Search in sources :

Example 1 with ProviderCreationException

use of org.apache.nifi.authentication.exception.ProviderCreationException in project nifi by apache.

the class AbstractAMQPProcessor method createConnection.

protected Connection createConnection(ProcessContext context) {
    final ConnectionFactory cf = new ConnectionFactory();
    cf.setHost(context.getProperty(HOST).getValue());
    cf.setPort(Integer.parseInt(context.getProperty(PORT).getValue()));
    cf.setUsername(context.getProperty(USER).getValue());
    cf.setPassword(context.getProperty(PASSWORD).getValue());
    final String vHost = context.getProperty(V_HOST).getValue();
    if (vHost != null) {
        cf.setVirtualHost(vHost);
    }
    // handles TLS/SSL aspects
    final Boolean useCertAuthentication = context.getProperty(USE_CERT_AUTHENTICATION).asBoolean();
    final SSLContextService sslService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
    // if the property to use cert authentication is set but the SSL service hasn't been configured, throw an exception.
    if (useCertAuthentication && sslService == null) {
        throw new ProviderCreationException("This processor is configured to use cert authentication, " + "but the SSL Context Service hasn't been configured. You need to configure the SSL Context Service.");
    }
    final String rawClientAuth = context.getProperty(CLIENT_AUTH).getValue();
    if (sslService != null) {
        final SSLContextService.ClientAuth clientAuth;
        if (StringUtils.isBlank(rawClientAuth)) {
            clientAuth = SSLContextService.ClientAuth.REQUIRED;
        } else {
            try {
                clientAuth = SSLContextService.ClientAuth.valueOf(rawClientAuth);
            } catch (final IllegalArgumentException iae) {
                throw new ProviderCreationException(String.format("Unrecognized client auth '%s'. Possible values are [%s]", rawClientAuth, StringUtils.join(SslContextFactory.ClientAuth.values(), ", ")));
            }
        }
        final SSLContext sslContext = sslService.createSSLContext(clientAuth);
        cf.useSslProtocol(sslContext);
        if (useCertAuthentication) {
            // this tells the factory to use the cert common name for authentication and not user name and password
            // REF: https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl
            cf.setSaslConfig(DefaultSaslConfig.EXTERNAL);
        }
    }
    try {
        Connection connection = cf.newConnection();
        return connection;
    } catch (Exception e) {
        throw new IllegalStateException("Failed to establish connection with AMQP Broker: " + cf.toString(), e);
    }
}
Also used : ConnectionFactory(com.rabbitmq.client.ConnectionFactory) ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException) SSLContextService(org.apache.nifi.ssl.SSLContextService) Connection(com.rabbitmq.client.Connection) SSLContext(javax.net.ssl.SSLContext) ProcessException(org.apache.nifi.processor.exception.ProcessException) ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException)

Example 2 with ProviderCreationException

use of org.apache.nifi.authentication.exception.ProviderCreationException in project nifi by apache.

the class LdapProvider method getConfiguredSslContext.

private SSLContext getConfiguredSslContext(final LoginIdentityProviderConfigurationContext configurationContext) {
    final String rawKeystore = configurationContext.getProperty("TLS - Keystore");
    final String rawKeystorePassword = configurationContext.getProperty("TLS - Keystore Password");
    final String rawKeystoreType = configurationContext.getProperty("TLS - Keystore Type");
    final String rawTruststore = configurationContext.getProperty("TLS - Truststore");
    final String rawTruststorePassword = configurationContext.getProperty("TLS - Truststore Password");
    final String rawTruststoreType = configurationContext.getProperty("TLS - Truststore Type");
    final String rawClientAuth = configurationContext.getProperty("TLS - Client Auth");
    final String rawProtocol = configurationContext.getProperty("TLS - Protocol");
    // create the ssl context
    final SSLContext sslContext;
    try {
        if (StringUtils.isBlank(rawKeystore) && StringUtils.isBlank(rawTruststore)) {
            sslContext = null;
        } else {
            // ensure the protocol is specified
            if (StringUtils.isBlank(rawProtocol)) {
                throw new ProviderCreationException("TLS - Protocol must be specified.");
            }
            if (StringUtils.isBlank(rawKeystore)) {
                sslContext = SslContextFactory.createTrustSslContext(rawTruststore, rawTruststorePassword.toCharArray(), rawTruststoreType, rawProtocol);
            } else if (StringUtils.isBlank(rawTruststore)) {
                sslContext = SslContextFactory.createSslContext(rawKeystore, rawKeystorePassword.toCharArray(), rawKeystoreType, rawProtocol);
            } else {
                // determine the client auth if specified
                final ClientAuth clientAuth;
                if (StringUtils.isBlank(rawClientAuth)) {
                    clientAuth = ClientAuth.NONE;
                } else {
                    try {
                        clientAuth = ClientAuth.valueOf(rawClientAuth);
                    } catch (final IllegalArgumentException iae) {
                        throw new ProviderCreationException(String.format("Unrecognized client auth '%s'. Possible values are [%s]", rawClientAuth, StringUtils.join(ClientAuth.values(), ", ")));
                    }
                }
                sslContext = SslContextFactory.createSslContext(rawKeystore, rawKeystorePassword.toCharArray(), rawKeystoreType, rawTruststore, rawTruststorePassword.toCharArray(), rawTruststoreType, clientAuth, rawProtocol);
            }
        }
    } catch (final KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyManagementException | IOException e) {
        throw new ProviderCreationException(e.getMessage(), e);
    }
    return sslContext;
}
Also used : ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) CertificateException(java.security.cert.CertificateException) SSLContext(javax.net.ssl.SSLContext) KeyStoreException(java.security.KeyStoreException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) ClientAuth(org.apache.nifi.security.util.SslContextFactory.ClientAuth) KeyManagementException(java.security.KeyManagementException)

Example 3 with ProviderCreationException

use of org.apache.nifi.authentication.exception.ProviderCreationException in project nifi by apache.

the class LdapProvider method setTimeout.

private void setTimeout(final LoginIdentityProviderConfigurationContext configurationContext, final Map<String, Object> baseEnvironment, final String configurationProperty, final String environmentKey) {
    final String rawTimeout = configurationContext.getProperty(configurationProperty);
    if (StringUtils.isNotBlank(rawTimeout)) {
        try {
            final Long timeout = FormatUtils.getTimeDuration(rawTimeout, TimeUnit.MILLISECONDS);
            baseEnvironment.put(environmentKey, timeout.toString());
        } catch (final IllegalArgumentException iae) {
            throw new ProviderCreationException(String.format("The %s '%s' is not a valid time duration", configurationProperty, rawTimeout));
        }
    }
}
Also used : ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException)

Example 4 with ProviderCreationException

use of org.apache.nifi.authentication.exception.ProviderCreationException in project nifi by apache.

the class KerberosProvider method onConfigured.

@Override
public final void onConfigured(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
    final String rawExpiration = configurationContext.getProperty("Authentication Expiration");
    if (StringUtils.isBlank(rawExpiration)) {
        throw new ProviderCreationException("The Authentication Expiration must be specified.");
    }
    try {
        expiration = FormatUtils.getTimeDuration(rawExpiration, TimeUnit.MILLISECONDS);
    } catch (final IllegalArgumentException iae) {
        throw new ProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration));
    }
    provider = new KerberosAuthenticationProvider();
    SunJaasKerberosClient client = new SunJaasKerberosClient();
    client.setDebug(true);
    provider.setKerberosClient(client);
    provider.setUserDetailsService(new KerberosUserDetailsService());
}
Also used : ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException) KerberosAuthenticationProvider(org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider) SunJaasKerberosClient(org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient)

Example 5 with ProviderCreationException

use of org.apache.nifi.authentication.exception.ProviderCreationException in project nifi by apache.

the class LdapProvider method onConfigured.

@Override
public final void onConfigured(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
    final String rawExpiration = configurationContext.getProperty("Authentication Expiration");
    if (StringUtils.isBlank(rawExpiration)) {
        throw new ProviderCreationException("The Authentication Expiration must be specified.");
    }
    try {
        expiration = FormatUtils.getTimeDuration(rawExpiration, TimeUnit.MILLISECONDS);
    } catch (final IllegalArgumentException iae) {
        throw new ProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration));
    }
    final LdapContextSource context = new LdapContextSource();
    final Map<String, Object> baseEnvironment = new HashMap<>();
    // connect/read time out
    setTimeout(configurationContext, baseEnvironment, "Connect Timeout", "com.sun.jndi.ldap.connect.timeout");
    setTimeout(configurationContext, baseEnvironment, "Read Timeout", "com.sun.jndi.ldap.read.timeout");
    // authentication strategy
    final String rawAuthenticationStrategy = configurationContext.getProperty("Authentication Strategy");
    final LdapAuthenticationStrategy authenticationStrategy;
    try {
        authenticationStrategy = LdapAuthenticationStrategy.valueOf(rawAuthenticationStrategy);
    } catch (final IllegalArgumentException iae) {
        throw new ProviderCreationException(String.format("Unrecognized authentication strategy '%s'. Possible values are [%s]", rawAuthenticationStrategy, StringUtils.join(LdapAuthenticationStrategy.values(), ", ")));
    }
    switch(authenticationStrategy) {
        case ANONYMOUS:
            context.setAnonymousReadOnly(true);
            break;
        default:
            final String userDn = configurationContext.getProperty("Manager DN");
            final String password = configurationContext.getProperty("Manager Password");
            context.setUserDn(userDn);
            context.setPassword(password);
            switch(authenticationStrategy) {
                case SIMPLE:
                    context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                    break;
                case LDAPS:
                    context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                    // indicate a secure connection
                    baseEnvironment.put(Context.SECURITY_PROTOCOL, "ssl");
                    // get the configured ssl context
                    final SSLContext ldapsSslContext = getConfiguredSslContext(configurationContext);
                    if (ldapsSslContext != null) {
                        // initialize the ldaps socket factory prior to use
                        LdapsSocketFactory.initialize(ldapsSslContext.getSocketFactory());
                        baseEnvironment.put("java.naming.ldap.factory.socket", LdapsSocketFactory.class.getName());
                    }
                    break;
                case START_TLS:
                    final AbstractTlsDirContextAuthenticationStrategy tlsAuthenticationStrategy = new DefaultTlsDirContextAuthenticationStrategy();
                    // shutdown gracefully
                    final String rawShutdownGracefully = configurationContext.getProperty("TLS - Shutdown Gracefully");
                    if (StringUtils.isNotBlank(rawShutdownGracefully)) {
                        final boolean shutdownGracefully = Boolean.TRUE.toString().equalsIgnoreCase(rawShutdownGracefully);
                        tlsAuthenticationStrategy.setShutdownTlsGracefully(shutdownGracefully);
                    }
                    // get the configured ssl context
                    final SSLContext startTlsSslContext = getConfiguredSslContext(configurationContext);
                    if (startTlsSslContext != null) {
                        tlsAuthenticationStrategy.setSslSocketFactory(startTlsSslContext.getSocketFactory());
                    }
                    // set the authentication strategy
                    context.setAuthenticationStrategy(tlsAuthenticationStrategy);
                    break;
            }
            break;
    }
    // referrals
    final String rawReferralStrategy = configurationContext.getProperty("Referral Strategy");
    final ReferralStrategy referralStrategy;
    try {
        referralStrategy = ReferralStrategy.valueOf(rawReferralStrategy);
    } catch (final IllegalArgumentException iae) {
        throw new ProviderCreationException(String.format("Unrecognized referral strategy '%s'. Possible values are [%s]", rawReferralStrategy, StringUtils.join(ReferralStrategy.values(), ", ")));
    }
    // using the value as this needs to be the lowercase version while the value is configured with the enum constant
    context.setReferral(referralStrategy.getValue());
    // url
    final String urls = configurationContext.getProperty("Url");
    if (StringUtils.isBlank(urls)) {
        throw new ProviderCreationException("LDAP identity provider 'Url' must be specified.");
    }
    // connection
    context.setUrls(StringUtils.split(urls));
    // search criteria
    final String userSearchBase = configurationContext.getProperty("User Search Base");
    final String userSearchFilter = configurationContext.getProperty("User Search Filter");
    if (StringUtils.isBlank(userSearchBase) || StringUtils.isBlank(userSearchFilter)) {
        throw new ProviderCreationException("LDAP identity provider 'User Search Base' and 'User Search Filter' must be specified.");
    }
    final LdapUserSearch userSearch = new FilterBasedLdapUserSearch(userSearchBase, userSearchFilter, context);
    // bind
    final BindAuthenticator authenticator = new BindAuthenticator(context);
    authenticator.setUserSearch(userSearch);
    // identity strategy
    final String rawIdentityStrategy = configurationContext.getProperty("Identity Strategy");
    if (StringUtils.isBlank(rawIdentityStrategy)) {
        logger.info(String.format("Identity Strategy is not configured, defaulting strategy to %s.", IdentityStrategy.USE_DN));
        // if this value is not configured, default to use dn which was the previous implementation
        identityStrategy = IdentityStrategy.USE_DN;
    } else {
        try {
            // attempt to get the configured identity strategy
            identityStrategy = IdentityStrategy.valueOf(rawIdentityStrategy);
        } catch (final IllegalArgumentException iae) {
            throw new ProviderCreationException(String.format("Unrecognized identity strategy '%s'. Possible values are [%s]", rawIdentityStrategy, StringUtils.join(IdentityStrategy.values(), ", ")));
        }
    }
    // set the base environment is necessary
    if (!baseEnvironment.isEmpty()) {
        context.setBaseEnvironmentProperties(baseEnvironment);
    }
    try {
        // handling initializing beans
        context.afterPropertiesSet();
        authenticator.afterPropertiesSet();
    } catch (final Exception e) {
        throw new ProviderCreationException(e.getMessage(), e);
    }
    // create the underlying provider
    provider = new LdapAuthenticationProvider(authenticator);
}
Also used : BindAuthenticator(org.springframework.security.ldap.authentication.BindAuthenticator) LdapContextSource(org.springframework.ldap.core.support.LdapContextSource) HashMap(java.util.HashMap) SimpleDirContextAuthenticationStrategy(org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy) AbstractTlsDirContextAuthenticationStrategy(org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy) SSLContext(javax.net.ssl.SSLContext) BadCredentialsException(org.springframework.security.authentication.BadCredentialsException) AuthenticationException(org.springframework.ldap.AuthenticationException) UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException) KeyStoreException(java.security.KeyStoreException) IdentityAccessException(org.apache.nifi.authentication.exception.IdentityAccessException) ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) ProviderDestructionException(org.apache.nifi.authentication.exception.ProviderDestructionException) IOException(java.io.IOException) KeyManagementException(java.security.KeyManagementException) CertificateException(java.security.cert.CertificateException) InvalidLoginCredentialsException(org.apache.nifi.authentication.exception.InvalidLoginCredentialsException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ProviderCreationException(org.apache.nifi.authentication.exception.ProviderCreationException) FilterBasedLdapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch) LdapUserSearch(org.springframework.security.ldap.search.LdapUserSearch) FilterBasedLdapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch) DefaultTlsDirContextAuthenticationStrategy(org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy) AbstractLdapAuthenticationProvider(org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider) LdapAuthenticationProvider(org.springframework.security.ldap.authentication.LdapAuthenticationProvider)

Aggregations

ProviderCreationException (org.apache.nifi.authentication.exception.ProviderCreationException)8 SSLContext (javax.net.ssl.SSLContext)6 IOException (java.io.IOException)4 SSLContextService (org.apache.nifi.ssl.SSLContextService)4 MongoClient (com.mongodb.MongoClient)2 MongoClientURI (com.mongodb.MongoClientURI)2 KeyManagementException (java.security.KeyManagementException)2 KeyStoreException (java.security.KeyStoreException)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 UnrecoverableKeyException (java.security.UnrecoverableKeyException)2 CertificateException (java.security.cert.CertificateException)2 Cluster (com.datastax.driver.core.Cluster)1 Metadata (com.datastax.driver.core.Metadata)1 Session (com.datastax.driver.core.Session)1 Connection (com.rabbitmq.client.Connection)1 ConnectionFactory (com.rabbitmq.client.ConnectionFactory)1 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1 InetSocketAddress (java.net.InetSocketAddress)1 HashMap (java.util.HashMap)1 OnScheduled (org.apache.nifi.annotation.lifecycle.OnScheduled)1