knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-630 - KnoxSSO Needs to Populate Configured Audiences
Date Fri, 11 Mar 2016 03:20:56 GMT
Repository: knox
Updated Branches:
  refs/heads/master 3e36bc69b -> 99593c2e7


KNOX-630 - KnoxSSO Needs to Populate Configured Audiences

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/99593c2e
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/99593c2e
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/99593c2e

Branch: refs/heads/master
Commit: 99593c2e7054dc234b00194ccea4f13ba428df44
Parents: 3e36bc6
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Thu Mar 10 22:20:44 2016 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Thu Mar 10 22:20:44 2016 -0500

----------------------------------------------------------------------
 .../provider/federation/JWTTokenTest.java       | 84 ++++++++++++++++++--
 .../federation/SSOCookieProviderTest.java       |  6 ++
 .../impl/DefaultTokenAuthorityService.java      | 26 ++++--
 .../gateway/service/knoxsso/WebSSOResource.java |  7 ++
 .../security/token/JWTokenAuthority.java        |  4 +
 .../services/security/token/impl/JWTToken.java  | 14 +++-
 6 files changed, 127 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
index 8f5a02a..8d8bcab 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTTokenTest.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.gateway.provider.federation;
 
+import java.util.ArrayList;
 import junit.framework.TestCase;
 
 import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
@@ -43,17 +44,90 @@ public class JWTTokenTest extends TestCase {
 //    }
 //  }
   
-  @Test 
+  @Test
   public void testTokenCreation() throws Exception {
     String[] claims = new String[4];
-    claims[0] = "HSSO";
+    claims[0] = "KNOXSSO";
     claims[1] = "john.doe@example.com";
     claims[2] = "https://login.example.com";
     claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
     JWTToken token = new JWTToken("RS256", claims);
 
-    assertEquals(token.getIssuer(), "HSSO");
-    assertEquals(token.getSubject(), "john.doe@example.com");
-    assertEquals(token.getAudience(), "https://login.example.com");
+    assertEquals("KNOXSSO", token.getIssuer());
+    assertEquals("john.doe@example.com", token.getSubject());
+    assertEquals("https://login.example.com", token.getAudience());
+  }
+
+  @Test
+  public void testTokenCreationWithAudienceListSingle() throws Exception {
+    String[] claims = new String[4];
+    claims[0] = "KNOXSSO";
+    claims[1] = "john.doe@example.com";
+    claims[2] = null;
+    claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+    ArrayList<String> audiences = new ArrayList<String>();
+    audiences.add("https://login.example.com");
+
+    JWTToken token = new JWTToken("RS256", claims, audiences);
+
+    assertEquals("KNOXSSO", token.getIssuer());
+    assertEquals("john.doe@example.com", token.getSubject());
+    assertEquals("https://login.example.com", token.getAudience());
+    assertEquals(1, token.getAudienceClaims().length);
+  }
+
+  @Test
+  public void testTokenCreationWithAudienceListMultiple() throws Exception {
+    String[] claims = new String[4];
+    claims[0] = "KNOXSSO";
+    claims[1] = "john.doe@example.com";
+    claims[2] = null;
+    claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+    ArrayList<String> audiences = new ArrayList<String>();
+    audiences.add("https://login.example.com");
+    audiences.add("KNOXSSO");
+
+    JWTToken token = new JWTToken("RS256", claims, audiences);
+
+    assertEquals("KNOXSSO", token.getIssuer());
+    assertEquals("john.doe@example.com", token.getSubject());
+    assertEquals("https://login.example.com", token.getAudience());
+    assertEquals(2, token.getAudienceClaims().length);
+  }
+
+  @Test
+  public void testTokenCreationWithAudienceListCombined() throws Exception {
+    String[] claims = new String[4];
+    claims[0] = "KNOXSSO";
+    claims[1] = "john.doe@example.com";
+    claims[2] = "LJM";
+    claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+    ArrayList<String> audiences = new ArrayList<String>();
+    audiences.add("https://login.example.com");
+    audiences.add("KNOXSSO");
+
+    JWTToken token = new JWTToken("RS256", claims, audiences);
+
+    assertEquals("KNOXSSO", token.getIssuer());
+    assertEquals("john.doe@example.com", token.getSubject());
+    assertEquals("https://login.example.com", token.getAudience());
+    assertEquals(3, token.getAudienceClaims().length);
+  }
+
+  @Test
+  public void testTokenCreationWithNullAudienceList() throws Exception {
+    String[] claims = new String[4];
+    claims[0] = "KNOXSSO";
+    claims[1] = "john.doe@example.com";
+    claims[2] = null;
+    claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+    ArrayList<String> audiences = null;
+
+    JWTToken token = new JWTToken("RS256", claims, audiences);
+
+    assertEquals("KNOXSSO", token.getIssuer());
+    assertEquals("john.doe@example.com", token.getSubject());
+    assertEquals(null, token.getAudience());
+    assertEquals(null, token.getAudienceClaims());
   }
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
index c613869..c6f1cae 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
@@ -521,6 +521,12 @@ public class SSOCookieProviderTest  {
       return null;
     }
 
+    @Override
+    public JWTToken issueToken(Principal p, List<String> audiences, String algorithm,
+        long expires) throws TokenServiceException {
+      return null;
+    }
+
     /* (non-Javadoc)
      * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal,
java.lang.String, long)
      */

http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
index e5f5767..3fbc789 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -23,6 +23,8 @@ import java.security.PublicKey;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Map;
+import java.util.List;
+import java.util.ArrayList;
 
 import javax.security.auth.Subject;
 
@@ -77,27 +79,35 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority,
Service {
    */
   @Override
   public JWTToken issueToken(Principal p, String algorithm, long expires) throws TokenServiceException
{
-    return issueToken(p, null, algorithm, expires);
+    return issueToken(p, (String)null, algorithm, expires);
   }
 
   public JWTToken issueToken(Principal p, String audience, String algorithm)
       throws TokenServiceException {
     return issueToken(p, audience, algorithm, -1);
   }
-  
+
   /* (non-Javadoc)
    * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal,
java.lang.String, java.lang.String)
    */
   @Override
   public JWTToken issueToken(Principal p, String audience, String algorithm, long expires)
       throws TokenServiceException {
+    ArrayList<String> audiences = null;
+    if (audience != null) {
+      audiences = new ArrayList<String>();
+      audiences.add(audience);
+    }
+    return issueToken(p, audiences, algorithm, expires);
+  }
+
+  @Override
+  public JWTToken issueToken(Principal p, List<String> audiences, String algorithm,
long expires)
+      throws TokenServiceException {
     String[] claimArray = new String[4];
-    claimArray[0] = "HSSO";
+    claimArray[0] = "KNOXSSO";
     claimArray[1] = p.getName();
-    if (audience == null) {
-      audience = "HSSO";
-    }
-    claimArray[2] = audience;
+    claimArray[2] = null;
     // TODO: make the validity period configurable
     if (expires == -1) {
       claimArray[3] = Long.toString( ( System.currentTimeMillis() ) + 30000);
@@ -108,7 +118,7 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority,
Service {
 
     JWTToken token = null;
     if ("RS256".equals(algorithm)) {
-      token = new JWTToken("RS256", claimArray);
+      token = new JWTToken("RS256", claimArray, audiences);
       RSAPrivateKey key;
       char[] passphrase = null;
       try {

http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 73871dc..5dcead1 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -52,6 +52,7 @@ public class WebSSOResource {
   private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
   private static final String SSO_COOKIE_DOMAIN_SUFFIX_PARAM = "knoxsso.cookie.domain.suffix";
   private static final String SSO_COOKIE_TOKEN_TTL_PARAM = "knoxsso.token.ttl";
+  private static final String SSO_COOKIE_TOKEN_AUDIENCES_PARAM = "knoxsso.token.audiences";
   private static final String SSO_COOKIE_TOKEN_WHITELIST_PARAM = "knoxsso.redirect.whitelist.regex";
   private static final String SSO_ENABLE_SESSION_PARAM = "knoxsso.enable.session";
   private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
@@ -66,6 +67,7 @@ public class WebSSOResource {
   private long tokenTTL = 30000l;
   private String whitelist = null;
   private String domainSuffix = null;
+  private String[] targetAudiences = null;
   private boolean enableSession = false;
 
   @Context
@@ -106,6 +108,11 @@ public class WebSSOResource {
       whitelist = DEFAULT_WHITELIST;
     }
 
+    String audiences = context.getInitParameter(SSO_COOKIE_TOKEN_AUDIENCES_PARAM);
+    if (audiences != null) {
+      targetAudiences = audiences.split(",");
+    }
+
     String ttl = context.getInitParameter(SSO_COOKIE_TOKEN_TTL_PARAM);
     if (ttl != null) {
       try {

http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
index 7ed3ab5..8cf1676 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
@@ -18,6 +18,7 @@
 package org.apache.hadoop.gateway.services.security.token;
 
 import java.security.Principal;
+import java.util.List;
 
 import javax.security.auth.Subject;
 
@@ -41,4 +42,7 @@ public interface JWTokenAuthority {
       long expires) throws TokenServiceException;
 
   JWT issueToken(Principal p, String audience, long l) throws TokenServiceException;
+
+  JWTToken issueToken(Principal p, List<String> audience, String algorithm,
+      long expires) throws TokenServiceException;
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/99593c2e/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
index 485fd89..4b1e2b0 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
@@ -20,6 +20,8 @@ package org.apache.hadoop.gateway.services.security.token.impl;
 import java.io.UnsupportedEncodingException;
 import java.text.ParseException;
 import java.util.Date;
+import java.util.ArrayList;
+import java.util.List;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 
@@ -56,12 +58,22 @@ public class JWTToken implements JWT {
   }
 
   public JWTToken(String alg, String[] claimsArray) {
+    this(alg, claimsArray, null);
+  }
+
+  public JWTToken(String alg, String[] claimsArray, List<String> audiences) {
     JWSHeader header = new JWSHeader(new JWSAlgorithm(alg));
 
+    if (claimsArray[2] != null) {
+      if (audiences == null) {
+        audiences = new ArrayList<String>();
+      }
+      audiences.add(claimsArray[2]);
+    }
     JWTClaimsSet claims = new JWTClaimsSet.Builder()
     .issuer(claimsArray[0])
     .subject(claimsArray[1])
-    .audience(claimsArray[2])
+    .audience(audiences)
     .expirationTime(new Date(Long.parseLong(claimsArray[3])))
     .build();
 


Mime
View raw message