You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2022/03/16 07:45:00 UTC
[GitHub] [knox] smolnar82 commented on a change in pull request #545: KNOX-2714 - Added doAs support to KnoxToken service
smolnar82 commented on a change in pull request #545:
URL: https://github.com/apache/knox/pull/545#discussion_r827708026
##########
File path: gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateServiceMessages.java
##########
@@ -246,4 +246,7 @@
@Message(level = MessageLevel.ERROR, text = "An error occurred while fetching tokens for user {0} from the database : {1}")
void errorFetchingTokensForUserFromDatabase(String userName, String errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e);
+
+ @Message(level = MessageLevel.ERROR, text = "An error occurred while fetching 'doAs' tokens for user {0} from the database : {1}")
Review comment:
Ack.
##########
File path: gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
##########
@@ -140,15 +139,9 @@ public void doFilter(ServletRequest request, ServletResponse response,
private String getAccessToken(final String principalName, String serviceName, long expires) {
String accessToken = null;
- Principal p = new Principal() {
- @Override
- public String getName() {
- return principalName;
- }
- };
JWT token;
try {
- final JWTokenAttributes jwtAttributes = new JWTokenAttributesBuilder().setPrincipal(p).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
+ final JWTokenAttributes jwtAttributes = new JWTokenAttributesBuilder().setUserName(principalName).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
Review comment:
It's actually the name of the user principal who creates the token. I can rename this variable if you want.
The change here is that instead of saving the entire `Principal` object we only save the principal name as `userName` in the token.
##########
File path: gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
##########
@@ -672,7 +682,24 @@ private Response getAuthenticationToken() {
.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
JWTokenAuthority ts = services.getService(ServiceType.TOKEN_SERVICE);
- Principal p = request.getUserPrincipal();
+
+ String userName = request.getUserPrincipal().getName();
+ String createdBy = null;
+ // checking the doAs user only makes sense if tokens are managed (this is where we store the userName information)
+ if (tokenStateService != null) {
+ final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ if (doAsUser != null && !doAsUser.equals(userName)) {
+ try {
+ //this call will authorize the doAs request
+ AuthFilterUtils.getProxyRequest(request, doAsUser);
Review comment:
Ack.
##########
File path: gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
##########
@@ -65,7 +65,7 @@ public void doFilter(ServletRequest request, ServletResponse response,
principalName = mapper.mapUserPrincipal(principalName);
JWT authCode;
try {
- authCode = authority.issueToken(new JWTokenAttributesBuilder().setPrincipal(subject).setAlgorithm(signatureAlgorithm).build());
+ authCode = authority.issueToken(new JWTokenAttributesBuilder().setUserName(principalName).setAlgorithm(signatureAlgorithm).build());
Review comment:
The same as above.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@knox.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org