From 64beeef5937e972c502888abc84adf1328295d04 Mon Sep 17 00:00:00 2001
From: Matt Gilman
Date: Fri, 27 Nov 2015 14:13:40 -0500
Subject: [PATCH] NIFI-655: - Ensuring anonymous user label and login links are rendered when appropriate. - Ensuring responses are accurate when making requests with a token when user log in is not supported.
---
 .../web/NiFiWebApiSecurityConfiguration.java | 15 ++++-----
 .../apache/nifi/web/api/AccessResource.java | 5 +++
 .../security/jwt/JwtAuthenticationFilter.java | 4 +++
 .../src/main/webapp/css/header.css | 1 +
 .../webapp/js/nf/canvas/nf-canvas-header.js | 31 +++++++++----------
 .../src/main/webapp/js/nf/login/nf-login.js | 2 +-
 6 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
index 73e964083e..0680b7491f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@@ -93,10 +93,8 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
 // x509
 http.addFilterAfter(x509FilterBean(), AnonymousAuthenticationFilter.class);
- // jwt - consider when configured for log in
- if (loginIdentityProvider != null) {
- http.addFilterAfter(jwtFilterBean(), AnonymousAuthenticationFilter.class);
- }
+ // jwt
+ http.addFilterAfter(jwtFilterBean(), AnonymousAuthenticationFilter.class);
 }
 @Bean
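Review bot: The new `// jwt` comment above the now-unconditional `http.addFilterAfter(jwtFilterBean(), AnonymousAuthenticationFilter.class);` no longer says why the filter is registered on instances that have no login identity provider. Going by the other hunks of this patch, the filter is always in the chain and, when `jwtFilterBean()` leaves the JWT service unset, it rejects requests that carry an Authorization header instead of validating a token. I would spell that out here, e.g. `// jwt - always registered; without a login identity provider the filter has no JwtService and rejects requests that present a token`, and put a matching line on the `if (loginIdentityProvider != null)` guard in the jwtFilterBean hunk. The enclosing configuration method starts outside this hunk.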
@@ -124,12 +122,15 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
 @Bean
 public JwtAuthenticationFilter jwtFilterBean() throws Exception {
- // only consider the jwt authentication filter when configured for login
- if (jwtAuthenticationFilter == null && loginIdentityProvider != null) {
+ if (jwtAuthenticationFilter == null) {
 jwtAuthenticationFilter = new JwtAuthenticationFilter();
 jwtAuthenticationFilter.setProperties(properties);
- jwtAuthenticationFilter.setJwtService(jwtService);
 jwtAuthenticationFilter.setAuthenticationManager(authenticationManager());
+
+ // only consider the tokens when configured for login
+ if (loginIdentityProvider != null) {
+ jwtAuthenticationFilter.setJwtService(jwtService);
+ }
 }
 return jwtAuthenticationFilter;
 }
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
index 326aa00efc..f2b23c298b 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@@ -190,6 +190,11 @@ public class AccessResource extends ApplicationResource {
 accessStatus.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
 accessStatus.setMessage("No credentials supplied, unknown user.");
 } else {
+ // not currently configured for username/password login, don't accept existing tokens
+ if (loginIdentityProvider == null) {
+ throw new IllegalStateException("This NiFi is not configured to support username/password logins.");
+ }
+
 try {
 // Extract the Base64 encoded token from the Authorization header
 final String token = StringUtils.substringAfterLast(authorization, " ");
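Review bot: In AccessResource, throwing `IllegalStateException` from the `else` branch answers a client-supplied Authorization header with whatever status the application's exception mapping assigns to that type, whereas the sibling branch just above reports its condition through `accessStatus.setStatus(...)` and `accessStatus.setMessage(...)`. The mapping is not visible here, so it is worth confirming that the response tells a caller holding a stale token to discard it rather than reading as a server fault. A comment on the guard such as `// surfaces as <status> via the exception mapper; clients should drop the stored token` would document the contract, where `<status>` is a placeholder to be filled in from the mapper. The enclosing method starts and ends outside the hunk.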
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
index 20675fbd2e..246cbd7f06 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
@@ -56,6 +56,10 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
 if (authorization == null) {
 return null;
 } else {
+ if (jwtService == null) {
+ throw new InvalidAuthenticationException("NiFi is not configured to support username/password logins.");
+ }
+
 // Extract the Base64 encoded token from the Authorization header
 final String token = StringUtils.substringAfterLast(authorization, " ");
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
index e0f8347e56..200f6bb705 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/header.css
@@ -521,6 +521,7 @@ div.search-glass-pane {
 font-weight: bold;
 max-width: 250px;
 text-overflow: ellipsis;
+ line-height: normal;
 overflow: hidden;
 }
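Review bot: In JwtAuthenticationFilter, the new `jwtService == null` guard runs for every request whose Authorization header is non-null, before anything in the visible lines inspects what the header contains. On an instance without username/password login, a client that authenticates another way but still sends an Authorization header (for example one added by an intermediary) would get `InvalidAuthenticationException` rather than the `return null` fall-through to the other filters; whether that path is reachable depends on filter ordering and on code outside this hunk. Failing closed is the safer default, but the scope deserves a comment on the guard, e.g. `// login not configured: any Authorization header is rejected, not only well-formed tokens`, or a check of the expected header format before throwing. The enclosing method starts and ends outside the hunk.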
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas-header.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas-header.js
index 7d635349c8..09cf3c569a 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas-header.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas-header.js
@@ -141,28 +141,27 @@ nf.CanvasHeader = (function () {
 nf.Shell.showPage(config.urls.helpDocument);
 });
- // show the login link if supported and user is currently anonymous
- var isAnonymous = $('#current-user').text() === nf.Common.ANONYMOUS_USER_TEXT;
- if (supportsLogin === true && isAnonymous) {
- // login link
- $('#login-link').click(function () {
- nf.Shell.showPage('login', false);
- });
- } else {
- $('#login-link-container').css('display', 'none');
- }
-
- // if login is not supported, don't show the current user
- if (supportsLogin === false) {
- $('#current-user-container').css('display', 'none');
- }
-
+ // login link
+ $('#login-link').click(function () {
+ nf.Shell.showPage('login', false);
+ });
+
 // logout link
 $('#logout-link').click(function () {
 nf.Storage.removeItem("jwt");
 window.location = '/nifi';
 });
+ // if the user is not anonymous or accessing via http
+ if ($('#current-user').text() !== nf.Common.ANONYMOUS_USER_TEXT || location.protocol === 'http:') {
+ $('#login-link-container').css('display', 'none');
+ }
+
+ // if accessing via http, don't show the current user
+ if (location.protocol === 'http:') {
+ $('#current-user-container').css('display', 'none');
+ }
+
 // initialize the new template dialog
 $('#new-template-dialog').modal({
 headerText: 'Create Template',
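Review bot: Visibility of the login link and the current-user label is now derived from `location.protocol === 'http:'`, evaluated twice, instead of the server-reported `supportsLogin` flag the removed lines used. The protocol the browser sees is only a stand-in for the server's configuration (a TLS-terminating front end changes it), so the comments should say this is a display decision and that the server remains the enforcement point; nf-login.js in this same patch still consults `accessConfig.supportsLogin`. I would hoist the test, `var isHttp = location.protocol === 'http:';`, and reuse it in both conditions. If `supportsLogin` is a parameter of the enclosing function, which starts outside the hunk, it may now be unused.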
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/login/nf-login.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/login/nf-login.js
index f2c9d2acd0..697794ca97 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/login/nf-login.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/login/nf-login.js
@@ -285,7 +285,7 @@ nf.Login = (function () {
 // if login is required, verify its supported
 if (accessConfig.supportsLogin === false && needsLogin === true) {
 $('#login-message-title').text('Access Denied');
- $('#login-message').text('This NiFi is not configured to support login.');
+ $('#login-message').text('This NiFi is not configured to support username/password logins.');
 showMessage = true;
 needsLogin = false;
 }