Search in sources :

Example 21 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

the class WebSSOResource method getAuthenticationToken.

private Response getAuthenticationToken(int statusCode) {
    GatewayServices services = (GatewayServices) request.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
    boolean removeOriginalUrlCookie = true;
    String original = getCookieValue((HttpServletRequest) request, ORIGINAL_URL_COOKIE_NAME);
    if (original == null) {
        // in the case where there are no SAML redirects done before here
        // we need to get it from the request parameters
        removeOriginalUrlCookie = false;
        original = getOriginalUrlFromQueryParams();
        if (original.isEmpty()) {
            log.originalURLNotFound();
            throw new WebApplicationException("Original URL not found in the request.", Response.Status.BAD_REQUEST);
        }
        boolean validRedirect = RegExUtils.checkWhitelist(whitelist, original);
        if (!validRedirect) {
            log.whiteListMatchFail(original, whitelist);
            throw new WebApplicationException("Original URL not valid according to the configured whitelist.", Response.Status.BAD_REQUEST);
        }
    }
    JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE);
    Principal p = ((HttpServletRequest) request).getUserPrincipal();
    try {
        JWT token = null;
        if (targetAudiences.isEmpty()) {
            token = ts.issueToken(p, signatureAlgorithm, getExpiry());
        } else {
            token = ts.issueToken(p, targetAudiences, signatureAlgorithm, getExpiry());
        }
        // Coverity CID 1327959
        if (token != null) {
            addJWTHadoopCookie(original, token);
        }
        if (removeOriginalUrlCookie) {
            removeOriginalUrlCookie(response);
        }
        log.aboutToRedirectToOriginal(original);
        response.setStatus(statusCode);
        response.setHeader("Location", original);
        try {
            response.getOutputStream().close();
        } catch (IOException e) {
            log.unableToCloseOutputStream(e.getMessage(), Arrays.toString(e.getStackTrace()));
        }
    } catch (TokenServiceException e) {
        log.unableToIssueToken(e);
    }
    URI location = null;
    try {
        location = new URI(original);
    } catch (URISyntaxException urise) {
    // todo log return error response
    }
    if (!enableSession) {
        // invalidate the session to avoid autologin
        // Coverity CID 1352857
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
    return Response.seeOther(location).entity("{ \"redirectTo\" : " + original + " }").build();
}
Also used : GatewayServices(org.apache.knox.gateway.services.GatewayServices) WebApplicationException(javax.ws.rs.WebApplicationException) JWT(org.apache.knox.gateway.services.security.token.impl.JWT) HttpSession(javax.servlet.http.HttpSession) IOException(java.io.IOException) URISyntaxException(java.net.URISyntaxException) URI(java.net.URI) HttpServletRequest(javax.servlet.http.HttpServletRequest) JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority) Principal(java.security.Principal) TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)

Example 22 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

the class WebSSOResourceTest method testGetToken.

@Test
public void testGetToken() throws Exception {
    ServletContext context = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
    HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
    EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
    EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
    Principal principal = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
    GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
    HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
    ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
    CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
    EasyMock.replay(principal, services, context, request);
    WebSSOResource webSSOResponse = new WebSSOResource();
    webSSOResponse.request = request;
    webSSOResponse.response = responseWrapper;
    webSSOResponse.context = context;
    webSSOResponse.init();
    // Issue a token
    webSSOResponse.doGet();
    // Check the cookie
    Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
    assertNotNull(cookie);
    JWT parsedToken = new JWTToken(cookie.getValue());
    assertEquals("alice", parsedToken.getSubject());
    assertTrue(authority.verifyToken(parsedToken));
}
Also used : Cookie(javax.servlet.http.Cookie) GatewayServices(org.apache.knox.gateway.services.GatewayServices) ServletOutputStream(javax.servlet.ServletOutputStream) JWT(org.apache.knox.gateway.services.security.token.impl.JWT) HttpServletResponse(javax.servlet.http.HttpServletResponse) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) HttpServletRequest(javax.servlet.http.HttpServletRequest) JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority) ServletContext(javax.servlet.ServletContext) Principal(java.security.Principal) Test(org.junit.Test)

Example 23 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

the class WebSSOResourceTest method testDefaultTTL.

@Test
public void testDefaultTTL() throws Exception {
    ServletContext context = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
    HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
    EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
    EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
    Principal principal = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
    GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
    HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
    ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
    CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
    EasyMock.replay(principal, services, context, request);
    WebSSOResource webSSOResponse = new WebSSOResource();
    webSSOResponse.request = request;
    webSSOResponse.response = responseWrapper;
    webSSOResponse.context = context;
    webSSOResponse.init();
    // Issue a token
    webSSOResponse.doGet();
    // Check the cookie
    Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
    assertNotNull(cookie);
    JWT parsedToken = new JWTToken(cookie.getValue());
    assertEquals("alice", parsedToken.getSubject());
    assertTrue(authority.verifyToken(parsedToken));
    Date expiresDate = parsedToken.getExpiresDate();
    Date now = new Date();
    assertTrue(expiresDate.after(now));
    assertTrue((expiresDate.getTime() - now.getTime()) < 30000L);
}
Also used : Cookie(javax.servlet.http.Cookie) GatewayServices(org.apache.knox.gateway.services.GatewayServices) ServletOutputStream(javax.servlet.ServletOutputStream) JWT(org.apache.knox.gateway.services.security.token.impl.JWT) HttpServletResponse(javax.servlet.http.HttpServletResponse) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) Date(java.util.Date) HttpServletRequest(javax.servlet.http.HttpServletRequest) JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority) ServletContext(javax.servlet.ServletContext) Principal(java.security.Principal) Test(org.junit.Test)

Example 24 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

the class WebSSOResourceTest method testAudiencesWhitespace.

@Test
public void testAudiencesWhitespace() throws Exception {
    ServletContext context = EasyMock.createNiceMock(ServletContext.class);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(" recipient1, recipient2 ");
    EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
    EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
    HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
    EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
    EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
    EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
    Principal principal = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
    EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
    GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
    JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
    EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
    HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
    ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
    CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
    EasyMock.replay(principal, services, context, request);
    WebSSOResource webSSOResponse = new WebSSOResource();
    webSSOResponse.request = request;
    webSSOResponse.response = responseWrapper;
    webSSOResponse.context = context;
    webSSOResponse.init();
    // Issue a token
    webSSOResponse.doGet();
    // Check the cookie
    Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
    assertNotNull(cookie);
    JWTToken parsedToken = new JWTToken(cookie.getValue());
    assertEquals("alice", parsedToken.getSubject());
    assertTrue(authority.verifyToken(parsedToken));
    // Verify the audiences
    List<String> audiences = Arrays.asList(parsedToken.getAudienceClaims());
    assertEquals(2, audiences.size());
    assertTrue(audiences.contains("recipient1"));
    assertTrue(audiences.contains("recipient2"));
}
Also used : Cookie(javax.servlet.http.Cookie) GatewayServices(org.apache.knox.gateway.services.GatewayServices) ServletOutputStream(javax.servlet.ServletOutputStream) HttpServletResponse(javax.servlet.http.HttpServletResponse) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) HttpServletRequest(javax.servlet.http.HttpServletRequest) JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority) ServletContext(javax.servlet.ServletContext) Principal(java.security.Principal) Test(org.junit.Test)

Example 25 with JWTokenAuthority

use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.

the class DefaultTokenAuthorityServiceTest method testTokenCreationSignatureAlgorithm.

@Test
public void testTokenCreationSignatureAlgorithm() throws Exception {
    Principal principal = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
    GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
    String basedir = System.getProperty("basedir");
    if (basedir == null) {
        basedir = new File(".").getCanonicalPath();
    }
    EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
    EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
    EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
    MasterService ms = EasyMock.createNiceMock(MasterService.class);
    EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
    AliasService as = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
    EasyMock.replay(principal, config, ms, as);
    KeystoreService ks = new DefaultKeystoreService();
    ((DefaultKeystoreService) ks).setMasterService(ms);
    ((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
    JWTokenAuthority ta = new DefaultTokenAuthorityService();
    ((DefaultTokenAuthorityService) ta).setAliasService(as);
    ((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
    ((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
    JWT token = ta.issueToken(principal, "RS512");
    assertEquals("KNOXSSO", token.getIssuer());
    assertEquals("john.doe@example.com", token.getSubject());
    assertTrue(token.getHeader().contains("RS512"));
    assertTrue(ta.verifyToken(token));
}
Also used : AliasService(org.apache.knox.gateway.services.security.AliasService) DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService) JWT(org.apache.knox.gateway.services.security.token.impl.JWT) JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority) DefaultKeystoreService(org.apache.knox.gateway.services.security.impl.DefaultKeystoreService) KeystoreService(org.apache.knox.gateway.services.security.KeystoreService) File(java.io.File) MasterService(org.apache.knox.gateway.services.security.MasterService) Principal(java.security.Principal) GatewayConfig(org.apache.knox.gateway.config.GatewayConfig) Test(org.junit.Test)

Aggregations

Principal (java.security.Principal)26 JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority)26 Test (org.junit.Test)24 JWT (org.apache.knox.gateway.services.security.token.impl.JWT)22 HttpServletRequest (javax.servlet.http.HttpServletRequest)21 GatewayServices (org.apache.knox.gateway.services.GatewayServices)21 ServletContext (javax.servlet.ServletContext)19 HttpServletResponse (javax.servlet.http.HttpServletResponse)19 JWTToken (org.apache.knox.gateway.services.security.token.impl.JWTToken)17 PrintWriter (java.io.PrintWriter)11 StringWriter (java.io.StringWriter)11 Response (javax.ws.rs.core.Response)11 PrimaryPrincipal (org.apache.knox.gateway.security.PrimaryPrincipal)11 TokenResource (org.apache.knox.gateway.service.knoxtoken.TokenResource)11 Date (java.util.Date)8 ServletOutputStream (javax.servlet.ServletOutputStream)8 Cookie (javax.servlet.http.Cookie)8 File (java.io.File)5 GatewayConfig (org.apache.knox.gateway.config.GatewayConfig)5 AliasService (org.apache.knox.gateway.services.security.AliasService)5