Search in sources :

Example 1 with AttributeStatement

use of ddf.security.assertion.AttributeStatement in project ddf by codice.

the class SubjectUtilsTest method getSubjectWithAttributes.

private ddf.security.Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
    ddf.security.Subject subject = mock(ddf.security.Subject.class);
    PrincipalCollection principalCollection = mock(PrincipalCollection.class);
    SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
    AttributeStatement attributeStatement = mock(AttributeStatement.class);
    List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
    doReturn(principalCollection).when(subject).getPrincipals();
    doReturn(Collections.singletonList(securityAssertion)).when(principalCollection).byType(SecurityAssertion.class);
    doReturn(ImmutableList.of(securityAssertion)).when(principalCollection).byType(SecurityAssertion.class);
    doReturn(Collections.singletonList(attributeStatement)).when(securityAssertion).getAttributeStatements();
    doReturn(attrs).when(attributeStatement).getAttributes();
    return subject;
}
Also used : Attribute(ddf.security.assertion.Attribute) AttributeStatement(ddf.security.assertion.AttributeStatement) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion)

Example 2 with AttributeStatement

use of ddf.security.assertion.AttributeStatement in project ddf by codice.

the class AbstractAuthorizingRealm method doGetAuthorizationInfo.

/**
 * Takes the security attributes about the subject of the incoming security token and builds sets
 * of permissions and roles for use in further checking.
 *
 * @param principalCollection holds the security assertions for the primary principal of this
 *     request
 * @return a new collection of permissions and roles corresponding to the security assertions
 * @throws AuthorizationException if there are no security assertions associated with this
 *     principal collection or if the token cannot be processed successfully.
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    LOGGER.debug("Retrieving authorization info for {}", principalCollection.getPrimaryPrincipal());
    Collection<SecurityAssertion> assertions = principalCollection.byType(SecurityAssertion.class);
    if (assertions.isEmpty()) {
        String msg = "No assertion found, cannot retrieve authorization info.";
        throw new AuthorizationException(msg);
    }
    List<AttributeStatement> attributeStatements = assertions.stream().map(SecurityAssertion::getAttributeStatements).flatMap(List::stream).collect(Collectors.toList());
    Set<Permission> permissions = new HashSet<>();
    Set<String> roles = new HashSet<>();
    Map<String, Set<String>> permissionsMap = new HashMap<>();
    Collection<Expansion> expansionServices = getUserExpansionServices();
    for (AttributeStatement curStatement : attributeStatements) {
        addAttributesToMap(curStatement.getAttributes(), permissionsMap, expansionServices);
    }
    for (Map.Entry<String, Set<String>> entry : permissionsMap.entrySet()) {
        permissions.add(new KeyValuePermissionImpl(entry.getKey(), entry.getValue()));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding permission: {} : {}", entry.getKey(), StringUtils.join(entry.getValue(), ","));
        }
    }
    if (permissionsMap.containsKey(SAML_ROLE)) {
        roles.addAll(permissionsMap.get(SAML_ROLE));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding roles to authorization info: {}", StringUtils.join(roles, ","));
        }
    }
    info.setObjectPermissions(permissions);
    info.setRoles(roles);
    return info;
}
Also used : SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) HashSet(java.util.HashSet) Set(java.util.Set) AuthorizationException(org.apache.shiro.authz.AuthorizationException) HashMap(java.util.HashMap) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) SecurityAssertion(ddf.security.assertion.SecurityAssertion) AttributeStatement(ddf.security.assertion.AttributeStatement) KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) Expansion(ddf.security.expansion.Expansion) HashMap(java.util.HashMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashSet(java.util.HashSet)

Example 3 with AttributeStatement

use of ddf.security.assertion.AttributeStatement in project ddf by codice.

the class SubjectIdentityTest method getSubjectWithAttributes.

private Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
    Subject subject = mock(Subject.class);
    PrincipalCollection pc = mock(PrincipalCollection.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    AttributeStatement as = mock(AttributeStatement.class);
    List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
    doReturn(pc).when(subject).getPrincipals();
    doReturn(Collections.singletonList(assertion)).when(pc).byType(SecurityAssertion.class);
    doReturn(ImmutableList.of(assertion)).when(pc).byType(SecurityAssertion.class);
    doReturn(Collections.singletonList(as)).when(assertion).getAttributeStatements();
    doReturn(attrs).when(as).getAttributes();
    return subject;
}
Also used : Attribute(ddf.security.assertion.Attribute) AttributeStatement(ddf.security.assertion.AttributeStatement) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject)

Example 4 with AttributeStatement

use of ddf.security.assertion.AttributeStatement in project ddf by codice.

the class PKIRealm method createPrincipalCollectionFromCertificate.

private SimplePrincipalCollection createPrincipalCollectionFromCertificate(X500Principal principal) {
    SimplePrincipalCollection principals = new SimplePrincipalCollection();
    DefaultSecurityAssertionBuilder assertionBuilder = new DefaultSecurityAssertionBuilder();
    AttributeStatement attributeStatement = new AttributeStatementDefault();
    HashMap<String, Object> properties = createProperties(principal);
    for (ClaimsHandler claimsHandler : claimsHandlers) {
        ClaimsCollection claims = claimsHandler.retrieveClaims(new ClaimsParametersImpl(principal, Collections.singleton(principal), properties));
        mergeClaimsToAttributes(attributeStatement, claims);
    }
    final Instant now = Instant.now();
    SecurityAssertion assertion = assertionBuilder.addAttributeStatement(attributeStatement).userPrincipal(principal).weight(SecurityAssertion.LOCAL_AUTH_WEIGHT).issuer("DDF").notBefore(Date.from(now)).notOnOrAfter(Date.from(now.plus(fourHours))).tokenType(PKI_TOKEN_TYPE).build();
    principals.add(assertion, "PKI");
    return principals;
}
Also used : ClaimsHandler(ddf.security.claims.ClaimsHandler) DefaultSecurityAssertionBuilder(ddf.security.assertion.impl.DefaultSecurityAssertionBuilder) ClaimsParametersImpl(ddf.security.claims.impl.ClaimsParametersImpl) AttributeStatement(ddf.security.assertion.AttributeStatement) AttributeStatementDefault(ddf.security.assertion.impl.AttributeStatementDefault) Instant(java.time.Instant) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) ClaimsCollection(ddf.security.claims.ClaimsCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion)

Example 5 with AttributeStatement

use of ddf.security.assertion.AttributeStatement in project ddf by codice.

the class UsernamePasswordRealm method createPrincipalCollectionFromSubject.

private SimplePrincipalCollection createPrincipalCollectionFromSubject(Subject subject) {
    SimplePrincipalCollection principals = new SimplePrincipalCollection();
    DefaultSecurityAssertionBuilder assertionBuilder = new DefaultSecurityAssertionBuilder();
    AttributeStatement attributeStatement = new AttributeStatementDefault();
    Principal userPrincipal = subject.getPrincipals().stream().filter(p -> p instanceof UserPrincipal).findFirst().orElseThrow(AuthenticationException::new);
    Set<Principal> rolePrincipals = subject.getPrincipals().stream().filter(p -> p instanceof RolePrincipal).collect(Collectors.toSet());
    for (ClaimsHandler claimsHandler : claimsHandlers) {
        ClaimsCollection claims = claimsHandler.retrieveClaims(new ClaimsParametersImpl(userPrincipal, rolePrincipals, new HashMap<>()));
        mergeClaimsToAttributes(attributeStatement, claims);
    }
    final Instant now = Instant.now();
    assertionBuilder.addAttributeStatement(attributeStatement).userPrincipal(userPrincipal).weight(SecurityAssertion.LOCAL_AUTH_WEIGHT).issuer("DDF").notBefore(Date.from(now)).notOnOrAfter(Date.from(now.plus(fourHours)));
    for (Principal principal : rolePrincipals) {
        assertionBuilder.addPrincipal(principal);
    }
    assertionBuilder.tokenType(USER_PASS_TOKEN_TYPE);
    SecurityAssertion assertion = assertionBuilder.build();
    principals.add(assertion, "UP");
    return principals;
}
Also used : LoginException(javax.security.auth.login.LoginException) NamePasswordCallbackHandler(org.apache.wss4j.common.NamePasswordCallbackHandler) Date(java.util.Date) LoggerFactory(org.slf4j.LoggerFactory) HashMap(java.util.HashMap) AuthenticationToken(org.apache.shiro.authc.AuthenticationToken) DefaultSecurityAssertionBuilder(ddf.security.assertion.impl.DefaultSecurityAssertionBuilder) AttributeStatement(ddf.security.assertion.AttributeStatement) LoginContext(javax.security.auth.login.LoginContext) ArrayList(java.util.ArrayList) JaasRealm(org.apache.karaf.jaas.config.JaasRealm) CallbackHandler(javax.security.auth.callback.CallbackHandler) Duration(java.time.Duration) AuthenticationTokenType(org.codice.ddf.security.handler.AuthenticationTokenType) Bundle(org.osgi.framework.Bundle) ClaimsHandler(ddf.security.claims.ClaimsHandler) ClaimsParametersImpl(ddf.security.claims.impl.ClaimsParametersImpl) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) ServiceReference(org.osgi.framework.ServiceReference) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) Claim(ddf.security.claims.Claim) SecurityAssertion(ddf.security.assertion.SecurityAssertion) AuthenticationInfo(org.apache.shiro.authc.AuthenticationInfo) Logger(org.slf4j.Logger) Attribute(ddf.security.assertion.Attribute) AttributeDefault(ddf.security.assertion.impl.AttributeDefault) Set(java.util.Set) Instant(java.time.Instant) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(javax.security.auth.Subject) SimpleAuthenticationInfo(org.apache.shiro.authc.SimpleAuthenticationInfo) ClaimsCollection(ddf.security.claims.ClaimsCollection) Base64(java.util.Base64) List(java.util.List) RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal) Principal(java.security.Principal) AuthenticationException(org.apache.shiro.authc.AuthenticationException) AttributeStatementDefault(ddf.security.assertion.impl.AttributeStatementDefault) AuthenticatingRealm(org.apache.shiro.realm.AuthenticatingRealm) BaseAuthenticationToken(org.codice.ddf.security.handler.BaseAuthenticationToken) FrameworkUtil(org.osgi.framework.FrameworkUtil) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) ClaimsHandler(ddf.security.claims.ClaimsHandler) DefaultSecurityAssertionBuilder(ddf.security.assertion.impl.DefaultSecurityAssertionBuilder) AuthenticationException(org.apache.shiro.authc.AuthenticationException) HashMap(java.util.HashMap) Instant(java.time.Instant) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) ClaimsParametersImpl(ddf.security.claims.impl.ClaimsParametersImpl) AttributeStatement(ddf.security.assertion.AttributeStatement) AttributeStatementDefault(ddf.security.assertion.impl.AttributeStatementDefault) ClaimsCollection(ddf.security.claims.ClaimsCollection) RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal) Principal(java.security.Principal)

Aggregations

AttributeStatement (ddf.security.assertion.AttributeStatement)13 Attribute (ddf.security.assertion.Attribute)10 SecurityAssertion (ddf.security.assertion.SecurityAssertion)9 Principal (java.security.Principal)4 SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)4 AuthenticationStatement (ddf.security.assertion.AuthenticationStatement)3 HashSet (java.util.HashSet)3 AuthenticationInfo (org.apache.shiro.authc.AuthenticationInfo)3 PrincipalCollection (org.apache.shiro.subject.PrincipalCollection)3 BaseAuthenticationToken (org.codice.ddf.security.handler.BaseAuthenticationToken)3 Subject (ddf.security.Subject)2 AttributeStatementDefault (ddf.security.assertion.impl.AttributeStatementDefault)2 DefaultSecurityAssertionBuilder (ddf.security.assertion.impl.DefaultSecurityAssertionBuilder)2 ClaimsCollection (ddf.security.claims.ClaimsCollection)2 ClaimsHandler (ddf.security.claims.ClaimsHandler)2 ClaimsParametersImpl (ddf.security.claims.impl.ClaimsParametersImpl)2 Instant (java.time.Instant)2 Date (java.util.Date)2 HashMap (java.util.HashMap)2 Set (java.util.Set)2