Example 16 with Credential

Use of io.cdap.cdap.proto.security.Credential in project cdap by caskdata.

In class InternalAccessEnforcerTest, method testInternalAccessEnforceOnParentSuccess:

@Test
public void testInternalAccessEnforceOnParentSuccess() throws IOException {
    NamespaceId ns = new NamespaceId("namespace");
    long currentTime = System.currentTimeMillis();
    // Internal (system) identity that is valid for five minutes from now
    UserIdentity userIdentity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.INTERNAL,
                                                 Collections.emptyList(), currentTime, currentTime + 5 * MINUTE_MILLIS);
    // Sign the identity, encode it as an access token, then Base64-encode it for transport
    String encodedIdentity = Base64.getEncoder().encodeToString(
        accessTokenCodec.encode(tokenManager.signIdentifier(userIdentity)));
    Credential credential = new Credential(encodedIdentity, Credential.CredentialType.INTERNAL);
    Principal principal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, credential);
    // A valid internal credential must pass the GET check on the parent (namespace) of an application
    internalAccessEnforcer.enforceOnParent(EntityType.APPLICATION, ns, principal, StandardPermission.GET);
}
Also used: Credential (io.cdap.cdap.proto.security.Credential), UserIdentity (io.cdap.cdap.security.auth.UserIdentity), NamespaceId (io.cdap.cdap.proto.id.NamespaceId), Principal (io.cdap.cdap.proto.security.Principal), Test (org.junit.Test)

Example 17 with Credential

Use of io.cdap.cdap.proto.security.Credential in project cdap by caskdata.

In class InternalAccessEnforcerTest, method testInternalAccessIsVisibleSuccess:

@Test
public void testInternalAccessIsVisibleSuccess() throws IOException {
    NamespaceId ns = new NamespaceId("namespace");
    Set<EntityId> entities = Collections.singleton(ns);
    long currentTime = System.currentTimeMillis();
    // Internal (system) identity that is valid for five minutes from now
    UserIdentity userIdentity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.INTERNAL,
                                                 Collections.emptyList(), currentTime, currentTime + 5 * MINUTE_MILLIS);
    // Sign the identity, encode it as an access token, then Base64-encode it for transport
    String encodedIdentity = Base64.getEncoder().encodeToString(
        accessTokenCodec.encode(tokenManager.signIdentifier(userIdentity)));
    Credential credential = new Credential(encodedIdentity, Credential.CredentialType.INTERNAL);
    Principal principal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, credential);
    // A valid internal credential sees every entity it asks about
    Assert.assertEquals(entities, internalAccessEnforcer.isVisible(entities, principal));
}
Also used: EntityId (io.cdap.cdap.proto.id.EntityId), Credential (io.cdap.cdap.proto.security.Credential), UserIdentity (io.cdap.cdap.security.auth.UserIdentity), NamespaceId (io.cdap.cdap.proto.id.NamespaceId), Principal (io.cdap.cdap.proto.security.Principal), Test (org.junit.Test)

Example 18 with Credential

Use of io.cdap.cdap.proto.security.Credential in project cdap by caskdata.

In class DefaultAccessEnforcerTest, method testInternalIsVisible:

@Test
public void testInternalIsVisible() throws IOException, AccessException {
    Principal userWithInternalCred = new Principal("system", Principal.PrincipalType.USER, null,
                                                   new Credential("credential", Credential.CredentialType.INTERNAL));
    // Turn on internal authentication so INTERNAL credentials are routed to the internal enforcer
    CConfiguration cConfCopy = CConfiguration.copy(CCONF);
    cConfCopy.setBoolean(Constants.Security.INTERNAL_AUTH_ENABLED, true);
    ControllerWrapper controllerWrapper = createControllerWrapper(cConfCopy, SCONF, new NoOpAccessController());
    AccessController accessController = controllerWrapper.accessController;
    DefaultAccessEnforcer accessEnforcer = controllerWrapper.defaultAccessEnforcer;
    Set<EntityId> namespaces = ImmutableSet.of(NS);
    // Make sure that the actual access controller does not grant visibility.
    Assert.assertEquals(Collections.emptySet(), accessController.isVisible(namespaces, userWithInternalCred));
    // The no-op access enforcer allows all requests through, so this succeeds only if the enforcer
    // routed the internal credential to the right access controller.
    Assert.assertEquals(namespaces, accessEnforcer.isVisible(namespaces, userWithInternalCred));
    // Verify the metrics context was called with the correct metric
    verify(controllerWrapper.mockMetricsContext, times(1))
        .increment(Constants.Metrics.Authorization.INTERNAL_VISIBILITY_CHECK_COUNT, 1);
}
Also used: EntityId (io.cdap.cdap.proto.id.EntityId), Credential (io.cdap.cdap.proto.security.Credential), NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController), AccessController (io.cdap.cdap.security.spi.authorization.AccessController), CConfiguration (io.cdap.cdap.common.conf.CConfiguration), Principal (io.cdap.cdap.proto.security.Principal), Test (org.junit.Test)

Example 19 with Credential

Use of io.cdap.cdap.proto.security.Credential in project cdap by caskdata.

In class DefaultAccessEnforcerTest, method testAuthEnforceWithEncryptedCredential:

@Test
public void testAuthEnforceWithEncryptedCredential() throws IOException, AccessException, CipherException,
                                                            GeneralSecurityException {
    // Encrypt the raw credential with the configured Tink cipher and mark it as EXTERNAL_ENCRYPTED
    SConfiguration sConfCopy = enableCredentialEncryption();
    TinkCipher cipher = new TinkCipher(sConfCopy);
    String cred = cipher.encryptToBase64("credential".getBytes(StandardCharsets.UTF_8), null);
    Principal userWithCredEncrypted = new Principal("userFoo", Principal.PrincipalType.USER, null,
                                                    new Credential(cred, Credential.CredentialType.EXTERNAL_ENCRYPTED));
    ControllerWrapper controllerWrapper = createControllerWrapper(CCONF, sConfCopy, null);
    AccessController accessController = controllerWrapper.accessController;
    DefaultAccessEnforcer accessEnforcer = controllerWrapper.defaultAccessEnforcer;
    // Before any grant, UPDATE must be denied
    assertAuthorizationFailure(accessEnforcer, NS, userWithCredEncrypted, StandardPermission.UPDATE);
    // After granting GET and UPDATE on the namespace, both checks must pass
    accessController.grant(Authorizable.fromEntityId(NS), userWithCredEncrypted,
                           ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));
    accessEnforcer.enforce(NS, userWithCredEncrypted, StandardPermission.GET);
    accessEnforcer.enforce(NS, userWithCredEncrypted, StandardPermission.UPDATE);
    // Verify the metrics context was called with the correct metrics: one failure, two successes, three timings
    verify(controllerWrapper.mockMetricsContext, times(2))
        .increment(Constants.Metrics.Authorization.EXTENSION_CHECK_SUCCESS_COUNT, 1);
    verify(controllerWrapper.mockMetricsContext, times(1))
        .increment(Constants.Metrics.Authorization.EXTENSION_CHECK_FAILURE_COUNT, 1);
    verify(controllerWrapper.mockMetricsContext, times(3))
        .gauge(eq(Constants.Metrics.Authorization.EXTENSION_CHECK_MILLIS), any(Long.class));
}
Also used: Credential (io.cdap.cdap.proto.security.Credential), NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController), AccessController (io.cdap.cdap.security.spi.authorization.AccessController), SConfiguration (io.cdap.cdap.common.conf.SConfiguration), TinkCipher (io.cdap.cdap.security.auth.TinkCipher), Principal (io.cdap.cdap.proto.security.Principal), Test (org.junit.Test)

Example 20 with Credential

Use of io.cdap.cdap.proto.security.Credential in project cdap by cdapio.

In class AuthenticationHandler, method channelRead:

@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
    if (!(msg instanceof HttpRequest)) {
        ctx.fireChannelRead(msg);
        return;
    }
    HttpRequest request = (HttpRequest) msg;
    // If security is bypassed for this request, pass it straight to the next handler
    if (isBypassed(request)) {
        ctx.fireChannelRead(msg);
        return;
    }
    UserIdentityExtractionResponse extractionResponse = userIdentityExtractor.extract(request);
    if (extractionResponse.success()) {
        UserIdentityPair userIdentityPair = extractionResponse.getIdentityPair();
        // User identity extraction succeeded, so strip the inbound Authorization header,
        // set the trusted identity headers and allow the call through
        request.headers().remove(HttpHeaderNames.AUTHORIZATION);
        Credential credential = getUserCredential(userIdentityPair);
        // For backwards compatibility, we continue propagating credentials by default. This may change in the future.
        if (cConf.getBoolean(Constants.Security.Authentication.PROPAGATE_USER_CREDENTIAL, true) && credential != null) {
            request.headers().set(Constants.Security.Headers.RUNTIME_TOKEN, String.format("%s %s", credential.getType().getQualifiedName(), credential.getValue()));
        }
        request.headers().set(Constants.Security.Headers.USER_ID, userIdentityPair.getUserIdentity().getUsername());
        String clientIP = Networks.getIP(ctx.channel().remoteAddress());
        if (clientIP != null) {
            request.headers().set(Constants.Security.Headers.USER_IP, clientIP);
        }
        ctx.fireChannelRead(msg);
        return;
    }
    // Respond with 401 and a WWW-Authenticate challenge, plus an optional audit log entry
    try {
        HttpHeaders headers = new DefaultHttpHeaders();
        JsonObject jsonObject = new JsonObject();
        if (extractionResponse.getState().equals(UserIdentityExtractionState.ERROR_MISSING_CREDENTIAL)) {
            headers.add(HttpHeaderNames.WWW_AUTHENTICATE, String.format("Bearer realm=\"%s\"", realm));
            LOG.debug("Authentication failed due to missing credentials");
        } else {
            String shortError = extractionResponse.getState().toString();
            String errorDescription = extractionResponse.getErrorDescription();
            headers.add(HttpHeaderNames.WWW_AUTHENTICATE, String.format("Bearer realm=\"%s\" error=\"%s\" error_description=\"%s\"", realm, shortError, errorDescription));
            jsonObject.addProperty("error", shortError);
            jsonObject.addProperty("error_description", errorDescription);
            LOG.debug("Authentication failed due to error {}, reason={};", shortError, errorDescription);
        }
        jsonObject.add("auth_uri", getAuthenticationURLs());
        ByteBuf content = Unpooled.copiedBuffer(jsonObject.toString(), StandardCharsets.UTF_8);
        HttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, content);
        HttpUtil.setContentLength(response, content.readableBytes());
        HttpUtil.setKeepAlive(response, false);
        response.headers().setAll(headers);
        response.headers().set(HttpHeaderNames.CONTENT_TYPE, "application/json;charset=UTF-8");
        auditLogIfNeeded(request, response, ctx.channel());
        ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
    } finally {
        ReferenceCountUtil.release(msg);
    }
}
Also used: HttpRequest (io.netty.handler.codec.http.HttpRequest), HttpHeaders (io.netty.handler.codec.http.HttpHeaders), DefaultHttpHeaders (io.netty.handler.codec.http.DefaultHttpHeaders), DefaultFullHttpResponse (io.netty.handler.codec.http.DefaultFullHttpResponse), Credential (io.cdap.cdap.proto.security.Credential), UserIdentityExtractionResponse (io.cdap.cdap.security.auth.UserIdentityExtractionResponse), JsonObject (com.google.gson.JsonObject), HttpResponse (io.netty.handler.codec.http.HttpResponse), UserIdentityPair (io.cdap.cdap.security.auth.UserIdentityPair), ByteBuf (io.netty.buffer.ByteBuf)

Aggregations

Credential (io.cdap.cdap.proto.security.Credential) 79
Principal (io.cdap.cdap.proto.security.Principal) 58
Test (org.junit.Test) 53
NamespaceId (io.cdap.cdap.proto.id.NamespaceId) 32
UserIdentity (io.cdap.cdap.security.auth.UserIdentity) 26
EntityId (io.cdap.cdap.proto.id.EntityId) 12
AccessController (io.cdap.cdap.security.spi.authorization.AccessController) 10
NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController) 10
TinkCipher (io.cdap.cdap.security.auth.TinkCipher) 8
CConfiguration (io.cdap.cdap.common.conf.CConfiguration) 6
SConfiguration (io.cdap.cdap.common.conf.SConfiguration) 6
HttpHeaders (io.netty.handler.codec.http.HttpHeaders) 6
IOException (java.io.IOException) 6
HttpURLConnection (java.net.HttpURLConnection) 6
ArtifactSummary (io.cdap.cdap.api.artifact.ArtifactSummary) 4
PreviewRequest (io.cdap.cdap.app.preview.PreviewRequest) 4
RemoteClient (io.cdap.cdap.common.internal.remote.RemoteClient) 4
RemoteClientFactory (io.cdap.cdap.common.internal.remote.RemoteClientFactory) 4
AppRequest (io.cdap.cdap.proto.artifact.AppRequest) 4
PreviewConfig (io.cdap.cdap.proto.artifact.preview.PreviewConfig) 4