Search in sources :

Example 26 with NiFiUserDetails

use of org.apache.nifi.authorization.user.NiFiUserDetails in project nifi by apache.

the class X509AuthenticationProvider method authenticate.

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    final X509AuthenticationRequestToken request = (X509AuthenticationRequestToken) authentication;
    // attempt to authenticate if certificates were found
    final AuthenticationResponse authenticationResponse;
    try {
        authenticationResponse = certificateIdentityProvider.authenticate(request.getCertificates());
    } catch (final IllegalArgumentException iae) {
        throw new InvalidAuthenticationException(iae.getMessage(), iae);
    }
    if (StringUtils.isBlank(request.getProxiedEntitiesChain())) {
        final String mappedIdentity = mapIdentity(authenticationResponse.getIdentity());
        return new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(mappedIdentity).groups(getUserGroups(mappedIdentity)).clientAddress(request.getClientAddress()).build()));
    } else {
        // build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
        final List<String> proxyChain = new ArrayList<>(ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(request.getProxiedEntitiesChain()));
        proxyChain.add(authenticationResponse.getIdentity());
        // add the chain as appropriate to each proxy
        NiFiUser proxy = null;
        for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
            String identity = chainIter.previous();
            // determine if the user is anonymous
            final boolean isAnonymous = StringUtils.isBlank(identity);
            if (isAnonymous) {
                identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
            } else {
                identity = mapIdentity(identity);
            }
            final Set<String> groups = getUserGroups(identity);
            // Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
            String clientAddress = (proxy == null) ? request.getClientAddress() : null;
            proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
            if (chainIter.hasPrevious()) {
                try {
                    PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
                } catch (final AccessDeniedException e) {
                    throw new UntrustedProxyException(String.format("Untrusted proxy %s", identity));
                }
            }
        }
        return new NiFiAuthenticationToken(new NiFiUserDetails(proxy));
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) StandardNiFiUser(org.apache.nifi.authorization.user.StandardNiFiUser) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) ArrayList(java.util.ArrayList) AuthenticationResponse(org.apache.nifi.authentication.AuthenticationResponse) InvalidAuthenticationException(org.apache.nifi.web.security.InvalidAuthenticationException) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) UntrustedProxyException(org.apache.nifi.web.security.UntrustedProxyException) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails)

Example 27 with NiFiUserDetails

use of org.apache.nifi.authorization.user.NiFiUserDetails in project nifi by apache.

the class OtpAuthenticationProviderTest method testUiExtensionPath.

@Test
public void testUiExtensionPath() throws Exception {
    final OtpAuthenticationRequestToken request = new OtpAuthenticationRequestToken(UI_EXTENSION_TOKEN, false, null);
    final NiFiAuthenticationToken result = (NiFiAuthenticationToken) otpAuthenticationProvider.authenticate(request);
    final NiFiUserDetails details = (NiFiUserDetails) result.getPrincipal();
    assertEquals(UI_EXTENSION_AUTHENTICATED_USER, details.getUsername());
    verify(otpService, times(1)).getAuthenticationFromUiExtensionToken(UI_EXTENSION_TOKEN);
    verify(otpService, never()).getAuthenticationFromDownloadToken(anyString());
}
Also used : NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Example 28 with NiFiUserDetails

use of org.apache.nifi.authorization.user.NiFiUserDetails in project nifi by apache.

the class X509AuthenticationProviderTest method testNoProxyChain.

@Test
public void testNoProxyChain() {
    final NiFiAuthenticationToken auth = (NiFiAuthenticationToken) x509AuthenticationProvider.authenticate(getX509Request("", IDENTITY_1));
    final NiFiUser user = ((NiFiUserDetails) auth.getDetails()).getNiFiUser();
    assertNotNull(user);
    assertEquals(IDENTITY_1, user.getIdentity());
    assertFalse(user.isAnonymous());
}
Also used : StandardNiFiUser(org.apache.nifi.authorization.user.StandardNiFiUser) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Example 29 with NiFiUserDetails

use of org.apache.nifi.authorization.user.NiFiUserDetails in project nifi by apache.

the class X509AuthenticationProviderTest method testTwoProxies.

@Test
public void testTwoProxies() {
    final NiFiAuthenticationToken auth = (NiFiAuthenticationToken) x509AuthenticationProvider.authenticate(getX509Request(buildProxyChain(IDENTITY_1, PROXY_2), PROXY_1));
    final NiFiUser user = ((NiFiUserDetails) auth.getDetails()).getNiFiUser();
    assertNotNull(user);
    assertEquals(IDENTITY_1, user.getIdentity());
    assertFalse(user.isAnonymous());
    assertNotNull(user.getChain());
    assertEquals(PROXY_2, user.getChain().getIdentity());
    assertFalse(user.getChain().isAnonymous());
    assertNotNull(user.getChain().getChain());
    assertEquals(PROXY_1, user.getChain().getChain().getIdentity());
    assertFalse(user.getChain().getChain().isAnonymous());
}
Also used : StandardNiFiUser(org.apache.nifi.authorization.user.StandardNiFiUser) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Example 30 with NiFiUserDetails

use of org.apache.nifi.authorization.user.NiFiUserDetails in project nifi by apache.

the class X509AuthenticationProviderTest method testOneProxy.

@Test
public void testOneProxy() {
    final NiFiAuthenticationToken auth = (NiFiAuthenticationToken) x509AuthenticationProvider.authenticate(getX509Request(buildProxyChain(IDENTITY_1), PROXY_1));
    final NiFiUser user = ((NiFiUserDetails) auth.getDetails()).getNiFiUser();
    assertNotNull(user);
    assertEquals(IDENTITY_1, user.getIdentity());
    assertFalse(user.isAnonymous());
    assertNotNull(user.getChain());
    assertEquals(PROXY_1, user.getChain().getIdentity());
    assertFalse(user.getChain().isAnonymous());
}
Also used : StandardNiFiUser(org.apache.nifi.authorization.user.StandardNiFiUser) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails) NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken) Test(org.junit.Test)

Aggregations

NiFiUserDetails (org.apache.nifi.authorization.user.NiFiUserDetails)30 NiFiAuthenticationToken (org.apache.nifi.web.security.token.NiFiAuthenticationToken)29 Test (org.junit.Test)23 Authentication (org.springframework.security.core.Authentication)18 NiFiUser (org.apache.nifi.authorization.user.NiFiUser)13 URI (java.net.URI)12 Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)11 ProcessorEntity (org.apache.nifi.web.api.entity.ProcessorEntity)11 HashSet (java.util.HashSet)10 NodeIdentifier (org.apache.nifi.cluster.protocol.NodeIdentifier)10 Entity (org.apache.nifi.web.api.entity.Entity)8 HashMap (java.util.HashMap)7 StandardNiFiUser (org.apache.nifi.authorization.user.StandardNiFiUser)7 NodeResponse (org.apache.nifi.cluster.manager.NodeResponse)6 InvalidAuthenticationException (org.apache.nifi.web.security.InvalidAuthenticationException)5 Map (java.util.Map)4 AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)3 ArgumentMatcher (org.mockito.ArgumentMatcher)3 JwtException (io.jsonwebtoken.JwtException)2 ApiOperation (io.swagger.annotations.ApiOperation)2