org.apache.nifi.web.security

Class ProxiedEntitiesUtils

java.lang.Object

org.apache.nifi.web.security.ProxiedEntitiesUtils

public class ProxiedEntitiesUtils
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
private static String	ANONYMOUS_CHAIN
private static String	ANONYMOUS_IDENTITY
private static String	ESCAPED_GT
private static String	ESCAPED_LT
private static String	GT
private static org.slf4j.Logger	logger
private static String	LT
static String	PROXY_ENTITIES_ACCEPTED
static String	PROXY_ENTITIES_CHAIN
static String	PROXY_ENTITIES_DETAILS
static String	PROXY_ENTITY_GROUPS
static String	PROXY_ENTITY_GROUPS_EMPTY

Constructor Summary

Constructors

Constructor and Description
ProxiedEntitiesUtils()

Method Summary

Modifier and Type	Method and Description
private static String	base64Decode(String encodedValue) Performs the reverse of $base64Encode(String).
private static String	base64Encode(String rawValue) Base64 encodes a DN and wraps it in angled brackets to indicate the value is base64 and not a raw DN.
static String	buildProxiedEntitiesChainString(NiFiUser user) Builds the proxy chain for the specified user.
static String	buildProxiedEntityGroupsString(Set<String> groups) Builds the string representation for a set of groups that belong to a proxied entity.
static String	formatProxyDn(String dn) Formats the specified DN to be set as a HTTP header using well known conventions.
static String	getProxiedEntitiesChain(List<String> proxiedEntities) Formats a list of DN/usernames to be set as a HTTP header using well known conventions.
static String	getProxiedEntitiesChain(String... proxiedEntities) Formats a list of DN/usernames to be set as a HTTP header using well known conventions.
private static boolean	isBase64Encoded(String token) Check if a value has been encoded by $base64Encode(String), and therefore needs to be decoded.
private static boolean	isPureAscii(String stringWithUnknownCharacters) Check if a string contains only pure ascii characters.
private static boolean	isValidChainFormat(String rawProxiedEntitiesChain) Check if a String is in the expected format and can be safely tokenized.
private static boolean	isWrappedInAngleBrackets(String string) Check if a string is wrapped with <angle brackets>.
private static String	sanitizeDn(String rawDn) Sanitizes a DN for safe and lossless transmission.
static void	successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) If a successfully authenticated request was made via a proxy, relevant proxy headers will be added to the response.
static List<String>	tokenizeProxiedEntitiesChain(String rawProxyChain) Tokenizes the specified proxy chain.
static Set<String>	tokenizeProxiedEntityGroups(String rawProxyEntityGroups) Tokenizes the specified proxied entity groups which are formatted the same as a proxy chain.
private static String	unsanitizeDn(String sanitizedDn) Reconstitutes the original DN from the sanitized version passed in the proxy chain.
static void	unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) If an unauthenticated request was made via a proxy, add proxy headers to explain why authentication failed.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

PROXY_ENTITIES_CHAIN

public static final String PROXY_ENTITIES_CHAIN

See Also:

Constant Field Values

PROXY_ENTITIES_ACCEPTED

public static final String PROXY_ENTITIES_ACCEPTED

See Also:

Constant Field Values

PROXY_ENTITIES_DETAILS

public static final String PROXY_ENTITIES_DETAILS

See Also:

Constant Field Values

PROXY_ENTITY_GROUPS

public static final String PROXY_ENTITY_GROUPS

See Also:

Constant Field Values

PROXY_ENTITY_GROUPS_EMPTY

public static final String PROXY_ENTITY_GROUPS_EMPTY

See Also:

Constant Field Values

GT

private static final String GT

See Also:

Constant Field Values

ESCAPED_GT

private static final String ESCAPED_GT

See Also:

Constant Field Values

LT

private static final String LT

See Also:

Constant Field Values

ESCAPED_LT

private static final String ESCAPED_LT

See Also:

Constant Field Values

ANONYMOUS_CHAIN

private static final String ANONYMOUS_CHAIN

See Also:

Constant Field Values

ANONYMOUS_IDENTITY

private static final String ANONYMOUS_IDENTITY

See Also:

Constant Field Values

Constructor Detail

ProxiedEntitiesUtils

public ProxiedEntitiesUtils()

Method Detail

getProxiedEntitiesChain

public static String getProxiedEntitiesChain(String... proxiedEntities)

Formats a list of DN/usernames to be set as a HTTP header using well known conventions.

Parameters:

proxiedEntities - the raw identities (usernames and DNs) to be formatted as a chain

Returns:

the value to use in the X-ProxiedEntitiesChain header

getProxiedEntitiesChain

public static String getProxiedEntitiesChain(List<String> proxiedEntities)

Formats a list of DN/usernames to be set as a HTTP header using well known conventions.

Parameters:

proxiedEntities - the raw identities (usernames and DNs) to be formatted as a chain

Returns:

the value to use in the X-ProxiedEntitiesChain header

tokenizeProxiedEntitiesChain

public static List<String> tokenizeProxiedEntitiesChain(String rawProxyChain)

Tokenizes the specified proxy chain.

Parameters:

rawProxyChain - raw chain

Returns:

tokenized proxy chain

tokenizeProxiedEntityGroups

public static Set<String> tokenizeProxiedEntityGroups(String rawProxyEntityGroups)

Tokenizes the specified proxied entity groups which are formatted the same as a proxy chain.

Parameters:

rawProxyEntityGroups - the raw proxy entity groups

Returns:

the set of group names, or empty set if none exist

buildProxiedEntitiesChainString

public static String buildProxiedEntitiesChainString(NiFiUser user)

Builds the proxy chain for the specified user.

Parameters:

user - The current user

Returns:

The proxy chain for that user in String form

buildProxiedEntityGroupsString

public static String buildProxiedEntityGroupsString(Set<String> groups)

Builds the string representation for a set of groups that belong to a proxied entity. The resulting string will be formatted similar to a proxied-entity chain. Example: Groups set: ("group1", "group2", "group3") Returns: "<group1><group2><group3>

Parameters:

groups - the set of groups

Returns:

the formatted group string, or null if there are no groups to proxy

successfulAuthentication

public static void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response)

If a successfully authenticated request was made via a proxy, relevant proxy headers will be added to the response.

Parameters:

request - The proxied client request that was successfully authenticated.

response - A servlet response to the client containing the successful authentication details.

unsuccessfulAuthentication

public static void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                              javax.servlet.http.HttpServletResponse response,
                                              org.springframework.security.core.AuthenticationException failed)

If an unauthenticated request was made via a proxy, add proxy headers to explain why authentication failed.

Parameters:

request - The original client request that failed to be authenticated.

response - Servlet response to the client containing the unsuccessful authentication attempt details.

failed - The related exception thrown and explanation for the unsuccessful authentication attempt.

formatProxyDn

public static String formatProxyDn(String dn)

Formats the specified DN to be set as a HTTP header using well known conventions.

Parameters:

dn - raw dn

Returns:

the dn formatted as an HTTP header

sanitizeDn

private static String sanitizeDn(String rawDn)

Sanitizes a DN for safe and lossless transmission. Sanitization requires:

1. Encoded so that it can be sent losslessly using US-ASCII (the character set of HTTP Header values)
2. Resilient to a DN with the sequence '><' to attempt to escape the tokenization process and impersonate another user.

Example:

Provided DN: jdoe><alopresto -> <jdoe><alopresto><proxy...> would allow the user to impersonate jdoe

Алйс Provided DN: Алйс -> <Алйс> cannot be encoded/decoded as ASCII

Parameters:

rawDn - the unsanitized DN

Returns:

the sanitized DN

unsanitizeDn

private static String unsanitizeDn(String sanitizedDn)

Reconstitutes the original DN from the sanitized version passed in the proxy chain.

Example:

alopresto\>\<proxy1 -> alopresto><proxy1

<0JDQu9C50YE=> -> Алйс

Parameters:

sanitizedDn - the sanitized DN

Returns:

the original DN

base64Encode

private static String base64Encode(String rawValue)

Base64 encodes a DN and wraps it in angled brackets to indicate the value is base64 and not a raw DN.

Parameters:

rawValue - The value to encode

Returns:

A string containing a wrapped, encoded value.

base64Decode

private static String base64Decode(String encodedValue)

Performs the reverse of $base64Encode(String).

Parameters:

encodedValue - the encoded value to decode.

Returns:

The original, decoded string.

isValidChainFormat

private static boolean isValidChainFormat(String rawProxiedEntitiesChain)

Check if a String is in the expected format and can be safely tokenized.

Parameters:

rawProxiedEntitiesChain - the value to check

Returns:

true if the value is in the valid format to tokenize, false otherwise.

isBase64Encoded

private static boolean isBase64Encoded(String token)

Check if a value has been encoded by $base64Encode(String), and therefore needs to be decoded.

Parameters:

token - the value to check

Returns:

true if the value is encoded, false otherwise.

isWrappedInAngleBrackets

private static boolean isWrappedInAngleBrackets(String string)

Check if a string is wrapped with <angle brackets>.

Parameters:

string - the value to check

Returns:

true if the value starts with < and ends with > - false otherwise

isPureAscii

private static boolean isPureAscii(String stringWithUnknownCharacters)

Check if a string contains only pure ascii characters.

Parameters:

stringWithUnknownCharacters - - the string to check

Returns:

true if string can be encoded as ascii. false otherwise.