/**
 * Builds the escalated {@link AuthenticationResult} for the identity held in {@code internalClientPrincipal},
 * scoped to {@code authorizerName}.
 *
 * The authenticatedBy slot (third constructor argument) is intentionally {@code null}; the reasoning is recorded in
 * the linked review discussion. No context map is attached either.
 *
 * @return a fresh escalated result for the internal client principal
 */
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{
  // If you find yourself asking why the authenticatedBy field is set to null, please read this:
  // https://github.com/apache/incubator-druid/pull/5706#discussion_r185940889
  final AuthenticationResult escalated =
      new AuthenticationResult(internalClientPrincipal, authorizerName, null, null);
  return escalated;
}
/**
 * Builds the escalated {@link AuthenticationResult} for the identity held in {@code internalClientUsername},
 * scoped to {@code authorizerName}.
 *
 * The authenticatedBy slot (third constructor argument) is intentionally {@code null}; the reasoning is recorded in
 * the linked review discussion. No context map is attached either.
 *
 * @return a fresh escalated result for the internal client username
 */
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{
  // If you find yourself asking why the authenticatedBy field is set to null, please read this:
  // https://github.com/apache/incubator-druid/pull/5706#discussion_r185940889
  final AuthenticationResult escalated =
      new AuthenticationResult(internalClientUsername, authorizerName, null, null);
  return escalated;
}
}
/**
 * Builds the single {@code anonymousResult} this authenticator hands out.
 *
 * @param name           authenticator name; stored in the result's authenticatedBy slot as given (not validated here)
 * @param authorizerName authorizer the result is scoped to; stored as given, including {@code null}
 * @param identity       identity to report; {@code DEFAULT_IDENTITY} is used when this is {@code null}
 */
@JsonCreator
public AnonymousAuthenticator(
    @JsonProperty("name") String name,
    @JsonProperty("authorizerName") String authorizerName,
    @JsonProperty("identity") String identity
)
{
  final String effectiveIdentity;
  if (identity == null) {
    effectiveIdentity = DEFAULT_IDENTITY;
  } else {
    effectiveIdentity = identity;
  }
  // The authenticator name goes into the authenticatedBy slot; no context map is attached.
  this.anonymousResult = new AuthenticationResult(effectiveIdentity, authorizerName, name, null);
}
/**
 * Marks every request that reaches this filter as authenticated with the allow-all identity, as already
 * authorization-checked and as an unsecured path, then continues the chain. No credential or permission check is
 * performed here, so this filter belongs only on paths that are meant to be reachable without authorization.
 *
 * @param servletRequest  the incoming request; three auth attributes are set on it
 * @param servletResponse passed through untouched
 * @param filterChain     continued after the attributes are set
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
    throws IOException, ServletException
{
  // Placeholder identity: PreResponseAuthorizationCheckFilter only requires this attribute to be present; the value is
  // irrelevant because authorization checks are skipped for requests routed through this filter.
  final AuthenticationResult allowAll = new AuthenticationResult(
      AuthConfig.ALLOW_ALL_NAME,
      AuthConfig.ALLOW_ALL_NAME,
      AuthConfig.ALLOW_ALL_NAME,
      null
  );
  servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, allowAll);

  // No Authorizer will see this request, so the "already checked" flag has to be set here for
  // PreResponseAuthorizationCheckFilter; the request is additionally flagged as an unsecured path.
  servletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  servletRequest.setAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH, true);

  filterChain.doFilter(servletRequest, servletResponse);
}
/**
 * Authenticates a JDBC connection from the "user" and "password" entries of its connection context.
 *
 * The password arrives as a {@code String} inside the map and is converted to a {@code char[]} only for the
 * {@code checkCredentials} call. Both entries are cast to {@code String}; a non-String value would fail the cast.
 *
 * @param context JDBC connection context keyed by property name
 * @return a result naming {@code user}, scoped to {@code authorizerName} and authenticated by {@code name}, or
 *         {@code null} when either entry is missing or the credentials do not check out
 */
@Override
@Nullable
public AuthenticationResult authenticateJDBCContext(Map<String, Object> context)
{
  final String user = (String) context.get("user");
  final String password = (String) context.get("password");
  // Short-circuit keeps the null checks ahead of the credential check, exactly as before.
  if (user != null && password != null && checkCredentials(user, password.toCharArray())) {
    return new AuthenticationResult(user, authorizerName, name, null);
  }
  return null;
}
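/**
 * Lets HTTP OPTIONS requests through the authorization machinery, since no Druid resource handler authorizes them.
 *
 * For an OPTIONS request that carries no authentication result: when {@code allowUnauthenticatedHttpOptions} is set,
 * an allow-all identity is attached; otherwise the request is rejected with 401 and the chain is not continued.
 * An OPTIONS request that was already authenticated keeps its identity. Every accepted OPTIONS request is marked as
 * authorization-checked so the later pre-response check does not fail it. Non-OPTIONS requests pass through untouched.
 *
 * @param request  must be an {@link HttpServletRequest}
 * @param response cast to {@link HttpServletResponse} only on the rejection path
 * @param chain    continued for every request except a rejected OPTIONS request
 * @throws IOException      from {@code sendError} or the chain
 * @throws ServletException from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException
{
  final HttpServletRequest httpReq = (HttpServletRequest) request;

  // Druid itself doesn't explicitly handle OPTIONS requests, so no resource handler will authorize them;
  // this filter catches all OPTIONS requests and authorizes them itself.
  if (HttpMethod.OPTIONS.equals(httpReq.getMethod())) {
    if (httpReq.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) == null) {
      // If the request already had credentials and authenticated successfully, keep the authenticated identity.
      // Otherwise, allow the unauthenticated request only when configured to do so.
      if (allowUnauthenticatedHttpOptions) {
        httpReq.setAttribute(
            AuthConfig.DRUID_AUTHENTICATION_RESULT,
            new AuthenticationResult(AuthConfig.ALLOW_ALL_NAME, AuthConfig.ALLOW_ALL_NAME, null, null)
        );
      } else {
        // Reject and stop here. Without this return the rejected request would still be flagged as
        // authorization-checked and handed to the rest of the chain after the 401 had been sent.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
      }
    }
    httpReq.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  }
  chain.doFilter(request, response);
}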
/**
 * Produces an allow-all result for a JDBC connection: the "user" entry of the connection context is taken as the
 * identity without any credential check, the authorizer is {@code AuthConfig.ALLOW_ALL_NAME}, and neither an
 * authenticatedBy value nor a context map is attached.
 *
 * @param context JDBC connection context keyed by property name
 * @return an allow-all result for whatever "user" the client supplied (possibly {@code null})
 */
@Override
public AuthenticationResult authenticateJDBCContext(Map<String, Object> context)
{
  // No verification happens here: the client-supplied "user" value becomes the identity as-is.
  final String identity = (String) context.get("user");
  return new AuthenticationResult(identity, AuthConfig.ALLOW_ALL_NAME, null, null);
}
}
AuthenticationResult authenticationResult = new AuthenticationResult(user, authorizerName, name, null); servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult); filterChain.doFilter(servletRequest, servletResponse);
/**
 * Builds a nice-mocked request that reports no prior authorization check and carries a fully populated "test"
 * identity (identity, authorizer and authenticatedBy all "test", with an empty context map).
 *
 * @return the replayed mock request
 */
private static HttpServletRequest newRequest()
{
  final HttpServletRequest mockRequest = EasyMock.niceMock(HttpServletRequest.class);
  final AuthenticationResult testIdentity =
      new AuthenticationResult("test", "test", "test", Collections.emptyMap());

  EasyMock.expect(mockRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null);
  EasyMock.expect(mockRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(testIdentity);
  EasyMock.replay(mockRequest);

  return mockRequest;
}
/**
 * Records the request-attribute expectations for a request that carries a "druid" identity, is not on an unsecured
 * path and has not yet been authorization-checked. The checked flag may be written with either value any number of
 * times. Expectations are recorded in the original order in case {@code req} is a strict mock.
 */
private void expectAuthorizationTokenCheck()
{
  final AuthenticationResult druidIdentity = new AuthenticationResult("druid", "druid", null, null);

  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH))
          .andReturn(null)
          .anyTimes();
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
          .andReturn(null)
          .atLeastOnce();
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
          .andReturn(druidIdentity)
          .atLeastOnce();

  // Either value of the checked flag is acceptable, as often as the code under test likes.
  req.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
  EasyMock.expectLastCall().anyTimes();
  req.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  EasyMock.expectLastCall().anyTimes();
}
/**
 * "full" view of one day: the response is keyed by interval, then by datasource, and reports per-datasource size and
 * segment count. The request mock is expected to be marked as authorization-checked exactly once.
 */
@Test
public void testFullGetSpecificIntervals()
{
  EasyMock.expect(inventoryView.getInventory()).andReturn(ImmutableList.of(server)).atLeastOnce();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
  final AuthenticationResult druidIdentity = new AuthenticationResult("druid", "druid", null, null);
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(druidIdentity).once();
  request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  EasyMock.expectLastCall().times(1);
  EasyMock.replay(inventoryView, request);

  final Interval expectedInterval = Intervals.of("2010-01-01T00:00:00.000Z/2010-01-02T00:00:00.000Z");
  final IntervalsResource resource = new IntervalsResource(
      inventoryView,
      new AuthConfig(),
      AuthTestUtils.TEST_AUTHORIZER_MAPPER
  );
  final Response response = resource.getSpecificIntervals("2010-01-01T00:00:00.000Z/P1D", null, "full", request);

  final TreeMap<Interval, Map<String, Map<String, Object>>> byInterval = (TreeMap) response.getEntity();
  Assert.assertEquals(1, byInterval.size());
  Assert.assertEquals(expectedInterval, byInterval.firstKey());

  final Map<String, Map<String, Object>> byDatasource = byInterval.get(expectedInterval);
  Assert.assertEquals(20L, byDatasource.get("datasource1").get("size"));
  Assert.assertEquals(1, byDatasource.get("datasource1").get("count"));
  Assert.assertEquals(5L, byDatasource.get("datasource2").get("size"));
  Assert.assertEquals(1, byDatasource.get("datasource2").get("count"));
}
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once(); EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn( new AuthenticationResult("druid", "druid", null, null) ).once(); request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
/**
 * "simple" view of one day: the response is keyed by interval and reports the aggregated size and segment count
 * across datasources. The request mock is expected to be marked as authorization-checked exactly once.
 */
@Test
public void testSimpleGetSpecificIntervals()
{
  EasyMock.expect(inventoryView.getInventory()).andReturn(ImmutableList.of(server)).atLeastOnce();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
  final AuthenticationResult druidIdentity = new AuthenticationResult("druid", "druid", null, null);
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(druidIdentity).once();
  request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  EasyMock.expectLastCall().times(1);
  EasyMock.replay(inventoryView, request);

  final Interval expectedInterval = Intervals.of("2010-01-01T00:00:00.000Z/2010-01-02T00:00:00.000Z");
  final IntervalsResource resource = new IntervalsResource(
      inventoryView,
      new AuthConfig(),
      AuthTestUtils.TEST_AUTHORIZER_MAPPER
  );
  final Response response = resource.getSpecificIntervals("2010-01-01T00:00:00.000Z/P1D", "simple", null, request);

  final Map<Interval, Map<String, Object>> byInterval = (Map) response.getEntity();
  Assert.assertEquals(1, byInterval.size());
  Assert.assertTrue(byInterval.containsKey(expectedInterval));

  final Map<String, Object> summary = byInterval.get(expectedInterval);
  Assert.assertEquals(25L, summary.get("size"));
  Assert.assertEquals(2, summary.get("count"));
}
/**
 * Default view of one day: the response is a flat map with only the aggregated size and segment count. The request
 * mock is expected to be marked as authorization-checked exactly once.
 */
@Test
public void testGetSpecificIntervals()
{
  EasyMock.expect(inventoryView.getInventory()).andReturn(ImmutableList.of(server)).atLeastOnce();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
  final AuthenticationResult druidIdentity = new AuthenticationResult("druid", "druid", null, null);
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(druidIdentity).once();
  request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  EasyMock.expectLastCall().times(1);
  EasyMock.replay(inventoryView, request);

  final IntervalsResource resource = new IntervalsResource(
      inventoryView,
      new AuthConfig(),
      AuthTestUtils.TEST_AUTHORIZER_MAPPER
  );
  final Response response = resource.getSpecificIntervals("2010-01-01T00:00:00.000Z/P1D", null, null, request);

  final Map<String, Object> summary = (Map) response.getEntity();
  Assert.assertEquals(2, summary.size());
  Assert.assertEquals(25L, summary.get("size"));
  Assert.assertEquals(2, summary.get("count"));
}
/**
 * A request that carries an authentication result and has been authorization-checked passes the pre-response filter
 * without the response being touched. The request and response mocks are strict, so the recorded order of the two
 * attribute reads is part of the expectation.
 */
@Test
public void testValidRequest() throws Exception
{
  final AuthenticationResult validIdentity = new AuthenticationResult("so-very-valid", "so-very-valid", null, null);

  final HttpServletRequest req = EasyMock.createStrictMock(HttpServletRequest.class);
  final HttpServletResponse resp = EasyMock.createStrictMock(HttpServletResponse.class);
  final FilterChain filterChain = EasyMock.createNiceMock(FilterChain.class);
  final ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);

  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
          .andReturn(validIdentity)
          .once();
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
          .andReturn(true)
          .once();
  EasyMock.replay(req, resp, filterChain, outputStream);

  final PreResponseAuthorizationCheckFilter filter =
      new PreResponseAuthorizationCheckFilter(authenticators, new DefaultObjectMapper());
  filter.doFilter(req, resp, filterChain);

  EasyMock.verify(req, resp, filterChain, outputStream);
}
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once(); EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn( new AuthenticationResult("druid", "druid", null, null) ).atLeastOnce(); request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce(); EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn( new AuthenticationResult("druid", "druid", null, null) ).atLeastOnce(); request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
/**
 * A request that is authenticated but never authorization-checked, on a response that already has an error status
 * (404), passes the pre-response filter without further writes to the response. An emitter is registered first so
 * any alert the filter logs has somewhere to go. The request and response mocks are strict.
 */
@Test
public void testMissingAuthorizationCheckWithError() throws Exception
{
  EmittingLogger.registerEmitter(EasyMock.createNiceMock(ServiceEmitter.class));

  final AuthenticationResult validIdentity = new AuthenticationResult("so-very-valid", "so-very-valid", null, null);

  final HttpServletRequest req = EasyMock.createStrictMock(HttpServletRequest.class);
  final HttpServletResponse resp = EasyMock.createStrictMock(HttpServletResponse.class);
  final FilterChain filterChain = EasyMock.createNiceMock(FilterChain.class);
  final ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);

  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
          .andReturn(validIdentity)
          .once();
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
          .andReturn(null)
          .once();
  EasyMock.expect(resp.getStatus()).andReturn(404).once();
  EasyMock.replay(req, resp, filterChain, outputStream);

  final PreResponseAuthorizationCheckFilter filter =
      new PreResponseAuthorizationCheckFilter(authenticators, new DefaultObjectMapper());
  filter.doFilter(req, resp, filterChain);

  EasyMock.verify(req, resp, filterChain, outputStream);
}
}
/**
 * A request whose identity "does-not-belong" is rejected by the sanity-check filter with a 403 JSON response written
 * to the response's output stream; the chain is a strict mock with no expectations, so it must not be continued.
 */
@Test
public void testInvalidRequest() throws Exception
{
  final HttpServletRequest req = EasyMock.createStrictMock(HttpServletRequest.class);
  final HttpServletResponse resp = EasyMock.createStrictMock(HttpServletResponse.class);
  final FilterChain filterChain = EasyMock.createStrictMock(FilterChain.class);
  final ServletOutputStream outputStream = EasyMock.createNiceMock(ServletOutputStream.class);

  final AuthenticationResult foreignIdentity =
      new AuthenticationResult("does-not-belong", "does-not-belong", null, null);

  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(true).once();
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(foreignIdentity).once();

  // The rejection is written as a 403 JSON body in UTF-8.
  EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).once();
  resp.setStatus(403);
  EasyMock.expectLastCall().once();
  resp.setContentType("application/json");
  EasyMock.expectLastCall().once();
  resp.setCharacterEncoding("UTF-8");
  EasyMock.expectLastCall().once();
  EasyMock.replay(req, resp, filterChain, outputStream);

  final SecuritySanityCheckFilter filter = new SecuritySanityCheckFilter(new DefaultObjectMapper());
  filter.doFilter(req, resp, filterChain);

  EasyMock.verify(req, resp, filterChain, outputStream);
}
}
expectedException.expectMessage("Request did not have an authorization check performed."); AuthenticationResult authenticationResult = new AuthenticationResult("so-very-valid", "so-very-valid", null, null);