Example 91 with Subject

use of ddf.security.Subject in project ddf by codice.

From class SecurityPluginTest, method testNominalCaseCreateWithNonResourceMetacard:

@Test
public void testNominalCaseCreateWithNonResourceMetacard() throws Exception {
    // Bind a mock Subject to the current thread, as the framework does after authentication
    Subject mockSubject = setupMockSubject();
    ThreadContext.bind(mockSubject);
    // A metacard tagged "workspace" is not a resource metacard
    MetacardImpl metacardWithTags = new MetacardImpl();
    Set<String> setOfTags = new HashSet<String>();
    setOfTags.add("workspace");
    metacardWithTags.setTags(setOfTags);
    CreateRequest request = new CreateRequestImpl(metacardWithTags);
    SecurityPlugin plugin = new SecurityPlugin();
    request = plugin.processPreCreate(request);
    // The plugin attaches the thread-bound Subject to the request
    assertThat(request.getPropertyValue(SecurityConstants.SECURITY_SUBJECT), equalTo(mockSubject));
    assertThat(request.getMetacards().size(), is(1));
    // Non-resource metacards do not get a point of contact assigned
    assertThat(request.getMetacards().get(0).getAttribute(Metacard.POINT_OF_CONTACT), is(nullValue()));
}
Also used : CreateRequest(ddf.catalog.operation.CreateRequest) CreateRequestImpl(ddf.catalog.operation.impl.CreateRequestImpl) XSString(org.opensaml.core.xml.schema.XSString) Subject(ddf.security.Subject) MetacardImpl(ddf.catalog.data.impl.MetacardImpl) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 92 with Subject

use of ddf.security.Subject in project ddf by codice.

From class TestPepInterceptorActions, method testMessageWithDefaultUrlAction:

@Test
public void testMessageWithDefaultUrlAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    // No SOAP action is present (see getExtensor below), so the action URI is
    // derived from the WSDL port and operation names
    QName op = new QName("http://catalog/query/", "Search", "ns1");
    QName port = new QName("http://catalog/query/", "QueryPort", "ns1");
    when(messageWithAction.get(MessageContext.WSDL_OPERATION)).thenReturn(op);
    when(messageWithAction.get(MessageContext.WSDL_PORT)).thenReturn(port);
    Exchange mockExchange = mock(Exchange.class);
    BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
    when(messageWithAction.getExchange()).thenReturn(mockExchange);
    when(mockExchange.get(BindingOperationInfo.class)).thenReturn(mockBOI);
    when(mockBOI.getExtensor(SoapOperationInfo.class)).thenReturn(null);
    doAnswer(new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("http://catalog/query/QueryPort/SearchRequest", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // This should work.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used : BindingOperationInfo(org.apache.cxf.service.model.BindingOperationInfo) SecurityManager(ddf.security.service.SecurityManager) Message(org.apache.cxf.message.Message) QName(javax.xml.namespace.QName) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Exchange(org.apache.cxf.message.Exchange) InvocationOnMock(org.mockito.invocation.InvocationOnMock) CollectionPermission(ddf.security.permission.CollectionPermission) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Example 93 with Subject

use of ddf.security.Subject in project ddf by codice.

From class TestPepInterceptorActions, method testMessageWithOperationAction:

@Test
public void testMessageWithOperationAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    Exchange mockExchange = mock(Exchange.class);
    BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
    SoapOperationInfo mockSOI = mock(SoapOperationInfo.class);
    when(messageWithAction.getExchange()).thenReturn(mockExchange);
    when(mockExchange.get(BindingOperationInfo.class)).thenReturn(mockBOI);
    when(mockBOI.getExtensor(SoapOperationInfo.class)).thenReturn(mockSOI);
    // An explicit SOAP action is present and is used verbatim as the permission action
    when(mockSOI.getAction()).thenReturn("urn:catalog:query:query-port:search");
    doAnswer(new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:search", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // This should work.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used : BindingOperationInfo(org.apache.cxf.service.model.BindingOperationInfo) SecurityManager(ddf.security.service.SecurityManager) Message(org.apache.cxf.message.Message) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Exchange(org.apache.cxf.message.Exchange) InvocationOnMock(org.mockito.invocation.InvocationOnMock) SoapOperationInfo(org.apache.cxf.binding.soap.model.SoapOperationInfo) CollectionPermission(ddf.security.permission.CollectionPermission) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Example 94 with Subject

use of ddf.security.Subject in project ddf by codice.

From class PEPAuthorizingInterceptor, method handleMessage:

/**
 * Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next
 * interceptor - the interceptor chain will take care of this.
 *
 * @param message
 */
@Override
public void handleMessage(Message message) throws Fault {
    if (message != null) {
        // grab the SAML assertion associated with this Message from the
        // token store
        SecurityAssertion assertion = SecurityAssertionStore.getSecurityAssertion(message);
        boolean isPermitted = false;
        if ((assertion != null) && (assertion.getSecurityToken() != null)) {
            Subject user = null;
            CollectionPermission action = null;
            String actionURI = getActionUri(message);
            try {
                user = securityManager.getSubject(assertion.getSecurityToken());
                if (user == null) {
                    throw new AccessDeniedException("Unauthorized");
                }
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace(format(assertion.getSecurityToken().getToken()));
                }
                LOGGER.debug("Is user authenticated: {}", user.isAuthenticated());
                LOGGER.debug("Checking for permission");
                SecurityLogger.audit("Is Subject authenticated? " + user.isAuthenticated(), user);
                if (StringUtils.isEmpty(actionURI)) {
                    SecurityLogger.audit("Denying access to Subject for unknown action.", user);
                    throw new AccessDeniedException("Unauthorized");
                }
                action = new KeyValueCollectionPermission(actionURI);
                LOGGER.debug("Permission: {}", action);
                isPermitted = user.isPermitted(action);
                LOGGER.debug("Result of permission: {}", isPermitted);
                SecurityLogger.audit("Is Subject  permitted? " + isPermitted, user);
                // store the subject so the DDF framework can use it later
                ThreadContext.bind(user);
                message.put(SecurityConstants.SAML_ASSERTION, user);
                LOGGER.debug("Added assertion information to message at key {}", SecurityConstants.SAML_ASSERTION);
            } catch (SecurityServiceException e) {
                SecurityLogger.audit("Denying access : Caught exception when trying to authenticate user for service [" + actionURI + "]", e);
                throw new AccessDeniedException("Unauthorized");
            }
            if (!isPermitted) {
                SecurityLogger.audit("Denying access to Subject for service: " + action.getAction(), user);
                throw new AccessDeniedException("Unauthorized");
            }
        } else {
            SecurityLogger.audit("Unable to retrieve the security assertion associated with the web service call.");
            throw new AccessDeniedException("Unauthorized");
        }
    } else {
        SecurityLogger.audit("Unable to retrieve the current message associated with the web service call.");
        throw new AccessDeniedException("Unauthorized");
    }
}
Also used : AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) SecurityServiceException(ddf.security.service.SecurityServiceException) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject)
