Package io.deephaven.enterprise.auth

Class GrpcAuthenticationClientManager

java.lang.Object

io.deephaven.enterprise.auth.AuthenticationClientManagerBase

io.deephaven.enterprise.auth.AuthenticationClientManager

io.deephaven.enterprise.auth.GrpcAuthenticationClientManager

All Implemented Interfaces:

AuthenticationClient, PublicKeyAuthenticationClient, TokenAuthenticationClient, TokenFactoryFactory, TokenVerificationClient, AutoCloseable

public class GrpcAuthenticationClientManager
extends AuthenticationClientManager
implements AuthenticationClient, AutoCloseable

Specialization of AuthenticationClientManager handling connection to gRPC authentication servers, using the standard gRPC mechanism for symmetric server failover

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	GrpcAuthenticationClientManager.NonceData	Data required for public key authentication related to a nonce obtained from a particular server.

Nested classes/interfaces inherited from class io.deephaven.enterprise.auth.AuthenticationClientManager

AuthenticationClientManager.ClientTransportStatusChangeListener, AuthenticationClientManager.Null

Nested classes/interfaces inherited from class io.deephaven.enterprise.auth.AuthenticationClientManagerBase

AuthenticationClientManagerBase.SingleClientTokenFactory, AuthenticationClientManagerBase.TokenFactoryBase

Nested classes/interfaces inherited from interface io.deephaven.enterprise.auth.TokenFactoryFactory

TokenFactoryFactory.TokenFactory

Field Summary

Fields inherited from class io.deephaven.enterprise.auth.AuthenticationClientManager

AlwaysFalseBooleanFuture, authMethods, connectionStatusHandlers

Constructor Summary

Constructors

Constructor	Description
GrpcAuthenticationClientManager(String name)	Create a new client manager with the specified name.
GrpcAuthenticationClientManager(String who, io.deephaven.shadow.core.io.grpc.ManagedChannel channel, boolean doInitialPing)	Creates a GrpcAuthenticationClientManager.

Method Summary

Modifier and Type	Method	Description
boolean	authenticateByCookie(byte[] cookie, UserContext userContext)
boolean	challengeResponse(byte[] signedBytes, String user, String operateAsUser, PublicKey publicKey, byte[] ipAddress)	Authenticate by private key by responding to a nonce challenge.
boolean	challengeResponse(String privateKeyFileName)	Authenticate with the user denoted in the specified private key file
GrpcAuthenticationClientManager.NonceData	challengeResponseNonce()	Get a nonce for private authentication via challenge response.
void	close()	Disconnect from the origin
List<AuthToken>	createDelegateTokens()	Create a set of tokens for delegating authentication for each Auth server.
List<AuthToken>	createDelegateTokensForUser(String operateAs)	Create a set of tokens for delegating authentication for each Auth server, as a specific user.
AuthToken	createToken(String service)	Create a new authentication token for the requested service.
AuthToken	createTokenForUser(String service, String operateAs)	Create a new authentication token for the requested service operating as the specified user
boolean	defaultAuthentication()	Perform default authentication.
boolean	ensureAuthentication()	If no previous authentication attempt has been made, try default authentication.
String	externalLogin(String key)	Attempt to perform key-based external-authentication against all connected/nonauthenticated servers
void	fullClose()	Close the client and invalidate any authentication we had on it; this implies a roundtrip to the server to invalidate the cookie.
io.deephaven.shadow.core.io.grpc.ManagedChannel	getChannel()
byte[]	getCookie(org.apache.commons.lang3.mutable.MutableLong cookieDeadlineTimeMillisMut)	Get the authentication cookie for the client, if authenticated, or null if not.
protected TokenFactoryFactory.TokenFactory	getTokenFactoryInternal(String service, String user)
byte[]	getUuid()
String	getUuidAsHexString()
boolean	isAuthenticated()	Return true if this client is authenticated.
static io.deephaven.shadow.core.io.grpc.ManagedChannel	makeChannel()	Create a new ManagedChannel using the AuthenticationServiceConstants and AuthenticationServiceConstants values.
boolean	passwordAuthentication(String checkUser, String password, String operateAs)	Authenticate to all connected/nonauthenticated servers with username/password
long	ping(long timeoutMillis)	Ping a server; return and log roundtrip time.
protected boolean	pluginAuthentication()	Attempt authentication with any plugins that have been set up on the system.
boolean	presentDelegateToken(AuthToken delegateToken)	Validate the delegated tokens created by AuthenticationClientManager.createDelegateTokens() or AuthenticationClientManager.createDelegateTokensForUser(String)
Future<Boolean>	presentDelegateTokenAsync(AuthToken delegateToken)	Validate the delegated tokens created by AuthenticationClientManager.createDelegateTokens() or AuthenticationClientManager.createDelegateTokensForUser(String)
String	reloadConfiguration()
void	softClose()	Close the client.
void	tryInvalidateCookie(byte[] cookie)	Invalidate the given cookie in the server.
boolean	verifyToken(String service, AuthToken authToken)	Verify the specified service token with the server.
void	waitForSuccessfulServerRoundtrip(long timeoutMillis)	Attempt to do a roundtrip to a (any) server, for up to the timeout milliseconds.

Methods inherited from class io.deephaven.enterprise.auth.AuthenticationClientManager

addConnectionStatusHandler, checkForPlugins, getDefault, getTokenFactory, getTokenFactory, make, removeConnectionStatusHandler, verifyToken

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.deephaven.enterprise.auth.AuthenticationClient

passwordAuthentication

Methods inherited from interface io.deephaven.enterprise.auth.TokenAuthenticationClient

createToken, createTokenForUser

Methods inherited from interface io.deephaven.enterprise.auth.TokenFactoryFactory

getTokenFactory, getTokenFactory, getTokenFactory, getTokenFactory

Constructor Details

GrpcAuthenticationClientManager

public GrpcAuthenticationClientManager(String name)

Create a new client manager with the specified name. A new ManagedChannel will be created for this object and it will not do an initial ping.

Parameters:

name - an name identifying this object for informative log messages

GrpcAuthenticationClientManager

public GrpcAuthenticationClientManager(String who,
 io.deephaven.shadow.core.io.grpc.ManagedChannel channel,
 boolean doInitialPing)

Creates a GrpcAuthenticationClientManager.

Parameters:

who - an identifier for creating informative log messages

channel - The channel to use to communicate to the servers.

doInitialPing - If true, do an initial ping RPC to the server; this will ensure the channel connection is established right away (since gRPC channels are initialized lazily), and will log basic latency stats.

Method Details

makeChannel

public static io.deephaven.shadow.core.io.grpc.ManagedChannel makeChannel()

Create a new ManagedChannel using the AuthenticationServiceConstants and AuthenticationServiceConstants values.

Returns:

a new managed channel

getChannel

public io.deephaven.shadow.core.io.grpc.ManagedChannel getChannel()

getCookie

public byte[] getCookie(org.apache.commons.lang3.mutable.MutableLong cookieDeadlineTimeMillisMut)

Get the authentication cookie for the client, if authenticated, or null if not.

Parameters:

cookieDeadlineTimeMillisMut - A mutable object where, if not null, the absolute time deadline in milliseconds for the cookie is stored.

Returns:

the authentication cookie for the client, if authenticated, or null if not.

getUuid

public byte[] getUuid()

getUuidAsHexString

public String getUuidAsHexString()

close

public void close()

Description copied from interface: AuthenticationClient

Disconnect from the origin

Specified by:

close in interface AuthenticationClient

Specified by:

close in interface AutoCloseable

Specified by:

close in interface TokenFactoryFactory

Specified by:

close in class AuthenticationClientManager

fullClose

public void fullClose()

Close the client and invalidate any authentication we had on it; this implies a roundtrip to the server to invalidate the cookie.

softClose

public void softClose()

Close the client. Do not attempt to immediately invalidate any authentication it may have, which saves us a roundtrip to the server to invalidate any cookie. This will let the cookie eventually expire instead.

createToken

public AuthToken createToken(String service)

Description copied from class: AuthenticationClientManager

Create a new authentication token for the requested service.

See TokenAuthenticationClient.createToken(String) for exception details Users are encouraged to use AuthenticationClientManager.getTokenFactory(String) and TokenFactoryFactory.TokenFactory.tryActionWithToken(Consumer) or TokenFactoryFactory.TokenFactory.tryGetWithToken(Function) instead as they provide a means to handle the loss of an origin.

Specified by:

createToken in interface TokenAuthenticationClient

Specified by:

createToken in class AuthenticationClientManager

Returns:

a new AuthToken for service

createTokenForUser

public AuthToken createTokenForUser(String service,
 String operateAs)

Description copied from class: AuthenticationClientManager

Create a new authentication token for the requested service operating as the specified user

See TokenAuthenticationClient.createTokenForUser(String, String) for exception details Users are encouraged to use AuthenticationClientManager.getTokenFactory(String, String) and TokenFactoryFactory.TokenFactory.tryActionWithToken(Consumer) or TokenFactoryFactory.TokenFactory.tryGetWithToken(Function) instead as they provide a means to handle the loss of an origin.

Specified by:

createTokenForUser in interface TokenAuthenticationClient

Specified by:

createTokenForUser in class AuthenticationClientManager

Returns:

a new AuthToken for service operating as operateAs

createDelegateTokens

public List<AuthToken> createDelegateTokens()

Description copied from class: AuthenticationClientManager

Create a set of tokens for delegating authentication for each Auth server.

See TokenAuthenticationClient.createToken(String) for exception details

Specified by:

createDelegateTokens in class AuthenticationClientManager

Returns:

a list of AuthTokens delegating authentication for each available server

createDelegateTokensForUser

public List<AuthToken> createDelegateTokensForUser(String operateAs)

Description copied from class: AuthenticationClientManager

Create a set of tokens for delegating authentication for each Auth server, as a specific user.

See TokenAuthenticationClient.createTokenForUser(String, String) for exception details

Specified by:

createDelegateTokensForUser in class AuthenticationClientManager

Returns:

a list of AuthTokens delegating authentication for each available server

verifyToken

public boolean verifyToken(String service,
 AuthToken authToken)

Description copied from class: AuthenticationClientManager

Verify the specified service token with the server.

See TokenVerificationClient.verifyToken(String, AuthToken) for additional exception details

Specified by:

verifyToken in interface TokenVerificationClient

Specified by:

verifyToken in class AuthenticationClientManager

Returns:

true if the token was validated, false otherwise

passwordAuthentication

public boolean passwordAuthentication(String checkUser,
 String password,
 String operateAs)

Description copied from class: AuthenticationClientManager

Authenticate to all connected/nonauthenticated servers with username/password

See AuthenticationClient.passwordAuthentication(String, String, String) for exception details

Specified by:

passwordAuthentication in interface AuthenticationClient

Specified by:

passwordAuthentication in class AuthenticationClientManager

Parameters:

checkUser - The user to authenticate

password - The password

operateAs - The effective user to operate as

Returns:

true on success, false on failure

externalLogin

public String externalLogin(String key)

Description copied from class: AuthenticationClientManager

Attempt to perform key-based external-authentication against all connected/nonauthenticated servers

See AuthenticationClient.externalLogin(String) for details

Specified by:

externalLogin in interface AuthenticationClient

Specified by:

externalLogin in class AuthenticationClientManager

Parameters:

key - a nonce which an appropriate auth-module may be able to confirm as authenticated

Returns:

the authenticated user-name if this key is approved by an auth-module, else null

authenticateByCookie

public boolean authenticateByCookie(byte[] cookie,
 UserContext userContext)

presentDelegateToken

public boolean presentDelegateToken(AuthToken delegateToken)

Description copied from class: AuthenticationClientManager

Validate the delegated tokens created by AuthenticationClientManager.createDelegateTokens() or AuthenticationClientManager.createDelegateTokensForUser(String)

See AuthenticationClient.presentDelegateToken(AuthToken) for additional exception detail

Specified by:

presentDelegateToken in interface AuthenticationClient

Specified by:

presentDelegateToken in class AuthenticationClientManager

Parameters:

delegateToken - The delegate token created by AuthenticationClientManager.createDelegateTokens()

Returns:

true if the token was validated, false otherwise

presentDelegateTokenAsync

public Future<Boolean> presentDelegateTokenAsync(AuthToken delegateToken)

Description copied from class: AuthenticationClientManager

Validate the delegated tokens created by AuthenticationClientManager.createDelegateTokens() or AuthenticationClientManager.createDelegateTokensForUser(String)

See AuthenticationClient.presentDelegateToken(AuthToken) for additional exception detail

Specified by:

presentDelegateTokenAsync in class AuthenticationClientManager

Returns:

a Future<Boolean> that will be true if the token was validated, false otherwise

challengeResponse

public boolean challengeResponse(String privateKeyFileName)

Description copied from class: AuthenticationClientManager

Authenticate with the user denoted in the specified private key file

Specified by:

challengeResponse in interface PublicKeyAuthenticationClient

Specified by:

challengeResponse in class AuthenticationClientManager

Parameters:

privateKeyFileName - the file containing the elements required for authentication; user, operateas, public and private keys.

Returns:

False if already authenticated. If not already authenticated at the time of the call, the status of the authentication-attempt; true if successfully authenticated, else false

challengeResponse

public boolean challengeResponse(byte[] signedBytes,
 String user,
 String operateAsUser,
 PublicKey publicKey,
 byte[] ipAddress)

Authenticate by private key by responding to a nonce challenge.

Parameters:

signedBytes - Nonce signed as a response to the nonce challenge

user - user for authentication

operateAsUser - "operate as" user for authentication

publicKey - the public key

Returns:

true if authentication was successful

challengeResponseNonce

public GrpcAuthenticationClientManager.NonceData challengeResponseNonce()

Get a nonce for private authentication via challenge response.

Returns:

the nonce

defaultAuthentication

public boolean defaultAuthentication()

Description copied from class: AuthenticationClientManager

Perform default authentication. Default authentication implies authenticating with the private key file, or with plugins if there is no private key file.

See AuthenticationClientManager.challengeResponse(String) for exception details

Specified by:

defaultAuthentication in class AuthenticationClientManager

Returns:

false if already authenticated or if an authentication attempt was done and failed, true otherwise.

ensureAuthentication

public boolean ensureAuthentication()

Description copied from class: AuthenticationClientManager

If no previous authentication attempt has been made, try default authentication. Default authentication implies attempt to authenticate with the private key file, or with plugins if there is no private key file.

If a previous authentication attempt succeeded in the past, and that authentication method can be retried, and the client is current unauthenticated, then attempt again the same method that succeeded before.

See AuthenticationClientManager.challengeResponse(String) for exception details

Specified by:

ensureAuthentication in class AuthenticationClientManager

Returns:

true if authenticated by the time this call returns (either because we were already authenticated, or because we were not authenticated and an authentication attempt was done and was successful), false otherwise. When false is returned it implies not authenticated.

getTokenFactoryInternal

protected TokenFactoryFactory.TokenFactory getTokenFactoryInternal(String service,
 String user)

Specified by:

getTokenFactoryInternal in class AuthenticationClientManager

isAuthenticated

public boolean isAuthenticated()

Description copied from class: AuthenticationClientManager

Return true if this client is authenticated. This method may wait to return if there is a concurrent authentication attempt in flight. Unlike most other methods in this class, isAuthenticated will never throw an AuthException.

Specified by:

isAuthenticated in class AuthenticationClientManager

Returns:

true if authenticated, false otherwise.

waitForSuccessfulServerRoundtrip

public void waitForSuccessfulServerRoundtrip(long timeoutMillis)

Description copied from class: AuthenticationClientManager

Attempt to do a roundtrip to a (any) server, for up to the timeout milliseconds. An AuthException is thrown if the roundtrip doesn't succeed before the deadline. When this method returns normally, a client can be certain that there was an authentication server ready to service requests at some point during the call.

Specified by:

waitForSuccessfulServerRoundtrip in class AuthenticationClientManager

ping

public long ping(long timeoutMillis)

Ping a server; return and log roundtrip time.

Parameters:

timeoutMillis - how long of a timeout, in milliseconds, to use in the ping request to the server.

Returns:

roundtrip time.

reloadConfiguration

public String reloadConfiguration()

pluginAuthentication

protected boolean pluginAuthentication()

Description copied from class: AuthenticationClientManager

Attempt authentication with any plugins that have been set up on the system.

Specified by:

pluginAuthentication in class AuthenticationClientManager

Returns:

True if at least one plugin was able to authenticate with at least one client; false otherwise.

tryInvalidateCookie

public void tryInvalidateCookie(byte[] cookie)

Invalidate the given cookie in the server.

Parameters:

cookie - The cookie to invalidate