Class AuthenticationClientManager

java.lang.Object
io.deephaven.enterprise.auth.AuthenticationClientManagerBase
io.deephaven.enterprise.auth.AuthenticationClientManager
All Implemented Interfaces:
AuthenticationClient, PublicKeyAuthenticationClient, TokenAuthenticationClient, TokenFactoryFactory, TokenVerificationClient, AutoCloseable
Direct Known Subclasses:
AuthenticationClientManager.Null, GrpcAuthenticationClientManager

public abstract class AuthenticationClientManager extends AuthenticationClientManagerBase implements AuthenticationClient, AutoCloseable

Class for managing and authenticating to possibly multiple remote authentication servers.

In our gRPC re-implementation there is only a single remote (behind a gRPC channel that may be load balanced to multiple actual servers). The API (supporting multiple servers) was kept. See AuthenticationClientManagerBase for details.

  • Field Details

  • Constructor Details

    • AuthenticationClientManager

      public AuthenticationClientManager()
  • Method Details

    • getDefault

      public static AuthenticationClientManager getDefault()
    • getDefaultWithHttpResolver

      public static AuthenticationClientManager getDefaultWithHttpResolver()
    • makeDefault

      public static AuthenticationClientManager makeDefault(io.grpc.ManagedChannel channel)
    • make

      public static AuthenticationClientManager make(String name)
      Factory method to create a new AuthenticationClientManager using an etcd resolver
      Parameters:
      name - a meaningful name to display for this client in logs, to help identify it. It should not contain a hostname component as that will be added to it.
      Returns:
      a new AuthenticationClientManager.
    • makeWithHttpResolver

      public static AuthenticationClientManager makeWithHttpResolver(String name)
      Factory method to create a new AuthenticationClientManager using an http resolver
      Parameters:
      name - a meaningful name to display for this client in logs, to help identify it. It should not contain a hostname component as that will be added to it.
      Returns:
      a new AuthenticationClientManager.
    • checkForPlugins

      protected void checkForPlugins()
      If any plugins have been enabled, check whether they match the required signature.
    • addConnectionStatusHandler

      public final void addConnectionStatusHandler(AuthenticationClientManager.ClientTransportStatusChangeListener handler)
      Allows tracking of connection to server state; note that a gRPC transport will transparently try to reconnect; still, users of this class can register listeners via this method to get notified about channel state changes.
      Parameters:
      handler - the listener where to get notifications of state changes.
    • removeConnectionStatusHandler

      public final void removeConnectionStatusHandler(AuthenticationClientManager.ClientTransportStatusChangeListener handler)
      Remove a listener for channel state changes.
      Parameters:
      handler - the listener to remove.
    • createToken

      public abstract AuthToken createToken(String service)

      Create a new authentication token for the requested service.

      See TokenAuthenticationClient.createToken(String) for exception details. Users are encouraged to use getTokenFactory(String) and TokenFactoryFactory.TokenFactory.tryActionWithToken(Consumer) or TokenFactoryFactory.TokenFactory.tryGetWithToken(Function) instead, as they provide a means to handle the loss of an origin.
      Specified by:
      createToken in interface TokenAuthenticationClient
      Returns:
      a new AuthToken for service
    • createTokenForUser

      public abstract AuthToken createTokenForUser(String service, String operateAs)

      Create a new authentication token for the requested service operating as the specified user

      See TokenAuthenticationClient.createTokenForUser(String, String) for exception details. Users are encouraged to use getTokenFactory(String, String) and TokenFactoryFactory.TokenFactory.tryActionWithToken(Consumer) or TokenFactoryFactory.TokenFactory.tryGetWithToken(Function) instead, as they provide a means to handle the loss of an origin.
      Specified by:
      createTokenForUser in interface TokenAuthenticationClient
      Returns:
      a new AuthToken for service operating as operateAs
    • createDelegateTokens

      public abstract List<AuthToken> createDelegateTokens()

      Create a set of tokens for delegating authentication for each Auth server.

      See TokenAuthenticationClient.createToken(String) for exception details
      Returns:
      a list of AuthTokens delegating authentication for each available server
    • createDelegateTokensForUser

      public abstract List<AuthToken> createDelegateTokensForUser(String operateAs)

      Create a set of tokens for delegating authentication for each Auth server, as a specific user.

      See TokenAuthenticationClient.createTokenForUser(String, String) for exception details
      Returns:
      a list of AuthTokens delegating authentication for each available server
    • verifyToken

      public abstract boolean verifyToken(String service, AuthToken token)

      Verify the specified service token with the server.

      See TokenVerificationClient.verifyToken(String, AuthToken) for additional exception details
      Specified by:
      verifyToken in interface TokenVerificationClient
      Returns:
      true if the token was validated, false otherwise
    • verifyToken

      public final boolean verifyToken(DhService service, AuthToken token)
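      The following is an added example, not Deephaven's own code, showing how a service that receives an AuthToken from a caller would use verifyToken(String, AuthToken) as a fail-closed gate: only a positive answer from the server admits the caller, and any exception raised during verification is treated as "not validated". The class name TokenGate, the placeholder service name, and the packages of AuthToken and AuthException are assumptions; the page only names the types.

```java
import io.deephaven.enterprise.auth.AuthenticationClientManager;
import io.deephaven.enterprise.auth.AuthToken;      // package assumed
import io.deephaven.enterprise.auth.AuthException;  // package assumed

/** Hypothetical gate in front of a service's request handling. */
public final class TokenGate {
    // Placeholder: the name this process registered as with the auth server.
    private static final String SERVICE_NAME = "example-service";

    private final AuthenticationClientManager manager;

    public TokenGate(AuthenticationClientManager manager) {
        this.manager = manager;
    }

    /**
     * Returns true only when the authentication server positively validates
     * the presented token for SERVICE_NAME. A missing token or a failure to
     * reach the server both yield false (fail closed).
     */
    public boolean admit(AuthToken presented) {
        if (presented == null) {
            return false; // no token, no access
        }
        try {
            return manager.verifyToken(SERVICE_NAME, presented);
        } catch (AuthException e) {
            // An error while verifying (server unreachable, malformed token)
            // is not a "yes"; log it at the call site if needed and deny.
            return false;
        }
    }
}
```

      The manager passed to TokenGate must itself be authenticated; the gate does not attempt to authenticate on the caller's behalf, so the two concerns (this process logging in, and checking someone else's token) stay separate.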
    • defaultAuthentication

      public abstract boolean defaultAuthentication()

      Perform default authentication. Default authentication implies authenticating with the private key file, or with plugins if there is no private key file.

      See challengeResponse(String) for exception details
      Returns:
      false if already authenticated or if an authentication attempt was done and failed, true otherwise.
    • ensureAuthentication

      public abstract boolean ensureAuthentication()

      If no previous authentication attempt has been made, try default authentication. Default authentication implies an attempt to authenticate with the private key file, or with plugins if there is no private key file.

      If a previous authentication attempt succeeded in the past, that authentication method can be retried, and the client is currently unauthenticated, then retry the same method that succeeded before.

      See challengeResponse(String) for exception details
      Returns:
      true if authenticated by the time this call returns (either because we were already authenticated, or because we were not authenticated and an authentication attempt was done and was successful), false otherwise. When false is returned it implies not authenticated.
    • passwordAuthentication

      public abstract boolean passwordAuthentication(String checkUser, String password, String operateAs)

      Authenticate to all connected, not-yet-authenticated servers with a username and password.

      See AuthenticationClient.passwordAuthentication(String, String, String) for exception details
      Specified by:
      passwordAuthentication in interface AuthenticationClient
      Parameters:
      checkUser - The user to authenticate
      password - The password
      operateAs - The effective user to operate as
      Returns:
      true on success, false on failure
    • externalLogin

      public abstract String externalLogin(String key)

      Attempt to perform key-based external authentication against all connected, not-yet-authenticated servers.

      See AuthenticationClient.externalLogin(String) for details
      Specified by:
      externalLogin in interface AuthenticationClient
      Parameters:
      key - a nonce which an appropriate auth-module may be able to confirm as authenticated
      Returns:
      the authenticated user-name if this key is approved by an auth-module, else null
    • presentDelegateToken

      public abstract boolean presentDelegateToken(AuthToken delegatedToken)

      Validate the delegated tokens created by createDelegateTokens() or createDelegateTokensForUser(String)

      See AuthenticationClient.presentDelegateToken(AuthToken) for additional exception detail
      Specified by:
      presentDelegateToken in interface AuthenticationClient
      Parameters:
      delegatedToken - The delegate token created by AuthenticationClientManager.createDelegateTokens()
      Returns:
      true if the token was validated, false otherwise
    • presentDelegateTokenAsync

      public abstract Future<Boolean> presentDelegateTokenAsync(AuthToken delegatedToken)

      Validate the delegated tokens created by createDelegateTokens() or createDelegateTokensForUser(String)

      See AuthenticationClient.presentDelegateToken(AuthToken) for additional exception detail
      Returns:
      a Future<Boolean> that will be true if the token was validated, false otherwise
    • challengeResponse

      public abstract boolean challengeResponse(String privateKeyFile)
      Authenticate with the user denoted in the specified private key file
      Specified by:
      challengeResponse in interface PublicKeyAuthenticationClient
      Parameters:
      privateKeyFile - the file containing the elements required for authentication; user, operateas, public and private keys.
      Returns:
      False if already authenticated. If not already authenticated at the time of the call, the status of the authentication-attempt; true if successfully authenticated, else false
      Throws:
      UncheckedIOException - if the server was unreachable
      PubPrivKeyException - if there was a problem with public/private key operations
      AuthException - if any other problem occurred
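      The following is an added example, not Deephaven's own code, of a client-side login that uses the lifecycle described for waitForSuccessfulServerRoundtrip(long), ensureAuthentication(), defaultAuthentication() and challengeResponse(String). It shows two points the return-value descriptions above make: a false from defaultAuthentication() is ambiguous (already authenticated, or the attempt failed), so the caller should consult isAuthenticated() rather than the return value alone, whereas a false from ensureAuthentication() always means "not authenticated"; and a manager that failed to authenticate should be closed rather than left open. The class name ClientLogin, the timeout value and the key file path parameter are assumptions made for the example.

```java
import io.deephaven.enterprise.auth.AuthenticationClientManager;

/** Hypothetical helper that opens an authenticated manager or closes it on failure. */
public final class ClientLogin {
    // Chosen for this example; tune to the deployment's expected server latency.
    private static final long ROUNDTRIP_TIMEOUT_MILLIS = 10_000L;

    /**
     * Default path: private key file if present, otherwise plugins.
     * ensureAuthentication() returning false always means "not authenticated".
     */
    public static AuthenticationClientManager openWithDefaults(String clientName) {
        AuthenticationClientManager manager = AuthenticationClientManager.make(clientName);
        boolean ok = false;
        try {
            // Fail fast if no auth server can answer at all (throws AuthException).
            manager.waitForSuccessfulServerRoundtrip(ROUNDTRIP_TIMEOUT_MILLIS);
            ok = manager.ensureAuthentication();
            if (!ok) {
                throw new IllegalStateException("default authentication failed for " + clientName);
            }
            return manager;
        } finally {
            // Any exception (UncheckedIOException, PubPrivKeyException, AuthException)
            // or an explicit failure leaves ok == false: release the channel.
            if (!ok) {
                manager.close();
            }
        }
    }

    /**
     * Explicit key-file path. challengeResponse() returns false both when the
     * attempt failed and when the client was already authenticated, so the
     * decision is made on isAuthenticated(), which never throws.
     */
    public static AuthenticationClientManager openWithKeyFile(String clientName, String privateKeyFile) {
        AuthenticationClientManager manager = AuthenticationClientManager.make(clientName);
        boolean ok = false;
        try {
            manager.waitForSuccessfulServerRoundtrip(ROUNDTRIP_TIMEOUT_MILLIS);
            manager.challengeResponse(privateKeyFile); // return value deliberately not trusted alone
            ok = manager.isAuthenticated();
            if (!ok) {
                throw new IllegalStateException("key-based authentication failed for " + clientName);
            }
            return manager;
        } finally {
            if (!ok) {
                manager.close();
            }
        }
    }
}
```

      Both methods prefer key- or plugin-based authentication; passwordAuthentication(String, String, String) is available on the same class, but a key file avoids holding a password in process memory and in configuration.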
    • getTokenFactory

      public TokenFactoryFactory.TokenFactory getTokenFactory(String service)
      Create a token factory for the provided service
      Specified by:
      getTokenFactory in interface TokenFactoryFactory
      Parameters:
      service - the service
      Returns:
      the created TokenFactory
    • getTokenFactory

      public TokenFactoryFactory.TokenFactory getTokenFactory(String service, String user)
      Create a token factory for the provided service and user
      Specified by:
      getTokenFactory in interface TokenFactoryFactory
      Parameters:
      service - the service
      user - the user
      Returns:
      the created TokenFactory
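      The following is an added example, not Deephaven's own code, of the usage the createToken(String) and createTokenForUser(String, String) descriptions recommend: obtain a TokenFactory once per service via getTokenFactory(String) and let tryActionWithToken(Consumer) / tryGetWithToken(Function) supply a fresh token for each call, so that the loss of an origin is handled by the factory rather than by every caller. The class name ServiceCaller, the RemoteCall interface, the placeholder service name, and the assumed shapes of the factory methods (Consumer<AuthToken> and a generic Function<AuthToken, T> returning T) are not on this page and are assumptions.

```java
import io.deephaven.enterprise.auth.AuthenticationClientManager;
import io.deephaven.enterprise.auth.AuthToken;            // package assumed
import io.deephaven.enterprise.auth.TokenFactoryFactory;  // package assumed

/** Hypothetical caller of a Deephaven service that needs a token per request. */
public final class ServiceCaller {
    // Placeholder: the service name the tokens are minted for.
    private static final String SERVICE = "example-service";

    /** Hypothetical transport; only the token-consuming shape matters here. */
    public interface RemoteCall {
        String invoke(AuthToken token);
    }

    private final TokenFactoryFactory.TokenFactory tokenFactory;

    public ServiceCaller(AuthenticationClientManager manager) {
        // One factory per service, created once and reused; do not mint tokens ad hoc.
        this.tokenFactory = manager.getTokenFactory(SERVICE);
    }

    /** Request/response call: the factory hands a token to the function and returns its result. */
    public String fetch(RemoteCall call) {
        // Assumed signature: <T> T tryGetWithToken(Function<AuthToken, T>)
        return tokenFactory.tryGetWithToken(token -> call.invoke(token));
    }

    /** Fire-and-forget call where no result is needed. */
    public void notify(RemoteCall call) {
        // Assumed signature: void tryActionWithToken(Consumer<AuthToken>)
        tokenFactory.tryActionWithToken(token -> call.invoke(token));
    }
}
```

      Keeping the token inside the lambda, rather than returning it to the caller, limits how long any single AuthToken is held and keeps its handling in one place should the factory need to re-acquire one after an origin is lost.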
    • getTokenFactoryInternal

      protected abstract TokenFactoryFactory.TokenFactory getTokenFactoryInternal(String service, String user)
    • isAuthenticated

      public abstract boolean isAuthenticated()
      Return true if this client is authenticated. This method may wait to return if there is a concurrent authentication attempt in flight. Unlike most other methods in this class, isAuthenticated will never throw an AuthException.
      Returns:
      true if authenticated, false otherwise.
    • waitForSuccessfulServerRoundtrip

      public abstract void waitForSuccessfulServerRoundtrip(long timeoutMillis)
      Attempt to do a roundtrip to a (any) server, for up to the timeout milliseconds. An AuthException is thrown if the roundtrip doesn't succeed before the deadline. When this method returns normally, a client can be certain that there was an authentication server ready to service requests at some point during the call.
      Throws:
      AuthException - if it was not possible to get a server (any server) response.
    • close

      public abstract void close()
      Description copied from interface: AuthenticationClient
      Disconnect from the origin
      Specified by:
      close in interface AuthenticationClient
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface TokenFactoryFactory
    • pluginAuthentication

      protected abstract boolean pluginAuthentication()
      Attempt authentication with any plugins that have been set up on the system.
      Returns:
      True if at least one plugin was able to authenticate with at least one client; false otherwise.
    • isHttpResolver

      protected abstract boolean isHttpResolver()
      True if this authentication client manager is backed by an http resolver, false otherwise.
      Returns:
      True if this authentication client manager is backed by an http resolver, false otherwise.