yujunjun/datahub
2
0
Fork 0
mirror of https://github.com/datahub-project/datahub.git synced 2025-12-13 02:57:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(frontend): Fix common OIDC issues (#4351)

Browse Source
This commit is contained in:
John Joyce 2022-03-08 14:27:19 -08:00 committed by GitHub
parent 48380ada4c
commit ef31b0ee6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 33 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
datahub-frontend/app/auth/AuthModule.java
View File

@ -11,6 +11,10 @@ import com.linkedin.entity.client.RestliEntityClient;
import com.linkedin.metadata.restli.DefaultRestliClientFactory; import com.linkedin.metadata.restli.DefaultRestliClientFactory;
import com.linkedin.util.Configuration; import com.linkedin.util.Configuration;
import com.datahub.authentication.Authentication; import com.datahub.authentication.Authentication;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import org.pac4j.core.client.Client; import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients; import org.pac4j.core.client.Clients;
@ -20,6 +24,7 @@ import org.pac4j.play.LogoutController;
import org.pac4j.play.http.PlayHttpActionAdapter; import org.pac4j.play.http.PlayHttpActionAdapter;
import org.pac4j.play.store.PlayCookieSessionStore; import org.pac4j.play.store.PlayCookieSessionStore;
import org.pac4j.play.store.PlaySessionStore; import org.pac4j.play.store.PlaySessionStore;
import org.pac4j.play.store.ShiroAesDataEncrypter;
import play.Environment; import play.Environment;
import java.util.ArrayList; import java.util.ArrayList;
@ -41,6 +46,13 @@ import static utils.ConfigUtil.*;
*/ */
public class AuthModule extends AbstractModule { public class AuthModule extends AbstractModule {
/**
* Pac4j Stores Session State in a browser-side cookie in encrypted fashion. This configuration
* value provides a stable encryption base from which to derive the encryption key.
*
* We hash this value (SHA1), then take the first 16 bytes as the AES key.
*/
private static final String PAC4J_AES_KEY_BASE_CONF = "play.http.secret.key";
private final com.typesafe.config.Config _configs; private final com.typesafe.config.Config _configs;
public AuthModule(final Environment environment, final com.typesafe.config.Config configs) { public AuthModule(final Environment environment, final com.typesafe.config.Config configs) {
@ -49,7 +61,17 @@ public class AuthModule extends AbstractModule {
@Override @Override
protected void configure() { protected void configure() {
final PlayCookieSessionStore playCacheCookieStore = new PlayCookieSessionStore(); PlayCookieSessionStore playCacheCookieStore;
try {
final String aesKeyBase = _configs.getString(PAC4J_AES_KEY_BASE_CONF);
MessageDigest sha = MessageDigest.getInstance("SHA-1");
byte[] key = sha.digest(aesKeyBase.getBytes(StandardCharsets.UTF_8));
key = Arrays.copyOf(key, 16);
playCacheCookieStore = new PlayCookieSessionStore(
new ShiroAesDataEncrypter(new String(key)));
} catch (Exception e) {
throw new RuntimeException("Failed to instantiate Pac4j cookie session store!", e);
}
bind(SessionStore.class).toInstance(playCacheCookieStore); bind(SessionStore.class).toInstance(playCacheCookieStore);
bind(PlaySessionStore.class).toInstance(playCacheCookieStore); bind(PlaySessionStore.class).toInstance(playCacheCookieStore);

1
datahub-frontend/app/auth/sso/oidc/custom/CustomOidcClient.java
View File

@ -20,7 +20,6 @@ public class CustomOidcClient extends OidcClient<OidcProfile, OidcConfiguration>
protected void clientInit() { protected void clientInit() {
CommonHelper.assertNotNull("configuration", getConfiguration()); CommonHelper.assertNotNull("configuration", getConfiguration());
getConfiguration().init(); getConfiguration().init();
defaultRedirectActionBuilder(new OidcRedirectActionBuilder(getConfiguration(), this)); defaultRedirectActionBuilder(new OidcRedirectActionBuilder(getConfiguration(), this));
defaultCredentialsExtractor(new OidcExtractor(getConfiguration(), this)); defaultCredentialsExtractor(new OidcExtractor(getConfiguration(), this));
defaultAuthenticator(new CustomOidcAuthenticator(getConfiguration(), this)); defaultAuthenticator(new CustomOidcAuthenticator(getConfiguration(), this));

11
datahub-frontend/app/controllers/AuthenticationController.java
View File

@ -34,6 +34,8 @@ import java.time.Duration;
import java.time.temporal.ChronoUnit; import java.time.temporal.ChronoUnit;
import static auth.AuthUtils.*; import static auth.AuthUtils.*;
import static org.pac4j.core.client.IndirectClient.*;
// TODO add logging. // TODO add logging.
public class AuthenticationController extends Controller { public class AuthenticationController extends Controller {
@ -147,7 +149,14 @@ public class AuthenticationController extends Controller {
private Result redirectToIdentityProvider() { private Result redirectToIdentityProvider() {
final PlayWebContext playWebContext = new PlayWebContext(ctx(), _playSessionStore); final PlayWebContext playWebContext = new PlayWebContext(ctx(), _playSessionStore);
final Client client = _ssoManager.getSsoProvider().client(); final Client<?, ?> client = _ssoManager.getSsoProvider().client();
// This is to prevent previous login attempts from being cached.
// We replicate the logic here, which is buried in the Pac4j client.
if (_playSessionStore.get(playWebContext, client.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX) != null) {
_logger.debug("Found previous login attempt. Removing it manually to prevent unexpected errors.");
_playSessionStore.set(playWebContext, client.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX, "");
}
final HttpAction action = client.redirect(playWebContext); final HttpAction action = client.redirect(playWebContext);
return new PlayHttpActionAdapter().adapt(action.getCode(), playWebContext); return new PlayHttpActionAdapter().adapt(action.getCode(), playWebContext);
} }