Search in sources :

Example 1 with NiFiUserDetails

use of org.apache.nifi.registry.security.authorization.user.NiFiUserDetails in project nifi-registry by apache.

the class X509IdentityAuthenticationProvider method buildAuthenticatedToken.

@Override
protected AuthenticationSuccessToken buildAuthenticatedToken(AuthenticationRequestToken requestToken, AuthenticationResponse response) {
    AuthenticationRequest authenticationRequest = requestToken.getAuthenticationRequest();
    String proxiedEntitiesChain = authenticationRequest.getDetails() != null ? (String) authenticationRequest.getDetails() : null;
    if (StringUtils.isBlank(proxiedEntitiesChain)) {
        return super.buildAuthenticatedToken(requestToken, response);
    }
    // build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
    final List<String> proxyChain = ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(proxiedEntitiesChain);
    proxyChain.add(response.getIdentity());
    // add the chain as appropriate to each proxy
    NiFiUser proxy = null;
    for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
        String identity = chainIter.previous();
        // determine if the user is anonymous
        final boolean isAnonymous = StringUtils.isBlank(identity);
        if (isAnonymous) {
            identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
        } else {
            identity = mapIdentity(identity);
        }
        final Set<String> groups = getUserGroups(identity);
        // Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
        String clientAddress = (proxy == null) ? requestToken.getClientAddress() : null;
        proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
        if (chainIter.hasPrevious()) {
            try {
                PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
            } catch (final AccessDeniedException e) {
                throw new UntrustedProxyException(String.format("Untrusted proxy [%s].", identity));
            }
        }
    }
    return new AuthenticationSuccessToken(new NiFiUserDetails(proxy));
}
Also used : AccessDeniedException(org.apache.nifi.registry.security.authorization.exception.AccessDeniedException) StandardNiFiUser(org.apache.nifi.registry.security.authorization.user.StandardNiFiUser) NiFiUser(org.apache.nifi.registry.security.authorization.user.NiFiUser) UntrustedProxyException(org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException) AuthenticationSuccessToken(org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken) AuthenticationRequest(org.apache.nifi.registry.security.authentication.AuthenticationRequest) NiFiUserDetails(org.apache.nifi.registry.security.authorization.user.NiFiUserDetails)

Aggregations

AuthenticationRequest (org.apache.nifi.registry.security.authentication.AuthenticationRequest)1 AccessDeniedException (org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)1 NiFiUser (org.apache.nifi.registry.security.authorization.user.NiFiUser)1 NiFiUserDetails (org.apache.nifi.registry.security.authorization.user.NiFiUserDetails)1 StandardNiFiUser (org.apache.nifi.registry.security.authorization.user.StandardNiFiUser)1 AuthenticationSuccessToken (org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken)1 UntrustedProxyException (org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException)1