This is an automated email from the ASF dual-hosted git repository. lmccay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push: new f3eddab KNOX-2066 - Composite Authz Provider new 15a85c0 Merge branch 'master' into KNOX-2066 f3eddab is described below commit f3eddab9b854f1774ecf89ac39ec03566e296113 Author: lmccay <lmc...@apache.org> AuthorDate: Thu Oct 24 16:35:04 2019 -0400 KNOX-2066 - Composite Authz Provider --- gateway-provider-security-authz-composite/pom.xml | 64 ++++++++++++++++ .../impl/CompositeAuthzDeploymentContributor.java | 89 ++++++++++++++++++++++ ...ox.gateway.deploy.ProviderDeploymentContributor | 18 +++++ .../deploy/impl/CompositeAuthzProviderTest.java | 67 ++++++++++++++++ gateway-release/pom.xml | 4 + pom.xml | 6 ++ 6 files changed, 248 insertions(+)
diff --git a/gateway-provider-security-authz-composite/pom.xml b/gateway-provider-security-authz-composite/pom.xml
new file mode 100644
index 0000000..fd1f962
--- /dev/null
+++ b/gateway-provider-security-authz-composite/pom.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway</artifactId>
+ <version>1.4.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>gateway-provider-security-authz-composite</artifactId>
+ <name>gateway-provider-security-authz-composite</name>
+ <description>Provides authorization support through the use of multiple providers.</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-i18n</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-spi</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-util-common</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-test-utils</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
diff --git a/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java b/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
new file mode 100644
index 0000000..5e7562c
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.DeploymentFactory;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class CompositeAuthzDeploymentContributor extends ProviderDeploymentContributorBase {
+ @Override
+ public String getRole() {
+ return "authorization";
+ }
+
+ @Override
+ public String getName() {
+ return "CompositeAuthz";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+
+ if (params == null) {
+ params = new ArrayList<>();
+ }
+
+ Map<String, String> providerParams = provider.getParams();
+ String providerNames = providerParams.get("composite.provider.names");
+ String[] names = parseProviderNames(providerNames);
+ for (String name : names) {
+ getProviderSpecificParams(resource, params, providerParams, name);
+ DeploymentFactory.getProviderContributor("authorization", name)
+ .contributeFilter(context, provider, service, resource, params);
+ params.clear();
+ }
+ }
+
+ String[] parseProviderNames(String providerNames) {
+ String[] names = providerNames.split(",\\s*");
+ return names;
+ }
+
+ void getProviderSpecificParams(ResourceDescriptor resource, List<FilterParamDescriptor> params,
+ Map<String, String> providerParams, String name) {
+ String entryName;
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ if (entry.getKey().startsWith(name + ".")) {
+ entryName = entry.getKey().substring(entry.getKey().indexOf('.') + 1);
+ FilterParamDescriptor fpd = resource.createFilterParam();
+ params.add(fpd.name(entryName.toLowerCase(Locale.ROOT)).value(entry.getValue()));
+ }
+ }
+ }
+}
diff --git a/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..33362c5
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
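Review bot: In CompositeAuthzDeploymentContributor.contributeFilter the value of `composite.provider.names` and the result of `DeploymentFactory.getProviderContributor("authorization", name)` are both used unchecked, so a topology that omits the parameter, or misspells a delegate name (assuming the factory returns null for an unknown name), fails deployment with a bare NullPointerException instead of a message naming the bad entry. Listing `CompositeAuthz` itself would presumably resolve back to this contributor and recurse. Because this list decides which authorization filters guard a resource, I would validate both and fail with an explicit error, as sketched below. Separately, `getProviderSpecificParams` silently ignores any parameter whose prefix does not match a listed name exactly (the `startsWith` is case-sensitive), so a typo leaves that delegate on its defaults with no warning; logging unmatched keys would make that visible.

```java
    String providerNames = providerParams.get("composite.provider.names");
    if (providerNames == null || providerNames.trim().isEmpty()) {
      throw new IllegalArgumentException(
          "CompositeAuthz requires a non-empty composite.provider.names parameter");
    }
    for (String name : parseProviderNames(providerNames.trim())) {
      ProviderDeploymentContributor delegate =
          DeploymentFactory.getProviderContributor("authorization", name);
      if (delegate == null || getName().equals(name)) {
        throw new IllegalArgumentException(
            "CompositeAuthz cannot delegate to authorization provider '" + name + "'");
      }
      getProviderSpecificParams(resource, params, providerParams, name);
      delegate.contributeFilter(context, provider, service, resource, params);
      // … unchanged: params.clear() …
    }
```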
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.knox.gateway.deploy.impl.CompositeAuthzDeploymentContributor
diff --git a/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java b/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
new file mode 100644
index 0000000..eadb2d6
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.replay;
+
+public class CompositeAuthzProviderTest {
+ @Test
+ public void testParsingProviderParams() throws Exception {
+ String name = "AclsAuthz";
+ Map<String, String> providerParams = new HashMap<>();
+ // provider params are disambiguated by prefixing them with
+ // the provider name. Therefore the following should only
+ // result in a single param making it through since only
+ // one has a prefix that matches the name.
+ providerParams.put("AclsAuthz.webhdfs.acl", "admin;*;*");
+ providerParams.put("SomeOther.webhdfs.acl", "admin;*;*");
+ List<FilterParamDescriptor> params = new ArrayList<>();
+ ResourceDescriptor resource = createMock(ResourceDescriptor.class);
+ FilterParamDescriptor fpd = createMock(FilterParamDescriptor.class);
+ expect(resource.createFilterParam()).andReturn(fpd).atLeastOnce();
+ expect(fpd.name("webhdfs.acl")).andReturn(fpd).once();
+ expect(fpd.value("admin;*;*")).andReturn(fpd).once();
+ replay(resource, fpd);
+ CompositeAuthzDeploymentContributor c = new CompositeAuthzDeploymentContributor();
+ c.getProviderSpecificParams(resource, params, providerParams, name);
+ }
+
+ @Test
+ public void testParsingProviderNames() throws Exception {
+ String names = "AclsAuthz, SomeOther,TheOtherOne";
+ CompositeAuthzDeploymentContributor c = new CompositeAuthzDeploymentContributor();
+ String[] providerNames = c.parseProviderNames(names);
+ assertEquals(providerNames.length, 3);
+ assertEquals(providerNames[0], "AclsAuthz");
+ assertEquals(providerNames[1], "SomeOther");
+ assertEquals(providerNames[2], "TheOtherOne");
+ }
+}
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index fdc4536..2306a3d 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -348,6 +348,10 @@
 </dependency>
 <dependency>
 <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-provider-security-authz-composite</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
 <artifactId>gateway-provider-identity-assertion-common</artifactId>
 </dependency>
 <dependency>
diff --git a/pom.xml b/pom.xml
index c0ef103..fd97b52 100644
--- a/pom.xml
+++ b/pom.xml
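Review bot: testParsingProviderParams in CompositeAuthzProviderTest never verifies its mocks or inspects `params`, so it still passes if getProviderSpecificParams matches no entry at all; ending it with `verify(resource, fpd);` and `assertEquals(1, params.size());` would pin the single-parameter outcome the comment describes. In testParsingProviderNames the assertEquals arguments are in (actual, expected) order; `assertEquals(3, providerNames.length);` and likewise for the three names gives correct failure messages. Neither test covers a missing or empty `composite.provider.names` value or a name with surrounding whitespace, which are the inputs an authorization topology is most likely to get wrong.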
@@ -89,6 +89,7 @@
 <module>gateway-provider-security-shiro</module>
 <module>gateway-provider-security-pac4j</module>
 <module>gateway-provider-security-authz-acls</module>
+ <module>gateway-provider-security-authz-composite</module>
 <module>gateway-provider-security-authc-anon</module>
 <module>gateway-provider-identity-assertion-common</module>
 <module>gateway-provider-identity-assertion-concat</module>
@@ -847,6 +848,11 @@
 </dependency>
 <dependency>
 <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-provider-security-authz-composite</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
 <artifactId>gateway-provider-identity-assertion-common</artifactId>
 <version>${project.version}</version>
 </dependency>