Use of org.apache.knox.gateway.security.PrimaryPrincipal in project ranger by apache: class RangerPDPKnoxFilter, method doFilter.
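public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Authorizes the current Knox request against Ranger policies for the topology derived from the
    // request URL. The identity comes from the JAAS Subject established by Knox's authentication
    // filters; the effective user is the impersonated user when one is present, else the primary user.
    // Any request that cannot be authorized is answered with a 403 via sendForbidden (fail closed).
    String sourceUrl = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    String topologyName = getTopologyName(sourceUrl);
    String serviceName = getServiceName();

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG,
                "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
    }

    // Fail closed when there is no authenticated identity. Indexing toArray()[0] on the
    // PrimaryPrincipal set unguarded turned a missing Subject or principal into an exception
    // (a 500) instead of a denial.
    Subject subject = Subject.getSubject(AccessController.getContext());
    Principal primaryPrincipal = null;
    if (subject != null) {
        Set<PrimaryPrincipal> primaries = subject.getPrincipals(PrimaryPrincipal.class);
        if (!primaries.isEmpty()) {
            primaryPrincipal = primaries.iterator().next();
        }
    }
    if (primaryPrincipal == null) {
        LOG.warn("No PrimaryPrincipal in security context for url=" + sourceUrl + "; denying access");
        RangerPerfTracer.log(perf);
        sendForbidden((HttpServletResponse) response);
        return;
    }
    String primaryUser = primaryPrincipal.getName();

    // An ImpersonatedPrincipal (doAs) replaces the primary user as the subject of the policy check.
    String impersonatedUser = null;
    Set<ImpersonatedPrincipal> impersonations = subject.getPrincipals(ImpersonatedPrincipal.class);
    if (!impersonations.isEmpty()) {
        impersonatedUser = impersonations.iterator().next().getName();
    }
    String user = (impersonatedUser != null) ? impersonatedUser : primaryUser;

    Set<String> groups = new HashSet<>();
    for (GroupPrincipal group : subject.getPrincipals(GroupPrincipal.class)) {
        groups.add(group.getName());
    }

    // NOTE(review): getRemoteAddr() is the immediate TCP peer; behind a load balancer or proxy this is
    // the proxy's address, so clientIp-based policy conditions should be read with that in mind.
    String clientIp = request.getRemoteAddr();
    // plugin is null-checked before use below; read the cluster name under the same guard so an
    // uninitialized plugin is denied rather than dereferenced.
    String clusterName = (plugin != null) ? plugin.getClusterName() : null;

    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + user + ", groups: " + groups + ", clientIp: " + clientIp + ", clusterName: " + clusterName);
    }

    RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder()
            .service(serviceName)
            .topology(topologyName)
            .user(user)
            .groups(groups)
            .clientIp(clientIp)
            .clusterName(clusterName)
            .build();

    // Default deny: only an explicit allowed result from the plugin lets the request through.
    boolean accessAllowed = false;
    if (plugin != null) {
        RangerAccessResult result = plugin.isAccessAllowed(accessRequest);
        accessAllowed = result != null && result.getIsAllowed();
    } else {
        LOG.warn("Ranger Knox plugin is not initialized; denying access for user=" + user);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("Access allowed: " + accessAllowed);
    }
    RangerPerfTracer.log(perf);

    if (accessAllowed) {
        chain.doFilter(request, response);
    } else {
        sendForbidden((HttpServletResponse) response);
    }
}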
Use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache: class AccessTokenFederationFilter, method createSubjectFromToken.
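private Subject createSubjectFromToken(JWTToken token) {
    // Builds a read-only Subject whose only principal is the token's principal claim, wrapped as a
    // PrimaryPrincipal. No credentials are carried over from the token.
    final String principal = token.getPrincipal();
    Set<Principal> principals = new HashSet<>();
    principals.add(new PrimaryPrincipal(principal));

    // Subject copies the sets it is given into its own guarded sets, so one typed empty set can
    // serve as both the public and the private credential set. (The original used a raw HashSet.)
    Set<Object> noCredentials = new HashSet<>();

    // The newly constructed Sets check whether this Subject has been set read-only
    // before permitting subsequent modifications. The newly created Sets also prevent
    // illegal modifications by ensuring that callers have sufficient permissions.
    //
    // To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals").
    // To modify the public credential Set, the caller must have AuthPermission("modifyPublicCredentials").
    // To modify the private credential Set, the caller must have AuthPermission("modifyPrivateCredentials").
    return new javax.security.auth.Subject(true, principals, noCredentials, noCredentials);
}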
Use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache: class SSOCookieFederationFilter, method doFilter.
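@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Authenticates the request from the SSO cookie: a valid JWT establishes a Subject and the chain
    // continues; no cookie or an unparseable cookie redirects the client to the login URL.
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    String loginURL = constructLoginURL(req);
    String wireToken = getJWTFromCookie(req);

    if (wireToken == null) {
        if ("OPTIONS".equals(req.getMethod())) {
            // CORS preflight requests to determine allowed origins and related config
            // must be able to continue without being redirected.
            Subject sub = new Subject();
            sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
            continueWithEstablishedSecurityContext(sub, req, res, chain);
            // Return here: without it the preflight response fell through to the redirect below,
            // which tries to commit the already-handled response a second time.
            return;
        }
        log.sendRedirectToLoginURL(loginURL);
        res.sendRedirect(loginURL);
        return;
    }

    try {
        JWT token = new JWTToken(wireToken);
        if (validateToken(req, res, chain, token)) {
            Subject subject = createSubjectFromToken(token);
            continueWithEstablishedSecurityContext(subject, req, res, chain);
        }
    } catch (ParseException ex) {
        // A malformed cookie is treated like a missing one: back to the login URL.
        res.sendRedirect(loginURL);
    }
}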
Use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache: class AbstractJWTFilterTest, method testValidAudienceJWT.
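@Test
public void testValidAudienceJWT() throws Exception {
    // A JWT whose audience matches the single configured audience ("bar") must pass the filter and
    // establish a Subject whose PrimaryPrincipal is the token's subject.
    try {
        Properties props = getProperties();
        props.put(getAudienceProperty(), "bar");
        handler.init(new TestFilterConfig(props));

        // Token expires 5 seconds from now, so it is valid for the duration of the test.
        SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice", new Date(System.currentTimeMillis() + 5000), privateKey);

        HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
        setTokenOnRequest(request, jwt);
        EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes();
        EasyMock.expect(request.getQueryString()).andReturn(null);

        HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
        EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(SERVICE_URL);
        // Both mocks must be switched to replay mode; the response expectation above is only
        // honored once the response mock is replayed too.
        EasyMock.replay(request, response);

        TestFilterChain chain = new TestFilterChain();
        handler.doFilter(request, response, chain);
        Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled);

        Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
        Assert.assertFalse("No PrimaryPrincipal", principals.isEmpty());
        Assert.assertEquals("Not the expected principal", "alice", principals.iterator().next().getName());
    } catch (ServletException se) {
        // Keep the original exception as the cause so the failure report shows where it came from.
        throw new AssertionError("Should NOT have thrown a ServletException.", se);
    }
}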
Use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache: class AbstractJWTFilterTest, method testValidAudienceJWTWhitespace.
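@Test
public void testValidAudienceJWTWhitespace() throws Exception {
    // The configured audience list may carry surrounding whitespace (" foo, bar "); the filter must
    // still match the token's audience and establish a Subject with the expected PrimaryPrincipal.
    try {
        Properties props = getProperties();
        props.put(getAudienceProperty(), " foo, bar ");
        handler.init(new TestFilterConfig(props));

        // Token expires 5 seconds from now, so it is valid for the duration of the test.
        SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice", new Date(System.currentTimeMillis() + 5000), privateKey);

        HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
        setTokenOnRequest(request, jwt);
        EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes();
        EasyMock.expect(request.getQueryString()).andReturn(null);

        HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
        EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(SERVICE_URL);
        // Both mocks must be switched to replay mode; the response expectation above is only
        // honored once the response mock is replayed too.
        EasyMock.replay(request, response);

        TestFilterChain chain = new TestFilterChain();
        handler.doFilter(request, response, chain);
        Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled);

        Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
        Assert.assertFalse("No PrimaryPrincipal", principals.isEmpty());
        Assert.assertEquals("Not the expected principal", "alice", principals.iterator().next().getName());
    } catch (ServletException se) {
        // Keep the original exception as the cause so the failure report shows where it came from.
        throw new AssertionError("Should NOT have thrown a ServletException.", se);
    }
}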