
Example 1 with GroupPrincipal

use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.

the class AclsAuthorizationFilter method enforceAclAuthorizationPolicy.

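/**
 * Evaluates the configured ACLs against the current request and reports whether
 * it is authorized.
 *
 * Three independent checks are made (user, group, remote IP address) and then
 * combined according to {@code aclProcessingMode}: {@code "AND"} requires all
 * three to pass, {@code "OR"} requires any one of them; any other mode value
 * denies the request. The user check uses an {@link ImpersonatedPrincipal} when
 * the Subject carries one, otherwise the {@link PrimaryPrincipal}.
 *
 * A missing Subject or a Subject without a {@link PrimaryPrincipal} is treated
 * as unauthorized (fail closed) rather than surfacing as a runtime exception.
 *
 * @param request  the current request; cast to {@link HttpServletRequest} to read the remote address
 * @param response not used by this method
 * @param chain    not used by this method
 * @return {@code true} when the request passes the configured ACLs, {@code false} otherwise
 */
private boolean enforceAclAuthorizationPolicy(ServletRequest request, ServletResponse response, FilterChain chain) {
    HttpServletRequest req = (HttpServletRequest) request;
    // No users, groups or IP addresses configured means there are no restrictions to enforce.
    if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
        return true;
    }
    Subject subject = Subject.getSubject(AccessController.getContext());
    if (subject == null) {
        // Fail closed: without an authenticated Subject there is nothing to authorize against.
        return false;
    }
    Object[] primaries = subject.getPrincipals(PrimaryPrincipal.class).toArray();
    if (primaries.length == 0) {
        // Fail closed: indexing [0] on an empty array would otherwise throw here.
        return false;
    }
    Principal primaryPrincipal = (Principal) primaries[0];
    log.primaryPrincipal(primaryPrincipal.getName());

    // User check: an impersonated principal, when present, is the one that must be authorized.
    boolean userAccess;
    Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
    if (impersonations.length > 0) {
        Principal impersonated = (Principal) impersonations[0];
        log.impersonatedPrincipal(impersonated.getName());
        userAccess = checkUserAcls(impersonated);
        log.impersonatedPrincipalHasAccess(userAccess);
    } else {
        userAccess = checkUserAcls(primaryPrincipal);
        log.primaryPrincipalHasAccess(userAccess);
    }

    // Group check.
    boolean groupAccess = false;
    Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
    if (groups.length > 0) {
        groupAccess = checkGroupAcls(groups);
        log.groupPrincipalHasAccess(groupAccess);
    } else if (parser.anyGroup && "AND".equals(aclProcessingMode)) {
        // A Subject with no groups still satisfies a wildcard group ACL in AND mode.
        groupAccess = true;
    }

    // Remote IP check. getRemoteAddr() is the peer address as seen by the container
    // (the last proxy when one sits in front of the gateway), not a forwarded header.
    String remoteAddr = req.getRemoteAddr();
    log.remoteIPAddress(remoteAddr);
    boolean ipAddrAccess = checkRemoteIpAcls(remoteAddr);
    log.remoteIPAddressHasAccess(ipAddrAccess);

    if ("OR".equals(aclProcessingMode)) {
        // In OR mode a check that is backed only by a wildcard ('*') entry is treated as
        // failed, so only the explicitly configured entries can grant access.
        if (parser.anyUser) {
            userAccess = false;
        }
        if (parser.anyGroup) {
            groupAccess = false;
        }
        if (parser.ipv.allowsAnyIP()) {
            ipAddrAccess = false;
        }
        return userAccess || groupAccess || ipAddrAccess;
    } else if ("AND".equals(aclProcessingMode)) {
        return userAccess && groupAccess && ipAddrAccess;
    }
    // Unknown processing mode: deny.
    return false;
}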
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal) Subject(javax.security.auth.Subject) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) ImpersonatedPrincipal(org.apache.knox.gateway.security.ImpersonatedPrincipal) Principal(java.security.Principal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)

Example 2 with GroupPrincipal

use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.

the class CommonIdentityAssertionFilterTest method testSimpleFilter.

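/**
 * Runs the filter under a Subject that carries one primary principal and two
 * group principals, then checks that the asserted identity has been upper-cased
 * for both the user name and the group names.
 *
 * {@code username} and {@code mappedGroups} are fields of this test class;
 * presumably the {@code filter} instance under test populates them — confirm
 * against the class setup.
 *
 * @throws ServletException   re-thrown when the filter raised it
 * @throws IOException        re-thrown when the filter raised it
 * @throws URISyntaxException declared by the signature; not thrown by this body
 */
@Test
public void testSimpleFilter() throws ServletException, IOException, URISyntaxException {
    final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.replay(request);
    final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
    EasyMock.replay(response);
    // The chain is a no-op; nothing downstream of the filter is exercised here.
    final FilterChain chain = new FilterChain() {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
        }
    };
    Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal("larry"));
    subject.getPrincipals().add(new GroupPrincipal("users"));
    subject.getPrincipals().add(new GroupPrincipal("admin"));
    try {
        Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {
                filter.doFilter(request, response, chain);
                return null;
            }
        });
    } catch (PrivilegedActionException e) {
        // Unwrap the checked exceptions doFilter declares; anything else is wrapped as a ServletException.
        Throwable t = e.getCause();
        if (t instanceof IOException) {
            throw (IOException) t;
        } else if (t instanceof ServletException) {
            throw (ServletException) t;
        } else {
            throw new ServletException(t);
        }
    }
    assertEquals("LARRY", username);
    // JUnit's assertEquals is (expected, actual); keep that order so failure messages read correctly.
    assertEquals(2, mappedGroups.length);
    assertTrue(mappedGroups[0], mappedGroups[0].equals("USERS") || mappedGroups[0].equals("ADMIN"));
    assertTrue(mappedGroups[1], mappedGroups[1].equals("USERS") || mappedGroups[1].equals("ADMIN"));
}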
Also used : ServletRequest(javax.servlet.ServletRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServletResponse(javax.servlet.ServletResponse) PrivilegedActionException(java.security.PrivilegedActionException) FilterChain(javax.servlet.FilterChain) HttpServletResponse(javax.servlet.http.HttpServletResponse) IOException(java.io.IOException) Subject(javax.security.auth.Subject) PrivilegedActionException(java.security.PrivilegedActionException) ServletException(javax.servlet.ServletException) URISyntaxException(java.net.URISyntaxException) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletException(javax.servlet.ServletException) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) FilterConfig(javax.servlet.FilterConfig) Test(org.junit.Test)

Example 3 with GroupPrincipal

use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.

the class RegexIdentityAssertionFilterTest method testExtractUsernameFromEmail.

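/**
 * Exercises {@code RegexIdentityAssertionFilter} through three configurations:
 * no mapping at all (empty output template), a static output template with no
 * input pattern, and an input pattern whose first group is substituted into the
 * output template.
 *
 * @throws Exception propagated from {@code filter.init}
 */
@Test
public void testExtractUsernameFromEmail() throws Exception {
    RegexIdentityAssertionFilter filter = new RegexIdentityAssertionFilter();
    Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal("member@us.apache.org"));
    subject.getPrincipals().add(new GroupPrincipal("user"));
    subject.getPrincipals().add(new GroupPrincipal("admin"));
    String primaryName = ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName();

    // First test is with no config.  Since the output template is the empty string that should be the result.
    filter.init(replayedRegexFilterConfig(null, null));
    String actual = filter.mapUserPrincipal(primaryName);
    String[] groups = filter.mapGroupPrincipals(actual, subject);
    assertThat(actual, is(""));
    // A null group array means the caller should keep the existing subject groups.
    assertThat(groups, is(nullValue()));

    // Test what is effectively a static mapping: no input pattern, fixed output template.
    filter.init(replayedRegexFilterConfig(null, "test-output"));
    actual = filter.mapUserPrincipal(primaryName);
    assertThat(actual, is("test-output"));

    // Test username extraction: group 1 of the input pattern replaces {1} in the output template.
    filter.init(replayedRegexFilterConfig("(.*)@.*", "prefix_{1}_suffix"));
    actual = filter.mapUserPrincipal("member@us.apache.org");
    assertThat(actual, is("prefix_member_suffix"));
}

/**
 * Builds a replayed nice-mock {@link FilterConfig} whose servlet context and
 * {@code principal.mapping} parameter are configured the way every case of
 * {@link #testExtractUsernameFromEmail()} needs them.
 *
 * @param input  value returned for the {@code input} init parameter, or {@code null} to leave it unset
 * @param output value returned for the {@code output} init parameter, or {@code null} to leave it unset
 * @return a replayed {@link FilterConfig} ready to be passed to {@code filter.init}
 */
private static FilterConfig replayedRegexFilterConfig(String input, String output) {
    FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
    ServletContext context = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(config.getInitParameter("principal.mapping")).andReturn("").anyTimes();
    EasyMock.expect(config.getServletContext()).andReturn(context).anyTimes();
    EasyMock.expect(context.getInitParameter("principal.mapping")).andReturn("").anyTimes();
    // Unset parameters are left without an expectation; a nice mock then returns null, as the original setup did.
    if (input != null) {
        EasyMock.expect(config.getInitParameter("input")).andReturn(input).anyTimes();
    }
    if (output != null) {
        EasyMock.expect(config.getInitParameter("output")).andReturn(output).anyTimes();
    }
    EasyMock.replay(config);
    EasyMock.replay(context);
    return config;
}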
Also used : GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) ServletContext(javax.servlet.ServletContext) FilterConfig(javax.servlet.FilterConfig) Subject(javax.security.auth.Subject) Principal(java.security.Principal) GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) Test(org.junit.Test)

Example 4 with GroupPrincipal

use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.

the class SwitchCaseIdentityAssertionFilterTest method testDefaultGroupsConfFromUsers.

/**
 * With {@code principal.case=UPPER} and {@code group.principal.case} left unset,
 * both the user principal and the group principals come back upper-cased.
 *
 * @throws Exception propagated from {@code filter.init}
 */
@Test
public void testDefaultGroupsConfFromUsers() throws Exception {
    ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(servletContext.getInitParameter("principal.mapping")).andReturn("").anyTimes();
    FilterConfig filterConfig = EasyMock.createNiceMock(FilterConfig.class);
    EasyMock.expect(filterConfig.getServletContext()).andReturn(servletContext).anyTimes();
    EasyMock.expect(filterConfig.getInitParameter("principal.case")).andReturn("UPPER").anyTimes();
    // group.principal.case is deliberately unset; the assertions below show the groups follow principal.case.
    EasyMock.expect(filterConfig.getInitParameter("group.principal.case")).andReturn(null).anyTimes();
    EasyMock.replay(filterConfig);
    EasyMock.replay(servletContext);

    Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal("Member@us.apache.org"));
    subject.getPrincipals().add(new GroupPrincipal("users"));
    subject.getPrincipals().add(new GroupPrincipal("Admin"));
    String primaryName = subject.getPrincipals(PrimaryPrincipal.class).iterator().next().getName();

    SwitchCaseIdentityAssertionFilter filter = new SwitchCaseIdentityAssertionFilter();
    filter.init(filterConfig);
    String mappedUser = filter.mapUserPrincipal(primaryName);
    String[] mappedGroups = filter.mapGroupPrincipals(mappedUser, subject);
    assertThat(mappedUser, is("MEMBER@US.APACHE.ORG"));
    assertThat(mappedGroups, is(arrayContainingInAnyOrder("ADMIN", "USERS")));
}
Also used : GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) ServletContext(javax.servlet.ServletContext) FilterConfig(javax.servlet.FilterConfig) Subject(javax.security.auth.Subject) Test(org.junit.Test)

Example 5 with GroupPrincipal

use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.

the class SwitchCaseIdentityAssertionFilterTest method testNone.

/**
 * With both {@code principal.case} and {@code group.principal.case} set to
 * {@code none}, the user principal is returned unchanged and no group mapping
 * is produced.
 *
 * @throws Exception propagated from {@code filter.init}
 */
@Test
public void testNone() throws Exception {
    ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(servletContext.getInitParameter("principal.mapping")).andReturn("").anyTimes();
    FilterConfig filterConfig = EasyMock.createNiceMock(FilterConfig.class);
    EasyMock.expect(filterConfig.getServletContext()).andReturn(servletContext).anyTimes();
    EasyMock.expect(filterConfig.getInitParameter("principal.case")).andReturn("none").anyTimes();
    EasyMock.expect(filterConfig.getInitParameter("group.principal.case")).andReturn("none").anyTimes();
    EasyMock.replay(filterConfig);
    EasyMock.replay(servletContext);

    Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal("Member@us.apache.org"));
    subject.getPrincipals().add(new GroupPrincipal("users"));
    subject.getPrincipals().add(new GroupPrincipal("Admin"));
    String primaryName = subject.getPrincipals(PrimaryPrincipal.class).iterator().next().getName();

    SwitchCaseIdentityAssertionFilter filter = new SwitchCaseIdentityAssertionFilter();
    filter.init(filterConfig);
    String mappedUser = filter.mapUserPrincipal(primaryName);
    String[] mappedGroups = filter.mapGroupPrincipals(mappedUser, subject);
    assertThat(mappedUser, is("Member@us.apache.org"));
    // A null group array tells the caller to keep the Subject's existing groups.
    assertThat(mappedGroups, is(nullValue()));
}
Also used : GroupPrincipal(org.apache.knox.gateway.security.GroupPrincipal) PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal) ServletContext(javax.servlet.ServletContext) FilterConfig(javax.servlet.FilterConfig) Subject(javax.security.auth.Subject) Test(org.junit.Test)
