Search in sources :

Example 1 with DISABLED_LOCATION_URI

use of io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION_URI in project trino by trinodb.

the class OAuth2WebUiAuthenticationFilter method filter.

@Override
public void filter(ContainerRequestContext request) {
    String path = request.getUriInfo().getRequestUri().getPath();
    if (path.equals(DISABLED_LOCATION)) {
        return;
    }
    // doesn't seem very useful if you have OAuth, and would be very complex.
    if (!request.getSecurityContext().isSecure()) {
        // send 401 to REST api calls and redirect to others
        if (path.startsWith("/ui/api/")) {
            sendWwwAuthenticate(request, "Unauthorized", ImmutableSet.of(TRINO_FORM_LOGIN));
            return;
        }
        request.abortWith(Response.seeOther(DISABLED_LOCATION_URI).build());
        return;
    }
    Optional<Map<String, Object>> claims;
    try {
        claims = getAccessToken(request);
        if (claims.isEmpty()) {
            needAuthentication(request);
            return;
        }
    } catch (ChallengeFailedException e) {
        LOG.debug(e, "Invalid token: %s", e.getMessage());
        sendErrorMessage(request, UNAUTHORIZED, "Unauthorized");
        return;
    }
    try {
        Object principal = claims.get().get(principalField);
        if (!isValidPrincipal(principal)) {
            LOG.debug("Invalid principal field: %s. Expected principal to be non-empty", principalField);
            sendErrorMessage(request, UNAUTHORIZED, "Unauthorized");
            return;
        }
        String principalName = (String) principal;
        Identity.Builder builder = Identity.forUser(userMapping.mapUser(principalName));
        builder.withPrincipal(new BasicPrincipal(principalName));
        groupsField.flatMap(field -> Optional.ofNullable((List<String>) claims.get().get(field))).ifPresent(groups -> builder.withGroups(ImmutableSet.copyOf(groups)));
        setAuthenticatedIdentity(request, builder.build());
    } catch (UserMappingException e) {
        sendErrorMessage(request, UNAUTHORIZED, firstNonNull(e.getMessage(), "Unauthorized"));
    }
}
Also used : Logger(io.airlift.log.Logger) OAuth2Service(io.trino.server.security.oauth2.OAuth2Service) TRINO_FORM_LOGIN(io.trino.server.ui.FormWebUiAuthenticationFilter.TRINO_FORM_LOGIN) CALLBACK_ENDPOINT(io.trino.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT) ServletSecurityUtils.sendWwwAuthenticate(io.trino.server.ServletSecurityUtils.sendWwwAuthenticate) ContainerRequestContext(javax.ws.rs.container.ContainerRequestContext) Inject(javax.inject.Inject) ServletSecurityUtils.sendErrorMessage(io.trino.server.ServletSecurityUtils.sendErrorMessage) ServletSecurityUtils.setAuthenticatedIdentity(io.trino.server.ServletSecurityUtils.setAuthenticatedIdentity) Identity(io.trino.spi.security.Identity) Map(java.util.Map) Objects.requireNonNull(java.util.Objects.requireNonNull) DISABLED_LOCATION(io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION) UserMappingException(io.trino.server.security.UserMappingException) UNAUTHORIZED(javax.ws.rs.core.Response.Status.UNAUTHORIZED) ImmutableSet(com.google.common.collect.ImmutableSet) UserMapping(io.trino.server.security.UserMapping) DISABLED_LOCATION_URI(io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION_URI) ChallengeFailedException(io.trino.server.security.oauth2.ChallengeFailedException) BasicPrincipal(io.trino.spi.security.BasicPrincipal) OAuth2Config(io.trino.server.security.oauth2.OAuth2Config) List(java.util.List) Response(javax.ws.rs.core.Response) OAUTH2_COOKIE(io.trino.server.ui.OAuthWebUiCookie.OAUTH2_COOKIE) Optional(java.util.Optional) JwtException(io.jsonwebtoken.JwtException) MoreObjects.firstNonNull(com.google.common.base.MoreObjects.firstNonNull) BasicPrincipal(io.trino.spi.security.BasicPrincipal) ChallengeFailedException(io.trino.server.security.oauth2.ChallengeFailedException) UserMappingException(io.trino.server.security.UserMappingException) ServletSecurityUtils.setAuthenticatedIdentity(io.trino.server.ServletSecurityUtils.setAuthenticatedIdentity) Identity(io.trino.spi.security.Identity) Map(java.util.Map)

Aggregations

MoreObjects.firstNonNull (com.google.common.base.MoreObjects.firstNonNull)1 ImmutableSet (com.google.common.collect.ImmutableSet)1 Logger (io.airlift.log.Logger)1 JwtException (io.jsonwebtoken.JwtException)1 ServletSecurityUtils.sendErrorMessage (io.trino.server.ServletSecurityUtils.sendErrorMessage)1 ServletSecurityUtils.sendWwwAuthenticate (io.trino.server.ServletSecurityUtils.sendWwwAuthenticate)1 ServletSecurityUtils.setAuthenticatedIdentity (io.trino.server.ServletSecurityUtils.setAuthenticatedIdentity)1 UserMapping (io.trino.server.security.UserMapping)1 UserMappingException (io.trino.server.security.UserMappingException)1 ChallengeFailedException (io.trino.server.security.oauth2.ChallengeFailedException)1 CALLBACK_ENDPOINT (io.trino.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT)1 OAuth2Config (io.trino.server.security.oauth2.OAuth2Config)1 OAuth2Service (io.trino.server.security.oauth2.OAuth2Service)1 DISABLED_LOCATION (io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION)1 DISABLED_LOCATION_URI (io.trino.server.ui.FormWebUiAuthenticationFilter.DISABLED_LOCATION_URI)1 TRINO_FORM_LOGIN (io.trino.server.ui.FormWebUiAuthenticationFilter.TRINO_FORM_LOGIN)1 OAUTH2_COOKIE (io.trino.server.ui.OAuthWebUiCookie.OAUTH2_COOKIE)1 BasicPrincipal (io.trino.spi.security.BasicPrincipal)1 Identity (io.trino.spi.security.Identity)1 List (java.util.List)1