
Example 6 with UserIdentity

Use of io.cdap.cdap.security.auth.UserIdentity in project cdap by caskdata.

From the class InternalAccessEnforcerTest, method testInternalAccessEnforceOnParentNonInternalTokenType. The test signs an identity of type EXTERNAL, wraps it in an INTERNAL credential, and expects enforceOnParent to reject it with AccessException.

@Test(expected = AccessException.class)
public void testInternalAccessEnforceOnParentNonInternalTokenType() throws IOException {
    NamespaceId ns = new NamespaceId("namespace");
    long currentTime = System.currentTimeMillis();
    UserIdentity userIdentity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.EXTERNAL, Collections.emptyList(), currentTime, currentTime + 5 * MINUTE_MILLIS);
    String encodedIdentity = Base64.getEncoder().encodeToString(accessTokenCodec.encode(tokenManager.signIdentifier(userIdentity)));
    Credential credential = new Credential(encodedIdentity, Credential.CredentialType.INTERNAL);
    Principal principal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, credential);
    internalAccessEnforcer.enforceOnParent(EntityType.APPLICATION, ns, principal, StandardPermission.GET);
}
Also used : Credential(io.cdap.cdap.proto.security.Credential) UserIdentity(io.cdap.cdap.security.auth.UserIdentity) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Principal(io.cdap.cdap.proto.security.Principal) Test(org.junit.Test)

Example 7 with UserIdentity

Use of io.cdap.cdap.security.auth.UserIdentity in project cdap by caskdata.

From the class InternalAccessEnforcerTest, method testInternalAccessEnforceOnParentSuccess. Same setup as the previous example, but the signed identity is of type INTERNAL, so enforceOnParent is expected to succeed.

@Test
public void testInternalAccessEnforceOnParentSuccess() throws IOException {
    NamespaceId ns = new NamespaceId("namespace");
    long currentTime = System.currentTimeMillis();
    UserIdentity userIdentity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.INTERNAL, Collections.emptyList(), currentTime, currentTime + 5 * MINUTE_MILLIS);
    String encodedIdentity = Base64.getEncoder().encodeToString(accessTokenCodec.encode(tokenManager.signIdentifier(userIdentity)));
    Credential credential = new Credential(encodedIdentity, Credential.CredentialType.INTERNAL);
    Principal principal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, credential);
    internalAccessEnforcer.enforceOnParent(EntityType.APPLICATION, ns, principal, StandardPermission.GET);
}
Also used : Credential(io.cdap.cdap.proto.security.Credential) UserIdentity(io.cdap.cdap.security.auth.UserIdentity) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Principal(io.cdap.cdap.proto.security.Principal) Test(org.junit.Test)

Example 8 with UserIdentity

Use of io.cdap.cdap.security.auth.UserIdentity in project cdap by caskdata.

From the class InternalAccessEnforcerTest, method testInternalAccessIsVisibleSuccess. With a valid INTERNAL credential, isVisible is expected to return the full set of requested entities.

@Test
public void testInternalAccessIsVisibleSuccess() throws IOException {
    NamespaceId ns = new NamespaceId("namespace");
    Set<EntityId> entities = Collections.singleton(ns);
    long currentTime = System.currentTimeMillis();
    UserIdentity userIdentity = new UserIdentity(SYSTEM_PRINCIPAL, UserIdentity.IdentifierType.INTERNAL, Collections.emptyList(), currentTime, currentTime + 5 * MINUTE_MILLIS);
    String encodedIdentity = Base64.getEncoder().encodeToString(accessTokenCodec.encode(tokenManager.signIdentifier(userIdentity)));
    Credential credential = new Credential(encodedIdentity, Credential.CredentialType.INTERNAL);
    Principal principal = new Principal(SYSTEM_PRINCIPAL, Principal.PrincipalType.USER, null, credential);
    Assert.assertEquals(entities, internalAccessEnforcer.isVisible(entities, principal));
}
Also used : EntityId(io.cdap.cdap.proto.id.EntityId) Credential(io.cdap.cdap.proto.security.Credential) UserIdentity(io.cdap.cdap.security.auth.UserIdentity) NamespaceId(io.cdap.cdap.proto.id.NamespaceId) Principal(io.cdap.cdap.proto.security.Principal) Test(org.junit.Test)

Example 9 with UserIdentity

Use of io.cdap.cdap.security.auth.UserIdentity in project cdap by caskdata.

From the class SystemAuthenticationContext, method getPrincipal.

@Override
public Principal getPrincipal() {
    // Normally userId and userCredential are either both null or both non-null.
    // When both are non-null, they are either end-user or internal-user credentials and are propagated as is.
    // When both are null, the request originated from the system, so a credential is generated as the internal user.
    //
    // It is possible for userId to be non-null while userCredential is null. This happens when a program is
    // launched as a userId stored in the program options' system args: the user credential is currently not
    // stored there, so the program cannot be launched as the targeted user and is instead run under the
    // system's internal identity. Authorization is relied upon at the HTTP handler level when the request
    // is received.
    String userId = SecurityRequestContext.getUserId();
    Credential userCredential = SecurityRequestContext.getUserCredential();
    if (userId != null && userCredential != null) {
        return new Principal(userId, Principal.PrincipalType.USER, userCredential);
    } else if (userId != null && userCredential == null) {
        LOG.warn("Unexpected SecurityRequestContext state, userId = {} while userCredential = NULL", userId);
    } else if (userId == null && userCredential != null) {
        LOG.warn("Unexpected SecurityRequestContext state, userId = NULL while userCredential = {}", userCredential);
    }
    try {
        userId = UserGroupInformation.getCurrentUser().getShortUserName();
    } catch (IOException e) {
        throw Throwables.propagate(e);
    }
    long currentTimestamp = System.currentTimeMillis();
    UserIdentity identity = new UserIdentity(userId, UserIdentity.IdentifierType.INTERNAL, Collections.emptyList(), currentTimestamp, currentTimestamp + DEFAULT_EXPIRATION);
    AccessToken accessToken = tokenManager.signIdentifier(identity);
    String encodedAccessToken;
    try {
        encodedAccessToken = Base64.getEncoder().encodeToString(accessTokenCodec.encode(accessToken));
        Credential credential = new Credential(encodedAccessToken, Credential.CredentialType.INTERNAL);
        return new Principal(userId, Principal.PrincipalType.USER, credential);
    } catch (IOException e) {
        throw new RuntimeException("Unexpected failure while creating internal system identity", e);
    }
}
Also used : Credential(io.cdap.cdap.proto.security.Credential) AccessToken(io.cdap.cdap.security.auth.AccessToken) UserIdentity(io.cdap.cdap.security.auth.UserIdentity) IOException(java.io.IOException) Principal(io.cdap.cdap.proto.security.Principal)

Example 10 with UserIdentity

Use of io.cdap.cdap.security.auth.UserIdentity in project cdap by caskdata.

From the class InternalAccessEnforcer, method validateAccessTokenAndIdentity. The method rejects a null or non-INTERNAL credential, decodes and verifies the signed access token, and then requires the embedded identity's type to be INTERNAL; a username mismatch against the principal name is only logged at debug level.

private void validateAccessTokenAndIdentity(String principalName, Credential credential) throws AccessException {
    if (credential == null) {
        throw new IllegalStateException("Attempted to internally enforce access on null credential");
    }
    if (!credential.getType().equals(Credential.CredentialType.INTERNAL)) {
        throw new IllegalStateException("Attempted to internally enforce access on non-internal credential type");
    }
    AccessToken accessToken;
    try {
        accessToken = accessTokenCodec.decode(Base64.getDecoder().decode(credential.getValue()));
    } catch (IOException e) {
        throw new AccessException("Failed to deserialize access token", e);
    }
    try {
        tokenManager.validateSecret(accessToken);
    } catch (InvalidTokenException e) {
        throw new AccessException("Failed to validate access token", e);
    }
    UserIdentity userIdentity = accessToken.getIdentifier();
    if (!userIdentity.getUsername().equals(principalName)) {
        LOG.debug(String.format("Internal access token username differs from principal name; got token " + "name '%s', expected principal name '%s'", userIdentity.getUsername(), principalName));
    }
    if (userIdentity.getIdentifierType() == null || !userIdentity.getIdentifierType().equals(UserIdentity.IdentifierType.INTERNAL)) {
        throw new AccessException(String.format("Invalid internal access token type; got '%s', want '%s'", userIdentity.getIdentifierType(), UserIdentity.IdentifierType.INTERNAL));
    }
}
Also used : InvalidTokenException(io.cdap.cdap.security.auth.InvalidTokenException) AccessException(io.cdap.cdap.api.security.AccessException) AccessToken(io.cdap.cdap.security.auth.AccessToken) UserIdentity(io.cdap.cdap.security.auth.UserIdentity) IOException(java.io.IOException)

Aggregations

UserIdentity (io.cdap.cdap.security.auth.UserIdentity)17 Credential (io.cdap.cdap.proto.security.Credential)13 Principal (io.cdap.cdap.proto.security.Principal)13 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)12 Test (org.junit.Test)12 EntityId (io.cdap.cdap.proto.id.EntityId)4 AccessToken (io.cdap.cdap.security.auth.AccessToken)4 IOException (java.io.IOException)3 JsonObject (com.google.gson.JsonObject)1 AccessException (io.cdap.cdap.api.security.AccessException)1 InvalidTokenException (io.cdap.cdap.security.auth.InvalidTokenException)1 TokenState (io.cdap.cdap.security.auth.TokenState)1 UserIdentityExtractionResponse (io.cdap.cdap.security.auth.UserIdentityExtractionResponse)1 UserIdentityPair (io.cdap.cdap.security.auth.UserIdentityPair)1 OutputStream (java.io.OutputStream)1 LinkedHashSet (java.util.LinkedHashSet)1 Location (org.apache.twill.filesystem.Location)1