Ravi Nori has uploaded a new change for review.

Change subject: aaa: Engine session validation should be done against sso
......................................................................

aaa: Engine session validation should be done against sso

Session validation on the engine side should be done against SSO.

Change-Id: I72b0ed9802804e173d99f7d7f173e3e1d354a57f
Bug-Url: https://bugzilla.redhat.com/1092744
Signed-off-by: Ravi Nori <[email protected]>
---
M 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
M 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSOLoginFilter.java
M 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiLoginFilter.java
M 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
M 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SSOPostLoginServlet.java
M 
backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/constants/SessionConstants.java
6 files changed, 79 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/15/38015/1

diff --git 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
index ff9f243..2011b9b 100644
--- 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
+++ 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
@@ -1,12 +1,22 @@
 package org.ovirt.engine.core.aaa.filters;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
 import java.util.Enumeration;
 
 import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
+import javax.net.ssl.TrustManagerFactory;
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.HeaderElement;
 import org.apache.http.message.BasicHeaderValueParser;
 import org.ovirt.engine.core.common.constants.SessionConstants;
@@ -14,8 +24,14 @@
 import org.ovirt.engine.core.common.queries.VdcQueryParametersBase;
 import org.ovirt.engine.core.common.queries.VdcQueryReturnValue;
 import org.ovirt.engine.core.common.queries.VdcQueryType;
+import org.ovirt.engine.core.utils.EngineLocalConfig;
+import org.ovirt.engine.core.uutils.net.HttpURLConnectionBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class FiltersHelper {
+
+    private final static Logger log = 
LoggerFactory.getLogger(FiltersHelper.class);
 
     public static class Constants {
         public static final String REQUEST_AUTH_RECORD_KEY = 
"ovirt_aaa_auth_record";
@@ -60,6 +76,58 @@
         }
     }
 
+    public static boolean isSessionValid(HttpServletRequest req) throws 
NamingException {
+        String sessionId = (String) 
req.getSession(true).getAttribute(SessionConstants.SSO_SESSION_ID_KEY);
+        HttpURLConnection connection = null;
+        boolean isValid = false;
+        if (StringUtils.isNotEmpty(sessionId)) {
+            try {
+                connection = create(new 
URL("http://localhost/ovirt-engine/sso/validate-session?sso_session_id="; + 
sessionId));
+                connection.setDoInput(true);
+                connection.setDoOutput(false);
+                if (connection.getResponseCode() == HttpURLConnection.HTTP_OK) 
{
+                    isValid = true;
+                }
+                try (ByteArrayOutputStream os = new ByteArrayOutputStream()) {
+                    try (InputStream input = connection.getInputStream()) {
+                        copy(input, os);
+                    }
+                    connection.connect();
+                }
+            } catch (Exception e) {
+                log.error("Session not valid session id = " + sessionId, 
e.getMessage());
+            } finally {
+                if (connection != null) {
+                    connection.disconnect();
+                }
+            }
+        }
+        return isValid;
+    }
+
+    public static HttpURLConnection create(URL url) throws IOException, 
GeneralSecurityException {
+        return new HttpURLConnectionBuilder(url).setHttpsProtocol("TLSv1")
+                .setReadTimeout(0)
+                
.setTrustManagerAlgorithm(TrustManagerFactory.getDefaultAlgorithm())
+                
.setTrustStore(EngineLocalConfig.getInstance().getProperty("ENGINE_PKI_TRUST_STORE"))
+                
.setTrustStorePassword(EngineLocalConfig.getInstance().getPKITrustStorePassword())
+                .setTrustStoreType(KeyStore.getDefaultType())
+                .setURL(url)
+                .setVerifyChain(true)
+                .setVerifyHost(false).create();
+    }
+
+    public static long copy(final InputStream input, final OutputStream 
output) throws IOException {
+        final byte[] buffer = new byte[8*1024];
+        long count = 0;
+        int n;
+        while ((n = input.read(buffer)) != -1) {
+            output.write(buffer, 0, n);
+            count += n;
+        }
+        return count;
+    }
+
     public static int getPrefer(HttpServletRequest req) {
         int ret = 0;
         Enumeration<String> headerValues = 
req.getHeaders(Constants.HEADER_PREFER);
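Review bot: isSessionValid puts the SSO session id, unencoded, in the query string of a cleartext `http://localhost/...` URL and then writes it into the log on failure, so the token lands in HTTP access logs and the engine log; because the scheme is http, the trust-store setup in create() never applies, and `setVerifyHost(false)` would silently disable hostname verification should that URL ever become https. The error call also passes `e.getMessage()` as an argument to a message with no `{}` placeholder, so the cause is discarded; prefer `log.error("SSO session validation failed", e);` with the session id left out of the message. `req.getSession(true)` allocates an HttpSession for every caller that has none, whereas the removed getSessionId helpers used `getSession(false)`; a `getSession(false)` with a null check avoids creating sessions for unauthenticated requests. `isValid` is set to true before the response body is drained, so an exception while reading the stream still returns true, and `setReadTimeout(0)` waits forever on a stalled SSO endpoint and pins the servlet thread; set `isValid` only after the body has been consumed and use a finite timeout such as `setReadTimeout(<timeout-ms>)`. The `";` after the URL literal looks like a mail-rendering artifact, but as shown the line would not compile.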
diff --git 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSOLoginFilter.java
 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSOLoginFilter.java
index 886c3b2..09a1909 100644
--- 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSOLoginFilter.java
+++ 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSOLoginFilter.java
@@ -1,7 +1,6 @@
 package org.ovirt.engine.core.aaa.filters;
 
 import org.apache.commons.lang.StringUtils;
-import org.ovirt.engine.core.common.constants.SessionConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -37,7 +36,7 @@
         String requestUri = req.getRequestURI() + 
(StringUtils.isEmpty(queryString) ? "" : "?" + queryString);
 
         try {
-            if (!FiltersHelper.isAuthenticated(req) || 
!FiltersHelper.isSessionValid(getSessionId((HttpServletRequest) request))) {
+            if (!FiltersHelper.isAuthenticated(req) || 
!FiltersHelper.isSessionValid((HttpServletRequest) request)) {
                 ((HttpServletResponse) 
response).sendRedirect(String.format("%s%s&app_url=%s", 
req.getServletContext().getContextPath(), loginUrl, ((HttpServletResponse) 
response).encodeURL(requestUri)));
             } else {
                 chain.doFilter(request, response);
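Review bot: The new condition re-casts `request` although `req` on the preceding lines is already the `HttpServletRequest` view of it, so the call can simply be `!FiltersHelper.isSessionValid(req)`; the same redundant cast appears in the SSORestApiLoginFilter hunk, where `req` is declared two lines above the call. Keeping one name for the request also makes it obvious that isAuthenticated and isSessionValid inspect the same object. doFilter starts and ends outside this hunk.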
@@ -48,13 +47,6 @@
         }
     }
 
-    private String getSessionId(HttpServletRequest request) {
-        String sessionId = (String) 
request.getSession(false).getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
-        if (sessionId == null) {
-            sessionId = (String) 
request.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
-        }
-        return sessionId;
-    }
     @Override
     public void destroy() {
     }
diff --git 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiLoginFilter.java
 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiLoginFilter.java
index 3769f7a..b873a6d 100644
--- 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiLoginFilter.java
+++ 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiLoginFilter.java
@@ -49,7 +49,7 @@
             ServletException {
         HttpServletRequest req = (HttpServletRequest) request;
         try {
-            if (!FiltersHelper.isAuthenticated(req) || 
!FiltersHelper.isSessionValid(getSessionId((HttpServletRequest) request))) {
+            if (!FiltersHelper.isAuthenticated(req) || 
!FiltersHelper.isSessionValid((HttpServletRequest) request)) {
                 authenticateWithSSO(req);
             }
             chain.doFilter(request, response);
@@ -135,6 +135,9 @@
             }
             HttpSession httpSession = req.getSession(true);
             httpSession.setAttribute(
+                    SessionConstants.SSO_SESSION_ID_KEY,
+                    payload.get(SessionConstants.SSO_SESSION_ID_KEY));
+            httpSession.setAttribute(
                     SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY,
                     queryRetVal.getActionReturnValue());
         } catch (Exception ex) {
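Review bot: The value stored under `SSO_SESSION_ID_KEY` comes straight from `payload.get(...)` with no null or type check, so if the SSO reply lacks that field the session attribute is null and, going by the visible isSessionValid, every later request from that client will presumably fail validation and be sent back through login; the same unchecked store is in the SSOPostLoginServlet hunk. Treating a missing id as a failed login here, in the surrounding try/catch, would surface the problem once at login time with a clear message rather than on every subsequent request. The enclosing method starts outside this hunk, so the type of `payload` and the exception style in use are not visible here.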
@@ -151,13 +154,6 @@
         }
     }
 
-    private String getSessionId(HttpServletRequest request) {
-        String sessionId = (String) 
request.getSession(false).getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
-        if (sessionId == null) {
-            sessionId = (String) 
request.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
-        }
-        return sessionId;
-    }
     @Override
     public void destroy() {
     }
diff --git 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
index 92cedcf..5452985 100644
--- 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
+++ 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
@@ -31,7 +31,7 @@
         try {
             String requestEngineSession = 
(String)request.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
             if (requestEngineSession != null) {
-                if (!FiltersHelper.isSessionValid(requestEngineSession)) {
+                if (!FiltersHelper.isSessionValid((HttpServletRequest) 
request)) {
                     
request.removeAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
                 }
             }
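Review bot: Both isSessionValid calls in this doFilter (here and in the second hunk on the httpSession branch) no longer use the engine session id they are guarding and instead look up `SSO_SESSION_ID_KEY` in the HttpSession, so a request that carries only the request attribute `HTTP_SESSION_ENGINE_SESSION_ID_KEY` and has no SSO id in its HttpSession will presumably always be judged invalid and lose that attribute; confirm that the request-attribute path is meant to depend on HttpSession state. Each call is also a separate HTTP round-trip to the SSO endpoint, so a request that reaches both branches is validated twice; computing `boolean ssoValid = FiltersHelper.isSessionValid((HttpServletRequest) request);` once before the two checks halves that cost. doFilter starts and ends outside these hunks.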
@@ -40,7 +40,7 @@
             if (httpSession != null) {
                 String engineSession = (String) 
httpSession.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
                 if (engineSession != null) {
-                    if (!FiltersHelper.isSessionValid(engineSession)) {
+                    if (!FiltersHelper.isSessionValid((HttpServletRequest) 
request)) {
                         httpSession.invalidate();
                     }
                 }
diff --git 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SSOPostLoginServlet.java
 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SSOPostLoginServlet.java
index 4fcf7df..3b15b48 100644
--- 
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SSOPostLoginServlet.java
+++ 
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SSOPostLoginServlet.java
@@ -61,6 +61,9 @@
             }
             HttpSession httpSession = request.getSession(true);
             httpSession.setAttribute(
+                    SessionConstants.SSO_SESSION_ID_KEY,
+                    payload.get(SessionConstants.SSO_SESSION_ID_KEY));
+            httpSession.setAttribute(
                     SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY,
                     queryRetVal.getActionReturnValue());
             response.sendRedirect(request.getParameter("opaque"));
diff --git 
a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/constants/SessionConstants.java
 
b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/constants/SessionConstants.java
index 87c510f..690fcdc 100644
--- 
a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/constants/SessionConstants.java
+++ 
b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/constants/SessionConstants.java
@@ -3,6 +3,7 @@
 public class SessionConstants {
 
     public static final String HTTP_SESSION_ENGINE_SESSION_ID_KEY = 
"ovirt_aaa_engineSessionId";
+    public static final String SSO_SESSION_ID_KEY = "sso_session_id";
     public static final String REQUEST_ASYNC_KEY = "ovirt_aaa_restapi_async";
 
 }
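Review bot: The new constant serves two roles that are easy to confuse: it is the HttpSession attribute name in the login filters and, by its literal value, the query-parameter name of the SSO validate-session URL, yet FiltersHelper hard-codes `sso_session_id` in that URL instead of referencing the constant. A Javadoc line stating both uses, e.g. `/** HttpSession attribute holding the SSO session id; its value is also the query parameter name expected by the SSO validate-session endpoint. */`, and using the constant when building the URL would keep the two from drifting apart.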


-- 
To view, visit http://gerrit.ovirt.org/38015
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I72b0ed9802804e173d99f7d7f173e3e1d354a57f
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <[email protected]>