Example 1 with UntrustedProxyException

Use of org.apache.nifi.web.security.UntrustedProxyException in project nifi by apache: the class AccessResource, method getAccessStatus.

/**
 * Gets the status of the client's access.
 *
 * @param httpServletRequest the servlet request
 * @return an AccessStatusEntity
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("")
@ApiOperation(value = "Gets the status the client's access", notes = NON_GUARANTEED_ENDPOINT, response = AccessStatusEntity.class)
@ApiResponses(value = {
    @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
    @ApiResponse(code = 401, message = "Unable to determine access status because the client could not be authenticated."),
    @ApiResponse(code = 403, message = "Unable to determine access status because the client is not authorized to make this request."),
    @ApiResponse(code = 409, message = "Unable to determine access status because NiFi is not in the appropriate state."),
    @ApiResponse(code = 500, message = "Unable to determine access status because an unexpected error occurred.")
})
public Response getAccessStatus(@Context HttpServletRequest httpServletRequest) {
    // only consider user specific access over https
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("User authentication/authorization is only supported when running over HTTPS.");
    }
    final AccessStatusDTO accessStatus = new AccessStatusDTO();
    try {
        final X509Certificate[] certificates = certificateExtractor.extractClientCertificate(httpServletRequest);
        // if there is no client certificate, fall back to a bearer token
        if (certificates == null) {
            // look for an authorization token
            final String authorization = httpServletRequest.getHeader(JwtAuthenticationFilter.AUTHORIZATION);
            // if there is no authorization header, we don't know the user
            if (authorization == null) {
                accessStatus.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
                accessStatus.setMessage("No credentials supplied, unknown user.");
            } else {
                try {
                    // Extract the Base64 encoded token from the Authorization header
                    final String token = StringUtils.substringAfterLast(authorization, " ");
                    final JwtAuthenticationRequestToken jwtRequest = new JwtAuthenticationRequestToken(token, httpServletRequest.getRemoteAddr());
                    final NiFiAuthenticationToken authenticationResponse = (NiFiAuthenticationToken) jwtAuthenticationProvider.authenticate(jwtRequest);
                    final NiFiUser nifiUser = ((NiFiUserDetails) authenticationResponse.getDetails()).getNiFiUser();
                    // set the user identity
                    accessStatus.setIdentity(nifiUser.getIdentity());
                    // the token was accepted, so report the session as active
                    accessStatus.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                    accessStatus.setMessage("You are already logged in.");
                } catch (JwtException e) {
                    throw new InvalidAuthenticationException(e.getMessage(), e);
                }
            }
        } else {
            try {
                final X509AuthenticationRequestToken x509Request = new X509AuthenticationRequestToken(httpServletRequest.getHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN), principalExtractor, certificates, httpServletRequest.getRemoteAddr());
                final NiFiAuthenticationToken authenticationResponse = (NiFiAuthenticationToken) x509AuthenticationProvider.authenticate(x509Request);
                final NiFiUser nifiUser = ((NiFiUserDetails) authenticationResponse.getDetails()).getNiFiUser();
                // set the user identity
                accessStatus.setIdentity(nifiUser.getIdentity());
                // the certificate (and any proxy chain) was accepted, so report the session as active
                accessStatus.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                accessStatus.setMessage("You are already logged in.");
            } catch (final IllegalArgumentException iae) {
                throw new InvalidAuthenticationException(iae.getMessage(), iae);
            }
        }
    } catch (final UntrustedProxyException upe) {
        throw new AccessDeniedException(upe.getMessage(), upe);
    } catch (final AuthenticationServiceException ase) {
        throw new AdministrationException(ase.getMessage(), ase);
    }
    // create the entity
    final AccessStatusEntity entity = new AccessStatusEntity();
    entity.setAccessStatus(accessStatus);
    return generateOkResponse(entity).build();
}
Imports recorded for this method:

import io.jsonwebtoken.JwtException;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponses;
import java.security.cert.X509Certificate;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.web.api.dto.AccessStatusDTO;
import org.apache.nifi.web.api.entity.AccessStatusEntity;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.jwt.JwtAuthenticationRequestToken;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.apache.nifi.web.security.x509.X509AuthenticationRequestToken;
import org.springframework.security.authentication.AuthenticationServiceException;

Example 2 with UntrustedProxyException

Use of org.apache.nifi.web.security.UntrustedProxyException in project nifi by apache: the class X509AuthenticationProvider, method authenticate.

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    final X509AuthenticationRequestToken request = (X509AuthenticationRequestToken) authentication;
    // attempt to authenticate if certificates were found
    final AuthenticationResponse authenticationResponse;
    try {
        authenticationResponse = certificateIdentityProvider.authenticate(request.getCertificates());
    } catch (final IllegalArgumentException iae) {
        throw new InvalidAuthenticationException(iae.getMessage(), iae);
    }
    if (StringUtils.isBlank(request.getProxiedEntitiesChain())) {
        final String mappedIdentity = mapIdentity(authenticationResponse.getIdentity());
        return new NiFiAuthenticationToken(new NiFiUserDetails(new Builder()
                .identity(mappedIdentity)
                .groups(getUserGroups(mappedIdentity))
                .clientAddress(request.getClientAddress())
                .build()));
    } else {
        // build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
        final List<String> proxyChain = new ArrayList<>(ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(request.getProxiedEntitiesChain()));
        proxyChain.add(authenticationResponse.getIdentity());
        // add the chain as appropriate to each proxy
        NiFiUser proxy = null;
        for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
            String identity = chainIter.previous();
            // determine if the user is anonymous
            final boolean isAnonymous = StringUtils.isBlank(identity);
            if (isAnonymous) {
                identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
            } else {
                identity = mapIdentity(identity);
            }
            final Set<String> groups = getUserGroups(identity);
            // Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
            String clientAddress = (proxy == null) ? request.getClientAddress() : null;
            proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
            if (chainIter.hasPrevious()) {
                try {
                    PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
                } catch (final AccessDeniedException e) {
                    throw new UntrustedProxyException(String.format("Untrusted proxy %s", identity));
                }
            }
        }
        return new NiFiAuthenticationToken(new NiFiUserDetails(proxy));
    }
}
Imports recorded for this method:

import java.util.ArrayList;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.authorization.user.StandardNiFiUser.Builder;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
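The proxy-chain walk in X509AuthenticationProvider.authenticate above, modelled as an added standalone Python example (this is not NiFi's code; the names trusted_proxies, tokenize_chain, is_trusted_chain and UntrustedProxyError are this example's own, the authorizer is reduced to a set of identities permitted to act as proxies, and the chain tokenizer is a simplified stand-in for ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain). It shows why the certificate identity is appended last and the walk starts there: the X-ProxiedEntitiesChain header is merely asserted by whoever holds the client certificate, so every entity that vouches for one further up the chain must itself be authorized as a proxy, and a single untrusted link rejects the whole request.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

ANONYMOUS_IDENTITY = "anonymous"   # stands in for StandardNiFiUser.ANONYMOUS_IDENTITY


class UntrustedProxyError(Exception):
    """Raised when an entity vouching for another is not authorized as a proxy."""


@dataclass
class User:
    identity: str
    chain: Optional["User"] = None      # the proxy that presented this identity, if any
    client_address: Optional[str] = None
    anonymous: bool = False

    def chain_identities(self) -> List[str]:
        """End user first, then each proxy, ending with the certificate holder."""
        ids, cur = [], self
        while cur is not None:
            ids.append(cur.identity)
            cur = cur.chain
        return ids


def tokenize_chain(header: str) -> List[str]:
    """Parse '<a><b>' into ['a', 'b']; an empty '<>' element means anonymous.

    Simplified model (assumption): identities contain no '<' or '>' characters.
    """
    tokens: List[str] = []
    buf: List[str] = []
    inside = False
    for ch in header:
        if ch == "<" and not inside:
            inside, buf = True, []
        elif ch == ">" and inside:
            tokens.append("".join(buf))
            inside = False
        elif inside:
            buf.append(ch)
        elif not ch.isspace():
            raise ValueError(f"malformed proxied entities chain: {header!r}")
    if inside:
        raise ValueError(f"malformed proxied entities chain: {header!r}")
    return tokens


def authenticate(cert_identity: str, proxied_chain: Optional[str],
                 client_address: str, trusted_proxies: Set[str]) -> User:
    """Build the user chain, refusing any link whose presenter is not a trusted proxy.

    cert_identity comes from the verified client certificate; proxied_chain is the
    header value asserted by that certificate holder (None or blank when absent).
    """
    if proxied_chain is None or proxied_chain.strip() == "":
        return User(identity=cert_identity, client_address=client_address)

    # <end-user><proxy1><proxy2> followed by the certificate holder itself
    chain = tokenize_chain(proxied_chain) + [cert_identity]

    proxy: Optional[User] = None
    # Walk from the direct TLS client back toward the asserted end user.
    for i, raw in enumerate(reversed(chain)):
        anonymous = raw.strip() == ""
        identity = ANONYMOUS_IDENTITY if anonymous else raw
        # Only the direct client has a known network address.
        addr = client_address if proxy is None else None
        proxy = User(identity=identity, chain=proxy, client_address=addr, anonymous=anonymous)
        # Every entity with someone further up the chain is acting as a proxy
        # and must be authorized to do so (NiFi: WRITE on the proxy authorizable).
        if i < len(chain) - 1 and identity not in trusted_proxies:
            raise UntrustedProxyError(f"Untrusted proxy {identity}")
    return proxy


def is_trusted_chain(cert_identity: str, proxied_chain: Optional[str],
                     client_address: str, trusted_proxies: Set[str]) -> bool:
    """True when authenticate() accepts the request, False when a link is untrusted."""
    try:
        authenticate(cert_identity, proxied_chain, client_address, trusted_proxies)
        return True
    except UntrustedProxyError:
        return False


if __name__ == "__main__":
    TRUSTED = {"CN=node1", "CN=proxy1"}   # constructed sample authorizer state
    user = authenticate("CN=node1", "<CN=alice><CN=proxy1>", "10.0.0.5", TRUSTED)
    print(user.chain_identities())        # ['CN=alice', 'CN=proxy1', 'CN=node1']
    # A certificate holder that is not a trusted proxy cannot assert another identity.
    print(is_trusted_chain("CN=rogue", "<CN=admin>", "10.0.0.9", TRUSTED))  # False
```

The order matters for the security property: the only identity NiFi can verify is the certificate holder, so the walk checks that holder first and refuses to even look at the header-asserted identities unless each intermediate hop is an authorized proxy. An anonymous end user is permitted only as the first element; an anonymous entity anywhere else would have to be in the trusted set, which it never is.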
