Package io.deephaven.enterprise.auth

Class AuthenticationClientManager

java.lang.Object

io.deephaven.enterprise.auth.AuthenticationClientManagerBase

io.deephaven.enterprise.auth.AuthenticationClientManager

All Implemented Interfaces:

AuthenticationClient, PublicKeyAuthenticationClient, TokenAuthenticationClient, TokenFactoryFactory, TokenVerificationClient, AutoCloseable

Direct Known Subclasses:

AuthenticationClientManager.Null, GrpcAuthenticationClientManager

public abstract class AuthenticationClientManager
extends AuthenticationClientManagerBase
implements AuthenticationClient, AutoCloseable

Class for managing and authenticating to possibly multiple remote authentication servers.

In our gRPC re-implementation there is only a single remote (behind a gRPC channel that may be load balanced to multiple actual servers). The API (supporting multiple servers) was kept. See AuthenticationClientManagerBase} for details.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	AuthenticationClientManager.ClientTransportStatusChangeListener	This interface is used for underlying transport status changes for authentication clients.
static class	AuthenticationClientManager.Null	Null object for testing.

Nested classes/interfaces inherited from class io.deephaven.enterprise.auth.AuthenticationClientManagerBase

AuthenticationClientManagerBase.SingleClientTokenFactory, AuthenticationClientManagerBase.TokenFactoryBase

Nested classes/interfaces inherited from interface io.deephaven.enterprise.auth.TokenFactoryFactory

TokenFactoryFactory.TokenFactory

Field Summary

Fields

Modifier and Type	Field	Description
protected static final Future<Boolean>	AlwaysFalseBooleanFuture
protected final List<ClientAuthMethod>	authMethods
protected final com.fishlib.base.WeakReferenceManager<AuthenticationClientManager.ClientTransportStatusChangeListener>	connectionStatusHandlers
protected static final com.fishlib.io.logger.Logger	log

Constructor Summary

Constructors

Constructor	Description
AuthenticationClientManager()

Method Summary

Modifier and Type	Method	Description
final void	addConnectionStatusHandler(AuthenticationClientManager.ClientTransportStatusChangeListener handler)	Allows tracking of connection to server state; note that a gRPC transport will transparently try to reconnect; still, users of this class can register listeners via this method to get notified about channel state changes.
abstract boolean	challengeResponse(String privateKeyFile)	Authenticate with the user denoted in the specified private key file
protected void	checkForPlugins()	If any plugins have been enabled, check whether they match the required signature.
abstract void	close()	Disconnect from the origin
abstract List<AuthToken>	createDelegateTokens()	Create a set of tokens for delegating authentication for each Auth server.
abstract List<AuthToken>	createDelegateTokensForUser(String operateAs)	Create a set of tokens for delegating authentication for each Auth server, as a specific user.
abstract AuthToken	createToken(String service)	Create a new authentication token for the requested service.
abstract AuthToken	createTokenForUser(String service, String operateAs)	Create a new authentication token for the requested service operating as the specified user
abstract boolean	defaultAuthentication()	Perform default authentication.
abstract boolean	ensureAuthentication()	If no previous authentication attempt has been made, try default authentication.
abstract String	externalLogin(String key)	Attempt to perform key-based external-authentication against all connected/nonauthenticated servers
static AuthenticationClientManager	getDefault()
TokenFactoryFactory.TokenFactory	getTokenFactory(String service)	Create a token factory for the provided service
TokenFactoryFactory.TokenFactory	getTokenFactory(String service, String user)	Create a token factory for the provided service and user
protected abstract TokenFactoryFactory.TokenFactory	getTokenFactoryInternal(String service, String user)
abstract boolean	isAuthenticated()	Return true if this client is authenticated.
static AuthenticationClientManager	make(String name)	Factory method to create a new AuthenticationClientManager.
abstract boolean	passwordAuthentication(String checkUser, String password, String operateAs)	Authenticate to all connected/nonauthenticated servers with username/password
protected abstract boolean	pluginAuthentication()	Attempt authentication with any plugins that have been set up on the system.
abstract boolean	presentDelegateToken(AuthToken delegatedToken)	Validate the delegated tokens created by createDelegateTokens() or createDelegateTokensForUser(String)
abstract Future<Boolean>	presentDelegateTokenAsync(AuthToken delegatedToken)	Validate the delegated tokens created by createDelegateTokens() or createDelegateTokensForUser(String)
final void	removeConnectionStatusHandler(AuthenticationClientManager.ClientTransportStatusChangeListener handler)	Remove a lister to channel state changes.
final boolean	verifyToken(DhService service, AuthToken token)
abstract boolean	verifyToken(String service, AuthToken token)	Verify the specified service token with the server.
abstract void	waitForSuccessfulServerRoundtrip(long timeoutMillis)	Attempt to do a roundtrip to a (any) server, for up to the timeout milliseconds.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.deephaven.enterprise.auth.AuthenticationClient

passwordAuthentication

Methods inherited from interface io.deephaven.enterprise.auth.TokenAuthenticationClient

createToken, createTokenForUser

Methods inherited from interface io.deephaven.enterprise.auth.TokenFactoryFactory

getTokenFactory, getTokenFactory

Field Details

connectionStatusHandlers

protected final com.fishlib.base.WeakReferenceManager<AuthenticationClientManager.ClientTransportStatusChangeListener> connectionStatusHandlers

log

protected static final com.fishlib.io.logger.Logger log

authMethods

protected final List<ClientAuthMethod> authMethods

AlwaysFalseBooleanFuture

protected static final Future<Boolean> AlwaysFalseBooleanFuture

Constructor Details

AuthenticationClientManager

public AuthenticationClientManager()

Method Details

getDefault

public static AuthenticationClientManager getDefault()

make

public static AuthenticationClientManager make(String name)

Factory method to create a new AuthenticationClientManager.

Parameters:

name - a meaningful name to display for this client in logs, to help identify it. It should not contain a hostname component as that will be added to it.

Returns:

a new AuthenticationClientManager.

checkForPlugins

protected void checkForPlugins()

If any plugins have been enabled, check whether they match the required signature.

addConnectionStatusHandler

public final void addConnectionStatusHandler(AuthenticationClientManager.ClientTransportStatusChangeListener handler)

Allows tracking of connection to server state; note that a gRPC transport will transparently try to reconnect; still, users of this class can register listeners via this method to get notified about channel state changes.

Parameters:

handler - the listener where to get notifications of state changes.

removeConnectionStatusHandler

public final void removeConnectionStatusHandler(AuthenticationClientManager.ClientTransportStatusChangeListener handler)

Remove a lister to channel state changes.

Parameters:

handler - the listener to remove.

createToken

public abstract AuthToken createToken(String service)

Create a new authentication token for the requested service.

See TokenAuthenticationClient.createToken(String) for exception details Users are encouraged to use getTokenFactory(String) and TokenFactoryFactory.TokenFactory.tryActionWithToken(Consumer) or TokenFactoryFactory.TokenFactory.tryGetWithToken(Function) instead as they provide a means to handle the loss of an origin.

Specified by:

createToken in interface TokenAuthenticationClient

Returns:

a new AuthToken for service

createTokenForUser

public abstract AuthToken createTokenForUser(String service,
 String operateAs)

Create a new authentication token for the requested service operating as the specified user

See TokenAuthenticationClient.createTokenForUser(String, String) for exception details Users are encouraged to use getTokenFactory(String, String) and TokenFactoryFactory.TokenFactory.tryActionWithToken(Consumer) or TokenFactoryFactory.TokenFactory.tryGetWithToken(Function) instead as they provide a means to handle the loss of an origin.

Specified by:

createTokenForUser in interface TokenAuthenticationClient

Returns:

a new AuthToken for service operating as operateAs

createDelegateTokens

public abstract List<AuthToken> createDelegateTokens()

Create a set of tokens for delegating authentication for each Auth server.

See TokenAuthenticationClient.createToken(String) for exception details

Returns:

a list of AuthTokens delegating authentication for each available server

createDelegateTokensForUser

public abstract List<AuthToken> createDelegateTokensForUser(String operateAs)

Create a set of tokens for delegating authentication for each Auth server, as a specific user.

See TokenAuthenticationClient.createTokenForUser(String, String) for exception details

Returns:

a list of AuthTokens delegating authentication for each available server

verifyToken

public abstract boolean verifyToken(String service,
 AuthToken token)

Verify the specified service token with the server.

See TokenVerificationClient.verifyToken(String, AuthToken) for additional exception details

Specified by:

verifyToken in interface TokenVerificationClient

Returns:

true if the token was validated, false otherwise

verifyToken

public final boolean verifyToken(DhService service,
 AuthToken token)

defaultAuthentication

public abstract boolean defaultAuthentication()

Perform default authentication. Default authentication implies authenticating with the private key file, or with plugins if there is no private key file.

See challengeResponse(String) for exception details

Returns:

false if already authenticated or if an authentication attempt was done and failed, true otherwise.

ensureAuthentication

public abstract boolean ensureAuthentication()

If no previous authentication attempt has been made, try default authentication. Default authentication implies attempt to authenticate with the private key file, or with plugins if there is no private key file.

If a previous authentication attempt succeeded in the past, and that authentication method can be retried, and the client is current unauthenticated, then attempt again the same method that succeeded before.

See challengeResponse(String) for exception details

Returns:

true if authenticated by the time this call returns (either because we were already authenticated, or because we were not authenticated and an authentication attempt was done and was successful), false otherwise. When false is returned it implies not authenticated.

passwordAuthentication

public abstract boolean passwordAuthentication(String checkUser,
 String password,
 String operateAs)

Authenticate to all connected/nonauthenticated servers with username/password

See AuthenticationClient.passwordAuthentication(String, String, String) for exception details

Specified by:

passwordAuthentication in interface AuthenticationClient

Parameters:

checkUser - The user to authenticate

password - The password

operateAs - The effective user to operate as

Returns:

true on success, false on failure

externalLogin

public abstract String externalLogin(String key)

Attempt to perform key-based external-authentication against all connected/nonauthenticated servers

See AuthenticationClient.externalLogin(String) for details

Specified by:

externalLogin in interface AuthenticationClient

Parameters:

key - a nonce which an appropriate auth-module may be able to confirm as authenticated

Returns:

the authenticated user-name if this key is approved by an auth-module, else null

presentDelegateToken

public abstract boolean presentDelegateToken(AuthToken delegatedToken)

Validate the delegated tokens created by createDelegateTokens() or createDelegateTokensForUser(String)

See AuthenticationClient.presentDelegateToken(AuthToken) for additional exception detail

Specified by:

presentDelegateToken in interface AuthenticationClient

Parameters:

delegatedToken - The delegate token created by AuthenticationClientManager.createDelegateTokens()

Returns:

true if the token was validated, false otherwise

presentDelegateTokenAsync

public abstract Future<Boolean> presentDelegateTokenAsync(AuthToken delegatedToken)

Validate the delegated tokens created by createDelegateTokens() or createDelegateTokensForUser(String)

See AuthenticationClient.presentDelegateToken(AuthToken) for additional exception detail

Returns:

a Future<Boolean> that will be true if the token was validated, false otherwise

challengeResponse

public abstract boolean challengeResponse(String privateKeyFile)

Authenticate with the user denoted in the specified private key file

Specified by:

challengeResponse in interface PublicKeyAuthenticationClient

Parameters:

privateKeyFile - the file containing the elements required for authentication; user, operateas, public and private keys.

Returns:

False if already authenticated. If not already authenticated at the time of the call, the status of the authentication-attempt; true if successfully authenticated, else false

Throws:

UncheckedIOException - if the server was unreachable

PubPrivKeyException - if there was a problem with public/private key operations

AuthException - if any other problem occurred

getTokenFactory

public TokenFactoryFactory.TokenFactory getTokenFactory(String service)

Create a token factory for the provided service

Specified by:

getTokenFactory in interface TokenFactoryFactory

Parameters:

service - the service

Returns:

the created TokenFactory

getTokenFactory

public TokenFactoryFactory.TokenFactory getTokenFactory(String service,
 String user)

Create a token factory for the provided service and user

Specified by:

getTokenFactory in interface TokenFactoryFactory

Parameters:

service - the service

user - the user

Returns:

the created TokenFactory

getTokenFactoryInternal

protected abstract TokenFactoryFactory.TokenFactory getTokenFactoryInternal(String service,
 String user)

isAuthenticated

public abstract boolean isAuthenticated()

Return true if this client is authenticated. This method may wait to return if there is a concurrent authentication attempt in flight. Unlike most other methods in this class, isAuthenticated will never throw an AuthException.

Returns:

true if authenticated, false otherwise.

waitForSuccessfulServerRoundtrip

public abstract void waitForSuccessfulServerRoundtrip(long timeoutMillis)

Attempt to do a roundtrip to a (any) server, for up to the timeout milliseconds. An AuthException is thrown if the roundtrip doesn't succeed before the deadline. When this method returns normally, a client can be certain that there was an authentication server ready to service requests at some point during the call.

Throws:

AuthException - if it was not possible to get a server (any server) response.

close

public abstract void close()

Description copied from interface: AuthenticationClient

Disconnect from the origin

Specified by:

close in interface AuthenticationClient

Specified by:

close in interface AutoCloseable

Specified by:

close in interface TokenFactoryFactory

pluginAuthentication

protected abstract boolean pluginAuthentication()

Attempt authentication with any plugins that have been set up on the system.

Returns:

True if at least one plugin was able to authenticate with at least one client; false otherwise.