extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java - druid - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.druid.security.pac4j;

 import com.google.common.collect.ImmutableMap;
 import org.apache.druid.java.util.common.logger.Logger;
 import org.apache.druid.server.security.AuthConfig;
 import org.apache.druid.server.security.AuthenticationResult;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.engine.CallbackLogic;
 import org.pac4j.core.engine.DefaultCallbackLogic;
 import org.pac4j.core.engine.DefaultSecurityLogic;
 import org.pac4j.core.engine.SecurityLogic;
 import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
 import org.pac4j.core.profile.UserProfile;

 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import java.io.IOException;
 import java.util.Collection;

 public class Pac4jFilter implements Filter
 {
   private static final Logger LOGGER = new Logger(Pac4jFilter.class);

   private final Config pac4jConfig;
   private final SecurityLogic<Object, JEEContext> securityLogic;
   private final CallbackLogic<Object, JEEContext> callbackLogic;
   private final SessionStore<JEEContext> sessionStore;

   private final String name;
   private final String authorizerName;

   public Pac4jFilter(String name, String authorizerName, Config pac4jConfig, String cookiePassphrase)
   {
     this.pac4jConfig = pac4jConfig;
     this.securityLogic = new DefaultSecurityLogic<>();
     this.callbackLogic = new DefaultCallbackLogic<>();

     this.name = name;
     this.authorizerName = authorizerName;

     this.sessionStore = new Pac4jSessionStore<>(cookiePassphrase);
   }

   @Override
   public void init(FilterConfig filterConfig)
   {
   }


   @Override
   public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
       throws IOException, ServletException
   {
     // If there's already an auth result, then we have authenticated already, skip this or else caller
     // could get HTTP redirect even if one of the druid authenticators in chain has successfully authenticated.
     if (servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) != null) {
       filterChain.doFilter(servletRequest, servletResponse);
       return;
     }

     HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
     HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
     JEEContext context = new JEEContext(httpServletRequest, httpServletResponse, sessionStore);

     if (Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())) {
       callbackLogic.perform(
           context,
           pac4jConfig,
           JEEHttpActionAdapter.INSTANCE,
           "/",
           true, false, false, null);
     } else {
       UserProfile profile = (UserProfile) securityLogic.perform(
           context,
           pac4jConfig,
           (JEEContext ctx, Collection<UserProfile> profiles, Object... parameters) -> {
             if (profiles.isEmpty()) {
               LOGGER.warn("No profiles found after OIDC auth.");
               return null;
             } else {
               return profiles.iterator().next();
             }
           },
           JEEHttpActionAdapter.INSTANCE,
           null, "none", null, null);
       // Changed the Authorizer from null to "none".
       // In the older version, if it is null, it simply grant access and returns authorized.
       // But in the newer pac4j version, it uses CsrfAuthorizer as default, And because of this, It was returning 403 in API calls.
       if (profile != null && profile.getId() != null) {
         AuthenticationResult authenticationResult = new AuthenticationResult(profile.getId(), authorizerName, name, ImmutableMap.of("profile", profile));
         servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
         filterChain.doFilter(servletRequest, servletResponse);
       }
     }
   }

   @Override
   public void destroy()
   {
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.druid.security.pac4j;

	import com.google.common.collect.ImmutableMap;
	import org.apache.druid.java.util.common.logger.Logger;
	import org.apache.druid.server.security.AuthConfig;
	import org.apache.druid.server.security.AuthenticationResult;
	import org.pac4j.core.config.Config;
	import org.pac4j.core.context.JEEContext;
	import org.pac4j.core.context.session.SessionStore;
	import org.pac4j.core.engine.CallbackLogic;
	import org.pac4j.core.engine.DefaultCallbackLogic;
	import org.pac4j.core.engine.DefaultSecurityLogic;
	import org.pac4j.core.engine.SecurityLogic;
	import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
	import org.pac4j.core.profile.UserProfile;

	import javax.servlet.Filter;
	import javax.servlet.FilterChain;
	import javax.servlet.FilterConfig;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	import java.io.IOException;
	import java.util.Collection;

	public class Pac4jFilter implements Filter
	{
	private static final Logger LOGGER = new Logger(Pac4jFilter.class);

	private final Config pac4jConfig;
	private final SecurityLogic<Object, JEEContext> securityLogic;
	private final CallbackLogic<Object, JEEContext> callbackLogic;
	private final SessionStore<JEEContext> sessionStore;

	private final String name;
	private final String authorizerName;

	public Pac4jFilter(String name, String authorizerName, Config pac4jConfig, String cookiePassphrase)
	{
	this.pac4jConfig = pac4jConfig;
	this.securityLogic = new DefaultSecurityLogic<>();
	this.callbackLogic = new DefaultCallbackLogic<>();

	this.name = name;
	this.authorizerName = authorizerName;

	this.sessionStore = new Pac4jSessionStore<>(cookiePassphrase);
	}

	@Override
	public void init(FilterConfig filterConfig)
	{
	}


	@Override
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
	throws IOException, ServletException
	{
	// If there's already an auth result, then we have authenticated already, skip this or else caller
	// could get HTTP redirect even if one of the druid authenticators in chain has successfully authenticated.
	if (servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) != null) {
	filterChain.doFilter(servletRequest, servletResponse);
	return;
	}

	HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
	HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
	JEEContext context = new JEEContext(httpServletRequest, httpServletResponse, sessionStore);

	if (Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())) {
	callbackLogic.perform(
	context,
	pac4jConfig,
	JEEHttpActionAdapter.INSTANCE,
	"/",
	true, false, false, null);
	} else {
	UserProfile profile = (UserProfile) securityLogic.perform(
	context,
	pac4jConfig,
	(JEEContext ctx, Collection<UserProfile> profiles, Object... parameters) -> {
	if (profiles.isEmpty()) {
	LOGGER.warn("No profiles found after OIDC auth.");
	return null;
	} else {
	return profiles.iterator().next();
	}
	},
	JEEHttpActionAdapter.INSTANCE,
	null, "none", null, null);
	// Changed the Authorizer from null to "none".
	// In the older version, if it is null, it simply grant access and returns authorized.
	// But in the newer pac4j version, it uses CsrfAuthorizer as default, And because of this, It was returning 403 in API calls.
	if (profile != null && profile.getId() != null) {
	AuthenticationResult authenticationResult = new AuthenticationResult(profile.getId(), authorizerName, name, ImmutableMap.of("profile", profile));
	servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
	filterChain.doFilter(servletRequest, servletResponse);
	}
	}
	}

	@Override
	public void destroy()
	{
	}
	}