Repository: knox Updated Branches: refs/heads/master 437a9a883 -> 189b55414
KNOX-1314 - SSOCookieProvider derive a default provider URL with configured gateway.path and fix handling of X-FORWARDED-HOST with port in it. Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/189b5541 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/189b5541 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/189b5541 Branch: refs/heads/master Commit: 189b55414cb5b5c0cb9c9d8718c74eac5cf06f14 Parents: 437a9a8 Author: Larry McCay <lmc...@apache.org> Authored: Sun May 20 17:50:03 2018 -0400 Committer: Larry McCay <lmc...@apache.org> Committed: Sun May 20 17:50:03 2018 -0400 ---------------------------------------------------------------------- .../deploy/SSOCookieFederationContributor.java | 4 +++ .../jwt/filter/SSOCookieFederationFilter.java | 16 ++++++++++-- .../federation/SSOCookieProviderTest.java | 26 +++++++++++++++++++- 3 files changed, 43 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/189b5541/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java ---------------------------------------------------------------------- diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java index f3359f4..b5757e6 100644 --- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java +++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/deploy/SSOCookieFederationContributor.java 
@@ -58,6 +58,10 @@ public class SSOCookieFederationContributor extends for(Entry<String, String> entry : providerParams.entrySet()) { params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) ); } + // add the gatewaypath to the filter params in case a provider URL needs to be derived + String path = context.getGatewayConfig().getGatewayPath(); + params.add( resource.createFilterParam().name("gateway.path").value(path)); + resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params ); } } http://git-wip-us.apache.org/repos/asf/knox/blob/189b5541/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java ---------------------------------------------------------------------- diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java index 8537ee0..a02a526 100644 --- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java +++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java 
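Review bot: The filter parameter name is written here as the bare literal `"gateway.path"`, while SSOCookieFederationFilter reads it through its own private `GATEWAY_PATH` constant, so the two sides can drift apart unnoticed. Making that constant public and referencing it here would tie them together. The loop just above copies every provider param with a lower-cased key, so a topology that already defines `gateway.path` would yield two filter params with the same name. Which of the two `getInitParameter` returns is not visible in this hunk, so I would skip or reject that key in the loop and add a comment such as `// gateway.path is reserved: always taken from GatewayConfig`. The enclosing method starts above the hunk.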
@@ -38,7 +38,8 @@ import java.io.IOException; import java.text.ParseException; public class SSOCookieFederationFilter extends AbstractJWTFilter { - public static final String SSO_COOKIE_NAME = "sso.cookie.name"; + private static final String GATEWAY_PATH = "gateway.path"; +public static final String SSO_COOKIE_NAME = "sso.cookie.name"; public static final String SSO_EXPECTED_AUDIENCES = "sso.expected.audiences"; public static final String SSO_AUTHENTICATION_PROVIDER_URL = "sso.authentication.provider.url"; public static final String SSO_VERIFICATION_PEM = "sso.token.verification.pem"; @@ -54,6 +55,7 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter { private String cookieName; private String authenticationProviderUrl; +private String gatewayPath; @Override public void init( FilterConfig filterConfig ) throws ServletException { @@ -84,6 +86,9 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter { publicKey = CertificateUtils.parseRSAPublicKey(verificationPEM); } + // gateway path for deriving an idp url when missing + gatewayPath = filterConfig.getInitParameter(GATEWAY_PATH); + configureExpectedParameters(filterConfig); } @@ -203,7 +208,14 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter { host = request.getHeader(X_FORWARDED_HOST); port = Integer.parseInt(request.getHeader(X_FORWARDED_PORT)); } - return scheme + "://" + host + ":" + port + "/" + "gateway/knoxsso/api/v1/websso"; + StringBuffer sb = new StringBuffer(scheme); + sb.append("://").append(host); + if (!host.contains(":")) { + sb.append(":").append(port); + } + sb.append("/").append(gatewayPath).append("/knoxsso/api/v1/websso"); + + return sb.toString(); } private boolean beingProxied(HttpServletRequest request) { http://git-wip-us.apache.org/repos/asf/knox/blob/189b5541/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java ---------------------------------------------------------------------- 
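Review bot: The re-added `public static final String SSO_COOKIE_NAME` line appears to have lost its indentation, since it starts directly after the `+`, which turns an untouched constant into a changed line. The same applies to `private String gatewayPath;` in the following hunk. I would restore the class-body indent on both, so that `SSO_COOKIE_NAME` drops out of the diff and only the new `GATEWAY_PATH` constant and the new field remain as changes.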
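Review bot: `gatewayPath` is taken from `filterConfig.getInitParameter(GATEWAY_PATH)` in init() with no fallback, so a filter config without that parameter leaves it null. The derived provider URL then becomes `.../null/knoxsso/api/v1/websso`, because the later `append(gatewayPath)` renders null as text. The removed code always used `gateway`, so keeping that as the default preserves the old behaviour: `if (gatewayPath == null || gatewayPath.isEmpty()) { gatewayPath = "gateway"; }`. A short comment saying that the value is normally injected by SSOCookieFederationContributor would also help. init() begins and ends outside this hunk.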
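Review bot: The X-Forwarded-Host value is appended to the login redirect URL as-is, and the new `host.contains(":")` check only decides whether the port is added, so a header that is not a plain `host` or `host:port` passes straight into the URL users are sent to for authentication. A bracketed IPv6 literal without a port would lose its port here, and a comma-separated list from chained proxies would be emitted verbatim. These headers are only trustworthy when a fronting proxy overwrites them, which this hunk does not show, so I would validate `host` against a strict host[:port] pattern or a configured allowlist before building the URL, and fail the derivation otherwise. `Integer.parseInt(request.getHeader(X_FORWARDED_PORT))` on the context line still runs when the host already carries the port, so a proxy that omits X-Forwarded-Port may hit a NumberFormatException unless beingProxied() requires that header. The method starts above the hunk, and `StringBuilder` would suffice in place of `StringBuffer` for this local.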
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java index 3aa4cb4..6227849 100644 --- a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java +++ b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/SSOCookieProviderTest.java @@ -144,6 +144,7 @@ public class SSOCookieProviderTest extends AbstractJWTFilterTest { @Test public void testDefaultAuthenticationProviderURL() throws Exception { Properties props = new Properties(); + props.setProperty("gateway.path", "gateway"); handler.init(new TestFilterConfig(props)); HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class); @@ -166,12 +167,13 @@ public class SSOCookieProviderTest extends AbstractJWTFilterTest { @Test public void testProxiedDefaultAuthenticationProviderURL() throws Exception { Properties props = new Properties(); + props.setProperty("gateway.path", "gateway"); handler.init(new TestFilterConfig(props)); HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class); EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes(); EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PROTO)).andReturn("https").anyTimes(); - EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_HOST)).andReturn("remotehost").anyTimes(); + EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_HOST)).andReturn("remotehost:8443").anyTimes(); EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PORT)).andReturn("8443").anyTimes(); EasyMock.replay(request); 
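Review bot: In testProxiedDefaultAuthenticationProviderURL the forwarded host is now `remotehost:8443` while X-Forwarded-Port is also `8443`, so the assertion passes whichever of the two ports the filter uses. Giving the port header a different value, for example `andReturn("9443")` for `X_FORWARDED_PORT`, would pin that the port embedded in the host header takes precedence and is not appended a second time. The assertions of this test lie outside the hunk.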
@@ -184,6 +186,28 @@ public class SSOCookieProviderTest extends AbstractJWTFilterTest { Assert.assertEquals(loginURL, "https://remotehost:8443/gateway/knoxsso/api/v1/websso?originalUrl=" + SERVICE_URL); } + @Test + public void testProxiedDefaultAuthenticationProviderURLWithoutPortInHostHeader() throws Exception { + Properties props = new Properties(); + props.setProperty("gateway.path", "notgateway"); + handler.init(new TestFilterConfig(props)); + + HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class); + EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes(); + EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PROTO)).andReturn("https").anyTimes(); + EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_HOST)).andReturn("remotehost").anyTimes(); + EasyMock.expect(request.getHeader(SSOCookieFederationFilter.X_FORWARDED_PORT)).andReturn("8443").anyTimes(); + EasyMock.replay(request); + + String providerURL = ((TestSSOCookieFederationProvider) handler).deriveDefaultAuthenticationProviderUrl(request); + Assert.assertNotNull("LoginURL should not be null.", providerURL); + Assert.assertEquals(providerURL, "https://remotehost:8443/notgateway/knoxsso/api/v1/websso"); + + String loginURL = ((TestSSOCookieFederationProvider) handler).testConstructLoginURL(request); + Assert.assertNotNull("LoginURL should not be null.", loginURL); + Assert.assertEquals(loginURL, "https://remotehost:8443/notgateway/knoxsso/api/v1/websso?originalUrl=" + SERVICE_URL); + } + @Override protected String getVerificationPemProperty() { return SSOCookieFederationFilter.SSO_VERIFICATION_PEM;
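Review bot: The added test covers only a well-formed forwarded host with `gateway.path` set, so the two inputs that change behaviour in this commit are not pinned. These are an init without `gateway.path` and an X-Forwarded-Host that is not a plain `host` or `host:port`, such as a bracketed IPv6 literal or a comma-separated list. I would add one test per case that asserts the intended outcome, whether that is a default path or a rejected derivation. `Assert.assertEquals(providerURL, "https://...")` passes the actual value first, so a failure message would report expected and actual swapped; JUnit's order is `assertEquals(expected, actual)`. The message "LoginURL should not be null." is also reused for `providerURL`. The trailing `getVerificationPemProperty` context continues outside the hunk.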