mirror of https://github.com/apache/nifi.git
NIFI-655:
- Renaming spring tokens to avoid confusion over authentication and authorization.
parent
85eb8defdd
commit
e22b51f3a7
|
@ -24,7 +24,7 @@ import org.apache.nifi.web.security.anonymous.NiFiAnonymousUserFilter;
|
|||
import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
|
||||
import org.apache.nifi.web.security.jwt.JwtService;
|
||||
import org.apache.nifi.web.security.node.NodeAuthorizedUserFilter;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
|
||||
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
|
||||
import org.apache.nifi.web.security.x509.X509IdentityProvider;
|
||||
|
@ -157,7 +157,7 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
|
|||
}
|
||||
|
||||
@Autowired
|
||||
public void setUserDetailsService(AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService) {
|
||||
public void setUserDetailsService(AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> userDetailsService) {
|
||||
this.userDetailsService = userDetailsService;
|
||||
}
|
||||
|
||||
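Review bot: The renamed type is spelled `NiFiAuthortizationRequestToken` (a stray "t" after "Author") in the import and in the `setUserDetailsService` parameter here, and the same spelling is used for the class declaration and every other reference in this commit. Since the stated purpose is to remove confusion between authentication and authorization, the name should be `NiFiAuthorizationRequestToken`, matching `NiFiAuthorizationToken` and `NewAccountAuthorizationRequestToken`, which are spelled correctly elsewhere in the commit. Fixing it at the declaration, `public class NiFiAuthorizationRequestToken extends AbstractAuthenticationToken {`, keeps searches and later refactors from missing one of the two spellings.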
|
|
|
@ -61,7 +61,7 @@ import org.apache.nifi.web.security.UntrustedProxyException;
|
|||
import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
|
||||
import org.apache.nifi.web.security.jwt.JwtService;
|
||||
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
|
||||
import org.apache.nifi.web.security.x509.X509IdentityProvider;
|
||||
import org.slf4j.Logger;
|
||||
|
@ -93,7 +93,7 @@ public class AccessResource extends ApplicationResource {
|
|||
private X509IdentityProvider certificateIdentityProvider;
|
||||
private JwtService jwtService;
|
||||
|
||||
private AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService;
|
||||
private AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> userDetailsService;
|
||||
|
||||
/**
|
||||
* Retrieves the access configuration for this NiFi.
|
||||
|
@ -285,7 +285,7 @@ public class AccessResource extends ApplicationResource {
|
|||
* @throws AuthenticationException if the proxy chain is not authorized
|
||||
*/
|
||||
private UserDetails checkAuthorization(final List<String> proxyChain) throws AuthenticationException {
|
||||
return userDetailsService.loadUserDetails(new NiFiAuthenticationRequestToken(proxyChain));
|
||||
return userDetailsService.loadUserDetails(new NiFiAuthortizationRequestToken(proxyChain));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -399,7 +399,7 @@ public class AccessResource extends ApplicationResource {
|
|||
private void authorizeProxyIfNecessary(final List<String> proxyChain) throws AuthenticationException {
|
||||
if (proxyChain.size() > 1) {
|
||||
try {
|
||||
userDetailsService.loadUserDetails(new NiFiAuthenticationRequestToken(proxyChain));
|
||||
userDetailsService.loadUserDetails(new NiFiAuthortizationRequestToken(proxyChain));
|
||||
} catch (final UsernameNotFoundException unfe) {
|
||||
// if a username not found exception was thrown, the proxies were authorized and now
|
||||
// we can issue a new token to the end user which they will use to identify themselves
|
||||
|
@ -435,7 +435,7 @@ public class AccessResource extends ApplicationResource {
|
|||
this.certificateIdentityProvider = certificateIdentityProvider;
|
||||
}
|
||||
|
||||
public void setUserDetailsService(AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService) {
|
||||
public void setUserDetailsService(AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> userDetailsService) {
|
||||
this.userDetailsService = userDetailsService;
|
||||
}
|
||||
|
||||
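Review bot: In `authorizeProxyIfNecessary` the `catch (final UsernameNotFoundException unfe)` branch is the success path, so the security decision rests on `loadUserDetails` rejecting an unauthorized proxy with some other exception before it ever reports the end user as unknown; nothing in this hunk shows or documents that ordering. A short comment naming the contract would help, for example `// relies on loadUserDetails checking every proxy in the chain before the end user; an untrusted proxy must surface as a different AuthenticationException`. The method body continues outside the hunk, so the handling after the catch could not be reviewed.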
|
|
|
@ -27,7 +27,7 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.nifi.user.NiFiUser;
|
||||
import org.apache.nifi.util.NiFiProperties;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.user.NiFiUserUtils;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
@ -82,7 +82,7 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean {
|
|||
private void authenticate(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
|
||||
String dnChain = null;
|
||||
try {
|
||||
final NiFiAuthenticationRequestToken authenticated = attemptAuthentication(request);
|
||||
final NiFiAuthortizationRequestToken authenticated = attemptAuthentication(request);
|
||||
if (authenticated != null) {
|
||||
dnChain = ProxiedEntitiesUtils.formatProxyDn(StringUtils.join(authenticated.getChain(), "><"));
|
||||
|
||||
|
@ -118,14 +118,14 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean {
|
|||
|
||||
/**
|
||||
* Attempt to authenticate the client making the request. If the request does not contain an authentication attempt, this method should return null. If the request contains an authentication
|
||||
* request, the implementation should convert it to a NiFiAuthenticationRequestToken (which is used when authorizing the client). Implementations should throw InvalidAuthenticationException when
|
||||
* request, the implementation should convert it to a NiFiAuthorizationRequestToken (which is used when authorizing the client). Implementations should throw InvalidAuthenticationException when
|
||||
* the request contains an authentication request but it could not be authenticated.
|
||||
*
|
||||
* @param request The request
|
||||
* @return The NiFiAuthenticationRequestToken used to later authorized the client
|
||||
* @return The NiFiAutorizationRequestToken used to later authorized the client
|
||||
* @throws InvalidAuthenticationException If the request contained an authentication attempt, but could not authenticate
|
||||
*/
|
||||
public abstract NiFiAuthenticationRequestToken attemptAuthentication(HttpServletRequest request);
|
||||
public abstract NiFiAuthortizationRequestToken attemptAuthentication(HttpServletRequest request);
|
||||
|
||||
protected void successfulAuthorization(HttpServletRequest request, HttpServletResponse response, Authentication authResult) {
|
||||
if (log.isDebugEnabled()) {
|
||||
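Review bot: The updated Javadoc on `attemptAuthentication` names the return type as `NiFiAuthorizationRequestToken` in the description and `NiFiAutorizationRequestToken` in `@return`, while the declared return type is `NiFiAuthortizationRequestToken`, so the comment now points at two types that do not exist in this commit. Using a link, `{@link NiFiAuthortizationRequestToken}` (or the corrected class name once it is fixed), lets the Javadoc tool flag any mismatch. The `@return` text would also read better as `The token used to later authorize the client`.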
|
|
|
@ -16,9 +16,9 @@
|
|||
*/
|
||||
package org.apache.nifi.web.security;
|
||||
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthenticationToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthorizationToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthorizationToken;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
@ -32,29 +32,29 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
|||
*/
|
||||
public class NiFiAuthenticationProvider implements AuthenticationProvider {
|
||||
|
||||
private final AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService;
|
||||
private final AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> userDetailsService;
|
||||
|
||||
public NiFiAuthenticationProvider(final AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService) {
|
||||
public NiFiAuthenticationProvider(final AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> userDetailsService) {
|
||||
this.userDetailsService = userDetailsService;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
final NiFiAuthenticationRequestToken request = (NiFiAuthenticationRequestToken) authentication;
|
||||
final NiFiAuthortizationRequestToken request = (NiFiAuthortizationRequestToken) authentication;
|
||||
|
||||
try {
|
||||
// defer to the nifi user details service to authorize the user
|
||||
final UserDetails userDetails = userDetailsService.loadUserDetails(request);
|
||||
|
||||
// build an authentication for accesing nifi
|
||||
// build a token for accesing nifi
|
||||
final NiFiAuthorizationToken result = new NiFiAuthorizationToken(userDetails);
|
||||
result.setDetails(request.getDetails());
|
||||
return result;
|
||||
} catch (final UsernameNotFoundException unfe) {
|
||||
// if the authentication request is for a new account and it could not be authorized because the user was not found,
|
||||
// return the token so the new account could be created. this must go here toe nsure that any proxies have been authorized
|
||||
// if the authorization request is for a new account and it could not be authorized because the user was not found,
|
||||
// return the token so the new account could be created. this must go here to ensure that any proxies have been authorized
|
||||
if (isNewAccountAuthenticationToken(request)) {
|
||||
return new NewAccountAuthenticationToken(((NewAccountAuthenticationRequestToken) authentication).getNewAccountRequest());
|
||||
return new NewAccountAuthorizationToken(((NewAccountAuthorizationRequestToken) authentication).getNewAccountRequest());
|
||||
} else {
|
||||
throw unfe;
|
||||
}
|
||||
|
@ -62,12 +62,12 @@ public class NiFiAuthenticationProvider implements AuthenticationProvider {
|
|||
}
|
||||
|
||||
private boolean isNewAccountAuthenticationToken(final Authentication authentication) {
|
||||
return NewAccountAuthenticationRequestToken.class.isAssignableFrom(authentication.getClass());
|
||||
return NewAccountAuthorizationRequestToken.class.isAssignableFrom(authentication.getClass());
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return NiFiAuthenticationRequestToken.class.isAssignableFrom(authentication);
|
||||
return NiFiAuthortizationRequestToken.class.isAssignableFrom(authentication);
|
||||
}
|
||||
|
||||
}
|
||||
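Review bot: The private helper is still called `isNewAccountAuthenticationToken` although it now tests for `NewAccountAuthorizationRequestToken`, which keeps the authentication/authorization mix-up the commit sets out to remove; `isNewAccountAuthorizationRequest` would match what it checks. The helper is called with `request` while the cast on the next line uses `authentication`; they are the same object, but `return new NewAccountAuthorizationToken(((NewAccountAuthorizationRequestToken) request).getNewAccountRequest());` makes the guard and the cast visibly refer to one value. The new comment `// build a token for accesing nifi` carries over the typo "accesing".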
|
|
|
@ -30,7 +30,7 @@ import org.apache.nifi.user.NiFiUser;
|
|||
import org.apache.nifi.util.NiFiProperties;
|
||||
import org.apache.nifi.web.security.UntrustedProxyException;
|
||||
import org.apache.nifi.web.security.user.NiFiUserDetails;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.dao.DataAccessException;
|
||||
|
@ -44,7 +44,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
|||
/**
|
||||
* UserDetailsService that will verify user identity and grant user authorities.
|
||||
*/
|
||||
public class NiFiAuthorizationService implements AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> {
|
||||
public class NiFiAuthorizationService implements AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> {
|
||||
|
||||
private static final Logger logger = LoggerFactory.getLogger(NiFiAuthorizationService.class);
|
||||
|
||||
|
@ -63,7 +63,7 @@ public class NiFiAuthorizationService implements AuthenticationUserDetailsServic
|
|||
* @throws org.springframework.dao.DataAccessException ex
|
||||
*/
|
||||
@Override
|
||||
public synchronized UserDetails loadUserDetails(NiFiAuthenticationRequestToken request) throws UsernameNotFoundException, DataAccessException {
|
||||
public synchronized UserDetails loadUserDetails(NiFiAuthortizationRequestToken request) throws UsernameNotFoundException, DataAccessException {
|
||||
NiFiUserDetails userDetails = null;
|
||||
final List<String> chain = new ArrayList<>(request.getChain());
|
||||
|
||||
|
|
|
@ -19,8 +19,8 @@ package org.apache.nifi.web.security.jwt;
|
|||
import io.jsonwebtoken.JwtException;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.nifi.web.security.NiFiAuthenticationFilter;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.user.NewAccountRequest;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
@ -40,7 +40,7 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
|
|||
private JwtService jwtService;
|
||||
|
||||
@Override
|
||||
public NiFiAuthenticationRequestToken attemptAuthentication(final HttpServletRequest request) {
|
||||
public NiFiAuthortizationRequestToken attemptAuthentication(final HttpServletRequest request) {
|
||||
// only suppport jwt login when running securely
|
||||
if (!request.isSecure()) {
|
||||
return null;
|
||||
|
@ -66,9 +66,9 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
|
|||
final String jwtPrincipal = jwtService.getAuthenticationFromToken(token);
|
||||
|
||||
if (isNewAccountRequest(request)) {
|
||||
return new NewAccountAuthenticationRequestToken(new NewAccountRequest(Arrays.asList(jwtPrincipal), getJustification(request)));
|
||||
return new NewAccountAuthorizationRequestToken(new NewAccountRequest(Arrays.asList(jwtPrincipal), getJustification(request)));
|
||||
} else {
|
||||
return new NiFiAuthenticationRequestToken(Arrays.asList(jwtPrincipal));
|
||||
return new NiFiAuthortizationRequestToken(Arrays.asList(jwtPrincipal));
|
||||
}
|
||||
} catch (JwtException e) {
|
||||
throw new InvalidAuthenticationException(e.getMessage(), e);
|
||||
|
|
|
@ -19,13 +19,13 @@ package org.apache.nifi.web.security.token;
|
|||
import org.apache.nifi.web.security.user.NewAccountRequest;
|
||||
|
||||
/**
|
||||
* This is an Authentication Token for a user that is requesting authentication in order to submit a new account request.
|
||||
* An authentication token that is used as an authorization request when submitting a new account.
|
||||
*/
|
||||
public class NewAccountAuthenticationRequestToken extends NiFiAuthenticationRequestToken {
|
||||
public class NewAccountAuthorizationRequestToken extends NiFiAuthortizationRequestToken {
|
||||
|
||||
final NewAccountRequest newAccountRequest;
|
||||
|
||||
public NewAccountAuthenticationRequestToken(final NewAccountRequest newAccountRequest) {
|
||||
public NewAccountAuthorizationRequestToken(final NewAccountRequest newAccountRequest) {
|
||||
super(newAccountRequest.getChain());
|
||||
this.newAccountRequest = newAccountRequest;
|
||||
}
|
|
@ -23,11 +23,11 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
|
|||
* This is an Authentication Token for a user that has been authenticated but is not authorized to access the NiFi APIs. Typically, this authentication token is used successfully when requesting a
|
||||
* NiFi account. Requesting any other endpoint would be rejected due to lack of roles.
|
||||
*/
|
||||
public class NewAccountAuthenticationToken extends AbstractAuthenticationToken {
|
||||
public class NewAccountAuthorizationToken extends AbstractAuthenticationToken {
|
||||
|
||||
final NewAccountRequest newAccountRequest;
|
||||
|
||||
public NewAccountAuthenticationToken(final NewAccountRequest newAccountRequest) {
|
||||
public NewAccountAuthorizationToken(final NewAccountRequest newAccountRequest) {
|
||||
super(null);
|
||||
super.setAuthenticated(true);
|
||||
this.newAccountRequest = newAccountRequest;
|
|
@ -21,14 +21,14 @@ import java.util.List;
|
|||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
|
||||
/**
|
||||
* An authentication token that is used as an authentication request. The request chain is specified during creation and is used authenticate the user(s). If the user is authenticated, the token is
|
||||
* used to authorized the user(s).
|
||||
* An authentication token that is used as an authorization request. The request has already been authenticated and is now going to be authorized.
|
||||
* The request chain is specified during creation and is used authorize the user(s).
|
||||
*/
|
||||
public class NiFiAuthenticationRequestToken extends AbstractAuthenticationToken {
|
||||
public class NiFiAuthortizationRequestToken extends AbstractAuthenticationToken {
|
||||
|
||||
private final List<String> chain;
|
||||
|
||||
public NiFiAuthenticationRequestToken(final List<String> chain) {
|
||||
public NiFiAuthortizationRequestToken(final List<String> chain) {
|
||||
super(null);
|
||||
this.chain = chain;
|
||||
}
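Review bot: The constructor keeps the caller's list with `this.chain = chain;`, so the identity chain that is later authorized can still be changed through the caller's reference after the token is built. Because this chain is the input to the authorization decision, a snapshot such as `this.chain = Collections.unmodifiableList(new ArrayList<>(chain));` (with the matching `java.util` imports) would be safer; whether the accessor also exposes the list is not visible here, as the class body continues outside the hunk. In the new Javadoc, "is used authorize the user(s)" is missing "to".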
|
|
@ -23,8 +23,8 @@ import org.apache.nifi.authentication.AuthenticationResponse;
|
|||
import org.apache.nifi.web.security.InvalidAuthenticationException;
|
||||
import org.apache.nifi.web.security.NiFiAuthenticationFilter;
|
||||
import org.apache.nifi.web.security.ProxiedEntitiesUtils;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.user.NewAccountRequest;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
@ -40,7 +40,7 @@ public class X509AuthenticationFilter extends NiFiAuthenticationFilter {
|
|||
private X509IdentityProvider certificateIdentityProvider;
|
||||
|
||||
@Override
|
||||
public NiFiAuthenticationRequestToken attemptAuthentication(final HttpServletRequest request) {
|
||||
public NiFiAuthortizationRequestToken attemptAuthentication(final HttpServletRequest request) {
|
||||
// only suppport x509 login when running securely
|
||||
if (!request.isSecure()) {
|
||||
return null;
|
||||
|
@ -62,9 +62,9 @@ public class X509AuthenticationFilter extends NiFiAuthenticationFilter {
|
|||
|
||||
final List<String> proxyChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(request, authenticationResponse.getIdentity());
|
||||
if (isNewAccountRequest(request)) {
|
||||
return new NewAccountAuthenticationRequestToken(new NewAccountRequest(proxyChain, getJustification(request)));
|
||||
return new NewAccountAuthorizationRequestToken(new NewAccountRequest(proxyChain, getJustification(request)));
|
||||
} else {
|
||||
return new NiFiAuthenticationRequestToken(proxyChain);
|
||||
return new NiFiAuthortizationRequestToken(proxyChain);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ import org.apache.nifi.authorization.Authority;
|
|||
import org.apache.nifi.user.NiFiUser;
|
||||
import org.apache.nifi.util.NiFiProperties;
|
||||
import org.apache.nifi.web.security.UntrustedProxyException;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
|
||||
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
|
||||
import org.apache.nifi.web.security.user.NiFiUserDetails;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Before;
|
||||
|
@ -104,8 +104,8 @@ public class NiFiAuthorizationServiceTest {
|
|||
authorizationService.setUserService(userService);
|
||||
}
|
||||
|
||||
private NiFiAuthenticationRequestToken createRequestAuthentication(final String... identities) {
|
||||
return new NiFiAuthenticationRequestToken(Arrays.asList(identities));
|
||||
private NiFiAuthortizationRequestToken createRequestAuthentication(final String... identities) {
|
||||
return new NiFiAuthortizationRequestToken(Arrays.asList(identities));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|