KNOX-2998 - Path based authorization provider

gateway-provider-security-authz-path-acls/pom.xml

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.knox</groupId>
+        <artifactId>gateway</artifactId>
+        <version>2.1.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-provider-security-authz-path-acls</artifactId>
+    <name>gateway-provider-security-authz-path-acls</name>
+    <description>Provides authorization ACL support based on request path.</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-i18n</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-util-common</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-provider-security-authz-acls</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-util-urltemplate</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-test-utils</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+</project>

gateway-provider-security-authz-path-acls/src/main/java/org/apache/knox/gateway/deploy/impl/PathAclsAuthzDeploymentContributor.java

@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class PathAclsAuthzDeploymentContributor
+    extends ProviderDeploymentContributorBase {
+
+  private static final String FILTER_CLASSNAME = "org.apache.knox.gateway.filter.PathAclsAuthorizationFilter";
+
+  @Override
+  public String getRole() {
+    return "authorization";
+  }
+
+  @Override
+  public String getName() {
+    return "PathAclsAuthz";
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeProvider(DeploymentContext context, Provider provider) {
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider,
+      Service service, ResourceDescriptor resource,
+      List<FilterParamDescriptor> params) {
+    if (params == null) {
+      params = new ArrayList<>();
+    }
+    // add resource role to params so that we can determine the acls to enforce at runtime
+    params.add(resource.createFilterParam().name("resource.role")
+        .value(resource.role()));
+
+    // the following are used within the PathAclsAuthz provider to replace
+    // placeholders within the acls KNOX_ADMIN_GROUPS and KNOX_ADMIN_USERS
+    String adminGroups = context.getGatewayConfig().getKnoxAdminGroups();
+    params.add(resource.createFilterParam().name("knox.admin.groups")
+        .value(adminGroups));
+
+    String adminUsers = context.getGatewayConfig().getKnoxAdminUsers();
+    params.add(resource.createFilterParam().name("knox.admin.users")
+        .value(adminUsers));
+
+    // blindly add all the provider params as filter init params
+    Map<String, String> providerParams = provider.getParams();
+    for (Entry<String, String> entry : providerParams.entrySet()) {
+      params.add(resource.createFilterParam()
+          .name(entry.getKey().toLowerCase(Locale.ROOT))
+          .value(entry.getValue()));
+    }
+
+    resource.addFilter().name(getName()).role(getRole()).impl(FILTER_CLASSNAME)
+        .params(params);
+  }
+}

gateway-provider-security-authz-path-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationResources.java

@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import org.apache.knox.gateway.i18n.resources.Resource;
+import org.apache.knox.gateway.i18n.resources.Resources;
+
+@Resources
+public interface AclsAuthorizationResources {
+  @Resource( text = "Response status: {0}" )
+  String responseStatus( int status );
+}

gateway-provider-security-authz-path-acls/src/main/java/org/apache/knox/gateway/filter/InvalidACLException.java

@@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+/**
+ * invalid ACL configuration item
+ */
+public class InvalidACLException extends RuntimeException {
+
+  private static final long serialVersionUID = -4284269372393774095L;
+
+  public InvalidACLException(String message) {
+    super(message);
+  }
+
+}

gateway-provider-security-authz-path-acls/src/main/java/org/apache/knox/gateway/filter/PathAclParser.java

@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.urltemplate.Matcher;
+import org.apache.knox.gateway.util.urltemplate.Parser;
+import org.apache.knox.gateway.util.urltemplate.Template;
+
+import java.net.URISyntaxException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+public class PathAclParser {
+  private static PathAclsAuthorizationMessages log = MessagesFactory.get(
+      PathAclsAuthorizationMessages.class);
+  /* A Map of path to ACLs (users, groups, ips) to match */
+  public Map<Matcher, AclParser> rulesMap = new HashMap<>();
+  public PathAclParser() {
+    super();
+  }
+
+  public void parsePathAcls(final String resourceRole,
+      Map<String, String> rawRules) throws InvalidACLException {
+    if (rawRules != null && !rawRules.isEmpty()) {
+      for (final Map.Entry<String, String> rules : rawRules.entrySet()) {
+        final String acls = rules.getValue();
+        final Matcher urlMatcher = new Matcher();
+        final AclParser aclParser = new AclParser();
+        final Template urlPatternTemplate;
+        if (acls != null) {
+          final String path = acls.substring(0, acls.indexOf(';'));
+          final String aclRules = acls.substring(acls.indexOf(';') + 1);
+
+          log.aclsFoundForResource(rules.getKey());
+          if (StringUtils.isBlank(path) || StringUtils.isBlank(aclRules)) {
+            log.invalidAclsFoundForResource(rules.getKey());
+            throw new InvalidACLException(
+                "Invalid Path ACLs specified for rule: " + rules.getKey());
+          }
+          log.aclsFoundForResource(rules.getKey());
+
+          try {
+            urlPatternTemplate = Parser.parseTemplate(path);
+          } catch (URISyntaxException e) {
+            log.invalidURLPattern(rules.getKey());
+            throw new InvalidACLException(
+                "Invalid URL pattern for rule: " + rules.getKey());
+          }
+
+          urlMatcher.add(urlPatternTemplate, rules.getKey());
+          /* Reuse the code that parses users, groups and ips*/
+          aclParser.parseAcls(resourceRole, aclRules);
+          /* Save our rule and the parsed path */
+          rulesMap.put(urlMatcher, aclParser);
+        }
+
+      }
+    } else {
+      log.noAclsFoundForResource(resourceRole);
+    }
+  }
+
+  public Map getRulesMap() {
+    return Collections.unmodifiableMap(rulesMap);
+  }
+
+}