yujunjun/datahub
2
0
Fork 0
mirror of https://github.com/datahub-project/datahub.git synced 2025-09-02 22:03:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(sso) Retrieve cookie configs separately from SSO configs (#7330)

Browse Source
This commit is contained in:
Chris Collins 2023-02-14 13:36:47 -05:00 committed by GitHub
parent 3a095f960f
commit fd89047ee2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 74 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
datahub-frontend/app/auth/AuthModule.java
View File

@ -105,9 +105,10 @@ public class AuthModule extends AbstractModule {
SsoManager.class, SsoManager.class,
Authentication.class, Authentication.class,
EntityClient.class, EntityClient.class,
AuthServiceClient.class)); AuthServiceClient.class,
com.typesafe.config.Config.class));
} catch (NoSuchMethodException | SecurityException e) { } catch (NoSuchMethodException | SecurityException e) {
throw new RuntimeException("Failed to bind to SsoCallbackController. Cannot find constructor, e"); throw new RuntimeException("Failed to bind to SsoCallbackController. Cannot find constructor", e);
} }
// logout // logout
final LogoutController logoutController = new LogoutController(); final LogoutController logoutController = new LogoutController();

8
datahub-frontend/app/auth/AuthUtils.java
View File

@ -41,16 +41,8 @@ public class AuthUtils {
*/ */
public static final String SYSTEM_CLIENT_SECRET_CONFIG_PATH = "systemClientSecret"; public static final String SYSTEM_CLIENT_SECRET_CONFIG_PATH = "systemClientSecret";
public static final String SESSION_TTL_CONFIG_PATH = "auth.session.ttlInHours";
public static final Integer DEFAULT_SESSION_TTL_HOURS = 720;
public static final CorpuserUrn DEFAULT_ACTOR_URN = new CorpuserUrn("datahub"); public static final CorpuserUrn DEFAULT_ACTOR_URN = new CorpuserUrn("datahub");
public static final String AUTH_COOKIE_SAME_SITE = "play.http.session.sameSite";
public static final String DEFAULT_AUTH_COOKIE_SAME_SITE = "LAX";
public static final String AUTH_COOKIE_SECURE = "play.http.session.secure";
public static final boolean DEFAULT_AUTH_COOKIE_SECURE = false;
public static final String LOGIN_ROUTE = "/login"; public static final String LOGIN_ROUTE = "/login";
public static final String USER_NAME = "username"; public static final String USER_NAME = "username";
public static final String PASSWORD = "password"; public static final String PASSWORD = "password";

38
datahub-frontend/app/auth/CookieConfigs.java Normal file
View File

@ -0,0 +1,38 @@
package auth;
import com.typesafe.config.Config;
public class CookieConfigs {
public static final String SESSION_TTL_CONFIG_PATH = "auth.session.ttlInHours";
public static final Integer DEFAULT_SESSION_TTL_HOURS = 720;
public static final String AUTH_COOKIE_SAME_SITE = "play.http.session.sameSite";
public static final String DEFAULT_AUTH_COOKIE_SAME_SITE = "LAX";
public static final String AUTH_COOKIE_SECURE = "play.http.session.secure";
public static final boolean DEFAULT_AUTH_COOKIE_SECURE = false;
private final int _ttlInHours;
private final String _authCookieSameSite;
private final boolean _authCookieSecure;
public CookieConfigs(final Config configs) {
_ttlInHours = configs.hasPath(SESSION_TTL_CONFIG_PATH) ? configs.getInt(SESSION_TTL_CONFIG_PATH)
: DEFAULT_SESSION_TTL_HOURS;
_authCookieSameSite = configs.hasPath(AUTH_COOKIE_SAME_SITE) ? configs.getString(AUTH_COOKIE_SAME_SITE)
: DEFAULT_AUTH_COOKIE_SAME_SITE;
_authCookieSecure = configs.hasPath(AUTH_COOKIE_SECURE) ? configs.getBoolean(AUTH_COOKIE_SECURE)
: DEFAULT_AUTH_COOKIE_SECURE;
}
public int getTtlInHours() {
return _ttlInHours;
}
public String getAuthCookieSameSite() {
return _authCookieSameSite;
}
public boolean getAuthCookieSecure() {
return _authCookieSecure;
}
}

28
datahub-frontend/app/auth/sso/SsoConfigs.java
View File

@ -1,6 +1,5 @@
package auth.sso; package auth.sso;
import static auth.AuthUtils.*;
import static auth.ConfigUtil.*; import static auth.ConfigUtil.*;
@ -26,10 +25,7 @@ public class SsoConfigs {
private final String _authBaseUrl; private final String _authBaseUrl;
private final String _authBaseCallbackPath; private final String _authBaseCallbackPath;
private final String _authSuccessRedirectPath; private final String _authSuccessRedirectPath;
private final Integer _sessionTtlInHours;
private final Boolean _oidcEnabled; private final Boolean _oidcEnabled;
private final String _authCookieSameSite;
private final Boolean _authCookieSecure;
public SsoConfigs(final com.typesafe.config.Config configs) { public SsoConfigs(final com.typesafe.config.Config configs) {
_authBaseUrl = getRequired(configs, AUTH_BASE_URL_CONFIG_PATH); _authBaseUrl = getRequired(configs, AUTH_BASE_URL_CONFIG_PATH);
@ -41,21 +37,9 @@ public class SsoConfigs {
configs, configs,
AUTH_SUCCESS_REDIRECT_PATH_CONFIG_PATH, AUTH_SUCCESS_REDIRECT_PATH_CONFIG_PATH,
DEFAULT_SUCCESS_REDIRECT_PATH); DEFAULT_SUCCESS_REDIRECT_PATH);
_sessionTtlInHours = Integer.parseInt(getOptional(
configs,
SESSION_TTL_CONFIG_PATH,
DEFAULT_SESSION_TTL_HOURS.toString()));
_oidcEnabled = configs.hasPath(OIDC_ENABLED_CONFIG_PATH) _oidcEnabled = configs.hasPath(OIDC_ENABLED_CONFIG_PATH)
&& Boolean.TRUE.equals( && Boolean.TRUE.equals(
Boolean.parseBoolean(configs.getString(OIDC_ENABLED_CONFIG_PATH))); Boolean.parseBoolean(configs.getString(OIDC_ENABLED_CONFIG_PATH)));
_authCookieSameSite = getOptional(
configs,
AUTH_COOKIE_SAME_SITE,
DEFAULT_AUTH_COOKIE_SAME_SITE);
_authCookieSecure = Boolean.parseBoolean(getOptional(
configs,
AUTH_COOKIE_SECURE,
String.valueOf(DEFAULT_AUTH_COOKIE_SECURE)));
} }
public String getAuthBaseUrl() { public String getAuthBaseUrl() {
@ -70,18 +54,6 @@ public class SsoConfigs {
return _authSuccessRedirectPath; return _authSuccessRedirectPath;
} }
public Integer getSessionTtlInHours() {
return _sessionTtlInHours;
}
public String getAuthCookieSameSite() {
return _authCookieSameSite;
}
public boolean getAuthCookieSecure() {
return _authCookieSecure;
}
public Boolean isOidcEnabled() { public Boolean isOidcEnabled() {
return _oidcEnabled; return _oidcEnabled;
} }

11
datahub-frontend/app/auth/sso/oidc/OidcCallbackLogic.java
View File

@ -1,5 +1,6 @@
package auth.sso.oidc; package auth.sso.oidc;
import auth.CookieConfigs;
import client.AuthServiceClient; import client.AuthServiceClient;
import com.datahub.authentication.Authentication; import com.datahub.authentication.Authentication;
import com.linkedin.common.AuditStamp; import com.linkedin.common.AuditStamp;
@ -80,13 +81,15 @@ public class OidcCallbackLogic extends DefaultCallbackLogic<Result, PlayWebConte
private final EntityClient _entityClient; private final EntityClient _entityClient;
private final Authentication _systemAuthentication; private final Authentication _systemAuthentication;
private final AuthServiceClient _authClient; private final AuthServiceClient _authClient;
private final CookieConfigs _cookieConfigs;
public OidcCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication, public OidcCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication,
final EntityClient entityClient, final AuthServiceClient authClient) { final EntityClient entityClient, final AuthServiceClient authClient, final CookieConfigs cookieConfigs) {
_ssoManager = ssoManager; _ssoManager = ssoManager;
_systemAuthentication = systemAuthentication; _systemAuthentication = systemAuthentication;
_entityClient = entityClient; _entityClient = entityClient;
_authClient = authClient; _authClient = authClient;
_cookieConfigs = cookieConfigs;
} }
@Override @Override
@ -157,9 +160,9 @@ public class OidcCallbackLogic extends DefaultCallbackLogic<Result, PlayWebConte
.withCookies( .withCookies(
createActorCookie( createActorCookie(
corpUserUrn.toString(), corpUserUrn.toString(),
oidcConfigs.getSessionTtlInHours(), _cookieConfigs.getTtlInHours(),
oidcConfigs.getAuthCookieSameSite(), _cookieConfigs.getAuthCookieSameSite(),
oidcConfigs.getAuthCookieSecure() _cookieConfigs.getAuthCookieSecure()
) )
); );
} }

44
datahub-frontend/app/controllers/AuthenticationController.java
View File

@ -1,6 +1,7 @@
package controllers; package controllers;
import auth.AuthUtils; import auth.AuthUtils;
import auth.CookieConfigs;
import auth.JAASConfigs; import auth.JAASConfigs;
import auth.NativeAuthenticationConfigs; import auth.NativeAuthenticationConfigs;
import auth.sso.SsoManager; import auth.sso.SsoManager;
@ -32,19 +33,13 @@ import play.mvc.Result;
import play.mvc.Results; import play.mvc.Results;
import security.AuthenticationManager; import security.AuthenticationManager;
import static auth.AuthUtils.AUTH_COOKIE_SAME_SITE;
import static auth.AuthUtils.AUTH_COOKIE_SECURE;
import static auth.AuthUtils.DEFAULT_ACTOR_URN; import static auth.AuthUtils.DEFAULT_ACTOR_URN;
import static auth.AuthUtils.DEFAULT_AUTH_COOKIE_SAME_SITE;
import static auth.AuthUtils.DEFAULT_AUTH_COOKIE_SECURE;
import static auth.AuthUtils.DEFAULT_SESSION_TTL_HOURS;
import static auth.AuthUtils.EMAIL; import static auth.AuthUtils.EMAIL;
import static auth.AuthUtils.FULL_NAME; import static auth.AuthUtils.FULL_NAME;
import static auth.AuthUtils.INVITE_TOKEN; import static auth.AuthUtils.INVITE_TOKEN;
import static auth.AuthUtils.LOGIN_ROUTE; import static auth.AuthUtils.LOGIN_ROUTE;
import static auth.AuthUtils.PASSWORD; import static auth.AuthUtils.PASSWORD;
import static auth.AuthUtils.RESET_TOKEN; import static auth.AuthUtils.RESET_TOKEN;
import static auth.AuthUtils.SESSION_TTL_CONFIG_PATH;
import static auth.AuthUtils.TITLE; import static auth.AuthUtils.TITLE;
import static auth.AuthUtils.USER_NAME; import static auth.AuthUtils.USER_NAME;
import static auth.AuthUtils.createActorCookie; import static auth.AuthUtils.createActorCookie;
@ -62,7 +57,7 @@ public class AuthenticationController extends Controller {
private static final String SSO_NO_REDIRECT_MESSAGE = "SSO is configured, however missing redirect from idp"; private static final String SSO_NO_REDIRECT_MESSAGE = "SSO is configured, however missing redirect from idp";
private final Logger _logger = LoggerFactory.getLogger(AuthenticationController.class.getName()); private final Logger _logger = LoggerFactory.getLogger(AuthenticationController.class.getName());
private final Config _configs; private final CookieConfigs _cookieConfigs;
private final JAASConfigs _jaasConfigs; private final JAASConfigs _jaasConfigs;
private final NativeAuthenticationConfigs _nativeAuthenticationConfigs; private final NativeAuthenticationConfigs _nativeAuthenticationConfigs;
@ -80,7 +75,7 @@ public class AuthenticationController extends Controller {
@Inject @Inject
public AuthenticationController(@Nonnull Config configs) { public AuthenticationController(@Nonnull Config configs) {
_configs = configs; _cookieConfigs = new CookieConfigs(configs);
_jaasConfigs = new JAASConfigs(configs); _jaasConfigs = new JAASConfigs(configs);
_nativeAuthenticationConfigs = new NativeAuthenticationConfigs(configs); _nativeAuthenticationConfigs = new NativeAuthenticationConfigs(configs);
} }
@ -119,15 +114,15 @@ public class AuthenticationController extends Controller {
// 3. If no auth enabled, fallback to using default user account & redirect. // 3. If no auth enabled, fallback to using default user account & redirect.
// Generate GMS session token, TODO: // Generate GMS session token, TODO:
final String accessToken = _authClient.generateSessionTokenForUser(DEFAULT_ACTOR_URN.getId()); final String accessToken = _authClient.generateSessionTokenForUser(DEFAULT_ACTOR_URN.getId());
int ttlInHours = _configs.hasPath(SESSION_TTL_CONFIG_PATH) ? _configs.getInt(SESSION_TTL_CONFIG_PATH)
: DEFAULT_SESSION_TTL_HOURS;
String authCookieSameSite = _configs.hasPath(AUTH_COOKIE_SAME_SITE) ? _configs.getString(AUTH_COOKIE_SAME_SITE)
: DEFAULT_AUTH_COOKIE_SAME_SITE;
boolean authCookieSecure = _configs.hasPath(AUTH_COOKIE_SECURE) ? _configs.getBoolean(AUTH_COOKIE_SECURE)
: DEFAULT_AUTH_COOKIE_SECURE;
return Results.redirect(redirectPath).withSession(createSessionMap(DEFAULT_ACTOR_URN.toString(), accessToken)) return Results.redirect(redirectPath).withSession(createSessionMap(DEFAULT_ACTOR_URN.toString(), accessToken))
.withCookies(createActorCookie(DEFAULT_ACTOR_URN.toString(), ttlInHours, authCookieSameSite, authCookieSecure)); .withCookies(
createActorCookie(
DEFAULT_ACTOR_URN.toString(),
_cookieConfigs.getTtlInHours(),
_cookieConfigs.getAuthCookieSameSite(),
_cookieConfigs.getAuthCookieSecure()
)
);
} }
/** /**
@ -336,14 +331,15 @@ public class AuthenticationController extends Controller {
} }
private Result createSession(String userUrnString, String accessToken) { private Result createSession(String userUrnString, String accessToken) {
int ttlInHours = _configs.hasPath(SESSION_TTL_CONFIG_PATH) ? _configs.getInt(SESSION_TTL_CONFIG_PATH)
: DEFAULT_SESSION_TTL_HOURS;
String authCookieSameSite = _configs.hasPath(AUTH_COOKIE_SAME_SITE) ? _configs.getString(AUTH_COOKIE_SAME_SITE)
: DEFAULT_AUTH_COOKIE_SAME_SITE;
boolean authCookieSecure = _configs.hasPath(AUTH_COOKIE_SECURE) ? _configs.getBoolean(AUTH_COOKIE_SECURE)
: DEFAULT_AUTH_COOKIE_SECURE;
return Results.ok().withSession(createSessionMap(userUrnString, accessToken)) return Results.ok().withSession(createSessionMap(userUrnString, accessToken))
.withCookies(createActorCookie(userUrnString, ttlInHours, authCookieSameSite, authCookieSecure)); .withCookies(
createActorCookie(
userUrnString,
_cookieConfigs.getTtlInHours(),
_cookieConfigs.getAuthCookieSameSite(),
_cookieConfigs.getAuthCookieSecure()
)
);
} }
} }

10
datahub-frontend/app/controllers/SsoCallbackController.java
View File

@ -1,5 +1,6 @@
package controllers; package controllers;
import auth.CookieConfigs;
import client.AuthServiceClient; import client.AuthServiceClient;
import com.datahub.authentication.Authentication; import com.datahub.authentication.Authentication;
import com.linkedin.entity.client.EntityClient; import com.linkedin.entity.client.EntityClient;
@ -40,11 +41,12 @@ public class SsoCallbackController extends CallbackController {
@Nonnull SsoManager ssoManager, @Nonnull SsoManager ssoManager,
@Nonnull Authentication systemAuthentication, @Nonnull Authentication systemAuthentication,
@Nonnull EntityClient entityClient, @Nonnull EntityClient entityClient,
@Nonnull AuthServiceClient authClient) { @Nonnull AuthServiceClient authClient,
@Nonnull com.typesafe.config.Config configs) {
_ssoManager = ssoManager; _ssoManager = ssoManager;
setDefaultUrl("/"); // By default, redirects to Home Page on log in. setDefaultUrl("/"); // By default, redirects to Home Page on log in.
setSaveInSession(false); setSaveInSession(false);
setCallbackLogic(new SsoCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient)); setCallbackLogic(new SsoCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient, new CookieConfigs(configs)));
} }
public CompletionStage<Result> handleCallback(String protocol, Http.Request request) { public CompletionStage<Result> handleCallback(String protocol, Http.Request request) {
@ -77,8 +79,8 @@ public class SsoCallbackController extends CallbackController {
private final OidcCallbackLogic _oidcCallbackLogic; private final OidcCallbackLogic _oidcCallbackLogic;
SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication, SsoCallbackLogic(final SsoManager ssoManager, final Authentication systemAuthentication,
final EntityClient entityClient, final AuthServiceClient authClient) { final EntityClient entityClient, final AuthServiceClient authClient, final CookieConfigs cookieConfigs) {
_oidcCallbackLogic = new OidcCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient); _oidcCallbackLogic = new OidcCallbackLogic(ssoManager, systemAuthentication, entityClient, authClient, cookieConfigs);
} }
@Override @Override