use of ddf.security.assertion.AttributeStatement in project ddf by codice.
the class SubjectUtilsTest method getSubjectWithAttributes.
private ddf.security.Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
ddf.security.Subject subject = mock(ddf.security.Subject.class);
PrincipalCollection principalCollection = mock(PrincipalCollection.class);
SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
AttributeStatement attributeStatement = mock(AttributeStatement.class);
List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
doReturn(principalCollection).when(subject).getPrincipals();
doReturn(Collections.singletonList(securityAssertion)).when(principalCollection).byType(SecurityAssertion.class);
doReturn(ImmutableList.of(securityAssertion)).when(principalCollection).byType(SecurityAssertion.class);
doReturn(Collections.singletonList(attributeStatement)).when(securityAssertion).getAttributeStatements();
doReturn(attrs).when(attributeStatement).getAttributes();
return subject;
}
use of ddf.security.assertion.AttributeStatement in project ddf by codice.
the class AbstractAuthorizingRealm method doGetAuthorizationInfo.
/**
* Takes the security attributes about the subject of the incoming security token and builds sets
* of permissions and roles for use in further checking.
*
* @param principalCollection holds the security assertions for the primary principal of this
* request
* @return a new collection of permissions and roles corresponding to the security assertions
* @throws AuthorizationException if there are no security assertions associated with this
* principal collection or if the token cannot be processed successfully.
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
LOGGER.debug("Retrieving authorization info for {}", principalCollection.getPrimaryPrincipal());
Collection<SecurityAssertion> assertions = principalCollection.byType(SecurityAssertion.class);
if (assertions.isEmpty()) {
String msg = "No assertion found, cannot retrieve authorization info.";
throw new AuthorizationException(msg);
}
List<AttributeStatement> attributeStatements = assertions.stream().map(SecurityAssertion::getAttributeStatements).flatMap(List::stream).collect(Collectors.toList());
Set<Permission> permissions = new HashSet<>();
Set<String> roles = new HashSet<>();
Map<String, Set<String>> permissionsMap = new HashMap<>();
Collection<Expansion> expansionServices = getUserExpansionServices();
for (AttributeStatement curStatement : attributeStatements) {
addAttributesToMap(curStatement.getAttributes(), permissionsMap, expansionServices);
}
for (Map.Entry<String, Set<String>> entry : permissionsMap.entrySet()) {
permissions.add(new KeyValuePermissionImpl(entry.getKey(), entry.getValue()));
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Adding permission: {} : {}", entry.getKey(), StringUtils.join(entry.getValue(), ","));
}
}
if (permissionsMap.containsKey(SAML_ROLE)) {
roles.addAll(permissionsMap.get(SAML_ROLE));
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Adding roles to authorization info: {}", StringUtils.join(roles, ","));
}
}
info.setObjectPermissions(permissions);
info.setRoles(roles);
return info;
}
use of ddf.security.assertion.AttributeStatement in project ddf by codice.
the class SubjectIdentityTest method getSubjectWithAttributes.
private Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
Subject subject = mock(Subject.class);
PrincipalCollection pc = mock(PrincipalCollection.class);
SecurityAssertion assertion = mock(SecurityAssertion.class);
AttributeStatement as = mock(AttributeStatement.class);
List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
doReturn(pc).when(subject).getPrincipals();
doReturn(Collections.singletonList(assertion)).when(pc).byType(SecurityAssertion.class);
doReturn(ImmutableList.of(assertion)).when(pc).byType(SecurityAssertion.class);
doReturn(Collections.singletonList(as)).when(assertion).getAttributeStatements();
doReturn(attrs).when(as).getAttributes();
return subject;
}
use of ddf.security.assertion.AttributeStatement in project ddf by codice.
the class PKIRealm method createPrincipalCollectionFromCertificate.
private SimplePrincipalCollection createPrincipalCollectionFromCertificate(X500Principal principal) {
SimplePrincipalCollection principals = new SimplePrincipalCollection();
DefaultSecurityAssertionBuilder assertionBuilder = new DefaultSecurityAssertionBuilder();
AttributeStatement attributeStatement = new AttributeStatementDefault();
HashMap<String, Object> properties = createProperties(principal);
for (ClaimsHandler claimsHandler : claimsHandlers) {
ClaimsCollection claims = claimsHandler.retrieveClaims(new ClaimsParametersImpl(principal, Collections.singleton(principal), properties));
mergeClaimsToAttributes(attributeStatement, claims);
}
final Instant now = Instant.now();
SecurityAssertion assertion = assertionBuilder.addAttributeStatement(attributeStatement).userPrincipal(principal).weight(SecurityAssertion.LOCAL_AUTH_WEIGHT).issuer("DDF").notBefore(Date.from(now)).notOnOrAfter(Date.from(now.plus(fourHours))).tokenType(PKI_TOKEN_TYPE).build();
principals.add(assertion, "PKI");
return principals;
}
use of ddf.security.assertion.AttributeStatement in project ddf by codice.
the class UsernamePasswordRealm method createPrincipalCollectionFromSubject.
private SimplePrincipalCollection createPrincipalCollectionFromSubject(Subject subject) {
SimplePrincipalCollection principals = new SimplePrincipalCollection();
DefaultSecurityAssertionBuilder assertionBuilder = new DefaultSecurityAssertionBuilder();
AttributeStatement attributeStatement = new AttributeStatementDefault();
Principal userPrincipal = subject.getPrincipals().stream().filter(p -> p instanceof UserPrincipal).findFirst().orElseThrow(AuthenticationException::new);
Set<Principal> rolePrincipals = subject.getPrincipals().stream().filter(p -> p instanceof RolePrincipal).collect(Collectors.toSet());
for (ClaimsHandler claimsHandler : claimsHandlers) {
ClaimsCollection claims = claimsHandler.retrieveClaims(new ClaimsParametersImpl(userPrincipal, rolePrincipals, new HashMap<>()));
mergeClaimsToAttributes(attributeStatement, claims);
}
final Instant now = Instant.now();
assertionBuilder.addAttributeStatement(attributeStatement).userPrincipal(userPrincipal).weight(SecurityAssertion.LOCAL_AUTH_WEIGHT).issuer("DDF").notBefore(Date.from(now)).notOnOrAfter(Date.from(now.plus(fourHours)));
for (Principal principal : rolePrincipals) {
assertionBuilder.addPrincipal(principal);
}
assertionBuilder.tokenType(USER_PASS_TOKEN_TYPE);
SecurityAssertion assertion = assertionBuilder.build();
principals.add(assertion, "UP");
return principals;
}
Aggregations