Example 11 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in project ddf by codice.

Class AuthorizationFilterTest, method getMockContextPolicy:

private ContextPolicy getMockContextPolicy() {
    ContextPolicy contextPolicy = mock(ContextPolicy.class);
    when(contextPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("BASIC"));
    when(contextPolicy.getAllowedAttributePermissions()).thenReturn(new CollectionPermission(PATH, new KeyValuePermission(PATH, Collections.singleton("permission"))));
    when(contextPolicy.getContextPath()).thenReturn(PATH);
    when(contextPolicy.getRealm()).thenReturn("DDF");
    return contextPolicy;
}
Also used : CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) ContextPolicy(org.codice.ddf.security.policy.context.ContextPolicy)

Example 12 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in project ddf by codice.

Class AuthzRealmTest, method testBadPolicyExtension:

@Test
public void testBadPolicyExtension() {
    permissionList.clear();
    KeyValuePermission kvp = new KeyValuePermission("country", Arrays.asList("AUS", "CAN", "GBR"));
    permissionList.add(kvp);
    testRealm.addPolicyExtension(new PolicyExtension() {

        @Override
        public KeyValueCollectionPermission isPermittedMatchAll(CollectionPermission subjectAllCollection, KeyValueCollectionPermission matchAllCollection) {
            throw new NullPointerException();
        }

        @Override
        public KeyValueCollectionPermission isPermittedMatchOne(CollectionPermission subjectAllCollection, KeyValueCollectionPermission matchOneCollection) {
            throw new NullPointerException();
        }
    });
    boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
    for (boolean permitted : permittedArray) {
        Assert.assertEquals(true, permitted);
    }
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) PolicyExtension(ddf.security.policy.extension.PolicyExtension) KeyValuePermission(ddf.security.permission.KeyValuePermission) Test(org.junit.Test)

Example 13 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in project ddf by codice.

Class TestPepInterceptorActions, method testMessageWithDefaultUrlAction:

@Test
public void testMessageWithDefaultUrlAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    QName op = new QName("http://catalog/query/", "Search", "ns1");
    QName port = new QName("http://catalog/query/", "QueryPort", "ns1");
    when(messageWithAction.get(MessageContext.WSDL_OPERATION)).thenReturn(op);
    when(messageWithAction.get(MessageContext.WSDL_PORT)).thenReturn(port);
    Exchange mockExchange = mock(Exchange.class);
    BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
    when(messageWithAction.getExchange()).thenReturn(mockExchange);
    when(mockExchange.get(BindingOperationInfo.class)).thenReturn(mockBOI);
    when(mockBOI.getExtensor(SoapOperationInfo.class)).thenReturn(null);
    doAnswer(new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("http://catalog/query/QueryPort/SearchRequest", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // This should work.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used : BindingOperationInfo(org.apache.cxf.service.model.BindingOperationInfo) SecurityManager(ddf.security.service.SecurityManager) Message(org.apache.cxf.message.Message) QName(javax.xml.namespace.QName) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Exchange(org.apache.cxf.message.Exchange) InvocationOnMock(org.mockito.invocation.InvocationOnMock) CollectionPermission(ddf.security.permission.CollectionPermission) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Example 14 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in project ddf by codice.

Class TestPepInterceptorActions, method testMessageWithOperationAction:

@Test
public void testMessageWithOperationAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    Exchange mockExchange = mock(Exchange.class);
    BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
    SoapOperationInfo mockSOI = mock(SoapOperationInfo.class);
    when(messageWithAction.getExchange()).thenReturn(mockExchange);
    when(mockExchange.get(BindingOperationInfo.class)).thenReturn(mockBOI);
    when(mockBOI.getExtensor(SoapOperationInfo.class)).thenReturn(mockSOI);
    when(mockSOI.getAction()).thenReturn("urn:catalog:query:query-port:search");
    doAnswer(new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:search", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // This should work.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used : BindingOperationInfo(org.apache.cxf.service.model.BindingOperationInfo) SecurityManager(ddf.security.service.SecurityManager) Message(org.apache.cxf.message.Message) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Exchange(org.apache.cxf.message.Exchange) InvocationOnMock(org.mockito.invocation.InvocationOnMock) SoapOperationInfo(org.apache.cxf.binding.soap.model.SoapOperationInfo) CollectionPermission(ddf.security.permission.CollectionPermission) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Example 15 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in project ddf by codice.

Class PEPAuthorizingInterceptor, method handleMessage:

/**
 * Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next
 * interceptor - the interceptor chain will take care of this.
 *
 * @param message the inbound CXF message carrying the SAML assertion to authorize
 */
@Override
public void handleMessage(Message message) throws Fault {
    if (message != null) {
        // grab the SAML assertion associated with this Message from the
        // token store
        SecurityAssertion assertion = SecurityAssertionStore.getSecurityAssertion(message);
        boolean isPermitted = false;
        if ((assertion != null) && (assertion.getSecurityToken() != null)) {
            Subject user = null;
            CollectionPermission action = null;
            String actionURI = getActionUri(message);
            try {
                user = securityManager.getSubject(assertion.getSecurityToken());
                if (user == null) {
                    throw new AccessDeniedException("Unauthorized");
                }
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace(format(assertion.getSecurityToken().getToken()));
                }
                LOGGER.debug("Is user authenticated: {}", user.isAuthenticated());
                LOGGER.debug("Checking for permission");
                SecurityLogger.audit("Is Subject authenticated? " + user.isAuthenticated(), user);
                if (StringUtils.isEmpty(actionURI)) {
                    SecurityLogger.audit("Denying access to Subject for unknown action.", user);
                    throw new AccessDeniedException("Unauthorized");
                }
                action = new KeyValueCollectionPermission(actionURI);
                LOGGER.debug("Permission: {}", action);
                isPermitted = user.isPermitted(action);
                LOGGER.debug("Result of permission: {}", isPermitted);
                SecurityLogger.audit("Is Subject  permitted? " + isPermitted, user);
                // store the subject so the DDF framework can use it later
                ThreadContext.bind(user);
                message.put(SecurityConstants.SAML_ASSERTION, user);
                LOGGER.debug("Added assertion information to message at key {}", SecurityConstants.SAML_ASSERTION);
            } catch (SecurityServiceException e) {
                SecurityLogger.audit("Denying access : Caught exception when trying to authenticate user for service [" + actionURI + "]", e);
                throw new AccessDeniedException("Unauthorized");
            }
            if (!isPermitted) {
                SecurityLogger.audit("Denying access to Subject for service: " + action.getAction(), user);
                throw new AccessDeniedException("Unauthorized");
            }
        } else {
            SecurityLogger.audit("Unable to retrieve the security assertion associated with the web service call.");
            throw new AccessDeniedException("Unauthorized");
        }
    } else {
        SecurityLogger.audit("Unable to retrieve the current message associated with the web service call.");
        throw new AccessDeniedException("Unauthorized");
    }
}
Also used : AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) SecurityServiceException(ddf.security.service.SecurityServiceException) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject)
