lmccay commented on code in PR #1257:
URL: https://github.com/apache/knox/pull/1257#discussion_r3398984199
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
@@ -1106,14 +1107,30 @@ protected JWT getJWT(String userName, long expires,
String jku) throws TokenServ
jwtAttributesBuilder.setClientId(tokenIdPrincipals.iterator().next().getName());
}
- // RFC 8693 Token Exchange: Add the "act" claim if delegated auth is
enabled and impersonation occurred
- if (enableDelegatedAuth && SubjectUtils.isImpersonating(subject)) {
- String primaryPrincipalName =
SubjectUtils.getPrimaryPrincipalName(subject);
- String impersonatedPrincipalName =
SubjectUtils.getImpersonatedPrincipalName(subject);
- if (primaryPrincipalName != null && impersonatedPrincipalName != null
&& !primaryPrincipalName.equals(impersonatedPrincipalName)) {
- // The primary principal (the one doing the impersonation) becomes
the actor
- jwtAttributesBuilder.setActor(primaryPrincipalName);
- log.addingActorClaimToToken(primaryPrincipalName,
impersonatedPrincipalName);
+ // RFC 8693 Token Exchange: Build the actor chain if delegated auth is
enabled
+ if (enableDelegatedAuth) {
+ // First check if there's an existing actor chain from a previous
token exchange
+ Set<ActorChainPrincipal> actorChainPrincipals =
subject.getPrincipals(ActorChainPrincipal.class);
+ List<Map<String, Object>> existingChain = null;
+ if (!actorChainPrincipals.isEmpty()) {
+ existingChain =
actorChainPrincipals.iterator().next().getActorChain();
+ log.generalInfoMessage("Found existing actor chain with " +
existingChain.size() + " actors");
+ }
+
+ // Check if impersonation is occurring to add a new actor to the chain
+ if (SubjectUtils.isImpersonating(subject)) {
+ String primaryPrincipalName =
SubjectUtils.getPrimaryPrincipalName(subject);
+ String impersonatedPrincipalName =
SubjectUtils.getImpersonatedPrincipalName(subject);
+ if (primaryPrincipalName != null && impersonatedPrincipalName !=
null && !primaryPrincipalName.equals(impersonatedPrincipalName)) {
+ // Build the new actor chain by adding the current actor (primary
principal) to the existing chain
+ List<Map<String, Object>> newActorChain =
TokenUtils.addActorToChain(existingChain, primaryPrincipalName);
+ jwtAttributesBuilder.setActorChain(newActorChain);
+ log.addingActorClaimToToken(primaryPrincipalName,
impersonatedPrincipalName);
+ }
+ } else if (existingChain != null && !existingChain.isEmpty()) {
+ // No new impersonation, but preserve existing actor chain
+ jwtAttributesBuilder.setActorChain(existingChain);
+ log.generalInfoMessage("Preserving existing actor chain without
adding new actor");
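Review bot: The inherited actor chain is dropped rather than preserved when `SubjectUtils.isImpersonating(subject)` is true but the inner name check fails (a null name, or primary equal to impersonated): the `else if` preserve branch only runs when no impersonation is in progress, so in that case the new token silently loses the delegation history it is meant to carry under RFC 8693, and any downstream policy or audit that relies on the chain sees a token with no actors. Emitting the chain from one variable after both paths closes that gap, as sketched below. Separately, `existingChain.size()` is dereferenced immediately after `getActorChain()`; if that accessor can return null (not visible in this hunk), guard it with the same null check the preserve branch already uses. getJWT begins before this hunk and its closing braces lie after it.
```java
      // … unchanged: existingChain lookup from ActorChainPrincipal …
      List<Map<String, Object>> chainToEmit = existingChain;
      if (SubjectUtils.isImpersonating(subject)) {
        // … unchanged: primaryPrincipalName / impersonatedPrincipalName lookup and null/equality check …
          chainToEmit = TokenUtils.addActorToChain(existingChain, primaryPrincipalName);
          log.addingActorClaimToToken(primaryPrincipalName, impersonatedPrincipalName);
        }
      }
      // Preserve an inherited chain even when this exchange adds no new actor
      if (chainToEmit != null && !chainToEmit.isEmpty()) {
        jwtAttributesBuilder.setActorChain(chainToEmit);
      }
```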
Review Comment:
Got it.