• Home
• io.cdap.cdap
• cdap-app-fabric
• 6.8.3
• source code
• RuntimeIdentityHandler.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.cdap.cdap.internal.app.runtime.monitor.RuntimeIdentityHandler Maven / Gradle / Ivy

/*
 * Copyright © 2021 Cask Data, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */

package io.cdap.cdap.internal.app.runtime.monitor;

import io.cdap.cdap.common.conf.CConfiguration;
import io.cdap.cdap.common.conf.Constants;
import io.cdap.cdap.common.logging.AuditLogEntry;
import io.cdap.cdap.common.utils.Networks;
import io.cdap.cdap.proto.security.Credential;
import io.cdap.cdap.security.impersonation.SecurityUtil;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandler;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * A {@link ChannelInboundHandler} for properly propagating runtime identity to calls to other system services.
 */
public class RuntimeIdentityHandler extends ChannelInboundHandlerAdapter {
  private static final Logger AUDIT_LOGGER = LoggerFactory
    .getLogger(Constants.RuntimeMonitor.MONITOR_AUDIT_LOGGER_NAME);

  private static final String EMPTY_RUNTIME_TOKEN =
    String.format("%s %s", Credential.CREDENTIAL_TYPE_INTERNAL, "empty-runtime-token");

  private final boolean enforceAuthenticatedRequests;
  private final boolean auditLogEnabled;

  public RuntimeIdentityHandler(CConfiguration cConf) {
    this.enforceAuthenticatedRequests = SecurityUtil.isInternalAuthEnabled(cConf);
    this.auditLogEnabled = cConf.getBoolean(Constants.RuntimeMonitor.MONITOR_AUDIT_LOG_ENABLED);
  }

  @Override
  public void channelRead(ChannelHandlerContext ctx, Object msg) {
    if (!(msg instanceof HttpRequest)) {
      ctx.fireChannelRead(msg);
      return;
    }

    HttpRequest request = (HttpRequest) msg;

    request.headers().remove(HttpHeaderNames.AUTHORIZATION);
    request.headers().set(Constants.Security.Headers.USER_ID, Constants.Security.Authentication.RUNTIME_IDENTITY);
    String clientIP = Networks.getIP(ctx.channel().remoteAddress());
    if (clientIP != null) {
      request.headers().set(Constants.Security.Headers.USER_IP, clientIP);
    } else {
      request.headers().remove(Constants.Security.Headers.USER_IP);
    }
    if (enforceAuthenticatedRequests && !request.headers().contains(Constants.Security.Headers.RUNTIME_TOKEN)) {
      request.headers().set(Constants.Security.Headers.RUNTIME_TOKEN, EMPTY_RUNTIME_TOKEN);
    }
    ctx.fireChannelRead(msg);
  }

  private void auditLogIfNeeded(HttpRequest request, Channel channel, int code) {
    if (!auditLogEnabled) {
      return;
    }

    AuditLogEntry logEntry = new AuditLogEntry(request, Networks.getIP(channel.remoteAddress()));
    logEntry.setResponse(code, -1);

    AUDIT_LOGGER.trace(logEntry.toString());
  }
}