1 | /* |
2 | * Licensed to the Apache Software Foundation (ASF) under one or more | |
3 | * contributor license agreements. See the NOTICE file distributed with | |
4 | * this work for additional information regarding copyright ownership. | |
5 | * The ASF licenses this file to You under the Apache License, Version 2.0 | |
6 | * (the "License"); you may not use this file except in compliance with | |
7 | * the License. You may obtain a copy of the License at | |
8 | * | |
9 | * http://www.apache.org/licenses/LICENSE-2.0 | |
10 | * | |
11 | * Unless required by applicable law or agreed to in writing, software | |
12 | * distributed under the License is distributed on an "AS IS" BASIS, | |
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
14 | * See the License for the specific language governing permissions and | |
15 | * limitations under the License. | |
16 | */ | |
17 | ||
18 | package org.apache.arrow.flight.auth2; | |
19 | ||
20 | import org.apache.arrow.flight.CallHeaders; | |
21 | import org.apache.arrow.flight.FlightRuntimeException; | |
22 | ||
23 | /** | |
24 | * Interface for Server side authentication handlers. | |
25 | * | |
26 | * A CallHeaderAuthenticator is used by {@link ServerCallHeaderAuthMiddleware} to validate headers sent by a Flight | |
27 | * client for authentication purposes. The headers validated do not necessarily have to be Authorization headers. | |
28 | * | |
29 | * The workflow is that the FlightServer will intercept headers on a request, validate the headers, and | |
30 | * either send back an UNAUTHENTICATED error, or succeed and potentially send back additional headers to the client. | |
31 | * | |
32 | * Implementations of CallHeaderAuthenticator should take care not to leak confidential details (such as | |
33 | * indicating if usernames are valid or not) for security reasons when reporting errors back to clients. | |
34 | * | |
35 | * Example CallHeaderAuthenticators provided include: | |
36 | * The {@link BasicCallHeaderAuthenticator} will authenticate basic HTTP credentials. | |
37 | * | |
38 | * The {@link BearerTokenAuthenticator} will authenticate basic HTTP credentials initially, then also send back a | |
39 | * bearer token that the client can use for subsequent requests. The {@link GeneratedBearerTokenAuthenticator} will | |
40 | * provide internally generated bearer tokens and maintain a cache of them. | |
41 | */ | |
public interface CallHeaderAuthenticator {

  /**
   * Outcome of the header validation performed by a {@link CallHeaderAuthenticator}.
   *
   * <p>Carries the identity established for the caller and, optionally, headers that should
   * accompany the response sent back to the client.
   */
  interface AuthResult {
    /**
     * Returns the peer identity established from the credentials the client supplied.
     *
     * @return the peer identity.
     */
    String getPeerIdentity();

    /**
     * Adds response headers destined for the client.
     *
     * <p>The default implementation adds nothing; implementations that need to send headers
     * back (for example a token) override it.
     *
     * @param outgoingHeaders the headers that will be returned to the client.
     */
    default void appendToOutgoingHeaders(CallHeaders outgoingHeaders) {
      // Nothing to append by default.
    }
  }

  /**
   * Validates the authentication headers of an incoming call.
   *
   * @param incomingHeaders the headers received from the client.
   * @return the established peer identity together with any headers to return to the client
   *     (for example a bearer token).
   * @throws FlightRuntimeException with {@code CallStatus.UNAUTHENTICATED} when credentials are
   *     missing or not valid.
   */
  AuthResult authenticate(CallHeaders incomingHeaders);

  /**
   * Authenticator that accepts every call without inspecting the headers.
   *
   * <p>The returned result reports the empty string as peer identity and appends no outgoing
   * headers. Because any caller is granted access, it only fits deployments where
   * authentication is deliberately disabled (for example tests).
   */
  CallHeaderAuthenticator NO_OP = incomingHeaders -> () -> "";
}