Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NIFI-6085 - Added /access/logout endpoint to allow JWT auth tokens to… #3362

Closed
wants to merge 3 commits into from
Closed

NIFI-6085 - Added /access/logout endpoint to allow JWT auth tokens to… #3362

wants to merge 3 commits into from

Conversation

thenatog
Copy link
Contributor

@thenatog thenatog commented Mar 9, 2019

… be removed correctly. Added some tests. Found an error in the KeyDAO which did not allow key deletion.

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically master)?

  • Is your initial contribution a single, squashed commit?

For code changes:

  • Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
  • If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
  • If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
@thenatog
Copy link
Contributor Author

thenatog commented May 1, 2019

@mcgilman Let me know what you think of this one.
@alopresto
Copy link
Contributor

I tested this with a standalone instance secured using TLS Toolkit and a local LDAP server. I first verified the existing behavior (the bearer token is still valid for a curl request after the user logs out via the UI), then built with the PR and verified the expected behavior (the bearer token is no longer valid for a curl request after the user logs out via the UI).

(Full steps to configure an LDAP server and connect via NiFi available on Pierre's blog; I use dnsmasq for local hostname mapping [e.g. https://andy.nifi:9443/nifi -> https://localhost:9443/nifi].)

Selected command output:

Existing behavior

Before UI logout (token should be valid)

~W/scratch/ldap (master) 😉
🔓 0s @ 18:57:14 $ curl -v --cacert /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem -H "Authorization: Bearer eyJhbGci...QHIXNNaY" https://andy.nifi:9443/nifi-api/flow/status
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to andy.nifi (127.0.0.1) port 9443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem
  CApath: none
...
* Server certificate:
*  subject: OU=NIFI; CN=andy.nifi
*  start date: May  8 01:42:09 2019 GMT
*  expire date: May  7 01:42:09 2022 GMT
*  subjectAltName: host "andy.nifi" matched cert's "andy.nifi"
*  issuer: OU=NIFI; CN=localhost
*  SSL certificate verify ok.
> GET /nifi-api/flow/status HTTP/1.1
> Host: andy.nifi:9443
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: Bearer eyJhbGci...QHIXNNaY
>
< HTTP/1.1 200 OK
...
< Content-Length: 364
< Server: Jetty(9.4.11.v20180605)
<
* Connection #0 to host andy.nifi left intact
{"controllerStatus":{"activeThreadCount":0,"terminatedThreadCount":0,"queued":"0 / 0 bytes","flowFilesQueued":0,"bytesQueued":0,"runningCount":0,"stoppedCount":0,"invalidCount":0,"disabledCount":0,"activeRemotePortCount":0,"inactiveRemotePortCount":0,"upToDateCount":0,"locallyModifiedCount":0,"staleCount":0,"locallyModifiedAndStaleCount":0,"syncFailureCount":0}}

After UI logout (token should not be valid)

~W/scratch/ldap (master) 😉
🔓 0s @ 18:58:17 $ curl -v --cacert /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem -H "Authorization: Bearer eyJhbGci...QHIXNNaY" https://andy.nifi:9443/nifi-api/flow/status
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to andy.nifi (127.0.0.1) port 9443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem
  CApath: none
...
* Server certificate:
*  subject: OU=NIFI; CN=andy.nifi
*  start date: May  8 01:42:09 2019 GMT
*  expire date: May  7 01:42:09 2022 GMT
*  subjectAltName: host "andy.nifi" matched cert's "andy.nifi"
*  issuer: OU=NIFI; CN=localhost
*  SSL certificate verify ok.
> GET /nifi-api/flow/status HTTP/1.1
> Host: andy.nifi:9443
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: Bearer eyJhbGci...QHIXNNaY
>
< HTTP/1.1 200 OK
...
< Content-Length: 364
< Server: Jetty(9.4.11.v20180605)
<
* Connection #0 to host andy.nifi left intact
{"controllerStatus":{"activeThreadCount":0,"terminatedThreadCount":0,"queued":"0 / 0 bytes","flowFilesQueued":0,"bytesQueued":0,"runningCount":0,"stoppedCount":0,"invalidCount":0,"disabledCount":0,"activeRemotePortCount":0,"inactiveRemotePortCount":0,"upToDateCount":0,"locallyModifiedCount":0,"staleCount":0,"locallyModifiedAndStaleCount":0,"syncFailureCount":0}}

Expected behavior (after applying PR)

Before UI logout (token should be valid)

~W/scratch/ldap (master) 😉
🔓 0s @ 19:07:52 $ curl -v --cacert /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem -H "Authorization: Bearer eyJhbGci...utn2MCGAs" https://andy.nifi:9443/nifi-api/flow/status
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to andy.nifi (127.0.0.1) port 9443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem
  CApath: none
...
* Server certificate:
*  subject: OU=NIFI; CN=andy.nifi
*  start date: May  8 01:42:09 2019 GMT
*  expire date: May  7 01:42:09 2022 GMT
*  subjectAltName: host "andy.nifi" matched cert's "andy.nifi"
*  issuer: OU=NIFI; CN=localhost
*  SSL certificate verify ok.
> GET /nifi-api/flow/status HTTP/1.1
> Host: andy.nifi:9443
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: Bearer eyJhbGci...utn2MCGAs
>
< HTTP/1.1 200 OK
...
< Content-Length: 364
< Server: Jetty(9.4.11.v20180605)
<
* Connection #0 to host andy.nifi left intact
{"controllerStatus":{"activeThreadCount":0,"terminatedThreadCount":0,"queued":"0 / 0 bytes","flowFilesQueued":0,"bytesQueued":0,"runningCount":0,"stoppedCount":0,"invalidCount":0,"disabledCount":0,"activeRemotePortCount":0,"inactiveRemotePortCount":0,"upToDateCount":0,"locallyModifiedCount":0,"staleCount":0,"locallyModifiedAndStaleCount":0,"syncFailureCount":0}}

After UI logout (token should not be valid)

~W/scratch/ldap (master) 😉
🔓 0s @ 19:08:00 $ curl -v --cacert /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem -H "Authorization: Bearer eyJhbGci...utn2MCGAs" https://andy.nifi:9443/nifi-api/flow/status
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to andy.nifi (127.0.0.1) port 9443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT/conf/nifi-cert.pem
  CApath: none
...
* Server certificate:
*  subject: OU=NIFI; CN=andy.nifi
*  start date: May  8 01:42:09 2019 GMT
*  expire date: May  7 01:42:09 2022 GMT
*  subjectAltName: host "andy.nifi" matched cert's "andy.nifi"
*  issuer: OU=NIFI; CN=localhost
*  SSL certificate verify ok.
> GET /nifi-api/flow/status HTTP/1.1
> Host: andy.nifi:9443
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: Bearer eyJhbGci...utn2MCGAs
>
< HTTP/1.1 401 Unauthorized
...
< Content-Length: 37
< Server: Jetty(9.4.11.v20180605)
<
Unable to validate the access token.
* Connection #0 to host andy.nifi left intact
alopresto pushed a commit to alopresto/nifi that referenced this pull request May 8, 2019
@thenatog @alopresto
NIFI-6085 - Added /access/logout endpoint to allow JWT auth tokens to…
b3c12d8 
… be removed correctly. Added some tests. Found an error in the KeyDAO which did not allow key deletion.

NIFI-6085 - Updated logOut method to use NiFiUserUtils and updated tests.
NIFI-6085 - Added some more integration tests.
NIFI-6085 Suppressed stacktrace when token is used after being invalidated.

This closes apache#3362.

Signed-off-by: Andy LoPresto <alopresto@apache.org>
@alopresto
Copy link
Contributor

Suppressed an unnecessary stacktrace if token use was attempted after logout (commit here - b3c12d8).

Ran contrib-check and all tests pass. +1, merging.
@asfgit asfgit closed this in cf6f517 May 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@thenatog @alopresto