ATLAS-5284: Support JWT authentication for Atlas (#655)

Co-authored-by: chaitali.borole <chaitali.borole@cloudera.com>

Author: chaitalicod

authn/pom.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.apache.atlas</groupId>
+        <artifactId>apache-atlas</artifactId>
+        <version>3.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>atlas-authn</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Apache Atlas Authentication</name>
+    <description>JWT and authentication handler support for Apache Atlas</description>
+
+    <properties>
+        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
+        <checkstyle.skip>false</checkstyle.skip>
+    </properties>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>${javax.servlet.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+            <version>${commons-conf2.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons-lang3.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+
+    </dependencies>
+</project>

authn/src/main/java/org/apache/atlas/authn/handler/AtlasAuth.java

@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.authn.handler;
+
+public class AtlasAuth {
+    public enum AuthType {
+        JWT_JWKS("JWT-JWKS");
+
+        private final String authType;
+
+        AuthType(String authType) {
+            this.authType = authType;
+        }
+    }
+
+    private String    userName;
+    private AuthType type;
+    private boolean   isAuthenticated;
+
+    public AtlasAuth(final String username, AuthType type) {
+        this.userName        = username;
+        this.isAuthenticated = true;
+        this.type            = type;
+    }
+
+    public String getUserName() {
+        return userName;
+    }
+
+    public void setUserName(String userName) {
+        this.userName = userName;
+    }
+
+    public AuthType getType() {
+        return type;
+    }
+
+    public void setType(AuthType type) {
+        this.type = type;
+    }
+
+    public boolean isAuthenticated() {
+        return isAuthenticated;
+    }
+
+    public void setAuthenticated(boolean authenticated) {
+        isAuthenticated = authenticated;
+    }
+}

authn/src/main/java/org/apache/atlas/authn/handler/AtlasAuthHandler.java

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.authn.handler;
+
+import org.apache.commons.configuration2.Configuration;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface AtlasAuthHandler {
+    void initialize(Configuration config) throws Exception;
+
+    AtlasAuth authenticate(HttpServletRequest request);
+}

authn/src/main/java/org/apache/atlas/authn/handler/jwt/AtlasDefaultJwtAuthHandler.java

@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.atlas.authn.handler.jwt;
+
+import com.nimbusds.jose.proc.JWSKeySelector;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
+import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
+import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
+import org.apache.atlas.authn.handler.AtlasAuth;
+import org.apache.commons.lang3.StringUtils;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+public class AtlasDefaultJwtAuthHandler extends AtlasJwtAuthHandler {
+    protected static final String AUTHORIZATION_HEADER = "Authorization";
+
+    @Override
+    public ConfigurableJWTProcessor<SecurityContext> getJwtProcessor(JWSKeySelector<SecurityContext> keySelector) {
+        ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
+        JWTClaimsSetVerifier<SecurityContext> claimsVerifier   = new DefaultJWTClaimsVerifier<>();
+
+        jwtProcessor.setJWSKeySelector(keySelector);
+        jwtProcessor.setJWTClaimsSetVerifier(claimsVerifier);
+
+        return jwtProcessor;
+    }
+
+    @Override
+    public AtlasAuth authenticate(HttpServletRequest request) {
+        AtlasAuth atlasAuth = null;
+        String jwtAuthHeaderStr = getJwtAuthHeader(request);
+        String jwtCookieStr     = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(request) : null;
+
+        String username = authenticate(jwtAuthHeaderStr, jwtCookieStr);
+        if (username != null) {
+            atlasAuth = new AtlasAuth(username, AtlasAuth.AuthType.JWT_JWKS);
+        }
+        return atlasAuth;
+    }
+
+    public static boolean canAuthenticateRequest(final ServletRequest request) {
+        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+        String jwtAuthHeaderStr               = getJwtAuthHeader(httpServletRequest);
+        String jwtCookieStr                   = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(httpServletRequest) : null;
+        return shouldProceedAuth(jwtAuthHeaderStr, jwtCookieStr);
+    }
+
+    public static String getJwtAuthHeader(final HttpServletRequest httpServletRequest) {
+        return httpServletRequest.getHeader(AUTHORIZATION_HEADER);
+    }
+
+    public static String getJwtCookie(final HttpServletRequest httpServletRequest) {
+        String jwtCookieStr = null;
+        Cookie[] cookies    = httpServletRequest.getCookies();
+
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                if (cookieName.equals(cookie.getName())) {
+                    jwtCookieStr = cookie.getName() + "=" + cookie.getValue();
+                    break;
+                }
+            }
+        }
+        return jwtCookieStr;
+    }
+}