use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.
the class WebSSOResource method getAuthenticationToken.
private Response getAuthenticationToken(int statusCode) {
GatewayServices services = (GatewayServices) request.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
boolean removeOriginalUrlCookie = true;
String original = getCookieValue((HttpServletRequest) request, ORIGINAL_URL_COOKIE_NAME);
if (original == null) {
// in the case where there are no SAML redirects done before here
// we need to get it from the request parameters
removeOriginalUrlCookie = false;
original = getOriginalUrlFromQueryParams();
if (original.isEmpty()) {
log.originalURLNotFound();
throw new WebApplicationException("Original URL not found in the request.", Response.Status.BAD_REQUEST);
}
boolean validRedirect = RegExUtils.checkWhitelist(whitelist, original);
if (!validRedirect) {
log.whiteListMatchFail(original, whitelist);
throw new WebApplicationException("Original URL not valid according to the configured whitelist.", Response.Status.BAD_REQUEST);
}
}
JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE);
Principal p = ((HttpServletRequest) request).getUserPrincipal();
try {
JWT token = null;
if (targetAudiences.isEmpty()) {
token = ts.issueToken(p, signatureAlgorithm, getExpiry());
} else {
token = ts.issueToken(p, targetAudiences, signatureAlgorithm, getExpiry());
}
// Coverity CID 1327959
if (token != null) {
addJWTHadoopCookie(original, token);
}
if (removeOriginalUrlCookie) {
removeOriginalUrlCookie(response);
}
log.aboutToRedirectToOriginal(original);
response.setStatus(statusCode);
response.setHeader("Location", original);
try {
response.getOutputStream().close();
} catch (IOException e) {
log.unableToCloseOutputStream(e.getMessage(), Arrays.toString(e.getStackTrace()));
}
} catch (TokenServiceException e) {
log.unableToIssueToken(e);
}
URI location = null;
try {
location = new URI(original);
} catch (URISyntaxException urise) {
// todo log return error response
}
if (!enableSession) {
// invalidate the session to avoid autologin
// Coverity CID 1352857
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
}
return Response.seeOther(location).entity("{ \"redirectTo\" : " + original + " }").build();
}
use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.
the class WebSSOResourceTest method testGetToken.
@Test
public void testGetToken() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
EasyMock.replay(principal, services, context, request);
WebSSOResource webSSOResponse = new WebSSOResource();
webSSOResponse.request = request;
webSSOResponse.response = responseWrapper;
webSSOResponse.context = context;
webSSOResponse.init();
// Issue a token
webSSOResponse.doGet();
// Check the cookie
Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
assertNotNull(cookie);
JWT parsedToken = new JWTToken(cookie.getValue());
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
}
use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.
the class WebSSOResourceTest method testDefaultTTL.
@Test
public void testDefaultTTL() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
EasyMock.replay(principal, services, context, request);
WebSSOResource webSSOResponse = new WebSSOResource();
webSSOResponse.request = request;
webSSOResponse.response = responseWrapper;
webSSOResponse.context = context;
webSSOResponse.init();
// Issue a token
webSSOResponse.doGet();
// Check the cookie
Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
assertNotNull(cookie);
JWT parsedToken = new JWTToken(cookie.getValue());
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
Date expiresDate = parsedToken.getExpiresDate();
Date now = new Date();
assertTrue(expiresDate.after(now));
assertTrue((expiresDate.getTime() - now.getTime()) < 30000L);
}
use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.
the class WebSSOResourceTest method testAudiencesWhitespace.
@Test
public void testAudiencesWhitespace() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(" recipient1, recipient2 ");
EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
EasyMock.replay(principal, services, context, request);
WebSSOResource webSSOResponse = new WebSSOResource();
webSSOResponse.request = request;
webSSOResponse.response = responseWrapper;
webSSOResponse.context = context;
webSSOResponse.init();
// Issue a token
webSSOResponse.doGet();
// Check the cookie
Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
assertNotNull(cookie);
JWTToken parsedToken = new JWTToken(cookie.getValue());
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
// Verify the audiences
List<String> audiences = Arrays.asList(parsedToken.getAudienceClaims());
assertEquals(2, audiences.size());
assertTrue(audiences.contains("recipient1"));
assertTrue(audiences.contains("recipient2"));
}
use of org.apache.knox.gateway.services.security.token.JWTokenAuthority in project knox by apache.
the class DefaultTokenAuthorityServiceTest method testTokenCreationSignatureAlgorithm.
@Test
public void testTokenCreationSignatureAlgorithm() throws Exception {
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
String basedir = System.getProperty("basedir");
if (basedir == null) {
basedir = new File(".").getCanonicalPath();
}
EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
AliasService as = EasyMock.createNiceMock(AliasService.class);
EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
EasyMock.replay(principal, config, ms, as);
KeystoreService ks = new DefaultKeystoreService();
((DefaultKeystoreService) ks).setMasterService(ms);
((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
JWTokenAuthority ta = new DefaultTokenAuthorityService();
((DefaultTokenAuthorityService) ta).setAliasService(as);
((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
JWT token = ta.issueToken(principal, "RS512");
assertEquals("KNOXSSO", token.getIssuer());
assertEquals("john.doe@example.com", token.getSubject());
assertTrue(token.getHeader().contains("RS512"));
assertTrue(ta.verifyToken(token));
}
Aggregations