concord-server: split ConcordAuthenticationHandler into separate handlers (#1026)

Author: ibodrov

sdk/src/main/java/com/walmartlabs/concord/sdk/Constants.java

@@ -624,6 +624,8 @@ public static class Headers {
         public static final String SECRET_TYPE = "X-Concord-SecretType";
 
         public static final String ENABLE_HTTP_SESSION = "X-Concord-EnableSession";
+
+        public static final String REMEMBER_ME_HEADER = "X-Concord-RememberMe";
     }
 
     /**

server/impl/src/main/java/com/walmartlabs/concord/server/ApiServerModule.java

@@ -81,7 +81,6 @@ public void configure(Binder binder) {
 
         newSetBinder(binder, ServletContextListener.class).addBinding().to(ShiroListener.class).in(SINGLETON);
         newSetBinder(binder, FilterChainConfigurator.class).addBinding().to(ConcordFilterChainConfigurator.class).in(SINGLETON);
-        newSetBinder(binder, AuthenticationHandler.class).addBinding().to(ConcordAuthenticationHandler.class).in(SINGLETON);
 
         binder.bind(ConcordSecurityManager.class).in(SINGLETON);
         binder.bind(SecurityManager.class).to(ConcordSecurityManager.class);

server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java

@@ -97,7 +97,7 @@ protected AuthenticationToken createToken(ServletRequest request, ServletRespons
         }
 
         // no dice
-        return new UsernamePasswordToken();
+        return new UnauthenticatedToken();
     }
 
     @Override

server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticationHandler.java

@@ -0,0 +1,36 @@
+package com.walmartlabs.concord.server.boot.filters;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2024 Walmart Inc.
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import org.apache.shiro.authc.AuthenticationToken;
+
+public final class UnauthenticatedToken implements AuthenticationToken {
+
+    @Override
+    public Object getPrincipal() {
+        return "";
+    }
+
+    @Override
+    public Object getCredentials() {
+        return "";
+    }
+}

server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/UnauthenticatedToken.java

@@ -0,0 +1,83 @@
+package com.walmartlabs.concord.server.security;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2020 Walmart Inc.
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.walmartlabs.concord.server.boot.filters.AuthenticationHandler;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.support.DefaultSubjectContext;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.HttpHeaders;
+import java.util.Base64;
+
+import static com.walmartlabs.concord.sdk.Constants.Headers.REMEMBER_ME_HEADER;
+
+/**
+ * Handles basic authentication (username/password).
+ */
+public class BasicAuthenticationHandler implements AuthenticationHandler {
+
+    private static final String BASIC_AUTH_PREFIX = "Basic ";
+
+    @Override
+    public AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
+        var req = (HttpServletRequest) request;
+
+        if (req.getHeader(HttpHeaders.AUTHORIZATION) == null) {
+            return null;
+        }
+
+        // check the 'remember me' status
+        var rememberMe = Boolean.parseBoolean(req.getHeader(REMEMBER_ME_HEADER));
+
+        var auth = req.getHeader(HttpHeaders.AUTHORIZATION);
+        if (auth == null || auth.isBlank()) {
+            return null;
+        }
+
+        if (!auth.startsWith(BASIC_AUTH_PREFIX)) {
+            return null;
+        }
+
+        auth = auth.substring(BASIC_AUTH_PREFIX.length());
+        auth = new String(Base64.getDecoder().decode(auth));
+
+        var idx = auth.indexOf(":");
+        if (idx + 1 == auth.length()) {
+            throw new IllegalArgumentException("Invalid basic auth header");
+        }
+
+        if (idx < 0 || idx + 1 >= auth.length()) {
+            throw new IllegalArgumentException("Invalid basic auth header");
+        }
+
+        var username = auth.substring(0, idx).trim();
+        var password = auth.substring(idx + 1);
+
+        // enable sessions
+        req.setAttribute(DefaultSubjectContext.SESSION_CREATION_ENABLED, true);
+
+        return new UsernamePasswordToken(username, password, rememberMe);
+    }
+}

server/impl/src/main/java/com/walmartlabs/concord/server/security/BasicAuthenticationHandler.java

@@ -9,9 +9,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -22,6 +22,8 @@
 
 import com.google.inject.Binder;
 import com.google.inject.Module;
+import com.walmartlabs.concord.server.boot.filters.AuthenticationHandler;
+import com.walmartlabs.concord.server.security.apikey.ApiKeyAuthenticationHandler;
 import com.walmartlabs.concord.server.security.apikey.ApiKeyRealm;
 import com.walmartlabs.concord.server.security.github.GithubRealm;
 import com.walmartlabs.concord.server.security.internal.InternalRealm;
@@ -41,6 +43,10 @@ public class SecurityModule implements Module {
 
     @Override
     public void configure(Binder binder) {
+        newSetBinder(binder, AuthenticationHandler.class).addBinding().to(BasicAuthenticationHandler.class).in(SINGLETON);
+        newSetBinder(binder, AuthenticationHandler.class).addBinding().to(ApiKeyAuthenticationHandler.class).in(SINGLETON);
+        newSetBinder(binder, AuthenticationHandler.class).addBinding().to(SessionTokenAuthenticationHandler.class).in(SINGLETON);
+
         newSetBinder(binder, Realm.class).addBinding().to(ApiKeyRealm.class);
         newSetBinder(binder, Realm.class).addBinding().to(GithubRealm.class);
         newSetBinder(binder, Realm.class).addBinding().to(InternalRealm.class);