NIFI-655:

- Starting to implement the JWT service.
- Parsing JWT on client side in order to render who the user currently is when logged in.
This commit is contained in:
Matt Gilman 2015-11-05 18:26:00 -05:00
parent 93aa09dace
commit b6d09b86b6
18 changed files with 525 additions and 217 deletions

22
LICENSE
View File

@ -374,6 +374,28 @@ For details see http://jqueryui.com
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This product bundles 'jquery.base64.js' which is available under an MIT style license.
Copyright (c) 2013 Yannick Albert (http://yckart.com/)
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This product bundles 'SlickGrid v2.2' which is available under an MIT style license. This product bundles 'SlickGrid v2.2' which is available under an MIT style license.
Copyright (c) 2010 Michael Leibman, http://github.com/mleibman/slickgrid Copyright (c) 2010 Michael Leibman, http://github.com/mleibman/slickgrid

View File

@ -374,6 +374,28 @@ For details see http://jqueryui.com
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This product bundles 'jquery.base64.js' which is available under an MIT style license.
Copyright (c) 2013 Yannick Albert (http://yckart.com/)
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This product bundles 'SlickGrid v2.2' which is available under an MIT style license. This product bundles 'SlickGrid v2.2' which is available under an MIT style license.
Copyright (c) 2010 Michael Leibman, http://github.com/mleibman/slickgrid Copyright (c) 2010 Michael Leibman, http://github.com/mleibman/slickgrid

View File

@ -77,6 +77,11 @@
<groupId>org.apache.nifi</groupId> <groupId>org.apache.nifi</groupId>
<artifactId>nifi-framework-core</artifactId> <artifactId>nifi-framework-core</artifactId>
</dependency> </dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.6.0</version>
</dependency>
<dependency> <dependency>
<groupId>org.bouncycastle</groupId> <groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk16</artifactId> <artifactId>bcprov-jdk16</artifactId>

View File

@ -98,7 +98,7 @@ public class RegistrationStatusFilter extends AbstractAuthenticationProcessingFi
return new RegistrationStatusAuthenticationToken(tokenCredentials); return new RegistrationStatusAuthenticationToken(tokenCredentials);
} else { } else {
// we have a certificate so let's consider a proxy chain // we have a certificate so let's consider a proxy chain
final String principal = extractPrincipal(certificate); final String principal = principalExtractor.extractPrincipal(certificate).toString();
try { try {
// validate the certificate // validate the certificate
@ -144,12 +144,6 @@ public class RegistrationStatusFilter extends AbstractAuthenticationProcessingFi
userDetailsService.loadUserDetails(new NiFiAuthenticationRequestToken(proxyChain)); userDetailsService.loadUserDetails(new NiFiAuthenticationRequestToken(proxyChain));
} }
private String extractPrincipal(final X509Certificate certificate) {
// extract the principal
final Object certificatePrincipal = principalExtractor.extractPrincipal(certificate);
return ProxiedEntitiesUtils.formatProxyDn(certificatePrincipal.toString());
}
@Override @Override
protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain, final Authentication authentication) protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain, final Authentication authentication)
throws IOException, ServletException { throws IOException, ServletException {

View File

@ -44,7 +44,6 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor; import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
/** /**
@ -97,7 +96,7 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF
return new LoginAuthenticationToken(tokenCredentials); return new LoginAuthenticationToken(tokenCredentials);
} else { } else {
// extract the principal // extract the principal
final String principal = extractPrincipal(certificate); final String principal = principalExtractor.extractPrincipal(certificate).toString();
try { try {
certificateValidator.validateClientCertificate(request, certificate); certificateValidator.validateClientCertificate(request, certificate);
@ -151,16 +150,14 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF
} catch (final UsernameNotFoundException unfe) { } catch (final UsernameNotFoundException unfe) {
// if a username not found exception was thrown, the proxies were authorized and now // if a username not found exception was thrown, the proxies were authorized and now
// we can issue a new ID token to the end user // we can issue a new ID token to the end user
} catch (final Exception e) {
// any other issue we're going to treat as an authentication exception which will return 401
throw new AuthenticationException(e.getMessage(), e) {
};
} }
} }
} }
private String extractPrincipal(final X509Certificate certificate) {
// extract the principal
final Object certificatePrincipal = principalExtractor.extractPrincipal(certificate);
return ProxiedEntitiesUtils.formatProxyDn(certificatePrincipal.toString());
}
private LoginCredentials getLoginCredentials(HttpServletRequest request) { private LoginCredentials getLoginCredentials(HttpServletRequest request) {
final String username = request.getParameter("username"); final String username = request.getParameter("username");
final String password = request.getParameter("password"); final String password = request.getParameter("password");
@ -178,11 +175,6 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF
// generate JWT for response // generate JWT for response
jwtService.addToken(response, authentication); jwtService.addToken(response, authentication);
// mark as successful
response.setStatus(HttpServletResponse.SC_CREATED);
response.setContentType("text/plain");
response.setContentLength(0);
} }
@Override @Override

View File

@ -16,9 +16,22 @@
*/ */
package org.apache.nifi.web.security.jwt; package org.apache.nifi.web.security.jwt;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.impl.TextCodec;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Calendar;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.util.NiFiProperties;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
/** /**
@ -28,6 +41,16 @@ public class JwtService {
private final static String AUTHORIZATION = "Authorization"; private final static String AUTHORIZATION = "Authorization";
private final String key;
private final Integer expires;
public JwtService(final NiFiProperties properties) {
// TODO - load key (and algo/provider?) and expiration from properties
key = TextCodec.BASE64.encode("nififtw!");
expires = 1;
}
/** /**
* Gets the Authentication by extracting a JWT token from the specified request. * Gets the Authentication by extracting a JWT token from the specified request.
* *
@ -35,12 +58,16 @@ public class JwtService {
* @return The user identifier from the token * @return The user identifier from the token
*/ */
public String getAuthentication(final HttpServletRequest request) { public String getAuthentication(final HttpServletRequest request) {
// TODO : actually extract/verify token
// extract/verify token from incoming request // extract/verify token from incoming request
final String authorization = request.getHeader(AUTHORIZATION); final String authorization = request.getHeader(AUTHORIZATION);
final String username = StringUtils.substringAfterLast(authorization, " "); final String token = StringUtils.substringAfterLast(authorization, " ");
return username;
try {
final Jws<Claims> jwt = Jwts.parser().setSigningKey(key).parseClaimsJws(token);
return jwt.getBody().getSubject();
} catch (final MalformedJwtException | UnsupportedJwtException | SignatureException | ExpiredJwtException | IllegalArgumentException e) {
return null;
}
} }
/** /**
@ -48,14 +75,25 @@ public class JwtService {
* *
* @param response The response to add the token to * @param response The response to add the token to
* @param authentication The authentication to generate a token for * @param authentication The authentication to generate a token for
* @throws java.io.IOException if an io exception occurs
*/ */
public void addToken(final HttpServletResponse response, final Authentication authentication) { public void addToken(final HttpServletResponse response, final Authentication authentication) throws IOException {
// TODO : actually create real token... in header or response body? // set expiration to one day from now
final Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.DATE, expires);
// create a token the specified authentication // create a token the specified authentication
String token = authentication.getName(); final String identity = authentication.getPrincipal().toString();
final String username = authentication.getName();
final String token = Jwts.builder().setSubject(identity).claim("preferred_username", username).setExpiration(calendar.getTime()).signWith(SignatureAlgorithm.HS512, key).compact();
// add the token as a response header // add the token as a response header
response.setHeader(AUTHORIZATION, "Bearer " + token); final PrintWriter out = response.getWriter();
out.print(token);
// mark the response as successful
response.setStatus(HttpServletResponse.SC_CREATED);
response.setContentType("text/plain");
} }
} }

View File

@ -17,6 +17,7 @@
package org.apache.nifi.web.security.token; package org.apache.nifi.web.security.token;
import org.apache.nifi.authentication.LoginCredentials; import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.security.util.CertificateUtils;
import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AbstractAuthenticationToken;
/** /**
@ -45,4 +46,11 @@ public class LoginAuthenticationToken extends AbstractAuthenticationToken {
public Object getPrincipal() { public Object getPrincipal() {
return credentials.getUsername(); return credentials.getUsername();
} }
@Override
public String getName() {
// if the username is a DN this will extract the username or CN... if not will return what was passed
return CertificateUtils.extractUsername(credentials.getUsername());
}
} }

View File

@ -40,7 +40,9 @@
</bean> </bean>
<!-- jwt service --> <!-- jwt service -->
<bean id="jwtService" class="org.apache.nifi.web.security.jwt.JwtService"></bean> <bean id="jwtService" class="org.apache.nifi.web.security.jwt.JwtService">
<constructor-arg ref="nifiProperties"/>
</bean>
<!-- login identity provider --> <!-- login identity provider -->
<bean id="loginIdentityProvider" class="org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean"> <bean id="loginIdentityProvider" class="org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean">

View File

@ -351,6 +351,28 @@ For details see http://jqueryui.com
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This product bundles 'jquery.base64.js' which is available under an MIT style license.
Copyright (c) 2013 Yannick Albert (http://yckart.com/)
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This product bundles 'SlickGrid v2.2' which is available under an MIT style license. This product bundles 'SlickGrid v2.2' which is available under an MIT style license.
Copyright (c) 2010 Michael Leibman, http://github.com/mleibman/slickgrid Copyright (c) 2010 Michael Leibman, http://github.com/mleibman/slickgrid

View File

@ -27,6 +27,7 @@
<link rel="stylesheet" href="js/jquery/qtip2/jquery.qtip.min.css?" type="text/css" /> <link rel="stylesheet" href="js/jquery/qtip2/jquery.qtip.min.css?" type="text/css" />
<link rel="stylesheet" href="js/jquery/ui-smoothness/jquery-ui-1.10.4.min.css" type="text/css" /> <link rel="stylesheet" href="js/jquery/ui-smoothness/jquery-ui-1.10.4.min.css" type="text/css" />
<script type="text/javascript" src="js/jquery/jquery-2.1.1.min.js"></script> <script type="text/javascript" src="js/jquery/jquery-2.1.1.min.js"></script>
<script type="text/javascript" src="js/jquery/jquery.base64.js"></script>
<script type="text/javascript" src="js/jquery/jquery.count.js"></script> <script type="text/javascript" src="js/jquery/jquery.count.js"></script>
<script type="text/javascript" src="js/jquery/jquery.center.js"></script> <script type="text/javascript" src="js/jquery/jquery.center.js"></script>
<script type="text/javascript" src="js/jquery/modal/jquery.modal.js?${project.version}"></script> <script type="text/javascript" src="js/jquery/modal/jquery.modal.js?${project.version}"></script>

View File

@ -45,7 +45,9 @@
<div id="header-links-container"> <div id="header-links-container">
<ul> <ul>
<li id="current-user-container"> <li id="current-user-container">
<span id="current-user"></span> <div id="anonymous-user-alert"></div>
<div id="current-user"></div>
<div class="clear"></div>
</li> </li>
<li id="login-link-container"> <li id="login-link-container">
<span id="login-link" class="link">login</span> <span id="login-link" class="link">login</span>

View File

@ -16,7 +16,17 @@
--%> --%>
<%@ page contentType="text/html" pageEncoding="UTF-8" session="false" %> <%@ page contentType="text/html" pageEncoding="UTF-8" session="false" %>
<div id="nifi-registration-container" class="hidden"> <div id="nifi-registration-container" class="hidden">
<div id="nifi-registration-title" class="login-title">Submit Justification</div> <div id="nifi-registration-title" class="login-title nifi-submit-justification">Submit Justification</div>
<div id="nifi-user-submit-justification-container" class="nifi-submit-justification">
<div class="setting">
<div class="setting-name">User</div>
<div class="setting-field">
<div id="nifi-user-submit-justification"></div>
<span id="nifi-user-submit-justification-logout" class="link hidden">logout</span>
<div class="clear"></div>
</div>
</div>
</div>
<div class="setting"> <div class="setting">
<div class="setting-name">Justification</div> <div class="setting-name">Justification</div>
<div class="setting-field"> <div class="setting-field">

View File

@ -506,7 +506,17 @@ div.search-glass-pane {
/* styles for the status link */ /* styles for the status link */
#anonymous-user-alert {
float: left;
margin-top: -2px;
margin-right: 6px;
width: 18px;
height: 16px;
background-image: url(../images/iconAlert.png);
}
#current-user { #current-user {
float: left;
margin-right: 8px; margin-right: 8px;
font-weight: bold; font-weight: bold;
} }

View File

@ -73,10 +73,24 @@ body.login-body input, body.login-body textarea {
*/ */
#nifi-registration-container { #nifi-registration-container {
margin-top: 10px;
width: 412px; width: 412px;
} }
#nifi-user-submit-justification-container {
margin-bottom: 10px;
}
#nifi-user-submit-justification {
float: left;
font-weight: bold;
}
#nifi-user-submit-justification-logout {
margin-left: 10px;
float: left;
text-decoration: underline;
}
#nifi-registration-justification { #nifi-registration-justification {
height: 200px; height: 200px;
} }

View File

@ -0,0 +1,123 @@
/*!
* jquery.base64.js 0.0.3 - https://github.com/yckart/jquery.base64.js
* Makes Base64 en & -decoding simpler as it is.
*
* Based upon: https://gist.github.com/Yaffle/1284012
*
* Copyright (c) 2012 Yannick Albert (http://yckart.com)
* Licensed under the MIT license (http://www.opensource.org/licenses/mit-license.php).
* 2013/02/10
**/
;(function($) {
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
a256 = '',
r64 = [256],
r256 = [256],
i = 0;
var UTF8 = {
/**
* Encode multi-byte Unicode string into utf-8 multiple single-byte characters
* (BMP / basic multilingual plane only)
*
* Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
*
* @param {String} strUni Unicode string to be encoded as UTF-8
* @returns {String} encoded string
*/
encode: function(strUni) {
// use regular expressions & String.replace callback function for better efficiency
// than procedural approaches
var strUtf = strUni.replace(/[\u0080-\u07ff]/g, // U+0080 - U+07FF => 2 bytes 110yyyyy, 10zzzzzz
function(c) {
var cc = c.charCodeAt(0);
return String.fromCharCode(0xc0 | cc >> 6, 0x80 | cc & 0x3f);
})
.replace(/[\u0800-\uffff]/g, // U+0800 - U+FFFF => 3 bytes 1110xxxx, 10yyyyyy, 10zzzzzz
function(c) {
var cc = c.charCodeAt(0);
return String.fromCharCode(0xe0 | cc >> 12, 0x80 | cc >> 6 & 0x3F, 0x80 | cc & 0x3f);
});
return strUtf;
},
/**
* Decode utf-8 encoded string back into multi-byte Unicode characters
*
* @param {String} strUtf UTF-8 string to be decoded back to Unicode
* @returns {String} decoded string
*/
decode: function(strUtf) {
// note: decode 3-byte chars first as decoded 2-byte strings could appear to be 3-byte char!
var strUni = strUtf.replace(/[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g, // 3-byte chars
function(c) { // (note parentheses for precence)
var cc = ((c.charCodeAt(0) & 0x0f) << 12) | ((c.charCodeAt(1) & 0x3f) << 6) | (c.charCodeAt(2) & 0x3f);
return String.fromCharCode(cc);
})
.replace(/[\u00c0-\u00df][\u0080-\u00bf]/g, // 2-byte chars
function(c) { // (note parentheses for precence)
var cc = (c.charCodeAt(0) & 0x1f) << 6 | c.charCodeAt(1) & 0x3f;
return String.fromCharCode(cc);
});
return strUni;
}
};
while(i < 256) {
var c = String.fromCharCode(i);
a256 += c;
r256[i] = i;
r64[i] = b64.indexOf(c);
++i;
}
function code(s, discard, alpha, beta, w1, w2) {
s = String(s);
var buffer = 0,
i = 0,
length = s.length,
result = '',
bitsInBuffer = 0;
while(i < length) {
var c = s.charCodeAt(i);
c = c < 256 ? alpha[c] : -1;
buffer = (buffer << w1) + c;
bitsInBuffer += w1;
while(bitsInBuffer >= w2) {
bitsInBuffer -= w2;
var tmp = buffer >> bitsInBuffer;
result += beta.charAt(tmp);
buffer ^= tmp << bitsInBuffer;
}
++i;
}
if(!discard && bitsInBuffer > 0) result += beta.charAt(buffer << (w2 - bitsInBuffer));
return result;
}
var Plugin = $.base64 = function(dir, input, encode) {
return input ? Plugin[dir](input, encode) : dir ? null : this;
};
Plugin.btoa = Plugin.encode = function(plain, utf8encode) {
plain = Plugin.raw === false || Plugin.utf8encode || utf8encode ? UTF8.encode(plain) : plain;
plain = code(plain, false, r256, b64, 8, 6);
return plain + '===='.slice((plain.length % 4) || 4);
};
Plugin.atob = Plugin.decode = function(coded, utf8decode) {
coded = coded.replace(/[^A-Za-z0-9\+\/\=]/g, "");
coded = String(coded).split('=');
var i = coded.length;
do {--i;
coded[i] = code(coded[i], true, r64, a256, 6, 8);
} while (i > 0);
coded = coded.join('');
return Plugin.raw === false || Plugin.utf8decode || utf8decode ? UTF8.decode(coded) : coded;
};
}(jQuery));

View File

@ -64,7 +64,6 @@ nf.Canvas = (function () {
bulletinBoard: '../nifi-api/controller/bulletin-board', bulletinBoard: '../nifi-api/controller/bulletin-board',
banners: '../nifi-api/controller/banners', banners: '../nifi-api/controller/banners',
controller: '../nifi-api/controller', controller: '../nifi-api/controller',
token: '../nifi-api/token',
controllerConfig: '../nifi-api/controller/config', controllerConfig: '../nifi-api/controller/config',
loginConfig: '../nifi-api/controller/login/config', loginConfig: '../nifi-api/controller/login/config',
cluster: '../nifi-api/cluster', cluster: '../nifi-api/cluster',
@ -405,101 +404,101 @@ nf.Canvas = (function () {
d3.event.preventDefault(); d3.event.preventDefault();
} }
}) })
.on('mousemove.selection', function () { .on('mousemove.selection', function () {
// update selection box if shift is held down // update selection box if shift is held down
if (d3.event.shiftKey) { if (d3.event.shiftKey) {
// get the selection box // get the selection box
var selectionBox = d3.select('rect.selection'); var selectionBox = d3.select('rect.selection');
if (!selectionBox.empty()) { if (!selectionBox.empty()) {
// get the original position // get the original position
var originalPosition = selectionBox.datum(); var originalPosition = selectionBox.datum();
var position = d3.mouse(canvas.node()); var position = d3.mouse(canvas.node());
var d = {}; var d = {};
if (originalPosition[0] < position[0]) { if (originalPosition[0] < position[0]) {
d.x = originalPosition[0]; d.x = originalPosition[0];
d.width = position[0] - originalPosition[0]; d.width = position[0] - originalPosition[0];
} else { } else {
d.x = position[0]; d.x = position[0];
d.width = originalPosition[0] - position[0]; d.width = originalPosition[0] - position[0];
}
if (originalPosition[1] < position[1]) {
d.y = originalPosition[1];
d.height = position[1] - originalPosition[1];
} else {
d.y = position[1];
d.height = originalPosition[1] - position[1];
}
// update the selection box
selectionBox.attr(d);
// prevent further propagation (to parents)
d3.event.stopPropagation();
}
}
})
.on('mouseup.selection', function () {
// ensure this originated from clicking the canvas, not a component.
// when clicking on a component, the event propagation is stopped so
// it never reaches the canvas. we cannot do this however on up events
// since the drag events break down
if (canvasClicked === false) {
return;
} }
if (originalPosition[1] < position[1]) { // reset the canvas click flag
d.y = originalPosition[1]; canvasClicked = false;
d.height = position[1] - originalPosition[1];
} else { // get the selection box
d.y = position[1]; var selectionBox = d3.select('rect.selection');
d.height = originalPosition[1] - position[1]; if (!selectionBox.empty()) {
var selectionBoundingBox = {
x: parseInt(selectionBox.attr('x'), 10),
y: parseInt(selectionBox.attr('y'), 10),
width: parseInt(selectionBox.attr('width'), 10),
height: parseInt(selectionBox.attr('height'), 10)
};
// see if a component should be selected or not
d3.selectAll('g.component').classed('selected', function (d) {
// consider it selected if its already selected or enclosed in the bounding box
return d3.select(this).classed('selected') ||
d.component.position.x >= selectionBoundingBox.x && (d.component.position.x + d.dimensions.width) <= (selectionBoundingBox.x + selectionBoundingBox.width) &&
d.component.position.y >= selectionBoundingBox.y && (d.component.position.y + d.dimensions.height) <= (selectionBoundingBox.y + selectionBoundingBox.height);
});
// see if a connection should be selected or not
d3.selectAll('g.connection').classed('selected', function (d) {
// consider all points
var points = [d.start].concat(d.bends, [d.end]);
// determine the bounding box
var x = d3.extent(points, function (pt) {
return pt.x;
});
var y = d3.extent(points, function (pt) {
return pt.y;
});
// consider it selected if its already selected or enclosed in the bounding box
return d3.select(this).classed('selected') ||
x[0] >= selectionBoundingBox.x && x[1] <= (selectionBoundingBox.x + selectionBoundingBox.width) &&
y[0] >= selectionBoundingBox.y && y[1] <= (selectionBoundingBox.y + selectionBoundingBox.height);
});
// remove the selection box
selectionBox.remove();
} else if (panning === false) {
// deselect as necessary if we are not panning
nf.CanvasUtils.getSelection().classed('selected', false);
} }
// update the selection box // update the toolbar
selectionBox.attr(d); nf.CanvasToolbar.refresh();
// prevent further propagation (to parents)
d3.event.stopPropagation();
}
}
})
.on('mouseup.selection', function () {
// ensure this originated from clicking the canvas, not a component.
// when clicking on a component, the event propagation is stopped so
// it never reaches the canvas. we cannot do this however on up events
// since the drag events break down
if (canvasClicked === false) {
return;
}
// reset the canvas click flag
canvasClicked = false;
// get the selection box
var selectionBox = d3.select('rect.selection');
if (!selectionBox.empty()) {
var selectionBoundingBox = {
x: parseInt(selectionBox.attr('x'), 10),
y: parseInt(selectionBox.attr('y'), 10),
width: parseInt(selectionBox.attr('width'), 10),
height: parseInt(selectionBox.attr('height'), 10)
};
// see if a component should be selected or not
d3.selectAll('g.component').classed('selected', function (d) {
// consider it selected if its already selected or enclosed in the bounding box
return d3.select(this).classed('selected') ||
d.component.position.x >= selectionBoundingBox.x && (d.component.position.x + d.dimensions.width) <= (selectionBoundingBox.x + selectionBoundingBox.width) &&
d.component.position.y >= selectionBoundingBox.y && (d.component.position.y + d.dimensions.height) <= (selectionBoundingBox.y + selectionBoundingBox.height);
}); });
// see if a connection should be selected or not
d3.selectAll('g.connection').classed('selected', function (d) {
// consider all points
var points = [d.start].concat(d.bends, [d.end]);
// determine the bounding box
var x = d3.extent(points, function (pt) {
return pt.x;
});
var y = d3.extent(points, function (pt) {
return pt.y;
});
// consider it selected if its already selected or enclosed in the bounding box
return d3.select(this).classed('selected') ||
x[0] >= selectionBoundingBox.x && x[1] <= (selectionBoundingBox.x + selectionBoundingBox.width) &&
y[0] >= selectionBoundingBox.y && y[1] <= (selectionBoundingBox.y + selectionBoundingBox.height);
});
// remove the selection box
selectionBox.remove();
} else if (panning === false) {
// deselect as necessary if we are not panning
nf.CanvasUtils.getSelection().classed('selected', false);
}
// update the toolbar
nf.CanvasToolbar.refresh();
});
// define a function for update the graph dimensions // define a function for update the graph dimensions
var updateGraphSize = function () { var updateGraphSize = function () {
// get the location of the bottom of the graph // get the location of the bottom of the graph
@ -573,7 +572,7 @@ nf.Canvas = (function () {
var dialogMax = null; var dialogMax = null;
// identify the top most cancellable // identify the top most cancellable
$.each(cancellables, function(_, cancellable) { $.each(cancellables, function (_, cancellable) {
var dialog = $(cancellable); var dialog = $(cancellable);
var zIndex = dialog.css('zIndex'); var zIndex = dialog.css('zIndex');
@ -937,22 +936,18 @@ nf.Canvas = (function () {
}; };
return { return {
ANONYMOUS_USER_TEXT: 'Anonymous user', ANONYMOUS_USER_TEXT: 'Anonymous user',
CANVAS_OFFSET: 0, CANVAS_OFFSET: 0,
/** /**
* Determines if the current broswer supports SVG. * Determines if the current broswer supports SVG.
*/ */
SUPPORTS_SVG: !!document.createElementNS && !!document.createElementNS('http://www.w3.org/2000/svg', 'svg').createSVGRect, SUPPORTS_SVG: !!document.createElementNS && !!document.createElementNS('http://www.w3.org/2000/svg', 'svg').createSVGRect,
/** /**
* Hides the splash that is displayed while the application is loading. * Hides the splash that is displayed while the application is loading.
*/ */
hideSplash: function () { hideSplash: function () {
$('#splash').fadeOut(); $('#splash').fadeOut();
}, },
/** /**
* Stop polling for revision. * Stop polling for revision.
*/ */
@ -960,7 +955,6 @@ nf.Canvas = (function () {
// set polling flag // set polling flag
revisionPolling = false; revisionPolling = false;
}, },
/** /**
* Remove the status poller. * Remove the status poller.
*/ */
@ -968,7 +962,6 @@ nf.Canvas = (function () {
// set polling flag // set polling flag
statusPolling = false; statusPolling = false;
}, },
/** /**
* Reloads the flow from the server based on the currently specified group id. * Reloads the flow from the server based on the currently specified group id.
* To load another group, update nf.Canvas.setGroupId and call nf.Canvas.reload. * To load another group, update nf.Canvas.setGroupId and call nf.Canvas.reload.
@ -1011,7 +1004,6 @@ nf.Canvas = (function () {
}); });
}).promise(); }).promise();
}, },
/** /**
* Reloads the status. * Reloads the status.
*/ */
@ -1025,7 +1017,6 @@ nf.Canvas = (function () {
}); });
}).promise(); }).promise();
}, },
/** /**
* Initialize NiFi. * Initialize NiFi.
*/ */
@ -1045,7 +1036,7 @@ nf.Canvas = (function () {
}); });
// load the identity and authorities for the current user // load the identity and authorities for the current user
var userXhr = $.Deferred(function(deferred) { var userXhr = $.Deferred(function (deferred) {
$.when(authoritiesXhr, identityXhr).done(function (authoritiesResult, identityResult) { $.when(authoritiesXhr, identityXhr).done(function (authoritiesResult, identityResult) {
var authoritiesResponse = authoritiesResult[0]; var authoritiesResponse = authoritiesResult[0];
var identityResponse = identityResult[0]; var identityResponse = identityResult[0];
@ -1057,6 +1048,7 @@ nf.Canvas = (function () {
// if the user is logged, we want to determine if they were logged in using a certificate // if the user is logged, we want to determine if they were logged in using a certificate
if (identityResponse.identity !== 'anonymous') { if (identityResponse.identity !== 'anonymous') {
// rendner the users name
$('#current-user').text(identityResponse.identity).show(); $('#current-user').text(identityResponse.identity).show();
// render the logout button if there is a token locally // render the logout button if there is a token locally
@ -1064,6 +1056,16 @@ nf.Canvas = (function () {
$('#logout-link-container').show(); $('#logout-link-container').show();
} }
} else { } else {
// alert user's of anonymous access
$('#anonymous-user-alert').show().qtip($.extend({}, nf.Common.config.tooltipConfig, {
content: 'You are accessing with limited authority. Log in or request an account to access with additional authority granted to you by an administrator.',
position: {
my: 'top right',
at: 'bottom left'
}
}));
// render the anonymous user text
$('#current-user').text(nf.Canvas.ANONYMOUS_USER_TEXT).show(); $('#current-user').text(nf.Canvas.ANONYMOUS_USER_TEXT).show();
} }
deferred.resolve(); deferred.resolve();
@ -1193,7 +1195,6 @@ nf.Canvas = (function () {
}).fail(nf.Common.handleAjaxError); }).fail(nf.Common.handleAjaxError);
}).fail(nf.Common.handleAjaxError); }).fail(nf.Common.handleAjaxError);
}, },
/** /**
* Defines the gradient colors used to render processors. * Defines the gradient colors used to render processors.
* *
@ -1202,7 +1203,6 @@ nf.Canvas = (function () {
defineProcessorColors: function (colors) { defineProcessorColors: function (colors) {
setColors(colors, 'processor'); setColors(colors, 'processor');
}, },
/** /**
* Defines the gradient colors used to render label. * Defines the gradient colors used to render label.
* *
@ -1211,7 +1211,6 @@ nf.Canvas = (function () {
defineLabelColors: function (colors) { defineLabelColors: function (colors) {
setColors(colors, 'label'); setColors(colors, 'label');
}, },
/** /**
* Return whether this instance of NiFi is clustered. * Return whether this instance of NiFi is clustered.
* *
@ -1220,14 +1219,12 @@ nf.Canvas = (function () {
isClustered: function () { isClustered: function () {
return clustered === true; return clustered === true;
}, },
/** /**
* Returns whether site to site communications is secure. * Returns whether site to site communications is secure.
*/ */
isSecureSiteToSite: function () { isSecureSiteToSite: function () {
return secureSiteToSite; return secureSiteToSite;
}, },
/** /**
* Set the group id. * Set the group id.
* *
@ -1236,14 +1233,12 @@ nf.Canvas = (function () {
setGroupId: function (gi) { setGroupId: function (gi) {
groupId = gi; groupId = gi;
}, },
/** /**
* Get the group id. * Get the group id.
*/ */
getGroupId: function () { getGroupId: function () {
return groupId; return groupId;
}, },
/** /**
* Set the group name. * Set the group name.
* *
@ -1252,14 +1247,12 @@ nf.Canvas = (function () {
setGroupName: function (gn) { setGroupName: function (gn) {
groupName = gn; groupName = gn;
}, },
/** /**
* Get the group name. * Get the group name.
*/ */
getGroupName: function () { getGroupName: function () {
return groupName; return groupName;
}, },
/** /**
* Set the parent group id. * Set the parent group id.
* *
@ -1268,14 +1261,12 @@ nf.Canvas = (function () {
setParentGroupId: function (pgi) { setParentGroupId: function (pgi) {
parentGroupId = pgi; parentGroupId = pgi;
}, },
/** /**
* Get the parent group id. * Get the parent group id.
*/ */
getParentGroupId: function () { getParentGroupId: function () {
return parentGroupId; return parentGroupId;
}, },
View: (function () { View: (function () {
/** /**
@ -1344,8 +1335,8 @@ nf.Canvas = (function () {
.classed('entering', function () { .classed('entering', function () {
return visible && !wasVisible; return visible && !wasVisible;
}).classed('leaving', function () { }).classed('leaving', function () {
return !visible && wasVisible; return !visible && wasVisible;
}); });
}; };
// get the all components // get the all components
@ -1432,7 +1423,6 @@ nf.Canvas = (function () {
// add the behavior to the canvas and disable dbl click zoom // add the behavior to the canvas and disable dbl click zoom
svg.call(behavior).on('dblclick.zoom', null); svg.call(behavior).on('dblclick.zoom', null);
}, },
/** /**
* Whether or not a component should be rendered based solely on the current scale. * Whether or not a component should be rendered based solely on the current scale.
* *
@ -1441,7 +1431,6 @@ nf.Canvas = (function () {
shouldRenderPerScale: function () { shouldRenderPerScale: function () {
return nf.Canvas.View.scale() >= MIN_SCALE_TO_RENDER; return nf.Canvas.View.scale() >= MIN_SCALE_TO_RENDER;
}, },
/** /**
* Updates component visibility based on the current translation/scale. * Updates component visibility based on the current translation/scale.
*/ */
@ -1449,7 +1438,6 @@ nf.Canvas = (function () {
updateComponentVisibility(); updateComponentVisibility();
nf.Graph.pan(); nf.Graph.pan();
}, },
/** /**
* Sets/gets the current translation. * Sets/gets the current translation.
* *
@ -1462,7 +1450,6 @@ nf.Canvas = (function () {
behavior.translate(translate); behavior.translate(translate);
} }
}, },
/** /**
* Sets/gets the current scale. * Sets/gets the current scale.
* *
@ -1475,7 +1462,6 @@ nf.Canvas = (function () {
behavior.scale(scale); behavior.scale(scale);
} }
}, },
/** /**
* Zooms in a single zoom increment. * Zooms in a single zoom increment.
*/ */
@ -1500,7 +1486,6 @@ nf.Canvas = (function () {
height: 1 height: 1
}); });
}, },
/** /**
* Zooms out a single zoom increment. * Zooms out a single zoom increment.
*/ */
@ -1525,7 +1510,6 @@ nf.Canvas = (function () {
height: 1 height: 1
}); });
}, },
/** /**
* Zooms to fit the entire graph on the canvas. * Zooms to fit the entire graph on the canvas.
*/ */
@ -1572,7 +1556,6 @@ nf.Canvas = (function () {
height: canvasHeight / newScale height: canvasHeight / newScale
}); });
}, },
/** /**
* Zooms to the actual size (1 to 1). * Zooms to the actual size (1 to 1).
*/ */
@ -1621,7 +1604,6 @@ nf.Canvas = (function () {
// center as appropriate // center as appropriate
nf.CanvasUtils.centerBoundingBox(box); nf.CanvasUtils.centerBoundingBox(box);
}, },
/** /**
* Refreshes the view based on the configured translation and scale. * Refreshes the view based on the configured translation and scale.
* *

View File

@ -75,7 +75,7 @@ nf.Login = (function () {
var showUserRegistration = function () { var showUserRegistration = function () {
showNiFiRegistration(); showNiFiRegistration();
$('#nifi-registration-title').hide(); $('div.nifi-submit-justification').hide();
$('#user-registration-container').show(); $('#user-registration-container').show();
$('#login-submission-button').text('Create'); $('#login-submission-button').text('Create');
}; };
@ -109,41 +109,15 @@ nf.Login = (function () {
'username': $('#username').val(), 'username': $('#username').val(),
'password': $('#password').val() 'password': $('#password').val()
} }
}).done(function (response, status, xhr) { }).done(function (jwt) {
var authorization = xhr.getResponseHeader('Authorization'); // store the jwt and reload the page
var badToken = false; nf.Storage.setItem('jwt', jwt);
// ensure there was a token in the response // reload as appropriate
if (authorization) { if (top !== window) {
var tokens = authorization.split(/ /); parent.window.location = '/nifi';
// ensure the token is the appropriate length
if (tokens.length === 2) {
// store the jwt and reload the page
nf.Storage.setItem('jwt', tokens[1]);
// reload as appropriate
if (top !== window) {
parent.window.location = '/nifi';
} else {
window.location = '/nifi';
}
return;
} else {
badToken = true;
}
} else { } else {
badToken = true; window.location = '/nifi';
}
if (badToken === true) {
$('#login-message-title').text('An unexpected error has occurred');
$('#login-message').text('The user token could not be parsed.');
// update visibility
$('#login-container').hide();
$('#login-submission-container').hide();
$('#login-message-container').show();
} }
}).fail(function (xhr, status, error) { }).fail(function (xhr, status, error) {
if (xhr.status === 400) { if (xhr.status === 400) {
@ -164,13 +138,25 @@ nf.Login = (function () {
}; };
var createUserAccount = function () { var createUserAccount = function () {
var password = $('#registration-password').val();
var passwordConfirmation = $('#registration-password-confirmation').val();
// ensure the password matches
if (password !== passwordConfirmation) {
nf.Dialog.showOkDialog({
dialogContent: 'The specified passwords do not match.',
overlayBackground: false
});
return;
}
// attempt to create the user account registration // attempt to create the user account registration
$.ajax({ $.ajax({
type: 'POST', type: 'POST',
url: config.urls.registration, url: config.urls.registration,
data: { data: {
'username': $('#registration-username').val(), 'username': $('#registration-username').val(),
'password': $('#registration-password').val(), 'password': password,
'justification': $('#nifi-registration-justification').val() 'justification': $('#nifi-registration-justification').val()
} }
}).done(function (response, status, xhr) { }).done(function (response, status, xhr) {
@ -220,6 +206,33 @@ nf.Login = (function () {
}); });
}; };
/**
* Extracts the subject from the specified jwt. If the jwt is not as expected
* an empty string is returned.
*
* @param {string} jwt
* @returns {string}
*/
var getJwtSubject = function (jwt) {
if (nf.Common.isDefinedAndNotNull(jwt)) {
var segments = jwt.split(/\./);
if (segments.length !== 3) {
return '';
}
var rawPayload = $.base64.atob(segments[1]);
var payload = JSON.parse(rawPayload);
if (nf.Common.isDefinedAndNotNull(payload['preferred_username'])) {
return payload['preferred_username'];
} else {
'';
}
}
return '';
};
return { return {
/** /**
* Initializes the login page. * Initializes the login page.
@ -231,6 +244,16 @@ nf.Login = (function () {
var needsLogin = false; var needsLogin = false;
var needsNiFiRegistration = false; var needsNiFiRegistration = false;
var logout = function () {
nf.Storage.removeItem('jwt');
};
// handle logout
$('#nifi-user-submit-justification-logout').on('click', function () {
logout();
window.location = '/nifi/login';
});
var token = $.ajax({ var token = $.ajax({
type: 'GET', type: 'GET',
url: config.urls.token url: config.urls.token
@ -250,7 +273,8 @@ nf.Login = (function () {
isAnonymous = true; isAnonymous = true;
// request a token without including credentials, if successful then the user is using a certificate // request a token without including credentials, if successful then the user is using a certificate
token.done(function () { token.done(function (jwt) {
// the user is using a certificate/token, see if their account is active/pending/revoked/etc // the user is using a certificate/token, see if their account is active/pending/revoked/etc
$.ajax({ $.ajax({
type: 'GET', type: 'GET',
@ -263,6 +287,16 @@ nf.Login = (function () {
$('#login-message').text('Your account is active and you are already logged in.'); $('#login-message').text('Your account is active and you are already logged in.');
}).fail(function (xhr, status, error) { }).fail(function (xhr, status, error) {
if (xhr.status === 401) { if (xhr.status === 401) {
var user = getJwtSubject(jwt);
// show the user
$('#nifi-user-submit-justification').text(user);
// render the logout button if there is a token locally
if (nf.Storage.getItem('jwt') !== null) {
$('#nifi-user-submit-justification-logout').show();
}
// anonymous user and 401 means they need nifi registration // anonymous user and 401 means they need nifi registration
needsNiFiRegistration = true; needsNiFiRegistration = true;
} else { } else {
@ -279,7 +313,12 @@ nf.Login = (function () {
}).always(function () { }).always(function () {
deferred.resolve(); deferred.resolve();
}); });
}).fail(function () { }).fail(function (tokenXhr) {
if (tokenXhr.status === 400) {
// no credentials supplied so 400 must be due to an invalid/expired token
logout();
}
// no token granted, user has no certificate and needs to login with their credentials // no token granted, user has no certificate and needs to login with their credentials
needsLogin = true; needsLogin = true;
deferred.resolve(); deferred.resolve();
@ -296,10 +335,25 @@ nf.Login = (function () {
// unable to get identity (and no anonymous user) see if we can offer login // unable to get identity (and no anonymous user) see if we can offer login
if (xhr.status === 401) { if (xhr.status === 401) {
// attempt to get a token for the current user without passing login credentials // attempt to get a token for the current user without passing login credentials
token.done(function () { token.done(function (jwt) {
var user = getJwtSubject(jwt);
// show the user
$('#nifi-user-submit-justification').text(user);
// render the logout button if there is a token locally
if (nf.Storage.getItem('jwt') !== null) {
$('#nifi-user-submit-justification-logout').show();
}
// 401 from identity request and 200 from token means they have a certificate/token but have not yet requested an account // 401 from identity request and 200 from token means they have a certificate/token but have not yet requested an account
needsNiFiRegistration = true; needsNiFiRegistration = true;
}).fail(function () { }).fail(function (tokenXhr) {
if (tokenXhr.status === 400) {
// no credentials supplied so 400 must be due to an invalid/expired token
logout();
}
// no token granted, user needs to login with their credentials // no token granted, user needs to login with their credentials
needsLogin = true; needsLogin = true;
}).always(function () { }).always(function () {

View File

@ -206,7 +206,14 @@ nf.Common = {
// if an error occurs while the splash screen is visible close the canvas show the error message // if an error occurs while the splash screen is visible close the canvas show the error message
if ($('#splash').is(':visible')) { if ($('#splash').is(':visible')) {
$('#message-title').text('An unexpected error has occurred'); if (xhr.status === 401) {
$('#message-title').text('Unauthorized');
} else if (xhr.status === 403) {
$('#message-title').text('Access Denied');
} else {
$('#message-title').text('An unexpected error has occurred');
}
if ($.trim(xhr.responseText) === '') { if ($.trim(xhr.responseText) === '') {
$('#message-content').text('Please check the logs.'); $('#message-content').text('Please check the logs.');
} else { } else {
@ -249,7 +256,7 @@ nf.Common = {
$('#message-content').text(xhr.responseText); $('#message-content').text(xhr.responseText);
} }
} else if (xhr.status === 403) { } else if (xhr.status === 403) {
$('#message-title').text('Forbidden'); $('#message-title').text('Access Denied');
if ($.trim(xhr.responseText) === '') { if ($.trim(xhr.responseText) === '') {
$('#message-content').text('Unable to authorize you to use this NiFi.'); $('#message-content').text('Unable to authorize you to use this NiFi.');
} else { } else {