Alon Bar-Lev has posted comments on this change. Change subject: aaa: Intorduce filters ......................................................................
Patch Set 8: (13 comments) http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java: Line 23: public class BasicAuthenticationFilter implements Filter { Line 24: Line 25: private static enum UserNameFormat { Line 26: UPN, Line 27: DOWN_LEVEL_LOGON_NAME interesting name :) RESTAPI_SPECIFIC? Line 28: }; Line 29: Line 30: private static Log log = LogFactory.getLog(BasicAuthenticationFilter.class); Line 31: private UserNameFormat userNameFormat; Line 47: if (!FiltersHelper.isAuthenticated(req)) { Line 48: chain.doFilter(request, response); Line 49: String headerValue = req.getHeader("Authorization"); Line 50: if (headerValue != null && headerValue.startsWith("Basic ")) { Line 51: String credentials = headerValue.substring("Basic".length()); are you sure you need credentials temp variable? Line 52: String userPass = new String(Base64.decodeBase64(credentials), Charset.defaultCharset().toString()); Line 53: String[] creds = userPass.split(":", 2); Line 54: if (creds != null && creds.length == 2) { Line 55: handleCredentials(request, creds[0], creds[1], getSeparator(creds[0])); Line 48: chain.doFilter(request, response); Line 49: String headerValue = req.getHeader("Authorization"); Line 50: if (headerValue != null && headerValue.startsWith("Basic ")) { Line 51: String credentials = headerValue.substring("Basic".length()); Line 52: String userPass = new String(Base64.decodeBase64(credentials), Charset.defaultCharset().toString()); are you sure you need userPass temp variable? also, never use default charset for something you accept over wire. String[] creds = new String( Base64.decodeBase64(headerValue.substring("Basic".length())), Charset.forName("UTF-8") ).split(":", 2) Line 53: String[] creds = userPass.split(":", 2); Line 54: if (creds != null && creds.length == 2) { Line 55: handleCredentials(request, creds[0], creds[1], getSeparator(creds[0])); Line 56: } Line 51: String credentials = headerValue.substring("Basic".length()); Line 52: String userPass = new String(Base64.decodeBase64(credentials), Charset.defaultCharset().toString()); Line 53: String[] creds = userPass.split(":", 2); Line 54: if (creds != null && creds.length == 2) { Line 55: handleCredentials(request, creds[0], creds[1], getSeparator(creds[0])); decide... either to resolve user/profile here or do this within the function... do not mix Line 56: } Line 57: } Line 58: } Line 59: chain.doFilter(request, response); Line 62: Line 63: private int getSeparator(String qualified) { Line 64: int result = -1; Line 65: if (userNameFormat == UserNameFormat.UPN && qualified.indexOf("\\") == -1) { Line 66: result = qualified.lastIndexOf("@"); I think that if this is the new notation you accept it as-is, fall back only if there is no \ atIndex = qualified.lastIndexOf("@") if (atIndex != -1) { } else if (userNameFormat == UserNameFormat.DOWN_LEVEL_LOGON_NAME) { backslashIndex = ... } Line 67: } else if (userNameFormat == UserNameFormat.DOWN_LEVEL_LOGON_NAME && qualified.indexOf("@") == -1) { Line 68: result = qualified.lastIndexOf("\\"); Line 69: } Line 70: return result; Line 80: } else { Line 81: // legacy format: profile\\user Line 82: profileName = qualified.substring(0, index); Line 83: user = qualified.substring(index + 1); Line 84: } resolve the user -> profile + user should be at one place... do not split it between functions. Line 85: Line 86: AuthenticationProfile profile = AuthenticationProfileRepository.getInstance().getProfile(profileName); Line 87: if (profile == null) { Line 88: String msg = String.format("Error in obtaining profile %1$s", profileName); Line 104: if (outputMap.<Integer> get(Base.InvokeKeys.RESULT) == Base.InvokeResult.SUCCESS && Line 105: outputMap.<Integer> get(Authn.InvokeKeys.RESULT) == Authn.AuthResult.SUCCESS) { Line 106: request.setAttribute(FiltersHelper.Constants.AUTH_RECORD_KEY, outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD)); Line 107: request.setAttribute(FiltersHelper.Constants.PROFILE_KEY, profileName); Line 108: } else { here we should also call accouting (in future) Line 109: log.error( Line 110: String.format( Line 111: "Failure in authentication to profile %1$s. Invocation Result code is %2$s. Authn result code is %3$s", Line 112: profileName, http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java: Line 37: Line 38: public static boolean isAuthenticated(HttpServletRequest request) { Line 39: HttpSession session = request.getSession(false); Line 40: return session != null && session.getAttribute(Constants.AUTHENTICATED_KEY) != null Line 41: && (boolean) session.getAttribute(Constants.AUTHENTICATED_KEY); maybe? return session != null && Boolean.valueOf(session.getAttribute("..")); Line 42: } Line 43: http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java: Line 46: */ Line 47: private static final String STACK_ATTR = NegotiationFilter.class.getName() + ".stack"; Line 48: Line 49: Line 50: private static final String CAPABILITIES_PARAMETER = "CAPABILITIES"; why upper case? Line 51: Line 52: @Override Line 53: public void init(FilterConfig filterConfig) throws ServletException { Line 54: String capsParam = filterConfig.getInitParameter(CAPABILITIES_PARAMETER); Line 54: String capsParam = filterConfig.getInitParameter(CAPABILITIES_PARAMETER); Line 55: if (capsParam == null) { Line 56: caps = 0; Line 57: } else { Line 58: for (String nego : capsParam.trim().split("\\|")) { should be: " *\\| *" Line 59: try { Line 60: caps |= Authn.Capabilities.class.getField(nego).getInt(null); Line 61: } catch (IllegalArgumentException | IllegalAccessException | NoSuchFieldException ex) { Line 62: log.error(String.format("Error calculating authn capabilities while accessing constant %1$s", nego)); Line 79: if (profiles == null) { Line 80: synchronized (this) { Line 81: if (profiles == null) { Line 82: schemes = new ArrayList<>(); Line 83: profiles = new ArrayList<AuthenticationProfile>(1); why 1? Line 84: Line 85: for (AuthenticationProfile profile : AuthenticationProfileRepository.getInstance().getProfiles()) { Line 86: if (profile != null) { Line 87: ExtMap authnContext = profile.getAuthn().getContext(); Line 152: Line 153: switch (output.<Integer> get(Authn.InvokeKeys.RESULT)) { Line 154: case Authn.AuthResult.SUCCESS: Line 155: ExtMap authRecord = output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD); Line 156: session.setAttribute(FiltersHelper.Constants.AUTH_RECORD_KEY, authRecord); put profile name? Line 157: session.removeAttribute(STACK_ATTR); Line 158: break; Line 159: Line 160: case Authn.AuthResult.NEGOTIATION_UNAUTHORIZED: http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java File backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java: I still think we should split this base command into two... one that is called by ui and accept user/password/profile and the other that is called by login filter and the 1st with auth_record. Line 1: package org.ovirt.engine.core.bll; Line 2: Line 3: import java.text.ParseException; Line 4: import java.text.SimpleDateFormat; -- To view, visit http://gerrit.ovirt.org/28022 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ia5536d123b6407acf41b6946dde796bd67d1e073 Gerrit-PatchSet: 8 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Barak Azulay <bazu...@redhat.com> Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com> Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com> Gerrit-Reviewer: Yair Zaslavsky <yzasl...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
