Example 16 with HopsSecurityException

use of io.hops.hopsworks.exceptions.HopsSecurityException in project hopsworks by logicalclocks.

the class JWTResource method renewServiceToken.

@PUT
@Path("/service")
@ApiOperation(value = "Renew a service JWT without invalidating the previous token", response = ServiceJWTDTO.class)
public Response renewServiceToken(JsonWebTokenDTO jwt, @Context HttpServletRequest request) throws HopsSecurityException {
    // The bearer token on this request should be one of the one-time renewal tokens, not the master service JWT
    String token = jWTHelper.getAuthToken(request);
    Users user = jWTHelper.getUserPrincipal(request);
    if (user == null) {
        // JWT.decode() parses the token without verifying its signature; it is only used here to log the token id
        DecodedJWT decodedJWT = JWT.decode(token);
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.NOT_RENEWABLE_TOKEN, Level.FINE, "User not found associated with that JWT", "Could not find user in the database associated with JWT " + decodedJWT.getId());
    }
    try {
        // Validate the one-time token and return the renewed service JWT
        ServiceJWTDTO renewedTokens = jWTHelper.renewServiceToken(jwt, token, user, request.getRemoteHost());
        return Response.ok().entity(renewedTokens).build();
    } catch (JWTException | NoSuchAlgorithmException ex) {
        // Report a generic renewal failure; the remote host is recorded in the developer message
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.NOT_RENEWABLE_TOKEN, Level.WARNING, "Could not renew service JWT", "Could not renew service JWT for " + request.getRemoteHost());
    }
}
Also used : JWTException(io.hops.hopsworks.jwt.exception.JWTException) Users(io.hops.hopsworks.persistence.entity.user.Users) ServiceJWTDTO(io.hops.hopsworks.api.user.ServiceJWTDTO) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) Path(javax.ws.rs.Path) ApiOperation(io.swagger.annotations.ApiOperation) PUT(javax.ws.rs.PUT)

Example 17 with HopsSecurityException

use of io.hops.hopsworks.exceptions.HopsSecurityException in project hopsworks by logicalclocks.

the class JWTResource method invalidateServiceToken.

@DELETE
@Path("/service/{token}")
@ApiOperation(value = "Invalidate a service JWT and also delete the signing key encoded in the token")
public Response invalidateServiceToken(@ApiParam(value = "Service token to invalidate", required = true) @PathParam("token") String token, @Context HttpServletRequest request) throws HopsSecurityException {
    // JWT.decode() does not verify the signature; the caller's identity comes from the request's own JWT (getUserPrincipal)
    DecodedJWT jwt2invalidate = JWT.decode(token);
    Users user = jWTHelper.getUserPrincipal(request);
    if (user == null) {
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.INVALIDATION_ERROR, Level.FINE, "Could not find registered user", "Could not find registered user associated with JWT " + jwt2invalidate.getId());
    }
    // A user may only invalidate tokens whose subject is their own username
    if (!user.getUsername().equals(jwt2invalidate.getSubject())) {
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.INVALIDATION_ERROR, Level.FINE, "Tried to invalidate token with different subject", "User " + user.getUsername() + " tried to invalidate token with Subject " + jwt2invalidate.getSubject());
    }
    // Deletes the signing key encoded in the token, so tokens signed with that key no longer verify
    jWTHelper.invalidateServiceToken(token);
    return Response.ok().build();
}
Also used : Users(io.hops.hopsworks.persistence.entity.user.Users) DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) ApiOperation(io.swagger.annotations.ApiOperation)

Example 18 with HopsSecurityException

use of io.hops.hopsworks.exceptions.HopsSecurityException in project hopsworks by logicalclocks.

the class AuthService method serviceLogin.

@POST
@Path("/service")
@Produces(MediaType.APPLICATION_JSON)
@JWTNotRequired
public Response serviceLogin(@FormParam("email") String email, @FormParam("password") String password, @Context HttpServletRequest request) throws UserException, GeneralSecurityException, SigningKeyNotFoundException, DuplicateSigningKeyException, HopsSecurityException {
    if (Strings.isNullOrEmpty(email)) {
        throw new IllegalArgumentException("Email cannot be null or empty");
    }
    if (Strings.isNullOrEmpty(password)) {
        throw new IllegalArgumentException("Password cannot be null or empty");
    }
    Users user = userFacade.findByEmail(email);
    if (user == null) {
        throw new LoginException("Could not find registered user with email " + email);
    }
    // Nothing to do if this request does not need a (new) login for the user
    if (!needLogin(request, user)) {
        return Response.ok().build();
    }
    // Only service accounts (AGENT role) may use this endpoint; regular users log in via auth/login
    if (!userController.isUserInRole(user, "AGENT")) {
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.REST_ACCESS_CONTROL, Level.FINE, "Users are not allowed to access this endpoint, use auth/login instead", "User " + user.getUsername() + " tried to login but they don't have AGENT role");
    }
    request.getSession();
    Collection roles = user.getBbcGroupCollection();
    if (roles == null || roles.isEmpty()) {
        throw new UserException(RESTCodes.UserErrorCode.NO_ROLE_FOUND, Level.FINE);
    }
    statusValidator.checkStatus(user.getStatus());
    // Authenticate against the container realm with the salted password prepared by authController
    String saltedPassword = authController.preCustomRealmLoginCheck(user, password, null);
    try {
        request.login(user.getEmail(), saltedPassword);
    } catch (ServletException ex) {
        authController.registerAuthenticationFailure(user);
        throw new UserException(RESTCodes.UserErrorCode.AUTHENTICATION_FAILURE, Level.FINE, null, ex.getMessage(), ex);
    }
    // First generate the one-time tokens for renewal of master token
    // Each (user, remote host) pair gets its own renewal signing key
    String renewalKeyName = jwtController.getServiceOneTimeJWTSigningKeyname(user.getUsername(), request.getRemoteHost());
    LocalDateTime masterExpiration = DateUtils.getNow().plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
    // Renewal tokens become valid (nbf) shortly before the master token expires and then live for one more lifetime
    LocalDateTime notBefore = jwtController.computeNotBefore4ServiceRenewalTokens(masterExpiration);
    LocalDateTime expiresAt = notBefore.plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
    List<String> userRoles = userController.getUserRoles(user);
    JsonWebToken renewalJWTSpec = new JsonWebToken();
    renewalJWTSpec.setSubject(user.getUsername());
    renewalJWTSpec.setIssuer(settings.getJWTIssuer());
    renewalJWTSpec.setAudience(JWTHelper.SERVICE_RENEW_JWT_AUDIENCE);
    renewalJWTSpec.setKeyId(renewalKeyName);
    renewalJWTSpec.setNotBefore(DateUtils.localDateTime2Date(notBefore));
    renewalJWTSpec.setExpiresAt(DateUtils.localDateTime2Date(expiresAt));
    Map<String, Object> claims = new HashMap<>(4);
    // The renewal tokens are themselves non-renewable
    claims.put(Constants.RENEWABLE, false);
    claims.put(Constants.EXPIRY_LEEWAY, 3600);
    claims.put(Constants.ROLES, userRoles.toArray(new String[1]));
    String[] oneTimeRenewalTokens = jwtController.generateOneTimeTokens4ServiceJWTRenewal(renewalJWTSpec, claims, settings.getJWTSigningKeyName());
    // Then generate the master service token
    try {
        // The master token records the renewal signing key id so it can be deleted when the token is invalidated
        String signingKeyID = jwtController.getSignKeyID(oneTimeRenewalTokens[0]);
        claims.clear();
        // The rest of JWT claims will be added by JWTHelper
        claims.put(Constants.RENEWABLE, false);
        claims.put(Constants.SERVICE_JWT_RENEWAL_KEY_ID, signingKeyID);
        String token = jWTHelper.createToken(user, settings.getJWTIssuer(), claims);
        ServiceJWTDTO renewTokensResponse = new ServiceJWTDTO();
        renewTokensResponse.setRenewTokens(oneTimeRenewalTokens);
        return Response.ok().header(AUTHORIZATION, Constants.BEARER + token).entity(renewTokensResponse).build();
    } catch (Exception ex) {
        // Roll back: remove the renewal signing key so no orphaned key is left if the master token cannot be created
        jwtController.deleteSigningKey(renewalKeyName);
        throw ex;
    }
}
Also used : LocalDateTime(java.time.LocalDateTime) HashMap(java.util.HashMap) Users(io.hops.hopsworks.persistence.entity.user.Users) JsonWebToken(io.hops.hopsworks.jwt.JsonWebToken) LoginException(javax.security.auth.login.LoginException) ServletException(javax.servlet.ServletException) MessagingException(javax.mail.MessagingException) GeneralSecurityException(java.security.GeneralSecurityException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) DuplicateSigningKeyException(io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException) SigningKeyNotFoundException(io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException) UserException(io.hops.hopsworks.exceptions.UserException) InvalidationException(io.hops.hopsworks.jwt.exception.InvalidationException) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) ServletException(javax.servlet.ServletException) LoginException(javax.security.auth.login.LoginException) Collection(java.util.Collection) UserException(io.hops.hopsworks.exceptions.UserException) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces) JWTNotRequired(io.hops.hopsworks.api.filter.JWTNotRequired)
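The three methods above (Examples 16 to 18) together implement one scheme: a master service JWT, one-time renewal tokens signed with a per-(user, host) key whose nbf sits just before the master token expires, and invalidation by deleting that signing key. The following is an added example, not hopsworks code, that models the scheme end to end with the same com.auth0.jwt library the page imports. The in-memory key store, the issuer and audience strings, the `renewKeyId` claim name and the key naming are all assumptions made for this illustration.

```java
// Added example, not hopsworks code: a minimal in-memory model of the service-JWT
// scheme in Examples 16-18. Issuer, audience, claim and key names are assumptions.
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class ServiceJwtLifecycle {
  static final String ISSUER = "hopsworks-demo";        // assumed
  static final String RENEW_AUDIENCE = "service-renew"; // assumed
  static final String RENEW_KEY_CLAIM = "renewKeyId";   // assumed claim name

  // Signing keys by name. Deleting an entry revokes every token whose kid names it.
  private final Map<String, byte[]> keyStore = new ConcurrentHashMap<>();
  private final SecureRandom rng = new SecureRandom();
  private final String masterKeyName = newKey("master-signing-key");

  private String newKey(String name) {
    byte[] k = new byte[32];
    rng.nextBytes(k);
    keyStore.put(name, k);
    return name;
  }

  /** Returns {masterToken, renewalToken}; the renewal token uses a fresh per-(user, host) key. */
  public String[] issue(String user, String host, long masterLifetimeSec, long renewWindowSec) {
    Instant masterExp = Instant.now().plusSeconds(masterLifetimeSec);
    // The renewal token only becomes usable in the last renewWindowSec of the master token's life.
    Instant notBefore = masterExp.minusSeconds(Math.min(renewWindowSec, masterLifetimeSec));
    String renewKey = newKey("renew-" + user + "-" + host + "-" + UUID.randomUUID());
    String renewal = JWT.create()
        .withKeyId(renewKey).withSubject(user).withIssuer(ISSUER).withAudience(RENEW_AUDIENCE)
        .withNotBefore(Date.from(notBefore))
        .withExpiresAt(Date.from(notBefore.plusSeconds(masterLifetimeSec)))
        .withClaim("renewable", false)
        .sign(Algorithm.HMAC256(keyStore.get(renewKey)));
    String master = JWT.create()
        .withKeyId(masterKeyName).withSubject(user).withIssuer(ISSUER)
        .withExpiresAt(Date.from(masterExp))
        .withClaim("renewable", false)
        .withClaim(RENEW_KEY_CLAIM, renewKey) // names the key to delete on invalidation
        .sign(Algorithm.HMAC256(keyStore.get(masterKeyName)));
    return new String[] {master, renewal};
  }

  /** Verify signature, exp, nbf and issuer (plus audience when given), resolving the key via kid. */
  public DecodedJWT verify(String token, String audience) {
    // JWT.decode() parses without checking the signature; it is used here only to read the kid.
    String kid = JWT.decode(token).getKeyId();
    byte[] key = keyStore.get(kid);
    if (key == null) {
      throw new JWTVerificationException("signing key " + kid + " not found (revoked?)");
    }
    Verification v = JWT.require(Algorithm.HMAC256(key)).withIssuer(ISSUER);
    if (audience != null) {
      v = v.withAudience(audience);
    }
    return v.build().verify(token); // throws on bad signature, expired, not yet valid or wrong claims
  }

  /** Exchange a one-time renewal token for a fresh pair; the caller must be the token's subject. */
  public String[] renew(String renewalToken, String caller, String host, long lifetime, long window) {
    DecodedJWT jwt = verify(renewalToken, RENEW_AUDIENCE);
    if (!caller.equals(jwt.getSubject())) {
      throw new JWTVerificationException("renewal token subject does not match caller");
    }
    keyStore.remove(jwt.getKeyId()); // one-time: the key is destroyed on first use
    return issue(caller, host, lifetime, window);
  }

  /** Invalidate a service token by deleting the renewal key it names; subject must match caller. */
  public void invalidate(String masterToken, String caller) {
    DecodedJWT jwt = verify(masterToken, null);
    if (!caller.equals(jwt.getSubject())) {
      throw new JWTVerificationException("token subject does not match caller");
    }
    keyStore.remove(jwt.getClaim(RENEW_KEY_CLAIM).asString());
  }

  private String status(String token) {
    try { verify(token, RENEW_AUDIENCE); return "accepted"; }
    catch (JWTVerificationException e) { return "rejected: " + e.getMessage(); }
  }

  public static void main(String[] args) {
    ServiceJwtLifecycle s = new ServiceJwtLifecycle();
    String[] first = s.issue("agent1", "10.0.0.5", 3600, 3600); // window == lifetime: renewable at once
    String[] second = s.renew(first[1], "agent1", "10.0.0.5", 3600, 3600);
    System.out.println("used renewal token: " + s.status(first[1]));
    try {
      s.invalidate(second[0], "mallory");
    } catch (JWTVerificationException e) {
      System.out.println("cross-user invalidation: " + e.getMessage());
    }
    s.invalidate(second[0], "agent1");
    System.out.println("renewal token after invalidation: " + s.status(second[1]));
    String[] late = s.issue("agent1", "10.0.0.5", 3600, 300); // usable only in the last 5 minutes
    System.out.println("renewal before nbf: " + s.status(late[1]));
  }
}
```

Running `main` shows the four outcomes the page's endpoints rely on: a renewal token is accepted once and rejected afterwards because its key is gone, invalidation by a different subject is refused, invalidation by the owner makes the remaining renewal token unverifiable without any token blacklist, and a renewal token presented before its nbf is rejected by the verifier. In the demo the first renewal window equals the master lifetime so the token is usable immediately; in production the window is a fraction of the lifetime, as `computeNotBefore4ServiceRenewalTokens` computes in Example 18.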

Example 19 with HopsSecurityException

use of io.hops.hopsworks.exceptions.HopsSecurityException in project hopsworks by logicalclocks.

the class VariablesService method getVar.

@GET
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
@JWTRequired(acceptedTokens = { Audience.API }, allowedUserRoles = { "HOPS_ADMIN", "HOPS_USER" })
@ApiKeyRequired(acceptedScopes = { ApiScope.PROJECT }, allowedUserRoles = { "HOPS_ADMIN", "HOPS_USER" })
public Response getVar(@Context SecurityContext sc, @PathParam("id") String id) throws ServiceException, HopsSecurityException {
    Variables variable = settings.findById(id).orElseThrow(() -> new ServiceException(RESTCodes.ServiceErrorCode.VARIABLE_NOT_FOUND, Level.FINE, "Variable: " + id + " not found"));
    // Variables marked ADMIN are readable only by HOPS_ADMIN, regardless of which token or API key was presented
    if (variable.getVisibility() == VariablesVisibility.ADMIN && !sc.isUserInRole("HOPS_ADMIN")) {
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.REST_ACCESS_CONTROL, Level.FINE, "The requested variable requires admin privileges");
    }
    RESTApiJsonResponse json = new RESTApiJsonResponse();
    json.setSuccessMessage(variable.getValue());
    return Response.ok().entity(json).build();
}
Also used : Variables(io.hops.hopsworks.persistence.entity.util.Variables) ServiceException(io.hops.hopsworks.exceptions.ServiceException) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) JWTRequired(io.hops.hopsworks.jwt.annotation.JWTRequired) ApiKeyRequired(io.hops.hopsworks.api.filter.apiKey.ApiKeyRequired)

Example 20 with HopsSecurityException

use of io.hops.hopsworks.exceptions.HopsSecurityException in project hopsworks by logicalclocks.

the class CachedFeaturegroupController method getOfflineFeaturegroupPreview.

/**
 * Previews the offline data of a given featuregroup by doing a SELECT LIMIT query on the Hive Table
 *
 * @param featuregroup    the featuregroup to fetch
 * @param project         the project the user is operating from, in case of shared feature store
 * @param user            the user making the request
 * @param limit           number of sample to fetch
 * @return list of feature-rows from the Hive table where the featuregroup is stored
 * @throws SQLException
 * @throws FeaturestoreException
 * @throws HopsSecurityException
 */
public FeaturegroupPreview getOfflineFeaturegroupPreview(Featuregroup featuregroup, Project project, Users user, String partition, int limit) throws FeaturestoreException, HopsSecurityException, SQLException {
    String tbl = getTblName(featuregroup.getName(), featuregroup.getVersion());
    List<FeatureGroupFeatureDTO> features = getFeaturesDTO(featuregroup, project, user);
    // This is not great, but at the same time the query runs as the user.
    // Table and column names are wrapped in backticks by hand before being handed to Calcite
    SqlNodeList selectList = new SqlNodeList(SqlParserPos.ZERO);
    for (FeatureGroupFeatureDTO feature : features) {
        if (feature.getDefaultValue() == null) {
            selectList.add(new SqlIdentifier(Arrays.asList("`" + tbl + "`", "`" + feature.getName() + "`"), SqlParserPos.ZERO));
        } else {
            selectList.add(constructorController.selectWithDefaultAs(new Feature(feature, tbl)));
        }
    }
    SqlNode whereClause = getWhereCondition(partition, features);
    // SELECT <features> FROM `tbl` [WHERE <partition>] LIMIT <limit>, built as an AST rather than by string concatenation
    SqlSelect select = new SqlSelect(SqlParserPos.ZERO, null, selectList, new SqlIdentifier("`" + tbl + "`", SqlParserPos.ZERO), whereClause, null, null, null, null, null, SqlLiteral.createExactNumeric(String.valueOf(limit), SqlParserPos.ZERO), null);
    String db = featurestoreController.getOfflineFeaturestoreDbName(featuregroup.getFeaturestore().getProject());
    try {
        return executeReadHiveQuery(select.toSqlString(new HiveSqlDialect(SqlDialect.EMPTY_CONTEXT)).getSql(), db, project, user);
    } catch (Exception e) {
        // A failed execution is retried exactly once with the same statement; a second failure propagates
        return executeReadHiveQuery(select.toSqlString(new HiveSqlDialect(SqlDialect.EMPTY_CONTEXT)).getSql(), db, project, user);
    }
}
Also used : FeatureGroupFeatureDTO(io.hops.hopsworks.common.featurestore.feature.FeatureGroupFeatureDTO) SqlSelect(org.apache.calcite.sql.SqlSelect) HiveSqlDialect(org.apache.calcite.sql.dialect.HiveSqlDialect) SqlNodeList(org.apache.calcite.sql.SqlNodeList) SqlIdentifier(org.apache.calcite.sql.SqlIdentifier) Feature(io.hops.hopsworks.common.featurestore.query.Feature) CachedFeature(io.hops.hopsworks.persistence.entity.featurestore.featuregroup.cached.CachedFeature) CryptoPasswordNotFoundException(io.hops.hopsworks.exceptions.CryptoPasswordNotFoundException) ProjectException(io.hops.hopsworks.exceptions.ProjectException) ServiceDiscoveryException(com.logicalclocks.servicediscoverclient.exceptions.ServiceDiscoveryException) FileNotFoundException(java.io.FileNotFoundException) KafkaException(io.hops.hopsworks.exceptions.KafkaException) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) FeaturestoreException(io.hops.hopsworks.exceptions.FeaturestoreException) SQLException(java.sql.SQLException) SchemaException(io.hops.hopsworks.exceptions.SchemaException) IOException(java.io.IOException) ServiceException(io.hops.hopsworks.exceptions.ServiceException) UserException(io.hops.hopsworks.exceptions.UserException) SqlNode(org.apache.calcite.sql.SqlNode)

Aggregations

HopsSecurityException (io.hops.hopsworks.exceptions.HopsSecurityException)32 IOException (java.io.IOException)22 Users (io.hops.hopsworks.persistence.entity.user.Users)13 DatasetException (io.hops.hopsworks.exceptions.DatasetException)11 FeaturestoreException (io.hops.hopsworks.exceptions.FeaturestoreException)11 GenericException (io.hops.hopsworks.exceptions.GenericException)10 DistributedFileSystemOps (io.hops.hopsworks.common.hdfs.DistributedFileSystemOps)9 ProjectException (io.hops.hopsworks.exceptions.ProjectException)9 ServiceException (io.hops.hopsworks.exceptions.ServiceException)9 SQLException (java.sql.SQLException)9 Path (javax.ws.rs.Path)9 UserException (io.hops.hopsworks.exceptions.UserException)8 Produces (javax.ws.rs.Produces)8 Project (io.hops.hopsworks.persistence.entity.project.Project)7 ElasticException (io.hops.hopsworks.exceptions.ElasticException)6 KafkaException (io.hops.hopsworks.exceptions.KafkaException)6 ProvenanceException (io.hops.hopsworks.exceptions.ProvenanceException)6 SchemaException (io.hops.hopsworks.exceptions.SchemaException)6 POST (javax.ws.rs.POST)6 Path (org.apache.hadoop.fs.Path)6