pzampino commented on a change in pull request #424:
URL: https://github.com/apache/knox/pull/424#discussion_r601766712



##########
File path: 
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
##########
@@ -93,55 +99,74 @@ public void destroy() {
   @Override
   public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain)
       throws IOException, ServletException {
-    final String wireToken = getWireToken(request);
+    final Pair<TokenType, String> wireToken = getWireToken(request);
 
     if (wireToken != null) {
-      try {
-        JWT token = new JWTToken(wireToken);
-        if (validateToken((HttpServletRequest)request, 
(HttpServletResponse)response, chain, token)) {
-          Subject subject = createSubjectFromToken(token);
-          continueWithEstablishedSecurityContext(subject, 
(HttpServletRequest)request, (HttpServletResponse)response, chain);
+      TokenType tokenType  = wireToken.getLeft();
+      String    tokenValue = wireToken.getRight();
+
+      if (TokenType.JWT.equals(tokenType)) {
+        try {
+          JWT token = new JWTToken(tokenValue);
+          if (validateToken((HttpServletRequest) request, 
(HttpServletResponse) response, chain, token)) {
+            Subject subject = createSubjectFromToken(token);
+            continueWithEstablishedSecurityContext(subject, 
(HttpServletRequest) request, (HttpServletResponse) response, chain);
+          }
+        } catch (ParseException ex) {
+          ((HttpServletResponse) 
response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+      } else if (TokenType.Passcode.equals(tokenType)) {
+        // Validate the token based on the server-managed metadata
+        if (validateToken((HttpServletRequest) request, (HttpServletResponse) 
response, chain, tokenValue)) {
+          Subject subject = createSubjectFromTokenIdentifier(tokenValue);
+          continueWithEstablishedSecurityContext(subject, (HttpServletRequest) 
request, (HttpServletResponse) response, chain);
         }
-      } catch (ParseException ex) {
-        ((HttpServletResponse) 
response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
       }
-    }
-    else {
+    } else {
       // no token provided in header
       ((HttpServletResponse) 
response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
   }
 
-  public String getWireToken(final ServletRequest request) {
+  public Pair<TokenType, String> getWireToken(final ServletRequest request) {
+      Pair<TokenType, String> parsed = null;
       String token = null;
       final String header = 
((HttpServletRequest)request).getHeader("Authorization");
       if (header != null) {
           if (header.startsWith(BEARER)) {
               // what follows the bearer designator should be the JWT token 
being used
-            // to request or as an access token
+              // to request or as an access token
               token = header.substring(BEARER.length());
-          }
-          else if 
(header.toLowerCase(Locale.ROOT).startsWith(BASIC.toLowerCase(Locale.ROOT))) {
-              // what follows the Basic designator should be the JWT token 
being used
-            // to request or as an access token
-              token = this.parseFromHTTPBasicCredentials(token, header);
+              parsed = Pair.of(TokenType.JWT, token);
+          } else if 
(header.toLowerCase(Locale.ROOT).startsWith(BASIC.toLowerCase(Locale.ROOT))) {
+              // what follows the Basic designator should be the JWT token or 
the unique token ID being used
+              // to request or as an access token
+              parsed = parseFromHTTPBasicCredentials(header);
           }
       }
-      if (token == null) {
+
+      if (parsed == null) {
           token = request.getParameter(this.paramName);
+          if (token != null) {
+            parsed = Pair.of(TokenType.JWT, token);
+          }
       }
-      return token;
+
+      return parsed;
   }
 
-  private String parseFromHTTPBasicCredentials(String token, final String 
header) {
+    private Pair<TokenType, String> parseFromHTTPBasicCredentials(final String 
header) {
+      Pair<TokenType, String> parsed = null;
       final String base64Credentials = header.substring(BASIC.length()).trim();
       final byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
       final String credentials = new String(credDecoded, 
StandardCharsets.UTF_8);
       final String[] values = credentials.split(":", 2);
-      if (values[0].equalsIgnoreCase(TOKEN)) {
-          token = values[1];
+      String username = values[0];
+      if (TOKEN.equals(username) || PASSCODE.equals(username)) {
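Review bot: In doFilter, a wireToken whose type is neither JWT nor Passcode takes neither branch, so the method returns without invoking the chain and without sending an error, which leaves an empty success response rather than a rejection; with only the two enum values visible here that may be unreachable today, but a fail-closed `} else { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); }` after the Passcode branch keeps any future TokenType from silently bypassing the 401. Separately, parseFromHTTPBasicCredentials still lets an unauthenticated caller trigger an unhandled runtime exception: `Base64.getDecoder().decode(base64Credentials)` throws IllegalArgumentException on a malformed header, and `credentials.split(":", 2)` yields a single element when the decoded string has no colon, so the `values[1]` read that presumably follows the new username check would throw ArrayIndexOutOfBoundsException. Wrapping the decode in `catch (IllegalArgumentException e) { return null; }` and changing the check to `if (values.length == 2 && (TOKEN.equals(username) || PASSCODE.equals(username))) {` turns both into the normal no-token path, which doFilter already answers with SC_UNAUTHORIZED. The body of parseFromHTTPBasicCredentials continues past the end of the hunk.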

Review comment:
       That's a good point, since usernames are typically case-insensitive. 
I'll change the check and add some tests.



