Пример #1
  /**
   * Verifies that a JAR entry is signed and that its certificates equal the expected ones.
   *
   * <p>The entry is drained first because {@link JarEntry#getCertificates()} only reports the
   * signer certificates after the entry's stream has been read to its end; before that it
   * returns {@code null}. An entry without certificates is rejected, so an unsigned entry
   * fails closed.
   *
   * <p>NOTE(review): how {@code SecurityUtil.equals} compares the two arrays (order, length,
   * encoded form) is not visible here; confirm a partial or reordered match cannot pass.
   *
   * @param rootCerts certificates the entry's certificates are compared against
   * @param jar JAR file that contains {@code entry}
   * @param entry entry whose signature certificates are checked
   * @param buf scratch buffer used to drain the entry; it has to be non-empty, otherwise nothing
   *     is read
   * @throws IOException if reading or closing the entry stream fails
   * @throws SecurityException if the entry has no certificate or its certificates are not equal
   *     to {@code rootCerts}
   */
  private static final void validateCertificate(
      final Certificate[] rootCerts, final JarFile jar, final JarEntry entry, final byte[] buf)
      throws IOException, SecurityException {

    if (DEBUG) {
      System.err.println("JarUtil: validate JarEntry : " + entry.getName());
    }

    // Consume the whole entry; the content itself is discarded, only the
    // side effect of making the certificates available matters.
    final InputStream entryStream = jar.getInputStream(entry);
    try {
      int count;
      do {
        count = entryStream.read(buf);
      } while (count > 0);
    } finally {
      entryStream.close();
    }

    // Reject entries that carry no signer certificate at all.
    final Certificate[] entryCerts = entry.getCertificates();
    final boolean unsigned = entryCerts == null || entryCerts.length == 0;
    if (unsigned) {
      throw new SecurityException("no certificate for " + entry.getName() + " in " + jar.getName());
    }

    // Reject entries whose certificates differ from the expected set.
    final boolean matchesRoot = SecurityUtil.equals(rootCerts, entryCerts);
    if (!matchesRoot) {
      throw new SecurityException(
          "certificates not equal for " + entry.getName() + " in " + jar.getName());
    }
  }
Пример #2
  /**
   * Resolves the application user for the current authentication, registers it through {@code
   * SecurityUtil.setLoggedUser} while the rest of the filter chain runs, and clears it afterwards.
   *
   * <p>A principal of type {@code AgilefantUserDetails} is looked up by its user id. Any other
   * principal is mapped to the account whose login name is {@code "readonly"}.
   *
   * <p>NOTE(review): {@code getAuthentication()} is dereferenced without a null check; confirm the
   * filter order guarantees an authentication is present, otherwise the request fails with a
   * {@link NullPointerException}. Also confirm that the {@code "readonly"} account exists and is
   * restricted as its name suggests; neither is checked in this method.
   *
   * @param request the incoming request, passed on unchanged
   * @param response the outgoing response, passed on unchanged
   * @param chain remaining filters to invoke
   * @throws IOException propagated from the filter chain
   * @throws ServletException propagated from the filter chain
   */
  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    final Object authPrincipal =
        SecurityContextHolder.getContext().getAuthentication().getPrincipal();

    final User effectiveUser;
    if (!(authPrincipal instanceof AgilefantUserDetails)) {
      // Fallback identity for every principal that is not an application user.
      effectiveUser = userBusiness.retrieveByLoginName("readonly");
    } else {
      final AgilefantUserDetails details = (AgilefantUserDetails) authPrincipal;
      effectiveUser = userBusiness.retrieve(details.getUserId());
    }

    try {
      SecurityUtil.setLoggedUser(effectiveUser);
      chain.doFilter(request, response);
    } finally {
      // Always reset, even on failure, so the user does not stay registered after this request.
      SecurityUtil.setLoggedUser(null);
    }
  }
Пример #3
 /**
  * Signs a request using only its parameters as signing input.
  *
  * <p>Each parameter contributes the string {@code key + value}; these strings are sorted in
  * natural order, handed to {@code SecurityUtil.hmacSha1} together with the secret, and the
  * result is hex-encoded.
  *
  * <p>NOTE(review): key and value are joined without a separator, so different parameter maps can
  * yield the same signing input (constructed example: {@code a=bc} and {@code ab=c} both
  * contribute {@code "abc"}). How {@code hmacSha1} combines the array elements is not visible
  * here. Changing the format would break existing verifiers, so this is flagged rather than
  * altered. A {@code null} key or value is signed as the text {@code "null"}.
  *
  * @param params key/value pairs of the API request parameters; {@code null} is treated as empty
  * @param appSecretKey signing secret of the app
  * @return the hex-encoded signature
  */
 public static String signatureWithParamsOnly(Map<String, String> params, String appSecretKey) {
   final Map<String, String> source =
       (params == null) ? Collections.<String, String>emptyMap() : params;

   final List<String> signingParts = new ArrayList<String>();
   for (Map.Entry<String, String> pair : source.entrySet()) {
     signingParts.add(pair.getKey() + pair.getValue());
   }

   // Sorting makes the signature independent of the map's iteration order.
   Collections.sort(signingParts);

   final String[] datas = signingParts.toArray(new String[signingParts.size()]);
   final byte[] secretBytes = StringUtil.toBytes(appSecretKey);
   return StringUtil.encodeHexStr(SecurityUtil.hmacSha1(datas, secretBytes));
 }
Пример #4
 /**
  * Signs a request using both the URL path and the request parameters as signing input.
  *
  * <p>The signing input is the URL path followed by one {@code key + value} string per parameter,
  * the parameter strings being sorted in natural order. The array is handed to {@code
  * SecurityUtil.hmacSha1} together with the secret and the result is hex-encoded.
  *
  * <p>NOTE(review): key and value are joined without a separator, so different parameter maps can
  * yield the same signing input (constructed example: {@code a=bc} and {@code ab=c} both
  * contribute {@code "abc"}). Whether {@code hmacSha1} separates the array elements, including
  * the boundary between the URL path and the first parameter, is not visible here. Changing the
  * format would break existing verifiers, so this is flagged rather than altered.
  *
  * @param urlPath protocol/version/namespace/name/appKey
  * @param params key/value pairs of the API request parameters; {@code null} is treated as empty
  * @param appSecretKey signing secret of the app
  * @return the hex-encoded signature
  */
 public static String signatureWithParamsAndUrlPath(
     String urlPath, Map<String, String> params, String appSecretKey) {
   final Map<String, String> source =
       (params == null) ? Collections.<String, String>emptyMap() : params;

   final List<String> signingParts = new ArrayList<String>();
   for (Map.Entry<String, String> pair : source.entrySet()) {
     signingParts.add(pair.getKey() + pair.getValue());
   }

   // Only the parameter strings are sorted; the URL path is put in front afterwards so it
   // always stays the first element.
   Collections.sort(signingParts);
   signingParts.add(0, urlPath);

   final String[] datas = signingParts.toArray(new String[signingParts.size()]);
   final byte[] secretBytes = StringUtil.toBytes(appSecretKey);
   return StringUtil.encodeHexStr(SecurityUtil.hmacSha1(datas, secretBytes));
 }
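  /**
   * Checks that, with Kerberos authentication enabled, the filter configuration replaces the
   * {@code _HOST} placeholder in the configured principal with the lower-cased local host name.
   *
   * <p>The original value of the principal property is restored when the test ends.
   *
   * <p>NOTE(review): the Kerberos setting pushed into {@link UserGroupInformation} is not reverted
   * in the {@code finally} block; confirm it is reset elsewhere so later tests in the same JVM do
   * not run with security enabled.
   */
  @Test
  public void testGetKerberosPrincipalWithSubstitutedHostSecure() throws Exception {
    // Remember the configured principal so it can be put back afterwards.
    String principal =
        StartupProperties.get().getProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL);

    String expectedPrincipal =
        "falcon/" + SecurityUtil.getLocalHostName().toLowerCase() + "@Example.com";
    try {
      Configuration conf = new Configuration(false);
      conf.set("hadoop.security.authentication", "kerberos");
      UserGroupInformation.setConfiguration(conf);
      Assert.assertTrue(UserGroupInformation.isSecurityEnabled());

      // The principal literal was mangled by e-mail obfuscation on the page; the host placeholder
      // form is the one that matches expectedPrincipal above.
      StartupProperties.get()
          .setProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL, "falcon/_HOST@Example.com");
      FalconAuthenticationFilter filter = new FalconAuthenticationFilter();
      Properties properties =
          filter.getConfiguration(FalconAuthenticationFilter.FALCON_PREFIX, null);
      Assert.assertEquals(
          properties.get(KerberosAuthenticationHandler.PRINCIPAL), expectedPrincipal);
    } finally {
      StartupProperties.get().setProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL, principal);
    }
  }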
 /**
  * Sets the {@link UserGroupInformation} for the current thread.
  *
  * <p>WARNING: this method should be used only in test cases and other exceptional cases. It
  * performs no check of its own on the caller or on {@code ugi}; the subject derived from {@code
  * ugi} simply replaces whatever {@code currentUser} held before.
  *
  * @param ugi {@link UserGroupInformation} for the current thread
  */
 public static void setCurrentUser(UserGroupInformation ugi) {
   currentUser.set(SecurityUtil.getSubject(ugi));
 }
Пример #7
 /**
  * Tells whether the current user may open the detail view of a data set. The detail view is
  * governed by the {@link ProtectionType#EXPORT} right, so the decision is delegated to {@code
  * SecurityUtil.hasExportPermission}.
  *
  * @param ds data set to check for
  * @return {@code true} if the dataset detail view right is present, {@code false} otherwise
  */
 public boolean hasDatasetDetailRights(DataSet ds) {
   final boolean exportGranted = SecurityUtil.hasExportPermission(ds);
   return exportGranted;
 }
Пример #8
 /**
  * Tells whether the user is a super admin. The decision is delegated unchanged to {@link
  * SecurityUtil#hasSuperAdminPermission()}.
  *
  * @return {@code true} if super admin access shall be granted, {@code false} otherwise
  * @see SecurityUtil#hasSuperAdminPermission()
  */
 public boolean hasSuperAdminPermission() {
   final boolean superAdmin = SecurityUtil.hasSuperAdminPermission();
   return superAdmin;
 }
Пример #9
 /**
  * Tells whether the user shall be able to enter the admin area. The decision is delegated
  * unchanged to {@link SecurityUtil#hasAdminAreaAccessRight()}.
  *
  * @return {@code true} if access shall be granted, {@code false} otherwise
  * @see SecurityUtil#hasAdminAreaAccessRight()
  */
 public boolean hasAdminAreaAccessRight() {
   final boolean adminAreaAllowed = SecurityUtil.hasAdminAreaAccessRight();
   return adminAreaAllowed;
 }