[jira] [Work logged] (KNOX-3279) REST Catalog dispatch implementation for including configurable metadata as outbound request headers

Mon, 23 Mar 2026 08:02:32 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3279?focusedWorklogId=1010935&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1010935
 ]

ASF GitHub Bot logged work on KNOX-3279:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Mar/26 15:00
            Start Date: 23/Mar/26 15:00
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on code in PR #1182:
URL: https://github.com/apache/knox/pull/1182#discussion_r2975616860


##########
gateway-service-restcatalog/src/main/java/org/apache/knox/gateway/service/restcatalog/TokenMetadataHeaderHandler.java:
##########
@@ -0,0 +1,161 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.restcatalog;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.knox.gateway.services.GatewayServices;
+import org.apache.knox.gateway.services.ServiceType;
+import org.apache.knox.gateway.services.security.token.TokenMetadata;
+import org.apache.knox.gateway.services.security.token.TokenStateService;
+import org.apache.knox.gateway.services.security.token.UnknownTokenException;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+public class TokenMetadataHeaderHandler {
+    static final String TOKEN_METADATA_PARAM = "token-metadata-headers";
+
+    static final String HEADER_PREFIX = "X-Knox-Meta-";
+
+    static final String GRANT_TYPE = "grant_type";
+    static final String CLIENT_CREDENTIALS = "client_credentials";
+    static final String CLIENT_SECRET = "client_secret";
+    static final String INVALID_CLIENT_SECRET = "Error while parsing the 
received client secret";
+
+    TokenStateService tss;
+
+    Set<String> metadataHeaderConfig = new HashSet<>();
+
+    Cache<String, TokenMetadata> metadataCache = 
Caffeine.newBuilder().maximumSize(100).build();
+
+    TokenMetadataHeaderHandler(final FilterConfig filterConfig) {
+        ServletContext sc = filterConfig.getServletContext();
+        GatewayServices gatewayServices = (GatewayServices) 
sc.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
+        tss = gatewayServices.getService(ServiceType.TOKEN_STATE_SERVICE);
+
+        metadataHeaderConfig = getMetadataHeaderConfig(filterConfig);
+    }
+
+    void applyHeadersToRequest(final HttpServletRequest inboundRequest,
+                                      final HttpUriRequest outboundRequest) {
+        final String clientId = getClientID(inboundRequest);
+        if (clientId != null) {
+            Map<String, String> metadata = getMetadata(tss, clientId);
+            for (String key : metadataHeaderConfig) {
+                if (metadata.containsKey(key)) {
+                    outboundRequest.setHeader(HEADER_PREFIX + key, 
metadata.get(key));
+                }
+            }
+        }
+    }
+
+    private Set<String> getMetadataHeaderConfig(final FilterConfig 
filterConfig) {
+        Set<String> metadataForHeaders = new HashSet<>();
+
+        // Add the default metadata element to be included in the outbound 
request headers
+        metadataForHeaders.add("userName");
+
+        // Parse the configured token metadata elements which should be 
included as outbound request headers
+        String tokenMetadataHeadersConfig = 
filterConfig.getInitParameter(TOKEN_METADATA_PARAM);
+        String[] tokenMetadataHeaderNames = 
tokenMetadataHeadersConfig.split(",");
+        for (String metadataName : tokenMetadataHeaderNames) {
+            metadataForHeaders.add(metadataName.trim());
+        }
+        return metadataForHeaders;
+    }
+
+    /**
+     * Get the clientId from the client credentials in the request body 
content.
+     *
+     * @param request The ServletRequest.
+     *
+     * @return The clientId from the request.
+     */
+    String getClientID(ServletRequest request) {
+        String clientId = null;
+
+        String clientSecret = getClientSecretFromRequestBody(request);
+        if (clientSecret != null) {
+            try {
+                final String[] decodedSecret = 
decodeBase64(clientSecret).split("::");
+                clientId = decodeBase64(decodedSecret[0]);
+            } catch (Exception e) {
+                throw new SecurityException(INVALID_CLIENT_SECRET, e);
+            }
+        }
+
+        return clientId;
+    }
+
+    /**
+     * Get the client secret from the request body.
+     *
+     * @param request The ServletRequest with the body content.
+     *
+     * @return The client secret.
+     */
+    private String getClientSecretFromRequestBody(ServletRequest request) {
+        final String grantType = request.getParameter(GRANT_TYPE);
+        String clientSecret = null;
+        if (CLIENT_CREDENTIALS.equals(grantType)) {

Review Comment:
   If it is, I think it just won't match the equals test, right? I think it 
should be ok in that case.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1010935)
    Time Spent: 1h  (was: 50m)

> REST Catalog dispatch implementation for including configurable metadata as 
> outbound request headers
> ----------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-3279
>                 URL: https://issues.apache.org/jira/browse/KNOX-3279
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> For Iceberg REST Catalog proxying, Knox should support the ability to convey 
> a configurable set of token metadata elements associated with the client 
> credentials from the inbound request as headers in the outbound (dispatch) 
> request.
> A custom dispatch for the ICEBERG-REST service should be implemented to 
> provide this support.
> Proposed topology contents (example):
> {code:java}
>     <service>
>         <role>ICEBERG-REST</role>
>         <param>
>             <name>token-metadata-headers</name>
>             <value>email,category</value>
>         </param>
>     </service> {code}
> If the configured metadata items don't exist for a given client_id, then no 
> headers for those items should be conveyed in the outbound request (i.e., 
> they should be ignored).
>  
> It's not clear whether the standard {{userName}} metadata item should be 
> included by default.
> The resulting header names can be of the form {{X-Knox-Meta-<ITEM_NAME>}} 
> where {{<ITEM_NAME>}} is the token metadata item name.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to