use of io.cdap.cdap.security.auth.TinkCipher in project cdap by caskdata.
the class AuthenticationHandler method getUserCredential.
/**
 * Wraps the user credential carried by a {@link UserIdentityPair} in a {@link Credential}.
 *
 * <p>The credential is encrypted only when it is non-null and
 * {@code Constants.Security.Authentication.USER_CREDENTIAL_ENCRYPTION_ENABLED} is set to true in
 * {@code sConf}; the setting is read with a default of {@code false}. In every other case the value
 * is passed through unchanged, so with the default configuration the credential leaves this method
 * unencrypted and tagged {@code EXTERNAL}.
 *
 * @param userIdentityPair source of the user credential
 * @return a credential of type {@code EXTERNAL_ENCRYPTED} holding the Base64 ciphertext, or a
 *     credential of type {@code EXTERNAL} holding the original value (which may be {@code null})
 * @throws CipherException propagated from constructing the {@link TinkCipher} or from the
 *     encryption call
 */
@Nullable
private Credential getUserCredential(UserIdentityPair userIdentityPair) throws CipherException {
  String plainCredential = userIdentityPair.getUserCredential();
  // The null check comes first so the configuration is only consulted when there is something to encrypt.
  if (plainCredential != null
      && sConf.getBoolean(Constants.Security.Authentication.USER_CREDENTIAL_ENCRYPTION_ENABLED, false)) {
    // NOTE(review): a new cipher is built from sConf on every call, and the second argument is null,
    // presumably meaning no associated data is bound to the ciphertext. Confirm against TinkCipher.
    TinkCipher cipher = new TinkCipher(sConf);
    return new Credential(cipher.encryptStringToBase64(plainCredential, null),
                          Credential.CredentialType.EXTERNAL_ENCRYPTED);
  }
  // Encryption disabled or no credential present: the value is forwarded as-is.
  return new Credential(plainCredential, Credential.CredentialType.EXTERNAL);
}
use of io.cdap.cdap.security.auth.TinkCipher in project cdap by caskdata.
the class DefaultAccessEnforcerTest method testAuthEnforceWithEncryptedCredential.
/**
 * Exercises {@link DefaultAccessEnforcer#enforce} for a principal whose credential is supplied as
 * {@code EXTERNAL_ENCRYPTED} ciphertext produced by a {@link TinkCipher} built from the same
 * security configuration that is handed to the enforcer.
 *
 * <p>Flow: one authorization-failure assertion for UPDATE before any grant (via the
 * {@code assertAuthorizationFailure} helper, not shown here), then a grant of GET and UPDATE,
 * then two enforce calls. The metric verifications expect 2 successes, 1 failure and 3 timing gauges.
 */
@Test
public void testAuthEnforceWithEncryptedCredential()
    throws IOException, AccessException, CipherException, GeneralSecurityException {
  SConfiguration encryptionConf = enableCredentialEncryption();
  // Encrypt a known plaintext; null is passed as the second argument of encryptToBase64.
  String encryptedCredential = new TinkCipher(encryptionConf)
      .encryptToBase64("credential".getBytes(StandardCharsets.UTF_8), null);
  Credential credential = new Credential(encryptedCredential, Credential.CredentialType.EXTERNAL_ENCRYPTED);
  Principal encryptedUser = new Principal("userFoo", Principal.PrincipalType.USER, null, credential);

  ControllerWrapper wrapper = createControllerWrapper(CCONF, encryptionConf, null);
  AccessController controller = wrapper.accessController;
  DefaultAccessEnforcer enforcer = wrapper.defaultAccessEnforcer;

  // No grant exists yet, so this is the one failing check counted below.
  assertAuthorizationFailure(enforcer, NS, encryptedUser, StandardPermission.UPDATE);

  controller.grant(Authorizable.fromEntityId(NS), encryptedUser,
                   ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));
  enforcer.enforce(NS, encryptedUser, StandardPermission.GET);
  enforcer.enforce(NS, encryptedUser, StandardPermission.UPDATE);

  // Two successful checks, one failed check, and one timing gauge per check.
  verify(wrapper.mockMetricsContext, times(2))
      .increment(Constants.Metrics.Authorization.EXTENSION_CHECK_SUCCESS_COUNT, 1);
  verify(wrapper.mockMetricsContext, times(1))
      .increment(Constants.Metrics.Authorization.EXTENSION_CHECK_FAILURE_COUNT, 1);
  verify(wrapper.mockMetricsContext, times(3))
      .gauge(eq(Constants.Metrics.Authorization.EXTENSION_CHECK_MILLIS), any(Long.class));
}
use of io.cdap.cdap.security.auth.TinkCipher in project cdap by caskdata.
the class DefaultAccessEnforcerTest method testIsVisibleWithEncryptedCredential.
/**
 * Exercises {@link DefaultAccessEnforcer#isVisible} for a principal whose credential is supplied
 * as {@code EXTERNAL_ENCRYPTED} ciphertext produced by a {@link TinkCipher} built from the same
 * security configuration that is handed to the enforcer.
 *
 * <p>The namespace must be invisible before any grant and visible after GET and UPDATE are
 * granted. Both visibility calls are expected to be counted and timed in the metrics context.
 */
@Test
public void testIsVisibleWithEncryptedCredential()
    throws IOException, AccessException, CipherException, GeneralSecurityException {
  SConfiguration encryptionConf = enableCredentialEncryption();
  // Encrypt a known plaintext; null is passed as the second argument of encryptToBase64.
  String encryptedCredential = new TinkCipher(encryptionConf)
      .encryptToBase64("credential".getBytes(StandardCharsets.UTF_8), null);
  Credential credential = new Credential(encryptedCredential, Credential.CredentialType.EXTERNAL_ENCRYPTED);
  Principal encryptedUser = new Principal("userFoo", Principal.PrincipalType.USER, null, credential);

  ControllerWrapper wrapper = createControllerWrapper(CCONF, encryptionConf, null);
  AccessController controller = wrapper.accessController;
  DefaultAccessEnforcer enforcer = wrapper.defaultAccessEnforcer;
  Set<NamespaceId> candidates = ImmutableSet.of(NS);

  // Before the grant nothing is visible to the principal.
  Assert.assertEquals(0, enforcer.isVisible(candidates, encryptedUser).size());

  controller.grant(Authorizable.fromEntityId(NS), encryptedUser,
                   ImmutableSet.of(StandardPermission.GET, StandardPermission.UPDATE));

  // After the grant the single namespace is reported as visible.
  Assert.assertEquals(1, enforcer.isVisible(candidates, encryptedUser).size());

  // One counter increment and one timing gauge per isVisible call.
  verify(wrapper.mockMetricsContext, times(2))
      .increment(Constants.Metrics.Authorization.NON_INTERNAL_VISIBILITY_CHECK_COUNT, 1);
  verify(wrapper.mockMetricsContext, times(2))
      .gauge(eq(Constants.Metrics.Authorization.EXTENSION_VISIBILITY_MILLIS), any(Long.class));
}
use of io.cdap.cdap.security.auth.TinkCipher in project cdap by caskdata.
the class DefaultAccessEnforcerTest method testAuthEnforceWithBadEncryptedCredential.
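/**
 * Negative path: a principal tagged {@code EXTERNAL_ENCRYPTED} carries Base64 text that was not
 * produced by the cipher, so enforcement is expected to fail with a decryption error.
 *
 * <p>The test also asserts that no metric is recorded for the rejected request. Those
 * verifications run in a {@code finally} block: placed after the throwing {@code enforce} call
 * they would never execute, and the test would pass without checking anything about metrics.
 */
@Test
public void testAuthEnforceWithBadEncryptedCredential()
    throws IOException, AccessException, CipherException, GeneralSecurityException {
  // The expected text, including its spelling, has to match the message of the thrown exception.
  // NOTE(review): Exception.class is the broadest possible expectation; narrowing it to the type the
  // enforcer actually throws would make this test stricter. Confirm the type against the enforcer.
  thrown.expect(Exception.class);
  thrown.expectMessage("Failed to decrypt credential in principle:");
  SConfiguration sConfCopy = enableCredentialEncryption();
  // Not used further in this test: the credential below is deliberately not produced by this cipher.
  TinkCipher cipher = new TinkCipher(sConfCopy);
  // Explicit charset so the bytes do not depend on the platform default.
  String badCipherCred = Base64.getEncoder()
      .encodeToString("invalid encrypted credential".getBytes(StandardCharsets.UTF_8));
  Principal userWithCredEncrypted = new Principal(
      "userFoo", Principal.PrincipalType.USER, null,
      new Credential(badCipherCred, Credential.CredentialType.EXTERNAL_ENCRYPTED));
  ControllerWrapper controllerWrapper = createControllerWrapper(CCONF, sConfCopy, null);
  AccessController accessController = controllerWrapper.accessController;
  DefaultAccessEnforcer accessEnforcer = controllerWrapper.defaultAccessEnforcer;
  // GET is listed twice, so the granted set contains the single permission GET.
  accessController.grant(Authorizable.fromEntityId(NS), userWithCredEncrypted,
                         ImmutableSet.of(StandardPermission.GET, StandardPermission.GET));
  try {
    accessEnforcer.enforce(NS, userWithCredEncrypted, StandardPermission.GET);
  } finally {
    // Verify the metrics context was not called, even though enforce is expected to throw.
    verify(controllerWrapper.mockMetricsContext, times(0)).increment(any(String.class), any(Long.class));
    verify(controllerWrapper.mockMetricsContext, times(0)).gauge(any(String.class), any(Long.class));
  }
}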