(NiFiAuthorizationRequestToken request) throws UsernameNotFoundException, DataAccessException { + NiFiUserDetails userDetails = null; + final List<String> chain = new ArrayList<>(request.getChain()); + + // ensure valid input + if (chain.isEmpty()) { + logger.warn("Malformed proxy chain: " + StringUtils.join(request.getChain())); + throw new UntrustedProxyException("Malformed proxy chain."); + } + + NiFiUser proxy = null; + + // process each part of the proxy chain + for (final ListIterator<String> chainIter = request.getChain().listIterator(chain.size()); chainIter.hasPrevious();) { + final String dn = chainIter.previous(); + + // if there is another dn after this one, this dn is a proxy for the request + if (chainIter.hasPrevious()) { + try { + // get the user details for the proxy + final NiFiUserDetails proxyDetails = getNiFiUserDetails(dn); + 
final NiFiUser user = proxyDetails.getNiFiUser(); + + // verify the proxy has the appropriate role + if (!user.getAuthorities().contains(Authority.ROLE_PROXY)) { + logger.warn(String.format("Proxy '%s' must have '%s' authority. Current authorities: %s", dn, Authority.ROLE_PROXY.toString(), StringUtils.join(user.getAuthorities(), ", "))); + throw new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", dn, Authority.ROLE_PROXY.toString())); + } + + // if we've already encountered a proxy, update the chain + if (proxy != null) { + user.setChain(proxy); + } + + // record this user as the proxy for the next user in the chain + proxy = user; + } catch (UsernameNotFoundException unfe) { + // if this proxy is a new user, conditionally create a new account automatically + if (properties.getSupportNewAccountRequests()) { + try { + logger.warn(String.format("Automatic account request generated for unknown proxy: %s", dn)); + + // attempt to create a new user account for the proxying client + userService.createPendingUserAccount(dn, "Automatic account request generated for unknown proxy."); + } catch (AdministrationException ae) { + throw new AuthenticationServiceException(String.format("Unable to create an account request for '%s': %s", dn, ae.getMessage()), ae); + } catch (IllegalArgumentException iae) { + // check then modified... 
account didn't exist when getting the user details but did when + // attempting to auto create the user account request + final String message = String.format("Account request was already submitted for '%s'", dn); + logger.warn(message); + throw new AccountStatusException(message) { + }; + } + } + + logger.warn(String.format("Untrusted proxy '%s' must be authorized with '%s' authority: %s", dn, Authority.ROLE_PROXY.toString(), unfe.getMessage())); + throw new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", dn, Authority.ROLE_PROXY.toString())); + } catch (AuthenticationException ae) { + logger.warn(String.format("Untrusted proxy '%s' must be authorized with '%s' authority: %s", dn, Authority.ROLE_PROXY.toString(), ae.getMessage())); + throw new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", dn, Authority.ROLE_PROXY.toString())); + } + } else { + userDetails = getNiFiUserDetails(dn); + + // if we've already encountered a proxy, update the chain + if (proxy != null) { + final NiFiUser user = userDetails.getNiFiUser(); + user.setChain(proxy); + } + } + } + + return userDetails; + } + + /** + * Loads the user details for the specified dn. 
+ * + * @param dn user dn + * @return user detail + */ + private NiFiUserDetails getNiFiUserDetails(String dn) { + try { + NiFiUser user = userService.checkAuthorization(dn); + return new NiFiUserDetails(user); + } catch (AdministrationException ase) { + throw new AuthenticationServiceException(String.format("An error occurred while accessing the user credentials for '%s': %s", dn, ase.getMessage()), ase); + } catch (AccountDisabledException | AccountPendingException e) { + throw new AccountStatusException(e.getMessage(), e) { + }; + } catch (AccountNotFoundException anfe) { + throw new UsernameNotFoundException(anfe.getMessage()); + } + } + + /* setters */ + public void setUserService(UserService userService) { + this.userService = userService; + } + + public void setProperties(NiFiProperties properties) { + this.properties = properties; + } + +} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java index 4f7383e..bd468e4 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java 
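Review bot: In the proxy branch of `loadUserDetails`, the final `catch (AuthenticationException ae)` also catches the `AccountStatusException` that `getNiFiUserDetails` raises for a disabled or pending proxy account and re-reports it as `Untrusted proxy '%s' must be authorized with 'ROLE_PROXY'`, with the original exception neither chained nor logged beyond its message, so neither the log nor the client can tell a missing role from a disabled account. A separate catch for `AccountStatusException` with its own message (and the cause attached where the exception type allows it) keeps the audit trail honest; in the same spirit `getNiFiUserDetails` should use `throw new UsernameNotFoundException(anfe.getMessage(), anfe);` rather than dropping `anfe`. The Javadoc presents `synchronized` as making each request's authorization atomic, but the monitor is this object's own and only serializes callers of this method; changes made through `userService` from other paths are not excluded, which the `IllegalArgumentException` check-then-act handler already acknowledges, so the comment should describe the lock as serializing authorization requests rather than claiming atomicity over the account store.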
@@ -16,13 +16,18 @@ */ package org.apache.nifi.web.security.jwt; +import io.jsonwebtoken.JwtException; import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.web.security.InvalidAuthenticationException; import org.apache.nifi.web.security.NiFiAuthenticationFilter; +import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken; +import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken; +import org.apache.nifi.web.security.user.NewAccountRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.security.core.Authentication; import javax.servlet.http.HttpServletRequest; +import java.util.Arrays; /** */ @@ -31,11 +36,12 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter { private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class); public static final String AUTHORIZATION = "Authorization"; - public static final String BEARER = "Bearer "; + + private JwtService jwtService; @Override - public Authentication attemptAuthentication(final HttpServletRequest request) { - // only support jwt login when running securely + public NiFiAuthorizationRequestToken attemptAuthentication(final HttpServletRequest request) { + // only suppport jwt login when running securely if (!request.isSecure()) { return null; } 
@@ -46,12 +52,28 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
 final String authorization = request.getHeader(AUTHORIZATION);
 // if there is no authorization header, we don't know the user
- if (authorization == null || !StringUtils.startsWith(authorization, BEARER)) {
+ if (authorization == null || !StringUtils.startsWith(authorization, "Bearer ")) {
 return null;
 } else {
 // Extract the Base64 encoded token from the Authorization header
 final String token = StringUtils.substringAfterLast(authorization, " ");
- return new JwtAuthenticationRequestToken(token);
+
+ try {
+ final String jwtPrincipal = jwtService.getAuthenticationFromToken(token);
+
+ if (isNewAccountRequest(request)) {
+ return new NewAccountAuthorizationRequestToken(new NewAccountRequest(Arrays.asList(jwtPrincipal), getJustification(request)));
+ } else {
+ return new NiFiAuthorizationRequestToken(Arrays.asList(jwtPrincipal));
+ }
+ } catch (JwtException e) {
+ throw new InvalidAuthenticationException(e.getMessage(), e);
+ }
 }
 }
+
+ public void setJwtService(JwtService jwtService) {
+ this.jwtService = jwtService;
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java
deleted file mode 100644
index 289cc87..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java
+++ /dev/null
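Review bot: The token is taken with `StringUtils.substringAfterLast(authorization, " ")`, which returns whatever follows the last space rather than what follows the `Bearer ` prefix checked on the line above, so `Bearer a b` is accepted with `b` as the token and a header with trailing whitespace yields an empty token; `final String token = authorization.substring("Bearer ".length());` ties the extraction to the prefix that was actually validated. `throw new InvalidAuthenticationException(e.getMessage(), e)` forwards the JJWT parser's message verbatim; if that message is rendered into the HTTP response (its handling is outside this hunk), a fixed client-facing message with the detail kept in the log is the usual choice. The `startsWith` check is case-sensitive, whereas RFC 6750 treats the scheme name as case-insensitive, so a client sending `bearer ...` is silently ignored and falls through to the other filters; worth a comment if that strictness is intentional.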
@@ -1,56 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.web.security.jwt; - -import io.jsonwebtoken.JwtException; -import org.apache.nifi.user.NiFiUser; -import org.apache.nifi.web.security.InvalidAuthenticationException; -import org.apache.nifi.web.security.token.NiFiAuthenticationToken; -import org.apache.nifi.web.security.user.NiFiUserDetails; -import org.springframework.security.authentication.AuthenticationProvider; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; - -/** - * - */ -public class JwtAuthenticationProvider implements AuthenticationProvider { - - private final JwtService jwtService; - - public JwtAuthenticationProvider(JwtService jwtService) { - this.jwtService = jwtService; - } - - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - final JwtAuthenticationRequestToken request = (JwtAuthenticationRequestToken) authentication; - - try { - final String jwtPrincipal = jwtService.getAuthenticationFromToken(request.getToken()); - final NiFiUser user = new NiFiUser(jwtPrincipal); - return new NiFiAuthenticationToken(new 
NiFiUserDetails(user)); - } catch (JwtException e) { - throw new InvalidAuthenticationException(e.getMessage(), e); - } - } - - @Override - public boolean supports(Class<?> authentication) { - return JwtAuthenticationRequestToken.class.isAssignableFrom(authentication); - } -} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java deleted file mode 100644 index 0be30bf..0000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java +++ /dev/null 
@@ -1,58 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.web.security.jwt; - -import org.springframework.security.authentication.AbstractAuthenticationToken; - -/** - * This is an authentication request with a given JWT token. - */ -public class JwtAuthenticationRequestToken extends AbstractAuthenticationToken { - - private final String token; - - /** - * Creates a representation of the jwt authentication request for a user. - * - * @param token The unique token for this user - */ - public JwtAuthenticationRequestToken(final String token) { - super(null); - setAuthenticated(false); - this.token = token; - } - - @Override - public Object getCredentials() { - return null; - } - - @Override - public Object getPrincipal() { - return token; - } - - public String getToken() { - return token; - } - - @Override - public String toString() { - return getName(); - } - -} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java new file mode 100644 index 0000000..8b834a1 --- /dev/null +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java 
@@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.kerberos; + +import org.apache.nifi.util.NiFiProperties; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.core.io.FileSystemResource; +import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider; +import org.springframework.security.kerberos.authentication.KerberosTicketValidator; +import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator; + +public class KerberosServiceFactoryBean implements FactoryBean<KerberosService> { + + private KerberosService kerberosService = null; + private NiFiProperties properties = null; + + @Override + public KerberosService getObject() throws Exception { + if (kerberosService == null && properties.isKerberosServiceSupportEnabled()) { + kerberosService = new KerberosService(); + kerberosService.setKerberosServiceAuthenticationProvider(createKerberosServiceAuthenticationProvider()); + } + + return kerberosService; + } + + @Override + public Class<?> getObjectType() { + return KerberosService.class; + } + + @Override + public boolean isSingleton() { + return true; + } + + public 
void setProperties(NiFiProperties properties) { + this.properties = properties; + } + + private KerberosServiceAuthenticationProvider createKerberosServiceAuthenticationProvider() throws Exception { + KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = new KerberosServiceAuthenticationProvider(); + kerberosServiceAuthenticationProvider.setTicketValidator(createTicketValidator()); + kerberosServiceAuthenticationProvider.setUserDetailsService(createAlternateKerberosUserDetailsService()); + kerberosServiceAuthenticationProvider.afterPropertiesSet(); + return kerberosServiceAuthenticationProvider; + } + + private AlternateKerberosUserDetailsService createAlternateKerberosUserDetailsService() { + return new AlternateKerberosUserDetailsService(); + } + + private KerberosTicketValidator createTicketValidator() throws Exception { + SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator(); + ticketValidator.setServicePrincipal(properties.getKerberosServicePrincipal()); + ticketValidator.setKeyTabLocation(new FileSystemResource(properties.getKerberosKeytabLocation())); + ticketValidator.afterPropertiesSet(); + return ticketValidator; + } +} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java index 03e1400..a3e6c3c 100644 
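Review bot: `getObject()` returns `null` whenever `properties.isKerberosServiceSupportEnabled()` is false and nothing on the class says so; how Spring treats a null from a singleton `FactoryBean` varies by version, and every consumer injecting `KerberosService` has to null-check, so a Javadoc on `getObject` such as `Returns null when Kerberos service support is disabled in nifi.properties; callers must treat a null KerberosService as "not configured".` is needed. `createTicketValidator` wraps `properties.getKerberosKeytabLocation()` in a `FileSystemResource` without checking that the property is set or that the file exists and is readable by the NiFi process, so a misconfigured keytab surfaces only through whatever `SunJaasKerberosTicketValidator.afterPropertiesSet()` reports; an explicit existence/readability check with a pointed message before wiring it would shorten the diagnosis, assuming the validator does not already perform one. The lazy initialization in `getObject` is unsynchronized, which is fine only because `isSingleton()` is true and the container calls it once; that reasoning deserves a one-line comment.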
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java
@@ -30,7 +30,7 @@ import org.apache.nifi.authentication.AuthenticationResponse;
 import org.apache.nifi.web.security.user.NiFiUserDetails;
 import org.apache.nifi.user.NiFiUser;
 import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
+import org.apache.nifi.web.security.token.NiFiAuthorizationToken;
 import org.apache.nifi.web.security.x509.X509CertificateExtractor;
 import org.apache.nifi.web.security.x509.X509IdentityProvider;
 import org.apache.nifi.web.util.WebUtils;
@@ -96,7 +96,7 @@ public class NodeAuthorizedUserFilter extends GenericFilterBean {
 httpServletRequest.getRequestURL().toString(), request.getRemoteAddr()));
 // create the authorized nifi token
- final NiFiAuthenticationToken token = new NiFiAuthenticationToken(userDetails);
+ final NiFiAuthorizationToken token = new NiFiAuthorizationToken(userDetails);
 SecurityContextHolder.getContext().setAuthentication(token);
 }
 }
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
index 5f5a3cd..7cf3eeb 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java @@ -16,12 +16,14 @@ */ package org.apache.nifi.web.security.otp; +import org.apache.nifi.web.security.InvalidAuthenticationException; import org.apache.nifi.web.security.NiFiAuthenticationFilter; +import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.security.core.Authentication; import javax.servlet.http.HttpServletRequest; +import java.util.Arrays; import java.util.regex.Pattern; /** @@ -39,8 +41,10 @@ public class OtpAuthenticationFilter extends NiFiAuthenticationFilter { protected static final String ACCESS_TOKEN = "access_token"; + private OtpService otpService; + @Override - public Authentication attemptAuthentication(final HttpServletRequest request) { + public NiFiAuthorizationRequestToken attemptAuthentication(final HttpServletRequest request) { // only support otp login when running securely if (!request.isSecure()) { return null; 
@@ -53,18 +57,27 @@ public class OtpAuthenticationFilter extends NiFiAuthenticationFilter {
 if (accessToken == null) {
 return null;
 } else {
- if (request.getContextPath().equals("/nifi-api")) {
- if (isDownloadRequest(request.getPathInfo())) {
- // handle download requests
- return new OtpAuthenticationRequestToken(accessToken, true);
+ try {
+ String identity = null;
+ if (request.getContextPath().equals("/nifi-api")) {
+ if (isDownloadRequest(request.getPathInfo())) {
+ // handle download requests
+ identity = otpService.getAuthenticationFromDownloadToken(accessToken);
+ }
+ } else {
+ // handle requests to other context paths (other UI extensions)
+ identity = otpService.getAuthenticationFromUiExtensionToken(accessToken);
 }
- } else {
- // handle requests to other context paths (other UI extensions)
- return new OtpAuthenticationRequestToken(accessToken, false);
- }
- // the path is a support path for otp tokens
- return null;
+ // the path is a support path for otp tokens
+ if (identity == null) {
+ return null;
+ }
+
+ return new NiFiAuthorizationRequestToken(Arrays.asList(identity));
+ } catch (final OtpAuthenticationException oae) {
+ throw new InvalidAuthenticationException(oae.getMessage(), oae);
+ }
 }
 }
@@ -72,4 +85,8 @@ public class OtpAuthenticationFilter extends NiFiAuthenticationFilter {
 return PROVENANCE_DOWNLOAD_PATTERN.matcher(pathInfo).matches() || QUEUE_DOWNLOAD_PATTERN.matcher(pathInfo).matches() || TEMPLATE_DOWNLOAD_PATTERN.matcher(pathInfo).matches();
 }
+ public void setOtpService(OtpService otpService) {
+ this.otpService = otpService;
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java
----------------------------------------------------------------------
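Review bot: The kind of OTP consulted is chosen from the request path rather than from the token: anything outside `/nifi-api` goes to `getAuthenticationFromUiExtensionToken`, and only download paths under `/nifi-api` reach `getAuthenticationFromDownloadToken`, so a download token replayed against a UI extension (or the reverse) is rejected only if `OtpService` keeps the two token kinds in disjoint stores; that dependency deserves a comment, e.g. `// the path only selects which OtpService store is consulted; download and UI-extension tokens must never validate against each other's store`. `isDownloadRequest(request.getPathInfo())` passes `pathInfo` straight into `Pattern.matcher`, which throws `NullPointerException` when the container reports no path info, turning the intended `return null` fall-through into a server error; a `pathInfo != null &&` guard (or `StringUtils.defaultString(pathInfo)`) avoids it. The token itself appears to arrive as the `access_token` request parameter (read above this hunk), which ends up in access logs, proxy logs and browser history; that is acceptable for single-use, short-lived download tokens, and the Javadoc should state that those properties are what makes it acceptable.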
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java deleted file mode 100644 index 411efc1..0000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.web.security.otp; - -import org.apache.nifi.user.NiFiUser; -import org.apache.nifi.web.security.InvalidAuthenticationException; -import org.apache.nifi.web.security.token.NiFiAuthenticationToken; -import org.apache.nifi.web.security.user.NiFiUserDetails; -import org.springframework.security.authentication.AuthenticationProvider; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; - -/** - * - */ -public class OtpAuthenticationProvider implements AuthenticationProvider { - - private OtpService otpService; - - public OtpAuthenticationProvider(OtpService otpService) { - this.otpService = otpService; - } - - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - final OtpAuthenticationRequestToken request = (OtpAuthenticationRequestToken) authentication; - - try { - final String otpPrincipal; - if (request.isDownloadToken()) { - otpPrincipal = otpService.getAuthenticationFromDownloadToken(request.getToken()); - } else { - otpPrincipal = 
otpService.getAuthenticationFromUiExtensionToken(request.getToken()); - } - final NiFiUser user = new NiFiUser(otpPrincipal); - return new NiFiAuthenticationToken(new NiFiUserDetails(user)); - } catch (OtpAuthenticationException e) { - throw new InvalidAuthenticationException(e.getMessage(), e); - } - } - - @Override - public boolean supports(Class<?> authentication) { - return OtpAuthenticationRequestToken.class.isAssignableFrom(authentication); - } -} http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java deleted file mode 100644 index e5dd6ee..0000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java +++ /dev/null 
@@ -1,64 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-
-/**
- * This is an authentication request with a given OTP token.
- */
-public class OtpAuthenticationRequestToken extends AbstractAuthenticationToken {
-
- private final String token;
- private final boolean isDownloadToken;
-
- /**
- * Creates a representation of the otp authentication request for a user.
- *
- * @param token The unique token for this user
- */
- public OtpAuthenticationRequestToken(final String token, final boolean isDownloadToken) {
- super(null);
- setAuthenticated(false);
- this.token = token;
- this.isDownloadToken = isDownloadToken;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
-
- @Override
- public Object getPrincipal() {
- return token;
- }
-
- public String getToken() {
- return token;
- }
-
- public boolean isDownloadToken() {
- return isDownloadToken;
- }
-
- @Override
- public String toString() {
- return getName();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
deleted file mode 100644
index bbe15d1..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.spring;
-
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.kerberos.AlternateKerberosUserDetailsService;
-import org.apache.nifi.web.security.kerberos.KerberosService;
-import org.springframework.beans.factory.FactoryBean;
-import org.springframework.core.io.FileSystemResource;
-import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
-import org.springframework.security.kerberos.authentication.KerberosTicketValidator;
-import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
-
-public class KerberosServiceFactoryBean implements FactoryBean<KerberosService> {
-
- private KerberosService kerberosService = null;
- private NiFiProperties properties = null;
-
- @Override
- public KerberosService getObject() throws Exception {
- if (kerberosService == null && properties.isKerberosServiceSupportEnabled()) {
- kerberosService = new KerberosService();
- kerberosService.setKerberosServiceAuthenticationProvider(createKerberosServiceAuthenticationProvider());
- }
-
- return kerberosService;
- }
-
- @Override
- public Class<?> getObjectType() {
- return KerberosService.class;
- }
-
- @Override
- public boolean isSingleton() {
- return true;
- }
-
- public void setProperties(NiFiProperties properties) {
- this.properties = properties;
- }
-
- private KerberosServiceAuthenticationProvider createKerberosServiceAuthenticationProvider() throws Exception {
- KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = new KerberosServiceAuthenticationProvider();
- kerberosServiceAuthenticationProvider.setTicketValidator(createTicketValidator());
- kerberosServiceAuthenticationProvider.setUserDetailsService(createAlternateKerberosUserDetailsService());
- kerberosServiceAuthenticationProvider.afterPropertiesSet();
- return kerberosServiceAuthenticationProvider;
- }
-
- private AlternateKerberosUserDetailsService createAlternateKerberosUserDetailsService() {
- return new AlternateKerberosUserDetailsService();
- }
-
- private KerberosTicketValidator createTicketValidator() throws Exception {
- SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
- ticketValidator.setServicePrincipal(properties.getKerberosServicePrincipal());
- ticketValidator.setKeyTabLocation(new FileSystemResource(properties.getKerberosKeytabLocation()));
- ticketValidator.afterPropertiesSet();
- return ticketValidator;
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
index 2ee187a..92a27ae 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
@@ -16,6 +16,21 @@
 */
 package org.apache.nifi.web.security.spring;
+import java.io.File;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.Map;
+import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authentication.AuthenticationResponse;
 import org.apache.nifi.authentication.LoginCredentials;
@@ -24,11 +39,11 @@ import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
 import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext;
 import org.apache.nifi.authentication.LoginIdentityProviderLookup;
 import org.apache.nifi.authentication.annotation.LoginIdentityProviderContext;
-import org.apache.nifi.authentication.exception.ProviderCreationException;
-import org.apache.nifi.authentication.exception.ProviderDestructionException;
 import org.apache.nifi.authentication.generated.LoginIdentityProviders;
 import org.apache.nifi.authentication.generated.Property;
 import org.apache.nifi.authentication.generated.Provider;
+import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authorization.exception.ProviderDestructionException;
 import org.apache.nifi.nar.ExtensionManager;
 import org.apache.nifi.nar.NarCloseable;
 import org.apache.nifi.util.NiFiProperties;
@@ -38,22 +53,6 @@ import org.springframework.beans.factory.DisposableBean;
 import org.springframework.beans.factory.FactoryBean;
 import org.xml.sax.SAXException;
-import javax.xml.XMLConstants;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
-import java.io.File;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.util.HashMap;
-import java.util.Map;
-
 /**
 *
 */
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java
new file mode 100644
index 0000000..693d420
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.token;
+
+import org.apache.nifi.web.security.user.NewAccountRequest;
+
+/**
+ * An authentication token that is used as an authorization request when submitting a new account.
+ */
+public class NewAccountAuthorizationRequestToken extends NiFiAuthorizationRequestToken {
+
+ final NewAccountRequest newAccountRequest;
+
+ public NewAccountAuthorizationRequestToken(final NewAccountRequest newAccountRequest) {
+ super(newAccountRequest.getChain());
+ this.newAccountRequest = newAccountRequest;
+ }
+
+ public String getJustification() {
+ return newAccountRequest.getJustification();
+ }
+
+ public NewAccountRequest getNewAccountRequest() {
+ return newAccountRequest;
+ }
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java
----------------------------------------------------------------------
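Review bot: The constructor dereferences `newAccountRequest.getChain()` inside the `super(...)` call before anything else runs, so a null request surfaces as a bare NullPointerException from the superclass call rather than an error naming the missing argument; `super(Objects.requireNonNull(newAccountRequest, "newAccountRequest").getChain());` makes the precondition explicit (`java.util.Objects` would need importing). The `newAccountRequest` field is declared package-private `final`; nothing in the hunk needs that visibility and `getNewAccountRequest()` already exposes the value, so `private final NewAccountRequest newAccountRequest;` is the safer default. The class Javadoc could also state that, like its parent NiFiAuthorizationRequestToken, this token is never in an authenticated state — the constructor does not set it and the inherited `setAuthenticated` throws — so consumers know it carries only the request chain and justification.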
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java
new file mode 100644
index 0000000..de0fde6
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.token;
+
+import org.apache.nifi.web.security.user.NewAccountRequest;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+/**
+ * This is an Authentication Token for a user that has been authenticated but is not authorized to access the NiFi APIs. Typically, this authentication token is used successfully when requesting a
+ * NiFi account. Requesting any other endpoint would be rejected due to lack of roles.
+ */
+public class NewAccountAuthorizationToken extends AbstractAuthenticationToken {
+
+ final NewAccountRequest newAccountRequest;
+
+ public NewAccountAuthorizationToken(final NewAccountRequest newAccountRequest) {
+ super(null);
+ super.setAuthenticated(true);
+ this.newAccountRequest = newAccountRequest;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return newAccountRequest;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
deleted file mode 100644
index f7964f5..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
+++ /dev/null
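Review bot: `super.setAuthenticated(true)` marks this token authenticated, yet `setAuthenticated` is left public and overridable, so the state can be changed by any later caller; NiFiAuthorizationRequestToken in this same commit pins it with a `final` override that throws, and this class should match: `@Override public final void setAuthenticated(boolean authenticated) { throw new IllegalArgumentException("Cannot change the authenticated state."); }`. The Javadoc's guarantee that other endpoints are rejected "due to lack of roles" rests entirely on `super(null)` yielding no granted authorities, which deserves a why-comment on that line such as `// no authorities on purpose: this token must only pass the account-request endpoint`. As in NewAccountAuthorizationRequestToken, `newAccountRequest` should be `private final`, and the constructor stores it without a null check even though `getPrincipal()` returns it directly; whether NewAccountRequest is itself immutable is not visible here and is worth confirming, since the principal is handed out as-is.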
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.token;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.userdetails.UserDetails;
-
-/**
- * An authentication token that represents an Authenticated and Authorized user of the NiFi Apis. The authorities are based off the specified UserDetails.
- */
-public class NiFiAuthenticationToken extends AbstractAuthenticationToken {
-
- final UserDetails nifiUserDetails;
-
- public NiFiAuthenticationToken(final UserDetails nifiUserDetails) {
- super(nifiUserDetails.getAuthorities());
- super.setAuthenticated(true);
- setDetails(nifiUserDetails);
- this.nifiUserDetails = nifiUserDetails;
- }
-
- @Override
- public Object getCredentials() {
- return nifiUserDetails.getPassword();
- }
-
- @Override
- public Object getPrincipal() {
- return nifiUserDetails;
- }
-
- @Override
- public final void setAuthenticated(boolean authenticated) {
- throw new IllegalArgumentException("Cannot change the authenticated state.");
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java
new file mode 100644
index 0000000..c20aaf3
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.token;
+
+import java.util.Collections;
+import java.util.List;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+/**
+ * An authentication token that is used as an authorization request. The request has already been authenticated and is now going to be authorized.
+ * The request chain is specified during creation and is used authorize the user(s).
+ */
+public class NiFiAuthorizationRequestToken extends AbstractAuthenticationToken {
+
+ private final List<String> chain;
+
+ public NiFiAuthorizationRequestToken(final List<String> chain) {
+ super(null);
+ this.chain = chain;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return chain;
+ }
+
+ public List<String> getChain() {
+ return Collections.unmodifiableList(chain);
+ }
+
+ @Override
+ public final void setAuthenticated(boolean authenticated) {
+ throw new IllegalArgumentException("Cannot change the authenticated state.");
+ }
+}
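Review bot: `getChain()` returns an unmodifiable view, but `getPrincipal()` hands out the same `chain` reference unwrapped and the constructor stores the caller's list without copying, so the identity chain this token is authorized on can still be altered through the principal or through the caller's original list after construction. Copying once at construction closes both paths — `this.chain = Collections.unmodifiableList(new ArrayList<>(Objects.requireNonNull(chain, "chain")));` — after which `getChain()` can simply `return chain;` (this adds `java.util.ArrayList` and `java.util.Objects` imports). The same check also reports a null chain at construction with a clear message instead of the NullPointerException that `Collections.unmodifiableList(chain)` would otherwise throw only when `getChain()` is first called. A sentence in the class Javadoc stating that the token is deliberately never authenticated — the constructor leaves the default state and the final `setAuthenticated` throws — and that `chain` must be non-null would document the contract the downstream authorization code relies on; the existing "is used authorize the user(s)" also reads as "is used to authorize the user(s)".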
