druid extension for OpenID Connect auth using pac4j lib

core/src/main/java/org/apache/druid/crypto/CryptoService.java

@@ -0,0 +1,217 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.crypto;
+
+import com.google.common.base.Preconditions;
+import org.apache.druid.java.util.common.StringUtils;
+
+import javax.annotation.Nullable;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.ByteBuffer;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.InvalidParameterSpecException;
+import java.security.spec.KeySpec;
+
+/**
+ * Utility class for symmetric key encryption (i.e. same secret is used for encryption and decryption) of byte[]
+ * using javax.crypto package.
+ *
+ * To learn about possible algorithms supported and their names,
+ * See https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html
+ */
+public class CryptoService
+{
+  // Based on Javadocs on SecureRandom, It is threadsafe as well.
+  private static final SecureRandom SECURE_RANDOM_INSTANCE = new SecureRandom();
+
+  // User provided secret phrase used for encrypting data
+  private final char[] passPhrase;
+
+  // Variables for algorithm used to generate a SecretKey based on user provided passPhrase
+  private final String secretKeyFactoryAlg;
+  private final int saltSize;
+  private final int iterationCount;
+  private final int keyLength;
+
+  // Cipher algorithm information
+  private final String cipherAlgName;
+  private final String cipherAlgMode;
+  private final String cipherAlgPadding;
+
+  // transformation =  "cipherAlgName/cipherAlgMode/cipherAlgPadding" used in Cipher.getInstance(transformation)
+  private final String transformation;
+
+  public CryptoService(
+      String passPhrase,
+      @Nullable String cipherAlgName,
+      @Nullable String cipherAlgMode,
+      @Nullable String cipherAlgPadding,
+      @Nullable String secretKeyFactoryAlg,
+      @Nullable Integer saltSize,
+      @Nullable Integer iterationCount,
+      @Nullable Integer keyLength
+  )
+  {
+    Preconditions.checkArgument(
+        passPhrase != null && !passPhrase.isEmpty(),
+        "null/empty passPhrase"
+    );
+    this.passPhrase = passPhrase.toCharArray();
+
+    this.cipherAlgName = cipherAlgName == null ? "AES" : cipherAlgName;
+    this.cipherAlgMode = cipherAlgMode == null ? "CBC" : cipherAlgMode;
+    this.cipherAlgPadding = cipherAlgPadding == null ? "PKCS5Padding" : cipherAlgPadding;
+    this.transformation = StringUtils.format("%s/%s/%s", this.cipherAlgName, this.cipherAlgMode, this.cipherAlgPadding);
+
+    this.secretKeyFactoryAlg = secretKeyFactoryAlg == null ? "PBKDF2WithHmacSHA256" : secretKeyFactoryAlg;
+    this.saltSize = saltSize == null ? 8 : saltSize;
+    this.iterationCount = iterationCount == null ? 65536 : iterationCount;
+    this.keyLength = keyLength == null ? 128 : keyLength;
+
+    // encrypt/decrypt a test string to ensure all params are valid
+    String testString = "duh! !! !!!";
+    Preconditions.checkState(
+        testString.equals(StringUtils.fromUtf8(decrypt(encrypt(StringUtils.toUtf8(testString))))),
+        "decrypt(encrypt(testString)) failed"
+    );
+  }
+
+  public byte[] encrypt(byte[] plain)
+  {
+    try {
+      byte[] salt = new byte[saltSize];
+      SECURE_RANDOM_INSTANCE.nextBytes(salt);
+
+      SecretKey tmp = getKeyFromPassword(passPhrase, salt);
+      SecretKey secret = new SecretKeySpec(tmp.getEncoded(), cipherAlgName);
+      Cipher ecipher = Cipher.getInstance(transformation);
+      ecipher.init(Cipher.ENCRYPT_MODE, secret);
+      return new EncryptedData(
+          salt,
+          ecipher.getParameters().getParameterSpec(IvParameterSpec.class).getIV(),
+          ecipher.doFinal(plain)
+      ).toByteAray();
+    }
+    catch (InvalidKeySpecException | NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | InvalidParameterSpecException | IllegalBlockSizeException | BadPaddingException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
+  public byte[] decrypt(byte[] data)
+  {
+    try {
+      EncryptedData encryptedData = EncryptedData.fromByteArray(data);
+
+      SecretKey tmp = getKeyFromPassword(passPhrase, encryptedData.getSalt());
+      SecretKey secret = new SecretKeySpec(tmp.getEncoded(), cipherAlgName);
+
+      Cipher dcipher = Cipher.getInstance(transformation);
+      dcipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(encryptedData.getIv()));
+      return dcipher.doFinal(encryptedData.getCipher());
+    }
+    catch (InvalidKeySpecException | NoSuchAlgorithmException | InvalidAlgorithmParameterException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException ex) {
+      throw new RuntimeException(ex);
+    }
+  }
+
+  private SecretKey getKeyFromPassword(char[] passPhrase, byte[] salt)
+      throws NoSuchAlgorithmException, InvalidKeySpecException
+  {
+    SecretKeyFactory factory = SecretKeyFactory.getInstance(secretKeyFactoryAlg);
+    KeySpec spec = new PBEKeySpec(passPhrase, salt, iterationCount, keyLength);
+    return factory.generateSecret(spec);
+  }
+
+  private static class EncryptedData
+  {
+    private final byte[] salt;
+    private final byte[] iv;
+    private final byte[] cipher;
+
+    public EncryptedData(byte[] salt, byte[] iv, byte[] cipher)
+    {
+      this.salt = salt;
+      this.iv = iv;
+      this.cipher = cipher;
+    }
+
+    public byte[] getSalt()
+    {
+      return salt;
+    }
+
+    public byte[] getIv()
+    {
+      return iv;
+    }
+
+    public byte[] getCipher()
+    {
+      return cipher;
+    }
+
+    public byte[] toByteAray()
+    {
+      int headerLength = 12;
+      ByteBuffer bb = ByteBuffer.allocate(salt.length + iv.length + cipher.length + headerLength);
+      bb.putInt(salt.length)
+        .putInt(iv.length)
+        .putInt(cipher.length)
+        .put(salt)
+        .put(iv)
+        .put(cipher);
+      bb.flip();
+
+      return bb.array();
+    }
+
+    public static EncryptedData fromByteArray(byte[] array)
+    {
+      ByteBuffer bb = ByteBuffer.wrap(array);
+
+      int saltSize = bb.getInt();
+      int ivSize = bb.getInt();
+      int cipherSize = bb.getInt();
+
+      byte[] salt = new byte[saltSize];
+      bb.get(salt);
+
+      byte[] iv = new byte[ivSize];
+      bb.get(iv);
+
+      byte[] cipher = new byte[cipherSize];
+      bb.get(cipher);
+
+      return new EncryptedData(salt, iv, cipher);
+    }
+  }
+}

core/src/test/java/org/apache/druid/crypto/CryptoServiceTest.java

@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.crypto;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.nio.charset.StandardCharsets;
+
+public class CryptoServiceTest
+{
+  @Test
+  public void testEncryptDecrypt()
+  {
+    CryptoService cryptoService = new CryptoService(
+        "random-passphrase",
+        "AES",
+        "CBC",
+        "PKCS5Padding",
+        "PBKDF2WithHmacSHA256",
+        8,
+        65536,
+        128
+    );
+
+    byte[] original = "i am a test string".getBytes(StandardCharsets.UTF_8);
+
+    byte[] decrypted = cryptoService.decrypt(cryptoService.encrypt(original));
+
+    Assert.assertArrayEquals(original, decrypted);
+  }
+
+  @Test
+  public void testInvalidParamsConstructorFailure()
+  {
+    try {
+      new CryptoService(
+          "random-passphrase",
+          "ABCD",
+          "EFGH",
+          "PAXXDDING",
+          "QWERTY",
+          8,
+          65536,
+          128
+      );
+      Assert.fail("Must Fail!!!");
+    }
+    catch (RuntimeException ex) {
+      // expected
+    }
+  }
+}

distribution/bin/check-licenses.py

@@ -250,6 +250,7 @@ def build_compatible_license_names():
     compatible_licenses['CDDL/GPLv2+CE'] = 'CDDL 1.1'
     compatible_licenses['CDDL + GPLv2 with classpath exception'] = 'CDDL 1.1'
     compatible_licenses['CDDL License'] = 'CDDL 1.1'
+    compatible_licenses['COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0'] = 'CDDL 1.0'
 
     compatible_licenses['Eclipse Public License 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['The Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'

distribution/pom.xml

@@ -240,6 +240,8 @@
                                         <argument>org.apache.druid.extensions:simple-client-sslcontext</argument>
                                         <argument>-c</argument>
                                         <argument>org.apache.druid.extensions:druid-basic-security</argument>
+                                        <argument>-c</argument>
+                                        <argument>org.apache.druid.extensions:druid-pac4j</argument>
                                         <argument>${druid.distribution.pulldeps.opts}</argument>
                                     </arguments>
                                 </configuration>

docs/development/extensions-core/druid-pac4j.md

@@ -0,0 +1,45 @@
+---
+id: druid-pac4j
+title: "Druid pac4j based Security extension"
+---
+
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+
+Apache Druid Extension to enable [OpenID Connect](https://openid.net/connect/) based Authentication for Druid Processes using [pac4j](https://github.com/pac4j/pac4j) as the underlying client library.
+This can be used  with any authentication server that supports same e.g. [Okta](https://developer.okta.com/).
+This extension should only be used at the router node to enable a group of users in existing authentication server to interact with Druid cluster, using the [Web Console](../../operations/druid-console.html). This extension does not support JDBC client authentication.
+
+## Configuration
+
+### Creating an Authenticator
+```
+druid.auth.authenticatorChain=["pac4j"]
+druid.auth.authenticator.pac4j.type=pac4j
+```
+
+### Properties
+|Property|Description|Default|required|
+|--------|---------------|-----------|-------|--------|
+|`druid.auth.pac4j.oidc.clientID`|OAuth Client Application id.|none|Yes|
+|`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
+|`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata [see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
+|`druid.auth.pac4j.oidc.cookiePassphrase`|passphrase for encrypting the cookies used to manage authentication session with browser. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
+

docs/development/extensions.md

@@ -60,6 +60,7 @@ Core extensions are maintained by Druid committers.
 |mysql-metadata-storage|MySQL metadata store.|[link](../development/extensions-core/mysql.md)|
 |postgresql-metadata-storage|PostgreSQL metadata store.|[link](../development/extensions-core/postgresql.md)|
 |simple-client-sslcontext|Simple SSLContext provider module to be used by Druid's internal HttpClient when talking to other Druid processes over HTTPS.|[link](../development/extensions-core/simple-client-sslcontext.md)|
+|druid-pac4j|OpenID Connect authentication for druid processes.|[link](../development/extensions-core/druid-pac4j.md)|
 
 ## Community extensions