greyp9 commented on a change in pull request #5262:
URL: https://github.com/apache/nifi/pull/5262#discussion_r680237283
##########
File path:
nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
##########
@@ -354,6 +356,7 @@
public static final String
DEFAULT_SECURITY_USER_SAML_HTTP_CLIENT_TRUSTSTORE_STRATEGY = "JDK";
public static final String
DEFAULT_SECURITY_USER_SAML_HTTP_CLIENT_CONNECT_TIMEOUT = "30 secs";
public static final String
DEFAULT_SECURITY_USER_SAML_HTTP_CLIENT_READ_TIMEOUT = "30 secs";
+ private static final String DEFAULT_SECURITY_USER_JWS_KEY_ROTATION_PERIOD
= "PT1H";
Review comment:
Maybe usage of ISO 8601 intervals could be part of the NiFi 2.0
date/time effort?
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/key/StandardVerificationKeySelector.java
##########
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.jwt.key;
+
+import org.apache.nifi.web.security.jwt.jws.SigningKeyListener;
+import org.apache.nifi.web.security.jwt.key.service.VerificationKeyService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.Key;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+
+/**
+ * Standard Verification Key Selector implements listener interfaces for
updating Key status
+ */
+public class StandardVerificationKeySelector implements SigningKeyListener,
VerificationKeyListener, VerificationKeySelector {
+ private static final Logger LOGGER =
LoggerFactory.getLogger(StandardVerificationKeySelector.class);
+
+ private final VerificationKeyService verificationKeyService;
+
+ private final Duration keyRotationPeriod;
+
+ public StandardVerificationKeySelector(final VerificationKeyService
verificationKeyService, final Duration keyRotationPeriod) {
+ this.verificationKeyService =
Objects.requireNonNull(verificationKeyService, "Verification Key Service
required");
+ this.keyRotationPeriod = Objects.requireNonNull(keyRotationPeriod,
"Key Rotation Period required");
+ }
+
+ /**
+ * On Verification Key Generated persist encoded Key with expiration
+ *
+ * @param keyIdentifier Key Identifier
+ * @param key Key
+ */
+ @Override
+ public void onVerificationKeyGenerated(final String keyIdentifier, final
Key key) {
+ final Instant expiration = Instant.now().plus(keyRotationPeriod);
+ verificationKeyService.save(keyIdentifier, key, expiration);
+ LOGGER.debug("Verification Key Saved [{}] Expiration [{}]",
keyIdentifier, expiration);
+ }
+
+ /**
+ * Get Verification Keys
+ *
+ * @param keyIdentifier Key Identifier
+ * @return List of Keys
+ */
+ @Override
+ public List<? extends Key> getVerificationKeys(final String keyIdentifier)
{
+ final Optional<Key> key =
verificationKeyService.findById(keyIdentifier);
+ final List<? extends Key> keys =
key.map(Collections::singletonList).orElse(Collections.emptyList());
+ LOGGER.debug("Key Identifier [{}] Verification Keys Found [{}]",
keyIdentifier, keys.size());
+ return keys;
+ }
+
+ /**
+ * On Signing Key Used set new expiration
Review comment:
The intent is to keep the signing key alive as long as it is being used?
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/revocation/JwtRevocationService.java
##########
@@ -14,36 +14,32 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.apache.nifi.admin.service;
+package org.apache.nifi.web.security.jwt.revocation;
-import org.apache.nifi.key.Key;
+import java.time.Instant;
/**
- * Manages NiFi user keys.
+ * JSON Web Token Revocation Service
*/
-public interface KeyService {
-
+public interface JwtRevocationService {
/**
- * Gets a key for the specified user identity. Returns null if the user
has not had a key issued
- *
- * @param id The key id
- * @return The key or null
+ * Delete Expired Revocations
*/
- Key getKey(int id);
+ void deleteExpired();
/**
- * Gets a key for the specified user identity. If a key does not exist,
one will be created.
+ * Is JSON Web Token Identifier Revoked
*
- * @param identity The user identity
- * @return The key
- * @throws AdministrationException if it failed to get/create the key
+ * @param id JSON Web Token Identifier
+ * @return Revoked Status
*/
- Key getOrCreateKey(String identity);
+ boolean isRevoked(String id);
/**
- * Deletes keys for the specified identity.
+ * Set Revoked Status using JSON Web Token Identifier
*
- * @param keyId The user's key ID
+ * @param id JSON Web Token Identifier
+ * @param expiration Expiration of Revocation Status
Review comment:
What is the purpose of the `expiration` parameter? Are there cases
where we would want a revoked JWT to become un-revoked?
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProvider.java
##########
@@ -0,0 +1,110 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.jwt.provider;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jwt.JWTClaimsSet;
+import org.apache.nifi.web.security.jwt.jws.JwsSignerContainer;
+import org.apache.nifi.web.security.jwt.jws.JwsSignerProvider;
+import org.apache.nifi.web.security.token.LoginAuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Date;
+import java.util.Objects;
+import java.util.UUID;
+
+/**
+ * Standard Bearer Token Provider supports returning serialized and signed
JSON Web Tokens
+ */
+public class StandardBearerTokenProvider implements BearerTokenProvider {
+ private static final Logger LOGGER =
LoggerFactory.getLogger(StandardBearerTokenProvider.class);
+
+ private static final String URL_ENCODED_CHARACTER_SET =
StandardCharsets.UTF_8.name();
+
+ private final JwsSignerProvider jwsSignerProvider;
+
+ public StandardBearerTokenProvider(final JwsSignerProvider
jwsSignerProvider) {
+ this.jwsSignerProvider = jwsSignerProvider;
+ }
+
+ /**
+ * Get Signed JSON Web Token using Login Authentication Token
+ *
+ * @param loginAuthenticationToken Login Authentication Token
+ * @return Serialized Signed JSON Web Token
+ */
+ @Override
+ public String getBearerToken(final LoginAuthenticationToken
loginAuthenticationToken) {
+ Objects.requireNonNull(loginAuthenticationToken,
"LoginAuthenticationToken required");
Review comment:
Is the incoming authenticationToken pre-validated?
##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -489,6 +489,28 @@ To enable authentication via Apache Knox the following
properties must be config
this listing. The audience that is populated in the token can be configured in
Knox.
|==================================================================================================================================================
+[[json_web_token]]
+=== JSON Web Tokens
+
+NiFi uses JSON Web Tokens to provide authenticated access after the initial
login process. Generated JSON Web Tokens include the authenticated user identity
+as well as the issuer and expiration from the configured Login Identity
Provider.
+
+NiFi uses generated RSA Key Pairs with a key size of 4096 bits to support the
`RS512` algorithm for JSON Web Signatures. The system stores RSA
Review comment:
Since this feature will involve the generation of a key pair on every
startup, we should consider the tradeoff between security and performance. The
generation of a 4096 bit key pair can be expensive in a resource constrained
environment.
A smaller value might be a better all-purpose default. Alternately,
allowing configuration of this value might be useful.
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/resolver/StandardBearerTokenResolver.java
##########
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.jwt.resolver;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.web.security.http.SecurityCookieName;
+import org.apache.nifi.web.security.http.SecurityHeader;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import
org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
+import org.springframework.web.util.WebUtils;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Bearer Token Resolver prefers the HTTP Authorization Header and then
evaluates the Authorization Cookie when found
Review comment:
> Bearer Token Resolver prefers the HTTP Authorization Header; when not
found, the Authorization Cookie is evaluated...
trying to convey that the cookie is ignored if the HTTP header is found
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
