
Example 11 with PrimaryPrincipal

use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache.

the class AbstractIdentityAssertionFilter method continueChainAsPrincipal.

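/**
 * Recreates the current Subject for the provided mappedPrincipalName and looks up
 * the groups that should be associated with the new Subject. Groups mapped to the
 * principal (and the "*" wildcard mapping) are added to the new Subject before the
 * chain continues under it via doAs(); when neither impersonation nor group
 * mapping is needed the chain simply continues on the current Subject.
 *
 * @param request the request being filtered; expected to be an HttpServletRequest
 * @param response the response being filtered
 * @param chain the filter chain to continue
 * @param mappedPrincipalName the effective user name the rest of the chain should run as
 * @throws ServletException if no authenticated principal can be found for the request
 * @throws IOException propagated from downstream filters
 */
protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse response, final FilterChain chain, String mappedPrincipalName) throws IOException, ServletException {
    // look up the current Java Subject and its associated group principals;
    // getSubject() returns null when no Subject is bound to this thread, which is
    // treated like an empty Subject so the fallback below is reached instead of an NPE
    Subject currentSubject = Subject.getSubject(AccessController.getContext());
    if (currentSubject == null) {
        currentSubject = new Subject();
    }
    Set<GroupPrincipal> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);
    Set<PrimaryPrincipal> primaries = currentSubject.getPrincipals(PrimaryPrincipal.class);
    // determine whether we need another doAs with an impersonatedPrincipal
    // and/or mapped group principals
    boolean impersonationNeeded = false;
    Principal primaryPrincipal;
    // test for emptiness instead of indexing toArray()[0], which threw
    // ArrayIndexOutOfBoundsException and made the fallback branch unreachable
    if (!primaries.isEmpty()) {
        primaryPrincipal = primaries.iterator().next();
        if (!primaryPrincipal.getName().equals(mappedPrincipalName)) {
            impersonationNeeded = true;
            auditService.getContext().setProxyUsername(mappedPrincipalName);
            auditor.audit(Action.IDENTITY_MAPPING, primaryPrincipal.getName(), ResourceType.PRINCIPAL, ActionOutcome.SUCCESS);
        }
    } else {
        // something is amiss - authentication/federation providers should have run
        // before identity assertion and should have ensured that the appropriate
        // principals were added to the current subject. Fall back to the container
        // principal, and fail closed when there is none rather than asserting an
        // identity for a request that was never authenticated.
        // TODO: log as appropriate
        Principal userPrincipal = ((HttpServletRequest) request).getUserPrincipal();
        if (userPrincipal == null) {
            throw new ServletException("No authenticated principal available for identity assertion");
        }
        primaryPrincipal = new PrimaryPrincipal(userPrincipal.getName());
    }
    boolean groupsMapped = areGroupsMappedForPrincipal(mappedPrincipalName) || !currentGroups.isEmpty();
    if (!impersonationNeeded && !groupsMapped) {
        doFilterInternal(request, response, chain);
        return;
    }
    // a new subject and doAs are needed
    Subject subject = new Subject();
    Set<Principal> principals = subject.getPrincipals();
    principals.add(primaryPrincipal);
    // carry the group principals from the current Subject into the new one
    principals.addAll(currentGroups);
    if (impersonationNeeded) {
        principals.add(new ImpersonatedPrincipal(mappedPrincipalName));
    }
    if (groupsMapped) {
        addMappedGroupsToSubject(mappedPrincipalName, subject);
        addMappedGroupsToSubject("*", subject);
    }
    doAs(request, response, chain, subject);
}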

Example 12 with PrimaryPrincipal

use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache.

the class AnonymousAuthFilter method doFilter.

/**
 * Establishes a security context for every request without authenticating it.
 * The PrimaryPrincipal is the container's remote user when one is present and
 * the literal "anonymous" otherwise; the outcome is audited as a successful
 * authentication against the source request URI before the chain continues.
 *
 * @param request the incoming request; expected to be an HttpServletRequest
 * @param response the response; expected to be an HttpServletResponse
 * @param filterChain the chain to continue under the established Subject
 * @throws IOException propagated from downstream filters
 * @throws ServletException propagated from downstream filters
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final String remoteUser = httpRequest.getRemoteUser();
    // fall back to a fixed anonymous identity when the container supplied no user
    final String principalName = remoteUser != null ? remoteUser : "anonymous";
    final Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal(principalName));
    // KM: Audit Fix - record the user on the audit context before emitting the event
    auditService.getContext().setUsername(principalName);
    final String sourceUri = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.SUCCESS);
    continueWithEstablishedSecurityContext(subject, httpRequest, (HttpServletResponse) response, filterChain);
}

Example 13 with PrimaryPrincipal

use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache.

the class AclsAuthorizationFilter method enforceAclAuthorizationPolicy.

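/**
 * Evaluates the configured ACLs (users, groups and remote IP addresses) against the
 * Subject bound to the current thread and the request's remote address.
 * The user check uses the ImpersonatedPrincipal when identity assertion produced one,
 * otherwise the PrimaryPrincipal. The three results are combined according to
 * aclProcessingMode ("OR" or "AND"); any other mode denies access.
 *
 * @param request the request being authorized; expected to be an HttpServletRequest
 * @param response the response (unused here)
 * @param chain the filter chain (unused here)
 * @return true if the request is permitted by the ACLs, false otherwise
 */
private boolean enforceAclAuthorizationPolicy(ServletRequest request, ServletResponse response, FilterChain chain) {
    HttpServletRequest req = (HttpServletRequest) request;
    // no users, groups or IP addresses configured means there are no restrictions
    if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
        return true;
    }
    Subject subject = Subject.getSubject(AccessController.getContext());
    if (subject == null) {
        // no Subject bound to this thread: there is no identity to authorize, fail closed
        return false;
    }
    Object[] primaries = subject.getPrincipals(PrimaryPrincipal.class).toArray();
    if (primaries.length == 0) {
        // authentication should have established a PrimaryPrincipal; deny explicitly
        // instead of failing with an ArrayIndexOutOfBoundsException
        return false;
    }
    Principal primaryPrincipal = (Principal) primaries[0];
    log.primaryPrincipal(primaryPrincipal.getName());
    // an impersonated (identity-asserted) principal takes precedence for the user check
    Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
    boolean userAccess;
    if (impersonations.length > 0) {
        Principal effectivePrincipal = (Principal) impersonations[0];
        log.impersonatedPrincipal(effectivePrincipal.getName());
        userAccess = checkUserAcls(effectivePrincipal);
        log.impersonatedPrincipalHasAccess(userAccess);
    } else {
        userAccess = checkUserAcls(primaryPrincipal);
        log.primaryPrincipalHasAccess(userAccess);
    }
    Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
    boolean groupAccess = false;
    if (groups.length > 0) {
        groupAccess = checkGroupAcls(groups);
        log.groupPrincipalHasAccess(groupAccess);
    } else if (parser.anyGroup && "AND".equals(aclProcessingMode)) {
        // a wildcard group rule must not block a user that carries no groups in AND mode
        groupAccess = true;
    }
    // NOTE(review): getRemoteAddr() is the immediate peer; behind a proxy or load
    // balancer this is that hop's address, so IP ACLs then apply to it, not the client
    String remoteAddr = req.getRemoteAddr();
    log.remoteIPAddress(remoteAddr);
    boolean ipAddrAccess = checkRemoteIpAcls(remoteAddr);
    log.remoteIPAddressHasAccess(ipAddrAccess);
    if ("OR".equals(aclProcessingMode)) {
        // a wildcard rule would satisfy OR by itself and make the other rules
        // meaningless, so each rule that contains '*' is treated as not matching
        if (parser.anyUser) {
            userAccess = false;
        }
        if (parser.anyGroup) {
            groupAccess = false;
        }
        if (parser.ipv.allowsAnyIP()) {
            ipAddrAccess = false;
        }
        return userAccess || groupAccess || ipAddrAccess;
    }
    if ("AND".equals(aclProcessingMode)) {
        return userAccess && groupAccess && ipAddrAccess;
    }
    // unknown processing mode: fail closed
    return false;
}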

Example 14 with PrimaryPrincipal

use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache.

the class AbstractIdentityAssertionFilter method continueChainAsPrincipal.

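/**
 * Recreates the current Subject for the provided mappedPrincipalName and adds the
 * supplied mapped groups to it. When the mapped name differs from the current
 * PrimaryPrincipal an ImpersonatedPrincipal is added and the mapping is audited;
 * the chain then continues under the new Subject via doAs(). When neither
 * impersonation nor group mapping is needed the chain continues on the current Subject.
 *
 * @param request the (wrapped) request being filtered
 * @param response the response being filtered
 * @param chain the filter chain to continue
 * @param mappedPrincipalName the effective user name the rest of the chain should run as
 * @param groups the group names mapped for the principal, or null when none were mapped
 * @throws ServletException if no authenticated principal can be found for the request
 * @throws IOException propagated from downstream filters
 */
protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response, FilterChain chain, String mappedPrincipalName, String[] groups) throws IOException, ServletException {
    // look up the current Java Subject and its associated group principals;
    // getSubject() returns null when no Subject is bound to this thread, which is
    // treated like an empty Subject so the fallback below is reached instead of an NPE
    Subject currentSubject = Subject.getSubject(AccessController.getContext());
    if (currentSubject == null) {
        currentSubject = new Subject();
    }
    Set<GroupPrincipal> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);
    Set<PrimaryPrincipal> primaries = currentSubject.getPrincipals(PrimaryPrincipal.class);
    // determine whether we need another doAs with an impersonatedPrincipal
    // and/or mapped group principals
    boolean impersonationNeeded = false;
    Principal primaryPrincipal;
    // test for emptiness instead of indexing toArray()[0], which threw
    // ArrayIndexOutOfBoundsException and made the fallback branch unreachable
    if (!primaries.isEmpty()) {
        primaryPrincipal = primaries.iterator().next();
        if (!primaryPrincipal.getName().equals(mappedPrincipalName)) {
            impersonationNeeded = true;
            auditService.getContext().setProxyUsername(mappedPrincipalName);
            auditor.audit(Action.IDENTITY_MAPPING, primaryPrincipal.getName(), ResourceType.PRINCIPAL, ActionOutcome.SUCCESS, RES.effectiveUser(mappedPrincipalName));
        }
    } else {
        // something is amiss - authentication/federation providers should have run
        // before identity assertion and should have ensured that the appropriate
        // principals were added to the current subject. Fall back to the container
        // principal, and fail closed when there is none rather than asserting an
        // identity for a request that was never authenticated.
        // TODO: log as appropriate
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal == null) {
            throw new ServletException("No authenticated principal available for identity assertion");
        }
        primaryPrincipal = new PrimaryPrincipal(userPrincipal.getName());
    }
    // a null groups array means the caller mapped no groups for this principal
    boolean groupsMapped = groups != null || !currentGroups.isEmpty();
    if (!impersonationNeeded && !groupsMapped) {
        doFilterInternal(request, response, chain);
        return;
    }
    // a new subject and doAs are needed
    Subject subject = new Subject();
    Set<Principal> principals = subject.getPrincipals();
    principals.add(primaryPrincipal);
    // carry the group principals from the current Subject into the new one
    principals.addAll(currentGroups);
    if (impersonationNeeded) {
        principals.add(new ImpersonatedPrincipal(mappedPrincipalName));
    }
    if (groupsMapped) {
        addMappedGroupsToSubject(mappedPrincipalName, groups, subject);
    }
    doAs(request, response, chain, subject);
}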

Example 15 with PrimaryPrincipal

use of org.apache.knox.gateway.security.PrimaryPrincipal in project knox by apache.

the class CommonIdentityAssertionFilterTest method testSimpleFilter.

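/**
 * Runs the filter under a Subject holding PrimaryPrincipal "larry" and the groups
 * "users" and "admin", then checks the user name and mapped groups the filter
 * recorded. Group order is not asserted because the principals come from a Set.
 *
 * @throws ServletException if the filter under test throws it
 * @throws IOException if the filter under test throws it
 * @throws URISyntaxException declared for compatibility with the fixture
 */
@Test
public void testSimpleFilter() throws ServletException, IOException, URISyntaxException {
    FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
    EasyMock.replay(config);
    final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.replay(request);
    final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
    EasyMock.replay(response);
    // downstream chain that does nothing: the assertions inspect the filter's side effects only
    final FilterChain chain = new FilterChain() {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
        }
    };
    Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal("larry"));
    subject.getPrincipals().add(new GroupPrincipal("users"));
    subject.getPrincipals().add(new GroupPrincipal("admin"));
    try {
        Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {
                filter.doFilter(request, response, chain);
                return null;
            }
        });
    } catch (PrivilegedActionException e) {
        // unwrap so the test reports the filter's own exception type
        Throwable t = e.getCause();
        if (t instanceof IOException) {
            throw (IOException) t;
        } else if (t instanceof ServletException) {
            throw (ServletException) t;
        } else {
            throw new ServletException(t);
        }
    }
    // assertEquals takes (expected, actual)
    assertEquals("LARRY", username);
    assertEquals(2, mappedGroups.length);
    assertTrue(mappedGroups[0], mappedGroups[0].equals("USERS") || mappedGroups[0].equals("ADMIN"));
    assertTrue(mappedGroups[1], mappedGroups[1].equals("USERS") || mappedGroups[1].equals("ADMIN"));
    // both groups must be present, not one of them twice
    assertTrue("mapped groups should be distinct", !mappedGroups[0].equals(mappedGroups[1]));
}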
