From lmc...@apache.org
Subject git commit: KNOX-354 - added PseudoAuthFederation Provider to accept user.name as proof of a pre-authenticated authentication event.
Date Mon, 28 Apr 2014 15:06:37 GMT
Repository: knox
Updated Branches:
  refs/heads/master fc0041564 -> 89c476068


KNOX-354 - added PseudoAuthFederation Provider to accept user.name as proof of a pre-authenticated
authentication event.

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/89c47606
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/89c47606
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/89c47606

Branch: refs/heads/master
Commit: 89c4760680b32d18eaa6849cbfe46a696ccbdb61
Parents: fc00415
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Mon Apr 28 11:06:16 2014 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Mon Apr 28 11:06:16 2014 -0400

----------------------------------------------------------------------
 .../preauth/deploy/PreAuthContributor.java      | 66 --------------
 .../preauth/deploy/PseudoAuthContributor.java   | 66 ++++++++++++++
 .../filter/PseudoAuthFederationFilter.java      | 53 +++++++++++
 ...gateway.deploy.ProviderDeploymentContributor |  1 +
 .../PseudoAuthFederationProviderTest.java       | 96 ++++++++++++++++++++
 5 files changed, 216 insertions(+), 66 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/89c47606/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
deleted file mode 100644
index 184482c..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PreAuthContributor.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.deploy;
-
-import java.util.List;
-import java.util.Map;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class PreAuthContributor extends
-    ProviderDeploymentContributorBase {
-  private static final String ROLE = "webappsec";
-  private static final String NAME = "WebAppSec";
-  private static final String CSRF_SUFFIX = "_CSRF";
-  private static final String CSRF_FILTER_CLASSNAME = "org.apache.hadoop.gateway.webappsec.filter.CSRFPreventionFilter";
-  private static final String CSRF_ENABLED = "csrf.enabled";
-
-  @Override
-  public String getRole() {
-    return ROLE;
-  }
-
-  @Override
-  public String getName() {
-    return NAME;
-  }
-
-  @Override
-  public void initializeContribution(DeploymentContext context) {
-    super.initializeContribution(context);
-  }
-
-  @Override
-  public void contributeFilter(DeploymentContext context, Provider provider, Service service,

-      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
-    
-    Provider webappsec = context.getTopology().getProvider(ROLE, NAME);
-    if (webappsec != null && webappsec.isEnabled()) {
-      Map<String,String> map = provider.getParams();
-      String csrfEnabled = map.get(CSRF_ENABLED);
-      if ( csrfEnabled != null && csrfEnabled.equals("true")) {
-        resource.addFilter().name( getName() + CSRF_SUFFIX ).role( getRole() ).impl( CSRF_FILTER_CLASSNAME
).params( params );
-      }
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/89c47606/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PseudoAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PseudoAuthContributor.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PseudoAuthContributor.java
new file mode 100644
index 0000000..eab428e
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/PseudoAuthContributor.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class PseudoAuthContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ROLE = "federation";
+  private static final String NAME = "Pseudo";
+  private static final String PREAUTH_FILTER_CLASSNAME = "org.apache.hadoop.gateway.preauth.filter.PseudoAuthFederationFilter";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service,

+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    // blindly add all the provider params as filter init params
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value(
entry.getValue() ) );
+    }
+    resource.addFilter().name( getName() ).role( getRole() ).impl( PREAUTH_FILTER_CLASSNAME
).params( params );
+  }
+}
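Review bot: In `contributeFilter`, `entry.getKey().toLowerCase()` uses the JVM's default locale, so a provider parameter name containing an uppercase `I` is lowered to a dotless `ı` under a Turkish locale and the filter would then not find its init parameter. Since these names select the filter's configuration, I would pin the locale with `name( entry.getKey().toLowerCase( Locale.ROOT ) )` and add `import java.util.Locale;`. The comment `// blindly add all the provider params as filter init params` could also say that every topology parameter of this provider becomes a filter init parameter, so that behaviour is documented for operators. Whether `provider.getParams()` can return null is not visible in this diff; if it can, the loop needs a guard.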

http://git-wip-us.apache.org/repos/asf/knox/blob/89c47606/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PseudoAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PseudoAuthFederationFilter.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PseudoAuthFederationFilter.java
new file mode 100644
index 0000000..4dc1b89
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PseudoAuthFederationFilter.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+public class PseudoAuthFederationFilter 
+  extends AbstractPreAuthFederationFilter {
+  
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    super.init(filterConfig);
+  }
+
+  /**
+   * @param httpRequest
+   */
+  @Override
+  protected String getPrimaryPrincipal(HttpServletRequest httpRequest) {
+    return httpRequest.getParameter("user.name");
+  }
+
+  /**
+   * @param principals
+   */
+  @Override
+  protected void addGroupPrincipals(HttpServletRequest request, 
+      Set<Principal> principals) {
+    // pseudo auth currently has no assertion of group membership
+    // we may want to consider adding group lookup here when available unless 
+    // it is an independent provider
+  }
+}
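Review bot: `getPrimaryPrincipal` returns `httpRequest.getParameter("user.name")` as the authenticated identity without any check, so the principal is whatever value the caller supplies in the query string or form body. Nothing in this hunk limits who may send that parameter. The test's lookup of `preauth.validation.method` suggests the parent class has a validation hook, but its default is not shown here. The Javadoc, currently an empty `@param httpRequest`, should say that this provider is only safe behind a trusted component that has already authenticated the user and controls the `user.name` value, and that an absent parameter yields null. I would also treat an empty value as absent, for example `String user = httpRequest.getParameter("user.name"); return (user == null || user.trim().isEmpty()) ? null : user;`, assuming the parent rejects a null principal, which should be confirmed in `AbstractPreAuthFederationFilter`.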

http://git-wip-us.apache.org/repos/asf/knox/blob/89c47606/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
b/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
index 1e89ee8..f170e09 100644
--- a/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ b/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -17,3 +17,4 @@
 ##########################################################################
 
 org.apache.hadoop.gateway.preauth.deploy.HeaderPreAuthContributor
+org.apache.hadoop.gateway.preauth.deploy.PseudoAuthContributor

http://git-wip-us.apache.org/repos/asf/knox/blob/89c47606/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PseudoAuthFederationProviderTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PseudoAuthFederationProviderTest.java
b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PseudoAuthFederationProviderTest.java
new file mode 100644
index 0000000..7c1d165
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PseudoAuthFederationProviderTest.java
@@ -0,0 +1,96 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import org.apache.hadoop.gateway.preauth.filter.PseudoAuthFederationFilter;
+import org.easymock.EasyMock;
+import org.easymock.IMocksControl;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.Principal;
+import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import junit.framework.TestCase;
+
+/**
+ * Tests for PseudoAuth Federation Provider.
+ */
+public class PseudoAuthFederationProviderTest extends TestCase {
+
+  private IMocksControl control;
+  private HttpServletRequest request;
+  private HttpServletResponse response;
+  private FilterChain chain;
+  private FilterConfig config;
+  private PseudoAuthFederationFilter filter;
+
+  @Before
+  public void setUp() throws Exception {
+    control = EasyMock.createControl();
+    request = control.createMock(HttpServletRequest.class);
+    response = control.createMock(HttpServletResponse.class);
+    chain = new MockFilterChain();
+    config = control.createMock(FilterConfig.class);
+    filter = new PseudoAuthFederationFilter();
+    
+    EasyMock.expect(request.getParameter("user.name")).andReturn("guest");
+    EasyMock.expect(config.getInitParameter("preauth.validation.method")).andReturn(null);
+    chain.doFilter(request, response);
+  }
+
+  @Test
+  public void testFederatedIdentity() throws Exception {
+
+
+    control.replay();
+
+    filter.init(config);
+    filter.doFilter(request, response, chain);
+    control.verify();
+  }
+
+  private class MockFilterChain implements FilterChain {
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response)
+        throws IOException, ServletException {
+      Subject subject = Subject.getSubject(AccessController.getContext());
+      if (subject != null) {
+        System.out.println("non-null subject");
+        assertTrue(subject.getPrincipals().size() == 1);
+        assertTrue("Expected subject not found.", ((Principal) subject.getPrincipals().toArray()[0]).getName().equals("guest"));
+      }
+      else {
+        System.out.println("null subject");
+      }
+    }
+  }
+  
+}
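Review bot: `MockFilterChain.doFilter` only prints "null subject" when no Subject is bound, so `testFederatedIdentity` still passes if the filter never establishes the `guest` identity, which is the one thing the test is meant to prove. Replace the if/else with `assertNotNull("Expected subject not found.", subject);` followed by the two existing assertions. That change requires removing the direct `chain.doFilter(request, response);` call in `setUp`: the chain is not an EasyMock mock, so the call records nothing and simply runs the null-subject branch. A second test where `request.getParameter("user.name")` returns null would pin down what the filter does for a request that carries no identity, which is the security-relevant case for this provider.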

