pzampino commented on a change in pull request #545:
URL: https://github.com/apache/knox/pull/545#discussion_r827007168
##########
File path:
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
##########
@@ -140,15 +139,9 @@ public void doFilter(ServletRequest request,
ServletResponse response,
private String getAccessToken(final String principalName, String
serviceName, long expires) {
String accessToken = null;
- Principal p = new Principal() {
- @Override
- public String getName() {
- return principalName;
- }
- };
JWT token;
try {
- final JWTokenAttributes jwtAttributes = new
JWTokenAttributesBuilder().setPrincipal(p).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
+ final JWTokenAttributes jwtAttributes = new
JWTokenAttributesBuilder().setUserName(principalName).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
Review comment:
Do we not need to still set the principal? Is it done indirectly by
setting the username?
##########
File path:
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
##########
@@ -65,7 +65,7 @@ public void doFilter(ServletRequest request, ServletResponse
response,
principalName = mapper.mapUserPrincipal(principalName);
JWT authCode;
try {
- authCode = authority.issueToken(new
JWTokenAttributesBuilder().setPrincipal(subject).setAlgorithm(signatureAlgorithm).build());
+ authCode = authority.issueToken(new
JWTokenAttributesBuilder().setUserName(principalName).setAlgorithm(signatureAlgorithm).build());
Review comment:
Do we not need to still set the principal? Is it done indirectly by
setting the username?
##########
File path:
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
##########
@@ -672,7 +682,24 @@ private Response getAuthenticationToken() {
.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
JWTokenAuthority ts = services.getService(ServiceType.TOKEN_SERVICE);
- Principal p = request.getUserPrincipal();
+
+ String userName = request.getUserPrincipal().getName();
+ String createdBy = null;
+ // checking the doAs user only makes sense if tokens are managed (this is
where we store the userName information)
+ if (tokenStateService != null) {
+ final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ if (doAsUser != null && !doAsUser.equals(userName)) {
+ try {
+ //this call will authorize the doAs request
+ AuthFilterUtils.getProxyRequest(request, doAsUser);
Review comment:
This is a little confusing since you're not getting a request object
here; You're only leveraging the behavior you happen to know about internally
to do the authorization. It would probably be better to have a separate method
for the authorization, which could be invoked specifically here and also in the
implementation of the getProxyRequest() method.
##########
File path:
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateServiceMessages.java
##########
@@ -246,4 +246,7 @@
@Message(level = MessageLevel.ERROR, text = "An error occurred while
fetching tokens for user {0} from the database : {1}")
void errorFetchingTokensForUserFromDatabase(String userName, String
errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e);
+
+ @Message(level = MessageLevel.ERROR, text = "An error occurred while
fetching 'doAs' tokens for user {0} from the database : {1}")
Review comment:
doAs -> impersonation
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
