[
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914507&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914507
]
ASF GitHub Bot logged work on KNOX-3028:
----------------------------------------
Author: ASF GitHub Bot
Created on: 13/Apr/24 20:29
Start Date: 13/Apr/24 20:29
Worklog Time Spent: 10m
Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564239406
##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -780,26 +782,98 @@ private X509Certificate
extractCertificate(HttpServletRequest req) {
return null;
}
- private Response getAuthenticationToken() {
- if (clientCertRequired) {
- X509Certificate cert = extractCertificate(request);
- if (cert != null) {
- if
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
- return Response.status(Response.Status.FORBIDDEN)
- .entity("{ \"Unable to get token - untrusted client
cert.\" }")
- .build();
- }
+ protected Response getAuthenticationToken() {
+ Response response = enforceClientCertIfRequired();
+ if (response != null) { return response; }
+
+ response = onlyAllowGroupsToBeAddedWhenEnabled();
+ if (response != null) { return response; }
+
+ UserContext context = buildUserContext(request);
+
+ response = enforceTokenLimitsAsRequired(context.userName);
+ if (response != null) { return response; }
+
+ TokenResponse resp = getTokenResponse(context);
+ return resp.build();
+ }
+
+ protected TokenResponse getTokenResponse(UserContext context) {
+ TokenResponse response = null;
+ long expires = getExpiry();
+ setupPublicCertPEM();
+ String jku = getJku();
+ try
+ {
+ JWT token = getJWT(context.userName, expires, jku);
+ if (token != null) {
+ ResponseMap result = buildResponseMap(token, expires);
+ String jsonResponse = JsonUtils.renderAsJsonString(result.map);
+ persistTokenDetails(result, expires, context.userName,
context.createdBy);
+
+ response = new TokenResponse(result, jsonResponse, Response.ok());
} else {
- return Response.status(Response.Status.FORBIDDEN)
- .entity("{ \"Unable to get token - client cert
required.\" }")
- .build();
+ response = new TokenResponse(null, null, Response.serverError());
+ }
+ } catch (TokenServiceException e) {
+ log.unableToIssueToken(e);
+ response = new TokenResponse(null
+ , "{ \"Unable to acquire token.\" }"
+ , Response.serverError());
+ }
+ return response;
+ }
+
+ protected static class TokenResponse {
+ public ResponseMap responseMap;
+ public String responseStr;
+ public Response.ResponseBuilder responseBuilder;
+
+ public TokenResponse(ResponseMap respMap, String resp,
Response.ResponseBuilder builder) {
+ responseMap = respMap;
+ responseStr = resp;
+ responseBuilder = builder;
+ }
+
+ public Response build() {
+ Response response = null;
+ if (responseStr != null) {
+ response = responseBuilder.entity(responseStr).build();
}
+ else {
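Review bot: the `token == null` branch in `getTokenResponse` builds `new TokenResponse(null, null, Response.serverError())`, so `build()` never reaches `responseBuilder.entity(responseStr)` and the client gets a bodyless 500 with nothing logged, while the `TokenServiceException` branch logs and returns `"{ \"Unable to acquire token.\" }"`; give the null-token branch the same entity and a log call so both failures are distinguishable in logs and identical to clients. Related: that entity (and the removed `"{ \"Unable to get token - untrusted client cert.\" }"`) is not a valid JSON object, only a bare string inside braces, which matters now that this path is being adapted for OAuth clients that parse error bodies; `{"error":"..."}` would be safer. Minor: the three `public` fields on `TokenResponse` are only assigned in the constructor and could be `final`.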
Review Comment:
Again, always this way, which is why it isn't a codestyle violation.
Issue Time Tracking
-------------------
Worklog Id: (was: 914507)
Time Spent: 50m (was: 40m)
> KnoxToken extension for OAuth Token Flows
> -----------------------------------------
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to
> include OAuth specifics such as expected URL, error messages and flows to
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST
> Catalog API. In this specific use case, we need to intercept the use of the
> following endpoint URLs and serve the token exchange flow for the
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the OpenAPI description for
> the catalog API [1].
> In addition to this use case, we should add generic support for the token
> exchange flow with a more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing
> KNOXTOKEN service with an extension of the TokenResource which adapts the
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to
> register a url pattern for each usecase and the resource path within the
> jersey service will need to accommodate the dynamic nature of the Iceberg
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and needs to match the
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining
> path fragment being optional for the iceberg specific "tokens".
> Not pretty but it will work.
> 1.
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
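The URL rule described in the issue, as an added example that is not part of the ticket or of the Knox code base. It is one reading of the rule: a single regex carries the wildcarded service segment, then `v1`, then `token` or `oauth`, then the optional `tokens` fragment, and the captured service segment is checked against configured names so that an arbitrary prefix cannot reach the token flow. The class, method, pattern and the way catalog names are supplied are hypothetical; Knox's own Jersey path annotations and configuration are not shown here.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Knox code: the KNOX-3028 path rule as one regex with the
// leading service name as a wildcarded path param that is then checked against
// configuration. Class, method and pattern names are assumptions for illustration.
public final class OAuthTokenPathMatcher {

    // Assumed pattern: /<service>/v1/(token|oauth) with an optional trailing "tokens"
    // fragment (the Iceberg-specific form) and an optional trailing slash.
    private static final Pattern TOKEN_PATH = Pattern.compile(
        "^/(?<service>[A-Za-z0-9_-]+)/v1/(?<kind>token|oauth)(?:/(?<rest>tokens))?/?$");

    // Configured catalog service names (the ticket's "icecli" is one example).
    private final Set<String> catalogServiceNames;

    public OAuthTokenPathMatcher(Set<String> catalogServiceNames) {
        this.catalogServiceNames = catalogServiceNames;
    }

    // Returns the matched token path suffix ("token", "oauth" or "oauth/tokens"),
    // or null when the request must not be treated as a token endpoint.
    public String classify(String path) {
        Matcher m = TOKEN_PATH.matcher(path);
        if (!m.matches()) {
            return null;
        }
        String service = m.group("service");
        // The wildcard only captures the segment; it still has to equal the first-class
        // "oauth" service or a configured catalog service name, otherwise any prefix
        // would reach the token flow.
        if (!"oauth".equals(service) && !catalogServiceNames.contains(service)) {
            return null;
        }
        String rest = m.group("rest");
        return rest == null ? m.group("kind") : m.group("kind") + "/" + rest;
    }

    public static void main(String[] args) {
        OAuthTokenPathMatcher matcher = new OAuthTokenPathMatcher(Set.of("icecli"));
        String[] paths = {
            "/oauth/v1/token",          // generic Knox form            -> token
            "/icecli/v1/oauth/tokens/", // Iceberg REST catalog form    -> oauth/tokens
            "/icecli/v1/oauth/tokens",  // same without trailing slash  -> oauth/tokens
            "/other/v1/oauth/tokens",   // unconfigured service prefix  -> null
            "/icecli/v1/oauth/refresh", // fragment other than "tokens" -> null
            "/icecli/v2/oauth/tokens"   // wrong version segment        -> null
        };
        for (String p : paths) {
            System.out.println(p + " -> " + matcher.classify(p));
        }
    }
}
```

The point of keeping the service segment as a capture rather than a literal is the one the ticket makes: "icecli" is configurable, so the pattern must wildcard it, but the value still has to be compared with what is configured before the request is handed to the token exchange code.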