Posted to commits@knox.apache.org by lm...@apache.org on 2013/04/10 17:18:02 UTC
[2/2] git commit: Another iteration of work toward KNOX-37 in the
investigation of OAuth/OpenID for identity federation. Also fixed issues with
provider resolution by name and various refactorings.
Another iteration of work toward KNOX-37 in the investigation of OAuth/OpenID for identity federation. Also fixed issues with provider resolution by name and various refactorings.
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/61ca72e1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/61ca72e1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/61ca72e1
Branch: refs/heads/master
Commit: 61ca72e10893fac097643aab490147408a306046
Parents: eddbe54
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Apr 10 11:16:57 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Apr 10 11:16:57 2013 -0400
----------------------------------------------------------------------
.../gateway/deploy/impl/DeploymentContributor.java | 2 +-
.../gateway/filter/IdentityAssertionFilter.java | 99 -----------
.../filter/PseudoIdentityAssertionFilter.java | 56 ++++++
gateway-provider-security-jwt/pom.xml | 5 +
.../provider/federation/jwt/AccessToken.java | 87 +++++++++
.../provider/federation/jwt/JWTAuthority.java | 67 +++++++
.../federation/jwt/JWTProviderMessages.java | 36 ++++
.../gateway/provider/federation/jwt/JWTToken.java | 138 +++++++++++++++
.../deploy/JWTAccessTokenAssertionContributor.java | 63 +++++++
.../deploy/JWTAuthCodeAssertionContributor.java | 51 ++++++
.../jwt/deploy/JWTDeploymentContributor.java | 52 ------
.../jwt/deploy/JWTFederationContributor.java | 51 ++++++
.../jwt/filter/JWTAccessTokenAssertionFilter.java | 116 ++++++++++++
.../jwt/filter/JWTAuthCodeAssertionFilter.java | 35 ++++
.../federation/jwt/filter/JWTAuthority.java | 60 -------
.../federation/jwt/filter/JWTFederationFilter.java | 10 +-
.../federation/jwt/filter/JWTProviderMessages.java | 36 ----
.../provider/federation/jwt/filter/JWTToken.java | 138 ---------------
...op.gateway.deploy.ProviderDeploymentContributor | 3 +-
.../gateway/provider/federation/JWTTokenTest.java | 2 +-
.../gateway/filter/PostAuthenticationFilter.java | 74 ++++----
.../org/apache/hadoop/gateway/GatewayServer.java | 3 -
.../gateway/deploy/DeploymentContextImpl.java | 6 +-
.../gateway/services/DefaultGatewayServices.java | 4 -
.../services/GatewayServicesContextListener.java | 2 +-
.../gateway/topology/xml/XmlTopologyRules.java | 1 +
.../gateway/deploy/DeploymentFactoryTest.java | 9 +-
.../gateway/hdfs/HdfsDeploymentContributor.java | 3 +-
.../deploy/ServiceDeploymentContributorBase.java | 11 +-
.../security/AbstractIdentityAssertionFilter.java | 90 ++++++++++
.../hadoop/gateway/security/GroupPrincipal.java | 32 ++++
.../hadoop/gateway/security/PrimaryPrincipal.java | 33 ++++
.../security/principal/SimplePrincipalMapper.java | 2 +-
.../hadoop/gateway/services/GatewayServices.java | 4 +
.../apache/hadoop/gateway/topology/Topology.java | 9 +-
.../hadoop/gateway/GatewayBasicFuncTest.java | 10 +-
gateway-util-common/pom.xml | 4 +
.../org/apache/hadoop/gateway/util/JsonUtils.java | 72 ++++++++
.../apache/hadoop/gateway/util/JsonUtilsTest.java | 49 +++++
pom.xml | 13 ++-
40 files changed, 1086 insertions(+), 452 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
index 9140fcb..da47313 100644
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/deploy/impl/DeploymentContributor.java
@@ -31,7 +31,7 @@ import java.util.List;
public class DeploymentContributor extends ProviderDeploymentContributorBase {
- private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.IdentityAssertionFilter";
+ private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.PseudoIdentityAssertionFilter";
private static final String PRINCIPAL_MAPPING_PARAM_NAME = "principal.mapping";
@Override
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java
deleted file mode 100644
index 7f6b474..0000000
--- a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/IdentityAssertionFilter.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.filter;
-
-import org.apache.hadoop.gateway.security.principal.PrincipalMapper;
-import org.apache.hadoop.gateway.security.principal.PrincipalMappingException;
-import org.apache.hadoop.gateway.security.principal.SimplePrincipalMapper;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Set;
-
-public class IdentityAssertionFilter implements Filter {
-
- private PrincipalMapper mapper = new SimplePrincipalMapper();
-
- @Override
- public void init( FilterConfig filterConfig ) throws ServletException {
- // load principal mappings
- String principalMapping = filterConfig.getServletContext().getInitParameter("principal.mapping");
- try {
- mapper.loadMappingTable(principalMapping);
- }
- catch (PrincipalMappingException pme) {
- // TODO: log this appropriately
- pme.printStackTrace();
- }
- }
-
- public void destroy() {
-
- }
-
- /**
- * Obtain the standard javax.security.auth.Subject, retrieve the caller principal, map
- * to the identity to be asserted as appropriate and create the provider specific
- * assertion token. Add the assertion token to the request.
- */
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
-// System.out.println("+++++++++++++ Identity Assertion Filtering");
- Subject subject = Subject.getSubject(AccessController.getContext());
-
- String principalName = getPrincipalName(subject);
- principalName = mapper.mapPrincipal(principalName);
-// System.out.println("+++++++++++++ Identity Assertion Filtering with Principal: " + principalName);
-
- IdentityAssertionHttpServletRequestWrapper wrapper =
- new IdentityAssertionHttpServletRequestWrapper(
- (HttpServletRequest)request,
- principalName);
- chain.doFilter( wrapper, response );
- }
-
-
- /**
- * Retrieve the principal to represent the asserted identity from
- * the provided Subject.
- * @param subject
- * @return principalName
- */
- private String getPrincipalName(Subject subject) {
- // LJM TODO: this implementation assumes the first one found
- // should configure through context param based on knowledge
- // of the authentication provider in use
- String name = null;
- Set<Principal> principals = subject.getPrincipals();
- for (Principal p : principals) {
- name = p.getName();
- break;
- }
- return name;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java
new file mode 100644
index 0000000..dd08a01
--- /dev/null
+++ b/gateway-provider-identity-assertion-pseudo/src/main/java/org/apache/hadoop/gateway/filter/PseudoIdentityAssertionFilter.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.filter;
+
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+
+import java.io.IOException;
+import java.security.AccessController;
+
+public class PseudoIdentityAssertionFilter extends AbstractIdentityAssertionFilter {
+
+ /**
+ * Obtain the standard javax.security.auth.Subject, retrieve the caller principal, map
+ * to the identity to be asserted as appropriate and create the provider specific
+ * assertion token. Add the assertion token to the request.
+ */
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+// System.out.println("+++++++++++++ Identity Assertion Filtering");
+ Subject subject = Subject.getSubject(AccessController.getContext());
+
+ String principalName = getPrincipalName(subject);
+ principalName = mapper.mapPrincipal(principalName);
+// System.out.println("+++++++++++++ Identity Assertion Filtering with Principal: " + principalName);
+
+ IdentityAssertionHttpServletRequestWrapper wrapper =
+ new IdentityAssertionHttpServletRequestWrapper(
+ (HttpServletRequest)request,
+ principalName);
+ chain.doFilter( wrapper, response );
+ }
+
+}
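Review bot: `Subject.getSubject(AccessController.getContext())` in `doFilter` returns null when no authentication provider ahead of this filter has run the chain under a `Subject.doAs`, and that null goes straight into `getPrincipalName(subject)` (inherited from `AbstractIdentityAssertionFilter`, whose body is not in this hunk), so an unauthenticated request would surface as a NullPointerException rather than a deliberate rejection. A guard such as `if (subject == null) { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN); return; }` before the mapping makes the failure mode explicit and keeps the identity-assertion wrapper from ever being built with a null principal. The two commented-out `System.out.println` lines were carried over from the deleted `IdentityAssertionFilter` and should be dropped rather than kept as dead debug code.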
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/pom.xml b/gateway-provider-security-jwt/pom.xml
index e1d2d31..7364096 100644
--- a/gateway-provider-security-jwt/pom.xml
+++ b/gateway-provider-security-jwt/pom.xml
@@ -42,6 +42,11 @@
</dependency>
<dependency>
+ <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-util-common</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
new file mode 100644
index 0000000..219abbd
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/AccessToken.java
@@ -0,0 +1,87 @@
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import java.io.UnsupportedEncodingException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.services.security.EncryptionResult;
+
+public class AccessToken {
+ private static final String ENCRYPT_ACCESS_TOKENS = "encrypt_access_tokens";
+ private static final String GATEWAY = "__gateway";
+
+ private CryptoService crypto = null;
+ private String tokenStr = null;
+ private String principalName;
+ private long expires;
+
+ public AccessToken(CryptoService crypto, String principalName, long expires) {
+ this.crypto = crypto;
+ this.principalName = principalName;
+ this.expires = expires;
+ }
+
+ public String toString() {
+ if (tokenStr != null) {
+ return tokenStr;
+ }
+ String claims = principalName + "::" + expires;
+ EncryptionResult result;
+ try {
+ result = crypto.encryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS, claims.getBytes("UTF-8"));
+ tokenStr = Base64.encodeBase64URLSafeString(result.iv) + "+" +
+ Base64.encodeBase64URLSafeString(result.salt) + "+" +
+ Base64.encodeBase64URLSafeString(result.cipher);
+ } catch (UnsupportedEncodingException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ return tokenStr;
+ }
+
+ public static AccessToken parseToken(CryptoService crypto, String wireToken) {
+ AccessToken token = null;
+ String[] parts = wireToken.split("\\+");
+ byte[] bytes = crypto.decryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS, Base64.decodeBase64(parts[2]), Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]));
+
+ try {
+ String claims = new String(bytes, "UTF-8");
+ String[] claimz = claims.split("\\::");
+ token = new AccessToken(crypto, claimz[0], Long.parseLong(claimz[1]));
+ token.setTokenStr(wireToken);
+ } catch (UnsupportedEncodingException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ return token;
+ }
+
+ private void setTokenStr(String wireToken) {
+ this.tokenStr = wireToken;
+ }
+
+ public String getPrincipalName() {
+ return principalName;
+ }
+
+ public long getExpires() {
+ return expires;
+ }
+}
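Review bot: `parseToken` indexes `parts[0..2]` and `claimz[0..1]` without checking how many pieces the two `split` calls produced, so a truncated or tampered wire token fails with `ArrayIndexOutOfBoundsException` inside the filter instead of a clean rejection, and a principal name containing `::` shifts the expiry field. Whether `decryptForCluster` authenticates the ciphertext is not visible here; if it is unauthenticated symmetric encryption, the `principalName::expires` payload is malleable and `getExpires()` should not be trusted without an integrity check — worth confirming against the `CryptoService` implementation. The `UnsupportedEncodingException` branches cannot fire for UTF-8 and should not end in `printStackTrace()`. A defensive shape for the parser, splitting on the last `::` so the principal may contain the delimiter:

```java
public static AccessToken parseToken(CryptoService crypto, String wireToken) {
  String[] parts = wireToken.split("\\+");
  if (parts.length != 3) {
    return null; // malformed wire token; callers must treat null as "not authenticated"
  }
  byte[] bytes = crypto.decryptForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS,
      Base64.decodeBase64(parts[2]), Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]));
  if (bytes == null) {
    return null; // assumes decryptForCluster signals failure with null — confirm
  }
  String claims = new String(bytes, Charset.forName("UTF-8"));
  int sep = claims.lastIndexOf("::");
  if (sep < 0) {
    return null;
  }
  long expires;
  try {
    expires = Long.parseLong(claims.substring(sep + 2));
  } catch (NumberFormatException e) {
    return null;
  }
  AccessToken token = new AccessToken(crypto, claims.substring(0, sep), expires);
  token.setTokenStr(wireToken);
  return token;
}
```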
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
new file mode 100644
index 0000000..9c34773
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTAuthority.java
@@ -0,0 +1,67 @@
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.gateway.services.security.CryptoService;
+
+public class JWTAuthority {
+ private CryptoService crypto = null;
+
+ public JWTAuthority(CryptoService crypto) {
+ this.crypto = crypto;
+ }
+
+ public JWTToken issueToken(Subject subject, String algorithm, byte[] secret) {
+ Principal p = (Principal) subject.getPrincipals().toArray()[0];
+ String[] claimArray = new String[4];
+ claimArray[0] = "gateway";
+ claimArray[1] = p.getName();
+ // TODO: what do we need here and how do we determine what it should be?
+ claimArray[2] = "https://login.hadoop.example.org";
+ // TODO: make the validity period configurable
+ claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+
+ JWTToken token = null;
+ if ("RS256".equals(algorithm)) {
+ new JWTToken("RS256", claimArray);
+ signToken(token);
+ }
+ else {
+ // log inappropriate alg
+ }
+
+ return token;
+ }
+
+ private void signToken(JWTToken token) {
+ byte[] signature = null;
+ signature = crypto.sign("SHA256withRSA","gateway-identity",token.getPayloadToSign());
+ token.setSignaturePayload(signature);
+ }
+
+ public boolean verifyToken(JWTToken token) {
+ boolean rc = false;
+ rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
+ return rc;
+ }
+
+}
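Review bot: In `issueToken` the result of `new JWTToken("RS256", claimArray)` is discarded, so `token` is still null when `signToken(token)` dereferences it and the RS256 branch can never return a signed token; the line should read `token = new JWTToken("RS256", claimArray);`. Separately, `verifyToken` checks only the RSA signature: it never compares the `exp` claim with the current time or checks `iss`/`aud`, so a token stays usable past the 300-second window set in `issueToken` unless the calling filter (not in this hunk) does that check itself. The `secret` parameter is unused, the "log inappropriate alg" branch is empty, and `subject.getPrincipals().toArray()[0]` picks an arbitrary element of an unordered set, which the `PrimaryPrincipal` type this commit introduces looks intended to replace — confirm.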
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
new file mode 100644
index 0000000..f2234bc
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTProviderMessages.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+
+/**
+ *
+ */
+@Messages(logger="org.apache.hadoop.gateway")
+public interface JWTProviderMessages {
+
+ @Message( level = MessageLevel.DEBUG, text = "Rendering JWT Token for the wire: {0}" )
+ void renderingJWTTokenForTheWire(String string);
+
+ @Message( level = MessageLevel.DEBUG, text = "Parsing JWT Token from the wire: {0}" )
+ void parsingToken(String wireToken);
+
+}
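Review bot: Both messages log the complete token string — `renderingJWTTokenForTheWire` the freshly signed JWT and `parsingToken` the inbound wire token — so enabling DEBUG on `org.apache.hadoop.gateway` writes bearer credentials that remain valid for their whole lifetime into the gateway log. Logging only the header and claims segments, or a short fingerprint, keeps the diagnostic value; for example `text = "Parsing JWT Token from the wire (signature omitted): {0}"` with the caller passing the first two dot-separated segments. At minimum, a comment on the interface should warn that these messages carry credentials so nobody promotes them above DEBUG.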
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
new file mode 100644
index 0000000..edc46fe
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTToken.java
@@ -0,0 +1,138 @@
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt;
+
+import java.io.UnsupportedEncodingException;
+import java.text.MessageFormat;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
+
+import com.jayway.jsonpath.JsonPath;
+
+public class JWTToken {
+ private static final String headerTemplate = "'{'\"alg\": \"{0}\"'}'";
+ private static final String claimTemplate = "'{'\"iss\": \"{0}\", \"prn\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
+ public static final String PRINCIPAL = "prn";
+ public static final String ISSUER = "iss";
+ public static final String AUDIENCE = "aud";
+ public static final String EXPIRES = "exp";
+ private static JWTProviderMessages log = MessagesFactory.get( JWTProviderMessages.class );
+
+ public String header = null;
+ public String claims = null;
+
+ byte[] payload = null;
+
+ public JWTToken(byte[] header, byte[] claims, byte[] signature) {
+ try {
+ this.header = new String(header, "UTF-8");
+ this.claims = new String(claims, "UTF-8");
+ this.payload = signature;
+ } catch (UnsupportedEncodingException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ }
+
+ public JWTToken(String alg, String[] claimsArray) {
+ MessageFormat headerFormatter = new MessageFormat(headerTemplate);
+ String[] algArray = new String[1];
+ algArray[0] = alg;
+ header = headerFormatter.format(algArray);
+
+ MessageFormat claimsFormatter = new MessageFormat(claimTemplate);
+ claims = claimsFormatter.format(claimsArray);
+ }
+
+ public String getPayloadToSign() {
+ StringBuffer sb = new StringBuffer();
+ try {
+ sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
+ sb.append(".");
+ sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
+ } catch (UnsupportedEncodingException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+
+ return sb.toString();
+ }
+
+ public String toString() {
+ StringBuffer sb = new StringBuffer();
+ try {
+ sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
+ sb.append(".");
+ sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
+ sb.append(".");
+ sb.append(Base64.encodeBase64URLSafeString(payload));
+ } catch (UnsupportedEncodingException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+
+ log.renderingJWTTokenForTheWire(sb.toString());
+
+ return sb.toString();
+ }
+
+ public void setSignaturePayload(byte[] payload) {
+ this.payload = payload;
+ }
+
+ public byte[] getSignaturePayload() {
+ return this.payload;
+ }
+
+ public static JWTToken parseToken(String wireToken) {
+ JWTToken token = null;
+ log.parsingToken(wireToken);
+ String[] parts = wireToken.split("\\.");
+ token = new JWTToken(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
+// System.out.println("header: " + token.header);
+// System.out.println("claims: " + token.claims);
+// System.out.println("payload: " + new String(token.payload));
+
+ return token;
+ }
+
+ public String getClaim(String claimName) {
+ String claim = null;
+
+ claim = JsonPath.read(claims, "$." + claimName);
+
+ return claim;
+ }
+
+ public String getPrincipal() {
+ return getClaim(JWTToken.PRINCIPAL);
+ }
+
+ public String getIssuer() {
+ return getClaim(JWTToken.ISSUER);
+ }
+
+ public String getAudience() {
+ return getClaim(JWTToken.AUDIENCE);
+ }
+
+ public String getExpires() {
+ return getClaim(JWTToken.EXPIRES);
+ }
+}
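Review bot: The `claimTemplate` and `headerTemplate` formats interpolate `alg` and the four claim values into JSON text with no escaping, so a principal name containing `"` or `\` (the `p.getName()` value JWTAuthority passes in) yields malformed JSON or lets the value close the `prn` member and append members of its own; build the claims with a JSON serializer instead of `MessageFormat` — the `JsonUtils` class this commit adds to gateway-util-common may be the intended tool, though its API is not visible here. `parseToken` indexes `parts[0..2]` without checking that `split("\\.")` produced three segments, so a malformed token throws `ArrayIndexOutOfBoundsException` in the filter; add `if (parts.length != 3) throw new IllegalArgumentException("malformed JWT");` before the constructor call. `exp` is also emitted as a quoted string whereas JWT defines it as a numeric date, which will matter as soon as anything other than this class verifies these tokens.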
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java
new file mode 100644
index 0000000..3920225
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAccessTokenAssertionContributor.java
@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
+
+import java.util.List;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class JWTAccessTokenAssertionContributor extends
+ ProviderDeploymentContributorBase {
+ private static final String ENCRYPT_ACCESS_TOKENS = "encrypt_access_tokens";
+ private static final String GATEWAY = "__gateway";
+ private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTAccessTokenAssertionFilter";
+ private CryptoService crypto;
+
+ @Override
+ public String getRole() {
+ return "identity-assertion";
+ }
+
+ @Override
+ public String getName() {
+ return "JWTAccessTokenAsserter";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ // TODO Auto-generated method stub
+ super.initializeContribution(context);
+ crypto.createAndStoreEncryptionKeyForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS);
+ }
+
+ @Override
+ public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+ resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+ }
+
+ public void setCryptoService(CryptoService crypto) {
+ this.crypto = crypto;
+ }
+}
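Review bot: `initializeContribution` dereferences `crypto`, but nothing in this class obtains a `CryptoService` from the `DeploymentContext` — it is only set through `setCryptoService`, and no caller of that setter appears in this commit — so the first deployment fails with a NullPointerException unless the provider-loading code (not shown) injects it beforehand. `createAndStoreEncryptionKeyForCluster(GATEWAY, ENCRYPT_ACCESS_TOKENS)` also runs on every contribution; if that call replaces an existing key rather than keeping it, every access token issued before a redeploy becomes undecryptable, which is worth confirming against the `CryptoService` implementation and guarding with an existence check. The `GATEWAY` and `ENCRYPT_ACCESS_TOKENS` constants duplicate those in `AccessToken`; a single shared definition prevents the two from drifting, and the `// TODO Auto-generated method stub` comment should be removed.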
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java
new file mode 100644
index 0000000..72e8f1c
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTAuthCodeAssertionContributor.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.util.List;
+
+public class JWTAuthCodeAssertionContributor extends ProviderDeploymentContributorBase {
+
+ private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTAuthCodeAssertionFilter";
+
+ @Override
+ public String getRole() {
+ return "identity-assertion";
+ }
+
+ @Override
+ public String getName() {
+ return "JWTAuthCodeAsserter";
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java
deleted file mode 100644
index 32ac572..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTDeploymentContributor.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-import org.jboss.shrinkwrap.api.asset.StringAsset;
-
-import java.util.List;
-
-public class JWTDeploymentContributor extends ProviderDeploymentContributorBase {
-
- private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.authn.jwt.filter.JWTFederationFilter";
-
- @Override
- public String getRole() {
- return "federation";
- }
-
- @Override
- public String getName() {
- return "JWTProvider";
- }
-
- @Override
- public void contributeProvider( DeploymentContext context, Provider provider ) {
- }
-
- @Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
- resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java
new file mode 100644
index 0000000..466ae6b
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/deploy/JWTFederationContributor.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.deploy;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+import java.util.List;
+
+public class JWTFederationContributor extends ProviderDeploymentContributorBase {
+
+ private static final String FILTER_CLASSNAME = "org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTFederationFilter";
+
+ @Override
+ public String getRole() {
+ return "federation";
+ }
+
+ @Override
+ public String getName() {
+ return "JWTProvider";
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+ }
+}
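Review bot: `FILTER_CLASSNAME` at line 849 is a string literal naming a class in this same module, which is exactly how the deleted JWTDeploymentContributor came to point at a non-existent `org.apache.hadoop.gateway.provider.authn.jwt.filter.JWTFederationFilter` (line 790) without any compile-time complaint. Since JWTFederationFilter is in gateway-provider-security-jwt as well, `private static final String FILTER_CLASSNAME = JWTFederationFilter.class.getName();` with the matching import turns a mistyped package into a build failure instead of a deployment-time one; the same applies to JWTAuthCodeAssertionContributor at line 730. The empty `contributeProvider` body at lines 862-863 would also read better with a one-line comment such as `// nothing to contribute at provider level; the filter is added per resource in contributeFilter` so it is not mistaken for an unfinished stub.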
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
new file mode 100644
index 0000000..f179932
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.filter;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.AccessController;
+import java.util.HashMap;
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+import org.apache.hadoop.gateway.provider.federation.jwt.AccessToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
+import org.apache.hadoop.gateway.services.GatewayServices;
+import org.apache.hadoop.gateway.services.security.CryptoService;
+import org.apache.hadoop.gateway.util.JsonUtils;
+
+public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilter {
+ private static final String EXPIRES_IN = "expires_in";
+ private static final String TOKEN_TYPE = "token_type";
+ private static final String ACCESS_TOKEN = "access_token";
+ private static final String BEARER = "Bearer ";
+ private long validity;
+ private CryptoService crypto = null;
+
+ @Override
+ public void init( FilterConfig filterConfig ) throws ServletException {
+ super.init(filterConfig);
+ String validityStr = filterConfig.getInitParameter("validity");
+ if (validityStr == null) {
+ validityStr = "3600"; // 1 hr. in secs
+ }
+ validity = Long.parseLong(validityStr);
+
+ GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+ crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+ String jsonResponse = null;
+
+ String header = ((HttpServletRequest) request).getHeader("Authorization");
+ if (header != null && header.startsWith(BEARER)) {
+ // what follows the bearer designator should be the JWT token being used to request or as an access token
+ String wireToken = header.substring(BEARER.length());
+ JWTToken token = JWTToken.parseToken(wireToken);
+
+ // authorization of the user for the requested service (and resource?) should have been done by
+ // the JWTFederationFilter - once we get here we can assume that it is authorized and we just need
+ // to assert the identity via an access token
+
+ Subject subject = Subject.getSubject(AccessController.getContext());
+ String principalName = getPrincipalName(subject);
+ principalName = mapper.mapPrincipal(principalName);
+
+ // calculate expiration timestamp: validity * 1000 + currentTimeInMillis
+ long expires = System.currentTimeMillis() + validity * 1000;
+
+ String accessToken = getAccessToken(principalName, expires);
+
+ HashMap<String, Object> map = new HashMap<String, Object>();
+ // TODO: populate map from JWT authorization code
+ map.put(ACCESS_TOKEN, accessToken);
+ map.put(TOKEN_TYPE, BEARER);
+ map.put(EXPIRES_IN, expires);
+
+ jsonResponse = JsonUtils.renderAsJsonString(map);
+
+ response.getWriter().write(jsonResponse);
+ response.getWriter().flush();
+ return; // break filter chain
+ }
+ else {
+ // no token provided in header
+ // something is really wrong since the JWTFederationFilter should have verified its existence already
+ // TODO: may have to check cookie and url as well before sending error
+ ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ return; //break filter chain
+ }
+ }
+
+ private String getAccessToken(String principalName, long expires) {
+ String accessToken = null;
+
+ AccessToken token = new AccessToken(crypto, principalName, expires);
+ accessToken = token.toString();
+
+ return accessToken;
+ }
+
+}
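Review bot: The token response assembled at lines 965-967 stores the absolute millisecond timestamp `expires` under `expires_in` and the constant `BEARER`, which carries a trailing space, under `token_type`; RFC 6749 section 5.1 defines `expires_in` as the remaining lifetime in seconds and `token_type` as the bare scheme name, so a conforming client will compute an expiry far in the future and see a token type that does not equal `Bearer`. Use `map.put(TOKEN_TYPE, "Bearer");` and `map.put(EXPIRES_IN, validity);` (the absolute `expires` still belongs in the AccessToken itself). The JSON is written at line 971 with no content type and no cache directives, and the same section requires `Cache-Control: no-store` and `Pragma: no-cache` on token responses, so set those plus `application/json` on the HttpServletResponse before writing. The `JWTToken token` parsed at line 948 is never read and `UnsupportedEncodingException` is imported but unused; if parseToken is meant as a sanity check on the presented token its result should be examined, otherwise drop both.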
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
new file mode 100644
index 0000000..7dfacb5
--- /dev/null
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation.jwt.filter;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.apache.hadoop.gateway.filter.security.AbstractIdentityAssertionFilter;
+
+public class JWTAuthCodeAssertionFilter extends AbstractIdentityAssertionFilter {
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+ }
+}
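Review bot: `doFilter` at lines 1033-1035 has an empty body, so a request that reaches this filter is neither forwarded with `chain.doFilter(request, response)` nor answered with an error and completes as an empty 200 response. The contributor that would mount it, JWTAuthCodeAssertionContributor, is not listed in the ProviderDeploymentContributor services file in this commit, so the filter appears unreachable for now; even so, a placeholder that fails closed is the safer default, e.g. `((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_IMPLEMENTED);` together with a `// TODO: auth-code assertion not implemented yet` comment so the stub is not taken for a deliberate pass-through.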
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java
deleted file mode 100644
index 8471ee0..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAuthority.java
+++ /dev/null
@@ -1,60 +0,0 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt.filter;
-
-import java.security.Principal;
-
-import javax.security.auth.Subject;
-
-import org.apache.hadoop.gateway.services.security.CryptoService;
-
-public class JWTAuthority {
- private CryptoService crypto = null;
-
- public JWTAuthority(CryptoService crypto) {
- this.crypto = crypto;
- }
-
- public JWTToken issueToken(Subject subject) {
- Principal p = (Principal) subject.getPrincipals().toArray()[0];
- String[] claimArray = new String[4];
- claimArray[0] = "gateway";
- claimArray[1] = p.getName();
- // TODO: what do we need here and how do we determine what it should be?
- claimArray[2] = "https://login.hadoop.example.org";
- // TODO: make the validity period configurable
- claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
-
- JWTToken token = new JWTToken("RS256", claimArray);
- signToken(token);
-
- return token;
- }
-
- private void signToken(JWTToken token) {
- byte[] signature = null;
- signature = crypto.sign("SHA256withRSA","gateway-identity",token.getPayloadToSign());
- token.setSignaturePayload(signature);
- }
-
- public boolean verifyToken(JWTToken token) {
- boolean rc = false;
- rc = crypto.verify("SHA256withRSA", "gateway-identity", token.getPayloadToSign(), token.getSignaturePayload());
- return rc;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 64d6a01..26f1d7b 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -29,6 +29,10 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTAuthority;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
+
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
@@ -40,14 +44,13 @@ import java.util.Set;
public class JWTFederationFilter implements Filter {
private static final String BEARER = "Bearer ";
- private static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
private JWTAuthority authority = null;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
- GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GATEWAY_SERVICES_ATTRIBUTE);
- CryptoService crypto = (CryptoService) services.getService("CryptoService");
+ GatewayServices services = (GatewayServices) filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+ CryptoService crypto = (CryptoService) services.getService(GatewayServices.CRYPTO_SERVICE);
authority = new JWTAuthority(crypto);
}
@@ -65,6 +68,7 @@ public class JWTFederationFilter implements Filter {
if (verified) {
// TODO: validate expiration
// TODO: confirm that audience matches intended target
+ // TODO: verify that the user requesting access to the service/resource is authorized for it - need scopes?
Subject subject = createSubjectFromToken(token);
continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response, chain);
}
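Review bot: The TODO added at line 1139 sits beside the two existing ones at lines 1137-1138, and after this hunk a token whose signature verifies is still accepted regardless of its `exp` or `aud` claim, so a signed-but-expired token establishes a security context. The deleted JWTToken exposed `getExpires()` holding seconds since the epoch (lines 1085 and 1329-1331); assuming the relocated class keeps that accessor, the expiration check is two lines, `long exp = Long.parseLong(token.getExpires()) * 1000L;` and `if (verified && exp > System.currentTimeMillis()) {`, with the rejection presumably handled by the existing else branch outside the hunk. The hunk at lines 1129-1132 replacing the local attribute and service-name literals with `GatewayServices` constants is the right direction for the provider-resolution fix mentioned in the commit message. The enclosing doFilter method starts and ends outside this hunk.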
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java
deleted file mode 100644
index 8e58c42..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTProviderMessages.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt.filter;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-
-/**
- *
- */
-@Messages(logger="org.apache.hadoop.gateway")
-public interface JWTProviderMessages {
-
- @Message( level = MessageLevel.DEBUG, text = "Rendering JWT Token for the wire: {0}" )
- void renderingJWTTokenForTheWire(String string);
-
- @Message( level = MessageLevel.DEBUG, text = "Parsing JWT Token from the wire: {0}" )
- void parsingToken(String wireToken);
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java
deleted file mode 100644
index 4da185d..0000000
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTToken.java
+++ /dev/null
@@ -1,138 +0,0 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.provider.federation.jwt.filter;
-
-import java.io.UnsupportedEncodingException;
-import java.text.MessageFormat;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
-
-import com.jayway.jsonpath.JsonPath;
-
-public class JWTToken {
- private static final String headerTemplate = "'{'\"alg\": \"{0}\"'}'";
- private static final String claimTemplate = "'{'\"iss\": \"{0}\", \"prn\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
- public static final String PRINCIPAL = "prn";
- public static final String ISSUER = "iss";
- public static final String AUDIENCE = "aud";
- public static final String EXPIRES = "exp";
- private static JWTProviderMessages log = MessagesFactory.get( JWTProviderMessages.class );
-
- public String header = null;
- public String claims = null;
-
- byte[] payload = null;
-
- public JWTToken(byte[] header, byte[] claims, byte[] signature) {
- try {
- this.header = new String(header, "UTF-8");
- this.claims = new String(claims, "UTF-8");
- this.payload = signature;
- } catch (UnsupportedEncodingException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
- }
-
- public JWTToken(String alg, String[] claimsArray) {
- MessageFormat headerFormatter = new MessageFormat(headerTemplate);
- String[] algArray = new String[1];
- algArray[0] = alg;
- header = headerFormatter.format(algArray);
-
- MessageFormat claimsFormatter = new MessageFormat(claimTemplate);
- claims = claimsFormatter.format(claimsArray);
- }
-
- public String getPayloadToSign() {
- StringBuffer sb = new StringBuffer();
- try {
- sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
- sb.append(".");
- sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
- } catch (UnsupportedEncodingException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
-
- return sb.toString();
- }
-
- public String toString() {
- StringBuffer sb = new StringBuffer();
- try {
- sb.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
- sb.append(".");
- sb.append(Base64.encodeBase64URLSafeString(claims.getBytes("UTF-8")));
- sb.append(".");
- sb.append(Base64.encodeBase64URLSafeString(payload));
- } catch (UnsupportedEncodingException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
-
- log.renderingJWTTokenForTheWire(sb.toString());
-
- return sb.toString();
- }
-
- public void setSignaturePayload(byte[] payload) {
- this.payload = payload;
- }
-
- public byte[] getSignaturePayload() {
- return this.payload;
- }
-
- public static JWTToken parseToken(String wireToken) {
- JWTToken token = null;
- log.parsingToken(wireToken);
- String[] parts = wireToken.split("\\.");
- token = new JWTToken(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
- System.out.println("header: " + token.header);
- System.out.println("claims: " + token.claims);
- System.out.println("payload: " + new String(token.payload));
-
- return token;
- }
-
- public String getClaim(String claimName) {
- String claim = null;
-
- claim = JsonPath.read(claims, "$." + claimName);
-
- return claim;
- }
-
- public String getPrincipal() {
- return getClaim(JWTToken.PRINCIPAL);
- }
-
- public String getIssuer() {
- return getClaim(JWTToken.ISSUER);
- }
-
- public String getAudience() {
- return getClaim(JWTToken.AUDIENCE);
- }
-
- public String getExpires() {
- return getClaim(JWTToken.EXPIRES);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
index 58c6bf7..5915713 100644
--- a/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ b/gateway-provider-security-jwt/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -16,4 +16,5 @@
# limitations under the License.
##########################################################################
-org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTDeploymentContributor
\ No newline at end of file
+org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTFederationContributor
+org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTAccessTokenAssertionContributor
\ No newline at end of file
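Review bot: JWTAuthCodeAssertionContributor, added in this commit, is not registered here, so the service-loader lookup that presumably reads this file will not discover it and the `JWTAuthCodeAsserter` provider name cannot be resolved from a topology. If that is intentional until the filter is implemented, a comment saying so would help; otherwise add `org.apache.hadoop.gateway.provider.federation.jwt.deploy.JWTAuthCodeAssertionContributor`. The file still ends without a trailing newline, which is why both sides of the hunk carry the no-newline marker.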
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
index c651bd2..41214e2 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
@@ -18,7 +18,7 @@
package org.apache.hadoop.gateway.provider.federation;
import junit.framework.TestCase;
-import org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTToken;
+import org.apache.hadoop.gateway.provider.federation.jwt.JWTToken;
import org.junit.Test;
public class JWTTokenTest extends TestCase {
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
index bdd7154..8b10c15 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/PostAuthenticationFilter.java
@@ -1,37 +1,39 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package org.apache.hadoop.gateway.filter;
- import org.apache.shiro.SecurityUtils;
- import org.apache.shiro.subject.Subject;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import java.io.IOException;
- import java.security.Principal;
- import java.security.PrivilegedExceptionAction;
- import java.util.HashSet;
- import java.util.Set;
- import java.util.concurrent.Callable;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.Callable;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
public class PostAuthenticationFilter implements Filter {
@@ -74,15 +76,11 @@ public class PostAuthenticationFilter implements Filter {
final String principal = (String) shiroSubject.getPrincipal();
HashSet emptySet = new HashSet();
Set<Principal> principals = new HashSet<Principal>();
- Principal p = new Principal() {
- @Override
- public String getName() {
- // TODO Auto-generated method stub
- return principal;
- }
- };
+ Principal p = new PrimaryPrincipal(principal);
principals.add(p);
+ // TODO: add groups through extended JndiLdapRealm implementation once Jira KNOX-4 is resolved
+
// The newly constructed Sets check whether this Subject has been set read-only
// before permitting subsequent modifications. The newly created Sets also prevent
// illegal modifications by ensuring that callers have sufficient permissions.
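Review bot: `new PrimaryPrincipal(principal)` on the added line is built from a Shiro principal that is never checked for null, and PrimaryPrincipal's constructor (added in this same commit) does not reject null either, so an unauthenticated or oddly-configured realm would produce a Subject whose primary principal name is null and which downstream identity-assertion filters would then assert as the effective user. I would guard before constructing it: `if (principal == null) { throw new ServletException("Authenticated subject has no principal"); }` or otherwise fail the request rather than continue. The TODO about groups is fine to keep, but it should reference that GroupPrincipal currently discards its name (see the new GroupPrincipal class) so nobody wires it in before that is fixed. The enclosing method starts outside this hunk, so the exact failure mode on null is inferred, not visible here.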
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
index ef923da..b443040 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/GatewayServer.java
@@ -59,9 +59,6 @@ import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
public class GatewayServer {
-
- public static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
-
private static GatewayResources res = ResourcesFactory.get( GatewayResources.class );
private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
private static GatewayServer server;
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
index 7e599fd..59480ce 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/deploy/DeploymentContextImpl.java
@@ -118,9 +118,9 @@ public class DeploymentContextImpl implements DeploymentContext {
List<FilterParamDescriptor> params ) {
ProviderDeploymentContributor contributor = DeploymentFactory.getProviderContributor( providers, role, name );
Provider provider = getTopology().getProvider( role, name );
- if( provider == null ) {
- provider = getTopology().getProvider( role, null );
- }
+// if( provider != null ) {
+// System.out.println("=================== provider found by name: " + name + " with actual name of: " + provider.getName());
+// }
if( provider == null ) {
provider = new Provider();
provider.setRole( role );
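Review bot: The three commented-out `System.out.println` debugging lines replacing the old fallback should be deleted rather than committed; dead diagnostic code that dumps provider names to stdout tends to get uncommented in production. Note also that removing the `getProvider( role, null )` fallback changes resolution semantics: a topology that declared a provider for this role without a matching name now falls through to the synthesized default `Provider` below rather than the named-less one it previously resolved to, which for security roles such as authentication or identity-assertion silently swaps in a different filter. If that is intended, a one-line comment stating it (`// no by-name match: fall back to a role-only default provider`) would help the next reader; if not, the fallback should be restored. The enclosing method's signature and remainder are outside this hunk.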
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
index fcd3f66..fddf865 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/DefaultGatewayServices.java
@@ -42,10 +42,6 @@ import org.apache.hadoop.gateway.services.security.impl.JettySSLService;
import org.apache.hadoop.gateway.topology.Provider;
public class DefaultGatewayServices implements Service, ProviderDeploymentContributor, GatewayServices {
- private static final String SSL_SERVICE = "SSLService";
- public static final String CRYPTO_SERVICE = "CryptoService";
- public static final String ALIAS_SERVICE = "AliasService";
-
private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
private Map<String,Service> services = new HashMap<String, Service>();
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
index fa08377..b313c3b 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/GatewayServicesContextListener.java
@@ -27,7 +27,7 @@ public class GatewayServicesContextListener implements ServletContextListener {
@Override
public void contextInitialized(ServletContextEvent sce) {
GatewayServices gs = GatewayServer.getGatewayServices();
- sce.getServletContext().setAttribute(GatewayServer.GATEWAY_SERVICES_ATTRIBUTE, gs);
+ sce.getServletContext().setAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE, gs);
}
@Override
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
index 9f46441..c6913d3 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/topology/xml/XmlTopologyRules.java
@@ -47,6 +47,7 @@ public class XmlTopologyRules extends AbstractRulesModule {
forPattern( ROOT_TAG + "/" + PROVIDER_TAG ).createObject().ofType( Provider.class ).then().setNext( "addProvider" );
forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + ROLE_TAG ).setBeanProperty();
forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + ENABLED_TAG ).setBeanProperty();
+ forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + NAME_TAG ).setBeanProperty();
forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + PARAM_TAG ).createObject().ofType( ProviderParam.class ).then().setNext( "addParam" );
forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + PARAM_TAG + "/" + NAME_TAG ).setBeanProperty();
forPattern( ROOT_TAG + "/" + PROVIDER_TAG + "/" + PARAM_TAG + "/" + VALUE_TAG ).setBeanProperty();
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java b/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
index ad0821a..e1643a6 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
@@ -82,6 +82,11 @@ public class DeploymentFactoryTest {
param.setValue( "classpath:app-context-security.xml" );
provider.addParam( param );
topology.addProvider( provider );
+ Provider asserter = new Provider();
+ asserter.setRole( "identity-assertion" );
+ asserter.setName("Pseudo");
+ asserter.setEnabled( true );
+ topology.addProvider( asserter );
WebArchive war = DeploymentFactory.createDeployment( config, topology );
//File dir = new File( System.getProperty( "user.dir" ) );
@@ -113,7 +118,7 @@ public class DeploymentFactoryTest {
assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter" ) ) );
assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/role", equalTo( "identity-assertion" ) ) );
- assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter" ) ) );
+ assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.PseudoIdentityAssertionFilter" ) ) );
assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/role", equalTo( "dispatch" ) ) );
assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/name", equalTo( "http-client" ) ) );
@@ -135,7 +140,7 @@ public class DeploymentFactoryTest {
assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter" ) ) );
assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/role", equalTo( "identity-assertion" ) ) );
- assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter" ) ) );
+ assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.PseudoIdentityAssertionFilter" ) ) );
assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/role", equalTo( "dispatch" ) ) );
assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/name", equalTo( "http-client" ) ) );
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java b/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
index 721d8f0..49a26b2 100644
--- a/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
+++ b/gateway-service-hdfs/src/main/java/org/apache/hadoop/gateway/hdfs/HdfsDeploymentContributor.java
@@ -24,6 +24,7 @@ import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRuleDescriptor;
import org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteRulesDescriptor;
import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteActionRewriteDescriptorExt;
import org.apache.hadoop.gateway.filter.rewrite.ext.UrlRewriteMatchDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
import org.apache.hadoop.gateway.topology.Service;
import java.net.URISyntaxException;
@@ -132,7 +133,7 @@ public class HdfsDeploymentContributor extends ServiceDeploymentContributorBase
}
private void addDispatchFilter(
- DeploymentContext context, Service service, ResourceDescriptor resource, String role, String name ) {
+ DeploymentContext context, Service service, ResourceDescriptor resource, String role, String name ) {
context.contributeFilter( service, resource, role, name, null );
}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
index 28d6db7..fbd9865 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/deploy/ServiceDeploymentContributorBase.java
@@ -32,13 +32,20 @@ public abstract class ServiceDeploymentContributorBase extends DeploymentContrib
}
protected boolean topologyContainsProviderType(DeploymentContext context, String role) {
+ Provider provider = getProviderByRole(context, role);
+ return (provider != null);
+ }
+
+ protected Provider getProviderByRole(DeploymentContext context, String role) {
+ Provider p = null;
Collection<Provider> providers = context.getTopology().getProviders();
for (Provider provider : providers) {
if (role.equals(provider.getRole())) {
- return true;
+ p = provider;
+ break;
}
}
- return false;
+ return p;
}
}
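Review bot: `getProviderByRole` silently returns the first provider whose role matches, so a topology that declares two providers for the same role (for example two identity-assertion providers) will have one of them ignored with no diagnostic, and which one depends on the iteration order of `getProviders()`. At minimum the Javadoc should say so (`/** Returns the first provider declared for {@code role}, or null; duplicates are not detected. */`); better, log or reject duplicates since for security roles the choice is security-relevant. Stylistically the `p`/`break` pattern can be collapsed to `if (role.equals(provider.getRole())) { return provider; }` with `return null;` after the loop, and `role.equals(...)` should probably be null-guarded or flipped since `role` is a caller-supplied string.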
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
new file mode 100644
index 0000000..4e4a5ed
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.java
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.filter.security;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.hadoop.gateway.security.principal.PrincipalMapper;
+import org.apache.hadoop.gateway.security.principal.PrincipalMappingException;
+import org.apache.hadoop.gateway.security.principal.SimplePrincipalMapper;
+
+public abstract class AbstractIdentityAssertionFilter implements Filter {
+
+ protected PrincipalMapper mapper = new SimplePrincipalMapper();
+
+ public AbstractIdentityAssertionFilter() {
+ super();
+ }
+
+ protected void loadPrincipalMappings(FilterConfig filterConfig) {
+ String principalMapping = filterConfig.getServletContext().getInitParameter("principal.mapping");
+ if (principalMapping != null && !principalMapping.isEmpty()) {
+ try {
+ mapper.loadMappingTable(principalMapping);
+ }
+ catch (PrincipalMappingException pme) {
+ // TODO: log this appropriately
+ pme.printStackTrace();
+ }
+ }
+ }
+
+ /**
+ * Retrieve the principal to represent the asserted identity from
+ * the provided Subject.
+ * @param subject
+ * @return principalName
+ */
+ protected String getPrincipalName(Subject subject) {
+ // look first for the knox specific PrimaryPrincipal to use as the asserted identity
+ // if not found fallback to the first principal found
+ String name = null;
+ Set<PrimaryPrincipal> primaryPrincipals = subject.getPrincipals(PrimaryPrincipal.class);
+ if (primaryPrincipals.size() > 0) {
+ return ((PrimaryPrincipal)primaryPrincipals.toArray()[0]).getName();
+ }
+
+ // LJM TODO: this implementation assumes the first one found
+ // should configure through context param based on knowledge
+ // of the authentication provider in use
+ Set<Principal> principals = subject.getPrincipals();
+ for (Principal p : principals) {
+ name = p.getName();
+ break;
+ }
+ return name;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // load principal mappings
+ loadPrincipalMappings(filterConfig);
+ }
+
+ public void destroy() {
+
+ }
+
+}
\ No newline at end of file
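Review bot: `loadPrincipalMappings` catches `PrincipalMappingException`, prints the stack trace and continues, so a malformed `principal.mapping` value leaves the filter running with an empty mapping table (SimplePrincipalMapper clears it on failure) — an identity-assertion filter that was configured to remap identities will silently pass them through unmapped, which is the opposite of fail-closed. I would rethrow from init so deployment fails visibly: declare `protected void loadPrincipalMappings(FilterConfig filterConfig) throws ServletException` and replace the catch body with `throw new ServletException("Unable to load principal.mapping configuration", pme);`. In `getPrincipalName`, the fallback to the first element of `subject.getPrincipals()` is order-dependent on a Set and should be documented as such (`// fallback is non-deterministic if the authentication provider attaches more than one Principal`) or replaced with an explicit configured principal class as the TODO already suggests. Also `mapper` is a mutable protected field shared by every request; marking it `protected final` costs nothing and makes the intent clear.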
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java
new file mode 100644
index 0000000..e822269
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/GroupPrincipal.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security;
+
+import java.security.Principal;
+
+public class GroupPrincipal implements Principal {
+ private String name = null;
+
+ public GroupPrincipal(String name) {
+
+ }
+
+ public String getName() {
+ return name;
+ }
+}
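Review bot: The `GroupPrincipal` constructor ignores its `name` argument, so every instance answers `getName()` with null; the body should be `this.name = name;` as in the sibling PrimaryPrincipal. Any group-based authorization built on this class would see null group names and either NPE or match nothing, so this should be fixed before the KNOX-4 group work referenced in PostAuthenticationFilter lands. While here, add `@Override` to `getName()` and consider `equals`/`hashCode` based on `name`, since these principals are stored in a `HashSet<Principal>` where identity-based equality allows duplicates.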
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java
new file mode 100644
index 0000000..b6affad
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/PrimaryPrincipal.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security;
+
+import java.security.Principal;
+
+public class PrimaryPrincipal implements Principal {
+ private String name = null;
+
+ public PrimaryPrincipal(String name) {
+ this.name = name;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+}
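Review bot: `PrimaryPrincipal` accepts a null `name` and has no `equals`/`hashCode`/`toString`, yet it is stored in a `HashSet<Principal>` and its `getName()` is what AbstractIdentityAssertionFilter asserts as the effective identity. I would reject null up front with `this.name = Objects.requireNonNull(name, "principal name");` (java.util.Objects is standard library), add `@Override` on `getName()`, and implement `equals`/`hashCode` over `name` so two assertions of the same user compare equal in a principal set. A short class Javadoc stating that this marks the one principal Knox treats as the asserted identity would also help, since that contract currently lives only in a comment in the abstract filter.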
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
index 08a1d12..b3770e6 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/security/principal/SimplePrincipalMapper.java
@@ -52,7 +52,7 @@ public class SimplePrincipalMapper implements PrincipalMapper {
// do not leave table in an unknown state - clear it instead
// no principal mapping will occur
table.clear();
- throw new PrincipalMappingException("Unable to load mappings from provided string - no principal mapping will be provided.");
+ throw new PrincipalMappingException("Unable to load mappings from provided string: " + principalMapping + " - no principal mapping will be provided.");
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/61ca72e1/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
index c7b8640..f13fe33 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/GatewayServices.java
@@ -21,6 +21,10 @@ import java.util.Collection;
public interface GatewayServices {
+ public static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
+ public static final String SSL_SERVICE = "SSLService";
+ public static final String CRYPTO_SERVICE = "CryptoService";
+ public static final String ALIAS_SERVICE = "AliasService";
public abstract Collection<String> getServiceNames();