Atlas[Backend] Fix for improving logout mechanism in Atlas Backend code base

Author: aditya-gupta36

webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java

@@ -101,6 +101,14 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
     private boolean                     ssoEnabled;
     private JWSVerifier                 verifier;
 
+    public boolean isSsoEnabled() {
+        return ssoEnabled;
+    }
+
+    public void setSsoEnabled(boolean ssoEnabled) {
+        this.ssoEnabled = ssoEnabled;
+    }
+
     @Inject
     public AtlasKnoxSSOAuthenticationFilter(AtlasAuthenticationProvider authenticationProvider) {
         this.authenticationProvider = authenticationProvider;
@@ -163,16 +171,17 @@ public void init(FilterConfig filterConfig) throws ServletException {
      */
     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        setSsoEnabled(false);
         HttpServletResponse         httpResponse    = (HttpServletResponse) servletResponse;
         AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
 
         HeadersUtil.setSecurityHeaders(responseWrapper);
 
-        if (!ssoEnabled) {
-            filterChain.doFilter(servletRequest, servletResponse);
-
-            return;
-        }
+//        if (!ssoEnabled) {
+//            filterChain.doFilter(servletRequest, servletResponse);
+//
+//            return;
+//        }
 
         HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
 
@@ -187,11 +196,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
             return;
         }
 
-        if (jwtProperties == null || isAuthenticated()) {
-            filterChain.doFilter(servletRequest, servletResponse);
-
-            return;
-        }
+//        if (jwtProperties == null || isAuthenticated()) {
+//            filterChain.doFilter(servletRequest, servletResponse);
+//
+//            return;
+//        }
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("Knox ssoEnabled  {} {}", ssoEnabled, httpRequest.getRequestURI());
@@ -308,7 +317,7 @@ protected String getJWTFromCookie(HttpServletRequest req) {
             for (Cookie cookie : cookies) {
                 if (cookieName.equals(cookie.getName())) {
                     LOG.debug("{} cookie has been found and is being processed", cookieName);
-
+                    setSsoEnabled(true);
                     serializedJWT = cookie.getValue();
                     break;
                 }

webapp/src/main/java/org/apache/atlas/web/filters/RestUtil.java

@@ -30,7 +30,7 @@ public class RestUtil {
     private static final Logger LOG = LoggerFactory.getLogger(RestUtil.class);
 
     public static final  String TIMEOUT_ACTION = "timeout";
-    public static final  String LOGOUT_URL     = "/logout.html";
+    public static final String LOGOUT_URL = "/logout";
     public static final  String DELIMITTER     = "://";
 
     private static final String PROXY_ATLAS_URL_PATH = "/atlas";

webapp/src/main/java/org/apache/atlas/web/resources/AdminResource.java

@@ -76,6 +76,7 @@
 import org.apache.atlas.utils.AtlasJson;
 import org.apache.atlas.utils.AtlasPerfTracer;
 import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
+import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
 import org.apache.atlas.web.model.DebugMetrics;
 import org.apache.atlas.web.service.AtlasDebugMetricsSink;
 import org.apache.atlas.web.service.ServiceState;
@@ -192,6 +193,7 @@ public class AdminResource {
     private final boolean                    isUiTasksTabEnabled;
     private final AtlasAuditReductionService auditReductionService;
     private       Response                   version;
+    private AtlasKnoxSSOAuthenticationFilter atlasKnoxSSOAuthenticationFilter;
 
     @Context
     private HttpServletRequest httpServletRequest;
@@ -205,7 +207,7 @@ public AdminResource(ServiceState serviceState, MetricsService metricsService, A
             MigrationProgressService migrationProgressService, AtlasServerService serverService,
             ExportImportAuditService exportImportAuditService, AtlasEntityStore entityStore,
             AtlasPatchManager patchManager, AtlasAuditService auditService, EntityAuditRepository auditRepository,
-            TaskManagement taskManagement, AtlasDebugMetricsSink debugMetricsRESTSink, AtlasAuditReductionService atlasAuditReductionService, AtlasMetricsUtil atlasMetricsUtil) {
+            TaskManagement taskManagement, AtlasDebugMetricsSink debugMetricsRESTSink, AtlasAuditReductionService atlasAuditReductionService, AtlasMetricsUtil atlasMetricsUtil, AtlasKnoxSSOAuthenticationFilter atlasKnoxSSOAuthenticationFilter) {
         this.serviceState              = serviceState;
         this.metricsService            = metricsService;
         this.exportService             = exportService;
@@ -224,6 +226,7 @@ public AdminResource(ServiceState serviceState, MetricsService metricsService, A
         this.debugMetricsRESTSink      = debugMetricsRESTSink;
         this.auditReductionService     = atlasAuditReductionService;
         this.atlasMetricsUtil          = atlasMetricsUtil;
+        this.atlasKnoxSSOAuthenticationFilter = atlasKnoxSSOAuthenticationFilter;
 
         if (atlasProperties != null) {
             this.defaultUIVersion            = atlasProperties.getString(DEFAULT_UI_VERSION, UI_VERSION_V2);
@@ -1098,6 +1101,14 @@ public Response serviceReadiness() throws AtlasBaseException {
         }
     }
 
+    @GET
+    @Path("/checksso")
+    @Produces(MediaType.TEXT_PLAIN)
+    public String checkSSO() {
+        LOG.info("SSO Details: {}", atlasKnoxSSOAuthenticationFilter.isSsoEnabled());
+        return String.valueOf(atlasKnoxSSOAuthenticationFilter.isSsoEnabled());
+    }
+
     private void updateCriteriaWithDefaultValues(AuditReductionCriteria auditReductionCriteria) {
         if (auditReductionCriteria.getDefaultAgeoutTTLInDays() <= 0) {
             auditReductionCriteria.setDefaultAgeoutTTLInDays(AtlasConfiguration.ATLAS_AUDIT_DEFAULT_AGEOUT_TTL.getInt());

webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityCommonConfig.java

@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.atlas.web.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class AtlasSecurityCommonConfig {
+    @Bean
+    public ObjectMapper objectMapper() {
+        return new ObjectMapper();
+    }
+}

webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java

@@ -103,6 +103,7 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
     private final StaleTransactionCleanupFilter staleTransactionCleanupFilter;
     private final ActiveServerFilter            activeServerFilter;
     private final boolean                       keycloakEnabled;
+    private final CustomLogoutSuccessHandler        customLogoutSuccessHandler;
 
     @Value("${keycloak.configurationFile:WEB-INF/keycloak.json}")
     private Resource keycloakConfigFileResource;
@@ -120,7 +121,7 @@ public AtlasSecurityConfig(AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFil
             AtlasAuthenticationEntryPoint atlasAuthenticationEntryPoint,
             Configuration configuration,
             StaleTransactionCleanupFilter staleTransactionCleanupFilter,
-            ActiveServerFilter activeServerFilter) {
+            ActiveServerFilter activeServerFilter, CustomLogoutSuccessHandler customLogoutSuccessHandler) {
         this.ssoAuthenticationFilter       = ssoAuthenticationFilter;
         this.csrfPreventionFilter          = atlasCSRFPreventionFilter;
         this.atlasAuthenticationFilter     = atlasAuthenticationFilter;
@@ -131,6 +132,7 @@ public AtlasSecurityConfig(AtlasKnoxSSOAuthenticationFilter ssoAuthenticationFil
         this.configuration                 = configuration;
         this.staleTransactionCleanupFilter = staleTransactionCleanupFilter;
         this.activeServerFilter            = activeServerFilter;
+        this.customLogoutSuccessHandler    = customLogoutSuccessHandler;
 
         this.keycloakEnabled = configuration.getBoolean(AtlasAuthenticationProvider.KEYCLOAK_AUTH_METHOD, false);
     }
@@ -220,10 +222,10 @@ protected void configure(HttpSecurity httpSecurity) throws Exception {
                 .passwordParameter("j_password")
                 .and()
                 .logout()
-                .logoutSuccessUrl("/login.jsp")
+//                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
+                .logoutSuccessHandler(customLogoutSuccessHandler)
                 .deleteCookies("ATLASSESSIONID")
-                .logoutUrl("/logout.html");
-
+                .logoutUrl("/logout");
         //@formatter:on
 
         boolean configMigrationEnabled = !StringUtils.isEmpty(configuration.getString(ATLAS_MIGRATION_MODE_FILENAME));

webapp/src/main/java/org/apache/atlas/web/security/CustomLogoutSuccessHandler.java

@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.atlas.web.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+import org.springframework.stereotype.Component;
+
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+@Component
+public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler implements LogoutSuccessHandler {
+    private final ObjectMapper mapper;
+    private static final Logger LOG = LoggerFactory.getLogger(CustomLogoutSuccessHandler.class);
+
+    @Inject
+    public CustomLogoutSuccessHandler(ObjectMapper mapper) {
+        this.mapper = mapper;
+    }
+
+    @Override
+    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+        request.getServletContext().removeAttribute(request.getRequestedSessionId());
+        response.setContentType("application/json;charset=UTF-8");
+        response.setHeader("Cache-Control", "no-cache");
+        response.setHeader("X-Frame-Options", "DENY");
+
+        try {
+            Map<String, Object> responseMap = new HashMap<>();
+            responseMap.put("statusCode", HttpServletResponse.SC_OK);
+            responseMap.put("msgDesc", "Logout Successful");
+            String jsonStr = mapper.writeValueAsString(responseMap);
+
+            response.setStatus(HttpServletResponse.SC_OK);
+            response.getWriter().write(jsonStr);
+            LOG.info("Log-out Successfully done. Returning Json : " + jsonStr);
+        } catch (IOException e) {
+            LOG.info("Error while writing JSON in HttpServletResponse");
+        }
+    }
+}

webapp/src/test/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilterTest.java

@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.web.filters;
+
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+
+import java.io.IOException;
+import java.util.Arrays;
+
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertNotNull;
+import static org.testng.Assert.assertNull;
+import static org.testng.Assert.assertTrue;
+
+public class AtlasKnoxSSOAuthenticationFilterTest {
+    @Mock
+    private FilterChain filterChain;
+
+    @InjectMocks
+    private AtlasKnoxSSOAuthenticationFilter filter;
+
+    private MockHttpServletRequest request;
+    private MockHttpServletResponse response;
+    private MockHttpSession session;
+
+    @BeforeMethod
+    public void testSetup() {
+        MockitoAnnotations.openMocks(this);  // Required for @Mock
+
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+        session = new MockHttpSession();
+        request.setSession(session);
+
+        request.setRequestURI("/api/atlas/admin/checksso");
+        request.addHeader("User-Agent", "Chrome");
+    }
+
+    @Test
+    public void testDoFilter_withoutJwt_setsSsoDisabled() throws IOException, ServletException {
+        request.setCookies();  // clear cookies for this test
+        filter.doFilter(request, response, filterChain);
+
+        assertFalse(filter.isSsoEnabled());  // because no JWT
+        assertNull(filter.getJWTFromCookie(request));
+
+        Mockito.verify(filterChain).doFilter(request, response);
+    }
+
+    @Test
+    public void testDoFilter_withJwt_setsSsoEnabledTrue() throws IOException, ServletException {
+        request.setCookies(new Cookie("hadoop-jwt", "dummy-jwt-token"));
+        filter.doFilter(request, response, filterChain);
+
+        assertTrue(filter.isSsoEnabled());
+        assertNotNull(filter.getJWTFromCookie(request));
+        assertNotNull(request.getCookies());
+        assertTrue(Arrays.stream(request.getCookies()).anyMatch(cookie -> cookie.getValue().equals("dummy-jwt-token")));
+
+        Mockito.verify(filterChain).doFilter(request, response);
+    }
+}

webapp/src/test/java/org/apache/atlas/web/resources/AdminResourceTest.java

@@ -48,7 +48,7 @@ public void setup() {
     public void testStatusOfActiveServerIsReturned() throws IOException {
         when(serviceState.getState()).thenReturn(ServiceState.ServiceStateValue.ACTIVE);
 
-        AdminResource adminResource = new AdminResource(serviceState, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
+        AdminResource adminResource = new AdminResource(serviceState, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
         Response      response      = adminResource.getStatus();
 
         assertEquals(response.getStatus(), HttpServletResponse.SC_OK);
@@ -62,7 +62,7 @@ public void testStatusOfActiveServerIsReturned() throws IOException {
     public void testResourceGetsValueFromServiceState() throws IOException {
         when(serviceState.getState()).thenReturn(ServiceState.ServiceStateValue.PASSIVE);
 
-        AdminResource adminResource = new AdminResource(serviceState, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
+        AdminResource adminResource = new AdminResource(serviceState, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
         Response      response      = adminResource.getStatus();
 
         verify(serviceState).getState();