Revert "Prevent Authentication bypass using Jwt Token Config in case of OM su… (#10079)" (#10083)

This reverts commit e164bbb760886ca30327a5c0fe7983341775f7d1.
Mohit Yadav 2023-02-02 20:19:32 +05:30 committed by GitHub
parent e164bbb760
commit 7b6771f1cf
5 changed files with 10 additions and 37 deletions


@ -60,7 +60,6 @@ import org.jdbi.v3.core.statement.StatementContext;
import org.jdbi.v3.sqlobject.SqlObjects; import org.jdbi.v3.sqlobject.SqlObjects;
import org.openmetadata.schema.api.security.AuthenticationConfiguration; import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration; import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.elasticsearch.ElasticSearchEventPublisher; import org.openmetadata.service.elasticsearch.ElasticSearchEventPublisher;
import org.openmetadata.service.events.EventFilter; import org.openmetadata.service.events.EventFilter;
import org.openmetadata.service.events.EventPubSub; import org.openmetadata.service.events.EventPubSub;
@ -274,16 +273,15 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
filter = filter =
Class.forName(filterClazzName) Class.forName(filterClazzName)
.asSubclass(ContainerRequestFilter.class) .asSubclass(ContainerRequestFilter.class)
.getConstructor( .getConstructor(AuthenticationConfiguration.class, AuthorizerConfiguration.class)
AuthenticationConfiguration.class, AuthorizerConfiguration.class, JWTTokenConfiguration.class) .newInstance(authenticationConfiguration, authorizerConf);
.newInstance(authenticationConfiguration, authorizerConf, catalogConfig.getJwtTokenConfiguration());
LOG.info("Registering ContainerRequestFilter: {}", filter.getClass().getCanonicalName()); LOG.info("Registering ContainerRequestFilter: {}", filter.getClass().getCanonicalName());
environment.jersey().register(filter); environment.jersey().register(filter);
} }
} else { } else {
LOG.info("Authorizer config not set, setting noop authorizer"); LOG.info("Authorizer config not set, setting noop authorizer");
authorizer = new NoopAuthorizer(); authorizer = new NoopAuthorizer();
ContainerRequestFilter filter = new NoopFilter(authenticationConfiguration, null, null); ContainerRequestFilter filter = new NoopFilter(authenticationConfiguration, null);
environment.jersey().register(filter); environment.jersey().register(filter);
} }
} }
@ -344,9 +342,7 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
if (catalogConfig.getAuthorizerConfiguration() != null) { if (catalogConfig.getAuthorizerConfiguration() != null) {
socketAddressFilter = socketAddressFilter =
new SocketAddressFilter( new SocketAddressFilter(
catalogConfig.getAuthenticationConfiguration(), catalogConfig.getAuthenticationConfiguration(), catalogConfig.getAuthorizerConfiguration());
catalogConfig.getAuthorizerConfiguration(),
catalogConfig.getJwtTokenConfiguration());
} else { } else {
socketAddressFilter = new SocketAddressFilter(); socketAddressFilter = new SocketAddressFilter();
} }
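Review bot: The reflective lookup `.getConstructor(AuthenticationConfiguration.class, AuthorizerConfiguration.class)` on the new side hard-codes a constructor contract that every class named by `filterClazzName` must satisfy, and that contract is documented nowhere in the hunk; the enclosing try block and its catch start above the hunk, so I cannot tell how a `NoSuchMethodException` from a filter that still has the three-argument signature is surfaced. Add a comment above the `Class.forName(filterClazzName)` line such as `// Any configured ContainerRequestFilter must expose a public (AuthenticationConfiguration, AuthorizerConfiguration) constructor; see JwtFilter, CatalogOpenIdAuthorizationRequestFilter`. The same two-argument contract is also what the `NoopFilter` construction below and the `SocketAddressFilter` hunk in this section rely on, so one comment here covers all three call sites.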


@ -23,7 +23,6 @@ import javax.ws.rs.core.UriInfo;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.openmetadata.schema.api.security.AuthenticationConfiguration; import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration; import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.security.auth.CatalogSecurityContext; import org.openmetadata.service.security.auth.CatalogSecurityContext;
@Slf4j @Slf4j
@ -35,8 +34,7 @@ public class CatalogOpenIdAuthorizationRequestFilter implements ContainerRequest
@SuppressWarnings("unused") @SuppressWarnings("unused")
private CatalogOpenIdAuthorizationRequestFilter() {} private CatalogOpenIdAuthorizationRequestFilter() {}
public CatalogOpenIdAuthorizationRequestFilter( public CatalogOpenIdAuthorizationRequestFilter(AuthenticationConfiguration config, AuthorizerConfiguration conf) {}
AuthenticationConfiguration config, AuthorizerConfiguration conf, JWTTokenConfiguration jwtTokenConfiguration) {}
public void filter(ContainerRequestContext containerRequestContext) { public void filter(ContainerRequestContext containerRequestContext) {
if (isHealthEndpoint(containerRequestContext)) { if (isHealthEndpoint(containerRequestContext)) {
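Review bot: The restored constructor `public CatalogOpenIdAuthorizationRequestFilter(AuthenticationConfiguration config, AuthorizerConfiguration conf) {}` takes two parameters and uses neither, which reads as an oversight unless the reader knows it exists only to match the reflective `getConstructor(AuthenticationConfiguration.class, AuthorizerConfiguration.class)` lookup in OpenMetadataApplication. A one-line comment makes that intent explicit: `// Parameters unused; signature is required by the reflective filter construction in OpenMetadataApplication`. The `filter` method that follows continues past the end of the hunk.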


@ -43,7 +43,6 @@ import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.openmetadata.schema.api.security.AuthenticationConfiguration; import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration; import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.schema.auth.LogoutRequest; import org.openmetadata.schema.auth.LogoutRequest;
import org.openmetadata.schema.auth.SSOAuthMechanism; import org.openmetadata.schema.auth.SSOAuthMechanism;
import org.openmetadata.service.security.auth.BotTokenCache; import org.openmetadata.service.security.auth.BotTokenCache;
@ -61,7 +60,6 @@ public class JwtFilter implements ContainerRequestFilter {
private String principalDomain; private String principalDomain;
private boolean enforcePrincipalDomain; private boolean enforcePrincipalDomain;
private String providerType; private String providerType;
private String storedJwtKeyId;
public static final List<String> EXCLUDED_ENDPOINTS = public static final List<String> EXCLUDED_ENDPOINTS =
List.of( List.of(
"v1/config", "v1/config",
@ -80,9 +78,7 @@ public class JwtFilter implements ContainerRequestFilter {
@SneakyThrows @SneakyThrows
public JwtFilter( public JwtFilter(
AuthenticationConfiguration authenticationConfiguration, AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConfiguration) {
AuthorizerConfiguration authorizerConfiguration,
JWTTokenConfiguration jwtTokenConfiguration) {
this.providerType = authenticationConfiguration.getProvider(); this.providerType = authenticationConfiguration.getProvider();
this.jwtPrincipalClaims = authenticationConfiguration.getJwtPrincipalClaims(); this.jwtPrincipalClaims = authenticationConfiguration.getJwtPrincipalClaims();
@ -93,7 +89,6 @@ public class JwtFilter implements ContainerRequestFilter {
this.jwkProvider = new MultiUrlJwkProvider(publicKeyUrlsBuilder.build()); this.jwkProvider = new MultiUrlJwkProvider(publicKeyUrlsBuilder.build());
this.principalDomain = authorizerConfiguration.getPrincipalDomain(); this.principalDomain = authorizerConfiguration.getPrincipalDomain();
this.enforcePrincipalDomain = authorizerConfiguration.getEnforcePrincipalDomain(); this.enforcePrincipalDomain = authorizerConfiguration.getEnforcePrincipalDomain();
this.storedJwtKeyId = jwtTokenConfiguration != null ? jwtTokenConfiguration.getKeyId() : StringUtils.EMPTY;
} }
@VisibleForTesting @VisibleForTesting
@ -134,17 +129,7 @@ public class JwtFilter implements ContainerRequestFilter {
String userName = validateAndReturnUsername(claims); String userName = validateAndReturnUsername(claims);
// validate bot token // validate bot token
boolean isBot = claims.containsKey(BOT_CLAIM) && Boolean.TRUE.equals(claims.get(BOT_CLAIM).asBoolean()); if (claims.containsKey(BOT_CLAIM) && Boolean.TRUE.equals(claims.get(BOT_CLAIM).asBoolean())) {
// if other sso and we have OM Jwt Token configuration as well
if ((!providerType.equals(SSOAuthMechanism.SsoServiceType.BASIC.toString()))) {
// check if the jwtId for the token used is from the jwtTokenConfig
if (storedJwtKeyId.equals(jwt.getKeyId()) && !isBot) {
throw new AuthenticationException("Not Authorized! , Invalid Key Id used for login");
}
}
if (isBot) {
validateBotToken(tokenFromHeader, userName); validateBotToken(tokenFromHeader, userName);
} }


@ -21,7 +21,6 @@ import javax.ws.rs.core.UriInfo;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.openmetadata.schema.api.security.AuthenticationConfiguration; import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration; import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.security.auth.CatalogSecurityContext; import org.openmetadata.service.security.auth.CatalogSecurityContext;
@Slf4j @Slf4j
@ -29,9 +28,7 @@ public class NoopFilter implements ContainerRequestFilter {
@Context private UriInfo uriInfo; @Context private UriInfo uriInfo;
public NoopFilter( public NoopFilter(
AuthenticationConfiguration authenticationConfiguration, AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConfiguration) {}
AuthorizerConfiguration authorizerConfiguration,
JWTTokenConfiguration jwtTokenConfiguration) {}
public void filter(ContainerRequestContext containerRequestContext) { public void filter(ContainerRequestContext containerRequestContext) {
CatalogPrincipal catalogPrincipal = new CatalogPrincipal("anonymous"); CatalogPrincipal catalogPrincipal = new CatalogPrincipal("anonymous");


@ -29,7 +29,6 @@ import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.openmetadata.schema.api.security.AuthenticationConfiguration; import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration; import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.security.jwt.JWTTokenConfiguration;
import org.openmetadata.service.security.JwtFilter; import org.openmetadata.service.security.JwtFilter;
@Slf4j @Slf4j
@ -39,12 +38,10 @@ public class SocketAddressFilter implements Filter {
private final boolean enableSecureSocketConnection; private final boolean enableSecureSocketConnection;
public SocketAddressFilter( public SocketAddressFilter(
AuthenticationConfiguration authenticationConfiguration, AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConf) {
AuthorizerConfiguration authorizerConf,
JWTTokenConfiguration jwtTokenConfiguration) {
enableSecureSocketConnection = authorizerConf.getEnableSecureSocketConnection(); enableSecureSocketConnection = authorizerConf.getEnableSecureSocketConnection();
if (enableSecureSocketConnection) { if (enableSecureSocketConnection) {
jwtFilter = new JwtFilter(authenticationConfiguration, authorizerConf, jwtTokenConfiguration); jwtFilter = new JwtFilter(authenticationConfiguration, authorizerConf);
} }
} }
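Review bot: The restored constructor dereferences `authorizerConf.getEnableSecureSocketConnection()` with no null check, while the caller in OpenMetadataApplication only reaches this constructor behind an `if (catalogConfig.getAuthorizerConfiguration() != null)` guard and otherwise passes `null` for the authorizer elsewhere (`new NoopFilter(authenticationConfiguration, null)`); the guard lives in the caller, not here. Failing fast with a named message is cheaper than a bare NPE from a future call site: `enableSecureSocketConnection = Objects.requireNonNull(authorizerConf, "authorizerConf").getEnableSecureSocketConnection();` (needs `java.util.Objects`, whose import I cannot see in the hunk). When `enableSecureSocketConnection` is false the `jwtFilter` field, declared above the hunk, is never assigned in this constructor, so presumably the rest of the class treats it as nullable — worth a comment on the field if so.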