NIFI-8931 Removed OTP Authentication
- Removed download-token and ui-extension-token REST resources
- Removed getAccessToken functions from JavaScript components
Signed-off-by: Nathan Gough <thenatog@gmail.com>
This closes #5235.
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
index c4e6304..359a03f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@@ -25,15 +25,11 @@
import org.apache.nifi.web.security.knox.KnoxAuthenticationFilter;
import org.apache.nifi.web.security.knox.KnoxAuthenticationProvider;
import org.apache.nifi.web.security.oidc.OIDCEndpoints;
-import org.apache.nifi.web.security.otp.OtpAuthenticationFilter;
-import org.apache.nifi.web.security.otp.OtpAuthenticationProvider;
import org.apache.nifi.web.security.saml.SAMLEndpoints;
import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.apache.nifi.web.security.x509.X509IdentityProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -63,8 +59,6 @@
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapter {
- private static final Logger logger = LoggerFactory.getLogger(NiFiWebApiSecurityConfiguration.class);
-
private NiFiProperties properties;
private X509AuthenticationFilter x509AuthenticationFilter;
@@ -76,9 +70,6 @@
private JwtAuthenticationFilter jwtAuthenticationFilter;
private JwtAuthenticationProvider jwtAuthenticationProvider;
- private OtpAuthenticationFilter otpAuthenticationFilter;
- private OtpAuthenticationProvider otpAuthenticationProvider;
-
private KnoxAuthenticationFilter knoxAuthenticationFilter;
private KnoxAuthenticationProvider knoxAuthenticationProvider;
@@ -89,11 +80,13 @@
super(true); // disable defaults
}
+ /**
+ * Configure Web Security with ignoring matchers for authentication requests
+ *
+ * @param webSecurity Spring Web Security Configuration
+ */
@Override
- public void configure(WebSecurity webSecurity) throws Exception {
- // ignore the access endpoints for obtaining the access config, the access token
- // granting, and access status for a given user (note: we are not ignoring the
- // the /access/download-token and /access/ui-extension-token endpoints
+ public void configure(final WebSecurity webSecurity) {
webSecurity
.ignoring()
.antMatchers(
@@ -138,9 +131,6 @@
// jwt
http.addFilterBefore(jwtFilterBean(), AnonymousAuthenticationFilter.class);
- // otp
- http.addFilterBefore(otpFilterBean(), AnonymousAuthenticationFilter.class);
-
// knox
http.addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);
@@ -173,7 +163,6 @@
auth
.authenticationProvider(x509AuthenticationProvider)
.authenticationProvider(jwtAuthenticationProvider)
- .authenticationProvider(otpAuthenticationProvider)
.authenticationProvider(knoxAuthenticationProvider)
.authenticationProvider(anonymousAuthenticationProvider);
}
@@ -189,16 +178,6 @@
}
@Bean
- public OtpAuthenticationFilter otpFilterBean() throws Exception {
- if (otpAuthenticationFilter == null) {
- otpAuthenticationFilter = new OtpAuthenticationFilter();
- otpAuthenticationFilter.setProperties(properties);
- otpAuthenticationFilter.setAuthenticationManager(authenticationManager());
- }
- return otpAuthenticationFilter;
- }
-
- @Bean
public KnoxAuthenticationFilter knoxFilterBean() throws Exception {
if (knoxAuthenticationFilter == null) {
knoxAuthenticationFilter = new KnoxAuthenticationFilter();
@@ -241,11 +220,6 @@
}
@Autowired
- public void setOtpAuthenticationProvider(OtpAuthenticationProvider otpAuthenticationProvider) {
- this.otpAuthenticationProvider = otpAuthenticationProvider;
- }
-
- @Autowired
public void setKnoxAuthenticationProvider(KnoxAuthenticationProvider knoxAuthenticationProvider) {
this.knoxAuthenticationProvider = knoxAuthenticationProvider;
}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
index 6dd1c26..bc19f3f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@@ -51,10 +51,8 @@
import org.apache.nifi.web.security.knox.KnoxService;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
-import org.apache.nifi.web.security.otp.OtpService;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
-import org.apache.nifi.web.security.token.OtpAuthenticationToken;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
import org.apache.nifi.web.security.x509.X509AuthenticationRequestToken;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
@@ -106,7 +104,6 @@
private LoginIdentityProvider loginIdentityProvider;
private JwtAuthenticationProvider jwtAuthenticationProvider;
private JwtService jwtService;
- private OtpService otpService;
private KnoxService knoxService;
private KerberosService kerberosService;
protected LogoutRequestManager logoutRequestManager;
@@ -311,96 +308,6 @@
}
/**
- * Creates a single use access token for downloading FlowFile content.
- *
- * @param httpServletRequest the servlet request
- * @return A token (string)
- */
- @POST
- @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @Produces(MediaType.TEXT_PLAIN)
- @Path("/download-token")
- @ApiOperation(
- value = "Creates a single use access token for downloading FlowFile content.",
- notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. " +
- "It is used as a query parameter name 'access_token'.",
- response = String.class
- )
- @ApiResponses(
- value = {
- @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
- @ApiResponse(code = 409, message = "Unable to create the download token because NiFi is not in the appropriate state. " +
- "(i.e. may not have any tokens to grant or be configured to support username/password login)"),
- @ApiResponse(code = 500, message = "Unable to create download token because an unexpected error occurred.")
- }
- )
- public Response createDownloadToken(@Context HttpServletRequest httpServletRequest) {
- // only support access tokens when communicating over HTTPS
- if (!httpServletRequest.isSecure()) {
- throw new IllegalStateException("Download tokens are only issued over HTTPS.");
- }
-
- final NiFiUser user = NiFiUserUtils.getNiFiUser();
- if (user == null) {
- throw new AccessDeniedException("No user authenticated in the request.");
- }
-
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(user.getIdentity());
-
- // generate otp for response
- final String token = otpService.generateDownloadToken(authenticationToken);
-
- // build the response
- final URI uri = URI.create(generateResourceUri("access", "download-token"));
- return generateCreatedResponse(uri, token).build();
- }
-
- /**
- * Creates a single use access token for accessing a NiFi UI extension.
- *
- * @param httpServletRequest the servlet request
- * @return A token (string)
- */
- @POST
- @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @Produces(MediaType.TEXT_PLAIN)
- @Path("/ui-extension-token")
- @ApiOperation(
- value = "Creates a single use access token for accessing a NiFi UI extension.",
- notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. " +
- "It is used as a query parameter name 'access_token'.",
- response = String.class
- )
- @ApiResponses(
- value = {
- @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
- @ApiResponse(code = 409, message = "Unable to create the download token because NiFi is not in the appropriate state. " +
- "(i.e. may not have any tokens to grant or be configured to support username/password login)"),
- @ApiResponse(code = 500, message = "Unable to create download token because an unexpected error occurred.")
- }
- )
- public Response createUiExtensionToken(@Context HttpServletRequest httpServletRequest) {
- // only support access tokens when communicating over HTTPS
- if (!httpServletRequest.isSecure()) {
- throw new AuthenticationNotSupportedException("UI extension access tokens are only issued over HTTPS.");
- }
-
- final NiFiUser user = NiFiUserUtils.getNiFiUser();
- if (user == null) {
- throw new AccessDeniedException("No user authenticated in the request.");
- }
-
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(user.getIdentity());
-
- // generate otp for response
- final String token = otpService.generateUiExtensionToken(authenticationToken);
-
- // build the response
- final URI uri = URI.create(generateResourceUri("access", "ui-extension-token"));
- return generateCreatedResponse(uri, token).build();
- }
-
- /**
* Creates a token for accessing the REST API via Kerberos ticket exchange / SPNEGO negotiation.
*
* @param httpServletRequest the servlet request
@@ -705,10 +612,6 @@
this.certificateExtractor = certificateExtractor;
}
- public void setOtpService(OtpService otpService) {
- this.otpService = otpService;
- }
-
public void setKnoxService(KnoxService knoxService) {
this.knoxService = knoxService;
}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
index 7f678b5..1934239 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/resources/nifi-web-api-context.xml
@@ -583,7 +583,6 @@
<property name="principalExtractor" ref="principalExtractor"/>
<property name="jwtAuthenticationProvider" ref="jwtAuthenticationProvider"/>
<property name="jwtService" ref="jwtService"/>
- <property name="otpService" ref="otpService"/>
<property name="kerberosService" ref="kerberosService"/>
<property name="properties" ref="nifiProperties"/>
<property name="clusterCoordinator" ref="clusterCoordinator"/>
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-content-viewer/src/main/webapp/WEB-INF/jsp/header.jsp b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-content-viewer/src/main/webapp/WEB-INF/jsp/header.jsp
index 5f5210d..f7dbd66 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-content-viewer/src/main/webapp/WEB-INF/jsp/header.jsp
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-content-viewer/src/main/webapp/WEB-INF/jsp/header.jsp
@@ -107,38 +107,12 @@
// if the selection has changesd, reload the page
if (currentLocation !== option.value) {
- // get an access token if necessary
- var getAccessToken = $$.Deferred(function (deferred) {
- if (nf.Storage.hasItem('jwt')) {
- $$.ajax({
- type: 'POST',
- url: '../nifi-api/access/ui-extension-token'
- }).done(function (token) {
- deferred.resolve(token);
- }).fail(function () {
- $$('#content-viewer-message').text('Unable to generate a token to view the content.');
- $$('#content-viewer-message-dialog').modal('show');
- deferred.reject();
- })
- } else {
- deferred.resolve('');
- }
- }).promise();
+ var contentParameter = {
+ mode: option.value
+ };
- // reload as appropriate
- getAccessToken.done(function (uiExtensionToken) {
- var contentParameter = {
- mode: option.value
- };
-
- // include the download token if applicable
- if (typeof uiExtensionToken !== 'undefined' && uiExtensionToken !== null && $$.trim(uiExtensionToken) !== '') {
- contentParameter['access_token'] = uiExtensionToken;
- }
-
- var url = window.location.origin + window.location.pathname;
- window.location.href = url + '?' + $$.param($$.extend(contentParameter, params));
- });
+ var url = window.location.origin + window.location.pathname;
+ window.location.href = url + '?' + $$.param($$.extend(contentParameter, params));
}
}
});
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
index 5502ab5..4ac2552 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java
@@ -42,7 +42,7 @@
private Cache<CacheKey, String> jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval)
/**
- * Creates a new OtpService with an expiration of 1 minute.
+ * Creates a new OIDC with an expiration of 1 minute.
*
* @param identityProvider The identity provider
*/
@@ -51,7 +51,7 @@
}
/**
- * Creates a new OtpService.
+ * Creates a new OIDC Service.
*
* @param identityProvider The identity provider
* @param duration The expiration duration
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationException.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationException.java
deleted file mode 100644
index ee2d573..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationException.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.springframework.security.core.AuthenticationException;
-
-/**
- * Thrown if a one time use token fails authentication.
- */
-public class OtpAuthenticationException extends AuthenticationException {
-
- public OtpAuthenticationException(String msg) {
- super(msg);
- }
-
- public OtpAuthenticationException(String msg, Throwable t) {
- super(msg, t);
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
deleted file mode 100644
index c09a4bb..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import java.util.regex.Pattern;
-import javax.servlet.http.HttpServletRequest;
-import org.apache.nifi.web.security.NiFiAuthenticationFilter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.Authentication;
-
-/**
- * This filter is used to capture one time passwords (OTP) from requests made to download files through the browser.
- * It's required because when we initiate a download in the browser, it must be opened in a new tab. The new tab
- * cannot be initialized with authentication headers, so we must add a token as a query parameter instead. As
- * tokens in URL strings are visible in various places, this must only be used once - hence our OTP.
- */
-public class OtpAuthenticationFilter extends NiFiAuthenticationFilter {
-
- private static final Logger logger = LoggerFactory.getLogger(OtpAuthenticationFilter.class);
-
- private static final Pattern PROVENANCE_DOWNLOAD_PATTERN =
- Pattern.compile("/provenance-events/([0-9]+)/content/((?:input)|(?:output))");
- private static final Pattern QUEUE_DOWNLOAD_PATTERN =
- Pattern.compile("/flowfile-queues/([a-f0-9\\-]{36})/flowfiles/([a-f0-9\\-]{36})/content");
- private static final Pattern TEMPLATE_DOWNLOAD_PATTERN =
- Pattern.compile("/templates/[a-f0-9\\-]{36}/download");
- private static final Pattern FLOW_DOWNLOAD_PATTERN =
- Pattern.compile("/process-groups/[a-f0-9\\-]{36}/download");
-
- protected static final String ACCESS_TOKEN = "access_token";
-
- @Override
- public Authentication attemptAuthentication(final HttpServletRequest request) {
- // only support otp login when running securely
- if (!request.isSecure()) {
- return null;
- }
-
- // get the accessToken out of the query string
- final String accessToken = request.getParameter(ACCESS_TOKEN);
-
- // if there is no authorization header, we don't know the user
- if (accessToken == null) {
- return null;
- } else {
- if (request.getContextPath().equals("/nifi-api")) {
- if (isDownloadRequest(request.getPathInfo())) {
- // handle download requests
- return new OtpAuthenticationRequestToken(accessToken, true, request.getRemoteAddr());
- }
- } else {
- // handle requests to other context paths (other UI extensions)
- return new OtpAuthenticationRequestToken(accessToken, false, request.getRemoteAddr());
- }
-
- // the path is a support path for otp tokens
- return null;
- }
- }
-
- private boolean isDownloadRequest(final String pathInfo) {
- return PROVENANCE_DOWNLOAD_PATTERN.matcher(pathInfo).matches() || QUEUE_DOWNLOAD_PATTERN.matcher(pathInfo).matches()
- || TEMPLATE_DOWNLOAD_PATTERN.matcher(pathInfo).matches() || FLOW_DOWNLOAD_PATTERN.matcher(pathInfo).matches();
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java
deleted file mode 100644
index 0b89b4b..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.apache.nifi.admin.service.IdpUserGroupService;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.user.NiFiUser;
-import org.apache.nifi.authorization.user.NiFiUserDetails;
-import org.apache.nifi.authorization.user.StandardNiFiUser.Builder;
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.InvalidAuthenticationException;
-import org.apache.nifi.web.security.NiFiAuthenticationProvider;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-
-import java.util.Set;
-import java.util.stream.Collectors;
-
-/**
- * This provider will be used when the request is attempting to authenticate with a download or ui extension OTP/token.
- */
-public class OtpAuthenticationProvider extends NiFiAuthenticationProvider {
-
- private OtpService otpService;
- private final IdpUserGroupService idpUserGroupService;
-
- public OtpAuthenticationProvider(OtpService otpService, NiFiProperties nifiProperties, Authorizer authorizer, IdpUserGroupService idpUserGroupService) {
- super(nifiProperties, authorizer);
- this.otpService = otpService;
- this.idpUserGroupService = idpUserGroupService;
- }
-
- @Override
- public Authentication authenticate(Authentication authentication) throws AuthenticationException {
- final OtpAuthenticationRequestToken request = (OtpAuthenticationRequestToken) authentication;
-
- try {
- final String otpPrincipal;
- if (request.isDownloadToken()) {
- otpPrincipal = otpService.getAuthenticationFromDownloadToken(request.getToken());
- } else {
- otpPrincipal = otpService.getAuthenticationFromUiExtensionToken(request.getToken());
- }
- final String mappedIdentity = mapIdentity(otpPrincipal);
- final Set<String> userGroupProviderGroups = getUserGroups(mappedIdentity);
- final Set<String> idpUserGroups = getIdpUserGroups(mappedIdentity);
-
- final NiFiUser user = new Builder()
- .identity(mappedIdentity)
- .groups(userGroupProviderGroups)
- .identityProviderGroups(idpUserGroups)
- .clientAddress(request.getClientAddress())
- .build();
-
- return new NiFiAuthenticationToken(new NiFiUserDetails(user));
- } catch (OtpAuthenticationException e) {
- throw new InvalidAuthenticationException(e.getMessage(), e);
- }
- }
-
- @Override
- public boolean supports(Class<?> authentication) {
- return OtpAuthenticationRequestToken.class.isAssignableFrom(authentication);
- }
-
- private Set<String> getIdpUserGroups(final String mappedIdentity) {
- return idpUserGroupService.getUserGroups(mappedIdentity).stream()
- .map(ug -> ug.getGroupName())
- .collect(Collectors.toSet());
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java
deleted file mode 100644
index bad7c94..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.apache.nifi.web.security.NiFiAuthenticationRequestToken;
-
-/**
- * This is an authentication request with a given OTP token.
- */
-public class OtpAuthenticationRequestToken extends NiFiAuthenticationRequestToken {
-
- private final String token;
- private final boolean isDownloadToken;
-
- /**
- * Creates a representation of the otp authentication request for a user.
- *
- * @param token The unique token for this user
- * @param isDownloadToken Whether or not this represents a download token
- * @param clientAddress the address of the client making the request
- */
- public OtpAuthenticationRequestToken(final String token, final boolean isDownloadToken, final String clientAddress) {
- super(clientAddress);
- setAuthenticated(false);
- this.token = token;
- this.isDownloadToken = isDownloadToken;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
-
- @Override
- public Object getPrincipal() {
- return token;
- }
-
- public String getToken() {
- return token;
- }
-
- public boolean isDownloadToken() {
- return isDownloadToken;
- }
-
- @Override
- public String toString() {
- return "<OTP token>";
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpService.java
deleted file mode 100644
index e8d96ae..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpService.java
+++ /dev/null
@@ -1,190 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.util.concurrent.TimeUnit;
-import javax.crypto.Mac;
-import javax.crypto.spec.SecretKeySpec;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.nifi.web.security.token.OtpAuthenticationToken;
-import org.apache.nifi.web.security.util.CacheKey;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * OtpService is a service for generating and verifying one time password tokens.
- */
-public class OtpService {
-
- private static final Logger logger = LoggerFactory.getLogger(OtpService.class);
-
- private static final String HMAC_SHA256 = "HmacSHA256";
-
- // protected for testing purposes
- protected static final int MAX_CACHE_SOFT_LIMIT = 100;
-
- private final TokenCache downloadTokens;
- private final TokenCache uiExtensionTokens;
-
- /**
- * Creates a new OtpService with an expiration of 5 minutes.
- */
- public OtpService() {
- this(5, TimeUnit.MINUTES);
- }
-
- /**
- * Creates a new OtpService.
- *
- * @param duration The expiration duration
- * @param units The expiration units
- * @throws NullPointerException If units is null
- * @throws IllegalArgumentException If duration is negative
- */
- public OtpService(final int duration, final TimeUnit units) {
- downloadTokens = new TokenCache("download tokens", duration, units);
- uiExtensionTokens = new TokenCache("UI extension tokens", duration, units);
- }
-
- /**
- * Generates a download token for the specified authentication.
- *
- * @param authenticationToken The authentication
- * @return The one time use download token
- */
- public String generateDownloadToken(final OtpAuthenticationToken authenticationToken) {
- return generateToken(downloadTokens, authenticationToken);
- }
-
- /**
- * Gets the authenticated identity from the specified one time use download token. This method will not return null.
- *
- * @param token The one time use download token
- * @return The authenticated identity
- * @throws OtpAuthenticationException When the specified token does not correspond to an authenticated identity
- */
- public String getAuthenticationFromDownloadToken(final String token) throws OtpAuthenticationException {
- return getAuthenticationFromToken(downloadTokens, token);
- }
-
- /**
- * Generates a UI extension token for the specified authentication.
- *
- * @param authenticationToken The authentication
- * @return The one time use UI extension token
- */
- public String generateUiExtensionToken(final OtpAuthenticationToken authenticationToken) {
- return generateToken(uiExtensionTokens, authenticationToken);
- }
-
- /**
- * Gets the authenticated identity from the specified one time use UI extension token. This method will not return null.
- *
- * @param token The one time use UI extension token
- * @return The authenticated identity
- * @throws OtpAuthenticationException When the specified token does not correspond to an authenticated identity
- */
- public String getAuthenticationFromUiExtensionToken(final String token) throws OtpAuthenticationException {
- return getAuthenticationFromToken(uiExtensionTokens, token);
- }
-
- /**
- * Generates a token and stores it in the specified cache.
- *
- * @param tokenCache A cache that maps tokens to users
- * @param authenticationToken The authentication
- * @return The one time use token
- */
- private String generateToken(final TokenCache tokenCache, final OtpAuthenticationToken authenticationToken) {
- final String userId = (String) authenticationToken.getPrincipal();
-
- // If the user has a token already, return it
- if(tokenCache.containsValue(userId)) {
- return (tokenCache.getKeyForValue(userId)).getKey();
- } else {
- // Otherwise, generate a token
- if (tokenCache.size() >= MAX_CACHE_SOFT_LIMIT) {
- throw new IllegalStateException("The maximum number of single use tokens have been issued.");
- }
-
- // Hash the authentication and build a cache key
- final CacheKey cacheKey = new CacheKey(hash(authenticationToken));
-
- // Store the token and user in the cache
- tokenCache.put(cacheKey, userId);
-
- // Return the token
- return cacheKey.getKey();
- }
- }
-
- /**
- * Gets the corresponding authentication for the specified one time use token. The specified token will be removed
- * from the token cache.
- *
- * @param tokenCache A cache that maps tokens to users
- * @param token The one time use token
- * @return The authenticated identity
- */
- private String getAuthenticationFromToken(final TokenCache tokenCache, final String token) throws OtpAuthenticationException {
- final CacheKey cacheKey = new CacheKey(token);
- final String authenticatedUser = (String) tokenCache.getIfPresent(cacheKey);
-
- if (authenticatedUser == null) {
- throw new OtpAuthenticationException("Unable to validate the access token.");
- } else {
- tokenCache.invalidate(cacheKey);
- }
-
- return authenticatedUser;
- }
-
- /**
- * Hashes the specified authentication token. The resulting value will be used as the one time use token.
- *
- * @param authenticationToken the authentication token
- * @return the one time use token
- */
- private String hash(final OtpAuthenticationToken authenticationToken) {
- try {
- // input is the user identity and timestamp
- final String input = authenticationToken.getName() + "-" + System.nanoTime();
-
- // create the secret using secure random
- final SecureRandom secureRandom = new SecureRandom();
- final byte[] randomBytes = new byte[32];
- secureRandom.nextBytes(randomBytes);
- final SecretKeySpec secret = new SecretKeySpec(randomBytes, HMAC_SHA256); // 256 bit
-
- // hash the input
- final Mac hmacSha256 = Mac.getInstance(HMAC_SHA256);
- hmacSha256.init(secret);
- final byte[] output = hmacSha256.doFinal(input.getBytes(StandardCharsets.UTF_8));
-
- // return the result as a base 64 string
- return Base64.encodeBase64URLSafeString(output);
- } catch (final NoSuchAlgorithmException | InvalidKeyException e) {
- final String errorMessage = "There was an error generating the OTP";
- logger.error(errorMessage, e);
- throw new IllegalStateException("Unable to generate single use token.");
- }
- }
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/TokenCache.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/TokenCache.java
deleted file mode 100644
index a19efe2..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/TokenCache.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import com.google.common.cache.AbstractCache;
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheStats;
-import java.util.Map;
-import java.util.concurrent.ConcurrentMap;
-import java.util.concurrent.TimeUnit;
-import org.apache.nifi.web.security.util.CacheKey;
-import org.checkerframework.checker.nullness.qual.Nullable;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * This class provides a specific wrapper implementation based on the Guava {@link Cache} but with
- * reverse-index capability because of the special use case (a user [the cache value] can only have
- * one active token [the cache key] at a time). This allows reverse lookup semantics.
- */
-public class TokenCache extends AbstractCache<CacheKey, String> {
- private static final Logger logger = LoggerFactory.getLogger(TokenCache.class);
-
- private final String contentsDescription;
- private final Cache<CacheKey, String> internalCache;
-
- public TokenCache(String contentsDescription, final int duration, final TimeUnit units) {
- this.contentsDescription = contentsDescription;
- internalCache = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
- }
-
- /**
- * Returns the value associated with {@code key} in this cache, or {@code null} if there is no
- * cached value for {@code key}.
- *
- * @param key the (wrapped) {@code token}
- * @since 11.0
- * @return the retrieved value ({@code user})
- */
- @Override
- public @Nullable String getIfPresent(Object key) {
- return internalCache.getIfPresent(key);
- }
-
- /**
- * Puts the provided value ({@code user}) in the cache at the provided key (wrapped {@code token}).
- *
- * @param key the cache key
- * @param value the value to insert
- * @since 11.0
- */
- @Override
- public void put(CacheKey key, String value) {
- internalCache.put(key, value);
- }
-
- /**
- * Returns {@code true} if the cache contains the provided value.
- *
- * @param value the value ({@code user}) to look for
- * @return true if the user exists in the cache
- */
- public boolean containsValue(String value) {
- return internalCache.asMap().containsValue(value);
- }
-
- /**
- * Returns the {@link CacheKey} representing the key ({@code token}) associated with the provided value ({@code user}).
- *
- * @param value the value ({@code user}) to look for
- * @return the CacheKey ({@code token}) associated with this user, or {@code null} if the user has no tokens in this cache
- */
- @Nullable
- public CacheKey getKeyForValue(String value) {
- if (containsValue(value)) {
- Map<CacheKey, String> cacheMap = internalCache.asMap();
- for (Map.Entry<CacheKey, String> e : cacheMap.entrySet()) {
- if (e.getValue().equals(value)) {
- return e.getKey();
- }
- }
- throw new IllegalStateException("The value existed in the cache but expired during retrieval");
- } else {
- return null;
- }
- }
-
- // Override the unsupported abstract methods from the parent
-
- @Override
- public void invalidate(Object key) {
- internalCache.invalidate(key);
- }
-
- @Override
- public void invalidateAll() {
- internalCache.invalidateAll(internalCache.asMap().keySet());
- }
-
- @Override
- public long size() {
- return internalCache.size();
- }
-
- @Override
- public CacheStats stats() {
- return internalCache.stats();
- }
-
- @Override
- public ConcurrentMap<CacheKey, String> asMap() {
- return internalCache.asMap();
- }
-
- /**
- * Returns a string representation of the cache.
- *
- * @return a string representation of the cache
- */
- @Override
- public String toString() {
- return new StringBuilder("TokenCache for ")
- .append(contentsDescription)
- .append(" with ")
- .append(internalCache.size())
- .append(" elements")
- .toString();
- }
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/OtpAuthenticationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/OtpAuthenticationToken.java
deleted file mode 100644
index fc51912..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/OtpAuthenticationToken.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.token;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-
-/**
- * This is an Authentication Token for logging in. Once a user is authenticated, they can be issued an ID token.
- */
-public class OtpAuthenticationToken extends AbstractAuthenticationToken {
-
- private final String identity;
-
- /**
- * Creates a representation of the otp authentication token for a user.
- *
- * @param identity The unique identifier for this user
- */
- public OtpAuthenticationToken(final String identity) {
- super(null);
- setAuthenticated(true);
- this.identity = identity;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
-
- @Override
- public Object getPrincipal() {
- return identity;
- }
-
- @Override
- public String toString() {
- return new StringBuilder("OtpAuthenticationToken for ")
- .append(getName())
- .toString();
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
index 0405dc5..fe9d59f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
@@ -39,7 +39,7 @@
<property name="certificateValidator" ref="certificateValidator"/>
</bean>
- <!-- otp authentication provider -->
+ <!-- x509 authentication provider -->
<bean id="x509AuthenticationProvider" class="org.apache.nifi.web.security.x509.X509AuthenticationProvider">
<constructor-arg ref="certificateIdentityProvider" index="0"/>
<constructor-arg ref="authorizer" index="1"/>
@@ -59,17 +59,6 @@
<constructor-arg ref="idpUserGroupService" index="3"/>
</bean>
- <!-- otp service -->
- <bean id="otpService" class="org.apache.nifi.web.security.otp.OtpService"/>
-
- <!-- otp authentication provider -->
- <bean id="otpAuthenticationProvider" class="org.apache.nifi.web.security.otp.OtpAuthenticationProvider">
- <constructor-arg ref="otpService" index="0"/>
- <constructor-arg ref="nifiProperties" index="1"/>
- <constructor-arg ref="authorizer" index="2"/>
- <constructor-arg ref="idpUserGroupService" index="3"/>
- </bean>
-
<!-- knox service -->
<bean id="knoxService" class="org.apache.nifi.web.security.knox.KnoxServiceFactoryBean">
<property name="properties" ref="nifiProperties"/>
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/otp/TokenCacheTest.groovy b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/otp/TokenCacheTest.groovy
deleted file mode 100644
index 64f8b6e..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/groovy/org/apache/nifi/web/security/otp/TokenCacheTest.groovy
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp
-
-
-import org.apache.nifi.web.security.token.OtpAuthenticationToken
-import org.apache.nifi.web.security.util.CacheKey
-import org.bouncycastle.jce.provider.BouncyCastleProvider
-import org.junit.After
-import org.junit.Before
-import org.junit.BeforeClass
-import org.junit.Test
-import org.junit.runner.RunWith
-import org.junit.runners.JUnit4
-import org.slf4j.Logger
-import org.slf4j.LoggerFactory
-
-import java.security.Security
-import java.util.concurrent.TimeUnit
-
-@RunWith(JUnit4.class)
-class TokenCacheTest extends GroovyTestCase {
- private static final Logger logger = LoggerFactory.getLogger(TokenCache.class)
-
- private static final String andy = "alopresto"
- private static final String nathan = "ngough"
- private static final String matt = "mgilman"
-
- private static final int LONG_CACHE_EXPIRATION = 10
- private static final int SHORT_CACHE_EXPIRATION = 1
-
- @BeforeClass
- static void setUpOnce() throws Exception {
- Security.addProvider(new BouncyCastleProvider())
-
- logger.metaClass.methodMissing = { String name, args ->
- logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
- }
- }
-
- @Before
- void setUp() throws Exception {
-
- }
-
- @After
- void tearDown() throws Exception {
-
- }
-
- /**
- * Returns a simple "hash" of the provided principal (for test purposes, simply reverses the String).
- *
- * @param principal the token principal
- * @return the hashed token output
- */
- private static String hash(def principal) {
- principal.toString().reverse()
- }
-
- /**
- * Returns the {@link CacheKey} constructed from the provided token.
- *
- * @param token the authentication token
- * @return the cache key
- */
- private static CacheKey buildCacheKey(OtpAuthenticationToken token) {
- new CacheKey(hash(token.principal))
- }
-
- @Test
- void testShouldCheckIfContainsValue() throws Exception {
- // Arrange
- TokenCache tokenCache = new TokenCache("test tokens", LONG_CACHE_EXPIRATION, TimeUnit.SECONDS)
-
- OtpAuthenticationToken andyToken = new OtpAuthenticationToken(andy)
- OtpAuthenticationToken nathanToken = new OtpAuthenticationToken(nathan)
-
- tokenCache.put(buildCacheKey(andyToken), andy)
- tokenCache.put(buildCacheKey(nathanToken), nathan)
-
- logger.info(tokenCache.toString())
-
- // Act
- boolean containsAndyToken = tokenCache.containsValue(andy)
- boolean containsNathanToken = tokenCache.containsValue(nathan)
- boolean containsMattToken = tokenCache.containsValue(matt)
-
- // Assert
- assert containsAndyToken
- assert containsNathanToken
- assert !containsMattToken
- }
-
- @Test
- void testShouldGetKeyByValue() throws Exception {
- // Arrange
- TokenCache tokenCache = new TokenCache("test tokens", LONG_CACHE_EXPIRATION, TimeUnit.SECONDS)
-
- OtpAuthenticationToken andyToken = new OtpAuthenticationToken(andy)
- OtpAuthenticationToken nathanToken = new OtpAuthenticationToken(nathan)
-
- tokenCache.put(buildCacheKey(andyToken), andy)
- tokenCache.put(buildCacheKey(nathanToken), nathan)
-
- logger.info(tokenCache.toString())
-
- // Act
- CacheKey keyForAndyToken = tokenCache.getKeyForValue(andy)
- CacheKey keyForNathanToken = tokenCache.getKeyForValue(nathan)
- CacheKey keyForMattToken = tokenCache.getKeyForValue(matt)
-
- def tokens = [keyForAndyToken, keyForNathanToken, keyForMattToken]
- logger.info("Retrieved tokens: ${tokens}")
-
- // Assert
- assert keyForAndyToken.getKey() == hash(andyToken.principal)
- assert keyForNathanToken.getKey() == hash(nathanToken.principal)
- assert !keyForMattToken
- }
-
- @Test
- void testShouldNotGetKeyByValueAfterExpiration() throws Exception {
- // Arrange
- TokenCache tokenCache = new TokenCache("test tokens", SHORT_CACHE_EXPIRATION, TimeUnit.SECONDS)
-
- OtpAuthenticationToken andyToken = new OtpAuthenticationToken(andy)
- OtpAuthenticationToken nathanToken = new OtpAuthenticationToken(nathan)
-
- tokenCache.put(buildCacheKey(andyToken), andy)
- tokenCache.put(buildCacheKey(nathanToken), nathan)
-
- logger.info(tokenCache.toString())
-
- // Sleep to allow the cache entries to expire (was failing on Windows JDK 8 when only sleeping for 1 second)
- sleep(SHORT_CACHE_EXPIRATION * 2 * 1000)
-
- // Act
- CacheKey keyForAndyToken = tokenCache.getKeyForValue(andy)
- CacheKey keyForNathanToken = tokenCache.getKeyForValue(nathan)
- CacheKey keyForMattToken = tokenCache.getKeyForValue(matt)
-
- def tokens = [keyForAndyToken, keyForNathanToken, keyForMattToken]
- logger.info("Retrieved tokens: ${tokens}")
-
- // Assert
- assert !keyForAndyToken
- assert !keyForNathanToken
- assert !keyForMattToken
- }
-
- @Test
- void testShouldInvalidateSingleKey() throws Exception {
- // Arrange
- TokenCache tokenCache = new TokenCache("test tokens", LONG_CACHE_EXPIRATION, TimeUnit.SECONDS)
-
- OtpAuthenticationToken andyToken = new OtpAuthenticationToken(andy)
- OtpAuthenticationToken nathanToken = new OtpAuthenticationToken(nathan)
- OtpAuthenticationToken mattToken = new OtpAuthenticationToken(matt)
-
- CacheKey andyKey = buildCacheKey(andyToken)
- CacheKey nathanKey = buildCacheKey(nathanToken)
- CacheKey mattKey = buildCacheKey(mattToken)
-
- tokenCache.put(andyKey, andy)
- tokenCache.put(nathanKey, nathan)
- tokenCache.put(mattKey, matt)
-
- logger.info(tokenCache.toString())
-
- // Act
- tokenCache.invalidate(andyKey)
-
- // Assert
- assert !tokenCache.containsValue(andy)
- assert tokenCache.containsValue(nathan)
- assert tokenCache.containsValue(matt)
- }
-
- @Test
- void testShouldInvalidateMultipleKeys() throws Exception {
- // Arrange
- TokenCache tokenCache = new TokenCache("test tokens", LONG_CACHE_EXPIRATION, TimeUnit.SECONDS)
-
- OtpAuthenticationToken andyToken = new OtpAuthenticationToken(andy)
- OtpAuthenticationToken nathanToken = new OtpAuthenticationToken(nathan)
- OtpAuthenticationToken mattToken = new OtpAuthenticationToken(matt)
-
- CacheKey andyKey = buildCacheKey(andyToken)
- CacheKey nathanKey = buildCacheKey(nathanToken)
- CacheKey mattKey = buildCacheKey(mattToken)
-
- tokenCache.put(andyKey, andy)
- tokenCache.put(nathanKey, nathan)
- tokenCache.put(mattKey, matt)
-
- logger.info(tokenCache.toString())
-
- // Act
- tokenCache.invalidateAll([andyKey, nathanKey])
-
- // Assert
- assert !tokenCache.containsValue(andy)
- assert !tokenCache.containsValue(nathan)
- assert tokenCache.containsValue(matt)
- }
-
- @Test
- void testShouldInvalidateAll() throws Exception {
- // Arrange
- TokenCache tokenCache = new TokenCache("test tokens", LONG_CACHE_EXPIRATION, TimeUnit.SECONDS)
-
- OtpAuthenticationToken andyToken = new OtpAuthenticationToken(andy)
- OtpAuthenticationToken nathanToken = new OtpAuthenticationToken(nathan)
- OtpAuthenticationToken mattToken = new OtpAuthenticationToken(matt)
-
- CacheKey andyKey = buildCacheKey(andyToken)
- CacheKey nathanKey = buildCacheKey(nathanToken)
- CacheKey mattKey = buildCacheKey(mattToken)
-
- tokenCache.put(andyKey, andy)
- tokenCache.put(nathanKey, nathan)
- tokenCache.put(mattKey, matt)
-
- logger.info(tokenCache.toString())
-
- // Act
- tokenCache.invalidateAll()
-
- // Assert
- assert !tokenCache.containsValue(andy)
- assert !tokenCache.containsValue(nathan)
- assert !tokenCache.containsValue(matt)
- }
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilterTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilterTest.java
deleted file mode 100644
index 8027b8f..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilterTest.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.junit.Before;
-import org.junit.Test;
-
-import javax.servlet.http.HttpServletRequest;
-import java.util.UUID;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-public class OtpAuthenticationFilterTest {
-
- private final static String UI_EXTENSION_AUTHENTICATED_USER = "ui-extension-token-authenticated-user";
- private final static String UI_EXTENSION_TOKEN = "ui-extension-token";
-
- private final static String DOWNLOAD_AUTHENTICATED_USER = "download-token-authenticated-user";
- private final static String DOWNLOAD_TOKEN = "download-token";
-
- private OtpAuthenticationFilter otpAuthenticationFilter;
-
- @Before
- public void setUp() throws Exception {
- otpAuthenticationFilter = new OtpAuthenticationFilter();
- }
-
- @Test
- public void testInsecureHttp() throws Exception {
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(false);
- assertNull(otpAuthenticationFilter.attemptAuthentication(request));
- }
-
- @Test
- public void testNoAccessToken() throws Exception {
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn(null);
- assertNull(otpAuthenticationFilter.attemptAuthentication(request));
- }
-
- @Test
- public void testUnsupportedDownloadPath() throws Exception {
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn("my-access-token");
- when(request.getContextPath()).thenReturn("/nifi-api");
- when(request.getPathInfo()).thenReturn("/flow/cluster/summary");
-
- assertNull(otpAuthenticationFilter.attemptAuthentication(request));
- }
-
- @Test
- public void testUiExtensionPath() throws Exception {
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn(UI_EXTENSION_TOKEN);
- when(request.getContextPath()).thenReturn("/nifi-update-attribute-ui");
-
- final OtpAuthenticationRequestToken result = (OtpAuthenticationRequestToken) otpAuthenticationFilter.attemptAuthentication(request);
- assertEquals(UI_EXTENSION_TOKEN, result.getToken());
- assertFalse(result.isDownloadToken());
- }
-
- @Test
- public void testProvenanceInputContentDownload() throws Exception {
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn(DOWNLOAD_TOKEN);
- when(request.getContextPath()).thenReturn("/nifi-api");
- when(request.getPathInfo()).thenReturn("/provenance-events/0/content/input");
-
- final OtpAuthenticationRequestToken result = (OtpAuthenticationRequestToken) otpAuthenticationFilter.attemptAuthentication(request);
- assertEquals(DOWNLOAD_TOKEN, result.getToken());
- assertTrue(result.isDownloadToken());
- }
-
- @Test
- public void testProvenanceOutputContentDownload() throws Exception {
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn(DOWNLOAD_TOKEN);
- when(request.getContextPath()).thenReturn("/nifi-api");
- when(request.getPathInfo()).thenReturn("/provenance-events/0/content/output");
-
- final OtpAuthenticationRequestToken result = (OtpAuthenticationRequestToken) otpAuthenticationFilter.attemptAuthentication(request);
- assertEquals(DOWNLOAD_TOKEN, result.getToken());
- assertTrue(result.isDownloadToken());
- }
-
- @Test
- public void testFlowFileContentDownload() throws Exception {
- final String uuid = UUID.randomUUID().toString();
-
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn(DOWNLOAD_TOKEN);
- when(request.getContextPath()).thenReturn("/nifi-api");
- when(request.getPathInfo()).thenReturn(String.format("/flowfile-queues/%s/flowfiles/%s/content", uuid, uuid));
-
- final OtpAuthenticationRequestToken result = (OtpAuthenticationRequestToken) otpAuthenticationFilter.attemptAuthentication(request);
- assertEquals(DOWNLOAD_TOKEN, result.getToken());
- assertTrue(result.isDownloadToken());
- }
-
- @Test
- public void testTemplateDownload() throws Exception {
- final String uuid = UUID.randomUUID().toString();
-
- final HttpServletRequest request = mock(HttpServletRequest.class);
- when(request.isSecure()).thenReturn(true);
- when(request.getParameter(OtpAuthenticationFilter.ACCESS_TOKEN)).thenReturn(DOWNLOAD_TOKEN);
- when(request.getContextPath()).thenReturn("/nifi-api");
- when(request.getPathInfo()).thenReturn(String.format("/templates/%s/download", uuid));
-
- final OtpAuthenticationRequestToken result = (OtpAuthenticationRequestToken) otpAuthenticationFilter.attemptAuthentication(request);
- assertEquals(DOWNLOAD_TOKEN, result.getToken());
- assertTrue(result.isDownloadToken());
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpAuthenticationProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpAuthenticationProviderTest.java
deleted file mode 100644
index 38c95a6..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpAuthenticationProviderTest.java
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.apache.nifi.admin.service.IdpUserGroupService;
-import org.apache.nifi.authorization.AccessPolicyProvider;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.Group;
-import org.apache.nifi.authorization.ManagedAuthorizer;
-import org.apache.nifi.authorization.User;
-import org.apache.nifi.authorization.UserAndGroups;
-import org.apache.nifi.authorization.UserGroupProvider;
-import org.apache.nifi.authorization.user.NiFiUser;
-import org.apache.nifi.authorization.user.NiFiUserDetails;
-import org.apache.nifi.idp.IdpType;
-import org.apache.nifi.idp.IdpUserGroup;
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Set;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.doAnswer;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class OtpAuthenticationProviderTest {
-
- private final static String UI_EXTENSION_AUTHENTICATED_USER = "ui-extension-token-authenticated-user";
- private final static String UI_EXTENSION_TOKEN = "ui-extension-token";
-
- private final static String DOWNLOAD_AUTHENTICATED_USER = "download-token-authenticated-user";
- private final static String DOWNLOAD_TOKEN = "download-token";
-
- private OtpService otpService;
- private OtpAuthenticationProvider otpAuthenticationProvider;
- private NiFiProperties nifiProperties;
- private IdpUserGroupService idpUserGroupService;
-
- @Before
- public void setUp() throws Exception {
- otpService = mock(OtpService.class);
- doAnswer(new Answer<String>() {
- @Override
- public String answer(InvocationOnMock invocation) throws Throwable {
- Object[] args = invocation.getArguments();
- String downloadToken = (String) args[0];
-
- if (DOWNLOAD_TOKEN.equals(downloadToken)) {
- return DOWNLOAD_AUTHENTICATED_USER;
- }
-
- throw new OtpAuthenticationException("Invalid token");
- }
- }).when(otpService).getAuthenticationFromDownloadToken(anyString());
- doAnswer(new Answer<String>() {
- @Override
- public String answer(InvocationOnMock invocation) throws Throwable {
- Object[] args = invocation.getArguments();
- String uiExtensionToken = (String) args[0];
-
- if (UI_EXTENSION_TOKEN.equals(uiExtensionToken)) {
- return UI_EXTENSION_AUTHENTICATED_USER;
- }
-
- throw new OtpAuthenticationException("Invalid token");
- }
- }).when(otpService).getAuthenticationFromUiExtensionToken(anyString());
-
- idpUserGroupService = mock(IdpUserGroupService.class);
-
- otpAuthenticationProvider = new OtpAuthenticationProvider(
- otpService, mock(NiFiProperties.class), mock(Authorizer.class), idpUserGroupService);
- }
-
- @Test
- public void testUiExtensionPath() throws Exception {
- when(idpUserGroupService.getUserGroups(anyString())).thenReturn(Collections.emptyList());
-
- final OtpAuthenticationRequestToken request = new OtpAuthenticationRequestToken(UI_EXTENSION_TOKEN, false, null);
-
- final NiFiAuthenticationToken result = (NiFiAuthenticationToken) otpAuthenticationProvider.authenticate(request);
- final NiFiUserDetails details = (NiFiUserDetails) result.getPrincipal();
- assertEquals(UI_EXTENSION_AUTHENTICATED_USER, details.getUsername());
- assertNotNull(details.getNiFiUser());
-
- assertNull(details.getNiFiUser().getGroups());
-
- assertNotNull(details.getNiFiUser().getIdentityProviderGroups());
- assertEquals(0, details.getNiFiUser().getIdentityProviderGroups().size());
-
- assertNotNull(details.getNiFiUser().getAllGroups());
- assertEquals(0, details.getNiFiUser().getAllGroups().size());
-
- verify(otpService, times(1)).getAuthenticationFromUiExtensionToken(UI_EXTENSION_TOKEN);
- verify(otpService, never()).getAuthenticationFromDownloadToken(anyString());
- }
-
- @Test
- public void testDownload() throws Exception {
- when(idpUserGroupService.getUserGroups(anyString())).thenReturn(Collections.emptyList());
-
- final OtpAuthenticationRequestToken request = new OtpAuthenticationRequestToken(DOWNLOAD_TOKEN, true, null);
-
- final NiFiAuthenticationToken result = (NiFiAuthenticationToken) otpAuthenticationProvider.authenticate(request);
- final NiFiUserDetails details = (NiFiUserDetails) result.getPrincipal();
- assertEquals(DOWNLOAD_AUTHENTICATED_USER, details.getUsername());
- assertNotNull(details.getNiFiUser());
-
- assertNull(details.getNiFiUser().getGroups());
-
- assertNotNull(details.getNiFiUser().getIdentityProviderGroups());
- assertEquals(0, details.getNiFiUser().getIdentityProviderGroups().size());
-
- assertNotNull(details.getNiFiUser().getAllGroups());
- assertEquals(0, details.getNiFiUser().getAllGroups().size());
-
- verify(otpService, never()).getAuthenticationFromUiExtensionToken(anyString());
- verify(otpService, times(1)).getAuthenticationFromDownloadToken(DOWNLOAD_TOKEN);
- }
-
- @Test
- public void testWhenIdpUserGroupsArePresent() {
- final String groupName1 = "group1";
- final IdpUserGroup idpUserGroup1 = createIdpUserGroup(1, DOWNLOAD_AUTHENTICATED_USER, groupName1, IdpType.SAML);
-
- final String groupName2 = "group2";
- final IdpUserGroup idpUserGroup2 = createIdpUserGroup(2, DOWNLOAD_AUTHENTICATED_USER, groupName2, IdpType.SAML);
-
- when(idpUserGroupService.getUserGroups(DOWNLOAD_AUTHENTICATED_USER)).thenReturn(Arrays.asList(idpUserGroup1, idpUserGroup2));
-
- final OtpAuthenticationRequestToken request = new OtpAuthenticationRequestToken(DOWNLOAD_TOKEN, true, null);
-
- final NiFiAuthenticationToken result = (NiFiAuthenticationToken) otpAuthenticationProvider.authenticate(request);
- final NiFiUserDetails details = (NiFiUserDetails) result.getPrincipal();
- assertEquals(DOWNLOAD_AUTHENTICATED_USER, details.getUsername());
-
- final NiFiUser returnedUser = details.getNiFiUser();
- assertNotNull(returnedUser);
-
- // user-group-provider groups are null
- assertNull(returnedUser.getGroups());
-
- // identity-provider group contain the two groups
- assertNotNull(returnedUser.getIdentityProviderGroups());
- assertEquals(2, returnedUser.getIdentityProviderGroups().size());
- assertTrue(returnedUser.getIdentityProviderGroups().contains(groupName1));
- assertTrue(returnedUser.getIdentityProviderGroups().contains(groupName1));
-
- verify(otpService, never()).getAuthenticationFromUiExtensionToken(anyString());
- verify(otpService, times(1)).getAuthenticationFromDownloadToken(DOWNLOAD_TOKEN);
- }
-
- @Test
- public void testWhenUserGroupProviderGroupsAndIdpUserGroupsArePresent() {
- // setup idp user group service...
-
- final String groupName1 = "group1";
- final IdpUserGroup idpUserGroup1 = createIdpUserGroup(1, DOWNLOAD_AUTHENTICATED_USER, groupName1, IdpType.SAML);
-
- final String groupName2 = "group2";
- final IdpUserGroup idpUserGroup2 = createIdpUserGroup(2, DOWNLOAD_AUTHENTICATED_USER, groupName2, IdpType.SAML);
-
- when(idpUserGroupService.getUserGroups(DOWNLOAD_AUTHENTICATED_USER)).thenReturn(Arrays.asList(idpUserGroup1, idpUserGroup2));
-
- // setup managed authorizer...
-
- final String groupName3 = "group3";
- final Group group3 = new Group.Builder().identifierGenerateRandom().name(groupName3).build();
-
- final UserGroupProvider userGroupProvider = mock(UserGroupProvider.class);
- when(userGroupProvider.getUserAndGroups(DOWNLOAD_AUTHENTICATED_USER)).thenReturn(new UserAndGroups() {
- @Override
- public User getUser() {
- return new User.Builder().identifier(DOWNLOAD_AUTHENTICATED_USER).identity(DOWNLOAD_AUTHENTICATED_USER).build();
- }
-
- @Override
- public Set<Group> getGroups() {
- return Collections.singleton(group3);
- }
- });
-
- final AccessPolicyProvider accessPolicyProvider = mock(AccessPolicyProvider.class);
- when(accessPolicyProvider.getUserGroupProvider()).thenReturn(userGroupProvider);
-
- final ManagedAuthorizer managedAuthorizer = mock(ManagedAuthorizer.class);
- when(managedAuthorizer.getAccessPolicyProvider()).thenReturn(accessPolicyProvider);
-
- // create OTP auth provider using mocks from above
-
- otpAuthenticationProvider = new OtpAuthenticationProvider(
- otpService, mock(NiFiProperties.class), managedAuthorizer, idpUserGroupService);
-
- // test...
-
- final OtpAuthenticationRequestToken request = new OtpAuthenticationRequestToken(DOWNLOAD_TOKEN, true, null);
-
- final NiFiAuthenticationToken result = (NiFiAuthenticationToken) otpAuthenticationProvider.authenticate(request);
- final NiFiUserDetails details = (NiFiUserDetails) result.getPrincipal();
- assertEquals(DOWNLOAD_AUTHENTICATED_USER, details.getUsername());
-
- final NiFiUser returnedUser = details.getNiFiUser();
- assertNotNull(returnedUser);
-
- // Assert user-group-provider groups are correct
- assertEquals(1, returnedUser.getGroups().size());
- assertTrue(returnedUser.getGroups().contains(groupName3));
-
- // Assert identity-provider groups are correct
- assertEquals(2, returnedUser.getIdentityProviderGroups().size());
- assertTrue(returnedUser.getIdentityProviderGroups().contains(groupName1));
- assertTrue(returnedUser.getIdentityProviderGroups().contains(groupName2));
-
- // Assert combined groups are correct
- assertEquals(3, returnedUser.getAllGroups().size());
- assertTrue(returnedUser.getAllGroups().contains(groupName1));
- assertTrue(returnedUser.getAllGroups().contains(groupName2));
- assertTrue(returnedUser.getAllGroups().contains(groupName3));
-
- verify(otpService, never()).getAuthenticationFromUiExtensionToken(anyString());
- verify(otpService, times(1)).getAuthenticationFromDownloadToken(DOWNLOAD_TOKEN);
- }
-
- private IdpUserGroup createIdpUserGroup(int id, String identity, String groupName, IdpType idpType) {
- final IdpUserGroup userGroup = new IdpUserGroup();
- userGroup.setId(id);
- userGroup.setIdentity(identity);
- userGroup.setGroupName(groupName);
- userGroup.setType(idpType);
- return userGroup;
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpServiceTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpServiceTest.java
deleted file mode 100644
index 6ff920d..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/otp/OtpServiceTest.java
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.fail;
-
-import java.util.concurrent.TimeUnit;
-import org.apache.nifi.web.security.token.OtpAuthenticationToken;
-import org.junit.Before;
-import org.junit.Test;
-
-public class OtpServiceTest {
-
- private final static String USER_1 = "user-identity-1";
- private final static int CACHE_EXPIRY_TIME = 1;
- private final static int WAIT_TIME = 2000;
-
- private OtpService otpService;
-
- @Before
- public void setUp() throws Exception {
- otpService = new OtpService();
- }
-
- @Test
- public void testGetAuthenticationForValidDownloadToken() throws Exception {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpService.generateDownloadToken(authenticationToken);
- final String authenticatedUser = otpService.getAuthenticationFromDownloadToken(downloadToken);
-
- assertNotNull(authenticatedUser);
- assertEquals(USER_1, authenticatedUser);
-
- try {
- // ensure the token is no longer valid
- otpService.getAuthenticationFromDownloadToken(downloadToken);
- fail();
- } catch (final OtpAuthenticationException oae) {}
- }
-
- @Test
- public void testGetAuthenticationForValidUiExtensionToken() throws Exception {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String uiExtensionToken = otpService.generateUiExtensionToken(authenticationToken);
- final String authenticatedUser = otpService.getAuthenticationFromUiExtensionToken(uiExtensionToken);
-
- assertNotNull(authenticatedUser);
- assertEquals(USER_1, authenticatedUser);
-
- try {
- // ensure the token is no longer valid
- otpService.getAuthenticationFromUiExtensionToken(uiExtensionToken);
- fail();
- } catch (final OtpAuthenticationException oae) {}
- }
-
- @Test(expected = OtpAuthenticationException.class)
- public void testGetNonExistentDownloadToken() throws Exception {
- otpService.getAuthenticationFromDownloadToken("Not a real download token");
- }
-
- @Test(expected = OtpAuthenticationException.class)
- public void testGetNonExistentUiExtensionToken() throws Exception {
- otpService.getAuthenticationFromUiExtensionToken("Not a real ui extension token");
- }
-
- @Test(expected = IllegalStateException.class)
- public void testMaxDownloadTokenLimit() throws Exception {
- // ensure we'll try to loop past the limit
- for (int i = 1; i < OtpService.MAX_CACHE_SOFT_LIMIT + 10; i++) {
- try {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken("user-identity-" + i);
- otpService.generateDownloadToken(authenticationToken);
- } catch (final IllegalStateException iae) {
- // ensure we failed when we've passed the limit
- assertEquals(OtpService.MAX_CACHE_SOFT_LIMIT + 1, i);
- throw iae;
- }
- }
- }
-
- @Test(expected = IllegalStateException.class)
- public void testMaxUiExtensionTokenLimit() throws Exception {
- // ensure we'll try to loop past the limit
- for (int i = 1; i < OtpService.MAX_CACHE_SOFT_LIMIT + 10; i++) {
- try {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken("user-identity-" + i);
- otpService.generateUiExtensionToken(authenticationToken);
- } catch (final IllegalStateException iae) {
- // ensure we failed when we've passed the limit
- assertEquals(OtpService.MAX_CACHE_SOFT_LIMIT + 1, i);
- throw iae;
- }
- }
- }
-
- @Test(expected = NullPointerException.class)
- public void testNullTimeUnits() throws Exception {
- new OtpService(0, null);
- }
-
- @Test(expected = IllegalArgumentException.class)
- public void testNegativeExpiration() throws Exception {
- new OtpService(-1, TimeUnit.MINUTES);
- }
-
- @Test(expected = OtpAuthenticationException.class)
- public void testUiExtensionTokenExpiration() throws Exception {
- final OtpService otpServiceWithTightExpiration = new OtpService(CACHE_EXPIRY_TIME, TimeUnit.SECONDS);
-
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpServiceWithTightExpiration.generateUiExtensionToken(authenticationToken);
-
- // sleep for 2 seconds which should sufficiently expire the valid token
- Thread.sleep(WAIT_TIME);
-
- // attempt to get the token now that it's expired
- otpServiceWithTightExpiration.getAuthenticationFromUiExtensionToken(downloadToken);
- }
-
- @Test(expected = OtpAuthenticationException.class)
- public void testDownloadTokenExpiration() throws Exception {
- final OtpService otpServiceWithTightExpiration = new OtpService(CACHE_EXPIRY_TIME, TimeUnit.SECONDS);
-
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpServiceWithTightExpiration.generateDownloadToken(authenticationToken);
-
- // sleep for 2 seconds which should sufficiently expire the valid token
- Thread.sleep(WAIT_TIME);
-
- // attempt to get the token now that it's expired
- otpServiceWithTightExpiration.getAuthenticationFromDownloadToken(downloadToken);
- }
-
- @Test
- public void testDownloadTokenIsTheSameForSubsequentRequests() {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpService.generateDownloadToken(authenticationToken);
- final String secondDownloadToken = otpService.generateDownloadToken(authenticationToken);
-
- assertEquals(downloadToken, secondDownloadToken);
- }
-
- @Test
- public void testDownloadTokenIsTheSameForSubsequentRequestsUntilUsed() {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
-
- // generate two tokens
- final String downloadToken = otpService.generateDownloadToken(authenticationToken);
- final String secondDownloadToken = otpService.generateDownloadToken(authenticationToken);
-
- assertEquals(downloadToken, secondDownloadToken);
-
- // use the token
- otpService.getAuthenticationFromDownloadToken(downloadToken);
-
- // make sure the next token is now different
- final String thirdDownloadToken = otpService.generateDownloadToken(authenticationToken);
- assertNotEquals(downloadToken, thirdDownloadToken);
- }
-
- @Test
- public void testDownloadTokenIsValidForSubsequentGenerateAndUse() {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
-
- // generate a token
- final String downloadToken = otpService.generateDownloadToken(authenticationToken);
-
- // use the token
- final String auth = otpService.getAuthenticationFromDownloadToken(downloadToken);
- assertEquals(USER_1, auth);
-
- // generate a new token, make sure it's different, then authenticate with it
- final String secondDownloadToken = otpService.generateDownloadToken(authenticationToken);
- assertNotEquals(downloadToken, secondDownloadToken);
- final String secondAuth = otpService.getAuthenticationFromDownloadToken(secondDownloadToken);
- assertEquals(USER_1, secondAuth);
- }
-
- @Test
- public void testSingleUserCannotGenerateTooManyUIExtensionTokens() throws Exception {
- // ensure we'll try to loop past the limit
- for (int i = 1; i < OtpService.MAX_CACHE_SOFT_LIMIT + 10; i++) {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken("user-identity-1");
- otpService.generateUiExtensionToken(authenticationToken);
-
- }
-
- // make sure other users can still generate tokens
- final OtpAuthenticationToken anotherAuthenticationToken = new OtpAuthenticationToken("user-identity-2");
- final String auth = otpService.generateUiExtensionToken(anotherAuthenticationToken);
- assertNotNull(auth);
- }
-
- @Test
- public void testSingleUserCannotGenerateTooManyDownloadTokens() throws Exception {
- // ensure we'll try to loop past the limit
- for (int i = 1; i < OtpService.MAX_CACHE_SOFT_LIMIT + 10; i++) {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken("user-identity-1");
- otpService.generateDownloadToken(authenticationToken);
-
- }
-
- // make sure other users can still generate tokens
- final OtpAuthenticationToken anotherAuthenticationToken = new OtpAuthenticationToken("user-identity-2");
- final String auth = otpService.generateDownloadToken(anotherAuthenticationToken);
- assertNotNull(auth);
- }
-
- @Test(expected = OtpAuthenticationException.class)
- public void testDownloadTokenNotValidAfterUse() throws Exception {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpService.generateDownloadToken(authenticationToken);
-
- // use the token
- final String authenticatedUser = otpService.getAuthenticationFromDownloadToken(downloadToken);
-
- // check we authenticated successfully
- assertNotNull(authenticatedUser);
- assertEquals(USER_1, authenticatedUser);
-
- // check authentication fails with the used token
- final String failedAuthentication = otpService.getAuthenticationFromDownloadToken(downloadToken);
- }
-
- @Test(expected = OtpAuthenticationException.class)
- public void testUIExtensionTokenNotValidAfterUse() throws Exception {
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpService.generateDownloadToken(authenticationToken);
-
- // use the token
- final String authenticatedUser = otpService.getAuthenticationFromUiExtensionToken(downloadToken);
-
- // check we authenticated successfully
- assertNotNull(authenticatedUser);
- assertEquals(USER_1, authenticatedUser);
-
- // check authentication fails with the used token
- final String failedAuthentication = otpService.getAuthenticationFromUiExtensionToken(downloadToken);
- }
-
- @Test
- public void testShouldGenerateNewDownloadTokenAfterExpiration() throws Exception {
- final OtpService otpServiceWithTightExpiration = new OtpService(CACHE_EXPIRY_TIME, TimeUnit.SECONDS);
-
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpServiceWithTightExpiration.generateDownloadToken(authenticationToken);
-
- // sleep for 2 seconds which should sufficiently expire the valid token
- Thread.sleep(WAIT_TIME);
-
- // get a new token and make sure the previous one had expired
- final String secondDownloadToken = otpServiceWithTightExpiration.generateDownloadToken(authenticationToken);
- assertNotEquals(downloadToken, secondDownloadToken);
- }
-
- @Test
- public void testDownloadTokenRemainsTheSameBeforeExpirationButNotAfter() throws Exception {
- final OtpService otpServiceWithTightExpiration = new OtpService(CACHE_EXPIRY_TIME, TimeUnit.SECONDS);
-
- final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(USER_1);
- final String downloadToken = otpServiceWithTightExpiration.generateDownloadToken(authenticationToken);
- final String secondDownloadToken = otpServiceWithTightExpiration.generateDownloadToken(authenticationToken);
-
- assertEquals(downloadToken, secondDownloadToken);
-
- // sleep for 2 seconds which should sufficiently expire the valid token
- Thread.sleep(WAIT_TIME);
-
- // get a new token and make sure the previous one had expired
- final String thirdDownloadToken = otpServiceWithTightExpiration.generateDownloadToken(authenticationToken);
- assertNotEquals(downloadToken, thirdDownloadToken);
- }
-}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-actions.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-actions.js
index 5ae7945..a7ee61f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-actions.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-actions.js
@@ -151,7 +151,6 @@
api: '../nifi-api',
controller: '../nifi-api/controller',
parameterContexts: '../nifi-api/parameter-contexts',
- downloadToken: '../nifi-api/access/download-token'
}
};
@@ -1648,26 +1647,11 @@
}
if (processGroupId !== null) {
- nfCommon.getAccessToken(config.urls.downloadToken).done(function (downloadToken) {
- var parameters = {};
+ var parameters = {};
- // conditionally include the download token
- if (!nfCommon.isBlank(downloadToken)) {
- parameters['access_token'] = downloadToken;
- }
-
- // open the url
- var uri = '../nifi-api/process-groups/' + encodeURIComponent(processGroupId) + '/download';
- if (!$.isEmptyObject(parameters)) {
- uri += ('?' + $.param(parameters));
- }
- window.open(uri);
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Download Flow Definition',
- dialogContent: 'Unable to generate access token for downloading content.'
- });
- });
+ // open the url
+ var uri = '../nifi-api/process-groups/' + encodeURIComponent(processGroupId) + '/download';
+ window.open(uri);
}
},
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-custom-ui.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-custom-ui.js
index de26b1f..d10cc3c 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-custom-ui.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-custom-ui.js
@@ -55,35 +55,22 @@
*/
showCustomUi: function (entity, uri, editable) {
return $.Deferred(function (deferred) {
- nfCommon.getAccessToken('../nifi-api/access/ui-extension-token').done(function (uiExtensionToken) {
- // record the processor id
- $('#shell-close-button');
+ // record the processor id
+ $('#shell-close-button');
- var revision = nfClient.getRevision(entity);
+ var revision = nfClient.getRevision(entity);
- // build the customer ui params
- var customUiParams = {
- 'id': entity.id,
- 'revision': revision.version,
- 'clientId': revision.clientId,
- 'editable': editable,
- 'disconnectedNodeAcknowledged': nfStorage.isDisconnectionAcknowledged()
- };
+ // build the customer ui params
+ var customUiParams = {
+ 'id': entity.id,
+ 'revision': revision.version,
+ 'clientId': revision.clientId,
+ 'editable': editable,
+ 'disconnectedNodeAcknowledged': nfStorage.isDisconnectionAcknowledged()
+ };
- // conditionally include the ui extension token
- if (!nfCommon.isBlank(uiExtensionToken)) {
- customUiParams['access_token'] = uiExtensionToken;
- }
-
- // show the shell
- nfShell.showPage('..' + uri + '?' + $.param(customUiParams), false).done(function () {
- deferred.resolve();
- });
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Advanced Configuration',
- dialogContent: 'Unable to generate access token for accessing the advanced configuration dialog.'
- });
+ // show the shell
+ nfShell.showPage('..' + uri + '?' + $.param(customUiParams), false).done(function () {
deferred.resolve();
});
}).promise();
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-queue-listing.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-queue-listing.js
index 89131bd..7aeb3e5 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-queue-listing.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-queue-listing.js
@@ -67,8 +67,6 @@
*/
var config = {
urls: {
- uiExtensionToken: '../nifi-api/access/ui-extension-token',
- downloadToken: '../nifi-api/access/download-token'
}
};
@@ -247,33 +245,20 @@
var downloadContent = function (flowFileSummary) {
var dataUri = ((nfCommon.isDefinedAndNotNull(flowFileSummary.uri))?flowFileSummary.uri:$('#flowfile-uri').text())+ '/content';
- // perform the request once we've received a token
- nfCommon.getAccessToken(config.urls.downloadToken).done(function (downloadToken) {
- var parameters = {};
+ var parameters = {};
- // conditionally include the ui extension token
- if (!nfCommon.isBlank(downloadToken)) {
- parameters['access_token'] = downloadToken;
- }
+ // conditionally include the cluster node id
+ var clusterNodeId = (nfCommon.isDefinedAndNotNull(flowFileSummary.clusterNodeId))?flowFileSummary.clusterNodeId:$('#flowfile-cluster-node-id').text();
+ if (!nfCommon.isBlank(clusterNodeId)) {
+ parameters['clusterNodeId'] = clusterNodeId;
+ }
- // conditionally include the cluster node id
- var clusterNodeId = (nfCommon.isDefinedAndNotNull(flowFileSummary.clusterNodeId))?flowFileSummary.clusterNodeId:$('#flowfile-cluster-node-id').text();
- if (!nfCommon.isBlank(clusterNodeId)) {
- parameters['clusterNodeId'] = clusterNodeId;
- }
-
- // open the url
- if ($.isEmptyObject(parameters)) {
- window.open(dataUri);
- } else {
- window.open(dataUri + '?' + $.param(parameters));
- }
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Queue Listing',
- dialogContent: 'Unable to generate access token for downloading content.'
- });
- });
+ // open the url
+ if ($.isEmptyObject(parameters)) {
+ window.open(dataUri);
+ } else {
+ window.open(dataUri + '?' + $.param(parameters));
+ }
};
/**
@@ -285,80 +270,37 @@
var dataUri = ((nfCommon.isDefinedAndNotNull(flowFileSummary.uri))?flowFileSummary.uri:$('#flowfile-uri').text())+ '/content';
- // generate tokens as necessary
- var getAccessTokens = $.Deferred(function (deferred) {
- if (nfStorage.hasItem('jwt')) {
- // generate a token for the ui extension and another for the callback
- var uiExtensionToken = $.ajax({
- type: 'POST',
- url: config.urls.uiExtensionToken
- });
- var downloadToken = $.ajax({
- type: 'POST',
- url: config.urls.downloadToken
- });
+ var dataUriParameters = {};
- // wait for each token
- $.when(uiExtensionToken, downloadToken).done(function (uiExtensionTokenResult, downloadTokenResult) {
- var uiExtensionToken = uiExtensionTokenResult[0];
- var downloadToken = downloadTokenResult[0];
- deferred.resolve(uiExtensionToken, downloadToken);
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Queue Listing',
- dialogContent: 'Unable to generate access token for viewing content.'
- });
- deferred.reject();
- });
- } else {
- deferred.resolve('', '');
- }
- }).promise();
+ // conditionally include the cluster node id
+ var clusterNodeId = (nfCommon.isDefinedAndNotNull(flowFileSummary.clusterNodeId))?flowFileSummary.clusterNodeId:$('#flowfile-cluster-node-id').text();
+ if (!nfCommon.isBlank(clusterNodeId)) {
+ dataUriParameters['clusterNodeId'] = clusterNodeId;
+ }
- // perform the request after we've received the tokens
- getAccessTokens.done(function (uiExtensionToken, downloadToken) {
- var dataUriParameters = {};
+ // include parameters if necessary
+ if ($.isEmptyObject(dataUriParameters) === false) {
+ dataUri = dataUri + '?' + $.param(dataUriParameters);
+ }
- // conditionally include the cluster node id
- var clusterNodeId = (nfCommon.isDefinedAndNotNull(flowFileSummary.clusterNodeId))?flowFileSummary.clusterNodeId:$('#flowfile-cluster-node-id').text();
- if (!nfCommon.isBlank(clusterNodeId)) {
- dataUriParameters['clusterNodeId'] = clusterNodeId;
- }
+ // open the content viewer
+ var contentViewerUrl = $('#nifi-content-viewer-url').text();
- // include the download token if applicable
- if (!nfCommon.isBlank(downloadToken)) {
- dataUriParameters['access_token'] = downloadToken;
- }
+ // if there's already a query string don't add another ?... this assumes valid
+ // input meaning that if the url has already included a ? it also contains at
+ // least one query parameter
+ if (contentViewerUrl.indexOf('?') === -1) {
+ contentViewerUrl += '?';
+ } else {
+ contentViewerUrl += '&';
+ }
- // include parameters if necessary
- if ($.isEmptyObject(dataUriParameters) === false) {
- dataUri = dataUri + '?' + $.param(dataUriParameters);
- }
+ var contentViewerParameters = {
+ 'ref': dataUri
+ };
- // open the content viewer
- var contentViewerUrl = $('#nifi-content-viewer-url').text();
-
- // if there's already a query string don't add another ?... this assumes valid
- // input meaning that if the url has already included a ? it also contains at
- // least one query parameter
- if (contentViewerUrl.indexOf('?') === -1) {
- contentViewerUrl += '?';
- } else {
- contentViewerUrl += '&';
- }
-
- var contentViewerParameters = {
- 'ref': dataUri
- };
-
- // include the download token if applicable
- if (!nfCommon.isBlank(uiExtensionToken)) {
- contentViewerParameters['access_token'] = uiExtensionToken;
- }
-
- // open the content viewer
- window.open(contentViewerUrl + $.param(contentViewerParameters));
- });
+ // open the content viewer
+ window.open(contentViewerUrl + $.param(contentViewerParameters));
};
/**
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
index 2b79896..3d46d8b 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/nf-common.js
@@ -1196,29 +1196,6 @@
},
/**
- * Gets an access token from the specified url.
- *
- * @param accessTokenUrl The access token
- * @returns the access token as a deferred
- */
- getAccessToken: function (accessTokenUrl) {
- return $.Deferred(function (deferred) {
- if (nfStorage.hasItem('jwt')) {
- $.ajax({
- type: 'POST',
- url: accessTokenUrl
- }).done(function (token) {
- deferred.resolve(token);
- }).fail(function () {
- deferred.reject();
- })
- } else {
- deferred.resolve('');
- }
- }).promise();
- },
-
- /**
* Constants for time duration formatting.
*/
MILLIS_PER_DAY: 86400000,
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/provenance/nf-provenance-table.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/provenance/nf-provenance-table.js
index 2ca9abc..6973691 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/provenance/nf-provenance-table.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/provenance/nf-provenance-table.js
@@ -70,9 +70,7 @@
provenanceEvents: '../nifi-api/provenance-events/',
clusterSearch: '../nifi-api/flow/cluster/search-results',
d3Script: 'js/d3/build/d3.min.js',
- lineageScript: 'js/nf/provenance/nf-provenance-lineage.js',
- uiExtensionToken: '../nifi-api/access/ui-extension-token',
- downloadToken: '../nifi-api/access/download-token'
+ lineageScript: 'js/nf/provenance/nf-provenance-lineage.js'
}
};
@@ -92,33 +90,20 @@
// build the url
var dataUri = config.urls.provenanceEvents + encodeURIComponent(eventId) + '/content/' + encodeURIComponent(direction);
- // perform the request once we've received a token
- nfCommon.getAccessToken(config.urls.downloadToken).done(function (downloadToken) {
- var parameters = {};
+ var parameters = {};
- // conditionally include the ui extension token
- if (!nfCommon.isBlank(downloadToken)) {
- parameters['access_token'] = downloadToken;
- }
+ // conditionally include the cluster node id
+ var clusterNodeId = $('#provenance-event-cluster-node-id').text();
+ if (!nfCommon.isBlank(clusterNodeId)) {
+ parameters['clusterNodeId'] = clusterNodeId;
+ }
- // conditionally include the cluster node id
- var clusterNodeId = $('#provenance-event-cluster-node-id').text();
- if (!nfCommon.isBlank(clusterNodeId)) {
- parameters['clusterNodeId'] = clusterNodeId;
- }
-
- // open the url
- if ($.isEmptyObject(parameters)) {
- window.open(dataUri);
- } else {
- window.open(dataUri + '?' + $.param(parameters));
- }
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Provenance',
- dialogContent: 'Unable to generate access token for downloading content.'
- });
- });
+ // open the url
+ if ($.isEmptyObject(parameters)) {
+ window.open(dataUri);
+ } else {
+ window.open(dataUri + '?' + $.param(parameters));
+ }
};
/**
@@ -133,80 +118,37 @@
// build the uri to the data
var dataUri = controllerUri + 'provenance-events/' + encodeURIComponent(eventId) + '/content/' + encodeURIComponent(direction);
- // generate tokens as necessary
- var getAccessTokens = $.Deferred(function (deferred) {
- if (nfStorage.hasItem('jwt')) {
- // generate a token for the ui extension and another for the callback
- var uiExtensionToken = $.ajax({
- type: 'POST',
- url: config.urls.uiExtensionToken
- });
- var downloadToken = $.ajax({
- type: 'POST',
- url: config.urls.downloadToken
- });
+ var dataUriParameters = {};
- // wait for each token
- $.when(uiExtensionToken, downloadToken).done(function (uiExtensionTokenResult, downloadTokenResult) {
- var uiExtensionToken = uiExtensionTokenResult[0];
- var downloadToken = downloadTokenResult[0];
- deferred.resolve(uiExtensionToken, downloadToken);
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Provenance',
- dialogContent: 'Unable to generate access token for viewing content.'
- });
- deferred.reject();
- });
- } else {
- deferred.resolve('', '');
- }
- }).promise();
+ // conditionally include the cluster node id
+ var clusterNodeId = $('#provenance-event-cluster-node-id').text();
+ if (!nfCommon.isBlank(clusterNodeId)) {
+ dataUriParameters['clusterNodeId'] = clusterNodeId;
+ }
- // perform the request after we've received the tokens
- getAccessTokens.done(function (uiExtensionToken, downloadToken) {
- var dataUriParameters = {};
+ // include parameters if necessary
+ if ($.isEmptyObject(dataUriParameters) === false) {
+ dataUri = dataUri + '?' + $.param(dataUriParameters);
+ }
- // conditionally include the cluster node id
- var clusterNodeId = $('#provenance-event-cluster-node-id').text();
- if (!nfCommon.isBlank(clusterNodeId)) {
- dataUriParameters['clusterNodeId'] = clusterNodeId;
- }
+ // open the content viewer
+ var contentViewerUrl = $('#nifi-content-viewer-url').text();
- // include the download token if applicable
- if (!nfCommon.isBlank(downloadToken)) {
- dataUriParameters['access_token'] = downloadToken;
- }
+ // if there's already a query string don't add another ?... this assumes valid
+ // input meaning that if the url has already included a ? it also contains at
+ // least one query parameter
+ if (contentViewerUrl.indexOf('?') === -1) {
+ contentViewerUrl += '?';
+ } else {
+ contentViewerUrl += '&';
+ }
- // include parameters if necessary
- if ($.isEmptyObject(dataUriParameters) === false) {
- dataUri = dataUri + '?' + $.param(dataUriParameters);
- }
+ var contentViewerParameters = {
+ 'ref': dataUri
+ };
- // open the content viewer
- var contentViewerUrl = $('#nifi-content-viewer-url').text();
-
- // if there's already a query string don't add another ?... this assumes valid
- // input meaning that if the url has already included a ? it also contains at
- // least one query parameter
- if (contentViewerUrl.indexOf('?') === -1) {
- contentViewerUrl += '?';
- } else {
- contentViewerUrl += '&';
- }
-
- var contentViewerParameters = {
- 'ref': dataUri
- };
-
- // include the download token if applicable
- if (!nfCommon.isBlank(uiExtensionToken)) {
- contentViewerParameters['access_token'] = uiExtensionToken;
- }
-
- // open the content viewer
- window.open(contentViewerUrl + $.param(contentViewerParameters));
- });
+ // open the content viewer
+ window.open(contentViewerUrl + $.param(contentViewerParameters));
};
/**
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/templates/nf-templates-table.js b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/templates/nf-templates-table.js
index 4bd0c31..19919bc 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/templates/nf-templates-table.js
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/templates/nf-templates-table.js
@@ -51,8 +51,7 @@
*/
var config = {
urls: {
- templates: '../nifi-api/flow/templates',
- downloadToken: '../nifi-api/access/download-token'
+ templates: '../nifi-api/flow/templates'
}
};
@@ -204,26 +203,7 @@
* @param {object} templateEntity The template
*/
var downloadTemplate = function (templateEntity) {
- nfCommon.getAccessToken(config.urls.downloadToken).done(function (downloadToken) {
- var parameters = {};
-
- // conditionally include the download token
- if (!nfCommon.isBlank(downloadToken)) {
- parameters['access_token'] = downloadToken;
- }
-
- // open the url
- if ($.isEmptyObject(parameters)) {
- window.open(templateEntity.template.uri + '/download');
- } else {
- window.open(templateEntity.template.uri + '/download' + '?' + $.param(parameters));
- }
- }).fail(function () {
- nfDialog.showOkDialog({
- headerText: 'Download Template',
- dialogContent: 'Unable to generate access token for downloading content.'
- });
- });
+ window.open(templateEntity.template.uri + '/download');
};
return {
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/oidc/OidcService.java b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/oidc/OidcService.java
index 65b160b..1dd3cfb 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/oidc/OidcService.java
+++ b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/oidc/OidcService.java
@@ -45,7 +45,7 @@
private Cache<CacheKey, String> jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval)
/**
- * Creates a new OtpService with an expiration of 1 minute.
+ * Creates a new OIDC Service with an expiration of 1 minute.
*
* @param identityProvider The identity provider
*/
@@ -55,7 +55,7 @@
}
/**
- * Creates a new OtpService.
+ * Creates a new OIDC Service.
*
* @param identityProvider The identity provider
* @param duration The expiration duration