Revert "Prevent Authentication bypass using Jwt Token Config in case of OM su… (#10079)" (#10083)

This reverts commit e164bbb760886ca30327a5c0fe7983341775f7d1.
Mohit Yadav 2023-02-02 20:19:32 +05:30 committed by GitHub
parent e164bbb760
commit 7b6771f1cf
5 changed files with 10 additions and 37 deletions


@ -60,7 +60,6 @@ import org.jdbi.v3.core.statement.StatementContext;
import org.jdbi.v3.sqlobject.SqlObjects;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.elasticsearch.ElasticSearchEventPublisher;
import org.openmetadata.service.events.EventFilter;
import org.openmetadata.service.events.EventPubSub;
@ -274,16 +273,15 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
filter =
Class.forName(filterClazzName)
.asSubclass(ContainerRequestFilter.class)
.getConstructor(
AuthenticationConfiguration.class, AuthorizerConfiguration.class, JWTTokenConfiguration.class)
.newInstance(authenticationConfiguration, authorizerConf, catalogConfig.getJwtTokenConfiguration());
.getConstructor(AuthenticationConfiguration.class, AuthorizerConfiguration.class)
.newInstance(authenticationConfiguration, authorizerConf);
LOG.info("Registering ContainerRequestFilter: {}", filter.getClass().getCanonicalName());
environment.jersey().register(filter);
}
} else {
LOG.info("Authorizer config not set, setting noop authorizer");
authorizer = new NoopAuthorizer();
ContainerRequestFilter filter = new NoopFilter(authenticationConfiguration, null, null);
ContainerRequestFilter filter = new NoopFilter(authenticationConfiguration, null);
environment.jersey().register(filter);
}
}
@ -344,9 +342,7 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
if (catalogConfig.getAuthorizerConfiguration() != null) {
socketAddressFilter =
new SocketAddressFilter(
catalogConfig.getAuthenticationConfiguration(),
catalogConfig.getAuthorizerConfiguration(),
catalogConfig.getJwtTokenConfiguration());
catalogConfig.getAuthenticationConfiguration(), catalogConfig.getAuthorizerConfiguration());
} else {
socketAddressFilter = new SocketAddressFilter();
}


@ -23,7 +23,6 @@ import javax.ws.rs.core.UriInfo;
import lombok.extern.slf4j.Slf4j;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.security.auth.CatalogSecurityContext;
@Slf4j
@ -35,8 +34,7 @@ public class CatalogOpenIdAuthorizationRequestFilter implements ContainerRequest
@SuppressWarnings("unused")
private CatalogOpenIdAuthorizationRequestFilter() {}
public CatalogOpenIdAuthorizationRequestFilter(
AuthenticationConfiguration config, AuthorizerConfiguration conf, JWTTokenConfiguration jwtTokenConfiguration) {}
public CatalogOpenIdAuthorizationRequestFilter(AuthenticationConfiguration config, AuthorizerConfiguration conf) {}
public void filter(ContainerRequestContext containerRequestContext) {
if (isHealthEndpoint(containerRequestContext)) {


@ -43,7 +43,6 @@ import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.schema.auth.LogoutRequest;
import org.openmetadata.schema.auth.SSOAuthMechanism;
import org.openmetadata.service.security.auth.BotTokenCache;
@ -61,7 +60,6 @@ public class JwtFilter implements ContainerRequestFilter {
private String principalDomain;
private boolean enforcePrincipalDomain;
private String providerType;
private String storedJwtKeyId;
public static final List<String> EXCLUDED_ENDPOINTS =
List.of(
"v1/config",
@ -80,9 +78,7 @@ public class JwtFilter implements ContainerRequestFilter {
@SneakyThrows
public JwtFilter(
AuthenticationConfiguration authenticationConfiguration,
AuthorizerConfiguration authorizerConfiguration,
JWTTokenConfiguration jwtTokenConfiguration) {
AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConfiguration) {
this.providerType = authenticationConfiguration.getProvider();
this.jwtPrincipalClaims = authenticationConfiguration.getJwtPrincipalClaims();
@ -93,7 +89,6 @@ public class JwtFilter implements ContainerRequestFilter {
this.jwkProvider = new MultiUrlJwkProvider(publicKeyUrlsBuilder.build());
this.principalDomain = authorizerConfiguration.getPrincipalDomain();
this.enforcePrincipalDomain = authorizerConfiguration.getEnforcePrincipalDomain();
this.storedJwtKeyId = jwtTokenConfiguration != null ? jwtTokenConfiguration.getKeyId() : StringUtils.EMPTY;
}
@VisibleForTesting
@ -134,17 +129,7 @@ public class JwtFilter implements ContainerRequestFilter {
String userName = validateAndReturnUsername(claims);
// validate bot token
boolean isBot = claims.containsKey(BOT_CLAIM) && Boolean.TRUE.equals(claims.get(BOT_CLAIM).asBoolean());
// if other sso and we have OM Jwt Token configuration as well
if ((!providerType.equals(SSOAuthMechanism.SsoServiceType.BASIC.toString()))) {
// check if the jwtId for the token used is from the jwtTokenConfig
if (storedJwtKeyId.equals(jwt.getKeyId()) && !isBot) {
throw new AuthenticationException("Not Authorized! , Invalid Key Id used for login");
}
}
if (isBot) {
if (claims.containsKey(BOT_CLAIM) && Boolean.TRUE.equals(claims.get(BOT_CLAIM).asBoolean())) {
validateBotToken(tokenFromHeader, userName);
}
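Review bot: The new side of the last JwtFilter hunk no longer contains the key-id check (`storedJwtKeyId.equals(jwt.getKeyId()) && !isBot` followed by the AuthenticationException), so a non-bot token whose key id matches the OM JWT configuration is no longer rejected at this point when `providerType` is not BASIC — which is exactly the condition #10079 was titled as preventing. The commit description only states what is reverted, not why the check had to go or what replaces it; I would record the reason (e.g. a broken flow) in the description and link the follow-up issue or PR that re-lands a corrected check. If a narrower check is planned, a test covering the non-BASIC provider path with an OM-keyed non-bot token would keep this regression visible. The same dropped wiring appears in the OpenMetadataApplication, CatalogOpenIdAuthorizationRequestFilter, NoopFilter and SocketAddressFilter sections, which only follow the constructor change. The filter method's body continues outside the hunk.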


@ -21,7 +21,6 @@ import javax.ws.rs.core.UriInfo;
import lombok.extern.slf4j.Slf4j;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.security.auth.CatalogSecurityContext;
@Slf4j
@ -29,9 +28,7 @@ public class NoopFilter implements ContainerRequestFilter {
@Context private UriInfo uriInfo;
public NoopFilter(
AuthenticationConfiguration authenticationConfiguration,
AuthorizerConfiguration authorizerConfiguration,
JWTTokenConfiguration jwtTokenConfiguration) {}
AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConfiguration) {}
public void filter(ContainerRequestContext containerRequestContext) {
CatalogPrincipal catalogPrincipal = new CatalogPrincipal("anonymous");


@ -29,7 +29,6 @@ import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.security.JwtFilter;
@Slf4j
@ -39,12 +38,10 @@ public class SocketAddressFilter implements Filter {
private final boolean enableSecureSocketConnection;
public SocketAddressFilter(
AuthenticationConfiguration authenticationConfiguration,
AuthorizerConfiguration authorizerConf,
JWTTokenConfiguration jwtTokenConfiguration) {
AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConf) {
enableSecureSocketConnection = authorizerConf.getEnableSecureSocketConnection();
if (enableSecureSocketConnection) {
jwtFilter = new JwtFilter(authenticationConfiguration, authorizerConf, jwtTokenConfiguration);
jwtFilter = new JwtFilter(authenticationConfiguration, authorizerConf);
}
}