You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by mc...@apache.org on 2015/11/18 21:44:58 UTC
[1/2] nifi git commit: NIFI-655. - Updated JwtService and
JwtServiceTest to use Key POJO instead of raw String key from KeyService.
Repository: nifi
Updated Branches:
refs/heads/NIFI-655 c94d0271d -> 3da198135
NIFI-655. - Updated JwtService and JwtServiceTest to use Key POJO instead of raw String key from KeyService.
Signed-off-by: Matt Gilman <ma...@gmail.com>
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/0fa68a5b
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/0fa68a5b
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/0fa68a5b
Branch: refs/heads/NIFI-655
Commit: 0fa68a5bac79178836e02627d0030e595a1d8348
Parents: c94d027
Author: Andy LoPresto <an...@andylopresto.com>
Authored: Wed Nov 18 12:19:00 2015 -0800
Committer: Matt Gilman <ma...@gmail.com>
Committed: Wed Nov 18 15:41:08 2015 -0500
----------------------------------------------------------------------
.../org/apache/nifi/web/api/AccessResource.java | 4 +-
.../token/LoginAuthenticationToken.java | 4 +-
.../nifi/web/security/jwt/JwtServiceTest.java | 120 ++++++++++++++-----
3 files changed, 97 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/0fa68a5b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
index 27d7d29..5e52186 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@@ -336,7 +336,7 @@ public class AccessResource extends ApplicationResource {
}
// create the authentication token
- // TODO: Some Spring beans return "" for getClass().getSimpleName(). Using getName() temporarily
+ // TODO: Some Spring beans return "" for getClass().getSimpleName(). Using getName() temporarily, the way that NAR loader works, this value will always be an anonymous inner class
loginAuthenticationToken = new LoginAuthenticationToken(authenticationResponse.getIdentity(), expiration, loginIdentityProvider.getClass().getName());
} catch (final InvalidLoginCredentialsException ilce) {
throw new IllegalArgumentException("The supplied username and password are not valid.", ilce);
@@ -358,7 +358,7 @@ public class AccessResource extends ApplicationResource {
authorizeProxyIfNecessary(proxyChain);
// create the authentication token
- // TODO: Some Spring beans return "" for getClass().getSimpleName(). Using getName() temporarily
+ // TODO: Some Spring beans return "" for getClass().getSimpleName(). Using getName() temporarilyy, the way that NAR loader works, this value will always be an anonymous inner class
loginAuthenticationToken = new LoginAuthenticationToken(proxyChain.get(0), authenticationResponse.getExpiration(), certificateIdentityProvider.getClass().getName());
}
http://git-wip-us.apache.org/repos/asf/nifi/blob/0fa68a5b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/LoginAuthenticationToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/LoginAuthenticationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/LoginAuthenticationToken.java
index a06ee89..3591239 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/LoginAuthenticationToken.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/LoginAuthenticationToken.java
@@ -72,7 +72,9 @@ public class LoginAuthenticationToken extends AbstractAuthenticationToken {
}
/**
- * Returns the expiration instant in milliseconds. This value is an absolute point in time (i.e. Nov 16, 2015 11:30:00.000 GMT), not a relative time (i.e. 60 minutes). It is calculated by adding the relative expiration from the constructor to the timestamp at object creation.
+ * Returns the expiration instant in milliseconds. This value is an absolute point in time (i.e. Nov
+ * 16, 2015 11:30:00.000 GMT), not a relative time (i.e. 60 minutes). It is calculated by adding the
+ * relative expiration from the constructor to the timestamp at object creation.
*
* @return the expiration in millis
*/
http://git-wip-us.apache.org/repos/asf/nifi/blob/0fa68a5b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/JwtServiceTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/JwtServiceTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/JwtServiceTest.java
index ea3e122..6009c1f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/JwtServiceTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/JwtServiceTest.java
@@ -1,3 +1,19 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package org.apache.nifi.web.security.jwt;
import io.jsonwebtoken.JwtException;
@@ -5,6 +21,7 @@ import org.apache.commons.codec.CharEncoding;
import org.apache.commons.codec.binary.Base64;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.admin.service.KeyService;
+import org.apache.nifi.key.Key;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.codehaus.jettison.json.JSONObject;
import org.junit.After;
@@ -22,17 +39,13 @@ import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
-import org.apache.nifi.key.Key;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
-import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.anyInt;
+import static org.mockito.Matchers.anyString;
import static org.mockito.Mockito.when;
-/**
- * Created by alopresto on 11/11/15.
- */
public class JwtServiceTest {
private static final Logger logger = LoggerFactory.getLogger(JwtServiceTest.class);
@@ -41,35 +54,76 @@ public class JwtServiceTest {
* These constant strings were generated using the tool at http://jwt.io
*/
- private static final String VALID_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.8fUgH9jLvE1essgrcoV8OCyDhXvSXUH_1xqeqDqWycU";
+ private static final String VALID_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRl" +
+ "ciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZ" +
+ "XJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoxLCJleHAiOjI0NDc4MDg3NjEsIm" +
+ "lhdCI6MTQ0NzgwODcwMX0.r6aGZ6FNNYMOpcXW8BK2VYaQeX1uO0Aw1KJfjB3Q1DU";
// This token has an empty subject field
- private static final String INVALID_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.jcjRBLtDzREmdjkJf3xry-ucyCmSRygBaP-HCWBkwlI";
+ private static final String INVALID_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZG" +
+ "VudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvI" +
+ "iwia2lkIjoxLCJleHAiOjI0NDc4MDg3NjEsImlhdCI6MTQ0NzgwODcwMX0" +
+ ".x_1p2M6E0vwWHWMujIUnSL3GkFoDqqICllRxo2SMNaw";
- private static final String VALID_UNSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9";
+ private static final String VALID_UNSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZC" +
+ "I6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJl" +
+ "c3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9";
// This token has an empty subject field
- private static final String INVALID_UNSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9";
+ private static final String INVALID_UNSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVu" +
+ "dGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoi" +
+ "YWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9";
// Algorithm field is "none"
- private static final String VALID_MALSIGNED_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.mPO_wMNMl_zjMNevhNvUoXbSJ9Kx6jAe5OxDIAzKQbI";
+ private static final String VALID_MALSIGNED_TOKEN = "eyJhbGciOiJub25lIn0" +
+ ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZC" +
+ "I6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJl" +
+ "c3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9" +
+ ".mPO_wMNMl_zjMNevhNvUoXbSJ9Kx6jAe5OxDIAzKQbI";
// Algorithm field is "none" and no signature is present
- private static final String VALID_MALSIGNED_NO_SIG_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.";
+ private static final String VALID_MALSIGNED_NO_SIG_TOKEN = "eyJhbGciOiJub25lIn0" +
+ ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY" +
+ "2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIj" +
+ "oiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.";
// This token has an empty subject field
- private static final String INVALID_MALSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.WAwmUY4KHKV2oARNodkqDkbZsfRXGZfD2Ccy64GX9QF";
-
- private static final String EXPIRED_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.y3M1TlzXZ80cVTkfcNxaHpq6aAlM1y2HGCZWEOcvmSU";
+ private static final String INVALID_MALSIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVud" +
+ "Gl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYW" +
+ "xvcHJlc3RvIiwiZXhwIjoxNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.WAwmUY4KHKV2oARNodkqDkbZsfRXGZfD2Ccy64GX9QF";
+
+ // This token is signed but expired
+ private static final String EXPIRED_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiIiLCJpc3MiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik" +
+ "1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvc" +
+ "HJlc3RvIiwia2lkIjoxLCJleHAiOjE0NDc4MDg3NjEsImlhdCI6MTQ0NzgwODcw" +
+ "MX0.ZPDIhNKuL89vTGXcuztOYaGifwcrQy_gid4j8Sspmto";
// Subject is "mgilman" but signed with "alopresto" key
- private static final String IMPOSTER_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJtZ2lsbWFuIiwiaXNzIjoiTW9ja0lkZW50aXR5UHJvdmlkZXIiLCJhdWQiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFsb3ByZXN0byIsImtpZCI6ImFsb3ByZXN0byIsImV4cCI6MjQ0NzgwODc2MSwiaWF0IjoxNDQ3ODA4NzAxfQ.l-9nHmYTEMgLshX8qCEqbc2O4BH_GYBVQIFkUKsJvLA";
+ private static final String IMPOSTER_SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiJtZ2lsbWFuIiwiaXNzIjoiTW9ja0lkZW50aXR5UHJvdmlkZXIiLCJ" +
+ "hdWQiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI" +
+ "6ImFsb3ByZXN0byIsImtpZCI6MSwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc" +
+ "4MDg3MDF9.aw5OAvLTnb_sHmSQOQzW-A7NImiZgXJ2ngbbNL2Ymkc";
// Issuer field is set to unknown provider
- private static final String UNKNOWN_ISSUER_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJVbmtub3duSWRlbnRpdHlQcm92aWRlciIsImF1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxvcHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.SAd9tyNwSaijWet9wvAWSNmpxmPSK4XQuLx7h3ARqBo";
+ private static final String UNKNOWN_ISSUER_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiJhbG9wcmVzdG8iLCJpc3MiOiJVbmtub3duSWRlbnRpdHlQcm92aWRlciIsIm" +
+ "F1ZCI6Ik1vY2tJZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxv" +
+ "cHJlc3RvIiwia2lkIjoiYWxvcHJlc3RvIiwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9" +
+ ".SAd9tyNwSaijWet9wvAWSNmpxmPSK4XQuLx7h3ARqBo";
// Issuer field is absent
- private static final String NO_ISSUER_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbG9wcmVzdG8iLCJhdWQiOiJNb2NrSWRlbnRpdHlQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFsb3ByZXN0byIsImtpZCI6ImFsb3ByZXN0byIsImV4cCI6MjQ0NzgwODc2MSwiaWF0IjoxNDQ3ODA4NzAxfQ.Hdha7K69sz6224vidvuZ6A6UdGLdZ_U1egS0txuVXAk";
+ private static final String NO_ISSUER_TOKEN = "eyJhbGciOiJIUzI1NiJ9" +
+ ".eyJzdWIiOiJhbG9wcmVzdG8iLCJhdWQiOiJNb2NrSWRlbnRpdHlQcm92a" +
+ "WRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFsb3ByZXN0byIsImtpZCI" +
+ "6MSwiZXhwIjoyNDQ3ODA4NzYxLCJpYXQiOjE0NDc4MDg3MDF9.6kDjDanA" +
+ "g0NQDb3C8FmgbBAYDoIfMAEkF4WMVALsbJA";
private static final String DEFAULT_HEADER = "{\"alg\":\"HS256\"}";
private static final String DEFAULT_IDENTITY = "alopresto";
@@ -88,7 +142,8 @@ public class JwtServiceTest {
return generateHS256Token(rawHeader, rawPayload, HMAC_SECRET, isValid, isSigned);
}
- private String generateHS256Token(String rawHeader, String rawPayload, String hmacSecret, boolean isValid, boolean isSigned) {
+ private String generateHS256Token(String rawHeader, String rawPayload, String hmacSecret, boolean isValid,
+ boolean isSigned) {
try {
logger.info("Generating token for " + rawHeader + " + " + rawPayload);
@@ -109,7 +164,8 @@ public class JwtServiceTest {
}
}
- private String generateHMAC(String hmacSecret, String body) throws NoSuchAlgorithmException, UnsupportedEncodingException, InvalidKeyException {
+ private String generateHMAC(String hmacSecret, String body) throws NoSuchAlgorithmException,
+ UnsupportedEncodingException, InvalidKeyException {
Mac hmacSHA256 = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(hmacSecret.getBytes("UTF-8"), "HmacSHA256");
hmacSHA256.init(secret_key);
@@ -120,8 +176,8 @@ public class JwtServiceTest {
@Before
public void setUp() throws Exception {
final Key key = new Key();
- key.setId(0);
- key.setIdentity(HMAC_SECRET);
+ key.setId(1);
+ key.setIdentity(DEFAULT_IDENTITY);
key.setKey(HMAC_SECRET);
mockKeyService = Mockito.mock(KeyService.class);
@@ -295,7 +351,9 @@ public class JwtServiceTest {
// Token expires in 60 seconds
final int EXPIRATION_MILLIS = 60000;
- LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken("alopresto", EXPIRATION_MILLIS, "MockIdentityProvider");
+ LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken("alopresto",
+ EXPIRATION_MILLIS,
+ "MockIdentityProvider");
logger.debug("Generating token for " + loginAuthenticationToken);
final String EXPECTED_HEADER = DEFAULT_HEADER;
@@ -311,7 +369,8 @@ public class JwtServiceTest {
// Split the token, decode the middle section, and form a new String
final String DECODED_PAYLOAD = new String(Base64.decodeBase64(token.split("\\.")[1].getBytes()));
- final long ISSUED_AT_SEC = Long.valueOf(DECODED_PAYLOAD.substring(DECODED_PAYLOAD.lastIndexOf(":") + 1, DECODED_PAYLOAD.length() - 1));
+ final long ISSUED_AT_SEC = Long.valueOf(DECODED_PAYLOAD.substring(DECODED_PAYLOAD.lastIndexOf(":") + 1,
+ DECODED_PAYLOAD.length() - 1));
logger.trace("Actual token was issued at " + ISSUED_AT_SEC);
// Always use LinkedHashMap to enforce order of the keys because the signature depends on order
@@ -320,7 +379,7 @@ public class JwtServiceTest {
claims.put("iss", "MockIdentityProvider");
claims.put("aud", "MockIdentityProvider");
claims.put("preferred_username", "alopresto");
- claims.put("kid", "alopresto");
+ claims.put("kid", 1);
claims.put("exp", TOKEN_EXPIRATION_SEC);
claims.put("iat", ISSUED_AT_SEC);
logger.trace("JSON Object to String: " + new JSONObject(claims).toString());
@@ -351,7 +410,8 @@ public class JwtServiceTest {
public void testShouldNotGenerateTokenWithEmptyIdentity() throws Exception {
// Arrange
final int EXPIRATION_MILLIS = 60000;
- LoginAuthenticationToken emptyIdentityLoginAuthenticationToken = new LoginAuthenticationToken("", EXPIRATION_MILLIS, "MockIdentityProvider");
+ LoginAuthenticationToken emptyIdentityLoginAuthenticationToken = new LoginAuthenticationToken("",
+ EXPIRATION_MILLIS, "MockIdentityProvider");
logger.debug("Generating token for " + emptyIdentityLoginAuthenticationToken);
// Act
@@ -366,7 +426,8 @@ public class JwtServiceTest {
public void testShouldNotGenerateTokenWithNullIdentity() throws Exception {
// Arrange
final int EXPIRATION_MILLIS = 60000;
- LoginAuthenticationToken nullIdentityLoginAuthenticationToken = new LoginAuthenticationToken(null, EXPIRATION_MILLIS, "MockIdentityProvider");
+ LoginAuthenticationToken nullIdentityLoginAuthenticationToken = new LoginAuthenticationToken(null,
+ EXPIRATION_MILLIS, "MockIdentityProvider");
logger.debug("Generating token for " + nullIdentityLoginAuthenticationToken);
// Act
@@ -381,12 +442,15 @@ public class JwtServiceTest {
public void testShouldNotGenerateTokenWithMissingKey() throws Exception {
// Arrange
final int EXPIRATION_MILLIS = 60000;
- LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken("alopresto", EXPIRATION_MILLIS, "MockIdentityProvider");
+ LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken("alopresto",
+ EXPIRATION_MILLIS,
+ "MockIdentityProvider");
logger.debug("Generating token for " + loginAuthenticationToken);
// Set up the bad key service
KeyService missingKeyService = Mockito.mock(KeyService.class);
- when(missingKeyService.getOrCreateKey(anyString())).thenThrow(new AdministrationException("Could not find a key for that user"));
+ when(missingKeyService.getOrCreateKey(anyString())).thenThrow(new AdministrationException("Could not find a " +
+ "key for that user"));
jwtService = new JwtService(missingKeyService);
// Act
[2/2] nifi git commit: NIFI-655: - Fixing typo when loading the ldap
connect timeout. - Providing a better experience for session expiration. -
Using ellipsis for lengthly user name. - Adding an issuer to the
authentication response so the LIP can specif
Posted by mc...@apache.org.
NIFI-655:
- Fixing typo when loading the ldap connect timeout.
- Providing a better experience for session expiration.
- Using ellipsis for lengthly user name.
- Adding an issuer to the authentication response so the LIP can specify the appropriate value.
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/3da19813
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/3da19813
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/3da19813
Branch: refs/heads/NIFI-655
Commit: 3da198135e432341eba36b072dfd0f7f6395b4c6
Parents: 0fa68a5
Author: Matt Gilman <ma...@gmail.com>
Authored: Wed Nov 18 15:44:47 2015 -0500
Committer: Matt Gilman <ma...@gmail.com>
Committed: Wed Nov 18 15:44:47 2015 -0500
----------------------------------------------------------------------
.../authentication/AuthenticationResponse.java | 9 +++++++-
.../org/apache/nifi/web/api/AccessResource.java | 6 ++---
.../util/NiFiTestLoginIdentityProvider.java | 2 +-
.../web/security/x509/X509IdentityProvider.java | 6 +++--
.../nifi-web-ui/src/main/webapp/css/header.css | 3 +++
.../src/main/webapp/js/nf/nf-common.js | 23 ++++++++++----------
.../java/org/apache/nifi/ldap/LdapProvider.java | 6 +++--
7 files changed, 33 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-api/src/main/java/org/apache/nifi/authentication/AuthenticationResponse.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/AuthenticationResponse.java b/nifi-api/src/main/java/org/apache/nifi/authentication/AuthenticationResponse.java
index a64947b..e9999fc 100644
--- a/nifi-api/src/main/java/org/apache/nifi/authentication/AuthenticationResponse.java
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/AuthenticationResponse.java
@@ -24,6 +24,7 @@ public class AuthenticationResponse {
private final String identity;
private final String username;
private final long expiration;
+ private final String issuer;
/**
* Creates an authentication response. The username and how long the authentication is valid in milliseconds
@@ -31,11 +32,13 @@ public class AuthenticationResponse {
* @param identity The user identity
* @param username The username
* @param expiration The expiration in milliseconds
+ * @param issuer The issuer of the token
*/
- public AuthenticationResponse(final String identity, final String username, final long expiration) {
+ public AuthenticationResponse(final String identity, final String username, final long expiration, final String issuer) {
this.identity = identity;
this.username = username;
this.expiration = expiration;
+ this.issuer = issuer;
}
public String getIdentity() {
@@ -46,6 +49,10 @@ public class AuthenticationResponse {
return username;
}
+ public String getIssuer() {
+ return issuer;
+ }
+
/**
* Returns the expiration of a given authentication in milliseconds.
*
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
index 5e52186..b486d74 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@@ -336,8 +336,7 @@ public class AccessResource extends ApplicationResource {
}
// create the authentication token
- // TODO: Some Spring beans return "" for getClass().getSimpleName(). Using getName() temporarily, the way that NAR loader works, this value will always be an anonymous inner class
- loginAuthenticationToken = new LoginAuthenticationToken(authenticationResponse.getIdentity(), expiration, loginIdentityProvider.getClass().getName());
+ loginAuthenticationToken = new LoginAuthenticationToken(authenticationResponse.getIdentity(), expiration, authenticationResponse.getIssuer());
} catch (final InvalidLoginCredentialsException ilce) {
throw new IllegalArgumentException("The supplied username and password are not valid.", ilce);
} catch (final IdentityAccessException iae) {
@@ -358,8 +357,7 @@ public class AccessResource extends ApplicationResource {
authorizeProxyIfNecessary(proxyChain);
// create the authentication token
- // TODO: Some Spring beans return "" for getClass().getSimpleName(). Using getName() temporarilyy, the way that NAR loader works, this value will always be an anonymous inner class
- loginAuthenticationToken = new LoginAuthenticationToken(proxyChain.get(0), authenticationResponse.getExpiration(), certificateIdentityProvider.getClass().getName());
+ loginAuthenticationToken = new LoginAuthenticationToken(proxyChain.get(0), authenticationResponse.getExpiration(), authenticationResponse.getIssuer());
}
// generate JWT for response
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
index 8ee51d9..c023ce1 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
@@ -57,7 +57,7 @@ public class NiFiTestLoginIdentityProvider implements LoginIdentityProvider {
@Override
public AuthenticationResponse authenticate(LoginCredentials credentials) throws InvalidLoginCredentialsException, IdentityAccessException {
checkUser(credentials.getUsername(), credentials.getPassword());
- return new AuthenticationResponse(credentials.getUsername(), credentials.getUsername(), TimeUnit.MILLISECONDS.convert(1, TimeUnit.DAYS));
+ return new AuthenticationResponse(credentials.getUsername(), credentials.getUsername(), TimeUnit.MILLISECONDS.convert(1, TimeUnit.DAYS), getClass().getSimpleName());
}
@Override
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509IdentityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509IdentityProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509IdentityProvider.java
index 75a94d3..cae1134 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509IdentityProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509IdentityProvider.java
@@ -31,7 +31,9 @@ import org.springframework.security.web.authentication.preauth.x509.X509Principa
public class X509IdentityProvider {
private static final Logger logger = LoggerFactory.getLogger(X509IdentityProvider.class);
-
+
+ private final String issuer = getClass().getSimpleName();
+
private X509CertificateValidator certificateValidator;
private X509PrincipalExtractor principalExtractor;
@@ -77,7 +79,7 @@ public class X509IdentityProvider {
}
// build the authentication response
- return new AuthenticationResponse(principal, principal, TimeUnit.MILLISECONDS.convert(1, TimeUnit.DAYS));
+ return new AuthenticationResponse(principal, principal, TimeUnit.MILLISECONDS.convert(1, TimeUnit.DAYS), issuer);
}
/* setters */
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
index 8f2450c..49dd3a0 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
@@ -519,6 +519,9 @@ div.search-glass-pane {
float: left;
margin-right: 8px;
font-weight: bold;
+ max-width: 250px;
+ text-overflow: ellipsis;
+ overflow: hidden;
}
#utilities-container {
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
index 9202819..d71c8ef 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
@@ -155,7 +155,7 @@ nf.Common = (function () {
}
// set the interval to one hour
- var interval = 10 * nf.Common.MILLIS_PER_MINUTE;
+ var interval = nf.Common.MILLIS_PER_MINUTE;
var checkExpiration = function () {
var expiration = nf.Storage.getItemExpiration('jwt');
@@ -166,7 +166,7 @@ nf.Common = (function () {
var now = new Date();
// get the time remainging plus a little bonus time to reload the token
- var timeRemaining = expirationDate.valueOf() - now.valueOf() - nf.Common.MILLIS_PER_MINUTE;
+ var timeRemaining = expirationDate.valueOf() - now.valueOf() - (30 * nf.Common.MILLIS_PER_SECOND);
if (timeRemaining < interval) {
if ($('#current-user').text() !== nf.Common.ANONYMOUS_USER_TEXT && !$('#anonymous-user-alert').is(':visible')) {
// if the token will expire before the next interval minus some bonus time, notify the user to re-login
@@ -320,9 +320,6 @@ nf.Common = (function () {
// show the error pane
$('#message-pane').show();
-
- // close the canvas
- nf.Common.closeCanvas();
} else {
nf.Dialog.showOkDialog({
dialogContent: 'Your session has expired. Please press Ok to log in again.',
@@ -332,6 +329,9 @@ nf.Common = (function () {
}
});
}
+
+ // close the canvas
+ nf.Common.closeCanvas();
return;
}
@@ -424,19 +424,18 @@ nf.Common = (function () {
* Closes the canvas by removing the splash screen and stats poller.
*/
closeCanvas: function () {
+ if (nf.Storage.getItem('jwt') === null) {
+ $('#user-logout-container').hide();
+ } else {
+ $('#user-logout-container').show();
+ }
+
// ensure this javascript has been loaded in the nf canvas page
if (nf.Common.isDefinedAndNotNull(nf.Canvas)) {
// hide the splash screen if required
if ($('#splash').is(':visible')) {
nf.Canvas.hideSplash();
}
-
- // update the log out link accordingly
- if (nf.Storage.getItem('jwt') === null) {
- $('#user-logout-container').hide();
- } else {
- $('#user-logout-container').show();
- }
// hide the context menu
nf.ContextMenu.hide();
http://git-wip-us.apache.org/repos/asf/nifi/blob/3da19813/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
index cbd5ea4..f3abdb0 100644
--- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java
@@ -66,10 +66,12 @@ public class LdapProvider implements LoginIdentityProvider {
private static final String TLS = "TLS";
private AbstractLdapAuthenticationProvider provider;
+ private String issuer;
private long expiration;
@Override
public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException {
+ this.issuer = getClass().getSimpleName();
}
@Override
@@ -251,9 +253,9 @@ public class LdapProvider implements LoginIdentityProvider {
// attempt to get the ldap user details to get the DN
if (authentication.getPrincipal() instanceof LdapUserDetails) {
final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
- return new AuthenticationResponse(userDetails.getDn(), credentials.getUsername(), expiration);
+ return new AuthenticationResponse(userDetails.getDn(), credentials.getUsername(), expiration, issuer);
} else {
- return new AuthenticationResponse(authentication.getName(), credentials.getUsername(), expiration);
+ return new AuthenticationResponse(authentication.getName(), credentials.getUsername(), expiration, issuer);
}
} catch (final CommunicationException | AuthenticationServiceException e) {
logger.error(e.getMessage());