knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-1314 - SSOCookieProvider derive a default provider URL with configured gateway.path and fix handling of X-FORWARDED-HOST with port in it.
Date Sun, 20 May 2018 21:50:53 GMT
Repository: knox
Updated Branches:
  refs/heads/master 437a9a883 -> 189b55414


KNOX-1314 - SSOCookieProvider derive a default provider URL with configured gateway.path and
fix handling of X-FORWARDED-HOST with port in it.

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/189b5541
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/189b5541
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/189b5541

Branch: refs/heads/master
Commit: 189b55414cb5b5c0cb9c9d8718c74eac5cf06f14
Parents: 437a9a8
Author: Larry McCay <lmccay@apache.org>
Authored: Sun May 20 17:50:03 2018 -0400
Committer: Larry McCay <lmccay@apache.org>
Committed: Sun May 20 17:50:03 2018 -0400

----------------------------------------------------------------------
 .../deploy/SSOCookieFederationContributor.java  |  4 +++
 .../jwt/filter/SSOCookieFederationFilter.java   | 16 ++++++++++--
 .../federation/SSOCookieProviderTest.java       | 26 +++++++++++++++++++-
 3 files changed, 43 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/189b5541/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java
index f3359f4..b5757e6 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java
@@ -58,6 +58,10 @@ public class SSOCookieFederationContributor extends
     for(Entry<String, String> entry : providerParams.entrySet()) {
       params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value(
entry.getValue() ) );
     }
+    // add the gatewaypath to the filter params in case a provider URL needs to be derived
+    String path = context.getGatewayConfig().getGatewayPath();
+    params.add( resource.createFilterParam().name("gateway.path").value(path));
+    
     resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params(
params );
   }
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/189b5541/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
index 8537ee0..a02a526 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
@@ -38,7 +38,8 @@ import java.io.IOException;
 import java.text.ParseException;
 
 public class SSOCookieFederationFilter extends AbstractJWTFilter {
-  public static final String SSO_COOKIE_NAME = "sso.cookie.name";
+  private static final String GATEWAY_PATH = "gateway.path";
+public static final String SSO_COOKIE_NAME = "sso.cookie.name";
   public static final String SSO_EXPECTED_AUDIENCES = "sso.expected.audiences";
   public static final String SSO_AUTHENTICATION_PROVIDER_URL = "sso.authentication.provider.url";
   public static final String SSO_VERIFICATION_PEM = "sso.token.verification.pem";
@@ -54,6 +55,7 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter {
 
   private String cookieName;
   private String authenticationProviderUrl;
+private String gatewayPath;
 
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
@@ -84,6 +86,9 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter {
       publicKey = CertificateUtils.parseRSAPublicKey(verificationPEM);
     }
 
+    // gateway path for deriving an idp url when missing
+    gatewayPath = filterConfig.getInitParameter(GATEWAY_PATH);
+
     configureExpectedParameters(filterConfig);
   }
 
@@ -203,7 +208,14 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter {
       host = request.getHeader(X_FORWARDED_HOST);
       port = Integer.parseInt(request.getHeader(X_FORWARDED_PORT));
     }
-    return scheme + "://" + host + ":" + port + "/" + "gateway/knoxsso/api/v1/websso";
+    StringBuffer sb = new StringBuffer(scheme);
+    sb.append("://").append(host);
+    if (!host.contains(":")) {
+      sb.append(":").append(port);
+    }
+    sb.append("/").append(gatewayPath).append("/knoxsso/api/v1/websso");
+    
+    return sb.toString();
   }
 
   private boolean beingProxied(HttpServletRequest request) {

http://git-wip-us.apache.org/repos/asf/knox/blob/189b5541/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java
b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java
index 3aa4cb4..6227849 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java
@@ -144,6 +144,7 @@ public class SSOCookieProviderTest extends AbstractJWTFilterTest {
   @Test
   public void testDefaultAuthenticationProviderURL() throws Exception {
     Properties props = new Properties();
+    props.setProperty("gateway.path", "gateway");
     handler.init(new TestFilterConfig(props));
 
     HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
@@ -166,12 +167,13 @@ public class SSOCookieProviderTest extends AbstractJWTFilterTest {
   @Test
   public void testProxiedDefaultAuthenticationProviderURL() throws Exception {
     Properties props = new Properties();
+    props.setProperty("gateway.path", "gateway");
     handler.init(new TestFilterConfig(props));
 
     HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
     EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes();
     EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PROTO)).andReturn("https").anyTimes();
-    EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_HOST)).andReturn("remotehost").anyTimes();
+    EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_HOST)).andReturn("remotehost:8443").anyTimes();
     EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PORT)).andReturn("8443").anyTimes();
     EasyMock.replay(request);
 
@@ -184,6 +186,28 @@ public class SSOCookieProviderTest extends AbstractJWTFilterTest {
     Assert.assertEquals(loginURL, "https://remotehost:8443/gateway/knoxsso/api/v1/websso?originalUrl="
+ SERVICE_URL);
   }
 
+  @Test
+  public void testProxiedDefaultAuthenticationProviderURLWithoutPortInHostHeader() throws
Exception {
+    Properties props = new Properties();
+    props.setProperty("gateway.path", "notgateway");
+    handler.init(new TestFilterConfig(props));
+
+    HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+    EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes();
+    EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PROTO)).andReturn("https").anyTimes();
+    EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_HOST)).andReturn("remotehost").anyTimes();
+    EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PORT)).andReturn("8443").anyTimes();
+    EasyMock.replay(request);
+
+    String providerURL = ((TestSSOCookieFederationProvider) handler).deriveDefaultAuthenticationProviderUrl(request);
+    Assert.assertNotNull("LoginURL should not be null.", providerURL);
+    Assert.assertEquals(providerURL, "https://remotehost:8443/notgateway/knoxsso/api/v1/websso");
+
+    String loginURL = ((TestSSOCookieFederationProvider) handler).testConstructLoginURL(request);
+    Assert.assertNotNull("LoginURL should not be null.", loginURL);
+    Assert.assertEquals(loginURL, "https://remotehost:8443/notgateway/knoxsso/api/v1/websso?originalUrl="
+ SERVICE_URL);
+  }
+
   @Override
   protected String getVerificationPemProperty() {
     return SSOCookieFederationFilter.SSO_VERIFICATION_PEM;


Mime
View raw message