Example 16 with JWT
use of org.apache.knox.gateway.services.security.token.impl.JWT in project knox by apache.
the class WebSSOResourceTest method testOverflowTTL.
@Test
public void testOverflowTTL() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(String.valueOf(Long.MAX_VALUE));
EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
EasyMock.replay(principal, services, context, request);
WebSSOResource webSSOResponse = new WebSSOResource();
webSSOResponse.request = request;
webSSOResponse.response = responseWrapper;
webSSOResponse.context = context;
webSSOResponse.init();
// Issue a token
webSSOResponse.doGet();
// Check the cookie
Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
assertNotNull(cookie);
JWT parsedToken = new JWTToken(cookie.getValue());
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
Date expiresDate = parsedToken.getExpiresDate();
Date now = new Date();
assertTrue(expiresDate.after(now));
assertTrue((expiresDate.getTime() - now.getTime()) < 30000L);
}
Also used :
Cookie(javax.servlet.http.Cookie)
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
ServletOutputStream(javax.servlet.ServletOutputStream)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken)
Date(java.util.Date)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
ServletContext(javax.servlet.ServletContext)
Principal(java.security.Principal)
Test(org.junit.Test)
Example 17 with JWT
use of org.apache.knox.gateway.services.security.token.impl.JWT in project knox by apache.
the class WebSSOResourceTest method testAudiences.
@Test
public void testAudiences() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn("recipient1,recipient2");
EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
EasyMock.replay(principal, services, context, request);
WebSSOResource webSSOResponse = new WebSSOResource();
webSSOResponse.request = request;
webSSOResponse.response = responseWrapper;
webSSOResponse.context = context;
webSSOResponse.init();
// Issue a token
webSSOResponse.doGet();
// Check the cookie
Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
assertNotNull(cookie);
JWT parsedToken = new JWTToken(cookie.getValue());
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
// Verify the audiences
List<String> audiences = Arrays.asList(parsedToken.getAudienceClaims());
assertEquals(2, audiences.size());
assertTrue(audiences.contains("recipient1"));
assertTrue(audiences.contains("recipient2"));
}
Also used :
Cookie(javax.servlet.http.Cookie)
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
ServletOutputStream(javax.servlet.ServletOutputStream)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
ServletContext(javax.servlet.ServletContext)
Principal(java.security.Principal)
Test(org.junit.Test)
Example 18 with JWT
use of org.apache.knox.gateway.services.security.token.impl.JWT in project knox by apache.
the class WebSSOResourceTest method testCustomTTL.
@Test
public void testCustomTTL() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.name")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.secure.only")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.max.age")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.cookie.domain.suffix")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.redirect.whitelist.regex")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.audiences")).andReturn(null);
EasyMock.expect(context.getInitParameter("knoxsso.token.ttl")).andReturn("60000");
EasyMock.expect(context.getInitParameter("knoxsso.enable.session")).andReturn(null);
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getParameter("originalUrl")).andReturn("http://localhost:9080/service");
EasyMock.expect(request.getParameterMap()).andReturn(Collections.<String, String[]>emptyMap());
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);
CookieResponseWrapper responseWrapper = new CookieResponseWrapper(response, outputStream);
EasyMock.replay(principal, services, context, request);
WebSSOResource webSSOResponse = new WebSSOResource();
webSSOResponse.request = request;
webSSOResponse.response = responseWrapper;
webSSOResponse.context = context;
webSSOResponse.init();
// Issue a token
webSSOResponse.doGet();
// Check the cookie
Cookie cookie = responseWrapper.getCookie("hadoop-jwt");
assertNotNull(cookie);
JWT parsedToken = new JWTToken(cookie.getValue());
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
Date expiresDate = parsedToken.getExpiresDate();
Date now = new Date();
assertTrue(expiresDate.after(now));
long diff = expiresDate.getTime() - now.getTime();
assertTrue(diff < 60000L && diff > 30000L);
}
Also used :
Cookie(javax.servlet.http.Cookie)
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
ServletOutputStream(javax.servlet.ServletOutputStream)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken)
Date(java.util.Date)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
ServletContext(javax.servlet.ServletContext)
Principal(java.security.Principal)
Test(org.junit.Test)
Example 19 with JWT
use of org.apache.knox.gateway.services.security.token.impl.JWT in project knox by apache.
the class TokenResource method getAuthenticationToken.
private Response getAuthenticationToken() {
if (clientCertRequired) {
X509Certificate cert = extractCertificate(request);
if (cert != null) {
if (!allowedDNs.contains(cert.getSubjectDN().getName())) {
return Response.status(403).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
}
} else {
return Response.status(403).entity("{ \"Unable to get token - client cert required.\" }").build();
}
}
GatewayServices services = (GatewayServices) request.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE);
Principal p = ((HttpServletRequest) request).getUserPrincipal();
long expires = getExpiry();
try {
JWT token = null;
if (targetAudiences.isEmpty()) {
token = ts.issueToken(p, signatureAlgorithm, expires);
} else {
token = ts.issueToken(p, targetAudiences, signatureAlgorithm, expires);
}
if (token != null) {
String accessToken = token.toString();
HashMap<String, Object> map = new HashMap<>();
map.put(ACCESS_TOKEN, accessToken);
map.put(TOKEN_TYPE, BEARER);
map.put(EXPIRES_IN, expires);
if (tokenTargetUrl != null) {
map.put(TARGET_URL, tokenTargetUrl);
}
if (tokenClientDataMap != null) {
map.putAll(tokenClientDataMap);
}
String jsonResponse = JsonUtils.renderAsJsonString(map);
response.getWriter().write(jsonResponse);
return Response.ok().build();
} else {
return Response.serverError().build();
}
} catch (TokenServiceException | IOException e) {
log.unableToIssueToken(e);
}
return Response.ok().entity("{ \"Unable to acquire token.\" }").build();
}
Also used :
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
HashMap(java.util.HashMap)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
Principal(java.security.Principal)
TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)
Example 20 with JWT
use of org.apache.knox.gateway.services.security.token.impl.JWT in project knox by apache.
the class TokenServiceResourceTest method testValidClientCert.
@Test
public void testValidClientCert() throws Exception {
ServletContext context = EasyMock.createNiceMock(ServletContext.class);
EasyMock.expect(context.getInitParameter("knox.token.client.cert.required")).andReturn("true");
EasyMock.expect(context.getInitParameter("knox.token.allowed.principals")).andReturn("CN=localhost, OU=Test, O=Hadoop, L=Test, ST=Test, C=US");
HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
EasyMock.expect(request.getServletContext()).andReturn(context).anyTimes();
X509Certificate trustedCertMock = EasyMock.createMock(X509Certificate.class);
EasyMock.expect(trustedCertMock.getSubjectDN()).andReturn(new PrimaryPrincipal("CN=localhost, OU=Test, O=Hadoop, L=Test, ST=Test, C=US")).anyTimes();
ArrayList<X509Certificate> certArrayList = new ArrayList<X509Certificate>();
certArrayList.add(trustedCertMock);
X509Certificate[] certs = {};
EasyMock.expect(request.getAttribute("javax.servlet.request.X509Certificate")).andReturn(certArrayList.toArray(certs)).anyTimes();
Principal principal = EasyMock.createNiceMock(Principal.class);
EasyMock.expect(principal.getName()).andReturn("alice").anyTimes();
EasyMock.expect(request.getUserPrincipal()).andReturn(principal).anyTimes();
GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).andReturn(services);
JWTokenAuthority authority = new TestJWTokenAuthority(publicKey, privateKey);
EasyMock.expect(services.getService(GatewayServices.TOKEN_SERVICE)).andReturn(authority);
StringWriter writer = new StringWriter();
PrintWriter printWriter = new PrintWriter(writer);
HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
EasyMock.expect(response.getWriter()).andReturn(printWriter);
EasyMock.replay(principal, services, context, request, response, trustedCertMock);
TokenResource tr = new TokenResource();
tr.request = request;
tr.response = response;
tr.context = context;
tr.init();
// Issue a token
Response retResponse = tr.doGet();
assertEquals(200, retResponse.getStatus());
// Parse the response
String retString = writer.toString();
String accessToken = getTagValue(retString, "access_token");
assertNotNull(accessToken);
String expiry = getTagValue(retString, "expires_in");
assertNotNull(expiry);
// Verify the token
JWT parsedToken = new JWTToken(accessToken);
assertEquals("alice", parsedToken.getSubject());
assertTrue(authority.verifyToken(parsedToken));
}
Also used :
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
TokenResource(org.apache.knox.gateway.service.knoxtoken.TokenResource)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
ArrayList(java.util.ArrayList)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken)
X509Certificate(java.security.cert.X509Certificate)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
Response(javax.ws.rs.core.Response)
StringWriter(java.io.StringWriter)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
JWTokenAuthority(org.apache.knox.gateway.services.security.token.JWTokenAuthority)
ServletContext(javax.servlet.ServletContext)
PrimaryPrincipal(org.apache.knox.gateway.security.PrimaryPrincipal)
Principal(java.security.Principal)
PrintWriter(java.io.PrintWriter)
Test(org.junit.Test)
Aggregations
JWT (org.apache.knox.gateway.services.security.token.impl.JWT)27
Principal (java.security.Principal)23
JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority)22
HttpServletRequest (javax.servlet.http.HttpServletRequest)20
Test (org.junit.Test)20
JWTToken (org.apache.knox.gateway.services.security.token.impl.JWTToken)19
HttpServletResponse (javax.servlet.http.HttpServletResponse)18
GatewayServices (org.apache.knox.gateway.services.GatewayServices)18
ServletContext (javax.servlet.ServletContext)16
PrimaryPrincipal (org.apache.knox.gateway.security.PrimaryPrincipal)10
PrintWriter (java.io.PrintWriter)9
StringWriter (java.io.StringWriter)9
Response (javax.ws.rs.core.Response)9
TokenResource (org.apache.knox.gateway.service.knoxtoken.TokenResource)9
Date (java.util.Date)8
ServletOutputStream (javax.servlet.ServletOutputStream)7
Cookie (javax.servlet.http.Cookie)7
TokenServiceException (org.apache.knox.gateway.services.security.token.TokenServiceException)5
File (java.io.File)4
GatewayConfig (org.apache.knox.gateway.config.GatewayConfig)4
