datahub/datahub-frontend/app/react/controllers/AuthenticationController.java

package react.controllers;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.linkedin.common.urn.CorpuserUrn;
import com.typesafe.config.Config;
import org.apache.commons.lang3.StringUtils;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.play.PlayWebContext;
import org.pac4j.play.http.PlayHttpActionAdapter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import play.libs.Json;
import play.mvc.Controller;
import play.mvc.Http;
import play.mvc.Result;
import react.auth.AuthUtils;
import react.auth.JAASConfigs;
import react.auth.OidcConfigs;
import security.AuthenticationManager;

import javax.annotation.Nonnull;
import javax.inject.Inject;
import javax.naming.NamingException;

import java.time.Duration;
import java.time.temporal.ChronoUnit;

import static react.auth.AuthUtils.*;

public class AuthenticationController extends Controller {

    private final Logger _logger = LoggerFactory.getLogger(AuthenticationController.class.getName());
    private final Config _configs;
    private final OidcConfigs _oidcConfigs;
    private final JAASConfigs _jaasConfigs;

    @Inject
    private org.pac4j.core.config.Config _ssoConfig;

    @Inject
    private SessionStore _playSessionStore;

    @Inject
    public AuthenticationController(@Nonnull Config configs) {
        _configs = configs;
        _oidcConfigs = new OidcConfigs(configs);
        _jaasConfigs = new JAASConfigs(configs);
    }

    /**
     * Route used to perform authentication, or redirect to log in if authentication fails.
     *
     * If indirect SSO (eg. oidc) is configured, this route will redirect to the identity provider (Indirect auth).
     * If not, we will fallback to the default username / password login experience (Direct auth).
     */
    @Nonnull
    public Result authenticate() {
        if (AuthUtils.isAuthenticated(ctx())) {
            return redirect("/");
        }

        // 1. If indirect auth is enabled, redirect to IdP
        if (_oidcConfigs.isOidcEnabled()) {
            final PlayWebContext playWebContext = new PlayWebContext(ctx(), _playSessionStore);
            final Client client = _ssoConfig.getClients().findClient(_oidcConfigs.getClientName());
            final HttpAction action = client.redirect(playWebContext);
            return new PlayHttpActionAdapter().adapt(action.getCode(), playWebContext);
        }

        // 2. If JAAS auth is enabled, fallback to it
        if (_jaasConfigs.isJAASEnabled()) {
            return redirect(LOGIN_ROUTE);
        }

        // 3. If no auth enabled, fallback to using default user account & redirect.
        session().put(ACTOR, DEFAULT_ACTOR_URN.toString());
        return redirect("/").withCookies(createActorCookie(DEFAULT_ACTOR_URN.toString(), _configs.hasPath(SESSION_TTL_CONFIG_PATH)
                ? _configs.getInt(SESSION_TTL_CONFIG_PATH)
                : DEFAULT_SESSION_TTL_HOURS));
    }

    /**
     * Log in a user based on a username + password.
     *
     * TODO: Implement built-in support for LDAP auth. Currently dummy jaas authentication is the default.
     */
    @Nonnull
    public Result logIn() {
        if (!_jaasConfigs.isJAASEnabled()) {
            final ObjectNode error = Json.newObject();
            error.put("message", "JAAS authentication is not enabled on the server.");
            return badRequest(error);
        }

        final JsonNode json = request().body().asJson();
        final String username = json.findPath(USER_NAME).textValue();
        final String password = json.findPath(PASSWORD).textValue();

        if (StringUtils.isBlank(username)) {
            JsonNode invalidCredsJson = Json.newObject()
                .put("message", "User name must not be empty.");
            return badRequest(invalidCredsJson);
        }

        ctx().session().clear();

        try {
            AuthenticationManager.authenticateUser(username, password);
        } catch (NamingException e) {
            _logger.error("Authentication error", e);
            JsonNode invalidCredsJson = Json.newObject()
                .put("message", "Invalid Credentials");
            return badRequest(invalidCredsJson);
        }

        final String actorUrn = new CorpuserUrn(username).toString();
        ctx().session().put(ACTOR, actorUrn);

        return ok().withCookies(Http.Cookie.builder(ACTOR, actorUrn)
            .withHttpOnly(false)
            .withMaxAge(Duration.of(30, ChronoUnit.DAYS))
            .build());
    }
}
feat(react): SSO support simple OIDC authentication (#2190) Co-authored-by: John Joyce <john@acryl.io> 2021-03-11 13:38:35 -08:00			`package react.controllers;`

			`import com.fasterxml.jackson.databind.JsonNode;`
			`import com.fasterxml.jackson.databind.node.ObjectNode;`
			`import com.linkedin.common.urn.CorpuserUrn;`
			`import com.typesafe.config.Config;`
			`import org.apache.commons.lang3.StringUtils;`
			`import org.pac4j.core.client.Client;`
			`import org.pac4j.core.context.session.SessionStore;`
			`import org.pac4j.core.exception.HttpAction;`
			`import org.pac4j.play.PlayWebContext;`
			`import org.pac4j.play.http.PlayHttpActionAdapter;`
feat(logs): improve logging in GMS and datahub-frontend (#2761) 2021-06-25 10:56:45 -07:00			`import org.slf4j.Logger;`
			`import org.slf4j.LoggerFactory;`
feat(react): SSO support simple OIDC authentication (#2190) Co-authored-by: John Joyce <john@acryl.io> 2021-03-11 13:38:35 -08:00			`import play.libs.Json;`
			`import play.mvc.Controller;`
			`import play.mvc.Http;`
			`import play.mvc.Result;`
			`import react.auth.AuthUtils;`
			`import react.auth.JAASConfigs;`
			`import react.auth.OidcConfigs;`
			`import security.AuthenticationManager;`

			`import javax.annotation.Nonnull;`
			`import javax.inject.Inject;`
			`import javax.naming.NamingException;`

			`import java.time.Duration;`
			`import java.time.temporal.ChronoUnit;`

			`import static react.auth.AuthUtils.*;`

			`public class AuthenticationController extends Controller {`

feat(logs): improve logging in GMS and datahub-frontend (#2761) 2021-06-25 10:56:45 -07:00			`private final Logger _logger = LoggerFactory.getLogger(AuthenticationController.class.getName());`
feat(react): SSO support simple OIDC authentication (#2190) Co-authored-by: John Joyce <john@acryl.io> 2021-03-11 13:38:35 -08:00			`private final Config _configs;`
			`private final OidcConfigs _oidcConfigs;`
			`private final JAASConfigs _jaasConfigs;`

			`@Inject`
			`private org.pac4j.core.config.Config _ssoConfig;`

			`@Inject`
			`private SessionStore _playSessionStore;`

			`@Inject`
			`public AuthenticationController(@Nonnull Config configs) {`
			`_configs = configs;`
			`_oidcConfigs = new OidcConfigs(configs);`
			`_jaasConfigs = new JAASConfigs(configs);`
			`}`

			`/**`
			`* Route used to perform authentication, or redirect to log in if authentication fails.`
			`*`
			`* If indirect SSO (eg. oidc) is configured, this route will redirect to the identity provider (Indirect auth).`
			`* If not, we will fallback to the default username / password login experience (Direct auth).`
			`*/`
			`@Nonnull`
			`public Result authenticate() {`
			`if (AuthUtils.isAuthenticated(ctx())) {`
			`return redirect("/");`
			`}`

			`// 1. If indirect auth is enabled, redirect to IdP`
			`if (_oidcConfigs.isOidcEnabled()) {`
			`final PlayWebContext playWebContext = new PlayWebContext(ctx(), _playSessionStore);`
			`final Client client = _ssoConfig.getClients().findClient(_oidcConfigs.getClientName());`
			`final HttpAction action = client.redirect(playWebContext);`
			`return new PlayHttpActionAdapter().adapt(action.getCode(), playWebContext);`
			`}`

			`// 2. If JAAS auth is enabled, fallback to it`
			`if (_jaasConfigs.isJAASEnabled()) {`
			`return redirect(LOGIN_ROUTE);`
			`}`

			`// 3. If no auth enabled, fallback to using default user account & redirect.`
			`session().put(ACTOR, DEFAULT_ACTOR_URN.toString());`
			`return redirect("/").withCookies(createActorCookie(DEFAULT_ACTOR_URN.toString(), _configs.hasPath(SESSION_TTL_CONFIG_PATH)`
			`? _configs.getInt(SESSION_TTL_CONFIG_PATH)`
fix(frontend): auth session ttl specified in hours instead of days. M… (#2695) Fixes: #2680 Co-authored-by: thomas.larsson <thomas.larsson@klarna.com> 2021-06-25 07:24:27 +02:00			`: DEFAULT_SESSION_TTL_HOURS));`
feat(react): SSO support simple OIDC authentication (#2190) Co-authored-by: John Joyce <john@acryl.io> 2021-03-11 13:38:35 -08:00			`}`

			`/**`
			`* Log in a user based on a username + password.`
			`*`
			`* TODO: Implement built-in support for LDAP auth. Currently dummy jaas authentication is the default.`
			`*/`
			`@Nonnull`
			`public Result logIn() {`
			`if (!_jaasConfigs.isJAASEnabled()) {`
			`final ObjectNode error = Json.newObject();`
			`error.put("message", "JAAS authentication is not enabled on the server.");`
			`return badRequest(error);`
			`}`

			`final JsonNode json = request().body().asJson();`
			`final String username = json.findPath(USER_NAME).textValue();`
			`final String password = json.findPath(PASSWORD).textValue();`

			`if (StringUtils.isBlank(username)) {`
feat(datahub-frontend): Adding basic file-based authentication to datahub-frontend (#2818) 2021-07-02 06:31:01 -07:00			`JsonNode invalidCredsJson = Json.newObject()`
			`.put("message", "User name must not be empty.");`
			`return badRequest(invalidCredsJson);`
feat(react): SSO support simple OIDC authentication (#2190) Co-authored-by: John Joyce <john@acryl.io> 2021-03-11 13:38:35 -08:00			`}`

			`ctx().session().clear();`

			`try {`
			`AuthenticationManager.authenticateUser(username, password);`
			`} catch (NamingException e) {`
feat(logs): improve logging in GMS and datahub-frontend (#2761) 2021-06-25 10:56:45 -07:00			`_logger.error("Authentication error", e);`
feat(datahub-frontend): Adding basic file-based authentication to datahub-frontend (#2818) 2021-07-02 06:31:01 -07:00			`JsonNode invalidCredsJson = Json.newObject()`
			`.put("message", "Invalid Credentials");`
			`return badRequest(invalidCredsJson);`
feat(react): SSO support simple OIDC authentication (#2190) Co-authored-by: John Joyce <john@acryl.io> 2021-03-11 13:38:35 -08:00			`}`

			`final String actorUrn = new CorpuserUrn(username).toString();`
			`ctx().session().put(ACTOR, actorUrn);`

			`return ok().withCookies(Http.Cookie.builder(ACTOR, actorUrn)`
			`.withHttpOnly(false)`
			`.withMaxAge(Duration.of(30, ChronoUnit.DAYS))`
			`.build());`
			`}`
			`}`