NIFI-655:

- Adding a few new exceptions for the login identity provider.

nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java

@@ -16,6 +16,7 @@
  */
 package org.apache.nifi.authentication;
 
+import org.apache.nifi.authentication.exception.IdentityAccessException;
 import org.apache.nifi.authorization.exception.IdentityAlreadyExistsException;
 import org.apache.nifi.authorization.exception.ProviderCreationException;
 import org.apache.nifi.authorization.exception.ProviderDestructionException;
@@ -37,7 +38,7 @@ public interface LoginIdentityProvider {
      *
      * @param credentials the login credentials
      */
-    void register(LoginCredentials credentials) throws IdentityAlreadyExistsException;
+    void register(LoginCredentials credentials) throws IdentityAlreadyExistsException, IdentityAccessException;
 
     /**
      * Authenticates the specified login credentials.
@@ -45,7 +46,7 @@ public interface LoginIdentityProvider {
      * @param credentials the credentials
      * @return whether the user was authenticated
      */
-    boolean authenticate(LoginCredentials credentials);
+    boolean authenticate(LoginCredentials credentials) throws IdentityAccessException;
 
     /**
      * Called immediately after instance creation for implementers to perform additional setup

nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityAccessException.java

@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the case when the identity could not be confirmed because it was unable
+ * to access the backing store.
+ */
+public class IdentityAccessException extends RuntimeException {
+
+    public IdentityAccessException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public IdentityAccessException(String message) {
+        super(message);
+    }
+
+}

nifi-api/src/main/java/org/apache/nifi/authentication/exception/IdentityRegistrationException.java

@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the case when the identity could not be registered for some reason.
+ * Like the credentials did not meet the minimum requirements
+ */
+public class IdentityRegistrationException extends RuntimeException {
+
+    public IdentityRegistrationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public IdentityRegistrationException(String message) {
+        super(message);
+    }
+
+}

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorized-users/src/main/java/org/apache/nifi/authorized/users/AuthorizedUsers.java

@@ -123,6 +123,12 @@ public final class AuthorizedUsers {
         return authorizedUsers;
     }
 
+    /**
+     * Gets the user identity.
+     * 
+     * @param user  The user
+     * @return      The user identity
+     */
     public String getUserIdentity(final NiFiUser user) {
         if (User.class.isAssignableFrom(user.getClass())) {
             return ((User) user).getDn();
@@ -131,6 +137,11 @@ public final class AuthorizedUsers {
         }
     }
 
+    /**
+     * Gets all users from configured file.
+     * 
+     * @return The Users
+     */
     public synchronized Users getUsers() {
         try {
             // ensure the directory exists and it can be created
@@ -152,6 +163,12 @@ public final class AuthorizedUsers {
         }
     }
 
+    /**
+     * Determines if a user exists through the specified HasUser.
+     * 
+     * @param finder    The finder
+     * @return          Whether the user exists
+     */
     public synchronized boolean hasUser(final HasUser finder) {
         // load the users
         final Users users = getUsers();
@@ -165,6 +182,13 @@ public final class AuthorizedUsers {
         return finder.hasUser(nifiUsers);
     }
 
+    /**
+     * Gets the desired user.
+     * 
+     * @param finder    The finder
+     * @return          The NiFiUser
+     * @throws UnknownIdentityException If the desired user could not be found
+     */
     public synchronized NiFiUser getUser(final FindUser finder) {
         // load the users
         final Users users = getUsers();
@@ -178,6 +202,13 @@ public final class AuthorizedUsers {
         return finder.findUser(nifiUsers);
     }
 
+    /**
+     * Gets the desired users.
+     * 
+     * @param finder    The finder
+     * @return          The NiFiUsers
+     * @throws UnknownIdentityException If the users could not be found
+     */
     public synchronized List<NiFiUser> getUsers(final FindUsers finder) {
         // load the users
         final Users users = getUsers();
@@ -191,6 +222,11 @@ public final class AuthorizedUsers {
         return finder.findUsers(nifiUsers);
     }
 
+    /**
+     * Creates the user via the specified CreateUser.
+     * 
+     * @param creator   The creator
+     */
     public synchronized void createUser(final CreateUser creator) {
         // add the user
         final Users users = getUsers();
@@ -207,6 +243,13 @@ public final class AuthorizedUsers {
         saveUsers(users);
     }
 
+    /**
+     * Creates or Updates a user identified by the finder. If the user exists, it's updated otherwise it's created.
+     * 
+     * @param finder    The finder
+     * @param creator   The creator
+     * @param updater   The updater
+     */
     public synchronized void createOrUpdateUser(final FindUser finder, final CreateUser creator, final UpdateUser updater) {
         try {
             updateUser(finder, updater);
@@ -215,6 +258,12 @@ public final class AuthorizedUsers {
         }
     }
 
+    /**
+     * Updates the user identified by the finder.
+     * 
+     * @param finder    The finder
+     * @param updater   The updater
+     */
     public synchronized void updateUser(final FindUser finder, final UpdateUser updater) {
         // update the user
         final Users users = getUsers();
@@ -234,6 +283,12 @@ public final class AuthorizedUsers {
         saveUsers(users);
     }
 
+    /**
+     * Updates the users identified by the finder.
+     * 
+     * @param finder    The finder
+     * @param updater   The updater
+     */
     public synchronized void updateUsers(final FindUsers finder, final UpdateUsers updater) {
         // update the user
         final Users users = getUsers();
@@ -252,7 +307,12 @@ public final class AuthorizedUsers {
         saveUsers(users);
     }
 
-    public synchronized Users removeUser(final FindUser finder) {
+    /**
+     * Removes the user identified by the finder.
+     * 
+     * @param finder    The finder
+     */
+    public synchronized void removeUser(final FindUser finder) {
         // load the users
         final Users users = getUsers();
 
@@ -271,11 +331,14 @@ public final class AuthorizedUsers {
 
         // save the users
         saveUsers(users);
-
-        return users;
     }
 
-    public synchronized Users removeUsers(final FindUsers finder) {
+    /**
+     * Removes the users identified by the finder.
+     * 
+     * @param finder    The finder
+     */
+    public synchronized void removeUsers(final FindUsers finder) {
         // load the users
         final Users users = getUsers();
 
@@ -296,8 +359,6 @@ public final class AuthorizedUsers {
 
         // save the users
         saveUsers(users);
-
-        return users;
     }
 
     private synchronized void saveUsers(final Users users) {

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java

@@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.nifi.authentication.LoginCredentials;
 import org.apache.nifi.authentication.LoginIdentityProvider;
+import org.apache.nifi.authentication.exception.IdentityAccessException;
 import org.apache.nifi.util.StringUtils;
 import org.apache.nifi.web.security.ProxiedEntitiesUtils;
 import org.apache.nifi.web.security.jwt.JwtService;
@@ -38,6 +39,7 @@ import org.apache.nifi.web.security.x509.X509CertificateValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -139,10 +141,14 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF
                 throw new BadCredentialsException("Login not supported.");
             }
 
-            if (loginIdentityProvider.authenticate(credentials)) {
+            try {
-                return new LoginAuthenticationToken(credentials);
+                if (loginIdentityProvider.authenticate(credentials)) {
-            } else {
+                    return new LoginAuthenticationToken(credentials);
-                throw new BadCredentialsException("The supplied username and password are not valid.");
+                } else {
+                    throw new BadCredentialsException("The supplied username and password are not valid.");
+                }
+            } catch (final IdentityAccessException iae) {
+                throw new AuthenticationServiceException(iae.getMessage(), iae);
             }
         }
     }
@@ -196,6 +202,8 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF
 
         if (failed instanceof BadCredentialsException || failed instanceof AuthenticationCredentialsNotFoundException) {
             response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+        } else if (failed instanceof AuthenticationServiceException) {
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
         } else {
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
         }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/RegistrationFilter.java

@@ -29,6 +29,7 @@ import org.apache.nifi.admin.service.AdministrationException;
 import org.apache.nifi.admin.service.UserService;
 import org.apache.nifi.authentication.LoginCredentials;
 import org.apache.nifi.authentication.LoginIdentityProvider;
+import org.apache.nifi.authentication.exception.IdentityAccessException;
 import org.apache.nifi.authorization.exception.IdentityAlreadyExistsException;
 import org.apache.nifi.util.StringUtils;
 import org.apache.nifi.web.security.jwt.JwtService;
@@ -79,6 +80,8 @@ public class RegistrationFilter extends AbstractAuthenticationProcessingFilter {
                 loginIdentityProvider.register(credentials);
             } catch (final IdentityAlreadyExistsException iaee) {
                 // if the identity already exists, try to create the nifi account request
+            } catch (final IdentityAccessException iae) {
+                throw new AuthenticationServiceException(iae.getMessage(), iae);
             }
 
             try {