use of org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException in project nifi-registry by apache.
the class AccessResource method createAccessTokenUsingIdentityProviderCredentials.
/**
 * Creates a token for accessing the REST API using a custom identity provider configured using NiFi Registry extensions.
 *
 * <p>The request must arrive over HTTPS and a custom identity provider must be configured; either condition
 * failing raises an {@link IllegalStateException}. Missing or rejected credentials raise an
 * {@link UnauthorizedException} that carries the provider's authentication challenge.
 *
 * @param httpServletRequest the servlet request
 * @return A JWT (string)
 */
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.TEXT_PLAIN)
@Path("/token/identity-provider")
@ApiOperation(value = "Creates a token for accessing the REST API via a custom identity provider.",
        notes = "The user credentials must be passed in a format understood by the custom identity provider, e.g., a third-party auth token in an HTTP header. "
                + "The exact format of the user credentials expected by the custom identity provider can be discovered by 'GET /access/token/identity-provider/usage'. "
                + "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, "
                + "the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header "
                + "in the format 'Authorization: Bearer <token>'.",
        response = String.class)
@ApiResponses({
        @ApiResponse(code = 400, message = HttpStatusMessages.MESSAGE_400),
        @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401),
        @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409 + " The NiFi Registry may not be configured to support login with customized credentials."),
        @ApiResponse(code = 500, message = HttpStatusMessages.MESSAGE_500) })
public Response createAccessTokenUsingIdentityProviderCredentials(@Context HttpServletRequest httpServletRequest) {
    // A JWT is a bearer credential: never issue one over a cleartext channel.
    // NOTE(review): isSecure() reflects the connector the request arrived on; behind a TLS-terminating
    // proxy this depends on container/connector configuration — confirm for the deployment.
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("Access tokens are only issued over HTTPS");
    }

    // No custom identity provider configured means there is nothing to authenticate against,
    // so the supplied credentials are not examined at all.
    if (identityProvider == null) {
        throw new IllegalStateException("Custom login not supported by this NiFi Registry");
    }

    final AuthenticationRequest extractedCredentials = identityProvider.extractCredentials(httpServletRequest);
    if (extractedCredentials == null) {
        // Advertise how credentials are expected so a client can retry correctly.
        throw new UnauthorizedException("The client credentials are missing from the request.")
                .withAuthenticateChallenge(identityProvider.getUsageInstructions().getAuthType());
    }

    final String jwt;
    try {
        jwt = createAccessToken(identityProvider, extractedCredentials);
    } catch (final InvalidCredentialsException ice) {
        // Rejected credentials surface as unauthorized; the original exception is kept as the cause.
        throw new UnauthorizedException("The supplied client credentials are not valid.", ice)
                .withAuthenticateChallenge(identityProvider.getUsageInstructions().getAuthType());
    }

    final URI tokenUri = URI.create(generateResourceUri("access", "token"));
    return generateCreatedResponse(tokenUri, jwt).build();
}
use of org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException in project nifi-registry by apache.
the class AccessResource method createAccessTokenUsingKerberosTicket.
/**
 * Creates a token for accessing the REST API using a Kerberos Service Ticket or SPNEGO token.
 *
 * <p>The request must arrive over HTTPS and Kerberos SPNEGO support must be enabled with a provider present;
 * either condition failing raises an {@link IllegalStateException}. Missing or rejected credentials raise an
 * {@link UnauthorizedException} that carries the provider's authentication challenge.
 *
 * @param httpServletRequest the servlet request
 * @return A JWT (string)
 */
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.TEXT_PLAIN)
@Path("/token/kerberos")
@ApiOperation(value = "Creates a token for accessing the REST API via Kerberos Service Tickets or SPNEGO Tokens (which includes Kerberos Service Tickets)",
        notes = "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, "
                + "the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header "
                + "in the format 'Authorization: Bearer <token>'.",
        response = String.class)
@ApiResponses({
        @ApiResponse(code = 400, message = HttpStatusMessages.MESSAGE_400),
        @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401),
        @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409 + " The NiFi Registry may not be configured to support login Kerberos credentials."),
        @ApiResponse(code = 500, message = HttpStatusMessages.MESSAGE_500) })
public Response createAccessTokenUsingKerberosTicket(@Context HttpServletRequest httpServletRequest) {
    // A JWT is a bearer credential: never issue one over a cleartext channel.
    // NOTE(review): isSecure() reflects the connector the request arrived on; behind a TLS-terminating
    // proxy this depends on container/connector configuration — confirm for the deployment.
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("Access tokens are only issued over HTTPS");
    }

    // Kerberos SPNEGO login requires both the feature flag and an initialized provider;
    // without them the supplied ticket is not examined at all.
    if (!properties.isKerberosSpnegoSupportEnabled() || kerberosSpnegoIdentityProvider == null) {
        throw new IllegalStateException("Kerberos service ticket login not supported by this NiFi Registry");
    }

    final AuthenticationRequest extractedCredentials = kerberosSpnegoIdentityProvider.extractCredentials(httpServletRequest);
    if (extractedCredentials == null) {
        // Advertise how credentials are expected so a client can retry correctly.
        throw new UnauthorizedException("The client credentials are missing from the request.")
                .withAuthenticateChallenge(kerberosSpnegoIdentityProvider.getUsageInstructions().getAuthType());
    }

    final String jwt;
    try {
        jwt = createAccessToken(kerberosSpnegoIdentityProvider, extractedCredentials);
    } catch (final InvalidCredentialsException ice) {
        // Rejected credentials surface as unauthorized; the original exception is kept as the cause.
        throw new UnauthorizedException("The supplied client credentials are not valid.", ice)
                .withAuthenticateChallenge(kerberosSpnegoIdentityProvider.getUsageInstructions().getAuthType());
    }

    final URI tokenUri = URI.create(generateResourceUri("access", "token"));
    return generateCreatedResponse(tokenUri, jwt).build();
}
use of org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException in project nifi-registry by apache.
the class X509IdentityProvider method authenticate.
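/**
 * For a given {@link AuthenticationRequest}, this validates the client certificate and creates a populated {@link AuthenticationResponse}.
 *
 * The {@link AuthenticationRequest} authenticationRequest parameter is expected to be populated as:
 * - username: principal DN from first client cert
 * - credentials: first client certificate (X509Certificate)
 * - details: proxied-entities chain (String)
 *
 * @param authenticationRequest the request, containing identity claim credentials for the IdentityProvider to authenticate and determine an identity
 * @return the populated response for the certificate's principal, or {@code null} when the request or its username is absent
 * @throws InvalidCredentialsException if the client certificate is expired, not yet valid, or cannot be validated for any other reason
 */
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException {
    if (authenticationRequest == null || authenticationRequest.getUsername() == null) {
        return null;
    }

    final String principal = authenticationRequest.getUsername();

    try {
        final X509Certificate clientCertificate = (X509Certificate) authenticationRequest.getCredentials();
        validateClientCertificate(clientCertificate);
    } catch (CertificateExpiredException cee) {
        final String message = String.format("Client certificate for (%s) is expired.", principal);
        logger.warn(message, cee);
        throw new InvalidCredentialsException(message, cee);
    } catch (CertificateNotYetValidException cnyve) {
        final String message = String.format("Client certificate for (%s) is not yet valid.", principal);
        logger.warn(message, cnyve);
        throw new InvalidCredentialsException(message, cnyve);
    } catch (final Exception e) {
        // Any other failure — credentials that are not an X509Certificate, a null certificate, or an
        // unexpected error inside validateClientCertificate — must not fall through to a successful
        // response. Previously this branch only logged and the method then returned an authenticated
        // principal, i.e. the authenticator failed open. Reject the credentials instead.
        final String message = String.format("Client certificate for (%s) could not be validated.", principal);
        logger.warn(message, e);
        throw new InvalidCredentialsException(message, e);
    }

    // build the authentication response
    return new AuthenticationResponse(principal, principal, expiration, issuer);
}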
use of org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException in project nifi-registry by apache.
the class KerberosIdentityProvider method authenticate.
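/**
 * Authenticates the supplied username/password credentials against the configured Kerberos authentication provider.
 *
 * @param authenticationRequest the request whose username and credentials are handed to the Kerberos provider
 * @return a populated response for the authenticated principal, or {@code null} if the request is {@code null}
 * @throws InvalidCredentialsException if the Kerberos provider rejects the credentials
 * @throws IdentityAccessException if the Kerberos authentication provider has not been initialized
 */
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
    if (provider == null) {
        throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
    }

    // Consistent with the other identity providers: a null request yields no response rather than an NPE.
    if (authenticationRequest == null) {
        logger.info("Cannot authenticate null authenticationRequest, returning null.");
        return null;
    }

    try {
        final String username = authenticationRequest.getUsername();
        final Object credentials = authenticationRequest.getCredentials();

        // The credentials are passed to the provider as-is. (A previously computed String copy of the
        // password was never used and has been removed.)
        final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, credentials);
        // Parameterized so the token is only rendered when debug logging is enabled.
        logger.debug("Created authentication token {}", token);

        final Authentication authentication = provider.authenticate(token);
        logger.debug("Ran provider.authenticate(token) and returned authentication for principal={} with name={} and isAuthenticated={}",
                authentication.getPrincipal(), authentication.getName(), authentication.isAuthenticated());
        return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
    } catch (final AuthenticationException e) {
        // Keep the provider's exception as the cause; the message alone is rarely enough to diagnose Kerberos failures.
        throw new InvalidCredentialsException(e.getMessage(), e);
    }
}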
use of org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException in project nifi-registry by apache.
the class KerberosSpnegoIdentityProvider method authenticate.
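/**
 * Authenticates a Kerberos service ticket (or SPNEGO token) carried in the request credentials.
 *
 * @param authenticationRequest the request; its credentials are expected to be the raw ticket as a {@code byte[]},
 *                              and its details are passed through to the Kerberos service request token
 * @return a populated response for the authenticated Kerberos principal, or {@code null} if the request is
 *         {@code null} or does not carry a {@code byte[]} ticket
 * @throws InvalidCredentialsException if the ticket cannot be authenticated
 * @throws IdentityAccessException if the Kerberos service authentication provider has not been initialized
 */
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
    if (authenticationRequest == null) {
        logger.info("Cannot authenticate null authenticationRequest, returning null.");
        return null;
    }

    final Object credentials = authenticationRequest.getCredentials();
    final byte[] kerberosTicket = credentials instanceof byte[] ? (byte[]) credentials : null;

    // Guard on the extracted ticket rather than the raw credentials object: a non-null credential of the
    // wrong type previously passed this check and reached the provider with a null ticket.
    if (kerberosTicket == null) {
        logger.info("Kerberos Ticket not found in authenticationRequest credentials, returning null.");
        return null;
    }

    if (kerberosServiceAuthenticationProvider == null) {
        throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
    }

    try {
        final KerberosServiceRequestToken kerberosServiceRequestToken = new KerberosServiceRequestToken(kerberosTicket);
        kerberosServiceRequestToken.setDetails(authenticationRequest.getDetails());

        final Authentication authentication = kerberosServiceAuthenticationProvider.authenticate(kerberosServiceRequestToken);
        if (authentication == null) {
            throw new InvalidCredentialsException("Kerberos credentials could not be authenticated.");
        }

        final String kerberosPrincipal = authentication.getName();
        return new AuthenticationResponse(kerberosPrincipal, kerberosPrincipal, expiration, issuer);
    } catch (final AuthenticationException e) {
        String authFailedMessage = "Kerberos credentials could not be authenticated.";

        /* Kerberos uses encryption with up to AES-256, specifically AES256-CTS-HMAC-SHA1-96.
         * That is not available in every JRE, particularly if Unlimited Strength Encryption
         * policies are not installed in the Java home lib dir. The Kerberos lib does not
         * differentiate between failures due to decryption and those due to bad credentials
         * without walking the causes of the exception, so this check puts something
         * potentially useful in the logs for those troubleshooting Kerberos authentication. */
        if (!Boolean.FALSE.equals(CryptoUtils.isCryptoRestricted())) {
            authFailedMessage += " This Java Runtime does not support unlimited strength encryption. "
                    + "This could cause Kerberos authentication to fail as it can require AES-256.";
        }

        logger.info(authFailedMessage);
        throw new InvalidCredentialsException(authFailedMessage, e);
    }
}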