KNOX-1073 - Upgrade PAC4J to a more recent version
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/994ac325
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/994ac325
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/994ac325
Branch: refs/heads/KNOX-998-Package_Restructuring
Commit: 994ac325d592426f8d4abcf45b1e95a5f2d267e8
Parents: a08aaf7
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Wed Oct 25 13:11:08 2017 +0100
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Wed Oct 25 13:11:08 2017 +0100
----------------------------------------------------------------------
gateway-provider-security-pac4j/pom.xml | 31 +++++++++++++++--
.../pac4j/filter/Pac4jDispatcherFilter.java | 15 ++++----
.../pac4j/filter/Pac4jIdentityAdapter.java | 36 +++++++++++---------
.../gateway/pac4j/session/KnoxSessionStore.java | 28 ++++++++++++++-
.../hadoop/gateway/pac4j/Pac4jProviderTest.java | 10 +++---
pom.xml | 2 +-
6 files changed, 89 insertions(+), 33 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/994ac325/gateway-provider-security-pac4j/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-pac4j/pom.xml b/gateway-provider-security-pac4j/pom.xml
index c420ad9..c8684e2 100644
--- a/gateway-provider-security-pac4j/pom.xml
+++ b/gateway-provider-security-pac4j/pom.xml
@@ -36,8 +36,8 @@
 </licenses>
 <properties>
- <j2e-pac4j.version>1.2.2</j2e-pac4j.version>
- <pac4j.version>1.8.9</pac4j.version>
+ <j2e-pac4j.version>3.0.0</j2e-pac4j.version>
+ <pac4j.version>2.1.0</pac4j.version>
 </properties>
 <dependencies>
@@ -67,6 +67,33 @@
 <dependency>
 <groupId>org.pac4j</groupId>
+ <artifactId>pac4j-oidc</artifactId>
+ <version>${pac4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.pac4j</groupId>
+ <artifactId>pac4j-saml</artifactId>
+ <version>${pac4j.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.pac4j</groupId>
+ <artifactId>pac4j-cas</artifactId>
+ <version>${pac4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.pac4j</groupId>
+ <artifactId>pac4j-oauth</artifactId>
+ <version>${pac4j.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.pac4j</groupId>
 <artifactId>pac4j-core</artifactId>
 <version>${pac4j.version}</version>
 </dependency>
http://git-wip-us.apache.org/repos/asf/knox/blob/994ac325/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java
index 574dea5..fb5fa4a 100644
--- a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java
+++ b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jDispatcherFilter.java
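Review bot: The `xalan` exclusion on `pac4j-saml` carries no comment saying what it conflicts with, so the next person to bump pac4j cannot tell whether it is still needed; add something like `<!-- xalan excluded: conflicts with the XML/XSLT implementation already on the Knox classpath (KNOX-1073); re-check on each pac4j upgrade -->` above `<exclusions>`, adjusting the reason to the actual conflict that was hit. Separately, `pac4j-oidc`, `pac4j-saml`, `pac4j-cas` and `pac4j-oauth` each pull in their own transitive stacks at whatever versions pac4j 2.1.0 declares, and the explicit `nimbus-jose-jwt` bump in the root pom later in this commit suggests at least one convergence problem was already found, so running the enforcer/`dependency:tree` convergence check on this module before merge would be prudent. None of the four new artifacts is referenced from the Java changes in this commit, so they are presumably selected by client name at runtime; confirm each is actually needed rather than added speculatively.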
@@ -31,12 +31,11 @@ import org.pac4j.core.client.Client;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.config.ConfigSingleton;
 import org.pac4j.core.context.J2EContext;
-import org.pac4j.core.context.Pac4jConstants;
 import org.pac4j.core.util.CommonHelper;
 import org.pac4j.http.client.indirect.IndirectBasicAuthClient;
 import org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator;
 import org.pac4j.j2e.filter.CallbackFilter;
-import org.pac4j.j2e.filter.RequiresAuthenticationFilter;
+import org.pac4j.j2e.filter.SecurityFilter;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
@@ -74,7 +73,7 @@ public class Pac4jDispatcherFilter implements Filter {
 private CallbackFilter callbackFilter;
- private RequiresAuthenticationFilter requiresAuthenticationFilter;
+ private SecurityFilter securityFilter;
 private MasterService masterService = null;
 private KeystoreService keystoreService = null;
 private AliasService aliasService = null;
@@ -119,7 +118,7 @@ public class Pac4jDispatcherFilter implements Filter {
 final Config config;
 final String clientName;
 // client name from servlet parameter (mandatory)
- final String clientNameParameter = filterConfig.getInitParameter(Pac4jConstants.CLIENT_NAME);
+ final String clientNameParameter = filterConfig.getInitParameter("clientName");
 if (clientNameParameter == null) {
 log.clientNameParameterRequired();
 throw new ServletException("Required pac4j clientName parameter is missing.");
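Review bot: The third hunk replaces `Pac4jConstants.CLIENT_NAME` with the bare literal `"clientName"`, and the test changed in this same commit repeats that literal, so the two can now drift apart silently; declare it once as `public static final String CLIENT_NAME_PARAM = "clientName";` next to the existing `PAC4J_CALLBACK_URL` constant and use `filterConfig.getInitParameter(CLIENT_NAME_PARAM)` here and in the test. A one-line comment on the constant noting that this is the init-parameter name topology authors must use, and that it is no longer taken from pac4j's own constants, would also help the next reader. The enclosing `init` method starts and ends outside the hunk.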
@@ -154,9 +153,9 @@ public class Pac4jDispatcherFilter implements Filter {
 }
 callbackFilter = new CallbackFilter();
- requiresAuthenticationFilter = new RequiresAuthenticationFilter();
- requiresAuthenticationFilter.setClientName(clientName);
- requiresAuthenticationFilter.setConfig(config);
+ securityFilter = new SecurityFilter();
+ securityFilter.setClients(clientName);
+ securityFilter.setConfig(config);
 final String domainSuffix = filterConfig.getInitParameter(PAC4J_COOKIE_DOMAIN_SUFFIX_PARAM);
 config.setSessionStore(new KnoxSessionStore(cryptoService, clusterName, domainSuffix));
@@ -206,7 +205,7 @@ public class Pac4jDispatcherFilter implements Filter {
 } else {
 // otherwise just apply security and requires authentication
 // apply RequiresAuthenticationFilter
- requiresAuthenticationFilter.doFilter(servletRequest, servletResponse, filterChain);
+ securityFilter.doFilter(servletRequest, servletResponse, filterChain);
 }
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/994ac325/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jIdentityAdapter.java b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jIdentityAdapter.java
index ec5c368..dfbd8ca 100644
--- a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jIdentityAdapter.java
+++ b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/filter/Pac4jIdentityAdapter.java
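Review bot: `securityFilter` is configured with `setClients(clientName)` and `setConfig(config)` only, with no `setAuthorizers`/`setMatchers` call, so whatever default authorizer set the pac4j 2.x security logic applies when none is named is what will run against every proxied request. I cannot tell from the hunk which defaults 2.1.0 applies (some pac4j 2.x releases add a CSRF-token check and security-headers authorizers by default, which would matter for REST clients going through Knox), so please verify and make the choice explicit, e.g. `securityFilter.setAuthorizers(...)` with a comment recording why those authorizers were chosen. The enclosing `init` method starts and ends outside the hunk.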
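Review bot: The comment `// apply RequiresAuthenticationFilter` directly above the changed line still names the class this commit removes, so code and comment now disagree; change it to `// apply SecurityFilter (pac4j's replacement for RequiresAuthenticationFilter)`. `doFilter`'s body starts outside the hunk.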
@@ -23,8 +23,8 @@ import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 import org.pac4j.core.config.ConfigSingleton;
 import org.pac4j.core.context.J2EContext;
+import org.pac4j.core.profile.CommonProfile;
 import org.pac4j.core.profile.ProfileManager;
-import org.pac4j.core.profile.UserProfile;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Optional;
 /**
 * <p>This filter retrieves the authenticated user saved by the pac4j provider and injects it into the J2E HTTP request.</p>
@@ -65,22 +66,25 @@ public class Pac4jIdentityAdapter implements Filter {
 final HttpServletRequest request = (HttpServletRequest) servletRequest;
 final HttpServletResponse response = (HttpServletResponse) servletResponse;
 final J2EContext context = new J2EContext(request, response, ConfigSingleton.getConfig().getSessionStore());
- final ProfileManager manager = new ProfileManager(context);
- final UserProfile profile = manager.get(true);
- logger.debug("User authenticated as: {}", profile);
- manager.remove(true);
- final String id = profile.getId();
- testIdentifier = id;
- PrimaryPrincipal pp = new PrimaryPrincipal(id);
- Subject subject = new Subject();
- subject.getPrincipals().add(pp);
- auditService.getContext().setUsername(id);
- String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
- auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.SUCCESS);
-
- doAs(request, response, chain, subject);
+ final ProfileManager<CommonProfile> manager = new ProfileManager<CommonProfile>(context);
+ final Optional<CommonProfile> optional = manager.get(true);
+ if (optional.isPresent()) {
+ CommonProfile profile = optional.get();
+ logger.debug("User authenticated as: {}", profile);
+ manager.remove(true);
+ final String id = profile.getId();
+ testIdentifier = id;
+ PrimaryPrincipal pp = new PrimaryPrincipal(id);
+ Subject subject = new Subject();
+ subject.getPrincipals().add(pp);
+ auditService.getContext().setUsername(id);
+ String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+ auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.SUCCESS);
+
+ doAs(request, response, chain, subject);
+ }
 }
-
+
 private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject) throws IOException, ServletException {
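Review bot: When `manager.get(true)` yields an empty `Optional`, the new `if (optional.isPresent())` block is skipped and `doFilter` returns without calling `chain.doFilter`, without setting a status and without writing an audit record, so a request that reaches this filter with no pac4j profile ends with whatever the container emits for an untouched response instead of an explicit rejection. The old code failed with an NPE at that point, which was at least loud; the replacement should log, audit the failure and reject (401, or 403 if you prefer) so the outcome is deliberate and visible in the audit log. This assumes `ActionOutcome.FAILURE` exists alongside the `SUCCESS` used on the happy path; `sourceUri` is hoisted so both branches can use it, and `doFilter`'s signature is outside the hunk.
```java
    final ProfileManager<CommonProfile> manager = new ProfileManager<CommonProfile>(context);
    final Optional<CommonProfile> optional = manager.get(true);
    final String sourceUri = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    if (!optional.isPresent()) {
      // No pac4j profile in the session store: reject explicitly rather than fall through with an empty response.
      logger.warn("No pac4j user profile found for request to {}", sourceUri);
      auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.FAILURE);
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    final CommonProfile profile = optional.get();
    // … unchanged: debug log, manager.remove(true), principal/subject construction, setUsername, success audit, doAs (minus the now-hoisted sourceUri declaration) …
```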
http://git-wip-us.apache.org/repos/asf/knox/blob/994ac325/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/session/KnoxSessionStore.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/session/KnoxSessionStore.java b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/session/KnoxSessionStore.java
index 1d7c567..ae67ae9 100644
--- a/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/session/KnoxSessionStore.java
+++ b/gateway-provider-security-pac4j/src/main/java/org/apache/hadoop/gateway/pac4j/session/KnoxSessionStore.java
@@ -31,6 +31,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.Serializable;
+import java.util.Map;
 /**
 * Specific session store where data are saved into cookies (and not in memory).
@@ -92,7 +93,8 @@ public class KnoxSessionStore implements SessionStore {
 }
 private String encryptBase64(final Object o) {
- if (o == null || o.equals("")) {
+ if (o == null || o.equals("")
+ || (o instanceof Map<?,?> && ((Map<?,?>)o).isEmpty())) {
 return null;
 } else {
 final byte[] bytes = javaSerializationHelper.serializeToBytes((Serializable) o);
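Review bot: The added `instanceof Map<?,?> && isEmpty()` clause in `encryptBase64` has no comment, so a reader cannot tell why an empty map is treated like `null` and `""`; presumably pac4j 2.x now keeps the user profiles in a `Map` and an empty one left behind by `ProfileManager.remove` should clear the cookie rather than be serialized into it. If that is the reason, say so: `// pac4j 2.x stores profiles as a Map; an empty map carries no state, so treat it like null and drop the cookie instead of serializing it`. Note the check only recognises `Map`, so any other empty collection pac4j might hand to the store would still be serialized and encrypted into a cookie. `encryptBase64`'s body continues past the hunk.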
@@ -117,4 +119,28 @@ public class KnoxSessionStore implements SessionStore {
 cookie.setSecure(ContextHelper.isHttpsOrSecure(context));
 context.addResponseCookie(cookie);
 }
+
+ @Override
+ public SessionStore buildFromTrackableSession(WebContext arg0, Object arg1) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public boolean destroySession(WebContext arg0) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public Object getTrackableSession(WebContext arg0) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public boolean renewSession(WebContext arg0) {
+ // TODO Auto-generated method stub
+ return false;
+ }
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/994ac325/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java b/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
index 60bf6f8..bc33e33 100644
--- a/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
+++ b/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
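Review bot: The four new `SessionStore` overrides are left as auto-generated stubs returning `null`/`false`, and `destroySession` in particular is the hook pac4j's logout logic is expected to call to drop session state; with a no-op here a logout presumably leaves the encrypted `PAC4J_SESSION_PREFIX` cookies in the browser, and `renewSession` returning `false` means nothing is renewed after authentication either. For a cookie-backed store, `destroySession` can expire every request cookie whose name starts with `PAC4J_SESSION_PREFIX` by writing it back with a null value (this assumes `set(context, key, null)` expires the cookie, which the "user profile has been cleaned" assertion in the test appears to rely on; the pac4j `Cookie` type would need importing), and the other three should carry a comment stating they are unsupported because the store has no server-side session to track, instead of `TODO Auto-generated method stub`. If you would rather keep them unsupported, throw `UnsupportedOperationException` so the gap is loud rather than a silent `null`.
```java
    /**
     * Cookie-backed store: there is no server-side session, so destroying it means
     * expiring every pac4j session cookie the client sent with this request.
     */
    @Override
    public boolean destroySession(WebContext context) {
        for (Cookie cookie : context.getRequestCookies()) {
            if (cookie.getName().startsWith(PAC4J_SESSION_PREFIX)) {
                set(context, cookie.getName().substring(PAC4J_SESSION_PREFIX.length()), null);
            }
        }
        return true;
    }

    /** Not supported: this store has no session identifier to expose or rebuild from. */
    @Override
    public Object getTrackableSession(WebContext context) {
        return null;
    }
    // … unchanged: buildFromTrackableSession and renewSession, each with the same "not supported" comment in place of the TODO …
```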
@@ -76,16 +76,16 @@ public class Pac4jProviderTest {
 final FilterConfig config = mock(FilterConfig.class);
 when(config.getServletContext()).thenReturn(context);
 when(config.getInitParameter(Pac4jDispatcherFilter.PAC4J_CALLBACK_URL)).thenReturn(PAC4J_CALLBACK_URL);
- when(config.getInitParameter(Pac4jConstants.CLIENT_NAME)).thenReturn(Pac4jDispatcherFilter.TEST_BASIC_AUTH);
+ when(config.getInitParameter("clientName")).thenReturn(Pac4jDispatcherFilter.TEST_BASIC_AUTH);
 final Pac4jDispatcherFilter dispatcher = new Pac4jDispatcherFilter();
 dispatcher.init(config);
 final Pac4jIdentityAdapter adapter = new Pac4jIdentityAdapter();
 adapter.init(config);
- adapter.setAuditor(mock(Auditor.class));
+ Pac4jIdentityAdapter.setAuditor(mock(Auditor.class));
 final AuditService auditService = mock(AuditService.class);
 when(auditService.getContext()).thenReturn(mock(AuditContext.class));
- adapter.setAuditService(auditService);
+ Pac4jIdentityAdapter.setAuditService(auditService);
 // step 1: call the KnoxSSO service with an original url pointing to an Hadoop service (redirected by the SSOCookieProvider)
 MockHttpServletRequest request = new MockHttpServletRequest();
@@ -126,7 +126,7 @@ public class Pac4jProviderTest {
 mapCookies.put(cookie.getName(), cookie.getValue());
 }
 assertNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + CLIENT_CLASS + "$attemptedAuthentication"));
- assertNotNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILE));
+ assertNotNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILES));
 assertNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.REQUESTED_URL));
 // step 3: turn pac4j identity into KnoxSSO identity
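Review bot: The test still exercises only the happy path, while the adapter change in this commit introduces a new branch for `manager.get(true)` returning an empty `Optional`; add a case that runs `Pac4jIdentityAdapter.doFilter` against a request carrying no pac4j profile cookie and asserts the outcome you intend for it (as written, the filter neither continues the chain nor sets a status on that path), since that branch is exactly where a regression would go unnoticed. The `"clientName"` literal on the changed `when(...)` line duplicates the one now hard-coded in `Pac4jDispatcherFilter`; referencing a single shared constant would keep them in step. The test method continues outside the hunk.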
@@ -143,7 +143,7 @@ public class Pac4jProviderTest {
 assertEquals(1, cookies.size());
 final Cookie userProfileCookie = cookies.get(0);
 // the user profile has been cleaned
- assertEquals(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILE, userProfileCookie.getName());
+ assertEquals(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILES, userProfileCookie.getName());
 assertNull(userProfileCookie.getValue());
 assertEquals(USERNAME, adapter.getTestIdentifier());
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/994ac325/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 30a052b..58a4122 100644
--- a/pom.xml
+++ b/pom.xml
@@ -739,7 +739,7 @@
 <dependency>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
- <version>4.11</version>
+ <version>4.34.2</version>
 <scope>compile</scope>
 <exclusions>
 <exclusion>