
Example 1 with X509AuthenticationRequestToken

Use of org.apache.nifi.web.security.x509.X509AuthenticationRequestToken in project nifi by apache.

Class AccessResource, method getAccessStatus. The method reports who the caller is without changing any state: it refuses requests that did not arrive over HTTPS, authenticates from the TLS client certificate when one was presented (the X-ProxiedEntitiesChain header is passed to the X.509 provider together with the certificate, so a chain is only honoured when the provider accepts the certificate holder as a proxy), and otherwise falls back to a bearer token taken from the Authorization header.

/**
 * Gets the status of the client's access.
 *
 * @param httpServletRequest the servlet request
 * @return an AccessStatusEntity
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("")
@ApiOperation(value = "Gets the status of the client's access", notes = NON_GUARANTEED_ENDPOINT, response = AccessStatusEntity.class)
@ApiResponses(value = {
    @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
    @ApiResponse(code = 401, message = "Unable to determine access status because the client could not be authenticated."),
    @ApiResponse(code = 403, message = "Unable to determine access status because the client is not authorized to make this request."),
    @ApiResponse(code = 409, message = "Unable to determine access status because NiFi is not in the appropriate state."),
    @ApiResponse(code = 500, message = "Unable to determine access status because an unexpected error occurred.")
})
public Response getAccessStatus(@Context HttpServletRequest httpServletRequest) {
    // only consider user specific access over https; credentials are never evaluated on a plaintext connection
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("User authentication/authorization is only supported when running over HTTPS.");
    }
    final AccessStatusDTO accessStatus = new AccessStatusDTO();
    try {
        final X509Certificate[] certificates = certificateExtractor.extractClientCertificate(httpServletRequest);
        // if there is no client certificate, consider a token; when a certificate is present the Authorization header is ignored
        if (certificates == null) {
            // look for an authorization token
            final String authorization = httpServletRequest.getHeader(JwtAuthenticationFilter.AUTHORIZATION);
            // if there is no authorization header, we don't know the user
            if (authorization == null) {
                accessStatus.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
                accessStatus.setMessage("No credentials supplied, unknown user.");
            } else {
                try {
                    // the token is whatever follows the last space in the header value, e.g. "Bearer <jwt>"
                    final String token = StringUtils.substringAfterLast(authorization, " ");
                    final JwtAuthenticationRequestToken jwtRequest = new JwtAuthenticationRequestToken(token, httpServletRequest.getRemoteAddr());
                    // the provider verifies the token; a bad signature, expiry or malformed token surfaces as JwtException
                    final NiFiAuthenticationToken authenticationResponse = (NiFiAuthenticationToken) jwtAuthenticationProvider.authenticate(jwtRequest);
                    final NiFiUser nifiUser = ((NiFiUserDetails) authenticationResponse.getDetails()).getNiFiUser();
                    // set the user identity
                    accessStatus.setIdentity(nifiUser.getIdentity());
                    // authenticated; report the session as active
                    accessStatus.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                    accessStatus.setMessage("You are already logged in.");
                } catch (JwtException e) {
                    // invalid token -> 401
                    throw new InvalidAuthenticationException(e.getMessage(), e);
                }
            }
        } else {
            try {
                // the X-ProxiedEntitiesChain header (end user plus any upstream proxies) is handed to the
                // provider together with the certificate; the provider rejects the chain with
                // UntrustedProxyException if any proxy in it, the certificate holder included, is not
                // authorized to proxy, so the header alone can never assert an identity
                final X509AuthenticationRequestToken x509Request = new X509AuthenticationRequestToken(httpServletRequest.getHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN), principalExtractor, certificates, httpServletRequest.getRemoteAddr());
                final NiFiAuthenticationToken authenticationResponse = (NiFiAuthenticationToken) x509AuthenticationProvider.authenticate(x509Request);
                final NiFiUser nifiUser = ((NiFiUserDetails) authenticationResponse.getDetails()).getNiFiUser();
                // set the user identity
                accessStatus.setIdentity(nifiUser.getIdentity());
                // authenticated; report the session as active
                accessStatus.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                accessStatus.setMessage("You are already logged in.");
            } catch (final IllegalArgumentException iae) {
                // unusable certificate or chain -> 401
                throw new InvalidAuthenticationException(iae.getMessage(), iae);
            }
        }
    } catch (final UntrustedProxyException upe) {
        // a hop in the proxy chain is not authorized to proxy -> 403
        throw new AccessDeniedException(upe.getMessage(), upe);
    } catch (final AuthenticationServiceException ase) {
        // the provider itself failed -> 500
        throw new AdministrationException(ase.getMessage(), ase);
    }
    // create the entity
    final AccessStatusEntity entity = new AccessStatusEntity();
    entity.setAccessStatus(accessStatus);
    return generateOkResponse(entity).build();
}
Also used (types referenced by this method):

io.jsonwebtoken.JwtException
io.swagger.annotations.ApiOperation
io.swagger.annotations.ApiResponses
java.security.cert.X509Certificate
javax.ws.rs.Consumes
javax.ws.rs.GET
javax.ws.rs.Path
javax.ws.rs.Produces
org.apache.nifi.admin.service.AdministrationException
org.apache.nifi.authorization.AccessDeniedException
org.apache.nifi.authorization.user.NiFiUser
org.apache.nifi.authorization.user.NiFiUserDetails
org.apache.nifi.web.api.dto.AccessStatusDTO
org.apache.nifi.web.api.entity.AccessStatusEntity
org.apache.nifi.web.security.InvalidAuthenticationException
org.apache.nifi.web.security.UntrustedProxyException
org.apache.nifi.web.security.jwt.JwtAuthenticationRequestToken
org.apache.nifi.web.security.token.NiFiAuthenticationToken
org.apache.nifi.web.security.x509.X509AuthenticationRequestToken
org.springframework.security.authentication.AuthenticationServiceException
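The security-relevant work in the x509 branch happens inside the provider the method calls, not in the method itself: the X-ProxiedEntitiesChain header is only trusted as far as every hop that forwarded the request is an identity authorized to proxy, and the TLS client certificate is the one identity the transport actually proved. The following is an added example, not NiFi code and not part of the page above, that models that decision so the failure modes can be exercised offline. It assumes NiFi's `<dn><dn>` header format with literal `<` and `>` escaped as `\<` and `\>` (parsed more strictly here than NiFi does), uses a constructed allow-list `TRUSTED_PROXIES` in place of the authorizer's decision on the proxy resource, and all DNs are constructed sample data.

```python
"""Trust decision behind the x509 branch above (added example, not NiFi code). Assumes NiFi's
<dn><dn> header format with literal < and > escaped as \\< and \\> (parsed more strictly than
NiFi does) and a constructed allow-list, TRUSTED_PROXIES, in place of the authorizer."""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS_IDENTITY = "anonymous"


class UntrustedProxyException(Exception):
    """A forwarding hop is not authorized to proxy (the endpoint maps this to AccessDeniedException)."""


class InvalidAuthenticationException(Exception):
    """Malformed chain header (the endpoint maps argument errors to a 401)."""


@dataclass(frozen=True)
class NiFiUser:
    identity: str
    anonymous: bool
    chain: Optional["NiFiUser"]  # the proxy that forwarded this request; None for the direct TLS client


def format_proxy_dn(identities: list[str]) -> str:
    """Build a chain header: each identity in <...>, literal < and > escaped (assumed NiFi format)."""
    return "".join("<" + i.replace(">", "\\>").replace("<", "\\<") + ">" for i in identities)


def tokenize_proxied_entities_chain(header: Optional[str]) -> list[str]:
    """Inverse of format_proxy_dn. '<>' is the anonymous end user and comes back as ''."""
    entities: list[str] = []
    if not header:
        return entities
    buf: list[str] = []
    in_entity = False
    i = 0
    while i < len(header):
        c = header[i]
        if c == "\\" and i + 1 < len(header) and header[i + 1] in "<>":
            if not in_entity:
                raise InvalidAuthenticationException("escaped delimiter outside an entity")
            buf.append(header[i + 1])  # unescape \< or \>
            i += 2
            continue
        if c == "<":
            if in_entity:
                raise InvalidAuthenticationException("nested '<' in proxied entities chain")
            in_entity, buf = True, []
        elif c == ">":
            if not in_entity:
                raise InvalidAuthenticationException("unbalanced '>' in proxied entities chain")
            entities.append("".join(buf))
            in_entity = False
        elif in_entity:
            buf.append(c)
        else:
            raise InvalidAuthenticationException("text outside <...> in proxied entities chain")
        i += 1
    if in_entity:
        raise InvalidAuthenticationException("unterminated entity in proxied entities chain")
    return entities


def authenticate_x509(cert_identity: str, proxied_entities_chain: Optional[str],
                      authorized_proxies: frozenset[str]) -> NiFiUser:
    """Resolve the effective user. The header lists the end user first, then each forwarding
    proxy; the TLS client certificate supplies the outermost hop and is the only identity the
    transport proved. Every hop except the end user must be an authorized proxy, otherwise the
    header is just impersonation by whoever holds the certificate."""
    hops = tokenize_proxied_entities_chain(proxied_entities_chain)
    hops.append(cert_identity)  # never empty from here on, so the loop always builds a user
    user: Optional[NiFiUser] = None
    for idx in range(len(hops) - 1, -1, -1):  # walk from the direct caller inward
        identity = hops[idx]
        is_anonymous = identity.strip() == ""
        if is_anonymous:
            identity = ANONYMOUS_IDENTITY
        if idx > 0 and (is_anonymous or identity not in authorized_proxies):
            raise UntrustedProxyException(f"Untrusted proxy {identity}")
        user = NiFiUser(identity=identity, anonymous=is_anonymous, chain=user)
    return user


def identity_chain(user: NiFiUser) -> list[str]:
    """End user first, then each proxy outward: the order a NiFi node writes into the header."""
    out: list[str] = []
    node: Optional[NiFiUser] = user
    while node is not None:
        out.append(node.identity)
        node = node.chain
    return out


# Constructed allow-list: these two node certificates are permitted to proxy user requests.
TRUSTED_PROXIES = frozenset({"CN=nifi-node-1, OU=NIFI", "CN=nifi-node-2, OU=NIFI"})
```

Calling `authenticate_x509("CN=nifi-node-1, OU=NIFI", format_proxy_dn(["CN=alice, OU=Users"]), TRUSTED_PROXIES)` yields alice as the effective user with node 1 as her proxy, whereas `authenticate_x509("CN=alice, OU=Users", format_proxy_dn(["CN=admin, OU=Users"]), TRUSTED_PROXIES)` raises `UntrustedProxyException`, because alice's own certificate is not on the proxy allow-list and so her header claim about admin is discarded. A header of `<>` from a trusted node resolves to the anonymous user, and a missing header leaves the certificate holder as the direct, unproxied user.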
