Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature/Identity] Bearer auth via internal idp #5367

Closed
wants to merge 77 commits into from
Closed

[Feature/Identity] Bearer auth via internal idp #5367

wants to merge 77 commits into from

Conversation

stephen-crawford
Copy link
Contributor

Description

This PR introduces bearer authentication with JWTs for feature/identity. It includes the changes introduced in #4798 because the authentication uses the same token management system to operate. There are included unit tests for bearer authentication which check catching early JWTs, expired JWTs, and valid JWTs. It is not clear what an invalid JWT would be if it were not early or expired.

There are also adaptations of the basic auth integration tests.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

cwperks and others added 30 commits November 9, 2022 14:40
@cwperks @DarshitChanpura
Experiment with creating internal realm in OS
eae97da 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Create realm, read users from a file and show authentication flow wor…
283ec5c 
…king

Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add experimental tag in new classes
68fb702 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Run updateShas
fe5a468 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Create internal idp as a module
2aaccf0 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add licenses/ directory for internal authn module
a154fdb 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Run spotlessApply
047bbea 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add shiro-core LICENSE and NOTICE
306f590 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add missing licenses
4a00f72 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add thirdPartyAudit
b57d7b2 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add naive internalClusterTest and yamlRestTest
6d78226 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Fix yamlRestTest test case
3d315df 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Remove added line from security.policy
69d6acd 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Create idp in a sandbox library
ad58ff5 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add jackson-dataformat-yaml sha1
b87adb7 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Start addressing code review comments and work on bundling issues
2134f73 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add gradle property that enables native authn feature
430cc9b 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Integrate new changes with existing identity classes
c652fa2 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Apply spotless changes
f29ce16 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Disable jar hell in server/build.gradle to get beyond bcprov/bcfips l…
ad66c3a 
…icense jar hell

Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Add jarHell.enabled = false to plugin-cli build.gradle
77c543e 
Signed-off-by: Craig Perkins <[email protected]>
@cwperks @DarshitChanpura
Switch from InternalSubject to User and iterate on builder implementa…
78e4ac1 
…tion

Signed-off-by: Craig Perkins <[email protected]>
@DarshitChanpura
Initial commit for basic auth handling via internal realm
bfb6e6a 
Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Temp removes the system get property check for sandbox flag
abf05d3 
Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Removes login method from subject interface as authentication is hand…
553788d 
…led by Internal Realm

Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Removes authentication handling from RestController class
5ae8043 
Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Adds javadoc comments and TODO statements to SecurityRestFilter and I…
bb97c92 
…nternalRealm classes

Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Adds SecurityRestFilter class to ActionModule to enable REST Request …
faae7f7 
…wrapping for authentication

Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Grants Jackson databind Reflect access and makes changes to access Us…
a2e68bf 
…er class accordingly

Signed-off-by: Darshit Chanpura <[email protected]>
@DarshitChanpura
Adds internal realm instance to Node class and adds a failure respons…
27422fe 
…e in case of missing auth credentials

Signed-off-by: Darshit Chanpura <[email protected]>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford
Updated SHAs
48d35c7 
Signed-off-by: Stephen Crawford <[email protected]>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford
Fix wildcard use
c1739f2 
Signed-off-by: Stephen Crawford <[email protected]>
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford
Spotless
8fdc142 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
Run checks
cec8b7b 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford stephen-crawford marked this pull request as ready for review November 30, 2022 15:05
@stephen-crawford stephen-crawford requested review from a team and reta as code owners November 30, 2022 15:05
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford
Copy link
Contributor Author

@DarshitChanpura @cwperks @peternied I am opening this for some feedback. The gradle check is still failing because it says a license is missing for a jar file. I am not sure what the fix for that is but if you have any ideas it would be appreciated!

The error is:

Execution failed for task ':server:dependencyLicenses'.
> Missing LICENSE for slf4j-api-1.7.36.jar, expected in slf4j-api-LICENSE.txt

@stephen-crawford stephen-crawford marked this pull request as draft November 30, 2022 17:18
@DarshitChanpura
Copy link
Member

@DarshitChanpura @cwperks @peternied I am opening this for some feedback. The gradle check is still failing because it says a license is missing for a jar file. I am not sure what the fix for that is but if you have any ideas it would be appreciated!

The error is:

Execution failed for task ':server:dependencyLicenses'.
> Missing LICENSE for slf4j-api-1.7.36.jar, expected in slf4j-api-LICENSE.txt

You can run ./gradlew updateShas to fix this

@stephen-crawford
readd sha
3b28597 
Signed-off-by: Stephen Crawford <[email protected]>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 1, 2022

Gradle Check (Jenkins) Run Completed with:

@stephen-crawford
Built
8e92edb 
Signed-off-by: Stephen Crawford <[email protected]>
@github-actions
Copy link
Contributor

github-actions bot commented Dec 1, 2022

Gradle Check (Jenkins) Run Completed with:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reta reta Awaiting requested review from reta reta is a code owner

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz will be requested when the pull request is marked ready for review anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross will be requested when the pull request is marked ready for review andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar will be requested when the pull request is marked ready for review Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE will be requested when the pull request is marked ready for review CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock will be requested when the pull request is marked ready for review dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna will be requested when the pull request is marked ready for review gbbafna is a code owner

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal will be requested when the pull request is marked ready for review kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 will be requested when the pull request is marked ready for review mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize will be requested when the pull request is marked ready for review nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 will be requested when the pull request is marked ready for review owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 will be requested when the pull request is marked ready for review Rishikesh1159 is a code owner

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli will be requested when the pull request is marked ready for review saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja will be requested when the pull request is marked ready for review shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89 dreamer-89 will be requested when the pull request is marked ready for review dreamer-89 is a code owner

@tlfeng tlfeng Awaiting requested review from tlfeng tlfeng will be requested when the pull request is marked ready for review tlfeng is a code owner

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah will be requested when the pull request is marked ready for review VachaShah is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@stephen-crawford @DarshitChanpura @cwperks @peternied