Upgrade pac4j extension

Author: ashibhardwaj

extensions-core/druid-pac4j/pom.xml

@@ -34,12 +34,12 @@
   </parent>
 
   <properties>
-    <pac4j.version>4.5.7</pac4j.version>
+    <pac4j.version>5.7.3</pac4j.version>
 
     <!-- Following must be updated along with any updates to pac4j version. One can find the compatible version of nimbus libraries in org.pac4j:pac4j-oidc dependencies-->
     <nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
-    <nimbus.jose.jwt.version>8.22.1</nimbus.jose.jwt.version>
-    <oauth2.oidc.sdk.version>8.22</oauth2.oidc.sdk.version>
+    <nimbus.jose.jwt.version>9.37.2</nimbus.jose.jwt.version>
+    <oauth2.oidc.sdk.version>10.8</oauth2.oidc.sdk.version>
   </properties>
 
   <dependencies>
@@ -73,6 +73,13 @@
       </exclusions>
     </dependency>
 
+    <!-- Add pac4j-javaee dependency for JEE components -->
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <artifactId>pac4j-javaee</artifactId>
+      <version>${pac4j.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>com.nimbusds</groupId>
       <artifactId>lang-tag</artifactId>

extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java

@@ -82,6 +82,7 @@ public Filter getFilter()
         name,
         authorizerName,
         pac4jConfigSupplier.get(),
+        Pac4jCallbackResource.SELF_URL,
         pac4jCommonConfig.getCookiePassphrase().getPassword()
     );
   }

extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java

@@ -19,19 +19,15 @@
 
 package org.apache.druid.security.pac4j;
 
-import com.google.common.collect.ImmutableMap;
 import org.apache.druid.java.util.common.logger.Logger;
 import org.apache.druid.server.security.AuthConfig;
 import org.apache.druid.server.security.AuthenticationResult;
 import org.pac4j.core.config.Config;
-import org.pac4j.core.context.JEEContext;
-import org.pac4j.core.context.session.SessionStore;
-import org.pac4j.core.engine.CallbackLogic;
 import org.pac4j.core.engine.DefaultCallbackLogic;
 import org.pac4j.core.engine.DefaultSecurityLogic;
-import org.pac4j.core.engine.SecurityLogic;
-import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
-import org.pac4j.core.profile.UserProfile;
+import org.pac4j.core.exception.http.HttpAction;
+import org.pac4j.jee.context.JEEContext;
+import org.pac4j.jee.http.adapter.JEEHttpActionAdapter;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -42,41 +38,40 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Collection;
 
 public class Pac4jFilter implements Filter
 {
   private static final Logger LOGGER = new Logger(Pac4jFilter.class);
 
   private final Config pac4jConfig;
-  private final SecurityLogic<Object, JEEContext> securityLogic;
-  private final CallbackLogic<Object, JEEContext> callbackLogic;
-  private final SessionStore<JEEContext> sessionStore;
-
+  private final Pac4jSessionStore sessionStore;
+  private final String callbackPath;
   private final String name;
   private final String authorizerName;
 
-  public Pac4jFilter(String name, String authorizerName, Config pac4jConfig, String cookiePassphrase)
+  public Pac4jFilter(
+          String name,
+          String authorizerName,
+          Config pac4jConfig,
+          String callbackPath,
+          String cookiePassphrase
+  )
   {
     this.pac4jConfig = pac4jConfig;
-    this.securityLogic = new DefaultSecurityLogic<>();
-    this.callbackLogic = new DefaultCallbackLogic<>();
-
+    this.callbackPath = callbackPath;
     this.name = name;
     this.authorizerName = authorizerName;
-
-    this.sessionStore = new Pac4jSessionStore<>(cookiePassphrase);
+    this.sessionStore = new Pac4jSessionStore(cookiePassphrase);
   }
 
   @Override
   public void init(FilterConfig filterConfig)
   {
   }
 
-
   @Override
   public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
-      throws IOException, ServletException
+          throws IOException, ServletException
   {
     // If there's already an auth result, then we have authenticated already, skip this or else caller
     // could get HTTP redirect even if one of the druid authenticators in chain has successfully authenticated.
@@ -85,38 +80,59 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
       return;
     }
 
-    HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
-    HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-    JEEContext context = new JEEContext(httpServletRequest, httpServletResponse, sessionStore);
+    HttpServletRequest request = (HttpServletRequest) servletRequest;
+    HttpServletResponse response = (HttpServletResponse) servletResponse;
+    JEEContext context = new JEEContext(request, response);
+
+    if (request.getRequestURI().equals(callbackPath)) {
+      DefaultCallbackLogic callbackLogic = new DefaultCallbackLogic();
+      String originalUrl = (String) request.getSession().getAttribute("pac4j.originalUrl");
+      String redirectUrl = originalUrl != null ? originalUrl : "/";
 
-    if (Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())) {
       callbackLogic.perform(
-          context,
-          pac4jConfig,
-          JEEHttpActionAdapter.INSTANCE,
-          "/",
-          true, false, false, null);
+              context,
+              sessionStore,
+              pac4jConfig,
+              JEEHttpActionAdapter.INSTANCE,
+              redirectUrl,                      // Redirect to original URL or root
+              null,
+              null
+      );
     } else {
-      UserProfile profile = (UserProfile) securityLogic.perform(
-          context,
-          pac4jConfig,
-          (JEEContext ctx, Collection<UserProfile> profiles, Object... parameters) -> {
-            if (profiles.isEmpty()) {
-              LOGGER.warn("No profiles found after OIDC auth.");
-              return null;
-            } else {
-              return profiles.iterator().next();
-            }
-          },
-          JEEHttpActionAdapter.INSTANCE,
-          null, "none", null, null);
-      // Changed the Authorizer from null to "none".
-      // In the older version, if it is null, it simply grant access and returns authorized.
-      // But in the newer pac4j version, it uses CsrfAuthorizer as default, And because of this, It was returning 403 in API calls.
-      if (profile != null && profile.getId() != null) {
-        AuthenticationResult authenticationResult = new AuthenticationResult(profile.getId(), authorizerName, name, ImmutableMap.of("profile", profile));
-        servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
-        filterChain.doFilter(servletRequest, servletResponse);
+      DefaultSecurityLogic securityLogic = new DefaultSecurityLogic();
+      try {
+        securityLogic.perform(
+                context,
+                sessionStore,
+                pac4jConfig,
+                (ctx, session, profiles, parameters) -> {
+                  try {
+                    // Extract user ID from pac4j profiles and create AuthenticationResult
+                    if (profiles != null && !profiles.isEmpty()) {
+                      String uid = profiles.iterator().next().getId();
+                      if (uid != null) {
+                        AuthenticationResult authenticationResult = new AuthenticationResult(uid, authorizerName, name, null);
+                        servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
+                        filterChain.doFilter(servletRequest, servletResponse);
+                      }
+                    } else {
+                      LOGGER.warn("No profiles found after OIDC auth.");
+                      // Don't continue the filter chain - let pac4j handle the authentication failure
+                    }
+                  }
+                  catch (IOException | ServletException e) {
+                    throw new RuntimeException(e);
+                  }
+                  return null;
+                },
+                JEEHttpActionAdapter.INSTANCE,
+                null,
+                "none",  // Use "none" instead of authorizerName to avoid CSRF issues
+                null
+        );
+      }
+      catch (HttpAction e) {
+        JEEHttpActionAdapter.INSTANCE.adapt(e, context);
       }
     }
   }
@@ -125,4 +141,4 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
   public void destroy()
   {
   }
-}
+}