You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@linkis.apache.org by al...@apache.org on 2022/03/04 06:36:29 UTC
[incubator-linkis] 02/13: Add Utils to get proxy user #1590
This is an automated email from the ASF dual-hosted git repository.
alexkun pushed a commit to branch dev-1.1.1
in repository https://gitbox.apache.org/repos/asf/incubator-linkis.git
commit 1ff097269dfe8781d0bc590647a027c35bf01e00
Author: peacewong <wp...@gmail.com>
AuthorDate: Wed Mar 2 16:09:06 2022 +0800
Add Utils to get proxy user #1590
---
.../org/apache/linkis/proxy/ProxyUserEntity.java | 62 +++++++++++++++
.../org/apache/linkis/proxy/ProxyUserService.java | 6 ++
.../linkis/server/utils/ModuleUserUtils.java | 78 +++++++++++++++++++
.../linkis/server/security/ProxyUserSSOUtils.scala | 90 ++++++++++++++++++++++
.../apache/linkis/server/security/SSOUtils.scala | 27 +------
5 files changed, 237 insertions(+), 26 deletions(-)
diff --git a/linkis-commons/linkis-module/src/main/java/org/apache/linkis/proxy/ProxyUserEntity.java b/linkis-commons/linkis-module/src/main/java/org/apache/linkis/proxy/ProxyUserEntity.java
new file mode 100644
index 0000000..f03fd45
--- /dev/null
+++ b/linkis-commons/linkis-module/src/main/java/org/apache/linkis/proxy/ProxyUserEntity.java
@@ -0,0 +1,62 @@
+package org.apache.linkis.proxy;
+
+import org.apache.commons.lang.StringUtils;
+
+public class ProxyUserEntity {
+
+ private String username;
+
+ private String proxyUser;
+
+ private String desc;
+
+ private Long elapseDay;
+
+ public String getUsername() {
+ return username;
+ }
+
+ public void setUsername(String username) {
+ this.username = username;
+ }
+
+ public String getProxyUser() {
+ return proxyUser;
+ }
+
+ public void setProxyUser(String proxyUser) {
+ this.proxyUser = proxyUser;
+ }
+
+ public String getDesc() {
+ return desc;
+ }
+
+ public void setDesc(String desc) {
+ this.desc = desc;
+ }
+
+ public Long getElapseDay() {
+ return elapseDay;
+ }
+
+ public void setElapseDay(Long elapseDay) {
+ this.elapseDay = elapseDay;
+ }
+
+ public boolean isProxyMode() {
+ return StringUtils.isNotBlank(proxyUser) && !proxyUser.equals(username);
+ }
+
+ @Override
+ public String toString() {
+ return "ProxyUserEntity{"
+ + "username='"
+ + username
+ + '\''
+ + ", proxyUser='"
+ + proxyUser
+ + '\''
+ + '}';
+ }
+}
diff --git a/linkis-commons/linkis-module/src/main/java/org/apache/linkis/proxy/ProxyUserService.java b/linkis-commons/linkis-module/src/main/java/org/apache/linkis/proxy/ProxyUserService.java
new file mode 100644
index 0000000..29f63da
--- /dev/null
+++ b/linkis-commons/linkis-module/src/main/java/org/apache/linkis/proxy/ProxyUserService.java
@@ -0,0 +1,6 @@
+package org.apache.linkis.proxy;
+
+public interface ProxyUserService {
+
+ ProxyUserEntity getProxyUserEntity(String proxyUser, String loginUser);
+}
diff --git a/linkis-commons/linkis-module/src/main/java/org/apache/linkis/server/utils/ModuleUserUtils.java b/linkis-commons/linkis-module/src/main/java/org/apache/linkis/server/utils/ModuleUserUtils.java
new file mode 100644
index 0000000..874db6b
--- /dev/null
+++ b/linkis-commons/linkis-module/src/main/java/org/apache/linkis/server/utils/ModuleUserUtils.java
@@ -0,0 +1,78 @@
+package org.apache.linkis.server.utils;
+
+import org.apache.linkis.proxy.ProxyUserEntity;
+import org.apache.linkis.server.security.ProxyUserSSOUtils;
+import org.apache.linkis.server.security.SecurityFilter;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import scala.Option;
+
+public class ModuleUserUtils {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(ModuleUserUtils.class);
+
+ /**
+ * get ProxyUserEntity 1.if not support proxy return loginUser 2.if proxy user exist return
+ * proxyUser and loginUser
+ *
+ * @param httpServletRequest
+ * @return
+ */
+ public ProxyUserEntity getProxyUserEntity(HttpServletRequest httpServletRequest) {
+ String loginUser = SecurityFilter.getLoginUsername(httpServletRequest);
+ Option<String> proxyUserUsername =
+ ProxyUserSSOUtils.getProxyUserUsername(httpServletRequest);
+ ProxyUserEntity proxyUserEntity = new ProxyUserEntity();
+ proxyUserEntity.setUsername(loginUser);
+ if (proxyUserUsername.isDefined()) {
+ proxyUserEntity.setProxyUser(proxyUserUsername.get());
+ }
+ return proxyUserEntity;
+ }
+
+ /**
+ * get ProxyUserEntity and print operation log
+ *
+ * @param httpServletRequest
+ * @param msg
+ * @return
+ */
+ public ProxyUserEntity getProxyUserEntity(HttpServletRequest httpServletRequest, String msg) {
+ ProxyUserEntity proxyUserEntity = getProxyUserEntity(httpServletRequest);
+ LOGGER.info(
+ "user {} proxy to {} operation {}",
+ proxyUserEntity.getUsername(),
+ proxyUserEntity.getProxyUser(),
+ msg);
+ return proxyUserEntity;
+ }
+
+ public String getOperationUser(HttpServletRequest httpServletRequest) {
+ ProxyUserEntity proxyUserEntity = getProxyUserEntity(httpServletRequest);
+ if (proxyUserEntity.isProxyMode()) {
+ return proxyUserEntity.getProxyUser();
+ } else {
+ return proxyUserEntity.getUsername();
+ }
+ }
+
+ /**
+ * get operation user and print log
+ *
+ * @param httpServletRequest
+ * @param msg
+ * @return
+ */
+ public String getOperationUser(HttpServletRequest httpServletRequest, String msg) {
+ ProxyUserEntity proxyUserEntity = getProxyUserEntity(httpServletRequest, msg);
+ if (proxyUserEntity.isProxyMode()) {
+ return proxyUserEntity.getProxyUser();
+ } else {
+ return proxyUserEntity.getUsername();
+ }
+ }
+}
diff --git a/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/ProxyUserSSOUtils.scala b/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/ProxyUserSSOUtils.scala
new file mode 100644
index 0000000..cac0723
--- /dev/null
+++ b/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/ProxyUserSSOUtils.scala
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.linkis.server.security
+
+import org.apache.commons.lang.StringUtils
+import org.apache.linkis.common.conf.CommonVars
+import org.apache.linkis.common.utils.{DESUtil, Logging}
+import org.apache.linkis.server.conf.ServerConfiguration
+import org.apache.linkis.server.security.SecurityFilter.getLoginUser
+
+import javax.servlet.http.{Cookie, HttpServletRequest}
+
+object ProxyUserSSOUtils extends Logging {
+
+
+ private val PROXY_TICKET_HEADER_CRYPT_KEY = CommonVars("wds.linkis.proxy.ticket.header.crypt.key", "linkis-trust-key").getValue
+
+ private val PROXY_TICKET_HEADER_CONTENT = CommonVars("wds.linkis.proxy.ticket.header.crypt.key", "bfs_").getValue
+
+ private val linkisTrustCode = DESUtil.encrypt(PROXY_TICKET_HEADER_CONTENT, PROXY_TICKET_HEADER_CRYPT_KEY)
+
+ private[security] val PROXY_USER_TICKET_ID_STRING = ServerConfiguration.LINKIS_SERVER_SESSION_PROXY_TICKETID_KEY.getValue
+
+ private val sslEnable: Boolean = ServerConfiguration.BDP_SERVER_SECURITY_SSL.getValue
+
+ private def getProxyUsernameByTicket(ticketId: String): Option[String] = if (StringUtils.isBlank(ticketId)) None
+ else {
+ val userName = DESUtil.decrypt(ticketId, ServerConfiguration.cryptKey)
+ if(userName.startsWith(linkisTrustCode)) Some(userName.substring(linkisTrustCode.length))
+ else None
+ }
+
+ private def getTicketByUsernameAndTrustCode(userName: String, trustCode: String): String = {
+ if (! trustCode.equals(linkisTrustCode)) {
+ logger.info(s"$trustCode error,will be use default username")
+ userName
+ } else {
+ DESUtil.encrypt(trustCode + userName, ServerConfiguration.cryptKey)
+ }
+ }
+
+ def getProxyUserTicketKV(proxyUsername: String, trustCode: String): (String, String) = {
+ val userTicketId = getTicketByUsernameAndTrustCode(proxyUsername, trustCode)
+ (PROXY_USER_TICKET_ID_STRING, userTicketId)
+ }
+
+ def setProxyUserCookie(addCookie: Cookie => Unit, username: String, trustCode: String): Unit = {
+ info(s"add login userTicketCookie for user $username.")
+ val userTicketIdKv = getProxyUserTicketKV(username, trustCode)
+ val cookie = new Cookie(userTicketIdKv._1, userTicketIdKv._2)
+ cookie.setMaxAge(-1)
+ if(sslEnable) cookie.setSecure(true)
+ cookie.setPath("/")
+ addCookie(cookie)
+ }
+
+
+ def removeProxyUser(getCookies: => Array[Cookie]): Unit = {
+ val cookies = getCookies
+ if(cookies != null) cookies.find(_.getName == PROXY_USER_TICKET_ID_STRING).foreach { cookie =>
+ cookie.setValue(null)
+ cookie.setMaxAge(0)
+ }
+ }
+
+ def getProxyUserUsername(req: HttpServletRequest): Option[String] = {
+ val ticketOption = Option(req.getCookies).flatMap(_.find(_.getName == PROXY_USER_TICKET_ID_STRING).map(_.getValue))
+ if (ticketOption.isDefined) {
+ getProxyUsernameByTicket(ticketOption.get)
+ } else {
+ None
+ }
+ }
+
+}
diff --git a/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/SSOUtils.scala b/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/SSOUtils.scala
index 6fe2cff..f357c8b 100644
--- a/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/SSOUtils.scala
+++ b/linkis-commons/linkis-module/src/main/scala/org/apache/linkis/server/security/SSOUtils.scala
@@ -31,8 +31,6 @@ object SSOUtils extends Logging {
private[security] val USER_TICKET_ID_STRING = ServerConfiguration.LINKIS_SERVER_SESSION_TICKETID_KEY.getValue
- private[security] val PROXY_USER_TICKET_ID_STRING = ServerConfiguration.LINKIS_SERVER_SESSION_PROXY_TICKETID_KEY.getValue
-
private val sessionTimeout = ServerConfiguration.BDP_SERVER_WEB_SESSION_TIMEOUT.getValue.toLong
private val userTicketIdToLastAccessTime = new ConcurrentHashMap[String, Long]()
@@ -105,7 +103,7 @@ object SSOUtils extends Logging {
cookie.setValue(null)
cookie.setMaxAge(0)
}
- removeProxyUser(cookies)
+ ProxyUserSSOUtils.removeProxyUser(cookies)
}
def removeLoginUserByAddCookie(addEmptyCookie: Cookie => Unit): Unit = {
@@ -156,29 +154,6 @@ object SSOUtils extends Logging {
def getSessionTimeOut(): Long = sessionTimeout
- def getProxyUserTicketKV(proxyUsername: String): (String, String) = {
- val userTicketId = getUserTicketId(proxyUsername)
- (PROXY_USER_TICKET_ID_STRING, userTicketId)
- }
- def setProxyUserCookie(addCookie: Cookie => Unit, username: String): Unit = {
- info(s"add login userTicketCookie for user $username.")
- val userTicketIdKv = getProxyUserTicketKV(username)
- val cookie = new Cookie(userTicketIdKv._1, userTicketIdKv._2)
- cookie.setMaxAge(-1)
- if(sslEnable) cookie.setSecure(true)
- cookie.setPath("/")
- addCookie(cookie)
- }
-
- def getProxyUser(getCookies: => Array[Cookie]): Option[String] = getLoginUser(_ => Option(getCookies).flatMap(_.find(_.getName == PROXY_USER_TICKET_ID_STRING).map(_.getValue)))
-
- def removeProxyUser(getCookies: => Array[Cookie]): Unit = {
- val cookies = getCookies
- if(cookies != null) cookies.find(_.getName == PROXY_USER_TICKET_ID_STRING).foreach { cookie =>
- cookie.setValue(null)
- cookie.setMaxAge(0)
- }
- }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@linkis.apache.org
For additional commands, e-mail: commits-help@linkis.apache.org