Posted to commits@knox.apache.org by lm...@apache.org on 2016/03/11 04:20:56 UTC
knox git commit: KNOX-630 - KnoxSSO Needs to Populate Configured
Audiences
Repository: knox
Updated Branches:
refs/heads/master 3e36bc69b -> 99593c2e7
KNOX-630 - KnoxSSO Needs to Populate Configured Audiences
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/99593c2e
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/99593c2e
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/99593c2e
Branch: refs/heads/master
Commit: 99593c2e7054dc234b00194ccea4f13ba428df44
Parents: 3e36bc6
Author: Larry McCay <lm...@hortonworks.com>
Authored: Thu Mar 10 22:20:44 2016 -0500
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Thu Mar 10 22:20:44 2016 -0500
----------------------------------------------------------------------
.../provider/federation/JWTTokenTest.java | 84 ++++++++++++++++++--
.../federation/SSOCookieProviderTest.java | 6 ++
.../impl/DefaultTokenAuthorityService.java | 26 ++++--
.../gateway/service/knoxsso/WebSSOResource.java | 7 ++
.../security/token/JWTokenAuthority.java | 4 +
.../services/security/token/impl/JWTToken.java | 14 +++-
6 files changed, 127 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
index 8f5a02a..8d8bcab 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
@@ -17,6 +17,7 @@
*/
package org.apache.hadoop.gateway.provider.federation;
+import java.util.ArrayList;
import junit.framework.TestCase;
import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
@@ -43,17 +44,90 @@ public class JWTTokenTest extends TestCase {
// }
// }
- @Test
+ @Test
public void testTokenCreation() throws Exception {
String[] claims = new String[4];
- claims[0] = "HSSO";
+ claims[0] = "KNOXSSO";
claims[1] = "john.doe@example.com";
claims[2] = "https://login.example.com";
claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
JWTToken token = new JWTToken("RS256", claims);
- assertEquals(token.getIssuer(), "HSSO");
- assertEquals(token.getSubject(), "john.doe@example.com");
- assertEquals(token.getAudience(), "https://login.example.com");
+ assertEquals("KNOXSSO", token.getIssuer());
+ assertEquals("john.doe@example.com", token.getSubject());
+ assertEquals("https://login.example.com", token.getAudience());
+ }
+
+ @Test
+ public void testTokenCreationWithAudienceListSingle() throws Exception {
+ String[] claims = new String[4];
+ claims[0] = "KNOXSSO";
+ claims[1] = "john.doe@example.com";
+ claims[2] = null;
+ claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+ ArrayList<String> audiences = new ArrayList<String>();
+ audiences.add("https://login.example.com");
+
+ JWTToken token = new JWTToken("RS256", claims, audiences);
+
+ assertEquals("KNOXSSO", token.getIssuer());
+ assertEquals("john.doe@example.com", token.getSubject());
+ assertEquals("https://login.example.com", token.getAudience());
+ assertEquals(1, token.getAudienceClaims().length);
+ }
+
+ @Test
+ public void testTokenCreationWithAudienceListMultiple() throws Exception {
+ String[] claims = new String[4];
+ claims[0] = "KNOXSSO";
+ claims[1] = "john.doe@example.com";
+ claims[2] = null;
+ claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+ ArrayList<String> audiences = new ArrayList<String>();
+ audiences.add("https://login.example.com");
+ audiences.add("KNOXSSO");
+
+ JWTToken token = new JWTToken("RS256", claims, audiences);
+
+ assertEquals("KNOXSSO", token.getIssuer());
+ assertEquals("john.doe@example.com", token.getSubject());
+ assertEquals("https://login.example.com", token.getAudience());
+ assertEquals(2, token.getAudienceClaims().length);
+ }
+
+ @Test
+ public void testTokenCreationWithAudienceListCombined() throws Exception {
+ String[] claims = new String[4];
+ claims[0] = "KNOXSSO";
+ claims[1] = "john.doe@example.com";
+ claims[2] = "LJM";
+ claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+ ArrayList<String> audiences = new ArrayList<String>();
+ audiences.add("https://login.example.com");
+ audiences.add("KNOXSSO");
+
+ JWTToken token = new JWTToken("RS256", claims, audiences);
+
+ assertEquals("KNOXSSO", token.getIssuer());
+ assertEquals("john.doe@example.com", token.getSubject());
+ assertEquals("https://login.example.com", token.getAudience());
+ assertEquals(3, token.getAudienceClaims().length);
+ }
+
+ @Test
+ public void testTokenCreationWithNullAudienceList() throws Exception {
+ String[] claims = new String[4];
+ claims[0] = "KNOXSSO";
+ claims[1] = "john.doe@example.com";
+ claims[2] = null;
+ claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+ ArrayList<String> audiences = null;
+
+ JWTToken token = new JWTToken("RS256", claims, audiences);
+
+ assertEquals("KNOXSSO", token.getIssuer());
+ assertEquals("john.doe@example.com", token.getSubject());
+ assertEquals(null, token.getAudience());
+ assertEquals(null, token.getAudienceClaims());
}
}
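Review bot: testTokenCreationWithAudienceListCombined expects three audience claims from a two-entry list plus a non-null claims[2], which only holds because the JWTToken constructor on this page appends claims[2] to the list the caller handed in, and none of the new tests pins that side effect or covers a list the caller cannot mutate. Passing `Collections.unmodifiableList(audiences)` or `Arrays.asList("https://login.example.com", "KNOXSSO")` in one case would document whether mutating the argument is part of the contract; with the constructor as written that call would fail with UnsupportedOperationException. If the caller's list is meant to stay untouched, add `assertEquals(2, audiences.size());` after construction in the combined test, and in the multiple/combined cases assert the full `getAudienceClaims()` contents rather than only the length so ordering and duplicate handling are pinned too.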
http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
index c613869..c6f1cae 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
@@ -521,6 +521,12 @@ public class SSOCookieProviderTest {
return null;
}
+ @Override
+ public JWTToken issueToken(Principal p, List<String> audiences, String algorithm,
+ long expires) throws TokenServiceException {
+ return null;
+ }
+
/* (non-Javadoc)
* @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, long)
*/
http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
index e5f5767..3fbc789 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -23,6 +23,8 @@ import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
+import java.util.List;
+import java.util.ArrayList;
import javax.security.auth.Subject;
@@ -77,27 +79,35 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
*/
@Override
public JWTToken issueToken(Principal p, String algorithm, long expires) throws TokenServiceException {
- return issueToken(p, null, algorithm, expires);
+ return issueToken(p, (String)null, algorithm, expires);
}
public JWTToken issueToken(Principal p, String audience, String algorithm)
throws TokenServiceException {
return issueToken(p, audience, algorithm, -1);
}
-
+
/* (non-Javadoc)
* @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String)
*/
@Override
public JWTToken issueToken(Principal p, String audience, String algorithm, long expires)
throws TokenServiceException {
+ ArrayList<String> audiences = null;
+ if (audience != null) {
+ audiences = new ArrayList<String>();
+ audiences.add(audience);
+ }
+ return issueToken(p, audiences, algorithm, expires);
+ }
+
+ @Override
+ public JWTToken issueToken(Principal p, List<String> audiences, String algorithm, long expires)
+ throws TokenServiceException {
String[] claimArray = new String[4];
- claimArray[0] = "HSSO";
+ claimArray[0] = "KNOXSSO";
claimArray[1] = p.getName();
- if (audience == null) {
- audience = "HSSO";
- }
- claimArray[2] = audience;
+ claimArray[2] = null;
// TODO: make the validity period configurable
if (expires == -1) {
claimArray[3] = Long.toString( ( System.currentTimeMillis() ) + 30000);
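Review bot: The new List overload sets `claimArray[2] = null` and drops the old fallback to a default audience, so any caller that ends up with `audiences == null` — the String overload whenever `audience` is null, and `issueToken(p, algorithm, expires)` always — now yields a token with no aud claim at all, where it previously carried "HSSO". That is presumably intended by KNOX-630, but a verifier that requires an aud to be present will now reject such tokens, and nothing in the hunk records this; the new overload has no Javadoc and the `@see` comment above the String overload still names the three-argument signature. Suggest a Javadoc on the List overload such as `/** Issues a signed token for {@code p}; every entry of {@code audiences} becomes an aud claim, and a null or empty list produces a token with no aud claim. */`, and updating the stale `@see` line. The body of issueToken continues outside the hunk.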
@@ -108,7 +118,7 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
JWTToken token = null;
if ("RS256".equals(algorithm)) {
- token = new JWTToken("RS256", claimArray);
+ token = new JWTToken("RS256", claimArray, audiences);
RSAPrivateKey key;
char[] passphrase = null;
try {
http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 73871dc..5dcead1 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -52,6 +52,7 @@ public class WebSSOResource {
private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
private static final String SSO_COOKIE_DOMAIN_SUFFIX_PARAM = "knoxsso.cookie.domain.suffix";
private static final String SSO_COOKIE_TOKEN_TTL_PARAM = "knoxsso.token.ttl";
+ private static final String SSO_COOKIE_TOKEN_AUDIENCES_PARAM = "knoxsso.token.audiences";
private static final String SSO_COOKIE_TOKEN_WHITELIST_PARAM = "knoxsso.redirect.whitelist.regex";
private static final String SSO_ENABLE_SESSION_PARAM = "knoxsso.enable.session";
private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
@@ -66,6 +67,7 @@ public class WebSSOResource {
private long tokenTTL = 30000l;
private String whitelist = null;
private String domainSuffix = null;
+ private String[] targetAudiences = null;
private boolean enableSession = false;
@Context
@@ -106,6 +108,11 @@ public class WebSSOResource {
whitelist = DEFAULT_WHITELIST;
}
+ String audiences = context.getInitParameter(SSO_COOKIE_TOKEN_AUDIENCES_PARAM);
+ if (audiences != null) {
+ targetAudiences = audiences.split(",");
+ }
+
String ttl = context.getInitParameter(SSO_COOKIE_TOKEN_TTL_PARAM);
if (ttl != null) {
try {
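Review bot: `targetAudiences = audiences.split(",")` keeps surrounding whitespace and empty entries, so a configured value of `a, b` produces the audience `" b"` and `a,,b` produces an empty-string audience; if these values are later compared exactly against a token's aud claims (the use of targetAudiences is outside this hunk), a harmlessly formatted init parameter would silently issue tokens for the wrong audience. Trimming on split, `targetAudiences = audiences.trim().split("\\s*,\\s*");`, handles the whitespace case; empty entries would still need to be skipped or rejected at load time rather than issued. A short comment on the field, `// comma-separated aud values from knoxsso.token.audiences; null when not configured`, would also help the next reader.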
http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
index 7ed3ab5..8cf1676 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
@@ -18,6 +18,7 @@
package org.apache.hadoop.gateway.services.security.token;
import java.security.Principal;
+import java.util.List;
import javax.security.auth.Subject;
@@ -41,4 +42,7 @@ public interface JWTokenAuthority {
long expires) throws TokenServiceException;
JWT issueToken(Principal p, String audience, long l) throws TokenServiceException;
+
+ JWTToken issueToken(Principal p, List<String> audience, String algorithm,
+ long expires) throws TokenServiceException;
}
\ No newline at end of file
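Review bot: The new SPI method `issueToken(Principal, List<String>, String, long)` is added to a public interface with no Javadoc, and its list parameter is named `audience` in the singular while the implementation in DefaultTokenAuthorityService calls it `audiences`. Since every existing implementor now has to add this method (the stub added to SSOCookieProviderTest shows the cost), the contract for null and empty lists should be stated here rather than left to the implementation; suggest renaming the parameter to `audiences` and adding `/** Issues a token whose aud claim carries each entry of {@code audiences}; a null list yields a token without an aud claim. */`, hedged to whatever the implementation actually guarantees.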
http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
index 485fd89..4b1e2b0 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
@@ -20,6 +20,8 @@ package org.apache.hadoop.gateway.services.security.token.impl;
import java.io.UnsupportedEncodingException;
import java.text.ParseException;
import java.util.Date;
+import java.util.ArrayList;
+import java.util.List;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
@@ -56,12 +58,22 @@ public class JWTToken implements JWT {
}
public JWTToken(String alg, String[] claimsArray) {
+ this(alg, claimsArray, null);
+ }
+
+ public JWTToken(String alg, String[] claimsArray, List<String> audiences) {
JWSHeader header = new JWSHeader(new JWSAlgorithm(alg));
+ if (claimsArray[2] != null) {
+ if (audiences == null) {
+ audiences = new ArrayList<String>();
+ }
+ audiences.add(claimsArray[2]);
+ }
JWTClaimsSet claims = new JWTClaimsSet.Builder()
.issuer(claimsArray[0])
.subject(claimsArray[1])
- .audience(claimsArray[2])
+ .audience(audiences)
.expirationTime(new Date(Long.parseLong(claimsArray[3])))
.build();