MID-9035: fix authentication for cluster nodes

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/config/MidpointAuthentication.java

@@ -9,6 +9,7 @@
 import java.util.*;
 import java.util.stream.Stream;
 
+import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
 import com.evolveum.midpoint.util.logging.Trace;
 
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -194,8 +195,8 @@ public String getSessionId() {
     @Override
     public boolean isAuthenticated() {
         List<AuthenticationSequenceModuleType> modules = sequence.getModule();
-        if (modules.isEmpty()) {
-            return false;
+        if (modules.isEmpty() && !AuthUtil.isClusterAuthentication(MidpointAuthentication.this)) {
+                return false;
         }
 
         if (shouldEvaluateAuthentication()) {

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java

@@ -314,4 +314,15 @@ private static boolean isPasswordResetAuthChannel(MidpointAuthentication authent
         }
        return SchemaConstants.CHANNEL_RESET_PASSWORD_URI.equals(authentication.getAuthenticationChannel().getChannelId());
    }
+
+    public static boolean isClusterAuthentication(MidpointAuthentication authentication) {
+        if (authentication.getAuthModules().size() != 1) {
+            return false;
+        }
+        ModuleAuthentication baseAuthentication = authentication.getAuthModules().get(0).getBaseModuleAuthentication();
+        if (baseAuthentication == null) {
+            return false;
+        }
+        return AuthenticationModuleNameConstants.CLUSTER.equals(baseAuthentication.getModuleTypeName());
+    }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/evaluator/NodeAuthenticationEvaluatorImpl.java

@@ -55,9 +55,6 @@ public NodeAuthenticationTokenImpl authenticate(ConnectionEnvironment connEnv, N
         LOGGER.debug("Checking if {} ({}) is a known node", remoteName, remoteAddress);
         OperationResult result = new OperationResult(OPERATION_SEARCH_NODE);
 
-        //(!nodeAuthenticator.authenticate(null, enteredUsername, enteredPassword, "node authentication"))
-//        ConnectionEnvironment connEnv = ConnectionEnvironment.create(SchemaConstants.CHANNEL_REST_URI);
-
         try {
             List<PrismObject<NodeType>> allNodes = repositoryService.searchObjects(NodeType.class, null, null, result);
             List<PrismObject<NodeType>> matchingNodes = getMatchingNodes(allNodes, remoteName, remoteAddress);
@@ -77,8 +74,10 @@ public NodeAuthenticationTokenImpl authenticate(ConnectionEnvironment connEnv, N
                 if (actualNode != null) {
                     LOGGER.trace("Established authenticity for remote {}", actualNode);
                     auditAuthenticationSuccess(actualNode.asObjectable(), connEnv);
-                    return new NodeAuthenticationTokenImpl(actualNode, remoteAddress,
+                    NodeAuthenticationTokenImpl token = new NodeAuthenticationTokenImpl(actualNode, remoteAddress,
                             Collections.emptyList());
+                    token.setAuthenticated(true);
+                    return token;
                 } else {
                     LOGGER.debug("Authenticity for {} couldn't be established: none of the secrets match", matchingNodes);
                 }
@@ -115,10 +114,6 @@ private PrismObject<NodeType> determineCurrentNode(List<PrismObject<NodeType>> m
         return null;
     }
 
-//    public boolean authenticate(@Nullable String remoteName, String remoteAddress, @NotNull String credentials, String operation) {
-//
-//    }
-
     private List<PrismObject<NodeType>> getMatchingNodes(List<PrismObject<NodeType>> knownNodes, String remoteName,
             String remoteAddress) {
         LOGGER.trace("Selecting matching node(s) for remote name '{}' and remote address '{}'", remoteName, remoteAddress);

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/filter/MidpointExceptionTranslationFilter.java

@@ -55,7 +55,7 @@ protected void sendStartAuthentication(HttpServletRequest request, HttpServletRe
             requestCache.saveRequest(request, response);
         }
         if (reason != null) {
-            LOGGER.debug(reason.getMessage());
+            LOGGER.debug(reason.getMessage(), reason);
         }
         LOGGER.debug("Calling Authentication entry point.");
         getAuthenticationEntryPoint().commence(request, response, reason);

model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java

@@ -13,6 +13,8 @@
 import java.util.Collection;
 import java.util.List;
 
+import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 import org.apache.commons.io.FileUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
@@ -373,9 +375,21 @@ private boolean forbiddenFileName(String fileName) {
 
     private void checkNodeAuthentication() throws SecurityViolationException {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (!(authentication instanceof NodeAuthenticationToken)) {
-            throw new SecurityViolationException("Node authentication is expected but not present");
+
+        if (!authentication.isAuthenticated()) {
+            throw new SecurityViolationException("Unauthenticated token");
         }
+
+        if (authentication instanceof MidpointAuthentication) {
+            if (!AuthUtil.isClusterAuthentication((MidpointAuthentication) authentication)) {
+                throw new SecurityViolationException("Midpoint authentication for cluster is expected but not present");
+            }
+        } else {
+            if (!(authentication instanceof NodeAuthenticationToken)) {
+                throw new SecurityViolationException("Node authentication is expected but not present");
+            }
+        }
+
         // TODO consider allowing administrator access here as well
     }
 }