All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.finos.legend.sdlc.server.tools.AuthenticationTools Maven / Gradle / Ivy

// Copyright 2020 Goldman Sachs
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package org.finos.legend.sdlc.server.tools;

import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.client.CookieStore;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.BasicSchemeFactory;
import org.apache.http.impl.auth.DigestSchemeFactory;
import org.apache.http.impl.auth.KerberosSchemeFactory;
import org.apache.http.impl.auth.NTLMSchemeFactory;
import org.apache.http.impl.auth.SPNegoScheme;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HttpContext;
import org.eclipse.collections.api.factory.Maps;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class AuthenticationTools
{
    private AuthenticationTools()
    {
        // utility class
    }

    public static CloseableHttpClient createHttpClientForSPNego()
    {
        return createHttpClientForSPNego(null);
    }

    public static CloseableHttpClient createHttpClientForSPNego(CookieStore cookieStore)
    {
        HttpClientBuilder builder = createHttpClientBuilderForSPNego();
        if (cookieStore != null)
        {
            builder.setDefaultCookieStore(cookieStore);
        }
        return builder.build();
    }

    /**
     * Create a client builder configured for SPNego. This sets the default authentication
     * scheme registry and credentials provider.
     *
     * @return HTTP client builder configured for SPNego
     */
    public static HttpClientBuilder createHttpClientBuilderForSPNego()
    {
        return configureForSPNego(HttpClientBuilder.create());
    }

    /**
     * Configure a client builder for SPNego. This sets the default authentication
     * scheme registry and credentials provider.
     *
     * @param builder HTTP client builder
     * @return same builder after configuration
     */
    public static HttpClientBuilder configureForSPNego(HttpClientBuilder builder)
    {
        Lookup authSchemeRegistry = RegistryBuilder.create()
                .register(AuthSchemes.BASIC, new BasicSchemeFactory())
                .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
                .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
                .register(AuthSchemes.SPNEGO, new SPNegoWithDelegationSchemeFactory())
                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(true, false))
                .build();

        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, AuthSchemes.SPNEGO), new NullCredentials());

        builder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
        builder.setDefaultCredentialsProvider(credentialsProvider);
        return builder;
    }

    /**
     * Return whether the subject has the given Kerberos id for
     * (at least) one of its principals.
     *
     * @param subject    subject
     * @param kerberosId Kerberos id
     * @return whether the subject has the Kerberos id for a principal
     */
    public static boolean subjectHasKerberosId(Subject subject, String kerberosId)
    {
        return subject.getPrincipals().stream().map(Principal::getName).anyMatch(name -> (name != null) && name.startsWith(kerberosId) && ((name.length() == kerberosId.length()) || (name.charAt(kerberosId.length()) == '@')));
    }

    /**
     * Get one Kerberos id for the given subject. If there are multiple
     * ids for the subject, an arbitrary one is returned. If there is no
     * Kerberos id, null is returned.
     *
     * @param subject subject
     * @return one Kerberos id (or null)
     */
    public static String getKerberosIdFromSubject(Subject subject)
    {
        return (subject == null) ? null : subject.getPrincipals().stream().map(AuthenticationTools::getKerberosIdFromPrincipal).filter(Objects::nonNull).findAny().orElse(null);
    }

    /**
     * Get the Kerberos id from a Principal. This is the principal's
     * name with any domain stripped off.
     *
     * @param principal principal
     * @return Kerberos id
     */
    public static String getKerberosIdFromPrincipal(Principal principal)
    {
        String name = principal.getName();
        if (name == null)
        {
            return null;
        }

        int atIndex = name.indexOf('@');
        return (atIndex == -1) ? name : name.substring(0, atIndex);
    }

    public static Configuration getLocalLoginConfiguration()
    {
        return new Configuration()
        {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name)
            {
                Map options = Maps.mutable.with(
                        "useTicketCache", "true",
                        "doNotPrompt", "false");
                String ticketCacheName = System.getenv("KRB5CCNAME");
                if ((ticketCacheName != null) && !ticketCacheName.isEmpty())
                {
                    options.put("ticketCache", ticketCacheName);
                }

                AppConfigurationEntry ace = new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options);

                return new AppConfigurationEntry[]{ace};
            }
        };
    }

    private static class NullCredentials implements Credentials
    {
        @Override
        public Principal getUserPrincipal()
        {
            return null;
        }

        @Override
        public String getPassword()
        {
            return null;
        }
    }

    private static class SPNegoWithDelegationSchemeFactory implements AuthSchemeProvider
    {
        @Override
        public AuthScheme create(final HttpContext context)
        {
            return new SPNegoWithDelegationScheme();
        }
    }

    private static class SPNegoWithDelegationScheme extends SPNegoScheme
    {
        private SPNegoWithDelegationScheme()
        {
            super(true, false);
        }

        @Override
        protected byte[] generateGSSToken(byte[] input, Oid oid, String authServer, Credentials credentials) throws GSSException
        {
            GSSCredential gssCredential = (credentials instanceof KerberosCredentials) ? ((KerberosCredentials)credentials).getGSSCredential() : null;

            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);

            GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
            gssContext.requestCredDeleg(true);
            gssContext.requestMutualAuth(true);

            return gssContext.initSecContext((input == null) ? new byte[0] : input, 0, (input == null) ? 0 : input.length);
        }
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy