Alon Bar-Lev has uploaded a new change for review. Change subject: aaa: enable accept engine session using header ......................................................................
aaa: enable accept engine session using header new header OVIRT-INTERNAL-ENGINE-AUTH-TOKEN accepts token that is signed engine session id, as session id is plain uuid which is not enough random. a new query GetEngineSessionIdToken returns this token. ui should use the new query and apply the header to avoid double login. this may be temporary solution for 3.5 life cycle, as such applied only for restapi. query untested. Change-Id: I028082cced7043b5af0b9fa7b0548ba888996e9d Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1161734 Signed-off-by: Alon Bar-Lev <alo...@redhat.com> --- A backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java A backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml 5 files changed, 113 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/69/35069/1 diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java new file mode 100644 index 0000000..5640776 --- /dev/null +++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java 
@@ -0,0 +1,37 @@
+package org.ovirt.engine.core.aaa.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.ovirt.engine.core.common.constants.SessionConstants;
+
+public class EngineSessionTokenAuthenticationFilter implements Filter {
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+ ServletException {
+ HttpServletRequest req = (HttpServletRequest) request;
+ if (!FiltersHelper.isAuthenticated(req)) {
+ String token = req.getHeader(FiltersHelper.Constants.HEADER_ENGINE_AUTH_TOKEN);
+ if (token != null) {
+ request.setAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY, FiltersHelper.getTokenContent(token));
+ }
+ }
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
index 862a730..d082349 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
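Review bot: `FiltersHelper.getTokenContent(token)` in doFilter throws IllegalArgumentException for any malformed or forged header value, and nothing in the filter catches it, so a bad token (or a stale one after an engine restart, since the signing key is regenerated per instance) becomes an unhandled servlet exception and a 500 instead of an unauthenticated request reaching the normal challenge. Wrap the call so a rejected token simply leaves the request unauthenticated; if you add logging, log only that verification failed, never the token value, since it is a bearer credential. The class also carries no Javadoc; a header such as `/** Accepts an HMAC-signed engine session id from the OVIRT-INTERNAL-ENGINE-AUTH-TOKEN header and exposes it as the request's engine session id attribute for the downstream session filters. */` would record the contract.
```java
if (token != null) {
    try {
        request.setAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY,
                FiltersHelper.getTokenContent(token));
    } catch (IllegalArgumentException e) {
        // Malformed, forged or stale token: leave the request unauthenticated
        // and let the downstream filters issue the usual challenge.
        // Never log the token value; it is a bearer credential.
    }
}
// … unchanged: chain.doFilter(request, response) …
```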
@@ -1,11 +1,18 @@ package org.ovirt.engine.core.aaa.filters; +import java.nio.charset.Charset; +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; import java.util.Enumeration; +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; import javax.naming.Context; import javax.naming.NamingException; import javax.servlet.http.HttpServletRequest; +import org.apache.commons.codec.binary.Base64; import org.apache.http.HeaderElement; import org.apache.http.message.BasicHeaderValueParser; import org.ovirt.engine.core.common.constants.SessionConstants; @@ -23,6 +30,18 @@ public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate"; public static final String HEADER_PREFER = "Prefer"; public static final String HEADER_JSESSIONID_COOKIE = "JSESSIONID"; + public static final String HEADER_ENGINE_AUTH_TOKEN = "OVIRT-INTERNAL-ENGINE-AUTH-TOKEN"; + } + + private static final String HMAC_ALGO = "HmacSHA1"; + + private static SecretKey instanceKey; + static { + try { + instanceKey = KeyGenerator.getInstance(HMAC_ALGO).generateKey(); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } } public static BackendLocal getBackend(Context context) { 
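Review bot: In the second hunk `instanceKey` is a mutable static that is only ever assigned in the static initializer; declare it `private static final SecretKey INSTANCE_KEY;` (assigned in the same block) so nothing can replace the verification key later. The key is generated fresh on every class load, so every issued token is invalidated by an engine restart; that appears intended from the "instance" naming but deserves a comment, e.g. `// Per-process key: tokens are valid only for the lifetime of this engine instance and never survive a restart.` FiltersHelper is both the issuer (called from the bll query in this change) and the verifier (the restapi filter), so if the aaa module were loaded by more than one classloader in the deployment — say a copy inside the WAR and one in the EAR — each copy would generate its own key and no issued token would ever verify; worth confirming with a deployment test, given the commit message says the query is untested. Note also that the `RuntimeException` thrown here surfaces as ExceptionInInitializerError on first use, which is acceptable but should be expected.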
@@ -57,4 +76,35 @@ return false; } + private static String hmacString(String s) { + try { + Mac mac = Mac.getInstance(HMAC_ALGO); + mac.init(instanceKey); + return new Base64(0).encodeToString(mac.doFinal(s.getBytes(Charset.forName("UTF-8")))); + } catch(GeneralSecurityException e) { + throw new RuntimeException(e); + } + } + + public static String getTokenInstance(String content) { + return String.format("0|%s|%s", content, hmacString(content)); + } + + public static String getTokenContent(String token) { + String s[] = token.split("\\|", 3); + if (s.length != 3) { + throw new IllegalArgumentException("Invalid session token format"); + } + if (!"0".equals(s[0])) { + throw new IllegalArgumentException("Invalid session token version"); + } + if (s[1].isEmpty() || s[2].isEmpty()) { + throw new IllegalArgumentException("Invalid session token format"); + } + if (!s[2].equals(hmacString(s[1]))) { + throw new IllegalArgumentException("Invalid session token instance"); + } + return s[1]; + } + } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java new file mode 100644 index 0000000..8884dd0 --- /dev/null +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java 
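Review bot: `!s[2].equals(hmacString(s[1]))` in getTokenContent compares the MAC with a short-circuiting String equality, which leaks the position of the first mismatching byte through timing; the standard practice for MAC verification is a constant-time compare, e.g. `if (!MessageDigest.isEqual(hmacString(s[1]).getBytes(StandardCharsets.UTF_8), s[2].getBytes(StandardCharsets.UTF_8)))` with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the import hunk. The same `StandardCharsets.UTF_8` can replace `Charset.forName("UTF-8")` in hmacString. HMAC-SHA1 is still sound as a MAC, but `HmacSHA256` is the usual choice for new code and costs nothing here since the key is generated to match. Both public methods lack Javadoc: getTokenInstance should state that its result is a bearer credential exactly as powerful as the session id it wraps, and getTokenContent that it returns the verified session id or throws IllegalArgumentException on any structural or signature failure.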
@@ -0,0 +1,16 @@ +package org.ovirt.engine.core.bll.aaa; + +import org.ovirt.engine.core.aaa.filters.FiltersHelper; +import org.ovirt.engine.core.bll.QueriesCommandBase; +import org.ovirt.engine.core.common.queries.VdcQueryParametersBase; + +public class GetEngineSessionIdTokenQuery<P extends VdcQueryParametersBase> extends QueriesCommandBase<P> { + public GetEngineSessionIdTokenQuery(P parameters) { + super(parameters); + } + + protected void executeQueryCommand() { + getQueryReturnValue().setReturnValue(FiltersHelper.getTokenInstance(getParameters().getSessionId())); + getQueryReturnValue().setSucceeded(true); + } +} diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java index a35fde4..72b4902 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java @@ -153,6 +153,7 @@ GetDbUserByUserId(VdcQueryAuthType.User), GetDbUserByUserNameAndDomain(VdcQueryAuthType.User), GetUserBySessionId(VdcQueryAuthType.User), + GetEngineSessionIdToken(VdcQueryAuthType.User), // Directory queries: GetDirectoryUserById(VdcQueryAuthType.User), diff --git a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml index 6805f20..9a108c4 100644 --- a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml +++ b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml 
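Review bot: executeQueryCommand signs and returns whatever `getParameters().getSessionId()` holds, so the query's safety rests entirely on QueriesCommandBase having already validated that session id as the caller's own authenticated session before this method runs; that base class is not part of this change, and since the commit message says the query is untested, a test that the query cannot mint a token for a session id the caller does not hold is the first thing to add. The method is also missing `@Override` on `protected void executeQueryCommand()`. A class Javadoc should say what the return value is, e.g. `/** Returns an HMAC-signed token for the caller's engine session id, accepted by the REST API via the OVIRT-INTERNAL-ENGINE-AUTH-TOKEN header. The token is a bearer credential as powerful as the session id and must not be logged or exposed outside the authenticated session. */`.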
@@ -43,6 +43,15 @@ </filter-mapping> <filter> + <filter-name>EngineSessionTokenAuthenticationFilter</filter-name> + <filter-class>org.ovirt.engine.core.aaa.filters.EngineSessionTokenAuthenticationFilter</filter-class> + </filter> + <filter-mapping> + <filter-name>EngineSessionTokenAuthenticationFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + + <filter> <filter-name>SessionValidationFilter</filter-name> <filter-class>org.ovirt.engine.core.aaa.filters.SessionValidationFilter</filter-class> </filter> -- To view, visit http://gerrit.ovirt.org/35069 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I028082cced7043b5af0b9fa7b0548ba888996e9d Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
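Review bot: Filter-mapping order in web.xml is chain order, and the new EngineSessionTokenAuthenticationFilter mapping is placed ahead of SessionValidationFilter and behind the preceding mapping, but nothing records that this placement is load-bearing: the filter only acts when `isAuthenticated()` is false and presumably SessionValidationFilter is what consumes the engine session id attribute it sets, so moving either mapping would silently break header authentication. Add an XML comment above the new `<filter>` such as `<!-- Must be mapped after the filters that establish an authenticated session and before SessionValidationFilter, which relies on the engine session id attribute this filter sets from the OVIRT-INTERNAL-ENGINE-AUTH-TOKEN header. -->`. Since the credential travels in a custom request header rather than a cookie, browsers will not attach it cross-origin without a CORS preflight, so this path does not widen CSRF exposure; that is worth stating in the same comment so a later change does not move it to a cookie.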