Include WWW-Authenticate header with auth failure (AthenZ#590)

Author: havetisyan

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/Authority.java

@@ -56,6 +56,15 @@ default CredSource getCredSource() {
      */
     String getHeader();
 
+    /**
+     * @return the string to be returned as the value for WWW-Authenticate header:
+     *        WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge
+     * in case all authorities fail to authenticate a request.
+     */
+    default String getAuthenticateChallenge() {
+        return null;
+    }
+
     /**
      * @return a boolean flag indicating whether or not authenticated principals
      * by this authority are allowed to be "authorized" to make changes. If this

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/CertificateAuthority.java

@@ -32,8 +32,9 @@
 public class CertificateAuthority implements Authority {
 
     private static final Logger LOG = LoggerFactory.getLogger(CertificateAuthority.class);
-    private static final String ATHENZ_PROP_EXCLUDED_PRINCIPALS = "athenz.auth.certificate.excluded_principals";
 
+    private static final String ATHENZ_PROP_EXCLUDED_PRINCIPALS = "athenz.auth.certificate.excluded_principals";
+    private static final String ATHENZ_AUTH_CHALLENGE = "AthenzX509Certificate realm=\"athenz\"";
     private Set<String> excludedPrincipalSet = null;
 
     @Override
@@ -55,6 +56,11 @@ public String getHeader() {
         return null;
     }
 
+    @Override
+    public String getAuthenticateChallenge() {
+        return ATHENZ_AUTH_CHALLENGE;
+    }
+
     @Override
     public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
         return null;

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/KerberosAuthority.java

@@ -41,10 +41,11 @@ public class KerberosAuthority implements Authority {
 
     private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthority.class);
 
-    static final String KRB_AUTH_HEADER  = "Authorization";
-    static final String KRB_PROP_SVCPRPL = "athenz.auth.kerberos.service_principal";
-    static final String KRB_PROP_KEYTAB  = "athenz.auth.kerberos.keytab_location";
-    static final String KRB_PROP_DEBUG   = "athenz.auth.kerberos.debug";
+    static final String KRB_AUTH_HEADER    = "Authorization";
+    static final String KRB_AUTH_CHALLENGE = "Negotiate";
+    static final String KRB_PROP_SVCPRPL   = "athenz.auth.kerberos.service_principal";
+    static final String KRB_PROP_KEYTAB    = "athenz.auth.kerberos.keytab_location";
+    static final String KRB_PROP_DEBUG     = "athenz.auth.kerberos.debug";
 
     // This is used if there is a jaas.conf. The jaas.conf path is specified by the system property 
     // java.security.auth.login.config
@@ -229,6 +230,11 @@ public String getHeader() {
         return KRB_AUTH_HEADER;
     }
 
+    @Override
+     public String getAuthenticateChallenge() {
+        return KRB_AUTH_CHALLENGE;
+    }
+
     /**
      * Verify the credentials and if valid return the corresponding Principal, null otherwise.
      * @param creds the credentials (i.e. cookie, token, secret) that will identify the principal.

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/PrincipalAuthority.java

@@ -39,6 +39,7 @@ public class PrincipalAuthority implements Authority, AuthorityKeyStore {
     private static final String ATHENZ_PROP_USER_DOMAIN = "athenz.user_domain";
 
     public static final String HTTP_HEADER = "Athenz-Principal-Auth";
+    public static final String ATHENZ_AUTH_CHALLENGE = "AthenzPrincipalToken realm=\"athenz\"";
     public static final String ATHENZ_PROP_PRINCIPAL_HEADER = "athenz.auth.principal.header";
 
     private static final Logger LOG = LoggerFactory.getLogger(PrincipalAuthority.class);
@@ -83,6 +84,11 @@ public String getHeader() {
         return headerName;
     }
 
+    @Override
+    public String getAuthenticateChallenge() {
+        return ATHENZ_AUTH_CHALLENGE;
+    }
+
     @Override
     public Principal authenticate(String signedToken, String remoteAddr, String httpMethod,
             StringBuilder errMsg) {
@@ -167,11 +173,6 @@ public Principal authenticate(String signedToken, String remoteAddr, String http
 
         SimplePrincipal princ = (SimplePrincipal) SimplePrincipal.create(tokenDomain,
                 tokenName, signedToken, serviceToken.getTimestamp(), this);
-        if (princ == null) {
-            errMsg.append("PrincipalAuthority:authenticate: Unable to create principal");
-            LOG.error(errMsg.toString());
-            return null;
-        }
         princ.setUnsignedCreds(serviceToken.getUnsignedToken());
         princ.setAuthorizedService(authorizedServiceName);
         princ.setOriginalRequestor(serviceToken.getOriginalRequestor());

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/RoleAuthority.java

@@ -37,6 +37,7 @@ public class RoleAuthority implements Authority, AuthorityKeyStore {
     static final String ATHENZ_PROP_USER_DOMAIN = "athenz.user_domain";
 
     public static final String HTTP_HEADER = "Athenz-Role-Auth";
+    public static final String ATHENZ_AUTH_CHALLENGE = "AthenzRoleToken realm=\"athenz\"";
     public static final String ATHENZ_PROP_ROLE_HEADER = "athenz.auth.role.header";
 
     private int allowedOffset;
@@ -71,6 +72,11 @@ public String getHeader() {
         return headerName;
     }
 
+    @Override
+    public String getAuthenticateChallenge() {
+        return ATHENZ_AUTH_CHALLENGE;
+    }
+
     @Override
     public Principal authenticate(String signedToken, String remoteAddr, String httpMethod, StringBuilder errMsg) {
 
@@ -133,12 +139,11 @@ public Principal authenticate(String signedToken, String remoteAddr, String http
 
         // all the role members in Athenz are normalized to lower case so we need to make
         // sure our principal's name and domain are created with lower case as well
+        // we have verified that our token already includes valid roles
 
         SimplePrincipal princ = (SimplePrincipal) SimplePrincipal.create(roleToken.getDomain().toLowerCase(),
                 signedToken, roleToken.getRoles(), this);
-        if (princ != null) {
-            princ.setUnsignedCreds(roleToken.getUnsignedToken());
-        }
+        princ.setUnsignedCreds(roleToken.getUnsignedToken());
         return princ;
     }
 

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/SimpleServiceIdentityProvider.java

@@ -114,9 +114,7 @@ public Principal getIdentity(String domainName, String serviceName) {
         SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domainName,
                 serviceName, token.getSignedToken(), System.currentTimeMillis() / 1000,
                 authority);
-        if (principal != null) {
-            principal.setUnsignedCreds(token.getUnsignedToken());
-        }
+        principal.setUnsignedCreds(token.getUnsignedToken());
         return principal;
     }
 

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/UserAuthority.java

@@ -35,6 +35,7 @@ public class UserAuthority implements Authority {
 
     private static final Logger LOG = LoggerFactory.getLogger(UserAuthority.class);
     static final String ATHENZ_PROP_PAM_SERVICE_NAME = "athenz.auth.user.pam_service_name";
+    public static final String ATHENZ_AUTH_CHALLENGE = "Basic realm=\"athenz\"";
 
     String serviceName;
     private PAM pam = null;
@@ -57,6 +58,11 @@ public String getHeader() {
         return "Authorization";
     }
 
+    @Override
+    public String getAuthenticateChallenge() {
+        return ATHENZ_AUTH_CHALLENGE;
+    }
+
     /*
      * we don't want the user to keep specifying their username and
      * password as part of the request. instead, the user must first

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/token/KerberosToken.java

@@ -86,8 +86,8 @@ public boolean validate(Subject serviceSubject, StringBuilder errMsg) {
                 }
                 userName = userName.substring(0, index);
             }
-
             return true;
+
         } catch (PrivilegedActionException paexc) {
             if (errMsg == null) {
                 errMsg = new StringBuilder(512);

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/CertificateAuthorityTest.java

@@ -110,4 +110,10 @@ public void testAuthenciateInvalidArray() {
         principal = authority.authenticate(certs, errMsg);
         assertNull(principal);
     }
+
+    @Test
+    public void testGetAuthenticateChallenge() {
+        CertificateAuthority authority = new CertificateAuthority();
+        assertEquals(authority.getAuthenticateChallenge(), "AthenzX509Certificate realm=\"athenz\"");
+    }
 }

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/KerberosAuthorityTest.java

@@ -366,4 +366,10 @@ public void testIsTargetPrincipalIlligal() {
 
         assertFalse(check.isTargetPrincipal(null,null));
     }
+
+    @Test
+    public void testGetAuthenticateChallenge() {
+        KerberosAuthority krbAuthority  = new KerberosAuthority();
+        assertEquals(krbAuthority.getAuthenticateChallenge(), "Negotiate");
+    }
 }

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/PrincipalAuthorityTest.java

@@ -592,4 +592,10 @@ public void testPrincipalAuthorityAuthenticateIlligal() throws CryptoException {
         Principal check = serviceAuthority.authenticate(t, "10", "10", null);
         assertNull(check);
     }
+
+    @Test
+    public void testGetAuthenticateChallenge() {
+        PrincipalAuthority serviceAuthority = new PrincipalAuthority();
+        assertEquals(serviceAuthority.getAuthenticateChallenge(), "AthenzPrincipalToken realm=\"athenz\"");
+    }
 }

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/RoleAuthorityTest.java

@@ -393,4 +393,10 @@ public void testInitialize() throws NoSuchFieldException, SecurityException,
         assertEquals(m,300);
         assertEquals(roleAuthority.userDomain,"user");
     }
+
+    @Test
+    public void testGetAuthenticateChallenge() {
+        RoleAuthority roleAuthority = new RoleAuthority();
+        assertEquals(roleAuthority.getAuthenticateChallenge(), "AthenzRoleToken realm=\"athenz\"");
+    }
 }

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/SimpleServiceIdentityProviderTest.java

@@ -120,9 +120,10 @@ public void testConstructorWithAuthority() {
         assertEquals(provider.getAuthority(), authority);
 
         SimpleServiceIdentityProvider provider2 = new SimpleServiceIdentityProvider("coretech",
-                "athenz", key, "1", 3600);
+                "athenz", key, "1", 3900);
         assertNotEquals(provider2.getAuthority(), authority);
         provider2.setAuthority(authority);
+        provider2.setTokenTimeout(3600);
         assertEquals(provider2.getAuthority(), authority);
     }
 }

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/UserAuthorityTest.java

@@ -83,4 +83,10 @@ public void testAuthenticateException() throws PAMException {
         principal = userAuthority.authenticate("Basic ", "10.72.118.45", "GET", null);
         assertNull(principal);
     }
+
+    @Test
+    public void testGetAuthenticateChallenge() {
+        UserAuthority userAuthority = new UserAuthority();
+        assertEquals(userAuthority.getAuthenticateChallenge(), "Basic realm=\"athenz\"");
+    }
 }

libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/rest/Http.java

@@ -15,9 +15,11 @@
  */
 package com.yahoo.athenz.common.server.rest;
 
+import java.util.HashSet;
 import java.util.List;
 import java.util.ArrayList;
 import java.security.cert.X509Certificate;
+import java.util.Set;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -33,9 +35,11 @@ public class Http {
 
     private static final Logger LOG = LoggerFactory.getLogger(Http.class);
 
+    public static final String WWW_AUTHENTICATE  = "WWW-Authenticate";
     public static final String INVALID_CRED_ATTR = "com.yahoo.athenz.auth.credential.error";
+    public static final String AUTH_CHALLENGES   = "com.yahoo.athenz.auth.credential.challenges";
     public static final String JAVAX_CERT_ATTR   = "javax.servlet.request.X509Certificate";
-    
+
     public static class AuthorityList {
         List<Authority> authorities;
 
@@ -66,7 +70,7 @@ static String getCookieValue(HttpServletRequest hreq, String name) {
         return null;
     }
 
-    private static String authenticatingCredentials(HttpServletRequest request,
+    static String authenticatingCredentials(HttpServletRequest request,
             Authority authority) {
         final String header = authority.getHeader();
         if (header == null) {
@@ -91,12 +95,14 @@ public static Principal authenticate(HttpServletRequest request,
         }
 
         StringBuilder authErrMsg = new StringBuilder(512);
+        Set<String> authChallenges = null;
         for (Authority authority : authorities.authorities) {
             Principal principal = null;
             StringBuilder errMsg = new StringBuilder(512);
             switch (authority.getCredSource()) {
             case HEADER:
                 String creds = authenticatingCredentials(request, authority);
+
                 if (creds != null) {
                     principal = authority.authenticate(creds, ServletRequestUtil.getRemoteAddress(request),
                             request.getMethod(), errMsg);
@@ -119,7 +125,15 @@ public static Principal authenticate(HttpServletRequest request,
             if (principal != null) {
                 return principal;
             }
-            
+
+            final String challenge = authority.getAuthenticateChallenge();
+            if (challenge != null) {
+                if (authChallenges == null) {
+                    authChallenges = new HashSet<>();
+                }
+                authChallenges.add(challenge);
+            }
+
             // otherwise if we have a specific error message from an authority
             // then we'll keep it in case all other authorities also fail and
             // we need to log the reason for failure
@@ -151,6 +165,14 @@ public static Principal authenticate(HttpServletRequest request,
             LOG.error("authenticate: No credentials provided");
         }
 
+        // if we have challenges specified, we're going to set it as a request
+        // attribute and let the caller decide if they want to add it to the
+        // response as a header in its context handler
+
+        if (authChallenges != null) {
+            request.setAttribute(AUTH_CHALLENGES,  String.join(", ", authChallenges));
+        }
+
         throw new ResourceException(ResourceException.UNAUTHORIZED, "Invalid credentials");
     }
 
@@ -165,9 +187,6 @@ public static String authorizedUser(HttpServletRequest request,
             String resource, String otherDomain) {
         Principal principal = authenticate(request, authorities);
         authorize(authorizer, principal, action, resource, otherDomain);
-        if (principal == null) {
-            return null;
-        }
         return principal.getFullName();
     }
 

libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/rest/ResourceContext.java

@@ -22,6 +22,7 @@
 import com.yahoo.athenz.auth.Principal;
 
 public class ResourceContext  {
+
     private final HttpServletRequest request;
     private final HttpServletResponse response;
     private final Http.AuthorityList authorities;
@@ -92,4 +93,28 @@ public void authorize(String action, String resource, String trustedDomain) {
         principal = authenticate();
         Http.authorize(authorizer, principal, action, resource, trustedDomain);
     }
+
+
+    /**
+     * If requested include the WWW-Authenticate challenge response
+     * header for this request. This is only done if the exception
+     * was thrown for invalid credentials.
+     * @param exc ResourceException that was thrown when calling authenticate
+     */
+    public void sendAuthenticateChallenges(ResourceException exc) {
+
+        // first check to see if this is an auth failure and if
+        // that's the case include the WWW-Authenticate challenge
+
+        if (exc.getCode() != ResourceException.UNAUTHORIZED) {
+            return;
+        }
+
+        Object authChallenges = request.getAttribute(Http.AUTH_CHALLENGES);
+        if (authChallenges == null) {
+            return;
+        }
+
+        response.addHeader(Http.WWW_AUTHENTICATE, authChallenges.toString());
+    }
 }