Repository: nifi Updated Branches: refs/heads/NIFI-655 5b658143a -> d21d8f316
NIFI-655: - Adding support for configuring anonymous roles. - Addressing checkstyle violations. Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/d21d8f31 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/d21d8f31 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/d21d8f31 Branch: refs/heads/NIFI-655 Commit: d21d8f31691a51e5bb4bb2523f1356513d547372 Parents: 5b65814 Author: Matt Gilman <matt.c.gil...@gmail.com> Authored: Thu Oct 15 18:24:06 2015 -0400 Committer: Matt Gilman <matt.c.gil...@gmail.com> Committed: Thu Oct 15 18:24:06 2015 -0400 ---------------------------------------------------------------------- nifi-assembly/pom.xml | 1 + .../org/apache/nifi/util/NiFiProperties.java | 49 ++++++++------ .../nifi/admin/UserDataSourceFactoryBean.java | 70 +++++++------------- .../src/main/resources/conf/nifi.properties | 1 + .../org/apache/nifi/web/NiFiServiceFacade.java | 3 +- .../nifi/web/NiFiWebApiConfiguration.java | 24 +++++-- .../web/NiFiWebApiSecurityConfiguration.java | 25 ++++--- .../nifi/web/StandardNiFiServiceFacade.java | 11 +-- .../org/apache/nifi/web/api/UserResource.java | 28 +++----- .../web/security/NiFiAuthenticationFilter.java | 12 +--- .../security/NiFiAuthenticationProvider.java | 26 ++++++-- .../nifi/web/security/ProxiedEntitiesUtils.java | 28 ++++---- .../anonymous/NiFiAnonymousUserFilter.java | 36 ++++------ .../security/form/FormAuthenticationFilter.java | 6 +- .../security/jwt/JwtAuthenticationFilter.java | 4 +- .../security/jwt/JwtAuthenticationProvider.java | 4 +- .../nifi/web/security/jwt/JwtService.java | 16 ++--- .../NewAccountAuthenticationRequestToken.java | 7 +- .../token/NewAccountAuthenticationToken.java | 8 +-- .../token/NiFiAuthenticationRequestToken.java | 9 ++- .../security/token/NiFiAuthorizationToken.java | 5 +- .../web/security/user/NewAccountRequest.java | 20 +++++- .../nifi/web/security/user/NiFiUserDetails.java | 2 +- 
.../nifi/web/security/user/NiFiUserUtils.java | 14 ++-- .../security/x509/X509AuthenticationFilter.java | 8 +-- .../x509/X509AuthenticationProvider.java | 20 +++++- .../apache/nifi/web/NiFiWebUiConfiguration.java | 8 +-- .../web/NiFiWebUiSecurityConfiguration.java | 6 +- 28 files changed, 229 insertions(+), 222 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-assembly/pom.xml ---------------------------------------------------------------------- diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml index de4fdcb..3dc1ae2 100644 --- a/nifi-assembly/pom.xml +++ b/nifi-assembly/pom.xml @@ -340,6 +340,7 @@ language governing permissions and limitations under the License. --> <nifi.security.user.authority.provider>file-provider</nifi.security.user.authority.provider> <nifi.security.x509.principal.extractor /> <nifi.security.support.new.account.requests /> + <nifi.security.anonymous.authorities>ROLE_MONITOR,ROLE_DFM,ROLE_ADMIN,ROLE_PROVENANCE,ROLE_NIFI</nifi.security.anonymous.authorities> <nifi.security.ocsp.responder.url /> <nifi.security.ocsp.responder.certificate /> http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java ---------------------------------------------------------------------- diff --git a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java index a51d9be..aaaac0b 100644 --- a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java +++ b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java 
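Review bot: The default added for `nifi.security.anonymous.authorities` in nifi-assembly/pom.xml grants the anonymous user every role, including `ROLE_ADMIN` and `ROLE_DFM`, and nothing next to the property tells an operator that. The list matches the roles the removed seeding statements in UserDataSourceFactoryBean inserted, so it does not widen access by itself. Now that the list is configurable it deserves a comment beside the property, e.g. `<!-- authorities granted to the anonymous user; narrow this list before exposing the instance -->`. Whether these authorities also apply when the instance runs secured is not visible in this diff and should be confirmed, since an all-roles anonymous default would be unsafe in that mode.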
@@ -25,10 +25,14 @@ import java.nio.file.InvalidPathException; import java.nio.file.Path; import java.nio.file.Paths; import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; +import java.util.Set; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -130,7 +134,7 @@ public class NiFiProperties extends Properties { public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_THREADS = "nifi.security.cluster.authority.provider.threads"; public static final String SECURITY_USER_CREDENTIAL_CACHE_DURATION = "nifi.security.user.credential.cache.duration"; public static final String SECURITY_SUPPORT_NEW_ACCOUNT_REQUESTS = "nifi.security.support.new.account.requests"; - public static final String SECURITY_DEFAULT_USER_ROLES = "nifi.security.default.user.roles"; + public static final String SECURITY_ANONYMOUS_AUTHORITIES = "nifi.security.anonymous.authorities"; public static final String SECURITY_OCSP_RESPONDER_URL = "nifi.security.ocsp.responder.url"; public static final String SECURITY_OCSP_RESPONDER_CERTIFICATE = "nifi.security.ocsp.responder.certificate"; @@ -234,8 +238,7 @@ public class NiFiProperties extends Properties { } /** - * This is the method through which the NiFiProperties object should be - * obtained. + * This is the method through which the NiFiProperties object should be obtained. * * @return the NiFiProperties object to use * @throws RuntimeException if unable to load properties file @@ -424,8 +427,7 @@ public class NiFiProperties extends Properties { } /** - * Returns whether the processors should be started automatically when the - * application loads. + * Returns whether the processors should be started automatically when the application loads. * * @return Whether to auto start the processors or not */ 
@@ -436,8 +438,7 @@ public class NiFiProperties extends Properties { } /** - * Returns the number of partitions that should be used for the FlowFile - * Repository + * Returns the number of partitions that should be used for the FlowFile Repository * * @return the number of partitions */ @@ -448,8 +449,7 @@ public class NiFiProperties extends Properties { } /** - * Returns the number of milliseconds between FlowFileRepository - * checkpointing + * Returns the number of milliseconds between FlowFileRepository checkpointing * * @return the number of milliseconds between checkpoint events */ @@ -510,6 +510,19 @@ public class NiFiProperties extends Properties { return shouldSupport; } + public Set<String> getAnonymousAuthorities() { + final Set<String> authorities; + + final String rawAnonymousAuthorities = getProperty(SECURITY_ANONYMOUS_AUTHORITIES); + if (!StringUtils.isEmpty(rawAnonymousAuthorities)) { + authorities = new HashSet<>(Arrays.asList(rawAnonymousAuthorities.split(","))); + } else { + authorities = Collections.EMPTY_SET; + } + + return authorities; + } + // getters for web properties // public Integer getPort() { Integer port = null; @@ -851,8 +864,7 @@ public class NiFiProperties extends Properties { } /** - * Returns the database repository path. It simply returns the value - * configured. No directories will be created as a result of this operation. + * Returns the database repository path. It simply returns the value configured. No directories will be created as a result of this operation. * * @return database repository path * @throws InvalidPathException If the configured path is invalid 
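Review bot: `getAnonymousAuthorities()` in the `@@ -510,6 +510,19 @@` hunk splits the raw property on `,` without trimming, so a value written as `ROLE_MONITOR, ROLE_DFM` yields an entry with a leading space; given the size comparison added in UserDataSourceFactoryBean, that entry would presumably be rejected as an invalid authority at startup. Trimming the value and splitting with `rawAnonymousAuthorities.trim().split("\\s*,\\s*")` avoids that. The empty branch uses the raw `Collections.EMPTY_SET`, which compiles only with an unchecked warning; `Collections.emptySet()` is the typed form. The method also has no Javadoc, unlike its neighbours; `/** Returns the authorities granted to the anonymous user, or an empty set when none are configured. */` would fit.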
@@ -862,8 +874,7 @@ public class NiFiProperties extends Properties { } /** - * Returns the flow file repository path. It simply returns the value - * configured. No directories will be created as a result of this operation. + * Returns the flow file repository path. It simply returns the value configured. No directories will be created as a result of this operation. * * @return database repository path * @throws InvalidPathException If the configured path is invalid @@ -873,10 +884,8 @@ public class NiFiProperties extends Properties { } /** - * Returns the content repository paths. This method returns a mapping of - * file repository name to file repository paths. It simply returns the - * values configured. No directories will be created as a result of this - * operation. + * Returns the content repository paths. This method returns a mapping of file repository name to file repository paths. It simply returns the values configured. No directories will be created as + * a result of this operation. * * @return file repositories paths * @throws InvalidPathException If any of the configured paths are invalid 
@@ -900,10 +909,8 @@ public class NiFiProperties extends Properties { } /** - * Returns the provenance repository paths. This method returns a mapping of - * file repository name to file repository paths. It simply returns the - * values configured. No directories will be created as a result of this - * operation. + * Returns the provenance repository paths. This method returns a mapping of file repository name to file repository paths. It simply returns the values configured. No directories will be created + * as a result of this operation. * * @return the name and paths of all provenance repository locations */ http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java index ebcf574..5844f69 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/src/main/java/org/apache/nifi/admin/UserDataSourceFactoryBean.java @@ -21,8 +21,11 @@ import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; +import java.util.HashSet; +import java.util.Set; import java.util.UUID; import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.authorization.Authority; import org.h2.jdbcx.JdbcConnectionPool; import org.apache.nifi.user.NiFiUser; import org.apache.nifi.util.NiFiProperties; 
@@ -71,46 +74,15 @@ public class UserDataSourceFactoryBean implements FactoryBean { + "'ACTIVE'" + ")"; - private static final String INSERT_ANONYMOUS_MONITOR_AUTHORITY = "INSERT INTO AUTHORITY (" + private static final String INSERT_ANONYMOUS_AUTHORITY = "INSERT INTO AUTHORITY (" + "USER_ID, ROLE" + ") VALUES (" + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "'), " - + "'ROLE_MONITOR'" + + "'%s'" + ")"; - private static final String INSERT_ANONYMOUS_DFM_AUTHORITY = "INSERT INTO AUTHORITY (" - + "USER_ID, ROLE" - + ") VALUES (" - + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "'), " - + "'ROLE_DFM'" - + ")"; - - private static final String INSERT_ANONYMOUS_ADMIN_AUTHORITY = "INSERT INTO AUTHORITY (" - + "USER_ID, ROLE" - + ") VALUES (" - + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "'), " - + "'ROLE_ADMIN'" - + ")"; - - private static final String INSERT_ANONYMOUS_NIFI_AUTHORITY = "INSERT INTO AUTHORITY (" - + "USER_ID, ROLE" - + ") VALUES (" - + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "'), " - + "'ROLE_NIFI'" - + ")"; - - private static final String INSERT_ANONYMOUS_PROVENANCE_AUTHORITY = "INSERT INTO AUTHORITY (" - + "USER_ID, ROLE" - + ") VALUES (" - + "(SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "'), " - + "'ROLE_PROVENANCE'" - + ")"; - - private static final String SELECT_ANONYMOUS_PROVENANCE_AUTHORITY = "SELECT * FROM AUTHORITY " - + "WHERE " - + "USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "') " - + "AND " - + "ROLE = 'ROLE_PROVENANCE'"; + private static final String DELETE_ANONYMOUS_AUTHORITIES = "DELETE FROM AUTHORITY " + + "WHERE USER_ID = (SELECT ID FROM USER WHERE DN = '" + NiFiUser.ANONYMOUS_USER_DN + "')"; private JdbcConnectionPool connectionPool; 
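Review bot: `INSERT_ANONYMOUS_AUTHORITY` carries its role value in a `'%s'` placeholder that is filled with `String.format` (in the `@@ -161,21 +144,16 @@` hunk), which makes the statement's safety depend on every caller passing a validated enum name. The only value substituted today is `authority.name()`, so no injection is reachable from what is visible, but a bind parameter removes that dependency: write the value as `?` and execute it through a `PreparedStatement` with `setString(1, authority.name())`. The statement can then be prepared once and reused inside the loop. If the format string is kept, add a comment on the constant stating that only `Authority` enum names may be substituted.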
@@ -128,6 +100,17 @@ public class UserDataSourceFactoryBean implements FactoryBean { throw new NullPointerException("Database directory must be specified."); } + // get the roles being granted to anonymous users + final Set<String> rawAnonymousAuthorities = new HashSet<>(properties.getAnonymousAuthorities()); + final Set<Authority> anonymousAuthorities = Authority.convertRawAuthorities(rawAnonymousAuthorities); + + // ensure every authorities was recognized + if (rawAnonymousAuthorities.size() != anonymousAuthorities.size()) { + final Set<String> validAuthorities = Authority.convertAuthorities(anonymousAuthorities); + rawAnonymousAuthorities.removeAll(validAuthorities); + throw new IllegalStateException("Invalid authorities specified: " + StringUtils.join(rawAnonymousAuthorities, ", ")); + } + // create a handle to the repository directory File repositoryDirectory = new File(repositoryDirectoryPath); 
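Review bot: The `IllegalStateException` raised for unrecognised authorities does not say which setting is wrong, so an operator reading the startup failure has to guess where the value came from; include the key, e.g. `throw new IllegalStateException("Invalid authorities specified in " + NiFiProperties.SECURITY_ANONYMOUS_AUTHORITIES + ": " + StringUtils.join(rawAnonymousAuthorities, ", "));`. The size comparison assumes that `Authority.convertRawAuthorities` silently drops names it does not know, which is not visible in this hunk and is worth stating in the comment. The comment itself should read `// ensure every authority was recognized`. The enclosing method starts and ends outside the hunk.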
@@ -161,21 +144,16 @@ public class UserDataSourceFactoryBean implements FactoryBean { // seed the anonymous user statement.execute(INSERT_ANONYMOUS_USER); - statement.execute(INSERT_ANONYMOUS_MONITOR_AUTHORITY); - statement.execute(INSERT_ANONYMOUS_DFM_AUTHORITY); - statement.execute(INSERT_ANONYMOUS_ADMIN_AUTHORITY); - statement.execute(INSERT_ANONYMOUS_NIFI_AUTHORITY); } else { logger.info("Existing database found and connected to at: " + databaseUrl); - } - // close the previous result set - RepositoryUtils.closeQuietly(rs); + // remove all authorities for the anonymous user + statement.execute(DELETE_ANONYMOUS_AUTHORITIES); + } - // merge in the provenance role to handle existing databases - rs = statement.executeQuery(SELECT_ANONYMOUS_PROVENANCE_AUTHORITY); - if (!rs.next()) { - statement.execute(INSERT_ANONYMOUS_PROVENANCE_AUTHORITY); + // add all authorities for the anonymous user + for (final Authority authority : anonymousAuthorities) { + statement.execute(String.format(INSERT_ANONYMOUS_AUTHORITY, authority.name())); } // commit any changes http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties index 54b5283..e959f97 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties 
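Review bot: On an existing database every authority of the anonymous user is deleted and re-created from the property at each start, yet nothing records what was granted. Because this list now decides what the anonymous user may do, log the outcome after the loop, e.g. `logger.info("Anonymous user authorities: " + anonymousAuthorities);`, so that a widened configuration shows up in the application log. An upgraded installation whose nifi.properties lacks `nifi.security.anonymous.authorities` will presumably end up with no anonymous authorities at all, because `getAnonymousAuthorities()` returns an empty set; that fails closed, but it should be logged as a warning or called out in the upgrade notes. The enclosing method starts and ends outside the hunk.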
@@ -125,6 +125,7 @@ nifi.security.needClientAuth=${nifi.security.needClientAuth} nifi.security.user.credential.cache.duration=${nifi.security.user.credential.cache.duration} nifi.security.user.authority.provider=${nifi.security.user.authority.provider} nifi.security.support.new.account.requests=${nifi.security.support.new.account.requests} +nifi.security.anonymous.authorities=${nifi.security.anonymous.authorities} nifi.security.ocsp.responder.url=${nifi.security.ocsp.responder.url} nifi.security.ocsp.responder.certificate=${nifi.security.ocsp.responder.certificate} http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiServiceFacade.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiServiceFacade.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiServiceFacade.java index 7395cfc..f4d5821 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiServiceFacade.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiServiceFacade.java @@ -1237,10 +1237,11 @@ public interface NiFiServiceFacade { /** * Creates a new account request. + * * @return user */ UserDTO createUser(); - + /** * Updates the specified user accordingly. * http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiConfiguration.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiConfiguration.java index 04264e7..58b0af8 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiConfiguration.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiConfiguration.java @@ -1,3 +1,19 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.nifi.web; import org.springframework.context.annotation.Configuration; 
@@ -8,17 +24,17 @@ import org.springframework.context.annotation.ImportResource; * */ @Configuration -@Import({ NiFiWebApiSecurityConfiguration.class}) -@ImportResource( {"classpath:nifi-context.xml", +@Import({NiFiWebApiSecurityConfiguration.class}) +@ImportResource({"classpath:nifi-context.xml", "classpath:nifi-administration-context.xml", "classpath:nifi-cluster-manager-context.xml", "classpath:nifi-cluster-protocol-context.xml", "classpath:nifi-web-security-context.xml", - "classpath:nifi-web-api-context.xml"} ) + "classpath:nifi-web-api-context.xml"}) public class NiFiWebApiConfiguration { public NiFiWebApiConfiguration() { super(); } - + } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java index 305aaf6..0317f19 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java @@ -61,7 +61,7 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte protected void configure(HttpSecurity http) throws Exception { http .rememberMe().disable() - .exceptionHandling() + .exceptionHandling() .authenticationEntryPoint(new NiFiAuthenticationEntryPoint()) .and() .authorizeRequests() 
@@ -78,28 +78,25 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte http.addFilterBefore(buildX509Filter(), AnonymousAuthenticationFilter.class); // anonymous - final NiFiAnonymousUserFilter anonymousFilter = new NiFiAnonymousUserFilter(); - anonymousFilter.setProperties(properties); - anonymousFilter.setUserService(userService); - http.anonymous().authenticationFilter(anonymousFilter); + http.anonymous().authenticationFilter(buildAnonymousFilter()); } - @Bean + @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { // override xxxBean method so the authentication manager is available in app context (necessary for the method level security) return super.authenticationManagerBean(); } - + @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // x509 final AuthenticationProvider x509AuthenticationProvider = new NiFiAuthenticationProvider(new X509AuthenticationProvider(), userDetailsService); - + auth .authenticationProvider(x509AuthenticationProvider); } - + private X509AuthenticationFilter buildX509Filter() throws Exception { final X509AuthenticationFilter x509Filter = new X509AuthenticationFilter(); x509Filter.setPrincipalExtractor(new SubjectDnX509PrincipalExtractor()); @@ -108,7 +105,13 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte x509Filter.setAuthenticationManager(authenticationManager()); return x509Filter; } - + + private AnonymousAuthenticationFilter buildAnonymousFilter() { + final NiFiAnonymousUserFilter anonymousFilter = new NiFiAnonymousUserFilter(); + anonymousFilter.setUserService(userService); + return anonymousFilter; + } + @Autowired public void setUserDetailsService(AuthenticationUserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; 
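Review bot: After `anonymousFilter.setProperties(properties)` was dropped, the `properties` field that `setProperties(NiFiProperties)` still injects (visible in the following hunk) appears to have no remaining reader in this class; if nothing outside the visible hunks uses it, remove the field and its `@Autowired` setter so the configuration does not suggest the anonymous filter is still property-driven. `buildAnonymousFilter()` would also benefit from a one-line comment such as `// anonymous authorities are resolved through the user service, not from nifi.properties`, hedged until NiFiAnonymousUserFilter is checked, since that class is not part of what is shown here. The class body continues outside these hunks.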
@@ -118,7 +121,7 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte public void setUserService(UserService userService) { this.userService = userService; } - + @Autowired public void setProperties(NiFiProperties properties) { this.properties = properties; http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java index e47b339..6fae2fb 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java @@ -16,7 +16,6 @@ */ package org.apache.nifi.web; -import java.io.PrintWriter; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Arrays; @@ -33,8 +32,6 @@ import java.util.Set; import java.util.TimeZone; import java.util.UUID; import java.util.concurrent.TimeUnit; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import javax.ws.rs.WebApplicationException; 
@@ -155,7 +152,6 @@ import org.apache.nifi.web.util.SnippetUtils; import org.apache.commons.collections4.CollectionUtils; import org.apache.commons.lang3.StringUtils; -import org.apache.nifi.admin.service.AdministrationException; import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.Validator; import org.apache.nifi.controller.ReportingTaskNode; @@ -1815,7 +1811,7 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade { @Override public UserDTO createUser() { NewAccountRequest newAccountRequest = NiFiUserUtils.getNewAccountRequest(); - + // log the new user account request logger.info("Requesting new user account for " + newAccountRequest.getUsername()); @@ -1828,7 +1824,7 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade { // create the pending user account return dtoFactory.createUserDTO(userService.createPendingUserAccount(newAccountRequest.getUsername(), justification)); } - + @Override public UserDTO updateUser(UserDTO userDto) { NiFiUser user; @@ -3458,8 +3454,7 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade { } /** - * Utility method for extracting component counts from the specified group - * status. + * Utility method for extracting component counts from the specified group status. */ private ProcessGroupCounts extractProcessGroupCounts(ProcessGroupStatus groupStatus) { int running = 0; http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/UserResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/UserResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/UserResource.java index c7a84c3..8999f71 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/UserResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/UserResource.java @@ -23,7 +23,6 @@ import com.wordnik.swagger.annotations.ApiParam; import com.wordnik.swagger.annotations.ApiResponse; import com.wordnik.swagger.annotations.ApiResponses; import com.wordnik.swagger.annotations.Authorization; -import java.io.PrintWriter; import java.net.URI; import java.util.ArrayList; import java.util.Collection; @@ -36,14 +35,12 @@ import java.util.List; import java.util.Map; import java.util.Set; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import javax.ws.rs.Consumes; import javax.ws.rs.DELETE; import javax.ws.rs.DefaultValue; import javax.ws.rs.FormParam; import javax.ws.rs.GET; import javax.ws.rs.HttpMethod; -import static javax.ws.rs.HttpMethod.POST; import javax.ws.rs.POST; import javax.ws.rs.PUT; import javax.ws.rs.Path; 
@@ -103,25 +100,23 @@ public class UserResource extends ApplicationResource { if (!properties.getSupportNewAccountRequests()) { return Responses.notFound().entity("This NiFi does not support new account requests.").build(); } - + final NiFiUser nifiUser = NiFiUserUtils.getNiFiUser(); if (nifiUser != null) { throw new IllegalArgumentException("User account already created " + nifiUser.getDn()); } - + // create an account request for the current user final UserDTO user = serviceFacade.createUser(); final String uri = generateResourceUri("controller", "templates", user.getId()); return generateCreatedResponse(URI.create(uri), "Not authorized. User account created. Authorization pending.").build(); } - + /** * Gets all users that are registered within this Controller. * - * @param clientId Optional client id. If the client id is not specified, a - * new one will be generated. This value (whether specified or generated) is - * included in the response. + * @param clientId Optional client id. If the client id is not specified, a new one will be generated. This value (whether specified or generated) is included in the response. * @param grouped Whether to return the users in their groups. * @return A usersEntity. */ @@ -177,9 +172,7 @@ public class UserResource extends ApplicationResource { /** * Gets the details for the specified user. * - * @param clientId Optional client id. If the client id is not specified, a - * new one will be generated. This value (whether specified or generated) is - * included in the response. + * @param clientId Optional client id. If the client id is not specified, a new one will be generated. This value (whether specified or generated) is included in the response. * @param id The user id. * @return A userEntity. */ 
@@ -348,12 +341,9 @@ public class UserResource extends ApplicationResource { * Updates the specified user. * * @param httpServletRequest request - * @param clientId Optional client id. If the client id is not specified, a - * new one will be generated. This value (whether specified or generated) is - * included in the response. + * @param clientId Optional client id. If the client id is not specified, a new one will be generated. This value (whether specified or generated) is included in the response. * @param id The id of the user to update. - * @param rawAuthorities Array of authorities to assign to the specified - * user. + * @param rawAuthorities Array of authorities to assign to the specified user. * @param status The status of the specified users account. * @param formParams form params * @return A userEntity @@ -524,9 +514,7 @@ public class UserResource extends ApplicationResource { * * @param httpServletRequest request * @param id The user id - * @param clientId Optional client id. If the client id is not specified, a - * new one will be generated. This value (whether specified or generated) is - * included in the response. + * @param clientId Optional client id. If the client id is not specified, a new one will be generated. This value (whether specified or generated) is included in the response. * @return A userEntity. */ @DELETE http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java index 52ac2f1..b83b283 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java @@ -44,20 +44,12 @@ public abstract class NiFiAuthenticationFilter implements Filter { private AuthenticationManager authenticationManager; @Override - public void init(FilterConfig filterConfig) throws ServletException { + public void init(final FilterConfig filterConfig) throws ServletException { throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates. } - /** - * - * @param request - * @param response - * @param chain - * @throws java.io.IOException - * @throws javax.servlet.ServletException - */ @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException { if (logger.isDebugEnabled()) { logger.debug("Checking secure context token: " + SecurityContextHolder.getContext().getAuthentication()); } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java index 5f15b76..7acbfa7 100644 
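Review bot: `init(final FilterConfig filterConfig)` still throws `UnsupportedOperationException` and keeps the IDE template comment, so any registration path that calls `init` on this filter fails at startup instead of doing nothing. Since the hunk already touches the signature, replace the body with an empty one: `public void init(final FilterConfig filterConfig) throws ServletException { }` plus a comment that no initialisation is required. The empty Javadoc removed from `doFilter` could be replaced by a short description of what the filter does with an existing security context, but the body of `doFilter` continues outside the hunk, so that wording has to be written against the full method.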
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java @@ -1,3 +1,19 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.nifi.web.security; import org.apache.nifi.web.security.token.NewAccountAuthenticationToken; @@ -17,12 +33,12 @@ public class NiFiAuthenticationProvider implements AuthenticationProvider { private final AuthenticationProvider provider; private final AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService; - + public NiFiAuthenticationProvider(final AuthenticationProvider provider, final AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> userDetailsService) { this.provider = provider; this.userDetailsService = userDetailsService; } - + @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { final NiFiAuthenticationRequestToken request = (NiFiAuthenticationRequestToken) authentication; 
@@ -32,7 +48,7 @@ public class NiFiAuthenticationProvider implements AuthenticationProvider { if (result == null) { return null; } - + try { // defer to the nifi user details service to authorize the user final UserDetails userDetails = userDetailsService.loadUserDetails(request); @@ -49,7 +65,7 @@ public class NiFiAuthenticationProvider implements AuthenticationProvider { } } } - + private boolean isNewAccountAuthenticationToken(final Authentication authentication) { return NewAccountAuthenticationToken.class.isAssignableFrom(authentication.getClass()); } @@ -58,5 +74,5 @@ public class NiFiAuthenticationProvider implements AuthenticationProvider { public boolean supports(Class<?> authentication) { return provider.supports(authentication) && NiFiAuthenticationRequestToken.class.isAssignableFrom(authentication); } - + } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/ProxiedEntitiesUtils.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/ProxiedEntitiesUtils.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/ProxiedEntitiesUtils.java index e0d810c..4526501 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/ProxiedEntitiesUtils.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/ProxiedEntitiesUtils.java 
@@ -17,9 +17,7 @@ package org.apache.nifi.web.security; import java.security.cert.X509Certificate; -import java.util.ArrayDeque; import java.util.ArrayList; -import java.util.Deque; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -40,7 +38,7 @@ public class ProxiedEntitiesUtils { public static final String PROXY_ENTITIES_CHAIN = "X-ProxiedEntitiesChain"; public static final String PROXY_ENTITIES_ACCEPTED = "X-ProxiedEntitiesAccepted"; public static final String PROXY_ENTITIES_DETAILS = "X-ProxiedEntitiesDetails"; - + private static final Pattern proxyChainPattern = Pattern.compile("<(.*?)>"); /** @@ -63,12 +61,12 @@ public class ProxiedEntitiesUtils { return xProxiedEntitiesChain; } - + /** * Builds the dn chain for the specified user. - * - * @param user The current user - * @return The dn chain for that user + * + * @param user The current user + * @return The dn chain for that user */ public static List<String> getXProxiedEntitiesChain(final NiFiUser user) { // calculate the dn chain @@ -83,13 +81,12 @@ public class ProxiedEntitiesUtils { // go to the next user in the chain chainedUser = chainedUser.getChain(); } while (chainedUser != null); - + return dnChain; } /** - * Formats the specified DN to be set as a HTTP header using well known - * conventions. + * Formats the specified DN to be set as a HTTP header using well known conventions. * * @param dn raw dn * @return the dn formatted as an HTTP header @@ -115,7 +112,6 @@ public class ProxiedEntitiesUtils { // // return dnList; // } - public static List<String> buildProxyChain(final HttpServletRequest request, final String username) { String principal; if (username.startsWith("<") && username.endsWith(">")) { 
@@ -123,12 +119,12 @@ public class ProxiedEntitiesUtils { } else { principal = formatProxyDn(username); } - + // look for a proxied user if (StringUtils.isNotBlank(request.getHeader(PROXY_ENTITIES_CHAIN))) { principal = request.getHeader(PROXY_ENTITIES_CHAIN) + principal; } - + // parse the proxy chain final List<String> proxyChain = new ArrayList<>(); final Matcher rawProxyChainMatcher = proxyChainPattern.matcher(principal); @@ -138,7 +134,7 @@ public class ProxiedEntitiesUtils { return proxyChain; } - + public static String extractProxiedEntitiesChain(final HttpServletRequest request, final String username) { String principal; if (username.startsWith("<") && username.endsWith(">")) { @@ -146,14 +142,14 @@ public class ProxiedEntitiesUtils { } else { principal = formatProxyDn(username); } - + // look for a proxied user if (StringUtils.isNotBlank(request.getHeader(PROXY_ENTITIES_CHAIN))) { principal = request.getHeader(PROXY_ENTITIES_CHAIN) + principal; } return principal; } - + public static void successfulAuthorization(HttpServletRequest request, HttpServletResponse response, Authentication authResult) { if (StringUtils.isNotBlank(request.getHeader(PROXY_ENTITIES_CHAIN))) { response.setHeader(PROXY_ENTITIES_ACCEPTED, Boolean.TRUE.toString()); http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java index 7026124..ed6e6a8 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java @@ -22,7 +22,6 @@ import org.apache.nifi.admin.service.AdministrationException; import org.apache.nifi.admin.service.UserService; import org.apache.nifi.user.NiFiUser; import org.apache.nifi.web.security.user.NiFiUserDetails; -import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.web.security.token.NiFiAuthorizationToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -30,8 +29,7 @@ import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; /** - * Custom AnonymouseAuthenticationFilter used to grant additional authorities - * depending on the current operating mode. + * Custom AnonymouseAuthenticationFilter used to grant additional authorities depending on the current operating mode. */ public class NiFiAnonymousUserFilter extends AnonymousAuthenticationFilter { @@ -39,7 +37,6 @@ public class NiFiAnonymousUserFilter extends AnonymousAuthenticationFilter { private static final String ANONYMOUS_KEY = "anonymousNifiKey"; - private NiFiProperties properties; private UserService userService; public NiFiAnonymousUserFilter() { 
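Review bot: The class Javadoc reflowed here still says the filter grants authorities "depending on the current operating mode", but the same commit removes the `NiFiProperties` import and the `properties` field, so nothing visible in this class consults an operating mode any more. The comment should describe what the filter does now, and `AnonymouseAuthenticationFilter` is misspelled. A possible wording is `Custom AnonymousAuthenticationFilter that represents unauthenticated requests as the anonymous NiFi user loaded from the accounts database.` Because `setProperties` is also removed later in this file, any bean definition that still injects `properties` would need the matching change; that wiring is not visible in this section.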
@@ -50,35 +47,26 @@ public class NiFiAnonymousUserFilter extends AnonymousAuthenticationFilter { protected Authentication createAuthentication(HttpServletRequest request) { Authentication authentication = null; - // only support anonymous when the request is non-secure or one way ssl -// if (!request.isSecure() || !properties.getNeedClientAuth()) { - if (true) { - try { - // load the anonymous user from the database - NiFiUser user = userService.getUserByDn(NiFiUser.ANONYMOUS_USER_DN); - NiFiUserDetails userDetails = new NiFiUserDetails(user); + try { + // load the anonymous user from the database + NiFiUser user = userService.getUserByDn(NiFiUser.ANONYMOUS_USER_DN); + NiFiUserDetails userDetails = new NiFiUserDetails(user); - // get the granted authorities - authentication = new NiFiAuthorizationToken(userDetails); - } catch (AdministrationException ase) { - // record the issue - anonymousUserFilterLogger.warn("Unable to load anonymous user from accounts database: " + ase.getMessage()); - if (anonymousUserFilterLogger.isDebugEnabled()) { - anonymousUserFilterLogger.warn(StringUtils.EMPTY, ase); - } + // get the granted authorities + authentication = new NiFiAuthorizationToken(userDetails); + } catch (AdministrationException ase) { + // record the issue + anonymousUserFilterLogger.warn("Unable to load anonymous user from accounts database: " + ase.getMessage()); + if (anonymousUserFilterLogger.isDebugEnabled()) { + anonymousUserFilterLogger.warn(StringUtils.EMPTY, ase); } } return authentication; } /* setters */ - public void setUserService(UserService userService) { this.userService = userService; } - public void setProperties(NiFiProperties properties) { - this.properties = properties; - } - } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/FormAuthenticationFilter.java 
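Review bot: Nothing in `createAuthentication` now limits when the anonymous user's `NiFiAuthorizationToken` is built, and the only record of the earlier intent (anonymous access only for non-secure or one-way SSL requests) is deleted along with the commented-out `request.isSecure()` / `getNeedClientAuth()` condition. Runtime behaviour is unchanged by this hunk, since the old guard was already `if (true)`. The method should state where the restriction lives now. If that is the configurable anonymous roles this commit introduces, a comment such as `// anonymous access is limited only by the roles configured for the anonymous user` would make it explicit. In the catch block the stack trace is logged with `warn(StringUtils.EMPTY, ase)` behind an `isDebugEnabled()` check; `anonymousUserFilterLogger.debug("Unable to load anonymous user", ase);` would match the level being tested.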
---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/FormAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/FormAuthenticationFilter.java index 5367ba2..46e74f3 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/FormAuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/FormAuthenticationFilter.java @@ -37,7 +37,7 @@ public class FormAuthenticationFilter extends AbstractAuthenticationProcessingFi private static final Logger logger = LoggerFactory.getLogger(FormAuthenticationFilter.class); private JwtService jwtService; - + public FormAuthenticationFilter(final String defaultFilterProcessesUrl) { super(defaultFilterProcessesUrl); } 
@@ -50,7 +50,9 @@ public class FormAuthenticationFilter extends AbstractAuthenticationProcessingFi } @Override - protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain, final Authentication authentication) throws IOException, ServletException { + protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain, final Authentication authentication) + throws IOException, ServletException { + // generate JWT for response jwtService.addToken(response, authentication); } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java index 5b85bd2..c08ff6a 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java @@ -33,7 +33,7 @@ import org.springframework.security.core.Authentication; public class JwtAuthenticationFilter extends NiFiAuthenticationFilter { private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class); - + private JwtService jwtService; @Override 
@@ -42,7 +42,7 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter { if (principal == null) { return null; } - + final List<String> proxyChain = ProxiedEntitiesUtils.buildProxyChain(request, principal); if (isNewAccountRequest(request)) { return new NewAccountAuthenticationRequestToken(new NewAccountRequest(proxyChain, getJustification(request))); http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java index 77e9982..ae459b0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java @@ -38,10 +38,10 @@ public class JwtAuthenticationProvider implements AuthenticationProvider { return null; } } - + @Override public boolean supports(Class<?> authentication) { return NiFiAuthenticationRequestToken.class.isAssignableFrom(authentication); } - + } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java index 803cd79..cfe7073 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java @@ -24,12 +24,12 @@ import org.springframework.security.core.Authentication; * */ public class JwtService { - + /** * Gets the Authentication by extracting a JWT token from the specified request. - * - * @param request Request to extract the token from - * @return The user identifier from the token + * + * @param request Request to extract the token from + * @return The user identifier from the token */ public String getAuthentication(final HttpServletRequest request) { // extract/verify token from incoming request 
@@ -37,12 +37,12 @@ public class JwtService { // create authentication using user details return null; } - + /** * Adds a token for the specified authentication in the specified response. - * - * @param response The response to add the token to - * @param authentication The authentication to generate a token for + * + * @param response The response to add the token to + * @param authentication The authentication to generate a token for */ public void addToken(final HttpServletResponse response, final Authentication authentication) { // create a token the specified authentication http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationRequestToken.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationRequestToken.java index 52e5172..41cc0c0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationRequestToken.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationRequestToken.java 
@@ -19,13 +19,12 @@ package org.apache.nifi.web.security.token; import org.apache.nifi.web.security.user.NewAccountRequest; /** - * This is an Authentication Token for a user that is request authentication in - * order to submit a new account request. + * This is an Authentication Token for a user that is request authentication in order to submit a new account request. */ public class NewAccountAuthenticationRequestToken extends NiFiAuthenticationRequestToken { final NewAccountRequest newAccountRequest; - + public NewAccountAuthenticationRequestToken(final NewAccountRequest newAccountRequest) { super(newAccountRequest.getChain()); this.newAccountRequest = newAccountRequest; @@ -34,7 +33,7 @@ public class NewAccountAuthenticationRequestToken extends NiFiAuthenticationRequ public String getJustification() { return newAccountRequest.getJustification(); } - + public NewAccountRequest getNewAccountRequest() { return newAccountRequest; } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationToken.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationToken.java index 6fe34df..5fe3a1d 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationToken.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthenticationToken.java 
@@ -20,15 +20,13 @@ import org.apache.nifi.web.security.user.NewAccountRequest; import org.springframework.security.authentication.AbstractAuthenticationToken; /** - * This is an Authentication Token for a user that has been authenticated but is - * not authorized to access the NiFi APIs. Typically, this authentication token is - * used successfully when requesting a NiFi account. Requesting any other endpoint - * would be rejected due to lack of roles. + * This is an Authentication Token for a user that has been authenticated but is not authorized to access the NiFi APIs. Typically, this authentication token is used successfully when requesting a + * NiFi account. Requesting any other endpoint would be rejected due to lack of roles. */ public class NewAccountAuthenticationToken extends AbstractAuthenticationToken { final NewAccountRequest newAccountRequest; - + public NewAccountAuthenticationToken(final NewAccountRequest newAccountRequest) { super(null); super.setAuthenticated(true); http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationRequestToken.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationRequestToken.java index 0e00e5b..3ae6491 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationRequestToken.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationRequestToken.java @@ -21,14 +21,13 @@ import java.util.List; import org.springframework.security.authentication.AbstractAuthenticationToken; /** - * An authentication token that is used as an authentication request. The request - * chain is specified during creation and is used authenticate the user(s). If the - * user is authenticated, the token is used to authorized the user(s). + * An authentication token that is used as an authentication request. The request chain is specified during creation and is used authenticate the user(s). If the user is authenticated, the token is + * used to authorized the user(s). */ public class NiFiAuthenticationRequestToken extends AbstractAuthenticationToken { private final List<String> chain; - + public NiFiAuthenticationRequestToken(final List<String> chain) { super(null); this.chain = chain; @@ -43,7 +42,7 @@ public class NiFiAuthenticationRequestToken extends AbstractAuthenticationToken public Object getPrincipal() { return chain; } - + public List<String> getChain() { return Collections.unmodifiableList(chain); } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationToken.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationToken.java index 0945d08..0cb0353 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationToken.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationToken.java @@ -20,13 +20,12 @@ import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.core.userdetails.UserDetails; /** - * An authentication token that represents an Authenticated and Authorized user - * of the NiFi Apis. The authorities are based off the specified UserDetails. + * An authentication token that represents an Authenticated and Authorized user of the NiFi Apis. The authorities are based off the specified UserDetails. */ public class NiFiAuthorizationToken extends AbstractAuthenticationToken { final UserDetails nifiUserDetails; - + public NiFiAuthorizationToken(final UserDetails nifiUserDetails) { super(nifiUserDetails.getAuthorities()); super.setAuthenticated(true); http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NewAccountRequest.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NewAccountRequest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NewAccountRequest.java index e70c5ab..3ec147a 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NewAccountRequest.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NewAccountRequest.java @@ -1,3 +1,19 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.nifi.web.security.user; import java.util.List; @@ -22,10 +38,10 @@ public class NewAccountRequest { public String getJustification() { return justification; } - + public String getUsername() { // the end user is the first item in the chain return chain.get(0); } - + } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserDetails.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserDetails.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserDetails.java index 0fc2f53..5645f78 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserDetails.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserDetails.java @@ -41,7 +41,7 @@ public class NiFiUserDetails implements UserDetails { public NiFiUserDetails(NiFiUser user) { this.user = user; } - + /** * Get the user for this UserDetails. * http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserUtils.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserUtils.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserUtils.java index e435ade..341663e 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserUtils.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/user/NiFiUserUtils.java @@ -25,8 +25,7 @@ import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; /** - * Utility methods for retrieving information about the current application - * user. + * Utility methods for retrieving information about the current application user. * */ public final class NiFiUserUtils { 
@@ -58,8 +57,7 @@ public final class NiFiUserUtils { } /** - * Returns the current NiFiUser or null if the current user is not a - * NiFiUser. + * Returns the current NiFiUser or null if the current user is not a NiFiUser. * * @return user */ @@ -78,15 +76,15 @@ public final class NiFiUserUtils { return user; } - + /** * Returns the NewAccountRequest or null if this is not a new account request. - * + * * @return new account request */ public static NewAccountRequest getNewAccountRequest() { NewAccountRequest newAccountRequest = null; - + // obtain the principal in the current authentication final SecurityContext context = SecurityContextHolder.getContext(); final Authentication authentication = context.getAuthentication(); @@ -96,7 +94,7 @@ public final class NiFiUserUtils { newAccountRequest = (NewAccountRequest) principal; } } - + return newAccountRequest; } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java index 609edd8..4af2f16 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java 
@@ -34,13 +34,12 @@ import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor; /** - * Custom X509 filter that will inspect the HTTP headers for a proxied user - * before extracting the user details from the client certificate. + * Custom X509 filter that will inspect the HTTP headers for a proxied user before extracting the user details from the client certificate. */ public class X509AuthenticationFilter extends NiFiAuthenticationFilter { private static final Logger logger = LoggerFactory.getLogger(X509AuthenticationFilter.class); - + private X509PrincipalExtractor principalExtractor; private X509CertificateExtractor certificateExtractor; private OcspCertificateValidator certificateValidator; @@ -88,7 +87,7 @@ public class X509AuthenticationFilter extends NiFiAuthenticationFilter { } return null; } - + final List<String> proxyChain = ProxiedEntitiesUtils.buildProxyChain(request, principal); if (isNewAccountRequest(request)) { return new NewAccountAuthenticationRequestToken(new NewAccountRequest(proxyChain, getJustification(request))); @@ -98,7 +97,6 @@ public class X509AuthenticationFilter extends NiFiAuthenticationFilter { } /* setters */ - public void setCertificateValidator(OcspCertificateValidator certificateValidator) { this.certificateValidator = certificateValidator; } http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java index d24b9cb..df23856 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java @@ -1,3 +1,19 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.nifi.web.security.x509; import org.apache.nifi.web.security.token.NewAccountAuthenticationRequestToken; 
@@ -22,10 +38,10 @@ public class X509AuthenticationProvider implements AuthenticationProvider {
 return null;
 }
 }
-
+
 @Override
 public boolean supports(Class<?> authentication) {
 return NiFiAuthenticationRequestToken.class.isAssignableFrom(authentication);
 }
-
+
 }
http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiConfiguration.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiConfiguration.java
index 2c9bdf5..320655a 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiConfiguration.java
@@ -24,12 +24,12 @@ import org.springframework.context.annotation.ImportResource;
 *
 */
 @Configuration
-@Import({ NiFiWebUiSecurityConfiguration.class})
-@ImportResource( {"classpath:nifi-context.xml",
+@Import({NiFiWebUiSecurityConfiguration.class})
+@ImportResource({"classpath:nifi-context.xml",
 "classpath:nifi-administration-context.xml",
 "classpath:nifi-cluster-manager-context.xml",
 "classpath:nifi-cluster-protocol-context.xml",
- "classpath:nifi-web-security-context.xml"} )
+ "classpath:nifi-web-security-context.xml"})
 public class NiFiWebUiConfiguration {
-
+
 }
http://git-wip-us.apache.org/repos/asf/nifi/blob/d21d8f31/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiSecurityConfiguration.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiSecurityConfiguration.java
index 09f5fbe..f44622c 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/java/org/apache/nifi/web/NiFiWebUiSecurityConfiguration.java
@@ -39,7 +39,7 @@ public class NiFiWebUiSecurityConfiguration extends WebSecurityConfigurerAdapter
 }
 private JwtService jwtService;
-
+
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
 http
@@ -47,7 +47,7 @@ public class NiFiWebUiSecurityConfiguration extends WebSecurityConfigurerAdapter
 .sessionManagement()
 .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 }
-
+
 private FormAuthenticationFilter buildFormLoginFilter() throws Exception {
 final FormAuthenticationFilter loginFilter = new FormAuthenticationFilter("/token");
 loginFilter.setJwtService(jwtService);
@@ -65,5 +65,5 @@ public class NiFiWebUiSecurityConfiguration extends WebSecurityConfigurerAdapter
 public void setJwtService(JwtService jwtService) {
 this.jwtService = jwtService;
 }
-
+
 }