Examples with AuthenticationRequest org.apache.nifi.registry.security.authentication.AuthenticationRequest used on opensource projects

Example 6 with AuthenticationRequest

use of org.apache.nifi.registry.security.authentication.AuthenticationRequest in project nifi-registry by apache.

the class AccessResource method createAccessTokenByTryingAllProviders.

/**
 * Creates a token for accessing the REST API.
 *
 * @param httpServletRequest the servlet request
 * @return A JWT (string)
 */
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.TEXT_PLAIN)
@Path("/token")
@ApiOperation(value = "Creates a token for accessing the REST API via auto-detected method of verifying client identity claim credentials", notes = "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, " + "the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header " + "in the format 'Authorization: Bearer <token>'.", response = String.class)
@ApiResponses({ @ApiResponse(code = 400, message = HttpStatusMessages.MESSAGE_400), @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401), @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409 + " The NiFi Registry may not be configured to support login with username/password."), @ApiResponse(code = 500, message = HttpStatusMessages.MESSAGE_500) })
public Response createAccessTokenByTryingAllProviders(@Context HttpServletRequest httpServletRequest) {
    // only support access tokens when communicating over HTTPS
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("Access tokens are only issued over HTTPS");
    }
    List<IdentityProvider> identityProviderWaterfall = generateIdentityProviderWaterfall();
    String token = null;
    for (IdentityProvider provider : identityProviderWaterfall) {
        AuthenticationRequest authenticationRequest = identityProvider.extractCredentials(httpServletRequest);
        if (authenticationRequest == null) {
            continue;
        }
        try {
            token = createAccessToken(identityProvider, authenticationRequest);
            break;
        } catch (final InvalidCredentialsException ice) {
            logger.debug("{}: the supplied client credentials are invalid.", identityProvider.getClass().getSimpleName());
            logger.debug("", ice);
        }
    }
    if (StringUtils.isEmpty(token)) {
        List<IdentityProviderUsage.AuthType> acceptableAuthTypes = identityProviderWaterfall.stream().map(IdentityProvider::getUsageInstructions).map(IdentityProviderUsage::getAuthType).filter(Objects::nonNull).distinct().collect(Collectors.toList());
        throw new UnauthorizedException("Client credentials are missing or invalid according to all configured identity providers.").withAuthenticateChallenge(acceptableAuthTypes);
    }
    // build the response
    final URI uri = URI.create(generateResourceUri("access", "token"));
    return generateCreatedResponse(uri, token).build();
}

Example 7 with AuthenticationRequest

use of org.apache.nifi.registry.security.authentication.AuthenticationRequest in project nifi-registry by apache.

the class AccessResource method testIdentityProviderRecognizesCredentialsFormat.

/**
 * Creates a token for accessing the REST API using a custom identity provider configured using NiFi Registry extensions.
 *
 * @param httpServletRequest the servlet request
 * @return A JWT (string)
 */
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.TEXT_PLAIN)
@Path("/token/identity-provider/test")
@ApiOperation(value = "Tests the format of the credentials against this identity provider without preforming authentication on the credentials to validate them.", notes = "The user credentials should be passed in a format understood by the custom identity provider as defined by 'GET /access/token/identity-provider/usage'.", response = String.class)
@ApiResponses({ @ApiResponse(code = 400, message = HttpStatusMessages.MESSAGE_400), @ApiResponse(code = 401, message = "The format of the credentials were not recognized by the currently configured identity provider."), @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409 + " The NiFi Registry may not be configured to support login with customized credentials."), @ApiResponse(code = 500, message = HttpStatusMessages.MESSAGE_500) })
public Response testIdentityProviderRecognizesCredentialsFormat(@Context HttpServletRequest httpServletRequest) {
    // only support access tokens when communicating over HTTPS
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("Access tokens are only issued over HTTPS");
    }
    // if not configured with custom identity provider, don't consider credentials
    if (identityProvider == null) {
        throw new IllegalStateException("Custom login not supported by this NiFi Registry");
    }
    final Class ipClazz = identityProvider.getClass();
    final String identityProviderName = StringUtils.isNotEmpty(ipClazz.getSimpleName()) ? ipClazz.getSimpleName() : ipClazz.getName();
    // attempt to extract client credentials without authenticating them
    AuthenticationRequest authenticationRequest = identityProvider.extractCredentials(httpServletRequest);
    if (authenticationRequest == null) {
        throw new UnauthorizedException("The format of the credentials were not recognized by the currently configured identity provider " + "'" + identityProviderName + "'. " + identityProvider.getUsageInstructions().getText()).withAuthenticateChallenge(identityProvider.getUsageInstructions().getAuthType());
    }
    final String successMessage = identityProviderName + " recognized the format of the credentials in the HTTP request.";
    return generateOkResponse(successMessage).build();
}

Example 8 with AuthenticationRequest

use of org.apache.nifi.registry.security.authentication.AuthenticationRequest in project nifi-registry by apache.

the class IdentityAuthenticationProvider method authenticate.

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // Determine if this AuthenticationProvider's identityProvider should be able to support this AuthenticationRequest
    boolean tokenOriginatedFromThisIdentityProvider = checkTokenOriginatedFromThisIdentityProvider(authentication);
    if (!tokenOriginatedFromThisIdentityProvider) {
        // cannot authenticate this token and another provider should be tried.
        return null;
    }
    AuthenticationRequestToken authenticationRequestToken = ((AuthenticationRequestToken) authentication);
    AuthenticationRequest authenticationRequest = authenticationRequestToken.getAuthenticationRequest();
    try {
        AuthenticationResponse authenticationResponse = identityProvider.authenticate(authenticationRequest);
        if (authenticationResponse == null) {
            return null;
        }
        return buildAuthenticatedToken(authenticationRequestToken, authenticationResponse);
    } catch (InvalidCredentialsException e) {
        throw new BadCredentialsException("Identity Provider authentication failed.", e);
    }
}