MID-9035: fix authentication for cluster nodes

Evolveum · Sep 6, 2023 · ea6ea60 · ea6ea60
1 parent 9039c4a
commit ea6ea60
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 5 deletions.
diff --git a/...src/main/java/com/evolveum/midpoint/authentication/api/config/MidpointAuthentication.java b/...src/main/java/com/evolveum/midpoint/authentication/api/config/MidpointAuthentication.java
@@ -182,8 +182,8 @@ public String getSessionId() {
     @Override
     public boolean isAuthenticated() {
         List<AuthenticationSequenceModuleType> modules = sequence.getModule();
-        if (modules.isEmpty()) {
-            return false;
+        if (modules.isEmpty() && !AuthUtil.isClusterAuthentication(MidpointAuthentication.this)) {
+                return false;
         }
 
         if (shouldEvaluateAuthentication()) {

diff --git a/...hentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java b/...hentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java
@@ -298,4 +298,15 @@ private static boolean isPasswordResetAuthChannel(MidpointAuthentication authent
         }
        return SchemaConstants.CHANNEL_RESET_PASSWORD_URI.equals(authentication.getAuthenticationChannel().getChannelId());
    }
+
+    public static boolean isClusterAuthentication(MidpointAuthentication authentication) {
+        if (authentication.getAuthModules().size() != 1) {
+            return false;
+        }
+        ModuleAuthentication baseAuthentication = authentication.getAuthModules().get(0).getBaseModuleAuthentication();
+        if (baseAuthentication == null) {
+            return false;
+        }
+        return AuthenticationModuleNameConstants.CLUSTER.equals(baseAuthentication.getModuleTypeName());
+    }
 }
diff --git a/.../com/evolveum/midpoint/authentication/impl/evaluator/NodeAuthenticationEvaluatorImpl.java b/.../com/evolveum/midpoint/authentication/impl/evaluator/NodeAuthenticationEvaluatorImpl.java
@@ -98,6 +98,7 @@ public boolean authenticate(@Nullable String remoteName, String remoteAddress, @
                     LOGGER.trace("Established authenticity for remote {}", actualNode);
                     NodeAuthenticationTokenImpl authNtoken = new NodeAuthenticationTokenImpl(actualNode, remoteAddress,
                             Collections.emptyList());
+                    authNtoken.setAuthenticated(true);
                     SecurityContextHolder.getContext().setAuthentication(authNtoken);
                     securityHelper.auditLoginSuccess(actualNode.asObjectable(), connEnv);
                     return true;

diff --git a/.../com/evolveum/midpoint/authentication/impl/filter/MidpointExceptionTranslationFilter.java b/.../com/evolveum/midpoint/authentication/impl/filter/MidpointExceptionTranslationFilter.java
@@ -52,7 +52,7 @@ protected void sendStartAuthentication(HttpServletRequest request, HttpServletRe
             requestCache.saveRequest(request, response);
         }
         if (reason != null) {
-            LOGGER.debug(reason.getMessage());
+            LOGGER.debug(reason.getMessage(), reason);
         }
         LOGGER.debug("Calling Authentication entry point.");
         getAuthenticationEntryPoint().commence(request, response, reason);

diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
@@ -13,6 +13,8 @@
 import java.util.Collection;
 import java.util.List;
 
+import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 import org.apache.commons.io.FileUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
@@ -373,9 +375,21 @@ private boolean forbiddenFileName(String fileName) {
 
     private void checkNodeAuthentication() throws SecurityViolationException {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (!(authentication instanceof NodeAuthenticationToken)) {
-            throw new SecurityViolationException("Node authentication is expected but not present");
+
+        if (!authentication.isAuthenticated()) {
+            throw new SecurityViolationException("Unauthenticated token");
         }
+
+        if (authentication instanceof MidpointAuthentication) {
+            if (!AuthUtil.isClusterAuthentication((MidpointAuthentication) authentication)) {
+                throw new SecurityViolationException("Midpoint authentication for cluster is expected but not present");
+            }
+        } else {
+            if (!(authentication instanceof NodeAuthenticationToken)) {
+                throw new SecurityViolationException("Node authentication is expected but not present");
+            }
+        }
+
         // TODO consider allowing administrator access here as well
     }
 }