[ 
https://issues.apache.org/jira/browse/KNOX-2792?focusedWorklogId=803512&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-803512
 ]

ASF GitHub Bot logged work on KNOX-2792:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Aug/22 08:48
            Start Date: 25/Aug/22 08:48
    Worklog Time Spent: 10m 
      Work Description: zeroflag commented on code in PR #625:
URL: https://github.com/apache/knox/pull/625#discussion_r954686408


##########
gateway-service-auth/src/main/java/org/apache/knox/gateway/service/auth/PreAuthResource.java:
##########
@@ -0,0 +1,127 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.auth;
+
+import static javax.ws.rs.core.Response.ok;
+import static javax.ws.rs.core.Response.status;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+import javax.annotation.PostConstruct;
+import javax.security.auth.Subject;
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.security.SubjectUtils;
+
+@Path(PreAuthResource.RESOURCE_PATH)
+public class PreAuthResource {
+  static final String RESOURCE_PATH = "auth/api/v1/pre";
+  private static final AuthMessages LOG = 
MessagesFactory.get(AuthMessages.class);
+  static final String AUTH_ACTOR_ID_HEADER_NAME = 
"preauth.auth.header.actor.id.name";
+  static final String AUTH_ACTOR_GROUPS_HEADER_PREFIX = 
"preauth.auth.header.actor.groups.prefix";
+  static final String GROUP_FILTER_PATTERN = "preauth.group.filter.pattern";
+
+  static final String DEFAULT_AUTH_ACTOR_ID_HEADER_NAME = "X-Knox-Actor-ID";
+  static final String DEFAULT_AUTH_ACTOR_GROUPS_HEADER_PREFIX = 
"X-Knox-Actor-Groups";
+  private static final Pattern DEFAULT_GROUP_FILTER_PATTERN = 
Pattern.compile(".*");
+
+  private static final int MAX_HEADER_LENGTH = 1000;
+  private static final String ACTOR_GROUPS_HEADER_FORMAT = "%s-%d";
+
+  @Context
+  HttpServletResponse response;
+
+  @Context
+  ServletContext context;
+
+  private String authHeaderActorIDName;
+  private String authHeaderActorGroupsPrefix;
+  private Pattern groupFilterPattern;
+
+  @PostConstruct
+  public void init() {
+    authHeaderActorIDName = getInitParameter(AUTH_ACTOR_ID_HEADER_NAME, 
DEFAULT_AUTH_ACTOR_ID_HEADER_NAME);
+    authHeaderActorGroupsPrefix = 
getInitParameter(AUTH_ACTOR_GROUPS_HEADER_PREFIX, 
DEFAULT_AUTH_ACTOR_GROUPS_HEADER_PREFIX);
+    final String groupFilterPatternString = 
context.getInitParameter(GROUP_FILTER_PATTERN);
+    groupFilterPattern = groupFilterPatternString == null ? 
DEFAULT_GROUP_FILTER_PATTERN : Pattern.compile(groupFilterPatternString);
+  }
+
+  private String getInitParameter(String paramName, String defaultValue) {
+    final String initParam = context.getInitParameter(paramName);
+    return initParam == null ? defaultValue : initParam;
+  }
+
+  @GET
+  public Response doGet() {
+    final Subject subject = SubjectUtils.getCurrentSubject();
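
Review bot: In init(), Pattern.compile(groupFilterPatternString) is called on the raw preauth.group.filter.pattern value with nothing around it, so an invalid expression in the configuration surfaces as an unchecked PatternSyntaxException thrown from the @PostConstruct method, with no indication of which parameter caused it. Suggest catching it and reporting the parameter name and offending value through LOG before failing. Failing is the safer choice here, since silently falling back to DEFAULT_GROUP_FILTER_PATTERN (".*") would replace a restrictive filter with one that matches every group name. The pattern is also read with context.getInitParameter directly while the two header names go through the getInitParameter helper; a blank value is not treated as unset in either path, which is worth deciding on explicitly.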

Review Comment:
   According to the javadoc this might return null. Should handle that case 
explicitly?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 803512)
    Time Spent: 20m  (was: 10m)

> New Knox service to add custom auth headers in the response
> -----------------------------------------------------------
>
>                 Key: KNOX-2792
>                 URL: https://issues.apache.org/jira/browse/KNOX-2792
>             Project: Apache Knox
>          Issue Type: Sub-task
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> A simple REST service is needed to perform centralized authentication and 
> authorization of incoming requests. Combined with nginx's external 
> authentication capability it allows for every request to be checked for valid 
> authentication before being forwarded to the upstream service.
> If a valid principal is found, a header is added to the response, by default 
> {{X-Knox-Actor-ID}}, with the principal. In addition, if the authenticated 
> subject has groups, these are added into comma-separated headers of the 
> default form {{X-Knox-Actor-Groups-num}}. Each group header has a character 
> limit of 1000 to keep them reasonably sized. The header names can be 
> customized via configuration properties.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
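
An nginx `auth_request` setup of the kind the issue description refers to, added here as an example (it is not from the Knox project or from PR #625). Host names, ports, certificate paths, the topology name `sandbox`, the `/gateway/<topology>/` URL prefix and group-header numbering starting at 1 are assumptions; only the resource path `auth/api/v1/pre` and the default header names come from the page.

```nginx
# Constructed example: hosts, ports, paths, topology name and group-header
# numbering are assumptions, not values from the Knox PR.
server {
    listen 443 ssl;
    server_name app.example.internal;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;

    location / {
        # Every request triggers a subrequest: 2xx allows it, 401/403 deny it.
        auth_request /_knox_preauth;

        # Capture the identity headers from the pre-auth *response*.
        auth_request_set $knox_actor    $upstream_http_x_knox_actor_id;
        auth_request_set $knox_groups_1 $upstream_http_x_knox_actor_groups_1;
        auth_request_set $knox_groups_2 $upstream_http_x_knox_actor_groups_2;

        # Overwrite whatever the client sent under the same names, so the
        # backend only sees values asserted by Knox. An empty variable makes
        # nginx drop the header instead of forwarding the client's copy.
        proxy_set_header X-Knox-Actor-ID       $knox_actor;
        proxy_set_header X-Knox-Actor-Groups-1 $knox_groups_1;
        proxy_set_header X-Knox-Actor-Groups-2 $knox_groups_2;

        proxy_pass http://127.0.0.1:8080;
    }

    location = /_knox_preauth {
        internal;   # not reachable directly by clients
        proxy_pass https://knox.example.internal:8443/gateway/sandbox/auth/api/v1/pre;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/knox-ca.pem;

        # The auth check needs the request's credentials, not its body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Do not let a client-supplied identity header reach Knox.
        proxy_set_header X-Knox-Actor-ID "";
    }
}
```

Group headers beyond the two listed are neither captured nor overwritten, so the list has to cover as many numbered headers as the deployment can produce.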
