Ravi Nori has uploaded a new change for review. Change subject: aaa: Remove basic auth and negotiate aaa filters ......................................................................
aaa: Remove basic auth and negotiate aaa filters

Basic auth and negotiate filters on engine side are not required

Change-Id: I5f72bc953113c4b21349c7e0023ec924185b6a53
Bug-Url: https://bugzilla.redhat.com/1092744
Signed-off-by: Ravi Nori <rn...@redhat.com>
---
D backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java
D backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
M frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
5 files changed, 0 insertions(+), 445 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/08/40108/1

diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java
deleted file mode 100644
index d74b139..0000000
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java
+++ /dev/null
@@ -1,183 +0,0 @@
-package org.ovirt.engine.core.aaa.filters;
-
-import java.io.IOException;
-import java.lang.reflect.Field;
-import java.nio.charset.Charset;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.commons.codec.binary.Base64;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.ovirt.engine.api.extensions.Base;
-import org.ovirt.engine.api.extensions.ExtMap;
-import org.ovirt.engine.api.extensions.aaa.Acct;
-import org.ovirt.engine.api.extensions.aaa.Authn;
-import org.ovirt.engine.core.aaa.AcctUtils;
-import org.ovirt.engine.core.aaa.AuthType;
-import org.ovirt.engine.core.aaa.AuthenticationProfile;
-import org.ovirt.engine.core.aaa.AuthenticationProfileRepository;
-
-public class BasicAuthenticationFilter implements Filter {
-
- private static enum UserNameFormat {
- UPN,
- RESTAPI_SPECIFIC
- };
-
- private static class UserProfile {
-
- private String userName;
- private AuthenticationProfile profile;
-
- public UserProfile(String user, AuthenticationProfile profile) {
- this.userName = user;
- this.profile = profile;
- }
- }
-
- private static final Map<Integer, String> authResultMap;
- static {
- try {
- authResultMap = new HashMap<Integer, String>();
- for (Field field : Authn.AuthResult.class.getFields()) {
- authResultMap.put((Integer)field.get(null), field.getName());
- }
- } catch (IllegalAccessException e) {
- throw new RuntimeException(e);
- }
- }
-
- private static final Logger log = LoggerFactory.getLogger(BasicAuthenticationFilter.class);
- private UserNameFormat userNameFormat = UserNameFormat.UPN;
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- try {
- userNameFormat = UserNameFormat.valueOf(filterConfig.getInitParameter("user-name-format"));
- } catch (Exception ex) {
- log.error("The value {} is not a valid UserNameFormat. setting UPN as default", filterConfig.getInitParameter("user-name-format"));
- }
-
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
- ServletException {
- HttpServletRequest req = (HttpServletRequest) request;
- if (!FiltersHelper.isAuthenticated(req)) {
- String headerValue = req.getHeader(FiltersHelper.Constants.HEADER_AUTHORIZATION);
- if (headerValue != null && headerValue.startsWith("Basic ")) {
- String[] creds = new String(
- Base64.decodeBase64(headerValue.substring("Basic".length())),
- Charset.forName("UTF-8")
- ).split(":", 2);
- if (creds != null && creds.length == 2) {
- handleCredentials(req, creds[0], creds[1]);
- } else {
- log.error("Error in parsing basic authorization information");
- }
- }
- }
- chain.doFilter(request, response);
- }
-
-
- private UserProfile translateUser(String translateFrom) {
- UserProfile result = translateUserProfileUpn(translateFrom);
- if (userNameFormat == UserNameFormat.RESTAPI_SPECIFIC && result == null) {
- result = translateUserRestApiSpecific(translateFrom);
- }
- if (result == null) {
- result = new UserProfile(translateFrom, null);
- }
- return result;
- }
-
- private UserProfile translateUserProfileUpn(String translateFrom) {
- UserProfile result = null;
- int separator = translateFrom.lastIndexOf("@");
- if (separator != -1) {
- String profileName = translateFrom.substring(separator + 1);
- AuthenticationProfile profile = AuthenticationProfileRepository.getInstance().getProfile(profileName);
- result = profile != null ? new UserProfile(translateFrom.substring(0, separator), profile) : null;
- }
- return result;
- }
-
- private UserProfile translateUserRestApiSpecific(String translateFrom) {
- UserProfile result = null;
- int separator = translateFrom.indexOf("\\");
- if (separator != -1) {
-
- String profileName = translateFrom.substring(0, separator);
- AuthenticationProfile profile = AuthenticationProfileRepository.getInstance().getProfile(profileName);
- result = profile != null ? new UserProfile(translateFrom.substring(separator + 1), profile) : null;
- }
- return result;
- }
-
-
- private void handleCredentials(HttpServletRequest request, String user, String password) {
- UserProfile userProfile = translateUser(user);
- if (userProfile == null || userProfile.profile == null) {
- log.error("Cannot obtain profile for user {}", user);
- } else {
- ExtMap outputMap = userProfile.profile.getAuthn().invoke(new ExtMap().mput(
- Base.InvokeKeys.COMMAND,
- Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
- ).mput(
- Authn.InvokeKeys.USER,
- userProfile.userName
- ).mput(
- Authn.InvokeKeys.CREDENTIALS,
- password
- )
- );
- if (outputMap.<Integer> get(Base.InvokeKeys.RESULT) == Base.InvokeResult.SUCCESS &&
- outputMap.<Integer> get(Authn.InvokeKeys.RESULT) == Authn.AuthResult.SUCCESS) {
- request.setAttribute(FiltersHelper.Constants.REQUEST_AUTH_RECORD_KEY,
- outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD));
- request.setAttribute(FiltersHelper.Constants.REQUEST_AUTH_TYPE_KEY, AuthType.CREDENTIALS);
- request.setAttribute(FiltersHelper.Constants.REQUEST_PROFILE_KEY, userProfile.profile.getName());
- request.setAttribute(FiltersHelper.Constants.REQUEST_PASSWORD_KEY, password);
- } else {
- int authResultCode = outputMap.<Integer> get(Authn.InvokeKeys.RESULT, Authn.AuthResult.GENERAL_ERROR);
- String authnResult = authResultMap.get(authResultCode);
- if (authnResult == null) {
- authnResult = Integer.toString(authResultCode);
- }
- AcctUtils.reportRecords(
- Acct.ReportReason.PRINCIPAL_LOGIN_FAILED,
- userProfile.profile.getAuthzName(),
- userProfile.userName,
- null,
- null,
- "Basic authentication failed for User %1$s (%2$s).",
- userProfile.userName,
- authnResult
- );
- log.error("User {} authentication failed. profile is {}. Invocation Result code is {}. Authn result code is {}",
- userProfile.userName,
- userProfile.profile.getName(),
- outputMap.<Integer> get(Base.InvokeKeys.RESULT),
- authnResult
- );
- }
- }
- }
-
-
- @Override
- public void destroy() {
- }
-
-}
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java
deleted file mode 100644
index 59e02a0..0000000
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java
+++ /dev/null
@@ -1,184 +0,0 @@
-package org.ovirt.engine.core.aaa.filters;
-
-import java.io.IOException;
-import java.util.ArrayDeque;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.Deque;
-import java.util.List;
-import java.util.Observable;
-import java.util.Observer;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.ovirt.engine.api.extensions.Base;
-import org.ovirt.engine.api.extensions.ExtMap;
-import org.ovirt.engine.api.extensions.aaa.Authn;
-import org.ovirt.engine.core.aaa.AuthType;
-import org.ovirt.engine.core.aaa.AuthenticationProfile;
-import org.ovirt.engine.core.aaa.AuthenticationProfileRepository;
-
-/**
- * This filter should be added to the {@code web.xml} file to the applications that want to use the authentication
- * mechanism implemented in this package.
- */
-public class NegotiationFilter implements Filter {
-
- private static final Logger log = LoggerFactory.getLogger(NegotiationFilter.class);
-
- private static final String CAPABILITIES_PARAMETER = "capabilities";
-
- /**
- * In order to support several alternative authentication extension we
- * store their associated profiles in a stack inside the HTTP session,
- * this is the key for that stack.
- */
- private static final String STACK_ATTR = NegotiationFilter.class.getName() + ".stack";
-
- private volatile Collection<String> schemes;
- private volatile List<AuthenticationProfile> profiles;
- private long caps = 0;
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- String capsParam = filterConfig.getInitParameter(CAPABILITIES_PARAMETER);
- if (capsParam != null) {
- for (String nego : capsParam.trim().split(" *\\| *")) {
- try {
- caps |= Authn.Capabilities.class.getField(nego).getLong(null);
- } catch (IllegalArgumentException | IllegalAccessException | NoSuchFieldException ex) {
- log.error("Error calculating authn capabilities while accessing constant {}", nego);
- }
- }
- }
-
- AuthenticationProfileRepository.getInstance().addObserver(
- new Observer() {
- @Override
- public void update(Observable o, Object arg) {
- cacheNegotiatingProfiles();
- }
- }
- );
- cacheNegotiatingProfiles();
- }
-
- @Override
- public void destroy() {
- }
-
- private synchronized void cacheNegotiatingProfiles() {
- schemes = new ArrayList<String>();
- profiles = new ArrayList<AuthenticationProfile>();
-
- for (AuthenticationProfile profile : AuthenticationProfileRepository.getInstance().getProfiles()) {
- ExtMap authnContext = profile.getAuthn().getContext();
- if ((authnContext.<Long> get(Authn.ContextKeys.CAPABILITIES).longValue() & caps) != 0) {
- profiles.add(profile);
- schemes.addAll(authnContext.<Collection<String>>get(Authn.ContextKeys.HTTP_AUTHENTICATION_SCHEME, Collections.<String>emptyList()));
- }
- }
-
- Collections.sort(
- profiles,
- new Comparator<AuthenticationProfile>() {
- @Override
- public int compare(AuthenticationProfile o1, AuthenticationProfile o2) {
- return Integer.valueOf(o1.getNegotiationPriority()).compareTo(o2.getNegotiationPriority());
- }
- }
- );
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public void doFilter(ServletRequest req, ServletResponse rsp, FilterChain chain)
- throws IOException, ServletException {
-
- HttpServletRequest httpreq = (HttpServletRequest)req;
-
- if (FiltersHelper.isAuthenticated(httpreq) || httpreq.getAttribute(FiltersHelper.Constants.REQUEST_AUTH_RECORD_KEY) != null) {
- chain.doFilter(req, rsp);
- } else {
- ((HttpServletRequest) req).setAttribute(FiltersHelper.Constants.REQUEST_SCHEMES_KEY, schemes);
- HttpSession session = httpreq.getSession(false);
- Deque<AuthenticationProfile> stack = null;
- if (session != null) {
- stack = (Deque<AuthenticationProfile>)session.getAttribute(STACK_ATTR);
- }
- if (stack == null) {
- stack = new ArrayDeque<AuthenticationProfile>();
- stack.addAll(profiles);
- }
- doAuth(httpreq, (HttpServletResponse) rsp, stack);
- if (!stack.isEmpty()) {
- httpreq.getSession(true).setAttribute(STACK_ATTR, stack);
- } else {
- if (session != null) {
- session.removeAttribute(STACK_ATTR);
- }
- chain.doFilter(req, rsp);
- }
- }
- }
-
- private void doAuth(HttpServletRequest req, HttpServletResponse rsp, Deque<AuthenticationProfile> stack)
- throws IOException, ServletException {
-
- boolean stop = false;
- while (!stop && !stack.isEmpty()) {
- AuthenticationProfile profile = stack.peek();
-
- ExtMap output = profile.getAuthn().invoke(
- new ExtMap().mput(
- Base.InvokeKeys.COMMAND,
- Authn.InvokeCommands.AUTHENTICATE_NEGOTIATE
- ).mput(
- Authn.InvokeKeys.HTTP_SERVLET_REQUEST,
- req
- ).mput(
- Authn.InvokeKeys.HTTP_SERVLET_RESPONSE,
- rsp
- )
- );
-
- switch (output.<Integer> get(Authn.InvokeKeys.RESULT)) {
- case Authn.AuthResult.SUCCESS:
- req.setAttribute(FiltersHelper.Constants.REQUEST_AUTH_RECORD_KEY,
- output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD));
- req.setAttribute(FiltersHelper.Constants.REQUEST_AUTH_TYPE_KEY,
- AuthType.NEGOTIATION);
- req.setAttribute(FiltersHelper.Constants.REQUEST_PROFILE_KEY, profile.getName());
- stack.clear();
- break;
-
- case Authn.AuthResult.NEGOTIATION_UNAUTHORIZED:
- stack.pop();
- break;
-
- case Authn.AuthResult.NEGOTIATION_INCOMPLETE:
- stop = true;
- break;
-
- default:
- log.error("Unexpected authentication result. AuthResult code is {}",
- output.<Integer> get(Authn.InvokeKeys.RESULT));
- stack.pop();
- break;
- }
- }
- }
-
-}
diff --git a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
index 8c05668..48042e3 100644
--- a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
+++ b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
@@ -79,32 +79,6 @@
 </filter-mapping>

 <filter>
- <filter-name>BasicAuthenticationFilter</filter-name>
- <filter-class>org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter</filter-class>
- <init-param>
- <param-name>user-name-format</param-name>
- <param-value>RESTAPI_SPECIFIC</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>BasicAuthenticationFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <filter>
- <filter-name>NegotiationFilter</filter-name>
- <filter-class>org.ovirt.engine.core.aaa.filters.NegotiationFilter</filter-class>
- <init-param>
- <param-name>capabilities</param-name>
- <param-value>AUTHENTICATE_NEGOTIATE_NON_INTERACTIVE</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>NegotiationFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <filter>
 <filter-name>EnforceAuthFilter</filter-name>
 <filter-class>org.ovirt.engine.core.aaa.filters.EnforceAuthFilter</filter-class>
 <!-- schemes parameter names should be in format of scheme.XXX Add
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
index 7aa7961..4746de2 100644
--- a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
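Review bot: After this hunk the first aaa filter mapped on `/*` in the REST API chain is EnforceAuthFilter (the context lines that close the hunk; its `<filter>` element continues past the hunk), and nothing left in this web.xml consumes an `Authorization: Basic` or `Negotiate` header — the deleted NegotiationFilter was also the code that set the REQUEST_SCHEMES_KEY request attribute before EnforceAuthFilter ran. The commit message only states that the filters "are not required"; it does not name the component that now performs credential and negotiate authentication for API clients, so a reader cannot tell from this change alone whether authentication moved or whether the chain now degrades to pass-through. Please state in the description where Basic/Negotiate handling now lives, and confirm that EnforceAuthFilter still rejects a request that reaches it without an auth record (fails closed) when that attribute is no longer populated here. A one-line comment above the EnforceAuthFilter declaration, e.g. `<!-- Basic/Negotiate authentication is no longer performed by this filter chain (see Bug-Url 1092744) -->`, would make the intent clear to the next maintainer.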
@@ -44,32 +44,6 @@
 <url-pattern>/*</url-pattern>
 </filter-mapping>

- <filter>
- <filter-name>BasicAuthenticationFilter</filter-name>
- <filter-class>org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter</filter-class>
- <init-param>
- <param-name>user-name-format</param-name>
- <param-value>UPN</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>BasicAuthenticationFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <filter>
- <filter-name>NegotiationFilter</filter-name>
- <filter-class>org.ovirt.engine.core.aaa.filters.NegotiationFilter</filter-class>
- <init-param>
- <param-name>capabilities</param-name>
- <param-value>AUTHENTICATE_NEGOTIATE_INTERACTIVE | AUTHENTICATE_NEGOTIATE_NON_INTERACTIVE</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>NegotiationFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
 <filter-mapping>
 <filter-name>LocaleFilter</filter-name>
 <url-pattern>/*</url-pattern>
diff --git a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
index f15f54c..71f7e6e 100644
--- a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
+++ b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
@@ -45,32 +45,6 @@
 <url-pattern>/*</url-pattern>
 </filter-mapping>

- <filter>
- <filter-name>BasicAuthenticationFilter</filter-name>
- <filter-class>org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter</filter-class>
- <init-param>
- <param-name>user-name-format</param-name>
- <param-value>UPN</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>BasicAuthenticationFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <filter>
- <filter-name>NegotiationFilter</filter-name>
- <filter-class>org.ovirt.engine.core.aaa.filters.NegotiationFilter</filter-class>
- <init-param>
- <param-name>capabilities</param-name>
- <param-value>AUTHENTICATE_NEGOTIATE_INTERACTIVE | AUTHENTICATE_NEGOTIATE_NON_INTERACTIVE</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>NegotiationFilter</filter-name>
- <url-pattern>/</url-pattern>
- </filter-mapping>
-
 <filter-mapping>
 <filter-name>LocaleFilter</filter-name>
 <url-pattern>/*</url-pattern>
--
To view, visit https://gerrit.ovirt.org/40108
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5f72bc953113c4b21349c7e0023ec924185b6a53
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rn...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches