
Example 16 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

From class TokenResource, method getAuthenticationToken.

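/**
 * Issues a JWT for the caller's authenticated principal and writes it to the
 * servlet response as a JSON object ({@code access_token}, {@code token_type},
 * {@code expires_in}, plus the optional target URL and client-data entries).
 *
 * <p>When {@code clientCertRequired} is set, the request must carry a client
 * certificate whose subject DN is listed in {@code allowedDNs}; otherwise a
 * 403 is returned before any token is minted.
 *
 * @return 200 with the token JSON already written to the response body,
 *         403 if the client-certificate gate fails,
 *         500 if the authority returns no token or issuing/writing it throws
 */
private Response getAuthenticationToken() {
    if (clientCertRequired) {
        X509Certificate cert = extractCertificate(request);
        if (cert == null) {
            return Response.status(403).entity("{ \"Unable to get token - client cert required.\" }").build();
        }
        // getSubjectDN() is deprecated and its string form is provider-specific;
        // entries in the allow-list must use exactly the same DN formatting.
        if (!allowedDNs.contains(cert.getSubjectDN().getName())) {
            return Response.status(403).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
        }
    }
    GatewayServices services = (GatewayServices) request.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
    JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE);
    // NOTE(review): p is null when no authentication filter ran before this resource;
    // how the authority treats a null principal is not visible here — confirm the
    // resource is always deployed behind authentication.
    Principal p = ((HttpServletRequest) request).getUserPrincipal();
    long expires = getExpiry();
    try {
        // Only scope the token to audiences when the topology configured some.
        JWT token = targetAudiences.isEmpty()
            ? ts.issueToken(p, signatureAlgorithm, expires)
            : ts.issueToken(p, targetAudiences, signatureAlgorithm, expires);
        if (token == null) {
            return Response.serverError().build();
        }
        HashMap<String, Object> map = new HashMap<>();
        map.put(ACCESS_TOKEN, token.toString());
        map.put(TOKEN_TYPE, BEARER);
        map.put(EXPIRES_IN, expires);
        if (tokenTargetUrl != null) {
            map.put(TARGET_URL, tokenTargetUrl);
        }
        if (tokenClientDataMap != null) {
            map.putAll(tokenClientDataMap);
        }
        // The JSON body is written straight to the servlet response; the JAX-RS
        // Response carries only the status.
        response.getWriter().write(JsonUtils.renderAsJsonString(map));
        return Response.ok().build();
    } catch (TokenServiceException | IOException e) {
        log.unableToIssueToken(e);
    }
    // Issuance failed: report a server error rather than a 200 so clients do not
    // mistake the error body for a successful token response (consistent with the
    // null-token branch above).
    return Response.serverError().entity("{ \"Unable to acquire token.\" }").build();
}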

Example 17 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

From class TokenServiceResourceTest, method testValidClientCert.

@Test
public void testValidClientCert() throws Exception {
    // A client certificate whose subject DN is on the allow-list must pass the
    // cert gate, and a token must be issued for the authenticated principal.
    final String trustedDn = "CN=localhost, OU=Test, O=Hadoop, L=Test, ST=Test, C=US";

    ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(servletContext.getInitParameter("knox.token.client.cert.required")).andReturn("true");
    EasyMock.expect(servletContext.getInitParameter("knox.token.allowed.principals")).andReturn(trustedDn);

    X509Certificate trustedCert = EasyMock.createMock(X509Certificate.class);
    EasyMock.expect(trustedCert.getSubjectDN()).andReturn(new PrimaryPrincipal(trustedDn)).anyTimes();
    X509Certificate[] chain = new X509Certificate[] { trustedCert };

    HttpServletRequest httpRequest = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(httpRequest.getServletContext()).andReturn(servletContext).anyTimes();
    EasyMock.expect(httpRequest.getAttribute("javax.servlet.request.X509Certificate")).andReturn(chain).anyTimes();

    Principal user = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(user.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(httpRequest.getUserPrincipal()).andReturn(user).anyTimes();

    GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(servletContext.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(gatewayServices);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(gatewayServices.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);

    // Capture whatever the resource writes to the servlet response body.
    StringWriter body = new StringWriter();
    HttpServletResponse httpResponse = EasyMock.createNiceMock(HttpServletResponse.class);
    EasyMock.expect(httpResponse.getWriter()).andReturn(new PrintWriter(body));

    EasyMock.replay(user, gatewayServices, servletContext, httpRequest, httpResponse, trustedCert);

    TokenResource resource = new TokenResource();
    resource.request = httpRequest;
    resource.response = httpResponse;
    resource.context = servletContext;
    resource.init();

    Response result = resource.doGet();
    assertEquals(200, result.getStatus());

    // The token fields live in the written JSON body, not in the JAX-RS entity.
    String json = body.toString();
    String accessToken = getTagValue(json, "access_token");
    assertNotNull(accessToken);
    assertNotNull(getTagValue(json, "expires_in"));

    // The issued token must carry the principal as subject and verify against the authority.
    JWT issued = new JWTToken(accessToken);
    assertEquals("alice", issued.getSubject());
    assertTrue(authority.verifyToken(issued));
}

Example 18 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

From class TokenServiceResourceTest, method testMissingClientCert.

@Test
public void testMissingClientCert() throws Exception {
    // Client certs are required but the request carries none: the resource
    // must answer 403 before any token is issued.
    ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(servletContext.getInitParameter("knox.token.client.cert.required")).andReturn("true");
    EasyMock.expect(servletContext.getInitParameter("knox.token.allowed.principals")).andReturn("CN=remotehost, OU=Test, O=Hadoop, L=Test, ST=Test, C=US");

    HttpServletRequest httpRequest = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(httpRequest.getServletContext()).andReturn(servletContext).anyTimes();
    // No certificate chain on the request at all.
    EasyMock.expect(httpRequest.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null).anyTimes();

    Principal user = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(user.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(httpRequest.getUserPrincipal()).andReturn(user).anyTimes();

    GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(servletContext.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(gatewayServices);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(gatewayServices.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);

    StringWriter body = new StringWriter();
    HttpServletResponse httpResponse = EasyMock.createNiceMock(HttpServletResponse.class);
    EasyMock.expect(httpResponse.getWriter()).andReturn(new PrintWriter(body));

    EasyMock.replay(user, gatewayServices, servletContext, httpRequest, httpResponse);

    TokenResource resource = new TokenResource();
    resource.request = httpRequest;
    resource.response = httpResponse;
    resource.context = servletContext;
    resource.init();

    Response result = resource.doGet();
    assertEquals(403, result.getStatus());
}

Example 19 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

From class TokenServiceResourceTest, method testCustomTTL.

@Test
public void testCustomTTL() throws Exception {
    // A configured knox.token.ttl must bound the issued token's expiry.
    ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(servletContext.getInitParameter("knox.token.audiences")).andReturn("recipient1,recipient2");
    EasyMock.expect(servletContext.getInitParameter("knox.token.ttl")).andReturn("60000");
    EasyMock.expect(servletContext.getInitParameter("knox.token.target.url")).andReturn(null);
    EasyMock.expect(servletContext.getInitParameter("knox.token.client.data")).andReturn(null);

    HttpServletRequest httpRequest = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(httpRequest.getServletContext()).andReturn(servletContext).anyTimes();

    Principal user = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(user.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(httpRequest.getUserPrincipal()).andReturn(user).anyTimes();

    GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(servletContext.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(gatewayServices);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(gatewayServices.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);

    StringWriter body = new StringWriter();
    HttpServletResponse httpResponse = EasyMock.createNiceMock(HttpServletResponse.class);
    EasyMock.expect(httpResponse.getWriter()).andReturn(new PrintWriter(body));

    EasyMock.replay(user, gatewayServices, servletContext, httpRequest, httpResponse);

    TokenResource resource = new TokenResource();
    resource.request = httpRequest;
    resource.response = httpResponse;
    resource.context = servletContext;
    resource.init();

    Response result = resource.doGet();
    assertEquals(200, result.getStatus());

    String json = body.toString();
    String accessToken = getTagValue(json, "access_token");
    assertNotNull(accessToken);
    assertNotNull(getTagValue(json, "expires_in"));

    JWT issued = new JWTToken(accessToken);
    assertEquals("alice", issued.getSubject());
    assertTrue(authority.verifyToken(issued));

    // Expiry must be in the future and within the 60s TTL (allowing for test latency).
    Date expiresDate = issued.getExpiresDate();
    long nowMillis = new Date().getTime();
    long remainingMillis = expiresDate.getTime() - nowMillis;
    assertTrue(remainingMillis > 0L);
    assertTrue(remainingMillis < 60000L && remainingMillis > 30000L);
}

Example 20 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

From class TokenServiceResourceTest, method testSignatureAlgorithm.

@Test
public void testSignatureAlgorithm() throws Exception {
    // A configured knox.token.sigalg must show up as the algorithm in the JWT header.
    ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(servletContext.getInitParameter("knox.token.audiences")).andReturn("recipient1,recipient2");
    EasyMock.expect(servletContext.getInitParameter("knox.token.ttl")).andReturn(null);
    EasyMock.expect(servletContext.getInitParameter("knox.token.target.url")).andReturn(null);
    EasyMock.expect(servletContext.getInitParameter("knox.token.client.data")).andReturn(null);
    EasyMock.expect(servletContext.getInitParameter("knox.token.sigalg")).andReturn("RS512");

    HttpServletRequest httpRequest = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(httpRequest.getServletContext()).andReturn(servletContext).anyTimes();

    Principal user = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(user.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(httpRequest.getUserPrincipal()).andReturn(user).anyTimes();

    GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(servletContext.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(gatewayServices);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(gatewayServices.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);

    StringWriter body = new StringWriter();
    HttpServletResponse httpResponse = EasyMock.createNiceMock(HttpServletResponse.class);
    EasyMock.expect(httpResponse.getWriter()).andReturn(new PrintWriter(body));

    EasyMock.replay(user, gatewayServices, servletContext, httpRequest, httpResponse);

    TokenResource resource = new TokenResource();
    resource.request = httpRequest;
    resource.response = httpResponse;
    resource.context = servletContext;
    resource.init();

    Response result = resource.doGet();
    assertEquals(200, result.getStatus());

    String json = body.toString();
    String accessToken = getTagValue(json, "access_token");
    assertNotNull(accessToken);
    assertNotNull(getTagValue(json, "expires_in"));

    JWT issued = new JWTToken(accessToken);
    assertEquals("alice", issued.getSubject());
    assertTrue(authority.verifyToken(issued));
    // Header is checked as a substring, matching the original assertion.
    assertTrue(issued.getHeader().contains("RS512"));
}
