You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2022/03/15 14:43:47 UTC
[GitHub] [knox] pzampino commented on a change in pull request #545: KNOX-2714 - Added doAs support to KnoxToken service

pzampino commented on a change in pull request #545:
URL: https://github.com/apache/knox/pull/545#discussion_r827007168



##########
File path: gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
##########
@@ -140,15 +139,9 @@ public void doFilter(ServletRequest request, ServletResponse response,
   private String getAccessToken(final String principalName, String serviceName, long expires) {
     String accessToken = null;
 
-    Principal p = new Principal() {
-      @Override
-      public String getName() {
-        return principalName;
-      }
-    };
     JWT token;
     try {
-      final JWTokenAttributes jwtAttributes = new JWTokenAttributesBuilder().setPrincipal(p).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
+      final JWTokenAttributes jwtAttributes = new JWTokenAttributesBuilder().setUserName(principalName).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();

Review comment:
       Do we not need to still set the principal? Is it done indirectly by setting the username?

##########
File path: gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
##########
@@ -65,7 +65,7 @@ public void doFilter(ServletRequest request, ServletResponse response,
     principalName = mapper.mapUserPrincipal(principalName);
     JWT authCode;
     try {
-      authCode = authority.issueToken(new JWTokenAttributesBuilder().setPrincipal(subject).setAlgorithm(signatureAlgorithm).build());
+      authCode = authority.issueToken(new JWTokenAttributesBuilder().setUserName(principalName).setAlgorithm(signatureAlgorithm).build());

Review comment:
       Do we not need to still set the principal? Is it done indirectly by setting the username?

##########
File path: gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
##########
@@ -672,7 +682,24 @@ private Response getAuthenticationToken() {
         .getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
 
     JWTokenAuthority ts = services.getService(ServiceType.TOKEN_SERVICE);
-    Principal p = request.getUserPrincipal();
+
+    String userName = request.getUserPrincipal().getName();
+    String createdBy = null;
+    // checking the doAs user only makes sense if tokens are managed (this is where we store the userName information)
+    if (tokenStateService != null) {
+      final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+      if (doAsUser != null && !doAsUser.equals(userName)) {
+        try {
+          //this call will authorize the doAs request
+          AuthFilterUtils.getProxyRequest(request, doAsUser);

Review comment:
       This is a little confusing since you're not getting a request object here; You're only leveraging the behavior you happen to know about internally to do the authorization. It would probably be better to have a separate method for the authorization, which could be invoked specifically here and also in the implementation of the getProxyRequest() method.

##########
File path: gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateServiceMessages.java
##########
@@ -246,4 +246,7 @@
 
   @Message(level = MessageLevel.ERROR, text = "An error occurred while fetching tokens for user {0} from the database : {1}")
   void errorFetchingTokensForUserFromDatabase(String userName, String errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e);
+
+  @Message(level = MessageLevel.ERROR, text = "An error occurred while fetching 'doAs' tokens for user {0} from the database : {1}")

Review comment:
       doAs -> impersonation




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@knox.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org