diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml index 69a01c6f2c..2cbcd425c1 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml @@ -50,10 +50,6 @@ org.apache.nifi nifi-properties - - org.apache.nifi - nifi-security-utils - com.h2database h2 @@ -78,10 +74,6 @@ org.aspectj aspectjweaver - - org.springframework.security - spring-security-core - org.apache.commons commons-collections4 diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/IdpDataSourceFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/IdpDataSourceFactoryBean.java deleted file mode 100644 index 8ccf71873f..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/IdpDataSourceFactoryBean.java +++ /dev/null 
@@ -1,152 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin; - -import org.apache.commons.lang3.StringUtils; -import org.apache.nifi.util.NiFiProperties; -import org.h2.jdbcx.JdbcConnectionPool; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.FactoryBean; - -import java.io.File; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; - -public class IdpDataSourceFactoryBean implements FactoryBean { - - private static final Logger logger = LoggerFactory.getLogger(IdpDataSourceFactoryBean.class); - private static final String NF_USERNAME_PASSWORD = "nf"; - private static final int MAX_CONNECTIONS = 5; - - // database file name - private static final String IDP_DATABASE_FILE_NAME = "nifi-identity-providers"; - - // ---------- - // idp tables - // ---------- - - private static final String IDP_USER_GROUP_TABLE_NAME = "IDENTITY_PROVIDER_USER_GROUP"; - - private static final String CREATE_IDP_USER_GROUP_TABLE = "CREATE TABLE " + IDP_USER_GROUP_TABLE_NAME + " (" - + "ID INT NOT NULL PRIMARY KEY AUTO_INCREMENT, " - + "IDENTITY VARCHAR2(4096) NOT NULL, " - + "IDP_TYPE 
VARCHAR2(200) NOT NULL, " - + "GROUP_NAME VARCHAR2(4096) NOT NULL, " - + "CREATED TIMESTAMP NOT NULL, " - + "CONSTRAINT UK__IDENTITY_GROUP_NAME UNIQUE (IDENTITY, GROUP_NAME)" + - ")"; - - private JdbcConnectionPool connectionPool; - - private NiFiProperties properties; - - @Override - public JdbcConnectionPool getObject() throws Exception { - if (connectionPool == null) { - - // locate the repository directory - String repositoryDirectoryPath = properties.getProperty(NiFiProperties.REPOSITORY_DATABASE_DIRECTORY); - - // ensure the repository directory is specified - if (repositoryDirectoryPath == null) { - throw new NullPointerException("Database directory must be specified."); - } - - // create a handle to the repository directory - File repositoryDirectory = new File(repositoryDirectoryPath); - - // create a handle to the database directory and file - File dbFileNoExtension = new File(repositoryDirectory, IDP_DATABASE_FILE_NAME); - String databaseUrl = getDatabaseUrl(dbFileNoExtension); - - // create the pool - connectionPool = JdbcConnectionPool.create(databaseUrl, NF_USERNAME_PASSWORD, NF_USERNAME_PASSWORD); - connectionPool.setMaxConnections(MAX_CONNECTIONS); - - Connection connection = null; - ResultSet rs = null; - Statement statement = null; - try { - // get a connection - connection = connectionPool.getConnection(); - connection.setAutoCommit(false); - - // create a statement for creating/updating the database - statement = connection.createStatement(); - - // determine if the idp tables need to be created - rs = connection.getMetaData().getTables(null, null, IDP_USER_GROUP_TABLE_NAME, null); - if (!rs.next()) { - statement.execute(CREATE_IDP_USER_GROUP_TABLE); - } - - // commit any changes - connection.commit(); - } catch (SQLException sqle) { - RepositoryUtils.rollback(connection, logger); - throw sqle; - } finally { - RepositoryUtils.closeQuietly(rs); - RepositoryUtils.closeQuietly(statement); - RepositoryUtils.closeQuietly(connection); - } - } - - 
return connectionPool; - } - - private String getDatabaseUrl(File databaseFile) { - String databaseUrl = "jdbc:h2:" + databaseFile + ";AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3"; - String databaseUrlAppend = properties.getProperty(NiFiProperties.H2_URL_APPEND); - if (StringUtils.isNotBlank(databaseUrlAppend)) { - databaseUrl += databaseUrlAppend; - } - return databaseUrl; - } - - @Override - public Class getObjectType() { - return JdbcConnectionPool.class; - } - - @Override - public boolean isSingleton() { - return true; - } - - public void setProperties(NiFiProperties properties) { - this.properties = properties; - } - - public void shutdown() { - // shutdown the connection pool - if (connectionPool != null) { - try { - connectionPool.dispose(); - } catch (Exception e) { - logger.warn("Unable to dispose of connection pool: " + e.getMessage()); - if (logger.isDebugEnabled()) { - logger.warn(StringUtils.EMPTY, e); - } - } - } - } - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DAOFactory.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DAOFactory.java index 0d2ca9ddc6..0635179ccc 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DAOFactory.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DAOFactory.java @@ -22,7 +22,4 @@ package org.apache.nifi.admin.dao; public interface DAOFactory { ActionDAO getActionDAO(); - - IdpUserGroupDAO getIdpUserGroupDAO(); - } 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DataAccessException.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DataAccessException.java index 05bf4afa49..8fe1f8e9ed 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DataAccessException.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/DataAccessException.java @@ -32,8 +32,4 @@ public class DataAccessException extends RuntimeException { public DataAccessException(String message) { super(message); } - - public DataAccessException() { - } - } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/IdpUserGroupDAO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/IdpUserGroupDAO.java deleted file mode 100644 index 34b5b90a75..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/IdpUserGroupDAO.java +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.dao; - -import org.apache.nifi.idp.IdpUserGroup; - -import java.util.List; - -public interface IdpUserGroupDAO { - - IdpUserGroup createUserGroup(IdpUserGroup userGroup) throws DataAccessException; - - List createUserGroups(List userGroups) throws DataAccessException; - - IdpUserGroup findUserGroupById(int id) throws DataAccessException; - - List findUserGroupsByIdentity(String identity) throws DataAccessException; - - int deleteUserGroupById(int id) throws DataAccessException; - - int deleteUserGroupsByIdentity(String identity) throws DataAccessException; - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/DAOFactoryImpl.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/DAOFactoryImpl.java index f2b01a73b9..f6ebd151c3 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/DAOFactoryImpl.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/DAOFactoryImpl.java @@ -18,7 +18,6 @@ package org.apache.nifi.admin.dao.impl; import org.apache.nifi.admin.dao.ActionDAO; import org.apache.nifi.admin.dao.DAOFactory; -import org.apache.nifi.admin.dao.IdpUserGroupDAO; import java.sql.Connection; @@ -37,9 +36,4 @@ public class DAOFactoryImpl implements DAOFactory { public ActionDAO getActionDAO() { return new StandardActionDAO(connection); } - - @Override - public IdpUserGroupDAO getIdpUserGroupDAO() { - return new StandardIdpUserGroupDAO(connection); - } } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardIdpUserGroupDAO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardIdpUserGroupDAO.java deleted file mode 100644 index dd171b3bd3..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/dao/impl/StandardIdpUserGroupDAO.java +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.dao.impl; - -import org.apache.nifi.admin.RepositoryUtils; -import org.apache.nifi.admin.dao.DataAccessException; -import org.apache.nifi.admin.dao.IdpUserGroupDAO; -import org.apache.nifi.idp.IdpType; -import org.apache.nifi.idp.IdpUserGroup; - -import java.sql.Connection; -import java.sql.PreparedStatement; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; - -public class StandardIdpUserGroupDAO implements IdpUserGroupDAO { - - private static final String INSERT_USER_GROUP = "INSERT INTO IDENTITY_PROVIDER_USER_GROUP " + - "(IDENTITY, IDP_TYPE, GROUP_NAME, CREATED) VALUES (?, ?, ?, ?)"; - - private static final String SELECT_USER_GROUP_BY_ID = "SELECT ID, IDENTITY, IDP_TYPE, GROUP_NAME, CREATED " + - "FROM IDENTITY_PROVIDER_USER_GROUP " + - "WHERE ID =?"; - - private static final String SELECT_USER_GROUP_BY_IDENTITY = "SELECT ID, IDENTITY, IDP_TYPE, GROUP_NAME, CREATED " + - "FROM IDENTITY_PROVIDER_USER_GROUP " + - "WHERE IDENTITY =?"; - - private static final String DELETE_USER_GROUPS_BY_ID = "DELETE FROM 
IDENTITY_PROVIDER_USER_GROUP " + - "WHERE ID = ?"; - - private static final String DELETE_USER_GROUPS_BY_IDENTITY = "DELETE FROM IDENTITY_PROVIDER_USER_GROUP " + - "WHERE IDENTITY = ?"; - - private final Connection connection; - - public StandardIdpUserGroupDAO(final Connection connection) { - this.connection = connection; - } - - @Override - public IdpUserGroup createUserGroup(final IdpUserGroup userGroup) throws DataAccessException { - if (userGroup == null) { - throw new IllegalArgumentException("UserGroup cannot be null"); - } - - PreparedStatement statement = null; - ResultSet rs = null; - try { - // populate the parameters - statement = connection.prepareStatement(INSERT_USER_GROUP, Statement.RETURN_GENERATED_KEYS); - populateStatement(statement, userGroup); - - // execute the insert - int updateCount = statement.executeUpdate(); - rs = statement.getGeneratedKeys(); - - // verify the results - if (updateCount == 1 && rs.next()) { - userGroup.setId(rs.getInt(1)); - return userGroup; - } else { - throw new DataAccessException("Unable to save IDP User Group."); - } - } catch (SQLException sqle) { - throw new DataAccessException(sqle); - } finally { - RepositoryUtils.closeQuietly(rs); - RepositoryUtils.closeQuietly(statement); - } - } - - @Override - public List createUserGroups(final List userGroups) throws DataAccessException { - if (userGroups == null) { - throw new IllegalArgumentException("UserGroups cannot be null"); - } - - PreparedStatement statement = null; - ResultSet rs = null; - try { - // populate the parameters - statement = connection.prepareStatement(INSERT_USER_GROUP, Statement.RETURN_GENERATED_KEYS); - - for (final IdpUserGroup userGroup : userGroups) { - populateStatement(statement, userGroup); - statement.addBatch(); - } - - int[] updateCounts = statement.executeBatch(); - if (updateCounts.length != userGroups.size()) { - throw new DataAccessException("Unable to save IDP User Groups"); - } - - for (int i=0; i < updateCounts.length; i++) { - if 
(updateCounts[i] == 0) { - throw new DataAccessException("Unable to save IDP User Groups"); - } - } - - rs = statement.getGeneratedKeys(); - - int count = 0; - while (rs.next()) { - final int id = rs.getInt(1); - final IdpUserGroup userGroup = userGroups.get(count); - userGroup.setId(id); - count++; - } - - } catch (SQLException sqle) { - throw new DataAccessException(sqle); - } finally { - RepositoryUtils.closeQuietly(rs); - RepositoryUtils.closeQuietly(statement); - } - - return userGroups; - } - - private void populateStatement(PreparedStatement statement, IdpUserGroup userGroup) throws SQLException { - statement.setString(1, userGroup.getIdentity()); - statement.setString(2, userGroup.getType().name()); - statement.setString(3, userGroup.getGroupName()); - statement.setTimestamp(4, new java.sql.Timestamp(userGroup.getCreated().getTime())); - } - - @Override - public IdpUserGroup findUserGroupById(final int id) throws DataAccessException { - IdpUserGroup userGroup = null; - - PreparedStatement statement = null; - ResultSet rs = null; - try { - // set parameters - statement = connection.prepareStatement(SELECT_USER_GROUP_BY_ID); - statement.setInt(1, id); - - // execute the query - rs = statement.executeQuery(); - - // if the group was found, add it - if (rs.next()) { - userGroup = new IdpUserGroup(); - populateUserGroup(rs, userGroup); - } - } catch (SQLException sqle) { - throw new DataAccessException(sqle); - } finally { - RepositoryUtils.closeQuietly(rs); - RepositoryUtils.closeQuietly(statement); - } - - return userGroup; - } - - @Override - public List findUserGroupsByIdentity(final String identity) throws DataAccessException { - final List userGroups = new ArrayList<>(); - - PreparedStatement statement = null; - ResultSet rs = null; - try { - // set parameters - statement = connection.prepareStatement(SELECT_USER_GROUP_BY_IDENTITY); - statement.setString(1, identity); - - // execute the query - rs = statement.executeQuery(); - - // add any found groups to 
the result list - while (rs.next()) { - final IdpUserGroup userGroup = new IdpUserGroup(); - populateUserGroup(rs, userGroup); - userGroups.add(userGroup); - } - } catch (SQLException sqle) { - throw new DataAccessException(sqle); - } finally { - RepositoryUtils.closeQuietly(rs); - RepositoryUtils.closeQuietly(statement); - } - - return userGroups; - } - - @Override - public int deleteUserGroupById(int id) throws DataAccessException { - PreparedStatement statement = null; - try { - statement = connection.prepareStatement(DELETE_USER_GROUPS_BY_ID); - statement.setInt(1, id); - return statement.executeUpdate(); - } catch (SQLException sqle) { - throw new DataAccessException(sqle); - } catch (DataAccessException dae) { - throw dae; - } finally { - RepositoryUtils.closeQuietly(statement); - } - } - - @Override - public int deleteUserGroupsByIdentity(final String identity) throws DataAccessException { - PreparedStatement statement = null; - try { - statement = connection.prepareStatement(DELETE_USER_GROUPS_BY_IDENTITY); - statement.setString(1, identity); - return statement.executeUpdate(); - } catch (SQLException sqle) { - throw new DataAccessException(sqle); - } catch (DataAccessException dae) { - throw dae; - } finally { - RepositoryUtils.closeQuietly(statement); - } - } - - private void populateUserGroup(final ResultSet rs, final IdpUserGroup userGroup) throws SQLException { - userGroup.setId(rs.getInt("ID")); - userGroup.setIdentity(rs.getString("IDENTITY")); - userGroup.setType(IdpType.valueOf(rs.getString("IDP_TYPE"))); - userGroup.setGroupName(rs.getString("GROUP_NAME")); - userGroup.setCreated(new Date(rs.getTimestamp("CREATED").getTime())); - } -} 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/IdpUserGroupService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/IdpUserGroupService.java deleted file mode 100644 index 244de1d6ad..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/IdpUserGroupService.java +++ /dev/null 
@@ -1,71 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.service; - -import org.apache.nifi.idp.IdpType; -import org.apache.nifi.idp.IdpUserGroup; - -import java.util.List; -import java.util.Set; - -/** - * Manages IDP User Groups. - */ -public interface IdpUserGroupService { - - /** - * Creates the given user group. - * - * @param userGroup the user group to create - * @return the created user group - */ - IdpUserGroup createUserGroup(IdpUserGroup userGroup); - - /** - * Creates the given user groups. - * - * @param userGroups the user group to create - * @return the created user group - */ - List createUserGroups(List userGroups); - - /** - * Gets the user groups for the given identity. - * - * @param identity the user identity - * @return the list of user groups - */ - List getUserGroups(String identity); - - /** - * Deletes the user groups for the given identity. - * - * @param identity the user identity - */ - void deleteUserGroups(String identity); - - /** - * Replaces any existing groups for the given user identity with a new set specified by the set of group names. 
- * - * @param userIdentity the user identity - * @param idpType the idp type for the groups - * @param groupNames the group names, should already have identity mappings applied if necessary - * @return the created groups - */ - List replaceUserGroups(String userIdentity, IdpType idpType, Set groupNames); - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/CreateIdpUserGroup.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/CreateIdpUserGroup.java deleted file mode 100644 index 9c95c4f751..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/CreateIdpUserGroup.java +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.service.action; - -import org.apache.nifi.admin.dao.DAOFactory; -import org.apache.nifi.admin.dao.IdpUserGroupDAO; -import org.apache.nifi.idp.IdpUserGroup; - -public class CreateIdpUserGroup implements AdministrationAction { - - final IdpUserGroup userGroup; - - public CreateIdpUserGroup(final IdpUserGroup userGroup) { - this.userGroup = userGroup; - } - - @Override - public IdpUserGroup execute(DAOFactory daoFactory) { - final IdpUserGroupDAO userGroupDAO = daoFactory.getIdpUserGroupDAO(); - return userGroupDAO.createUserGroup(userGroup); - } - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/CreateIdpUserGroups.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/CreateIdpUserGroups.java deleted file mode 100644 index b6e319b1c4..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/CreateIdpUserGroups.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.service.action; - -import org.apache.nifi.admin.dao.DAOFactory; -import org.apache.nifi.admin.dao.IdpUserGroupDAO; -import org.apache.nifi.idp.IdpUserGroup; - -import java.util.List; - -public class CreateIdpUserGroups implements AdministrationAction> { - - private final List userGroups; - - public CreateIdpUserGroups(List userGroups) { - this.userGroups = userGroups; - } - - @Override - public List execute(DAOFactory daoFactory) { - final IdpUserGroupDAO userGroupDAO = daoFactory.getIdpUserGroupDAO(); - return userGroupDAO.createUserGroups(userGroups); - } -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/DeleteIdpUserGroupsByIdentity.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/DeleteIdpUserGroupsByIdentity.java deleted file mode 100644 index 2c6d0703fb..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/DeleteIdpUserGroupsByIdentity.java +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.service.action; - -import org.apache.nifi.admin.dao.DAOFactory; -import org.apache.nifi.admin.dao.IdpUserGroupDAO; - -public class DeleteIdpUserGroupsByIdentity implements AdministrationAction { - - final String identity; - - public DeleteIdpUserGroupsByIdentity(String identity) { - this.identity = identity; - } - - @Override - public Integer execute(DAOFactory daoFactory) { - final IdpUserGroupDAO userGroupDAO = daoFactory.getIdpUserGroupDAO(); - return userGroupDAO.deleteUserGroupsByIdentity(identity); - } -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/GetIdpUserGroupsByIdentity.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/GetIdpUserGroupsByIdentity.java deleted file mode 100644 index 6a51bc3c5c..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/action/GetIdpUserGroupsByIdentity.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.service.action; - -import org.apache.nifi.admin.dao.DAOFactory; -import org.apache.nifi.admin.dao.IdpUserGroupDAO; -import org.apache.nifi.idp.IdpUserGroup; - -import java.util.List; - -public class GetIdpUserGroupsByIdentity implements AdministrationAction> { - - final String identity; - - public GetIdpUserGroupsByIdentity(String identity) { - this.identity = identity; - } - - @Override - public List execute(DAOFactory daoFactory) { - final IdpUserGroupDAO userGroupDAO = daoFactory.getIdpUserGroupDAO(); - return userGroupDAO.findUserGroupsByIdentity(identity); - } -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/impl/StandardIdpUserGroupService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/impl/StandardIdpUserGroupService.java deleted file mode 100644 index 23facfc518..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/service/impl/StandardIdpUserGroupService.java +++ /dev/null 
@@ -1,247 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.admin.service.impl; - -import org.apache.nifi.admin.dao.DataAccessException; -import org.apache.nifi.admin.service.AdministrationException; -import org.apache.nifi.admin.service.IdpUserGroupService; -import org.apache.nifi.admin.service.action.CreateIdpUserGroup; -import org.apache.nifi.admin.service.action.CreateIdpUserGroups; -import org.apache.nifi.admin.service.action.DeleteIdpUserGroupsByIdentity; -import org.apache.nifi.admin.service.action.GetIdpUserGroupsByIdentity; -import org.apache.nifi.admin.service.transaction.Transaction; -import org.apache.nifi.admin.service.transaction.TransactionBuilder; -import org.apache.nifi.admin.service.transaction.TransactionException; -import org.apache.nifi.idp.IdpType; -import org.apache.nifi.idp.IdpUserGroup; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; -import java.util.Set; -import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReentrantReadWriteLock; - -public class StandardIdpUserGroupService implements IdpUserGroupService { - - private 
static Logger LOGGER = LoggerFactory.getLogger(StandardIdpUserGroupService.class); - - private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock(); - private final Lock readLock = lock.readLock(); - private final Lock writeLock = lock.writeLock(); - - private TransactionBuilder transactionBuilder; - - @Override - public IdpUserGroup createUserGroup(final IdpUserGroup userGroup) { - Transaction transaction = null; - IdpUserGroup createdUserGroup; - - writeLock.lock(); - try { - // ensure the created date is set - if (userGroup.getCreated() == null) { - userGroup.setCreated(new Date()); - } - - // start the transaction - transaction = transactionBuilder.start(); - - // create the user group - final CreateIdpUserGroup action = new CreateIdpUserGroup(userGroup); - createdUserGroup = transaction.execute(action); - - // commit the transaction - transaction.commit(); - } catch (TransactionException | DataAccessException te) { - rollback(transaction); - throw new AdministrationException(te); - } catch (Throwable t) { - rollback(transaction); - throw t; - } finally { - closeQuietly(transaction); - writeLock.unlock(); - } - - return createdUserGroup; - } - - @Override - public List createUserGroups(final List userGroups) { - Transaction transaction = null; - List createdUserGroups; - - writeLock.lock(); - try { - // ensure the created date is set - for (final IdpUserGroup userGroup : userGroups) { - if (userGroup.getCreated() == null) { - userGroup.setCreated(new Date()); - } - } - - // start the transaction - transaction = transactionBuilder.start(); - - // create the user group - final CreateIdpUserGroups action = new CreateIdpUserGroups(userGroups); - createdUserGroups = transaction.execute(action); - - // commit the transaction - transaction.commit(); - } catch (TransactionException | DataAccessException te) { - rollback(transaction); - throw new AdministrationException(te); - } catch (Throwable t) { - rollback(transaction); - throw t; - } finally { - 
closeQuietly(transaction); - writeLock.unlock(); - } - - return createdUserGroups; - } - - @Override - public List getUserGroups(final String identity) { - Transaction transaction = null; - List userGroups; - - readLock.lock(); - try { - // start the transaction - transaction = transactionBuilder.start(); - - // get the user groups - final GetIdpUserGroupsByIdentity action = new GetIdpUserGroupsByIdentity(identity); - userGroups = transaction.execute(action); - - // commit the transaction - transaction.commit(); - } catch (TransactionException | DataAccessException te) { - rollback(transaction); - throw new AdministrationException(te); - } catch (Throwable t) { - rollback(transaction); - throw t; - } finally { - closeQuietly(transaction); - readLock.unlock(); - } - - return userGroups; - } - - @Override - public void deleteUserGroups(final String identity) { - Transaction transaction = null; - - writeLock.lock(); - try { - // start the transaction - transaction = transactionBuilder.start(); - - // delete the credential - final DeleteIdpUserGroupsByIdentity action = new DeleteIdpUserGroupsByIdentity(identity); - Integer rowsDeleted = transaction.execute(action); - LOGGER.debug("Deleted {} user groups for identity {}", rowsDeleted, identity); - - // commit the transaction - transaction.commit(); - } catch (TransactionException | DataAccessException te) { - rollback(transaction); - throw new AdministrationException(te); - } catch (Throwable t) { - rollback(transaction); - throw t; - } finally { - closeQuietly(transaction); - writeLock.unlock(); - } - } - - @Override - public List replaceUserGroups(final String userIdentity, final IdpType idpType, final Set groupNames) { - Transaction transaction = null; - List createdUserGroups; - - writeLock.lock(); - try { - // start the transaction - transaction = transactionBuilder.start(); - - // delete the existing groups - final DeleteIdpUserGroupsByIdentity deleteAction = new DeleteIdpUserGroupsByIdentity(userIdentity); - 
Integer rowsDeleted = transaction.execute(deleteAction); - LOGGER.debug("Deleted {} user groups for identity {}", rowsDeleted, userIdentity); - - // create the user groups - final List idpUserGroups = new ArrayList<>(); - for (final String groupName : groupNames) { - final IdpUserGroup idpUserGroup = new IdpUserGroup(); - idpUserGroup.setIdentity(userIdentity); - idpUserGroup.setType(idpType); - idpUserGroup.setGroupName(groupName); - idpUserGroup.setCreated(new Date()); - idpUserGroups.add(idpUserGroup); - LOGGER.debug("{} belongs to {}", userIdentity, groupName); - } - - final CreateIdpUserGroups createAction = new CreateIdpUserGroups(idpUserGroups); - createdUserGroups = transaction.execute(createAction); - - // commit the transaction - transaction.commit(); - } catch (TransactionException | DataAccessException te) { - rollback(transaction); - throw new AdministrationException(te); - } catch (Throwable t) { - rollback(transaction); - throw t; - } finally { - closeQuietly(transaction); - writeLock.unlock(); - } - - return createdUserGroups; - } - - private void rollback(final Transaction transaction) { - if (transaction != null) { - transaction.rollback(); - } - } - - private void closeQuietly(final Transaction transaction) { - if (transaction != null) { - try { - transaction.close(); - } catch (final IOException ioe) { - } - } - } - - public void setTransactionBuilder(TransactionBuilder transactionBuilder) { - this.transactionBuilder = transactionBuilder; - } - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/idp/IdpType.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/idp/IdpType.java deleted file mode 100644 index cc3c5ff0fa..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/idp/IdpType.java +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.idp; - -/** - * Types of identity providers. - */ -public enum IdpType { - - OIDC, - SAML; - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/idp/IdpUserGroup.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/idp/IdpUserGroup.java deleted file mode 100644 index 2daf0b6682..0000000000 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/idp/IdpUserGroup.java +++ /dev/null 
@@ -1,85 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.idp; - -import java.util.Date; - -public class IdpUserGroup { - - private int id; - private String identity; - private IdpType type; - private String groupName; - private Date created; - - public IdpUserGroup() { - - } - - public IdpUserGroup(int id, String identity, IdpType type, String groupName) { - this(id, identity, type, groupName, new Date()); - } - - public IdpUserGroup(int id, String identity, IdpType type, String groupName, Date created) { - this.id = id; - this.identity = identity; - this.type = type; - this.groupName = groupName; - this.created = created; - } - - public int getId() { - return id; - } - - public void setId(int id) { - this.id = id; - } - - public String getIdentity() { - return identity; - } - - public void setIdentity(String identity) { - this.identity = identity; - } - - public IdpType getType() { - return type; - } - - public void setType(IdpType type) { - this.type = type; - } - - public String getGroupName() { - return groupName; - } - - public void setGroupName(String groupName) { - this.groupName = groupName; - } - - public Date getCreated() { - return created; - } - - public void 
setCreated(Date created) { - this.created = created; - } - -} diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/resources/nifi-administration-context.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/resources/nifi-administration-context.xml index 25e219c5b1..f24ce960f3 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/resources/nifi-administration-context.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/resources/nifi-administration-context.xml @@ -23,29 +23,14 @@ - - - - - - - - - - - - - - - diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java index 911a7f767d..47a254a5bd 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java @@ -22,7 +22,6 @@ import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier; import com.nimbusds.jwt.proc.DefaultJWTProcessor; import com.nimbusds.jwt.proc.JWTClaimsSetVerifier; import com.nimbusds.jwt.proc.JWTProcessor; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.Authorizer; import org.apache.nifi.components.state.StateManager; import org.apache.nifi.components.state.StateManagerProvider; 
@@ -79,15 +78,14 @@ public class JwtAuthenticationSecurityConfiguration { SupportedClaim.EXPIRATION.getClaim(), SupportedClaim.NOT_BEFORE.getClaim(), SupportedClaim.ISSUED_AT.getClaim(), - SupportedClaim.JWT_ID.getClaim() + SupportedClaim.JWT_ID.getClaim(), + SupportedClaim.GROUPS.getClaim() )); private final NiFiProperties niFiProperties; private final Authorizer authorizer; - private final IdpUserGroupService idpUserGroupService; - private final StateManagerProvider stateManagerProvider; private final Duration keyRotationPeriod; @@ -96,12 +94,10 @@ public class JwtAuthenticationSecurityConfiguration { public JwtAuthenticationSecurityConfiguration( final NiFiProperties niFiProperties, final Authorizer authorizer, - final IdpUserGroupService idpUserGroupService, final StateManagerProvider stateManagerProvider ) { this.niFiProperties = niFiProperties; this.authorizer = authorizer; - this.idpUserGroupService = idpUserGroupService; this.stateManagerProvider = stateManagerProvider; this.keyRotationPeriod = niFiProperties.getSecurityUserJwsKeyRotationPeriod(); } @@ -180,7 +176,7 @@ public class JwtAuthenticationSecurityConfiguration { @Bean public StandardJwtAuthenticationConverter jwtAuthenticationConverter() { - return new StandardJwtAuthenticationConverter(authorizer, idpUserGroupService, niFiProperties); + return new StandardJwtAuthenticationConverter(authorizer, niFiProperties); } @Bean diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/OidcSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/OidcSecurityConfiguration.java index 14e99d50bf..850028c3ca 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/OidcSecurityConfiguration.java 
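Review bot: Adding `SupportedClaim.GROUPS.getClaim()` to this claim-name set changes which bearer tokens pass verification, and nothing in the hunk records that; if, as the DefaultJWTClaimsVerifier usage in this file suggests, this is the required-claims set, every token issued before this change and still within its expiration will be rejected after upgrade because it carries no `groups` claim. That is a defensible outcome (affected users authenticate once more), but it should be stated on the set, e.g. `// groups is required: StandardBearerTokenProvider always emits it, so tokens minted before the claim existed fail verification`. The declaration of the set begins outside the hunk, so the exact verifier argument it feeds cannot be confirmed from here.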
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/OidcSecurityConfiguration.java @@ -19,7 +19,6 @@ package org.apache.nifi.web.security.configuration; import com.github.benmanes.caffeine.cache.Cache; import com.github.benmanes.caffeine.cache.Caffeine; import okhttp3.OkHttpClient; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.util.IdentityMappingUtil; import org.apache.nifi.components.state.StateManager; import org.apache.nifi.components.state.StateManagerProvider; @@ -129,8 +128,6 @@ public class OidcSecurityConfiguration { private final BearerTokenResolver bearerTokenResolver; - private final IdpUserGroupService idpUserGroupService; - private final JwtDecoder jwtDecoder; private final LogoutRequestManager logoutRequestManager; @@ -142,7 +139,6 @@ public class OidcSecurityConfiguration { final PropertyEncryptor propertyEncryptor, final BearerTokenProvider bearerTokenProvider, final BearerTokenResolver bearerTokenResolver, - final IdpUserGroupService idpUserGroupService, final JwtDecoder jwtDecoder, final LogoutRequestManager logoutRequestManager ) { @@ -151,7 +147,6 @@ public class OidcSecurityConfiguration { this.propertyEncryptor = Objects.requireNonNull(propertyEncryptor, "Property Encryptor required"); this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required"); this.bearerTokenResolver = Objects.requireNonNull(bearerTokenResolver, "Bearer Token Resolver required"); - this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required"); this.jwtDecoder = Objects.requireNonNull(jwtDecoder, "JWT Decoder required"); this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required"); this.keyRotationPeriod = properties.getSecurityUserJwsKeyRotationPeriod(); 
@@ -261,7 +256,6 @@ public class OidcSecurityConfiguration { public LogoutSuccessHandler oidcLogoutSuccessHandler() { return new OidcLogoutSuccessHandler( logoutRequestManager, - idpUserGroupService, clientRegistrationRepository(), authorizedClientRepository(), tokenRevocationResponseClient() @@ -480,7 +474,6 @@ public class OidcSecurityConfiguration { return new OidcAuthenticationSuccessHandler( bearerTokenProvider, - idpUserGroupService, IdentityMappingUtil.getIdentityMappings(properties), IdentityMappingUtil.getGroupMappings(properties), userClaimNames, diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java index 8cc90d370c..bf43a4b291 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java @@ -18,7 +18,6 @@ package org.apache.nifi.web.security.configuration; import com.github.benmanes.caffeine.cache.Cache; import com.github.benmanes.caffeine.cache.Caffeine; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.util.IdentityMappingUtil; import org.apache.nifi.util.FormatUtils; import org.apache.nifi.util.NiFiProperties; 
@@ -93,19 +92,15 @@ public class SamlAuthenticationSecurityConfiguration { private final LogoutRequestManager logoutRequestManager; - private final IdpUserGroupService idpUserGroupService; - @Autowired public SamlAuthenticationSecurityConfiguration( final NiFiProperties properties, final BearerTokenProvider bearerTokenProvider, - final LogoutRequestManager logoutRequestManager, - final IdpUserGroupService idpUserGroupService + final LogoutRequestManager logoutRequestManager ) { this.properties = Objects.requireNonNull(properties, "Properties required"); this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required"); this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required"); - this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required"); } /** @@ -336,7 +331,7 @@ public class SamlAuthenticationSecurityConfiguration { */ @Bean public Saml2LogoutSuccessHandler saml2LogoutSuccessHandler() { - return new Saml2LogoutSuccessHandler(logoutRequestManager, idpUserGroupService); + return new Saml2LogoutSuccessHandler(logoutRequestManager); } /** @@ -373,7 +368,6 @@ public class SamlAuthenticationSecurityConfiguration { final String issuer = entityId == null ? Saml2RegistrationProperty.REGISTRATION_ID.getProperty() : entityId; final Saml2AuthenticationSuccessHandler handler = new Saml2AuthenticationSuccessHandler( bearerTokenProvider, - idpUserGroupService, IdentityMappingUtil.getIdentityMappings(properties), IdentityMappingUtil.getGroupMappings(properties), expiration, 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java index 035ab2561e..e5abdd1460 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java @@ -16,7 +16,6 @@ */ package org.apache.nifi.web.security.jwt.converter; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.Authorizer; import org.apache.nifi.authorization.user.NiFiUser; import org.apache.nifi.authorization.user.NiFiUserDetails; @@ -24,15 +23,16 @@ import org.apache.nifi.authorization.user.StandardNiFiUser; import org.apache.nifi.authorization.util.IdentityMapping; import org.apache.nifi.authorization.util.IdentityMappingUtil; import org.apache.nifi.authorization.util.UserGroupUtil; -import org.apache.nifi.idp.IdpUserGroup; import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.provider.SupportedClaim; import org.apache.nifi.web.security.token.NiFiAuthenticationToken; import org.springframework.core.convert.converter.Converter; import org.springframework.security.oauth2.jwt.Jwt; +import java.util.Collections; +import java.util.LinkedHashSet; import java.util.List; import java.util.Set; -import java.util.stream.Collectors; /** * Standard Converter from JSON Web Token to NiFi Authentication Token 
@@ -40,13 +40,10 @@ import java.util.stream.Collectors; public class StandardJwtAuthenticationConverter implements Converter { private final Authorizer authorizer; - private final IdpUserGroupService idpUserGroupService; - private final List identityMappings; - public StandardJwtAuthenticationConverter(final Authorizer authorizer, final IdpUserGroupService idpUserGroupService, final NiFiProperties properties) { + public StandardJwtAuthenticationConverter(final Authorizer authorizer, final NiFiProperties properties) { this.authorizer = authorizer; - this.idpUserGroupService = idpUserGroupService; this.identityMappings = IdentityMappingUtil.getIdentityMappings(properties); } @@ -65,16 +62,23 @@ public class StandardJwtAuthenticationConverter implements Converter providedGroups = getProvidedGroups(jwt); return new StandardNiFiUser.Builder() .identity(identity) .groups(UserGroupUtil.getUserGroups(authorizer, identity)) - .identityProviderGroups(getIdentityProviderGroups(identity)) + .identityProviderGroups(providedGroups) .build(); } - private Set getIdentityProviderGroups(final String identity) { - return idpUserGroupService.getUserGroups(identity).stream() - .map(IdpUserGroup::getGroupName) - .collect(Collectors.toSet()); + private Set getProvidedGroups(final Jwt jwt) { + final List claimGroups = jwt.getClaimAsStringList(SupportedClaim.GROUPS.getClaim()); + + final Set providedGroups; + if (claimGroups == null) { + providedGroups = Collections.emptySet(); + } else { + providedGroups = new LinkedHashSet<>(claimGroups); + } + return providedGroups; } } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProvider.java index aca6e40cf1..9ba3295faf 100644 
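Review bot: `getProvidedGroups` returns sets of different mutability depending on the branch — `Collections.emptySet()` is read-only while `new LinkedHashSet<>(claimGroups)` is not — and carries no comment explaining why the `groups` claim may be taken at face value. The value is trustworthy only because the `Jwt` handed to `convert` has already passed signature verification against NiFi's own signing keys (the decoder is configured outside this file), so a Javadoc on the method should say that the claim is NiFi-issued rather than copied from the upstream identity provider, and that an absent claim yields no identity-provider groups. Returning `Collections.unmodifiableSet(new LinkedHashSet<>(claimGroups))` makes both branches read-only. `Jwt.getClaimAsStringList` also performs a type conversion whose behaviour on a non-list value is not visible here; that is acceptable only because `StandardBearerTokenProvider` always writes a list, which is worth noting in the same comment. The enclosing `convert` method starts outside the hunk.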
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProvider.java @@ -28,15 +28,19 @@ import org.apache.nifi.web.security.jwt.jws.JwsSignerProvider; import org.apache.nifi.web.security.token.LoginAuthenticationToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.security.core.GrantedAuthority; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.time.Duration; import java.time.Instant; +import java.util.Collection; import java.util.Date; +import java.util.List; import java.util.Objects; import java.util.UUID; +import java.util.stream.Collectors; /** * Standard Bearer Token Provider supports returning serialized and signed JSON Web Tokens @@ -68,6 +72,7 @@ public class StandardBearerTokenProvider implements BearerTokenProvider { final String subject = Objects.requireNonNull(loginAuthenticationToken.getPrincipal(), "Principal required").toString(); final String username = loginAuthenticationToken.getName(); + final List groups = getGroups(loginAuthenticationToken.getAuthorities()); final String issuer = getUrlEncoded(loginAuthenticationToken.getIssuer()); final Date now = new Date(); final Date expirationTime = getExpirationTime(loginAuthenticationToken); @@ -80,6 +85,7 @@ public class StandardBearerTokenProvider implements BearerTokenProvider { .issueTime(now) .expirationTime(expirationTime) .claim(SupportedClaim.PREFERRED_USERNAME.getClaim(), username) + .claim(SupportedClaim.GROUPS.getClaim(), groups) .build(); return getSignedBearerToken(claims); } 
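Review bot: Writing `groups` into the signed claims at `.claim(SupportedClaim.GROUPS.getClaim(), groups)` moves group membership from server-side storage into the bearer token, and the hunk does not note two consequences. The token is delivered as a cookie, so a user with many mapped groups now grows the cookie by the length of every authority string; browsers cap a single cookie at roughly 4 KiB and silently drop larger ones, which would surface as an unexplained failure to stay logged in. The JWT payload is signed but not encrypted, so the browser and anything able to read the cookie can now see the full group list. A comment on the claim line such as `// groups are embedded in the token: large memberships grow the cookie and the list is readable by the holder` records both, and logging the serialized token length at the bearer-token boundary would make the first failure diagnosable.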
@@ -131,4 +137,8 @@ public class StandardBearerTokenProvider implements BearerTokenProvider { throw new IllegalArgumentException(String.format("URL Encoding [%s] Failed", string), e); } } + + private List getGroups(final Collection authorities) { + return authorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()); + } } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/SupportedClaim.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/SupportedClaim.java index d71e41d269..21d3f4dbce 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/SupportedClaim.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/SupportedClaim.java @@ -42,7 +42,10 @@ public enum SupportedClaim { JWT_ID("jti"), /** Preferred Username defined in OpenID Connect Core 1.0 Standard Claims */ - PREFERRED_USERNAME("preferred_username"); + PREFERRED_USERNAME("preferred_username"), + + /** RFC 7643 Section 4.1.2 */ + GROUPS("groups"); private final String claim; diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandler.java index 661feb79d8..905f816b88 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandler.java 
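Review bot: `getGroups` has no Javadoc although the class itself carries one, and its name hides that it emits raw `GrantedAuthority` strings rather than NiFi group identities, so any prefix or role convention applied upstream passes straight into the claim. Suggested: `/** Collect authority names from the authenticated login token for the groups claim; order and content are whatever the success handler supplied */`. If the module targets Java 16 or later, `.toList()` would replace `collect(Collectors.toList())` and the new `Collectors` import, but the language level is not visible here.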
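Review bot: The Javadoc on `GROUPS` cites only `RFC 7643 Section 4.1.2`, while the neighbouring `PREFERRED_USERNAME` entry explains what its claim means; a reader should not need the RFC to learn that this claim is produced by NiFi from the login token's authorities rather than copied from the identity provider. Suggested: `/** Group names for the user, after the SCIM User groups attribute in RFC 7643 Section 4.1.2; populated by NiFi from the authorities on the login token */`.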
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandler.java @@ -16,7 +16,6 @@ */ package org.apache.nifi.web.security.oidc.logout; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.web.security.cookie.ApplicationCookieName; import org.apache.nifi.web.security.cookie.ApplicationCookieService; import org.apache.nifi.web.security.cookie.StandardApplicationCookieService; @@ -71,8 +70,6 @@ public class OidcLogoutSuccessHandler implements LogoutSuccessHandler { private final LogoutRequestManager logoutRequestManager; - private final IdpUserGroupService idpUserGroupService; - private final ClientRegistrationRepository clientRegistrationRepository; private final OAuth2AuthorizedClientRepository authorizedClientRepository; 
@@ -83,20 +80,17 @@ public class OidcLogoutSuccessHandler implements LogoutSuccessHandler { * OpenID Connect Logout Success Handler with RP-Initiated Logout 1.0 and RFC 7009 Token Revocation * * @param logoutRequestManager Application Logout Request Manager - * @param idpUserGroupService User Group Service for clearing cached groups * @param clientRegistrationRepository OIDC Client Registry Repository for configuration information * @param authorizedClientRepository OIDC Authorized Client Repository for cached tokens * @param tokenRevocationResponseClient OIDC Revocation Response Client for revoking Refresh Tokens */ public OidcLogoutSuccessHandler( final LogoutRequestManager logoutRequestManager, - final IdpUserGroupService idpUserGroupService, final ClientRegistrationRepository clientRegistrationRepository, final OAuth2AuthorizedClientRepository authorizedClientRepository, final TokenRevocationResponseClient tokenRevocationResponseClient ) { this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required"); - this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required"); this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository, "Client Registration Repository required"); this.authorizedClientRepository = Objects.requireNonNull(authorizedClientRepository, "Authorized Client Repository required"); this.tokenRevocationResponseClient = Objects.requireNonNull(tokenRevocationResponseClient, "Revocation Response Client required"); @@ -123,7 +117,6 @@ public class OidcLogoutSuccessHandler implements LogoutSuccessHandler { targetUrl = getPostLogoutRedirectUri(request); } else { final String mappedUserIdentity = logoutRequest.getMappedUserIdentity(); - idpUserGroupService.deleteUserGroups(mappedUserIdentity); targetUrl = processLogoutRequest(request, response, requestIdentifier, mappedUserIdentity); } 
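Review bot: Removing `idpUserGroupService.deleteUserGroups(mappedUserIdentity)` leaves no server-side step on logout that ends group membership, because the groups now live inside the bearer token; whether that token is revoked or its cookie cleared is decided in `processLogoutRequest`, which is outside this hunk. The embedded groups therefore remain valid for as long as the token itself does, which matches the previous behaviour in substance but deserves a comment where the call was, e.g. `// identity provider groups travel in the bearer token; nothing to clear here beyond the token itself`. The enclosing method starts and ends outside the hunk.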
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandler.java index bd0967956f..8dbbc1c24b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandler.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandler.java @@ -16,10 +16,8 @@ */ package org.apache.nifi.web.security.oidc.web.authentication; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.util.IdentityMapping; import org.apache.nifi.authorization.util.IdentityMappingUtil; -import org.apache.nifi.idp.IdpType; import org.apache.nifi.web.security.cookie.ApplicationCookieName; import org.apache.nifi.web.security.cookie.ApplicationCookieService; import org.apache.nifi.web.security.cookie.StandardApplicationCookieService; @@ -28,6 +26,8 @@ import org.apache.nifi.web.security.oidc.OidcConfigurationException; import org.apache.nifi.web.security.token.LoginAuthenticationToken; import org.apache.nifi.web.util.RequestUriBuilder; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.OAuth2Token; 
@@ -59,8 +59,6 @@ public class OidcAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc private final BearerTokenProvider bearerTokenProvider; - private final IdpUserGroupService idpUserGroupService; - private final List userIdentityMappings; private final List groupIdentityMappings; @@ -73,7 +71,6 @@ public class OidcAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc * OpenID Connect Authentication Success Handler requires Bearer Token Provider and expiration for generated tokens * * @param bearerTokenProvider Bearer Token Provider - * @param idpUserGroupService User Group Service for persisting groups from the Identity Provider * @param userIdentityMappings User Identity Mappings * @param groupIdentityMappings Group Identity Mappings * @param userClaimNames Claim Names for User Identity @@ -81,14 +78,12 @@ public class OidcAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc */ public OidcAuthenticationSuccessHandler( final BearerTokenProvider bearerTokenProvider, - final IdpUserGroupService idpUserGroupService, final List userIdentityMappings, final List groupIdentityMappings, final List userClaimNames, final String groupsClaimName ) { this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required"); - this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required"); this.userIdentityMappings = Objects.requireNonNull(userIdentityMappings, "User Identity Mappings required"); this.groupIdentityMappings = Objects.requireNonNull(groupIdentityMappings, "Group Identity Mappings required"); this.userClaimNames = Objects.requireNonNull(userClaimNames, "User Claim Names required"); 
@@ -117,17 +112,17 @@ public class OidcAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc
 final OidcUser oidcUser = getOidcUser(authenticationToken);
 final String identity = getIdentity(oidcUser);
 final Set groups = getGroups(oidcUser);
- idpUserGroupService.replaceUserGroups(identity, IdpType.OIDC, groups);
 final OAuth2AccessToken accessToken = getAccessToken(authenticationToken);
- final String bearerToken = getBearerToken(identity, oidcUser, accessToken);
+ final String bearerToken = getBearerToken(identity, oidcUser, accessToken, groups);
 applicationCookieService.addSessionCookie(resourceUri, response, ApplicationCookieName.AUTHORIZATION_BEARER, bearerToken);
 }
- private String getBearerToken(final String identity, final OidcUser oidcUser, final OAuth2AccessToken accessToken) {
+ private String getBearerToken(final String identity, final OidcUser oidcUser, final OAuth2AccessToken accessToken, final Set groups) {
 final long sessionExpiration = getSessionExpiration(accessToken);
 final String issuer = oidcUser.getIssuer().toString();
- final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(identity, identity, sessionExpiration, issuer);
+ final Set authorities = groups.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
+ final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(identity, identity, sessionExpiration, issuer, authorities);
 return bearerTokenProvider.getBearerToken(loginAuthenticationToken);
 }
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java
index 646a5e5ab6..866d0928d4 100644
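Review bot: getBearerToken now copies every mapped Identity Provider group into the bearer token, and the calling method (whose start is outside the hunk) stores that token in the AUTHORIZATION_BEARER session cookie, so the cookie grows with the user's group count and nothing in this hunk bounds it; a user with a large number of groups could presumably produce a token larger than a browser accepts in one cookie, which was not a concern while groups were persisted server-side. The group set is also fixed for the token's lifetime, so membership changes at the Identity Provider only take effect at the next login, and the groups claim is only trustworthy because the token is signed by bearerTokenProvider (outside this hunk). Consider stating both on the method, e.g. `// Groups are embedded as authorities in the signed bearer token: cookie size grows with group count and membership is fixed until the token expires`, and logging the group count at debug level. The same applies to getBearerToken in Saml2AuthenticationSuccessHandler in the later hunk.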
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandler.java
@@ -16,10 +16,8 @@
 */
 package org.apache.nifi.web.security.saml2.web.authentication;
-import org.apache.nifi.admin.service.IdpUserGroupService;
 import org.apache.nifi.authorization.util.IdentityMapping;
 import org.apache.nifi.authorization.util.IdentityMappingUtil;
-import org.apache.nifi.idp.IdpType;
 import org.apache.nifi.web.security.cookie.ApplicationCookieName;
 import org.apache.nifi.web.security.cookie.ApplicationCookieService;
 import org.apache.nifi.web.security.cookie.StandardApplicationCookieService;
@@ -29,6 +27,7 @@ import org.apache.nifi.web.util.RequestUriBuilder;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
@@ -53,8 +52,6 @@ public class Saml2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSu
 private final BearerTokenProvider bearerTokenProvider;
- private final IdpUserGroupService idpUserGroupService;
-
 private final List userIdentityMappings;
 private final List groupIdentityMappings;
@@ -69,7 +66,6 @@ public class Saml2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSu
 * SAML 2 Authentication Success Handler requires Bearer Token Provider and expiration for generated tokens
 *
 * @param bearerTokenProvider Bearer Token Provider
- * @param idpUserGroupService User Group Service for persisting groups from the Identity Provider
 * @param userIdentityMappings User Identity Mappings
 * @param groupIdentityMappings Group Identity Mappings
 * @param expiration Expiration for generated tokens
@@ -77,14 +73,12 @@ public class Saml2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSu
 */
 public Saml2AuthenticationSuccessHandler(
 final BearerTokenProvider bearerTokenProvider,
- final IdpUserGroupService idpUserGroupService,
 final List userIdentityMappings,
 final List groupIdentityMappings,
 final Duration expiration,
 final String issuer
 ) {
 this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required");
- this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required");
 this.userIdentityMappings = Objects.requireNonNull(userIdentityMappings, "User Identity Mappings required");
 this.groupIdentityMappings = Objects.requireNonNull(groupIdentityMappings, "Group Identity Mappings required");
 this.expiration = Objects.requireNonNull(expiration, "Expiration required");
@@ -120,14 +114,14 @@ public class Saml2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSu
 private void processAuthentication(final HttpServletResponse response, final Authentication authentication, final URI resourceUri) {
 final String identity = getIdentity(authentication);
 final Set groups = getGroups(authentication);
- idpUserGroupService.replaceUserGroups(identity, IdpType.SAML, groups);
- final String bearerToken = getBearerToken(identity);
+ final String bearerToken = getBearerToken(identity, groups);
 applicationCookieService.addSessionCookie(resourceUri, response, ApplicationCookieName.AUTHORIZATION_BEARER, bearerToken);
 }
- private String getBearerToken(final String identity) {
- final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(identity, identity, expiration.toMillis(), issuer);
+ private String getBearerToken(final String identity, final Set groups) {
+ final Set authorities = groups.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
+ final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(identity, identity, expiration.toMillis(), issuer, authorities);
 return bearerTokenProvider.getBearerToken(loginAuthenticationToken);
 }
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandler.java
index 052db2d8f1..e7e0e309bc 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandler.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandler.java
@@ -16,7 +16,6 @@
 */
 package org.apache.nifi.web.security.saml2.web.authentication.logout;
-import org.apache.nifi.admin.service.IdpUserGroupService;
 import org.apache.nifi.web.security.cookie.ApplicationCookieName;
 import org.apache.nifi.web.security.cookie.ApplicationCookieService;
 import org.apache.nifi.web.security.cookie.StandardApplicationCookieService;
@@ -47,14 +46,10 @@ public class Saml2LogoutSuccessHandler implements LogoutSuccessHandler {
 private final LogoutRequestManager logoutRequestManager;
- private final IdpUserGroupService idpUserGroupService;
-
 public Saml2LogoutSuccessHandler(
- final LogoutRequestManager logoutRequestManager,
- final IdpUserGroupService idpUserGroupService
+ final LogoutRequestManager logoutRequestManager
 ) {
 this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required");
- this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required");
 }
 /**
@@ -76,8 +71,6 @@ public class Saml2LogoutSuccessHandler implements LogoutSuccessHandler {
 logger.warn("Logout Request [{}] not found", requestIdentifier);
 } else {
 final String mappedUserIdentity = logoutRequest.getMappedUserIdentity();
-
- idpUserGroupService.deleteUserGroups(mappedUserIdentity);
 logger.info("Logout Request [{}] Identity [{}] completed", requestIdentifier, mappedUserIdentity);
 }
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java
index af5fe0f1e3..3cae7b018a 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java @@ -18,7 +18,6 @@ package org.apache.nifi.web.security.jwt.converter; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.PlainJWT; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.AccessPolicyProvider; import org.apache.nifi.authorization.Group; import org.apache.nifi.authorization.ManagedAuthorizer; @@ -26,9 +25,9 @@ import org.apache.nifi.authorization.UserAndGroups; import org.apache.nifi.authorization.UserGroupProvider; import org.apache.nifi.authorization.user.NiFiUser; import org.apache.nifi.authorization.user.NiFiUserDetails; -import org.apache.nifi.idp.IdpUserGroup; import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.util.StringUtils; +import org.apache.nifi.web.security.jwt.provider.SupportedClaim; import org.apache.nifi.web.security.token.NiFiAuthenticationToken; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -39,6 +38,7 @@ import org.springframework.security.oauth2.jwt.Jwt; import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Set; 
@@ -71,16 +71,13 @@ public class StandardJwtAuthenticationConverterTest { @Mock private UserAndGroups userAndGroups; - @Mock - private IdpUserGroupService idpUserGroupService; - private StandardJwtAuthenticationConverter converter; @BeforeEach public void setConverter() { final Map properties = new HashMap<>(); final NiFiProperties niFiProperties = NiFiProperties.createBasicNiFiProperties(StringUtils.EMPTY, properties); - converter = new StandardJwtAuthenticationConverter(authorizer, idpUserGroupService, niFiProperties); + converter = new StandardJwtAuthenticationConverter(authorizer, niFiProperties); when(authorizer.getAccessPolicyProvider()).thenReturn(accessPolicyProvider); when(accessPolicyProvider.getUserGroupProvider()).thenReturn(userGroupProvider); @@ -88,21 +85,21 @@ public class StandardJwtAuthenticationConverterTest { final Group group = new Group.Builder().name(AUTHORIZER_GROUP).identifier(AUTHORIZER_GROUP).build(); when(userAndGroups.getGroups()).thenReturn(Collections.singleton(group)); - - final IdpUserGroup idpUserGroup = new IdpUserGroup(); - idpUserGroup.setGroupName(PROVIDER_GROUP); - when(idpUserGroupService.getUserGroups(eq(USERNAME))).thenReturn(Collections.singletonList(idpUserGroup)); } @Test public void testConvert() { + final List providerGroups = Collections.singletonList(PROVIDER_GROUP); + final JWTClaimsSet claimsSet = new JWTClaimsSet.Builder() .subject(USERNAME) + .claim(SupportedClaim.GROUPS.getClaim(), providerGroups) .build(); final String token = new PlainJWT(claimsSet).serialize(); final Jwt jwt = Jwt.withTokenValue(token) .header(TYPE_FIELD, JWT_TYPE) .subject(USERNAME) + .claim(SupportedClaim.GROUPS.getClaim(), providerGroups) .build(); final NiFiAuthenticationToken authenticationToken = converter.convert(jwt); 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProviderTest.java index da3bb202a4..2e105d3d34 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProviderTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProviderTest.java @@ -27,11 +27,14 @@ import com.nimbusds.jwt.SignedJWT; import org.apache.nifi.web.security.jwt.jws.JwsSignerContainer; import org.apache.nifi.web.security.jwt.jws.JwsSignerProvider; import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; import java.security.KeyPair; import java.security.KeyPairGenerator; @@ -40,9 +43,12 @@ import java.security.interfaces.RSAPublicKey; import java.text.ParseException; import java.time.Duration; import java.time.Instant; +import java.util.Collection; import java.util.Collections; import java.util.Date; +import java.util.List; import java.util.UUID; +import java.util.stream.Collectors; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; 
@@ -71,6 +77,10 @@ public class StandardBearerTokenProviderTest { private static final JWSAlgorithm JWS_ALGORITHM = JWSAlgorithm.PS512; + private static final String GROUP = "ProviderGroup"; + + private static KeyPair keyPair; + @Mock private JwsSignerProvider jwsSignerProvider; 
@@ -78,49 +88,50 @@ public class StandardBearerTokenProviderTest { private JWSVerifier jwsVerifier; - private JWSSigner jwsSigner; - - @BeforeEach - public void setProvider() throws NoSuchAlgorithmException { - provider = new StandardBearerTokenProvider(jwsSignerProvider); - + @BeforeAll + public static void setKeyPair() throws NoSuchAlgorithmException { final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM); keyPairGenerator.initialize(KEY_SIZE); - final KeyPair keyPair = keyPairGenerator.generateKeyPair(); + keyPair = keyPairGenerator.generateKeyPair(); + } + + @BeforeEach + public void setProvider() { + provider = new StandardBearerTokenProvider(jwsSignerProvider); + jwsVerifier = new RSASSAVerifier((RSAPublicKey) keyPair.getPublic()); - jwsSigner = new RSASSASigner(keyPair.getPrivate()); + final JWSSigner jwsSigner = new RSASSASigner(keyPair.getPrivate()); + + final String keyIdentifier = UUID.randomUUID().toString(); + final JwsSignerContainer jwsSignerContainer = new JwsSignerContainer(keyIdentifier, JWS_ALGORITHM, jwsSigner); + when(jwsSignerProvider.getJwsSignerContainer(isA(Instant.class))).thenReturn(jwsSignerContainer); } @Test public void testGetBearerToken() throws ParseException, JOSEException { final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(IDENTITY, USERNAME, EXPIRATION.toMillis(), ISSUER); - setSignerProvider(); final String bearerToken = provider.getBearerToken(loginAuthenticationToken); - final SignedJWT signedJwt = assertTokenVerified(bearerToken); - final JWTClaimsSet claims = signedJwt.getJWTClaimsSet(); - assertNotNull(claims.getIssueTime(), "Issue Time not found"); - assertNotNull(claims.getNotBeforeTime(), "Not Before Time not found"); + assertTokenMatched(bearerToken, loginAuthenticationToken); + } - final Date claimExpirationTime = claims.getExpirationTime(); - assertNotNull(claimExpirationTime, "Expiration Time not found"); + @Test + public void 
testGetBearerTokenGroups() throws ParseException, JOSEException { + final GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(GROUP); + final Collection authorities = Collections.singletonList(grantedAuthority); - final Date loginExpirationTime = new Date(loginAuthenticationToken.getExpiration()); - assertEquals(loginExpirationTime.toString(), claimExpirationTime.toString(), "Expiration Time not matched"); + final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(IDENTITY, USERNAME, EXPIRATION.toMillis(), ISSUER, authorities); - assertEquals(ISSUER, claims.getIssuer()); - assertEquals(Collections.singletonList(ISSUER), claims.getAudience()); - assertEquals(IDENTITY, claims.getSubject()); - assertEquals(USERNAME, claims.getClaim(SupportedClaim.PREFERRED_USERNAME.getClaim())); - assertNotNull("JSON Web Token Identifier not found", claims.getJWTID()); + final String bearerToken = provider.getBearerToken(loginAuthenticationToken); + + assertTokenMatched(bearerToken, loginAuthenticationToken); } @Test public void testGetBearerTokenExpirationMaximum() throws ParseException, JOSEException { final long expiration = MAXIMUM_DURATION_EXCEEDED.toMillis(); final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(IDENTITY, USERNAME, expiration, ISSUER); - setSignerProvider(); final String bearerToken = provider.getBearerToken(loginAuthenticationToken); @@ -139,7 +150,6 @@ public class StandardBearerTokenProviderTest { public void testGetBearerTokenExpirationMinimum() throws ParseException, JOSEException { final long expiration = MINIMUM_DURATION_EXCEEDED.toMillis(); final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(IDENTITY, USERNAME, expiration, ISSUER); - setSignerProvider(); final String bearerToken = provider.getBearerToken(loginAuthenticationToken); 
@@ -154,15 +164,36 @@ public class StandardBearerTokenProviderTest { assertTrue(claimExpirationTime.toInstant().isAfter(loginExpirationTime.toInstant()), "Claim Expiration before Login Expiration"); } - private void setSignerProvider() { - final String keyIdentifier = UUID.randomUUID().toString(); - final JwsSignerContainer jwsSignerContainer = new JwsSignerContainer(keyIdentifier, JWS_ALGORITHM, jwsSigner); - when(jwsSignerProvider.getJwsSignerContainer(isA(Instant.class))).thenReturn(jwsSignerContainer); - } - private SignedJWT assertTokenVerified(final String bearerToken) throws ParseException, JOSEException { final SignedJWT signedJwt = SignedJWT.parse(bearerToken); assertTrue(signedJwt.verify(jwsVerifier), "Verification Failed"); return signedJwt; } + + private void assertTokenMatched(final String bearerToken, final LoginAuthenticationToken loginAuthenticationToken) throws ParseException, JOSEException { + final SignedJWT signedJwt = assertTokenVerified(bearerToken); + final JWTClaimsSet claims = signedJwt.getJWTClaimsSet(); + assertNotNull(claims.getIssueTime(), "Issue Time not found"); + assertNotNull(claims.getNotBeforeTime(), "Not Before Time not found"); + + final Date claimExpirationTime = claims.getExpirationTime(); + assertNotNull(claimExpirationTime, "Expiration Time not found"); + + final Date loginExpirationTime = new Date(loginAuthenticationToken.getExpiration()); + assertEquals(loginExpirationTime.toString(), claimExpirationTime.toString(), "Expiration Time not matched"); + + assertEquals(ISSUER, claims.getIssuer()); + assertEquals(Collections.singletonList(ISSUER), claims.getAudience()); + assertEquals(IDENTITY, claims.getSubject()); + assertEquals(USERNAME, claims.getClaim(SupportedClaim.PREFERRED_USERNAME.getClaim())); + assertNotNull(claims.getJWTID(), "JSON Web Token Identifier not found"); + + final List groups = claims.getStringListClaim(SupportedClaim.GROUPS.getClaim()); + assertNotNull(groups); + + final Collection grantedAuthorities = 
loginAuthenticationToken.getAuthorities(); + final List authorities = grantedAuthorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()); + + assertEquals(authorities, groups); + } } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandlerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandlerTest.java index 9537ca9e60..9b3b82dcb0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandlerTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandlerTest.java @@ -16,7 +16,6 @@ */ package org.apache.nifi.web.security.oidc.logout; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.web.security.cookie.ApplicationCookieName; import org.apache.nifi.web.security.logout.LogoutRequest; import org.apache.nifi.web.security.logout.LogoutRequestManager; @@ -58,7 +57,6 @@ import static org.mockito.ArgumentMatchers.eq; import static org.mockito.ArgumentMatchers.isA; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.verifyNoInteractions; import static org.mockito.Mockito.when; @ExtendWith(MockitoExtension.class) @@ -91,9 +89,6 @@ class OidcLogoutSuccessHandlerTest { private static final String END_SESSION_REDIRECT_URL = String.format("%s?id_token_hint=%s&post_logout_redirect_uri=%s", END_SESSION_URI, ID_TOKEN, REDIRECTED_URL); - @Mock - IdpUserGroupService idpUserGroupService; - @Mock ClientRegistrationRepository clientRegistrationRepository; 
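Review bot: `assertEquals(authorities, groups)` at the end of assertTokenMatched is order-sensitive, yet `getAuthorities()` is a Collection and the handlers build it with `Collectors.toSet()`, so a test with more than one group would fail on ordering rather than on content; comparing `new HashSet<>(authorities)` with `new HashSet<>(groups)` (adding the java.util.HashSet import) checks membership instead. `assertNotNull(groups)` is also reached from testGetBearerToken, whose token carries no authorities, which only holds if the provider always emits the groups claim, even when empty; that looks intentional, but a comment such as `// groups claim is expected even when no authorities were granted` would make the expectation explicit for the next reader.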
@@ -131,7 +126,6 @@ class OidcLogoutSuccessHandlerTest { logoutRequestManager = new LogoutRequestManager(); handler = new OidcLogoutSuccessHandler( logoutRequestManager, - idpUserGroupService, clientRegistrationRepository, authorizedClientRepository, tokenRevocationResponseClient @@ -150,8 +144,6 @@ class OidcLogoutSuccessHandlerTest { final String redirectedUrl = httpServletResponse.getRedirectedUrl(); assertEquals(REDIRECTED_URL, redirectedUrl); - - verifyNoInteractions(idpUserGroupService); } @Test @@ -167,7 +159,6 @@ class OidcLogoutSuccessHandlerTest { final String redirectedUrl = httpServletResponse.getRedirectedUrl(); assertEquals(REDIRECTED_URL, redirectedUrl); - assertUserGroupAuthorizedClientRemoved(); } @Test @@ -184,7 +175,6 @@ class OidcLogoutSuccessHandlerTest { final String redirectedUrl = httpServletResponse.getRedirectedUrl(); assertEquals(REDIRECTED_URL, redirectedUrl); - assertUserGroupAuthorizedClientRemoved(); } @Test @@ -220,7 +210,6 @@ class OidcLogoutSuccessHandlerTest { final String redirectedUrl = httpServletResponse.getRedirectedUrl(); assertEquals(END_SESSION_REDIRECT_URL, redirectedUrl); - assertUserGroupAuthorizedClientRemoved(); verify(authorizedClientRepository).removeAuthorizedClient(eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()), any(), eq(httpServletRequest), eq(httpServletResponse)); verify(tokenRevocationResponseClient, times(2)).getRevocationResponse(revocationRequestCaptor.capture()); @@ -235,10 +224,6 @@ class OidcLogoutSuccessHandlerTest { assertEquals(ACCESS_TOKEN, secondRevocationRequest.getToken()); } - void assertUserGroupAuthorizedClientRemoved() { - verify(idpUserGroupService).deleteUserGroups(eq(USER_IDENTITY)); - } - void setRequestCookie() { final Cookie cookie = new Cookie(ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER.getCookieName(), REQUEST_IDENTIFIER); httpServletRequest.setCookies(cookie); 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandlerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandlerTest.java index 557b79181d..d2bba5c6f0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandlerTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandlerTest.java @@ -16,9 +16,7 @@ */ package org.apache.nifi.web.security.oidc.web.authentication; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.util.IdentityMapping; -import org.apache.nifi.idp.IdpType; import org.apache.nifi.web.security.cookie.ApplicationCookieName; import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider; import org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty; @@ -66,9 +64,6 @@ class OidcAuthenticationSuccessHandlerTest { @Mock BearerTokenProvider bearerTokenProvider; - @Mock - IdpUserGroupService idpUserGroupService; - @Captor ArgumentCaptor authenticationTokenCaptor; @@ -98,12 +93,8 @@ class OidcAuthenticationSuccessHandlerTest { private static final String IDENTITY = Authentication.class.getSimpleName(); - private static final String IDENTITY_UPPER = IDENTITY.toUpperCase(); - private static final String AUTHORITY = GrantedAuthority.class.getSimpleName(); - private static final String AUTHORITY_LOWER = AUTHORITY.toLowerCase(); - private static final String ACCESS_TOKEN = "access-token"; private static final Duration TOKEN_EXPIRATION = Duration.ofHours(1); 
@@ -142,7 +133,6 @@ class OidcAuthenticationSuccessHandlerTest { void setHandler() { handler = new OidcAuthenticationSuccessHandler( bearerTokenProvider, - idpUserGroupService, Collections.singletonList(UPPER_IDENTITY_MAPPING), Collections.singletonList(LOWER_IDENTITY_MAPPING), Collections.singletonList(USER_NAME_CLAIM), @@ -159,7 +149,6 @@ class OidcAuthenticationSuccessHandlerTest { assertTargetUrlEquals(TARGET_URL); assertBearerCookieAdded(ROOT_PATH); - assertReplaceUserGroupsInvoked(); } @Test @@ -172,11 +161,6 @@ class OidcAuthenticationSuccessHandlerTest { assertTargetUrlEquals(FORWARDED_TARGET_URL); assertBearerCookieAdded(FORWARDED_COOKIE_PATH); - assertReplaceUserGroupsInvoked(); - } - - void assertReplaceUserGroupsInvoked() { - verify(idpUserGroupService).replaceUserGroups(eq(IDENTITY_UPPER), eq(IdpType.OIDC), eq(Collections.singleton(AUTHORITY_LOWER))); } void assertTargetUrlEquals(final String expectedTargetUrl) { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandlerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandlerTest.java index 0b0f72ab6d..17e7abb793 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandlerTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/Saml2AuthenticationSuccessHandlerTest.java 
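Review bot: Removing assertReplaceUserGroupsInvoked along with IDENTITY_UPPER and AUTHORITY_LOWER leaves the two tests that call assertBearerCookieAdded (their bodies start outside these hunks) with no check that the mapped group reaches the bearer token, although authenticationTokenCaptor is still declared in the class. The deleted verification can be replaced by capturing the token handed to bearerTokenProvider, e.g. `verify(bearerTokenProvider).getBearerToken(authenticationTokenCaptor.capture());` followed by `assertEquals(Collections.singleton(new SimpleGrantedAuthority(AUTHORITY_LOWER)), new HashSet<>(authenticationTokenCaptor.getValue().getAuthorities()));`, keeping the AUTHORITY_LOWER constant and importing java.util.HashSet. The captor's element type is not visible here, so whether it already captures LoginAuthenticationToken should be confirmed. The same gap applies to Saml2AuthenticationSuccessHandlerTest in the later hunks, where the `verify` and `eq` static imports were also removed.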
@@ -16,9 +16,7 @@ */ package org.apache.nifi.web.security.saml2.web.authentication; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.authorization.util.IdentityMapping; -import org.apache.nifi.idp.IdpType; import org.apache.nifi.web.security.cookie.ApplicationCookieName; import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider; import org.apache.nifi.web.util.WebUtils; @@ -41,8 +39,6 @@ import java.util.regex.Pattern; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.Mockito.verify; @ExtendWith(MockitoExtension.class) class Saml2AuthenticationSuccessHandlerTest { @@ -52,12 +48,8 @@ class Saml2AuthenticationSuccessHandlerTest { private static final String IDENTITY = Authentication.class.getSimpleName(); - private static final String IDENTITY_UPPER = IDENTITY.toUpperCase(); - private static final String AUTHORITY = GrantedAuthority.class.getSimpleName(); - private static final String AUTHORITY_LOWER = AUTHORITY.toLowerCase(); - private static final String REQUEST_URI = "/nifi-api"; private static final String UI_PATH = "/nifi/"; @@ -99,9 +91,6 @@ class Saml2AuthenticationSuccessHandlerTest { @Mock BearerTokenProvider bearerTokenProvider; - @Mock - IdpUserGroupService idpUserGroupService; - MockHttpServletRequest httpServletRequest; MockHttpServletResponse httpServletResponse; @@ -112,7 +101,6 @@ class Saml2AuthenticationSuccessHandlerTest { void setHandler() { handler = new Saml2AuthenticationSuccessHandler( bearerTokenProvider, - idpUserGroupService, Collections.singletonList(UPPER_IDENTITY_MAPPING), Collections.singletonList(LOWER_IDENTITY_MAPPING), EXPIRATION, @@ -129,7 +117,6 @@ class Saml2AuthenticationSuccessHandlerTest { assertTargetUrlEquals(TARGET_URL); assertBearerCookieAdded(ROOT_PATH); - assertReplaceUserGroupsInvoked(); } @Test 
@@ -142,11 +129,6 @@ class Saml2AuthenticationSuccessHandlerTest { assertTargetUrlEquals(FORWARDED_TARGET_URL); assertBearerCookieAdded(FORWARDED_COOKIE_PATH); - assertReplaceUserGroupsInvoked(); - } - - void assertReplaceUserGroupsInvoked() { - verify(idpUserGroupService).replaceUserGroups(eq(IDENTITY_UPPER), eq(IdpType.SAML), eq(Collections.singleton(AUTHORITY_LOWER))); } void assertTargetUrlEquals(final String expectedTargetUrl) { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandlerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandlerTest.java index ab346ad9f4..0c29c6cd11 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandlerTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/saml2/web/authentication/logout/Saml2LogoutSuccessHandlerTest.java @@ -16,7 +16,6 @@ */ package org.apache.nifi.web.security.saml2.web.authentication.logout; -import org.apache.nifi.admin.service.IdpUserGroupService; import org.apache.nifi.web.security.cookie.ApplicationCookieName; import org.apache.nifi.web.security.logout.LogoutRequest; import org.apache.nifi.web.security.logout.LogoutRequestManager; @@ -34,9 +33,6 @@ import java.io.IOException; import java.util.UUID; import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.verifyNoInteractions; @ExtendWith(MockitoExtension.class) class Saml2LogoutSuccessHandlerTest { 
@@ -50,9 +46,6 @@ class Saml2LogoutSuccessHandlerTest { private static final String REDIRECTED_URL = "http://localhost:8080/nifi/logout-complete"; - @Mock - IdpUserGroupService idpUserGroupService; - @Mock Authentication authentication; @@ -67,7 +60,7 @@ class Saml2LogoutSuccessHandlerTest { @BeforeEach void setHandler() { logoutRequestManager = new LogoutRequestManager(); - handler = new Saml2LogoutSuccessHandler(logoutRequestManager, idpUserGroupService); + handler = new Saml2LogoutSuccessHandler(logoutRequestManager); httpServletRequest = new MockHttpServletRequest(); httpServletRequest.setServerPort(SERVER_PORT); httpServletResponse = new MockHttpServletResponse(); @@ -84,8 +77,6 @@ class Saml2LogoutSuccessHandlerTest { final String redirectedUrl = httpServletResponse.getRedirectedUrl(); assertEquals(REDIRECTED_URL, redirectedUrl); - - verifyNoInteractions(idpUserGroupService); } @Test @@ -102,6 +93,5 @@ class Saml2LogoutSuccessHandlerTest { final String redirectedUrl = httpServletResponse.getRedirectedUrl(); assertEquals(REDIRECTED_URL, redirectedUrl); - verify(idpUserGroupService).deleteUserGroups(eq(USER_IDENTITY)); } }