Example 1 with AuthenticationResponse

Use of org.apache.nifi.registry.security.authentication.AuthenticationResponse in project nifi-registry by apache.

The class X509IdentityProvider, method authenticate.

/**
 * For a given {@link AuthenticationRequest}, this validates the client certificate and creates a populated {@link AuthenticationResponse}.
 *
 * The {@link AuthenticationRequest} authenticationRequest parameter is expected to be populated as:
 *  - username: principal DN from first client cert
 *  - credentials: first client certificate (X509Certificate)
 *  - details: proxied-entities chain (String)
 *
 * @param authenticationRequest the request, containing identity claim credentials for the IdentityProvider to authenticate and determine an identity
 */
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException {
    if (authenticationRequest == null || authenticationRequest.getUsername() == null) {
        return null;
    }
    String principal = authenticationRequest.getUsername();
    try {
        // re-check the validity window of the presented client certificate
        X509Certificate clientCertificate = (X509Certificate) authenticationRequest.getCredentials();
        validateClientCertificate(clientCertificate);
    } catch (CertificateExpiredException cee) {
        final String message = String.format("Client certificate for (%s) is expired.", principal);
        logger.warn(message, cee);
        throw new InvalidCredentialsException(message, cee);
    } catch (CertificateNotYetValidException cnyve) {
        final String message = String.format("Client certificate for (%s) is not yet valid.", principal);
        logger.warn(message, cnyve);
        throw new InvalidCredentialsException(message, cnyve);
    } catch (final Exception e) {
        // any other failure (for example credentials that are not an X509Certificate) is only logged;
        // the method still falls through and returns a populated response for the principal
        logger.warn(e.getMessage(), e);
    }
    // build the authentication response
    return new AuthenticationResponse(principal, principal, expiration, issuer);
}
Also used: java.security.cert.CertificateExpiredException, java.security.cert.CertificateNotYetValidException, java.security.cert.X509Certificate, org.apache.nifi.registry.security.authentication.AuthenticationResponse, org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException, org.apache.nifi.registry.security.exception.SecurityProviderCreationException, org.apache.nifi.registry.security.exception.SecurityProviderDestructionException

Example 2 with AuthenticationResponse

Use of org.apache.nifi.registry.security.authentication.AuthenticationResponse in project nifi-registry by apache.

The class KerberosIdentityProvider, method authenticate.

@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
    if (provider == null) {
        throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
    }
    try {
        // extract the identity claim; credentials that are not a String are treated as absent
        final String username = authenticationRequest.getUsername();
        final Object credentials = authenticationRequest.getCredentials();
        final String password = credentials instanceof String ? (String) credentials : null;
        // perform the authentication
        final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
        logger.debug("Created authentication token " + token.toString());
        final Authentication authentication = provider.authenticate(token);
        logger.debug("Ran provider.authenticate(token) and returned authentication for " + "principal={} with name={} and isAuthenticated={}", authentication.getPrincipal(), authentication.getName(), authentication.isAuthenticated());
        return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
    } catch (final AuthenticationException e) {
        throw new InvalidCredentialsException(e.getMessage(), e);
    }
}
Also used: org.apache.nifi.registry.security.authentication.AuthenticationResponse, org.apache.nifi.registry.security.authentication.exception.IdentityAccessException, org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException, org.springframework.security.authentication.UsernamePasswordAuthenticationToken, org.springframework.security.core.Authentication, org.springframework.security.core.AuthenticationException

Example 3 with AuthenticationResponse

Use of org.apache.nifi.registry.security.authentication.AuthenticationResponse in project nifi-registry by apache.

The class KerberosSpnegoIdentityProvider, method authenticate.

@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
    if (authenticationRequest == null) {
        logger.info("Cannot authenticate null authenticationRequest, returning null.");
        return null;
    }
    final Object credentials = authenticationRequest.getCredentials();
    // the ticket must arrive as a raw byte array; anything else is treated as absent
    byte[] kerberosTicket = credentials instanceof byte[] ? (byte[]) credentials : null;
    if (kerberosTicket == null) {
        logger.info("Kerberos Ticket not found in authenticationRequest credentials, returning null.");
        return null;
    }
    if (kerberosServiceAuthenticationProvider == null) {
        throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
    }
    try {
        KerberosServiceRequestToken kerberosServiceRequestToken = new KerberosServiceRequestToken(kerberosTicket);
        kerberosServiceRequestToken.setDetails(authenticationRequest.getDetails());
        Authentication authentication = kerberosServiceAuthenticationProvider.authenticate(kerberosServiceRequestToken);
        if (authentication == null) {
            throw new InvalidCredentialsException("Kerberos credentials could not be authenticated.");
        }
        final String kerberosPrincipal = authentication.getName();
        return new AuthenticationResponse(kerberosPrincipal, kerberosPrincipal, expiration, issuer);
    } catch (AuthenticationException e) {
        String authFailedMessage = "Kerberos credentials could not be authenticated.";
        /* Kerberos uses encryption with up to AES-256, specifically AES256-CTS-HMAC-SHA1-96.
         * That is not available in every JRE, particularly if Unlimited Strength Encryption
         * policies are not installed in the Java home lib dir. The Kerberos lib does not
         * differentiate between failures due to decryption and those due to bad credentials
         * without walking the causes of the exception, so this check puts something
         * potentially useful in the logs for those troubleshooting Kerberos authentication. */
        if (!Boolean.FALSE.equals(CryptoUtils.isCryptoRestricted())) {
            authFailedMessage += " This Java Runtime does not support unlimited strength encryption. " + "This could cause Kerberos authentication to fail as it can require AES-256.";
        }
        logger.info(authFailedMessage);
        throw new InvalidCredentialsException(authFailedMessage, e);
    }
}
Also used: org.apache.nifi.registry.security.authentication.AuthenticationResponse, org.apache.nifi.registry.security.authentication.exception.IdentityAccessException, org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException, org.springframework.security.core.Authentication, org.springframework.security.core.AuthenticationException, org.springframework.security.kerberos.authentication.KerberosServiceRequestToken

Example 4 with AuthenticationResponse

Use of org.apache.nifi.registry.security.authentication.AuthenticationResponse in project nifi-registry by apache.

The class JwtIdentityProvider, method authenticate.

@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
    if (authenticationRequest == null) {
        logger.info("Cannot authenticate null authenticationRequest, returning null.");
        return null;
    }
    final Object credentials = authenticationRequest.getCredentials();
    // the token must arrive as a String; anything else is treated as absent
    String jwtAuthToken = credentials instanceof String ? (String) credentials : null;
    if (jwtAuthToken == null) {
        logger.info("JWT not found in authenticationRequest credentials, returning null.");
        return null;
    }
    try {
        final String jwtPrincipal = jwtService.getAuthenticationFromToken(jwtAuthToken);
        return new AuthenticationResponse(jwtPrincipal, jwtPrincipal, expiration, issuer);
    } catch (JwtException e) {
        throw new InvalidAuthenticationException(e.getMessage(), e);
    }
}
Also used: io.jsonwebtoken.JwtException, org.apache.nifi.registry.security.authentication.AuthenticationResponse, org.apache.nifi.registry.web.security.authentication.exception.InvalidAuthenticationException

Example 5 with AuthenticationResponse

Use of org.apache.nifi.registry.security.authentication.AuthenticationResponse in project nifi-registry by apache.

The class LdapIdentityProvider, method authenticate.

@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
    if (authenticationRequest == null || StringUtils.isEmpty(authenticationRequest.getUsername())) {
        logger.debug("Call to authenticate method with null or empty authenticationRequest, returning null without attempting to authenticate");
        return null;
    }
    if (ldapAuthenticationProvider == null) {
        throw new IdentityAccessException("The LDAP authentication provider is not initialized.");
    }
    try {
        // extract the identity claim; credentials that are not a String are treated as absent
        final String username = authenticationRequest.getUsername();
        final Object credentials = authenticationRequest.getCredentials();
        final String password = credentials instanceof String ? (String) credentials : null;
        // perform the authentication
        final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
        logger.debug("Created authentication token: {}", token.toString());
        final Authentication authentication = ldapAuthenticationProvider.authenticate(token);
        // use dn if configured
        if (IdentityStrategy.USE_DN.equals(identityStrategy)) {
            // attempt to get the ldap user details to get the DN
            if (authentication.getPrincipal() instanceof LdapUserDetails) {
                final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
                return new AuthenticationResponse(userDetails.getDn(), username, expiration, issuer);
            } else {
                logger.warn(String.format("Unable to determine user DN for %s, using username.", authentication.getName()));
                return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
            }
        } else {
            return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
        }
    } catch (final BadCredentialsException | UsernameNotFoundException | AuthenticationException e) {
        throw new InvalidCredentialsException(e.getMessage(), e);
    } catch (final Exception e) {
        // there appears to be a bug that produces an InternalAuthenticationServiceException wrapped around an AuthenticationException. that
        // shouldn't happen: the service exception indicates that something was wrong with the service, while the authentication
        // exception indicates that the username and/or credentials were incorrect. checking the cause handles this scenario.
        final Throwable cause = e.getCause();
        if (cause instanceof AuthenticationException) {
            throw new InvalidCredentialsException(e.getMessage(), e);
        }
        logger.error(e.getMessage());
        if (logger.isDebugEnabled()) {
            logger.debug(StringUtils.EMPTY, e);
        }
        throw new IdentityAccessException("Unable to validate the supplied credentials. Please contact the system administrator.", e);
    }
}
Also used: java.io.IOException, java.security.KeyManagementException, java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.security.UnrecoverableKeyException, java.security.cert.CertificateException, org.apache.nifi.registry.security.authentication.AuthenticationResponse, org.apache.nifi.registry.security.authentication.exception.IdentityAccessException, org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException, org.apache.nifi.registry.security.exception.SecurityProviderCreationException, org.apache.nifi.registry.security.exception.SecurityProviderDestructionException, org.springframework.ldap.AuthenticationException, org.springframework.security.authentication.BadCredentialsException, org.springframework.security.authentication.UsernamePasswordAuthenticationToken, org.springframework.security.core.Authentication, org.springframework.security.core.userdetails.UsernameNotFoundException, org.springframework.security.ldap.userdetails.LdapUserDetails
