Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache:
class Pac4jDispatcherFilter, method init.
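/**
 * Initialises the pac4j dispatcher: resolves the gateway services it depends on, makes sure
 * the pac4j encryption password alias exists for the cluster, builds the pac4j {@code Config}
 * (either the test basic-auth client or the clients described by the filter init parameters),
 * and wires the callback and security filters plus the session store.
 *
 * @param filterConfig the servlet filter configuration carrying the pac4j init parameters
 * @throws ServletException if a mandatory service, the cluster name, the callback URL or the
 *         client name is missing, if no client is defined, or if the encryption password
 *         alias cannot be generated
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
    // Resolve the gateway services (keystore, crypto, alias, master) and the cluster name
    // from the servlet context.
    final ServletContext context = filterConfig.getServletContext();
    CryptoService cryptoService = null;
    String clusterName = null;
    if (context != null) {
        final GatewayServices services = (GatewayServices) context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
        clusterName = (String) context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE);
        if (services != null) {
            keystoreService = (KeystoreService) services.getService(GatewayServices.KEYSTORE_SERVICE);
            cryptoService = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
            aliasService = (AliasService) services.getService(GatewayServices.ALIAS_SERVICE);
            masterService = (MasterService) services.getService("MasterService");
        }
    }
    // Crypto service, alias service and cluster name are mandatory: the KnoxSessionStore
    // built at the end needs the first and third, and the alias check below needs the second.
    if (cryptoService == null || aliasService == null || clusterName == null) {
        log.cryptoServiceAndAliasServiceAndClusterNameRequired();
        throw new ServletException("The crypto service, alias service and cluster name are required.");
    }
    // Ensure the pac4j encryption password alias exists for this cluster (generate=true creates
    // it when absent); the returned value is intentionally not used here. The cause is kept on
    // the ServletException so the underlying keystore failure is not lost from the stack trace.
    try {
        aliasService.getPasswordFromAliasForCluster(clusterName, KnoxSessionStore.PAC4J_PASSWORD, true);
    } catch (AliasServiceException e) {
        log.unableToGenerateAPasswordForEncryption(e);
        throw new ServletException("Unable to generate a password for encryption.", e);
    }
    // URL of the SSO authentication provider callback (mandatory).
    String pac4jCallbackUrl = filterConfig.getInitParameter(PAC4J_CALLBACK_URL);
    if (pac4jCallbackUrl == null) {
        log.ssoAuthenticationProviderUrlRequired();
        throw new ServletException("Required pac4j callback URL is missing.");
    }
    // Tag the callback URL so the dispatcher can recognise a callback request.
    pac4jCallbackUrl = CommonHelper.addParameter(pac4jCallbackUrl, PAC4J_CALLBACK_PARAMETER, "true");
    final Config config;
    final String clientName;
    // Client name from the servlet init parameters (mandatory).
    final String clientNameParameter = filterConfig.getInitParameter("clientName");
    if (clientNameParameter == null) {
        log.clientNameParameterRequired();
        throw new ServletException("Required pac4j clientName parameter is missing.");
    }
    if (TEST_BASIC_AUTH.equalsIgnoreCase(clientNameParameter)) {
        // Test-only configuration: a basic-auth client backed by the pac4j test authenticator.
        final IndirectBasicAuthClient indirectBasicAuthClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
        indirectBasicAuthClient.setRealmName("Knox TEST");
        config = new Config(pac4jCallbackUrl, indirectBasicAuthClient);
        clientName = "IndirectBasicAuthClient";
    } else {
        // Build the clients from every filter init parameter, on top of the defaults for the
        // requested client.
        final Map<String, String> properties = new HashMap<>();
        addDefaultConfig(clientNameParameter, properties);
        for (Enumeration<String> names = filterConfig.getInitParameterNames(); names.hasMoreElements(); ) {
            final String key = names.nextElement();
            properties.put(key, filterConfig.getInitParameter(key));
        }
        final PropertiesConfigFactory propertiesConfigFactory = new PropertiesConfigFactory(pac4jCallbackUrl, properties);
        config = propertiesConfigFactory.build();
        final List<Client> clients = config.getClients().getClients();
        if (clients == null || clients.isEmpty()) {
            log.atLeastOnePac4jClientMustBeDefined();
            throw new ServletException("At least one pac4j client must be defined.");
        }
        // A blank (but non-null) clientName selects the first configured client.
        if (CommonHelper.isBlank(clientNameParameter)) {
            clientName = clients.get(0).getName();
        } else {
            clientName = clientNameParameter;
        }
    }
    callbackFilter = new CallbackFilter();
    callbackFilter.init(filterConfig);
    callbackFilter.setConfigOnly(config);
    securityFilter = new SecurityFilter();
    securityFilter.setClients(clientName);
    securityFilter.setConfigOnly(config);
    // Session store selection: the container (J2E) session store when requested, otherwise the
    // Knox cookie-based store encrypted with the crypto service.
    final String domainSuffix = filterConfig.getInitParameter(PAC4J_COOKIE_DOMAIN_SUFFIX_PARAM);
    final String sessionStoreVar = filterConfig.getInitParameter(PAC4J_SESSION_STORE);
    // NOTE(review): this is a substring match, so any non-blank fragment of the J2ESessionStore
    // class name selects the J2E store. An equals check against the fully qualified and simple
    // names would be stricter; confirm no existing topology relies on a partial value before
    // tightening it.
    SessionStore sessionStore;
    if (!StringUtils.isBlank(sessionStoreVar) && J2ESessionStore.class.getName().contains(sessionStoreVar)) {
        sessionStore = new J2ESessionStore();
    } else {
        sessionStore = new KnoxSessionStore(cryptoService, clusterName, domainSuffix);
    }
    config.setSessionStore(sessionStore);
}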
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache:
class RESTInvoker, method invoke.
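/**
 * Issues an authenticated HTTP GET against an Ambari REST URL and returns the parsed JSON body.
 * The username falls back to the default username alias when {@code username} is null, and the
 * password is always read from the alias service ({@code passwordAlias}, or the default password
 * alias when null). Credentials are sent as HTTP Basic auth.
 *
 * @param url           the Ambari REST endpoint to call
 * @param username      the user to authenticate as, or {@code null} to use the default alias
 * @param passwordAlias the alias holding the password, or {@code null} to use the default alias
 * @return the response body as a {@code JSONObject}, or {@code null} when the status is not
 *         200, the body is empty or not a JSON object, or the request fails with an I/O error
 * @throws ConfigurationException if no username or no password can be resolved
 */
JSONObject invoke(String url, String username, String passwordAlias) {
    JSONObject result = null;
    CloseableHttpResponse response = null;
    try {
        final HttpGet request = new HttpGet(url);
        String password = null;
        if (username == null) {
            // No configured username: fall back to the default username alias.
            if (aliasService != null) {
                try {
                    char[] defaultUser = aliasService.getPasswordFromAliasForGateway(DEFAULT_USER_ALIAS);
                    if (defaultUser != null) {
                        username = new String(defaultUser);
                    }
                } catch (AliasServiceException e) {
                    log.aliasServiceUserError(DEFAULT_USER_ALIAS, e.getLocalizedMessage());
                }
            }
            if (username == null) {
                log.aliasServiceUserNotFound();
                throw new ConfigurationException("No username is configured for Ambari service discovery.");
            }
        }
        if (aliasService != null) {
            // No password alias configured: try the default alias.
            if (passwordAlias == null) {
                passwordAlias = DEFAULT_PWD_ALIAS;
            }
            try {
                char[] pwd = aliasService.getPasswordFromAliasForGateway(passwordAlias);
                if (pwd != null) {
                    // The password has to become a String to build the header value below;
                    // the String (unlike the char[]) cannot be cleared afterwards.
                    password = new String(pwd);
                }
            } catch (AliasServiceException e) {
                log.aliasServicePasswordError(passwordAlias, e.getLocalizedMessage());
            }
        }
        if (password == null) {
            log.aliasServicePasswordNotFound();
            throw new ConfigurationException("No password is configured for Ambari service discovery.");
        }
        // Basic auth header. The charset is explicit: getBytes() without one uses the platform
        // default, which varies between hosts and would corrupt non-ASCII credentials.
        final String encodedCreds = org.apache.commons.codec.binary.Base64.encodeBase64String(
                (username + ":" + password).getBytes(java.nio.charset.StandardCharsets.UTF_8));
        request.addHeader(new BasicHeader("Authorization", "Basic " + encodedCreds));
        // Ambari CSRF protection
        request.addHeader("X-Requested-By", "Knox");
        response = httpClient.execute(request);
        final int statusCode = response.getStatusLine().getStatusCode();
        if (HttpStatus.SC_OK == statusCode) {
            final HttpEntity entity = response.getEntity();
            if (entity != null) {
                // JSONValue.parse returns null for unparseable text and a different type for a
                // JSON array or scalar; the former used to NPE and the latter to throw
                // ClassCastException. Both are now reported as "no JSON" and yield null.
                final Object parsed = JSONValue.parse(EntityUtils.toString(entity));
                if (parsed instanceof JSONObject) {
                    result = (JSONObject) parsed;
                    log.debugJSON(result.toJSONString());
                } else {
                    log.noJSON(url);
                }
            } else {
                log.noJSON(url);
            }
        } else {
            log.unexpectedRestResponseStatusCode(url, statusCode);
        }
    } catch (ConnectTimeoutException e) {
        log.restInvocationTimedOut(url, e);
    } catch (IOException e) {
        log.restInvocationError(url, e);
    } finally {
        if (response != null) {
            try {
                response.close();
            } catch (IOException ignored) {
                // Best effort: the body has already been consumed, a close failure changes nothing.
            }
        }
    }
    return result;
}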
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache:
class DefaultAliasService, method getPasswordFromAliasForCluster.
/**
 * Reads the credential stored under {@code alias} in the credential store of {@code clusterName}.
 * When nothing is stored and {@code generate} is {@code true}, a new alias is generated through
 * {@link #generateAliasForCluster(String, String)} and the lookup is repeated.
 *
 * @param clusterName the cluster whose credential store is consulted
 * @param alias       the alias to look up
 * @param generate    whether to create the alias when it does not exist yet
 * @return the credential, or {@code null} when none is stored and {@code generate} is
 *         {@code false} (or the freshly generated value could not be read back)
 * @throws AliasServiceException if the keystore service fails, or if generation fails
 */
@Override
public char[] getPasswordFromAliasForCluster(String clusterName, String alias, boolean generate) throws AliasServiceException {
    try {
        final char[] stored = keystoreService.getCredentialForCluster(clusterName, alias);
        if (stored != null || !generate) {
            return stored;
        }
        // Nothing stored and generation requested: create the alias, then read it back.
        generateAliasForCluster(clusterName, alias);
        return keystoreService.getCredentialForCluster(clusterName, alias);
    } catch (KeystoreServiceException e) {
        LOG.failedToGetCredentialForCluster(clusterName, e);
        throw new AliasServiceException(e);
    }
}
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache:
class DefaultAliasService, method generateAliasForCluster.
/**
 * Generates a random 16-character password and stores it under {@code alias} in the
 * credential store of {@code clusterName}.
 *
 * @param clusterName the cluster whose credential store receives the alias
 * @param alias       the alias to create
 * @throws AliasServiceException if the cluster credential store cannot be obtained
 */
@Override
public void generateAliasForCluster(String clusterName, String alias) throws AliasServiceException {
    try {
        // The returned store is not used here; presumably the call ensures the store is
        // accessible before a password is generated and added — confirm against KeystoreService.
        keystoreService.getCredentialStoreForCluster(clusterName);
    } catch (KeystoreServiceException e) {
        LOG.failedToGenerateAliasForCluster(clusterName, e);
        throw new AliasServiceException(e);
    }
    addAliasForCluster(clusterName, alias, generatePassword(16));
}
Use of org.apache.knox.gateway.services.security.AliasServiceException in project knox by apache:
class JettySSLService, method logAndValidateCertificate.
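/**
 * Logs the CN and validity period of the gateway identity certificate and refuses to start
 * when the certificate cannot be retrieved, is missing, is not an X.509 certificate, or is
 * outside its validity window.
 *
 * @throws ServiceLifecycleException for each of the failure conditions above; the original
 *         exception is attached as the cause where there is one
 */
private void logAndValidateCertificate() throws ServiceLifecycleException {
    // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging
    Certificate cert;
    try {
        cert = as.getCertificateForGateway("gateway-identity");
    } catch (AliasServiceException e) {
        throw new ServiceLifecycleException("Cannot Retreive Gateway SSL Certificate. Server will not start.", e);
    }
    // Each message must describe the condition its branch detects: a missing certificate is an
    // alias problem, a non-X.509 certificate is a keystore problem. Reporting one for the other
    // sends the operator to the wrong place.
    if (cert == null) {
        throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias.");
    }
    if (!(cert instanceof X509Certificate)) {
        throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
    }
    final X509Certificate x509 = (X509Certificate) cert;
    final X500PrincipalParser parser = new X500PrincipalParser(x509.getSubjectX500Principal());
    log.certificateHostNameForGateway(parser.getCN());
    final Date notBefore = x509.getNotBefore();
    final Date notAfter = x509.getNotAfter();
    log.certificateValidityPeriod(notBefore, notAfter);
    // let's not even start if the current date is not within the validity period for the SSL cert
    try {
        x509.checkValidity();
    } catch (CertificateExpiredException e) {
        throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
    } catch (CertificateNotYetValidException e) {
        throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
    }
}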