Posted to commits@knox.apache.org by kr...@apache.org on 2018/11/13 16:43:43 UTC
knox git commit: KNOX-1550 - TLS/SSL client certificate
authentication provider
Repository: knox
Updated Branches:
refs/heads/master 53e84a25a -> c5061b843
KNOX-1550 - TLS/SSL client certificate authentication provider
Signed-off-by: Kevin Risden <kr...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/c5061b84
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/c5061b84
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/c5061b84
Branch: refs/heads/master
Commit: c5061b843d29bfab5704a2b17915f657d2361292
Parents: 53e84a2
Author: Kevin Risden <kr...@apache.org>
Authored: Thu Nov 1 17:53:24 2018 -0400
Committer: Kevin Risden <kr...@apache.org>
Committed: Tue Nov 13 11:07:45 2018 -0500
----------------------------------------------------------------------
gateway-provider-security-clientcert/pom.xml | 69 +++++++++++
.../deploy/ClientCertDeploymentContributor.java | 64 +++++++++++
.../clientcert/filter/ClientCertFilter.java | 115 +++++++++++++++++++
...gateway.deploy.ProviderDeploymentContributor | 19 +++
.../ClientCertDeploymentContributorTest.java | 81 +++++++++++++
gateway-release/pom.xml | 4 +
pom.xml | 6 +
7 files changed, 358 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/gateway-provider-security-clientcert/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-clientcert/pom.xml b/gateway-provider-security-clientcert/pom.xml
new file mode 100755
index 0000000..d55e23b
--- /dev/null
+++ b/gateway-provider-security-clientcert/pom.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway</artifactId>
+ <version>1.3.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>gateway-provider-security-clientcert</artifactId>
+ <name>gateway-provider-security-clientcert</name>
+ <description>An extension of the gateway for handling client certificate authentication</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-spi</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-util-common</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.easymock</groupId>
+ <artifactId>easymock</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.hamcrest</groupId>
+ <artifactId>hamcrest-core</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.jboss.shrinkwrap</groupId>
+ <artifactId>shrinkwrap-api</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/deploy/ClientCertDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/deploy/ClientCertDeploymentContributor.java b/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/deploy/ClientCertDeploymentContributor.java
new file mode 100755
index 0000000..c37fe86
--- /dev/null
+++ b/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/deploy/ClientCertDeploymentContributor.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.clientcert.deploy;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.clientcert.filter.ClientCertFilter;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class ClientCertDeploymentContributor extends ProviderDeploymentContributorBase {
+ private static final String CLIENTAUTH_FILTER_CLASSNAME = ClientCertFilter.class.getCanonicalName();
+
+ public static final String ROLE = "authentication";
+ public static final String NAME = "ClientCert";
+
+ @Override
+ public String getRole() {
+ return ROLE;
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+ // blindly add all the provider params as filter init params
+ if (params == null) {
+ params = new ArrayList<>();
+ }
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase(Locale.ROOT) ).value( entry.getValue() ) );
+ }
+
+ resource.addFilter().name( getName() ).role( getRole() ).impl(CLIENTAUTH_FILTER_CLASSNAME).params( params );
+ }
+}
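Review bot: Every provider param is copied into the filter's init params here, but the ClientCertFilter added in this same commit has an empty `init(FilterConfig)`, so none of these values are read by the filter at runtime. If the intent is to reserve the plumbing for future options (e.g. which DN attribute becomes the principal), a comment saying so would stop a reader from assuming topology params already influence authentication: `// forwarded for future filter options; ClientCertFilter currently reads none of them`. Otherwise the loop can be dropped and `params` passed through unchanged.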
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/filter/ClientCertFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/filter/ClientCertFilter.java b/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/filter/ClientCertFilter.java
new file mode 100755
index 0000000..a7f967a
--- /dev/null
+++ b/gateway-provider-security-clientcert/src/main/java/org/apache/knox/gateway/clientcert/filter/ClientCertFilter.java
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.clientcert.filter;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditService;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.filter.AbstractGatewayFilter;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+import java.io.IOException;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class ClientCertFilter implements Filter {
+ private static AuditService auditService = AuditServiceFactory.getAuditService();
+ private static Auditor auditor = auditService.getAuditor(
+ AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+ AuditConstants.KNOX_COMPONENT_NAME );
+
+ @Override
+ public void init(FilterConfig filterConfig) {
+
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ X509Certificate cert = extractCertificate(httpRequest);
+ if (cert != null) {
+ String principal = cert.getSubjectDN().getName();
+
+ Subject subject = new Subject();
+ subject.getPrincipals().add(new PrimaryPrincipal(principal));
+ auditService.getContext().setUsername(principal);
+ String sourceUri = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
+ auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.SUCCESS);
+ continueWithEstablishedSecurityContext(subject, httpRequest, (HttpServletResponse) response, filterChain);
+ } else {
+ ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated");
+ }
+ }
+
+ private X509Certificate extractCertificate(HttpServletRequest req) {
+ X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
+ if (null != certs && certs.length > 0) {
+ return certs[0];
+ }
+ return null;
+ }
+
+ private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest request,
+ final HttpServletResponse response, final FilterChain chain)
+ throws IOException, ServletException {
+ try {
+ Subject.doAs(
+ subject,
+ new PrivilegedExceptionAction<Object>() {
+ @Override
+ public Object run() throws Exception {
+ chain.doFilter(request, response);
+ return null;
+ }
+ }
+ );
+ }
+ catch (PrivilegedActionException e) {
+ Throwable t = e.getCause();
+ if (t instanceof IOException) {
+ throw (IOException) t;
+ }
+ else if (t instanceof ServletException) {
+ throw (ServletException) t;
+ }
+ else {
+ throw new ServletException(t);
+ }
+ }
+ }
+
+ @Override
+ public void destroy() {
+
+ }
+}
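Review bot: The missing-certificate path sends a 403 but records nothing in the audit log, so failed client-certificate authentications are invisible to anyone reviewing the trail the success path writes; hoist `sourceUri` above the `if` and add `auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.FAILURE);` before `sendError`. The principal string is also taken from the deprecated `cert.getSubjectDN().getName()`, whose textual form is implementation-defined; `cert.getSubjectX500Principal().getName()` yields an RFC 2253 DN with a stable format, which matters because downstream identity-assertion and authorization rules will match on this string. It would help to state the trust assumption in a class comment: the filter does not validate the certificate itself and relies entirely on the servlet container having requested client auth and verified the chain against its truststore before populating `javax.servlet.request.X509Certificate`, so the provider presumably offers no protection when TLS is terminated in front of the gateway — worth confirming and documenting.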
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/gateway-provider-security-clientcert/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-clientcert/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-clientcert/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100755
index 0000000..547b345
--- /dev/null
+++ b/gateway-provider-security-clientcert/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.clientcert.deploy.ClientCertDeploymentContributor
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/gateway-provider-security-clientcert/src/test/java/org/apache/knox/gateway/clientcert/ClientCertDeploymentContributorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-clientcert/src/test/java/org/apache/knox/gateway/clientcert/ClientCertDeploymentContributorTest.java b/gateway-provider-security-clientcert/src/test/java/org/apache/knox/gateway/clientcert/ClientCertDeploymentContributorTest.java
new file mode 100644
index 0000000..bdae540
--- /dev/null
+++ b/gateway-provider-security-clientcert/src/test/java/org/apache/knox/gateway/clientcert/ClientCertDeploymentContributorTest.java
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.clientcert;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributor;
+import org.apache.knox.gateway.clientcert.deploy.ClientCertDeploymentContributor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Topology;
+import org.easymock.EasyMock;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+
+import java.util.Iterator;
+import java.util.ServiceLoader;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.fail;
+
+public class ClientCertDeploymentContributorTest {
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testServiceLoader() {
+ ServiceLoader loader = ServiceLoader.load( ProviderDeploymentContributor.class );
+ Iterator iterator = loader.iterator();
+ assertThat( "Service iterator empty.", iterator.hasNext() );
+ while( iterator.hasNext() ) {
+ Object object = iterator.next();
+ if( object instanceof ClientCertDeploymentContributor) {
+ return;
+ }
+ }
+ fail( "Failed to find " + ClientCertDeploymentContributor.class.getName() + " via service loader." );
+ }
+
+ @Test
+ public void testDeployment() {
+ WebArchive webArchive = ShrinkWrap.create( WebArchive.class, "test-archive" );
+
+ Provider provider = new Provider();
+ provider.setEnabled( true );
+ provider.setName( ClientCertDeploymentContributor.NAME );
+
+ Topology topology = new Topology();
+ topology.setName( "Sample" );
+
+ DeploymentContext context = EasyMock.createNiceMock( DeploymentContext.class );
+ EasyMock.expect( context.getWebArchive() ).andReturn( webArchive ).anyTimes();
+ EasyMock.expect( context.getTopology() ).andReturn( topology ).anyTimes();
+ EasyMock.replay( context );
+
+ ClientCertDeploymentContributor contributor = new ClientCertDeploymentContributor();
+
+ assertThat( contributor.getRole(), is( ClientCertDeploymentContributor.ROLE ) );
+ assertThat( contributor.getName(), is( ClientCertDeploymentContributor.NAME ) );
+
+ // Just make sure it doesn't blow up.
+ contributor.initializeContribution( context );
+
+ // Just make sure it doesn't blow up.
+ contributor.finalizeContribution( context );
+ }
+}
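Review bot: ClientCertFilter itself is never exercised by this test class; the two tests only check ServiceLoader registration and the contributor's role and name. A filter test that mocks an HttpServletRequest with and without the `javax.servlet.request.X509Certificate` attribute, asserting `sendError(SC_FORBIDDEN, ...)` is called and the chain is not invoked in the absent case, and that the chain is invoked with a Subject carrying the certificate's DN in the present case, would pin the security behavior this provider introduces. EasyMock is already a test dependency in the new pom, so no further dependencies appear to be needed.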
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/gateway-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index 691f058..ebbfcd4 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -251,6 +251,10 @@
</dependency>
<dependency>
<groupId>org.apache.knox</groupId>
+ <artifactId>gateway-provider-security-clientcert</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
<artifactId>gateway-provider-security-preauth</artifactId>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/knox/blob/c5061b84/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 2ac1f3d..d900d85 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,6 +84,7 @@
<module>gateway-provider-security-webappsec</module>
<module>gateway-provider-security-preauth</module>
<module>gateway-provider-security-hadoopauth</module>
+ <module>gateway-provider-security-clientcert</module>
<module>gateway-provider-security-shiro</module>
<module>gateway-provider-security-pac4j</module>
<module>gateway-provider-security-authz-acls</module>
@@ -652,6 +653,11 @@
</dependency>
<dependency>
<groupId>org.apache.knox</groupId>
+ <artifactId>gateway-provider-security-clientcert</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
<artifactId>gateway-provider-security-preauth</artifactId>
<version>${project.version}</version>
</dependency>