AbsaOSS · TheLydonKing · Aug 20, 2024 · Apr 24, 2024 · Apr 25, 2024 · Apr 26, 2024
@@ -73,6 +73,11 @@ loginsvc:
               #region: "region"
               #username-field-name: "username"
               #password-field-name: "password"
+          #enable-kerberos:
+            #krb-file-location: "/etc/krb5.conf"
+            #keytab-file-location: "/etc/keytab"
+            #spn: "HTTP/Host"
+            #debug: true
           attributes:
             # The FieldName is the key used to search ldap and the value is the value used to name the JWT claim.
             # ldapFieldName: claimFieldName

@@ -16,15 +16,21 @@
 
 package za.co.absa.loginsvc.rest
 
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.{Bean, Configuration}
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.http.SessionCreationPolicy
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
+import za.co.absa.loginsvc.rest.config.provider.AuthConfigProvider
+import za.co.absa.loginsvc.rest.provider.kerberos.KerberosSPNEGOAuthenticationProvider
 
 @Configuration
 @EnableWebSecurity
-class SecurityConfig {
+class SecurityConfig @Autowired()(authConfigsProvider: AuthConfigProvider) {
+
+  private val ldapConfig = authConfigsProvider.getLdapConfig.orNull
 
   @Bean
   def filterChain(http: HttpSecurity): SecurityFilterChain = {
@@ -49,9 +55,19 @@ class SecurityConfig {
         .and()
       .httpBasic()
 
-    http.build()
-  }
+    if(ldapConfig != null)
+      {
+        if(ldapConfig.enableKerberos.isDefined)
+          {
+            val kerberos = new KerberosSPNEGOAuthenticationProvider(ldapConfig)
 
+            http.addFilterBefore(
+              kerberos.spnegoAuthenticationProcessingFilter,
+              classOf[BasicAuthenticationFilter])
+          }
+      }
 
+    http.build()
+  }
 
 }
@@ -34,6 +34,7 @@ case class ActiveDirectoryLDAPConfig(domain: String,
                                      searchFilter: String,
                                      order: Int,
                                      serviceAccount: ServiceAccountConfig,
+                                     enableKerberos: Option[KerberosConfig],
                                      attributes: Option[Map[String, String]])
   extends ConfigValidatable with ConfigOrdering
 {
@@ -63,89 +64,17 @@ case class ActiveDirectoryLDAPConfig(domain: String,
           .getOrElse(ConfigValidationError(ConfigValidationException("searchFilter is empty")))
       )
 
-      results.foldLeft[ConfigValidationResult](ConfigValidationSuccess)(ConfigValidationResult.merge)
+      val requiredResults = results.foldLeft[ConfigValidationResult](ConfigValidationSuccess)(ConfigValidationResult.merge)
+      val kerberosResults = enableKerberos match {
+        case Some(x) => x.validate()
+        case None => ConfigValidationSuccess
+      }
+      requiredResults.merge(kerberosResults)
     }
     else ConfigValidationSuccess
   }
 }
 
-case class ServiceAccountConfig(private val accountPattern: String,
-                                private val inConfigAccount: Option[LdapUserCredentialsConfig],
-                                private val awsSecretsManagerAccount: Option[AwsSecretsLdapUserConfig])
-{
-  private val ldapUserDetails: LdapUser = (inConfigAccount, awsSecretsManagerAccount) match {
-    case (Some(_), Some(_)) =>
-      throw ConfigValidationException("Both inConfigAccount and awsSecretsLdapUserConfig exist. Please choose only one.")
-
-    case (None, None) =>
-      throw ConfigValidationException("Neither integratedLdapUserConfig nor awsSecretsLdapUserConfig exists. Exactly one of them should be present.")
-
-    case (Some(inConfig), None) =>
-      inConfig.throwOnErrors()
-      inConfig
-
-    case (None, Some(awsConfig)) =>
-      awsConfig.throwOnErrors()
-      awsConfig
-
-    case _ =>
-      throw ConfigValidationException("Error with current config concerning inConfigAccount or awsSecretsLdapUserConfig")
-  }
-
-  val username: String = String.format(accountPattern, ldapUserDetails.username)
-  val password: String = ldapUserDetails.password
-}
-
-case class LdapUserCredentialsConfig (username: String, password: String) extends LdapUser
-{
-  def throwOnErrors(): Unit = this.validate().throwOnErrors()
-}
-
-case class AwsSecretsLdapUserConfig(private val secretName: String,
-                                    private val region: String,
-                                    private val usernameFieldName: String,
-                                    private val passwordFieldName: String) extends LdapUser {
-
-  private val logger = LoggerFactory.getLogger(classOf[LdapUser])
-
-  val (username, password) = getUsernameAndPasswordFromSecret
-  def throwOnErrors(): Unit = this.validate().throwOnErrors()
-  override def validate(): ConfigValidationResult = {
-    val results = Seq(
-      Option(secretName)
-        .map(_ => ConfigValidationSuccess)
-        .getOrElse(ConfigValidationError(ConfigValidationException("secretName is empty"))),
-
-      Option(region)
-        .map(_ => ConfigValidationSuccess)
-        .getOrElse(ConfigValidationError(ConfigValidationException("region is empty"))),
-
-      Option(usernameFieldName)
-        .map(_ => ConfigValidationSuccess)
-        .getOrElse(ConfigValidationError(ConfigValidationException("usernameFieldName is empty"))),
-
-      Option(passwordFieldName)
-        .map(_ => ConfigValidationSuccess)
-        .getOrElse(ConfigValidationError(ConfigValidationException("passwordFieldName is empty")))
-    )
-
-    val awsSecretsResultsMerge = results.foldLeft[ConfigValidationResult](ConfigValidationSuccess)(ConfigValidationResult.merge)
-    awsSecretsResultsMerge.merge(super.validate())
-  }
-
-  private def getUsernameAndPasswordFromSecret: (String, String) = {
-    try {
-      val secrets = AwsSecretsUtils.fetchSecret(secretName, region, Array(usernameFieldName, passwordFieldName))
-      (secrets(usernameFieldName), secrets(passwordFieldName))
-    }
-    catch {
-      case e: Throwable =>
-        logger.error(s"Error occurred retrieving account data from AWS Secrets Manager", e)
-        throw e
-    }
-  }
-}
-
 trait LdapUser extends ConfigValidatable {
   def username: String
   def password: String

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2023 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.loginsvc.rest.config.auth
+
+import za.co.absa.loginsvc.rest.config.validation.{ConfigValidatable, ConfigValidationException, ConfigValidationResult}
+import za.co.absa.loginsvc.rest.config.validation.ConfigValidationResult.{ConfigValidationError, ConfigValidationSuccess}
+
+case class KerberosConfig(
+  krbFileLocation: String,
+  keytabFileLocation: String,
+  spn: String,
+  debug: Option[Boolean]) extends ConfigValidatable {
+
+  override def validate(): ConfigValidationResult = {
+    val results = Seq(
+      Option(krbFileLocation)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("krbFileLocation is empty"))),
+      Option(keytabFileLocation)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("keytabFileLocation is empty"))),
+      Option(spn)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("spn is empty")))
+    )
+    results.foldLeft[ConfigValidationResult](ConfigValidationSuccess)(ConfigValidationResult.merge)
+  }
+}
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2023 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.loginsvc.rest.config.auth
+
+import org.slf4j.LoggerFactory
+import za.co.absa.loginsvc.rest.config.validation.{ConfigValidationException, ConfigValidationResult}
+import za.co.absa.loginsvc.rest.config.validation.ConfigValidationResult.{ConfigValidationError, ConfigValidationSuccess}
+import za.co.absa.loginsvc.utils.AwsSecretsUtils
+
+case class ServiceAccountConfig(private val accountPattern: String,
+                                private val inConfigAccount: Option[LdapUserCredentialsConfig],
+                                private val awsSecretsManagerAccount: Option[AwsSecretsLdapUserConfig])
+{
+  private val ldapUserDetails: LdapUser = (inConfigAccount, awsSecretsManagerAccount) match {
+    case (Some(_), Some(_)) =>
+      throw ConfigValidationException("Both inConfigAccount and awsSecretsLdapUserConfig exist. Please choose only one.")
+
+    case (None, None) =>
+      throw ConfigValidationException("Neither integratedLdapUserConfig nor awsSecretsLdapUserConfig exists. Exactly one of them should be present.")
+
+    case (Some(inConfig), None) =>
+      inConfig.throwOnErrors()
+      inConfig
+
+    case (None, Some(awsConfig)) =>
+      awsConfig.throwOnErrors()
+      awsConfig
+
+    case _ =>
+      throw ConfigValidationException("Error with current config concerning inConfigAccount or awsSecretsLdapUserConfig")
+  }
+
+  val username: String = String.format(accountPattern, ldapUserDetails.username)
+  val password: String = ldapUserDetails.password
+}
+
+case class LdapUserCredentialsConfig (username: String, password: String) extends LdapUser
+{
+  def throwOnErrors(): Unit = this.validate().throwOnErrors()
+}
+
+case class AwsSecretsLdapUserConfig(private val secretName: String,
+                                    private val region: String,
+                                    private val usernameFieldName: String,
+                                    private val passwordFieldName: String) extends LdapUser
+{
+
+  private val logger = LoggerFactory.getLogger(classOf[LdapUser])
+
+  val (username, password) = getUsernameAndPasswordFromSecret
+  def throwOnErrors(): Unit = this.validate().throwOnErrors()
+  override def validate(): ConfigValidationResult = {
+    val results = Seq(
+      Option(secretName)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("secretName is empty"))),
+
+      Option(region)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("region is empty"))),
+
+      Option(usernameFieldName)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("usernameFieldName is empty"))),
+
+      Option(passwordFieldName)
+        .map(_ => ConfigValidationSuccess)
+        .getOrElse(ConfigValidationError(ConfigValidationException("passwordFieldName is empty")))
+    )
+
+    val awsSecretsResultsMerge = results.foldLeft[ConfigValidationResult](ConfigValidationSuccess)(ConfigValidationResult.merge)
+    awsSecretsResultsMerge.merge(super.validate())
+  }
+
+  private def getUsernameAndPasswordFromSecret: (String, String) = {
+    try {
+      val secrets = AwsSecretsUtils.fetchSecret(secretName, region, Array(usernameFieldName, passwordFieldName))
+      (secrets(usernameFieldName), secrets(passwordFieldName))
+    }
+    catch {
+      case e: Throwable =>
+        logger.error(s"Error occurred retrieving account data from AWS Secrets Manager", e)
+        throw e
+    }
+  }
+}
@@ -26,8 +26,9 @@ import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.http.{HttpStatus, MediaType}
 import org.springframework.security.core.Authentication
 import org.springframework.web.bind.annotation._
+import org.springframework.web.server.ResponseStatusException
 import za.co.absa.loginsvc.model.User
-import za.co.absa.loginsvc.rest.model.{PublicKey, TokensWrapper}
+import za.co.absa.loginsvc.rest.model.{KerberosUserDetails, PublicKey, TokensWrapper}
 import za.co.absa.loginsvc.rest.service.jwt.JWTService
 import za.co.absa.loginsvc.utils.OptionUtils.ImplicitBuilderExt
 
@@ -71,7 +72,12 @@ class TokenController @Autowired()(jwtService: JWTService) {
   @ResponseStatus(HttpStatus.OK)
   @SecurityRequirement(name = "basicAuth")
   def generateToken(authentication: Authentication, @RequestParam("group-prefixes") groupPrefixes: Optional[String]): CompletableFuture[TokensWrapper] = {
-    val user = authentication.getPrincipal.asInstanceOf[User]
+
+    val user: User = authentication.getPrincipal match {
+      case u: User => u
+      case k: KerberosUserDetails => k.getUser
+      case _ => throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "User not authenticated or unknown principal type")
+    }
     val groupPrefixesStrScala = groupPrefixes.toScalaOption
 
     val filteredGroupsUser = user.applyIfDefined(groupPrefixesStrScala) { (user: User, prefixesStr: String) =>

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2023 ABSA Group Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package za.co.absa.loginsvc.rest.model
+
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.core.userdetails.UserDetails
+import za.co.absa.loginsvc.model.User
+
+import java.util
+import scala.collection.JavaConverters._
+
+case class KerberosUserDetails(user: User)
+extends UserDetails
+{
+  override def getAuthorities: util.Collection[_ <: GrantedAuthority] =
+    user.groups.map(new SimpleGrantedAuthority(_)).toList.asJava
+
+  override def getPassword: String = ""
+
+  override def getUsername: String = user.name
+
+  override def isAccountNonExpired: Boolean = true
+
+  override def isAccountNonLocked: Boolean = true
+
+  override def isCredentialsNonExpired: Boolean = true
+
+  override def isEnabled: Boolean = true
+
+  def getUser: User = user
+}