Alon Bar-Lev has uploaded a new change for review. Change subject: aaa: filters: add Prefer new-auth option ......................................................................
aaa: filters: add Prefer new-auth option this enforces opening a new http session, this is useful when remote wants to enforce new session and authorization in persist mode. Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1161734 Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1161730 Change-Id: I78e91d9c1994203bd4b278d878b26c843eaad3cf Signed-off-by: Alon Bar-Lev <[email protected]> --- M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionValidationFilter.java M backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/filters/FiltersHelperTest.java 4 files changed, 41 insertions(+), 29 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/88/35188/1
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
index d082349..5c856cf 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
@@ -33,6 +33,9 @@
 public static final String HEADER_ENGINE_AUTH_TOKEN = "OVIRT-INTERNAL-ENGINE-AUTH-TOKEN";
 }
+ public static final int PREFER_NEW_AUTH = (1<<0);
+ public static final int PREFER_PERSISTENCE_AUTH = (1<<1);
+
 private static final String HMAC_ALGO = "HmacSHA1";
 private static SecretKey instanceKey;
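Review bot: The two new flag constants in FiltersHelper are public but undocumented, and the name `PREFER_PERSISTENCE_AUTH` does not match the header token it stands for (`persistent-auth`). A one-line Javadoc on each would tell callers that `getPrefer` returns a bitmask and what each bit means for session handling, for example `/** Set when the Prefer header contains new-auth: an existing HTTP session is discarded before authenticating. */`. Renaming the second constant to `PREFER_PERSISTENT_AUTH` while it is still new would keep the code searchable by the header token.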
@@ -59,7 +62,8 @@
 || request.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY) != null;
 }
- public static boolean isPersistentAuth(HttpServletRequest req) {
+ public static int getPrefer(HttpServletRequest req) {
+ int ret = 0;
 Enumeration<String> headerValues = req.getHeaders(Constants.HEADER_PREFER);
 while (headerValues.hasMoreElements()) {
 String headerValue = headerValues.nextElement();
@@ -67,13 +71,16 @@
 if (headerElements != null) {
 for (HeaderElement headerElement : headerElements) {
 String elementName = headerElement.getName();
+ if ("new-auth".equalsIgnoreCase(elementName)) {
+ ret |= PREFER_NEW_AUTH;
+ }
 if ("persistent-auth".equalsIgnoreCase(elementName)) {
- return true;
+ ret |= PREFER_PERSISTENCE_AUTH;
 }
 }
 }
 }
- return false;
+ return ret;
 }
 private static String hmacString(String s) {
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java
index 6fd1e70..090a95c 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java
@@ -52,8 +52,8 @@
 throw new ServletException("No engine session");
 }
- boolean persistentAuth = FiltersHelper.isPersistentAuth(req);
- if (persistentAuth) {
+ int prefer = FiltersHelper.getPrefer(req);
+ if ((prefer & FiltersHelper.PREFER_PERSISTENCE_AUTH) != 0) {
 HttpSession session = req.getSession(true);
 session.setAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY, engineSessionId);
 try {
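Review bot: `FiltersHelper.getPrefer` sets a flag as soon as the element name matches and never reads the element value, so `new-auth=false` and `persistent-auth=false` both switch the preference on, which the updated FiltersHelperTest asserts. For `persistent-auth` this is inherited from `isPersistentAuth`, and for `new-auth` it errs toward dropping the session, but a public method that drives session handling should say so. It needs a Javadoc stating that the result is a bitmask of `PREFER_NEW_AUTH` and `PREFER_PERSISTENCE_AUTH`, that matching is case-insensitive, and that values and parameters are ignored. The method starts in the previous hunk and the header-parsing line between the two hunks is not visible here.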
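Review bot: In RestApiSessionMgmtFilter the `PREFER_NEW_AUTH` bit is never tested, so for a request carrying both `new-auth` and `persistent-auth` the `req.getSession(true)` call yields a fresh session only if RestApiSessionValidationFilter has already invalidated the old one earlier in the chain. The filter order is not visible in this change; if the feature relies on it, record that above the `if`, e.g. `// new-auth is honoured by RestApiSessionValidationFilter, which must run before this filter`. The test `(prefer & FiltersHelper.PREFER_PERSISTENCE_AUTH) != 0` is repeated in the next hunk of this file, and computing it once as `boolean persistentAuth = (prefer & FiltersHelper.PREFER_PERSISTENCE_AUTH) != 0;` keeps the two checks from drifting apart. The enclosing method starts and ends outside the hunk.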
@@ -70,7 +70,7 @@
 try {
 if (FiltersHelper.isAuthenticated(req)) {
- if (persistentAuth) {
+ if ((prefer & FiltersHelper.PREFER_PERSISTENCE_AUTH) != 0) {
 if (!Boolean.TRUE.equals(request.getAttribute(SessionConstants.REQUEST_ASYNC_KEY))) {
 HttpSession session = req.getSession(false);
 if (session != null) {
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionValidationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionValidationFilter.java
index 8717d8b..61fa48b 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionValidationFilter.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionValidationFilter.java
@@ -21,7 +21,8 @@
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 HttpServletRequest req = (HttpServletRequest) request;
- if (!FiltersHelper.isPersistentAuth(req)) {
+ int prefer = FiltersHelper.getPrefer(req);
+ if ((prefer & FiltersHelper.PREFER_NEW_AUTH) != 0 || (prefer & FiltersHelper.PREFER_PERSISTENCE_AUTH) == 0) {
 HttpSession session = req.getSession(false);
 if (session != null) {
 session.invalidate();
diff --git a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/filters/FiltersHelperTest.java b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/filters/FiltersHelperTest.java
index 583e93d..427e4b4 100644
--- a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/filters/FiltersHelperTest.java
+++ b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/filters/FiltersHelperTest.java
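Review bot: The new condition in RestApiSessionValidationFilter.doFilter is the only place where `new-auth` takes effect, yet nothing in this change tests it, because the one test file touched, FiltersHelperTest, covers header parsing only. A filter-level test that sends `persistent-auth, new-auth` on a request with an existing session and verifies that `invalidate()` is called would pin the behaviour the commit message promises. The line also mixes a `!= 0` and an `== 0` mask test. Naming both parts, `boolean newAuth = (prefer & FiltersHelper.PREFER_NEW_AUTH) != 0;` and a matching `persistentAuth`, and then writing `if (newAuth || !persistentAuth) {` makes the precedence of `new-auth` harder to misread. doFilter continues past the end of the hunk.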
@@ -1,7 +1,6 @@
 package org.ovirt.engine.core.aaa.filters;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -19,18 +18,20 @@
 */
 @Test
 public void testPersistentAuthWithSeveralHeaders() {
- assertTrue(isPersistentAuth("persistent-auth", "x", "y"));
- assertTrue(isPersistentAuth("x", "persistent-auth", "y"));
- assertTrue(isPersistentAuth("x", "y", "persistent-auth"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("persistent-auth", "x", "y"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("x", "persistent-auth", "y"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("x", "y", "persistent-auth"));
 }
 /**
 * Check that the persistent authentication preference is recognized regardless of case.
 */
 @Test
- public void testPersistentAuthIgnoresCase() {
- assertTrue(isPersistentAuth("Persistent-Auth"));
- assertTrue(isPersistentAuth("PERSISTENT-AUTH"));
+ public void testPreferIgnoresCase() {
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("Persistent-Auth"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("PERSISTENT-AUTH"));
+ assertEquals(FiltersHelper.PREFER_NEW_AUTH, getPrefer("new-auth"));
+ assertEquals(FiltersHelper.PREFER_NEW_AUTH, getPrefer("NEW-AUTH"));
 }
 /**
@@ -39,9 +40,9 @@
 */
 @Test
 public void testPersistentAuthOtherPreferencesInSameHeader() {
- assertTrue(isPersistentAuth("persistent-auth, x, y"));
- assertTrue(isPersistentAuth("x, persistent-auth, y"));
- assertTrue(isPersistentAuth("x, y, persistent-auth"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("persistent-auth, x, y"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("x, persistent-auth, y"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("x, y, persistent-auth"));
 }
 /**
@@ -49,10 +50,12 @@
 * ignored).
 */
 @Test
- public void testPersistentAuthWithValue() {
- assertTrue(isPersistentAuth("persistent-auth=false"));
- assertTrue(isPersistentAuth("persistent-auth=true"));
- assertTrue(isPersistentAuth("persistent-auth=junk"));
+ public void testPreferWithValue() {
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("persistent-auth=false"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("persistent-auth=true"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("persistent-auth=junk"));
+ assertEquals(FiltersHelper.PREFER_NEW_AUTH, getPrefer("new-auth=false"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH | FiltersHelper.PREFER_NEW_AUTH, getPrefer("persistent-auth=false, new-auth=false"));
 }
 /**
@@ -60,8 +63,9 @@
 * should be ignored).
 */
 @Test
- public void testPersistentAuthWithParameters() {
- assertTrue(isPersistentAuth("persistent-auth; x=0; y=0"));
+ public void testPreferParameters() {
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH, getPrefer("persistent-auth; x=0; y=0"));
+ assertEquals(FiltersHelper.PREFER_PERSISTENCE_AUTH | FiltersHelper.PREFER_NEW_AUTH, getPrefer("persistent-auth, new-auth; x=0; y=0"));
 }
 /**
@@ -69,9 +73,9 @@
 */
 @Test
 public void testPersistentAuthDisabled() {
- assertFalse(isPersistentAuth());
- assertFalse(isPersistentAuth("x", "y"));
- assertFalse(isPersistentAuth("x", "y"));
+ assertEquals(0, getPrefer());
+ assertEquals(0, getPrefer("x", "y"));
+ assertEquals(0, getPrefer("x", "y"));
 }
 /**
@@ -80,7 +84,7 @@
 *
 * @param values the values of the {@code Prefer} header
 */
- private boolean isPersistentAuth(String... values) {
+ private int getPrefer(String... values) {
 // Create a vector containing the values of the header:
 Vector<String> vector = new Vector<>();
 Collections.addAll(vector, values);
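Review bot: In `testPersistentAuthDisabled` the third assertion, `assertEquals(0, getPrefer("x", "y"));`, repeats the second, so one case is checked twice and another is probably missing (the duplication was already present with `assertFalse`). Replacing it with a distinct negative input, for instance the single-header form `assertEquals(0, getPrefer("x, y"));`, would add coverage. Several tests keep `PersistentAuth` in their names although they now exercise the generic `getPrefer`, and the helper comment in the last hunk still reads `// Call the method that checks for persistent authentication:`. Renaming the tests and updating that comment would keep the test class in step with the renamed method.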
@@ -90,7 +94,7 @@
 when(request.getHeaders(FiltersHelper.Constants.HEADER_PREFER)).thenReturn(vector.elements());
 // Call the method that checks for persistent authentication:
- return FiltersHelper.isPersistentAuth(request);
+ return FiltersHelper.getPrefer(request);
 }
 }
-- To view, visit http://gerrit.ovirt.org/35188 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I78e91d9c1994203bd4b278d878b26c843eaad3cf Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
