Merge branch 'release/1.0.0'

Author: cdanger

CHANGELOG.md

@@ -1,6 +1,24 @@
 # Change log
 All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
 
+
+## 1.0.0
+### Changed 
+- Maven project version: authzforce-ce-parent: 7.4.0 -> Upgrade Apache CXF version (to fix a CVE): 3.2.5
+- Maven dependency versions:
+	- Spring Framework: 4.3.18 (fix CVE-2018-8014)
+	- authzforce-ce-jaxrs-utils: 1.2.0
+		- authzforce-ce-xacml-json-model: 2.0.0
+
+### Fixed
+- Spring Framework logging: replaced commons-logging with jcl-over-slf4j for SLF4j logging
+
+### Added
+- - #1: Authorization decision caching
+- SSL support with client certificate authentication:
+	- New configuration property `org.ow2.authzforce.kafka.pep.http.client.cfg.location` to [configure CXF HTTP client](https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport), esp. SSL settings
+
+
 ## 0.2.0
 ### Added 
 - XACML Request template file (`request.xacml.json.ft`) as part of the assembled package (`tar.gz`), so that it can be customized (by editing the file) depending on the use case

README.md

@@ -27,6 +27,7 @@ To enable the authorizer on Kafka, set the server's property:
 
 To enable XACML evaluation, set the extra following authorizer properties:
 * **`org.ow2.authzforce.kafka.pep.xacml.pdp.url`**: XACML PDP resource's URL, as defined by [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html), §2.2.2, e.g. `https://serverhostname/services/pdp` for a [AuthzForce RESTful PDP](https://github.com/authzforce/restful-pdp) instance, or `https://serverhostname/authzforce-ce/domains/XXX/pdp` for a domain `XXX` on a [AuthzForce Server](https://github.com/authzforce/server) instance.
+* **`org.ow2.authzforce.kafka.pep.http.client.cfg.location`**: location (URL supported by Spring {@link org.springframework.util.ResourceUtils}) of the HTTP client configuration as defined by <a href="https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-UsingConfiguration">Apache CXF format</a>, required for SSL settings
 * **`org.ow2.authzforce.kafka.pep.authz.cache.size.max`:** maximum number of authorization decisions cached in memory (performance optimization). Cache disabled iff not strictly positive integer. If cache enabled and an access request matches a previous one in cache, the corresponding decision is retrieved from cache directly (no decision evaluation).
 * **`org.ow2.authzforce.kafka.pep.xacml.req.tmpl.location`:** location of a file that contains a [Freemarker](https://freemarker.apache.org/) template of XACML Request formatted according to [JSON Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html), in which you can use [Freemarker expressions](https://freemarker.apache.org/docs/dgui_template_exp.html), enclosed between `${` and `}`, and have access to the following [top-level variables](https://freemarker.apache.org/docs/dgui_template_exp.html#dgui_template_exp_var_toplevel) from Kafka's authorization context:
 

pom.xml

@@ -19,36 +19,77 @@
 			<organizationUrl>http://thalesgroup.com</organizationUrl>
 		</developer>
 	</developers>
-	   <scm>
-      <connection>scm:git:https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer.git</connection>
-      <developerConnection>scm:git:https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer.git</developerConnection>
-      <tag>HEAD</tag>
-      <url>https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer</url>
-   </scm>
+	<scm>
+		<connection>scm:git:https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer.git</connection>
+		<developerConnection>scm:git:https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer.git</developerConnection>
+		<tag>HEAD</tag>
+		<url>https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer</url>
+	</scm>
 	<repositories>
 		<repository>
 			<!-- Required by owasp dependency-check plugin for find info (POM) about dependency org.everit.json.schema in child modules -->
 			<id>jitpack.io</id>
 			<url>https://jitpack.io</url>
 		</repository>
 	</repositories>
+	<properties>
+		<!-- Remove spring.version after update authzforce-ce-parent to 7.5.0 -->
+		<spring.version>4.3.18.RELEASE</spring.version>
+	</properties>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.springframework</groupId>
+				<artifactId>spring-core</artifactId>
+				<version>${spring.version}</version>
+				<exclusions>
+					<exclusion>
+						<!-- Replaced by jcl-over-slf4j dependency for redirecting logs to slf4j, see http://www.slf4j.org/legacy.html -->
+						<artifactId>commons-logging</artifactId>
+						<groupId>commons-logging</groupId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework</groupId>
+				<artifactId>spring-context</artifactId>
+				<version>${spring.version}</version>
+				<exclusions>
+					<exclusion>
+						<!-- Replaced by jcl-over-slf4j dependency for redirecting logs to slf4j, see http://www.slf4j.org/legacy.html -->
+						<artifactId>commons-logging</artifactId>
+						<groupId>commons-logging</groupId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
 	<dependencies>
+		<dependency>
+			<groupId>org.apache.kafka</groupId>
+			<artifactId>kafka_2.12</artifactId>
+			<version>1.1.0</version>
+			<scope>provided</scope>
+		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
 			<scope>provided</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.apache.kafka</groupId>
-			<artifactId>kafka_2.12</artifactId>
-			<version>1.1.0</version>
-			<scope>provided</scope>
+			<groupId>org.slf4j</groupId>
+			<artifactId>jcl-over-slf4j</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.freemarker</groupId>
 			<artifactId>freemarker</artifactId>
 			<version>2.3.23</version>
 		</dependency>
+		<!-- Needed when using CXF HTTP client XML configuration -->
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-context</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-rt-rs-client</artifactId>
@@ -62,6 +103,13 @@
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-jaxrs-utils</artifactId>
 			<version>1.2.0</version>
+			<exclusions>
+					<exclusion>
+						<!-- Replaced by jcl-over-slf4j dependency for redirecting logs to slf4j, see http://www.slf4j.org/legacy.html -->
+						<artifactId>commons-logging</artifactId>
+						<groupId>commons-logging</groupId>
+					</exclusion>
+				</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
@@ -71,7 +119,7 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
-			<version>1.5.11.RELEASE</version>
+			<version>1.5.14.RELEASE</version>
 			<scope>test</scope>
 			<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json -->
 			<exclusions>
@@ -90,7 +138,7 @@
 		<dependency>
 			<groupId>eu.driver</groupId>
 			<artifactId>driver-testbed-sec-authz-service</artifactId>
-			<version>1.0.0</version>
+			<version>1.1.0</version>
 			<scope>test</scope>
 		</dependency>
 	</dependencies>

src/main/java/org/ow2/authzforce/kafka/pep/CombinedXacmlAclAuthorizer.java

@@ -72,6 +72,9 @@
  * </ul>
  * </li>
  * <li>{@value #AUTHZ_CACHE_SIZE_MAX}: maximum number of authorization decisions cached in memory. Cache is disabled iff the property value is undefined or not strictly positive.</li>
+ * <li>{@value #HTTP_CLIENT_CFG_LOCATION}: location (URL supported by Spring {@link org.springframework.util.ResourceUtils}) of the HTTP client configuration as defined by
+ * <a href="https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-UsingConfiguration">Apache CXF format</a>, required for SSL
+ * settings</li>
  * </ul>
  */
 public class CombinedXacmlAclAuthorizer extends SimpleAclAuthorizer
@@ -95,6 +98,13 @@ public class CombinedXacmlAclAuthorizer extends SimpleAclAuthorizer
 	 */
 	public static final String AUTHZ_CACHE_SIZE_MAX = "org.ow2.authzforce.kafka.pep.authz.cache.size.max";
 
+	/**
+	 * Name of Kafka configuration property specifying the location (URL supported by Spring {@link org.springframework.util.ResourceUtils}) of the HTTP client configuration as defined by
+	 * <a href="https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-UsingConfiguration">Apache CXF format</a>, required for SSL
+	 * settings
+	 */
+	public static final String HTTP_CLIENT_CFG_LOCATION = "org.ow2.authzforce.kafka.pep.http.client.cfg.location";
+
 	private static final int MAX_JSON_STRING_LENGTH = 1000;
 
 	private interface AuthzDecisionEvaluator
@@ -137,9 +147,24 @@ public void configure(final Map<String, ?> authorizerProperties)
 			final String xacmlPdpUrlStr = (String) xacmlPdpUrlObj;
 			LOGGER.debug("XACML PDP URL set from authorizer configuration property '{}': {}", XACML_PDP_URL_CFG_PROPERTY_NAME, xacmlPdpUrlStr);
 
+			final Object cxfHttpClientCfgLocationObj = authorizerProperties.get(HTTP_CLIENT_CFG_LOCATION);
+			if (cxfHttpClientCfgLocationObj == null)
+			{
+				LOGGER.info("Configuration property '{}' undefined -> using default CXF HTTP client configuration", HTTP_CLIENT_CFG_LOCATION);
+				return;
+			}
+
+			if (!(cxfHttpClientCfgLocationObj instanceof String))
+			{
+				throw new IllegalArgumentException(this + ": authorizer configuration property '" + HTTP_CLIENT_CFG_LOCATION + "' is not a String");
+			}
+
+			final String cxfHttpClientCfgLocation = (String) cxfHttpClientCfgLocationObj;
+			LOGGER.debug("Location of HTTP client configuration (Apache CXF format) set from authorizer configuration property '{}': {}", HTTP_CLIENT_CFG_LOCATION, cxfHttpClientCfgLocation);
+
 			pdpClient = WebClient
 			        .create(xacmlPdpUrlStr, Collections.singletonList(new JsonRiJaxrsProvider(/* extra parameters */)),
-			                LOGGER.isDebugEnabled() ? Collections.singletonList(new LoggingFeature()) : Collections.<Feature>emptyList(), null /* clientConfClasspathLocation */)
+			                LOGGER.isDebugEnabled() ? Collections.singletonList(new LoggingFeature()) : Collections.<Feature>emptyList(), cxfHttpClientCfgLocation)
 			        .type(XACML_JSON_MEDIA_TYPE).accept(XACML_JSON_MEDIA_TYPE);
 
 			final Object xacmlReqTmplObj = authorizerProperties.get(XACML_REQUEST_TEMPLATE_LOCATION_CFG_PROPERTY_NAME);
@@ -263,7 +288,7 @@ public void configure(final Map<String, ?> authorizerProperties)
 
 	private boolean evalAuthzDecision(final Session session, final Operation operation, final Resource resource, final Map<String, Object> authzAttributes)
 	{
-		LOGGER.error("Calling SimpleAclAuthorizer: session={}, operation={}, resource={}", session, operation, resource);
+		LOGGER.debug("Calling SimpleAclAuthorizer: session={}, operation={}, resource={}", session, operation, resource);
 
 		final boolean simpleAclAuthorized = super.authorize(session, operation, resource);
 
@@ -314,7 +339,7 @@ public boolean authorize(final Session session, final Operation operation, final
 		 */
 		final Map<String, Object> azAttributes = ImmutableMap.of("clientHost", session.clientAddress(), "principal", session.principal(), "operation", operation.toJava(), "resourceType",
 		        resource.resourceType().toJava(), "resourceName", resource.name());
-		LOGGER.error("Authorizing access request: {}", azAttributes);
+		LOGGER.debug("Authorizing access request: {}", azAttributes);
 		final boolean isAuthorized = this.decisionEvaluator.eval(session, operation, resource, azAttributes);
 		LOGGER.debug("isAuthorized (true iff Permit) = {}", isAuthorized);
 		return isAuthorized;

src/main/resources/META-INF/cxf/org.apache.cxf.Logger

@@ -0,0 +1 @@
+org.apache.cxf.common.logging.Slf4jLogger

src/test/ca.p12

@@ -72,7 +72,7 @@ public class CombinedXacmlAclAutorizerTest
 
 	private static final Map<ResourceType, Set<AclOperation>> OPS_BY_RESOURCE_TYPE = ImmutableMap.of(
 	        //
-	        ResourceType.CLUSTER, ImmutableSet.of(AclOperation.ALTER, AclOperation.CLUSTER_ACTION, AclOperation.CREATE, AclOperation.DESCRIBE, AclOperation.IDEMPOTENT_WRITE),
+	        ResourceType.CLUSTER, ImmutableSet.of(AclOperation.ALTER, /* AclOperation.CLUSTER_ACTION, AclOperation.CREATE, */ AclOperation.DESCRIBE, AclOperation.IDEMPOTENT_WRITE),
 	        //
 	        ResourceType.GROUP, ImmutableSet.of(AclOperation.READ, AclOperation.DESCRIBE, AclOperation.DELETE),
 	        //
@@ -129,8 +129,8 @@ public CombinedXacmlAclAutorizerTest(final long authzCacheMaxSize) throws Unknow
 	public void setUp() throws IOException
 	{
 		authorizer.configure(ImmutableMap.of(KafkaConfig.ZkConnectProp(), SHARED_ZOOKEEPER_TEST_RESOURCE.getZookeeperConnectString(), CombinedXacmlAclAuthorizer.XACML_PDP_URL_CFG_PROPERTY_NAME,
-		        "http://localhost:" + port + "/services/authz/pdp", CombinedXacmlAclAuthorizer.XACML_REQUEST_TEMPLATE_LOCATION_CFG_PROPERTY_NAME, XACML_REQ_TMPL_LOCATION,
-		        CombinedXacmlAclAuthorizer.AUTHZ_CACHE_SIZE_MAX, Long.toString(authzCacheMaxSize, 10)));
+		        "https://localhost:" + port + "/services/authz/pdp", CombinedXacmlAclAuthorizer.XACML_REQUEST_TEMPLATE_LOCATION_CFG_PROPERTY_NAME, XACML_REQ_TMPL_LOCATION,
+		        CombinedXacmlAclAuthorizer.HTTP_CLIENT_CFG_LOCATION, "file:src/test/resources/http-client.xml", CombinedXacmlAclAuthorizer.AUTHZ_CACHE_SIZE_MAX, Long.toString(authzCacheMaxSize, 10)));
 	}
 
 	private void testAuthorizationForAllResourcesAndOperations(final String username, final boolean expectedAuthorized)

src/test/java/org/ow2/authzforce/kafka/pep/test/CombinedXacmlAclAutorizerTest.java

@@ -1,21 +1,38 @@
 cfg.dir=target/test-classes/authz-server
+
+# Active profile
+spring.profiles.active=ssl
+
 # Server HTTP port
 # Default server.port = 8080
 # For HTTPS (for production, you should change keypairs and passwords)
 #server.port=8443
 # If server.ssl.enabled=true, make sure sec:http/sec:intercept-url/@requires-channel = 'https' in spring-beans.xml
-server.ssl.enabled=false
+server.ssl.enabled=true
 server.ssl.key-store=file\:${cfg.dir}/server.p12
 server.ssl.key-store-type=PKCS12
 server.ssl.key-store-password=changeit
 server.ssl.key-alias=server
 server.ssl.key-password=changeit
-server.ssl.client-auth=
+server.ssl.trust-store: file\:${cfg.dir}/truststore.jks
+server.ssl.trust-store-password: changeit
+server.ssl.trust-store-type: JKS
+server.ssl.client-auth=need
 
 # JAX-RS server endpoint address (default is "/")
-#cxf.jaxrs.server.path=/
+# cxf.jaxrs.server.path=/
 # Do not use server.address to set service endpoint address as it is already used by Spring Boot
 spring.beans.conf=file\:${cfg.dir}/spring-beans.xml
 
+# Disable as much DispatcherServlet features we don't need as possible
+spring.mvc.dispatch-trace-request: false
+spring.mvc.dispatch-options-request: false 
+spring.mvc.favicon.enabled: false # Whether to enable resolution of favicon.ico.
+spring.mvc.formcontent.putfilter.enabled: false
+spring.mvc.pathmatch.use-suffix-pattern: false
+spring.mvc.servlet.load-on-startup: -1
+spring.mvc.throw-exception-if-no-handler-found: true
+spring.mvc.log-resolved-exception: true 
+
 # LOGGING
 logging.config=file\:${cfg.dir}/logback.xml

src/test/resources/application.properties

@@ -0,0 +1,83 @@
+{
+	"policy": {
+		"id": "resource.type=CLUSTER",
+		"version": "1.0",
+		"target": [
+			[
+				[
+					{
+						"matchFunction": "urn:oasis:names:tc:xacml:1.0:function:string-equal",
+						"value": "CLUSTER",
+						"attributeDesignator": {
+							"category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
+							"id": "urn:thalesgroup:xacml:resource:resource-type",
+							"dataType": "http://www.w3.org/2001/XMLSchema#string",
+							"mustBePresent": true
+						}
+					}
+				]
+			]
+		],
+		"combiningAlgId": "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable",
+		"policies": [
+			{
+				"policy": {
+					"description": "Anonymous access to cluster kafka-cluster",
+					"id": "resource.type=CLUSTER#resource.id=kafka-cluster",
+					"version": "1.0",
+					"target": [
+						[
+							[
+								{
+									"matchFunction": "urn:oasis:names:tc:xacml:1.0:function:string-equal",
+									"value": "kafka-cluster",
+									"attributeDesignator": {
+										"category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
+										"id": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
+										"dataType": "http://www.w3.org/2001/XMLSchema#string",
+										"mustBePresent": true
+									}
+								}
+							]
+						]
+					],
+					"combiningAlgId": "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable",
+					"rules": [
+						{
+							"id": "action.id={CLUSTER_ACTION,CREATE}",
+							"effect": "Permit",
+							"target": [
+								[
+									[
+										{
+											"matchFunction": "urn:oasis:names:tc:xacml:1.0:function:string-equal",
+											"value": "CLUSTER_ACTION",
+											"attributeDesignator": {
+												"category": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
+												"id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
+												"dataType": "http://www.w3.org/2001/XMLSchema#string",
+												"mustBePresent": true
+											}
+										}
+									],
+									[
+										{
+											"matchFunction": "urn:oasis:names:tc:xacml:1.0:function:string-equal",
+											"value": "CREATE",
+											"attributeDesignator": {
+												"category": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
+												"id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
+												"dataType": "http://www.w3.org/2001/XMLSchema#string",
+												"mustBePresent": true
+											}
+										}
+									]
+								]
+							]
+						}
+					]
+				}
+			}
+		]
+	}
+}

src/test/resources/authz-server/policies/resource.type=CLUSTER/1.0.xacml.json

@@ -44,7 +44,7 @@
 					"combiningAlgId": "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable",
 					"rules": [
 						{
-							"id": "action.id=READ",
+							"id": "action.id={READ,DESCRIBE}",
 							"effect": "Permit",
 							"target": [
 								[
@@ -59,6 +59,18 @@
 												"mustBePresent": true
 											}
 										}
+									],
+									[
+										{
+											"matchFunction": "urn:oasis:names:tc:xacml:1.0:function:string-equal",
+											"value": "DESCRIBE",
+											"attributeDesignator": {
+												"category": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
+												"id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
+												"dataType": "http://www.w3.org/2001/XMLSchema#string",
+												"mustBePresent": true
+											}
+										}
 									]
 								]
 							]