Repository: ranger
Updated Branches:
  refs/heads/master 9e8bfb9c2 -> caf373daf


RANGER-1845 - Add support to configure JWT signature algorithms

Signed-off-by: Colm O hEigeartaigh <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/caf373da
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/caf373da
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/caf373da

Branch: refs/heads/master
Commit: caf373daf8cce06c2fad7f6452756708e178cd38
Parents: 9e8bfb9
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Oct 19 14:15:39 2017 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Fri Oct 20 15:19:59 2017 +0100

----------------------------------------------------------------------
 .../filter/RangerSSOAuthenticationFilter.java    | 19 ++++++++++++++++++-
 .../web/filter/SSOAuthenticationProperties.java  |  9 +++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/caf373da/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index 5e4207c..22ba524 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -80,9 +80,17 @@ public class RangerSSOAuthenticationFilter implements Filter 
{
        public static final String JWT_ORIGINAL_URL_QUERY_PARAM = 
"ranger.sso.query.param.originalurl";
        public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
        public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = 
"originalUrl";
+        /**
+     * If specified, this configuration property refers to the signature 
algorithm which a received
+     * token must match. Otherwise, the default value "RS256" is used
+     */
+    public static final String JWT_EXPECTED_SIGALG = 
"ranger.sso.expected.sigalg";
+    public static final String JWT_DEFAULT_SIGALG = "RS256";
+
        public static final String LOCAL_LOGIN_URL = "locallogin";
        public static final String DEFAULT_BROWSER_USERAGENT = 
"ranger.default.browser-useragents";
-        public static final String PROXY_RANGER_URL_PATH = "/ranger";
+    public static final String PROXY_RANGER_URL_PATH = "/ranger";
+
 
        private SSOAuthenticationProperties jwtProperties;
 
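Review bot: The indentation of the new constants is inconsistent with their neighbours: JWT_EXPECTED_SIGALG, JWT_DEFAULT_SIGALG and the re-indented PROXY_RANGER_URL_PATH sit at four spaces while the surrounding declarations (JWT_COOKIE_NAME_DEFAULT, LOCAL_LOGIN_URL, DEFAULT_BROWSER_USERAGENT) render at eight, which looks like a tab/space mix rather than a deliberate choice. The PROXY_RANGER_URL_PATH line is a whitespace-only change unrelated to the feature and adds noise to the blame history; either drop it or reformat the whole constant group in one go so the file has a single indent style. The Javadoc on JWT_EXPECTED_SIGALG could also state that the comparison is an exact string match against the token header's `alg` value, e.g. `* The value is compared verbatim (case-sensitive) with the JWS header "alg" field.`, since that is what the validation code does.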
@@ -438,6 +446,14 @@ public class RangerSSOAuthenticationFilter implements 
Filter {
                                        LOG.warn("Error while validating 
signature", e);
                                }
                        }
+
+                       // Now check that the signature algorithm was as 
expected
+                       if (valid) {
+                         String receivedSigAlg = 
jwtToken.getHeader().getAlgorithm().getName();
+                         if 
(!receivedSigAlg.equals(jwtProperties.getExpectedSigAlg())) {
+                           valid = false;
+                         }
+                       }
                }
                return valid;
        }
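Review bot: The new algorithm check clears `valid` silently: a token whose header `alg` differs from the configured value is rejected with no log line, whereas the signature-verification branch just above logs a warning on failure, so an operator whose tokens are signed with RS512 while ranger.sso.expected.sigalg says RS256 only sees the fall-through and has nothing to explain it. Add `LOG.warn("JWT signature algorithm " + receivedSigAlg + " does not match expected " + jwtProperties.getExpectedSigAlg());` before `valid = false;`. The comparison is also a raw case-sensitive `String.equals` against unnormalised config text, so a lower-case or whitespace-padded property value rejects every token; comparing against the parsed `JWSAlgorithm` (or at least a trimmed value) would be more forgiving. Finally, checking the header algorithm before the signature verification step (not fully visible here) rather than after would reject unexpected algorithms before any cryptographic work is done on untrusted input; the enclosing method and the initialisation of `valid` start outside this hunk.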
@@ -525,6 +541,7 @@ public class RangerSSOAuthenticationFilter implements 
Filter {
             if (audiences != null && !audiences.isEmpty()) {
                 
jwtProperties.setAudiences(Arrays.asList(audiences.split(",")));
             }
+            
jwtProperties.setExpectedSigAlg(PropertiesUtil.getProperty(JWT_EXPECTED_SIGALG, 
JWT_DEFAULT_SIGALG));
                        try {
                                RSAPublicKey publicKey = 
parseRSAPublicKey(publicKeyPath);
                                jwtProperties.setPublicKey(publicKey);
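Review bot: The configured value is stored without trimming or validation, so a stray space or typo in ranger.sso.expected.sigalg (e.g. "RS256 " or "rs256") gives no signal at load time and instead rejects every SSO token later, where the mismatch is not logged either. Consider `jwtProperties.setExpectedSigAlg(PropertiesUtil.getProperty(JWT_EXPECTED_SIGALG, JWT_DEFAULT_SIGALG).trim());` and an info-level log of the effective algorithm alongside the public-key load that follows, so a misconfiguration is visible at startup. Since only an RSA public key is parsed here, it may also be worth warning when the configured algorithm is not an RSA-family name, though whether the verifier used elsewhere would accept other families is not visible in this hunk. The enclosing initialisation method starts and ends outside this hunk.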

http://git-wip-us.apache.org/repos/asf/ranger/blob/caf373da/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
index b8246a9..f9d1a40 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
@@ -31,6 +31,7 @@ public class SSOAuthenticationProperties {
     private String originalUrlQueryParam;
     private String[] userAgentList;
     private List<String> audiences = Collections.emptyList();
+    private String expectedSigAlg;
 
     public String getAuthenticationProviderUrl() {
         return authenticationProviderUrl;
@@ -85,5 +86,13 @@ public class SSOAuthenticationProperties {
     public void setAudiences(List<String> audiences) {
         this.audiences = audiences;
     }
+
+    public String getExpectedSigAlg() {
+        return expectedSigAlg;
+    }
+
+    public void setExpectedSigAlg(String expectedSigAlg) {
+        this.expectedSigAlg = expectedSigAlg;
+    }
 }
 
