Add user mapping to insecure authenticator

presto-docs/src/main/sphinx/security/user-mapping.rst

@@ -26,6 +26,7 @@ Username and Password (file or LDAP)  ``http-server.authentication.password.user
 Kerberos                              ``http-server.authentication.krb5.user-mapping.pattern``
 Certificate                           ``http-server.authentication.certificate.user-mapping.pattern``
 Json Web Token                        ``http-server.authentication.jwt.user-mapping.pattern``
+Insecure                              ``http-server.authentication.insecure.user-mapping.pattern``
 ===================================== ===============================================================
 
 File Mapping Rules
@@ -57,5 +58,6 @@ Username and password (file or LDAP)  ``http-server.authentication.password.user
 Kerberos                              ``http-server.authentication.krb5.user-mapping.file``
 Certificate                           ``http-server.authentication.certificate.user-mapping.file``
 Json Web Token                        ``http-server.authentication.jwt.user-mapping.file``
+Insecure                              ``http-server.authentication.insecure.user-mapping.file``
 ===================================== ===============================================================
 

presto-main/src/main/java/io/prestosql/server/security/AuthenticationFilter.java

@@ -41,14 +41,20 @@ public class AuthenticationFilter
     private final List<Authenticator> authenticators;
     private final InternalAuthenticationManager internalAuthenticationManager;
     private final boolean insecureAuthenticationOverHttpAllowed;
+    private final InsecureAuthenticator insecureAuthenticator;
 
     @Inject
-    public AuthenticationFilter(List<Authenticator> authenticators, InternalAuthenticationManager internalAuthenticationManager, SecurityConfig securityConfig)
+    public AuthenticationFilter(
+            List<Authenticator> authenticators,
+            InternalAuthenticationManager internalAuthenticationManager,
+            SecurityConfig securityConfig,
+            InsecureAuthenticator insecureAuthenticator)
     {
         this.authenticators = ImmutableList.copyOf(requireNonNull(authenticators, "authenticators is null"));
         checkArgument(!authenticators.isEmpty(), "authenticators is empty");
         this.internalAuthenticationManager = requireNonNull(internalAuthenticationManager, "internalAuthenticationManager is null");
         insecureAuthenticationOverHttpAllowed = requireNonNull(securityConfig, "securityConfig is null").isInsecureAuthenticationOverHttpAllowed();
+        this.insecureAuthenticator = requireNonNull(insecureAuthenticator, "insecureAuthenticator is null");
     }
 
     @Override
@@ -64,7 +70,7 @@ public void filter(ContainerRequestContext request)
             authenticators = this.authenticators;
         }
         else if (insecureAuthenticationOverHttpAllowed) {
-            authenticators = ImmutableList.of(new InsecureAuthenticator());
+            authenticators = ImmutableList.of(insecureAuthenticator);
         }
         else {
             throw new ForbiddenException("Authentication over HTTP is not enabled");

presto-main/src/main/java/io/prestosql/server/security/InsecureAuthenticator.java

@@ -16,17 +16,29 @@
 import io.prestosql.spi.security.BasicPrincipal;
 import io.prestosql.spi.security.Identity;
 
+import javax.inject.Inject;
 import javax.ws.rs.container.ContainerRequestContext;
 
 import java.util.Optional;
 
 import static com.google.common.base.Strings.emptyToNull;
 import static io.prestosql.client.PrestoHeaders.PRESTO_USER;
 import static io.prestosql.server.security.BasicAuthCredentials.extractBasicAuthCredentials;
+import static io.prestosql.server.security.UserMapping.createUserMapping;
+import static java.util.Objects.requireNonNull;
 
 public class InsecureAuthenticator
         implements Authenticator
 {
+    private final UserMapping userMapping;
+
+    @Inject
+    public InsecureAuthenticator(InsecureAuthenticatorConfig config)
+    {
+        requireNonNull(config, "config is null");
+        this.userMapping = createUserMapping(config.getUserMappingPattern(), config.getUserMappingFile());
+    }
+
     @Override
     public Identity authenticate(ContainerRequestContext request)
             throws AuthenticationException
@@ -48,8 +60,14 @@ public Identity authenticate(ContainerRequestContext request)
             throw new AuthenticationException("Basic authentication or " + PRESTO_USER + " must be sent", BasicAuthCredentials.AUTHENTICATE_HEADER);
         }
 
-        return Identity.forUser(user)
-                .withPrincipal(new BasicPrincipal(user))
-                .build();
+        try {
+            String authenticatedUser = userMapping.mapUser(user);
+            return Identity.forUser(authenticatedUser)
+                    .withPrincipal(new BasicPrincipal(user))
+                    .build();
+        }
+        catch (UserMappingException e) {
+            throw new AuthenticationException(e.getMessage());
+        }
     }
 }

presto-main/src/main/java/io/prestosql/server/security/InsecureAuthenticatorConfig.java

@@ -0,0 +1,50 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.prestosql.server.security;
+
+import io.airlift.configuration.Config;
+import io.airlift.configuration.validation.FileExists;
+
+import java.io.File;
+import java.util.Optional;
+
+public class InsecureAuthenticatorConfig
+{
+    private Optional<String> userMappingPattern = Optional.empty();
+    private Optional<File> userMappingFile = Optional.empty();
+
+    public Optional<String> getUserMappingPattern()
+    {
+        return userMappingPattern;
+    }
+
+    @Config("http-server.authentication.insecure.user-mapping.pattern")
+    public InsecureAuthenticatorConfig setUserMappingPattern(String userMappingPattern)
+    {
+        this.userMappingPattern = Optional.ofNullable(userMappingPattern);
+        return this;
+    }
+
+    public Optional<@FileExists File> getUserMappingFile()
+    {
+        return userMappingFile;
+    }
+
+    @Config("http-server.authentication.insecure.user-mapping.file")
+    public InsecureAuthenticatorConfig setUserMappingFile(File userMappingFile)
+    {
+        this.userMappingFile = Optional.ofNullable(userMappingFile);
+        return this;
+    }
+}

presto-main/src/main/java/io/prestosql/server/security/ServerSecurityModule.java

@@ -66,6 +66,8 @@ protected void setup(Binder binder)
         installAuthenticator("password", PasswordAuthenticator.class, PasswordAuthenticatorConfig.class);
         installAuthenticator("jwt", JsonWebTokenAuthenticator.class, JsonWebTokenConfig.class);
 
+        configBinder(binder).bindConfig(InsecureAuthenticatorConfig.class);
+        binder.bind(InsecureAuthenticator.class).in(Scopes.SINGLETON);
         install(authenticatorModule("insecure", InsecureAuthenticator.class, unused -> {}));
     }
 

presto-main/src/test/java/io/prestosql/server/security/TestInsecureAuthenticatorConfig.java

@@ -0,0 +1,55 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.prestosql.server.security;
+
+import com.google.common.collect.ImmutableMap;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Map;
+
+import static io.airlift.configuration.testing.ConfigAssertions.assertFullMapping;
+import static io.airlift.configuration.testing.ConfigAssertions.assertRecordedDefaults;
+import static io.airlift.configuration.testing.ConfigAssertions.recordDefaults;
+
+public class TestInsecureAuthenticatorConfig
+{
+    @Test
+    public void testDefaults()
+    {
+        assertRecordedDefaults(recordDefaults(InsecureAuthenticatorConfig.class)
+                .setUserMappingPattern(null)
+                .setUserMappingFile(null));
+    }
+
+    @Test
+    public void testExplicitPropertyMappings()
+            throws IOException
+    {
+        Path userMappingFile = Files.createTempFile(null, null);
+
+        Map<String, String> properties = new ImmutableMap.Builder<String, String>()
+                .put("http-server.authentication.insecure.user-mapping.pattern", "(.*)@something")
+                .put("http-server.authentication.insecure.user-mapping.file", userMappingFile.toString())
+                .build();
+
+        InsecureAuthenticatorConfig expected = new InsecureAuthenticatorConfig()
+                .setUserMappingPattern("(.*)@something")
+                .setUserMappingFile(userMappingFile.toFile());
+
+        assertFullMapping(properties, expected);
+    }
+}