smolnar82 commented on a change in pull request #545:
URL: https://github.com/apache/knox/pull/545#discussion_r827708026



##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateServiceMessages.java
##########
@@ -246,4 +246,7 @@
 
   @Message(level = MessageLevel.ERROR, text = "An error occurred while 
fetching tokens for user {0} from the database : {1}")
   void errorFetchingTokensForUserFromDatabase(String userName, String 
errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e);
+
+  @Message(level = MessageLevel.ERROR, text = "An error occurred while 
fetching 'doAs' tokens for user {0} from the database : {1}")

Review comment:
       Ack.

##########
File path: 
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
##########
@@ -140,15 +139,9 @@ public void doFilter(ServletRequest request, 
ServletResponse response,
   private String getAccessToken(final String principalName, String 
serviceName, long expires) {
     String accessToken = null;
 
-    Principal p = new Principal() {
-      @Override
-      public String getName() {
-        return principalName;
-      }
-    };
     JWT token;
     try {
-      final JWTokenAttributes jwtAttributes = new 
JWTokenAttributesBuilder().setPrincipal(p).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
+      final JWTokenAttributes jwtAttributes = new 
JWTokenAttributesBuilder().setUserName(principalName).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();

Review comment:
       It's actually the name of the user principal who creates the token. I 
can rename this variable if you want.
   The change here is that instead of saving the entire `Principal` object we 
only save the principal name as `userName` in the token.

##########
File path: 
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
##########
@@ -672,7 +682,24 @@ private Response getAuthenticationToken() {
         .getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
 
     JWTokenAuthority ts = services.getService(ServiceType.TOKEN_SERVICE);
-    Principal p = request.getUserPrincipal();
+
+    String userName = request.getUserPrincipal().getName();
+    String createdBy = null;
+    // checking the doAs user only makes sense if tokens are managed (this is 
where we store the userName information)
+    if (tokenStateService != null) {
+      final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+      if (doAsUser != null && !doAsUser.equals(userName)) {
+        try {
+          //this call will authorize the doAs request
+          AuthFilterUtils.getProxyRequest(request, doAsUser);

Review comment:
       Ack.

##########
File path: 
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
##########
@@ -65,7 +65,7 @@ public void doFilter(ServletRequest request, ServletResponse 
response,
     principalName = mapper.mapUserPrincipal(principalName);
     JWT authCode;
     try {
-      authCode = authority.issueToken(new 
JWTokenAttributesBuilder().setPrincipal(subject).setAlgorithm(signatureAlgorithm).build());
+      authCode = authority.issueToken(new 
JWTokenAttributesBuilder().setUserName(principalName).setAlgorithm(signatureAlgorithm).build());

Review comment:
       The same as above.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Reply via email to