use of io.airlift.http.server.HttpServerInfo in project trino by trinodb.
the class TestResourceSecurity method verifyJwtAuthenticator.
private void verifyJwtAuthenticator(Optional<String> principalField) throws Exception {
try (TestingTrinoServer server = TestingTrinoServer.builder().setProperties(ImmutableMap.<String, String>builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).put("http-server.authentication.jwt.principal-field", principalField.orElse("sub")).buildOrThrow()).build()) {
server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));
assertAuthenticationDisabled(httpServerInfo.getHttpUri());
SecretKey hmac = hmacShaKeyFor(Base64.getDecoder().decode(Files.readString(Paths.get(HMAC_KEY)).trim()));
JwtBuilder tokenBuilder = newJwtBuilder().signWith(hmac).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5).toInstant()));
if (principalField.isPresent()) {
tokenBuilder.claim(principalField.get(), "test-user");
} else {
tokenBuilder.setSubject("test-user");
}
String token = tokenBuilder.compact();
OkHttpClient clientWithJwt = client.newBuilder().authenticator((route, response) -> response.request().newBuilder().header(AUTHORIZATION, "Bearer " + token).build()).build();
assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), clientWithJwt);
}
}
use of io.airlift.http.server.HttpServerInfo in project trino by trinodb.
the class TestResourceSecurity method verifyOAuth2Authenticator.
private void verifyOAuth2Authenticator(boolean webUiEnabled, Optional<String> principalField) throws Exception {
CookieManager cookieManager = new CookieManager();
OkHttpClient client = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
try (TokenServer tokenServer = new TokenServer(principalField);
TestingTrinoServer server = TestingTrinoServer.builder().setProperties(ImmutableMap.<String, String>builder().putAll(SECURE_PROPERTIES).put("web-ui.enabled", String.valueOf(webUiEnabled)).put("http-server.authentication.type", "oauth2").putAll(getOAuth2Properties(tokenServer)).put("http-server.authentication.oauth2.principal-field", principalField.orElse("sub")).buildOrThrow()).setAdditionalModule(oauth2Module(tokenServer)).build()) {
server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));
assertAuthenticationDisabled(httpServerInfo.getHttpUri());
// not logged in
URI baseUri = httpServerInfo.getHttpsUri();
assertOk(client, getPublicLocation(baseUri));
assertAuthenticateOAuth2Bearer(client, getManagementLocation(baseUri), "http://example.com/authorize");
OAuthBearer bearer = assertAuthenticateOAuth2Bearer(client, getAuthorizedUserLocation(baseUri), "http://example.com/authorize");
assertResponseCode(client, getInternalLocation(baseUri), SC_FORBIDDEN);
// login with the callback endpoint
assertOk(client, uriBuilderFrom(baseUri).replacePath("/oauth2/callback/").addParameter("code", "TEST_CODE").addParameter("state", bearer.getState()).toString());
assertEquals(getOauthToken(client, bearer.getTokenServer()), tokenServer.getAccessToken());
// if Web UI is using oauth so we should get a cookie
if (webUiEnabled) {
HttpCookie cookie = getOnlyElement(cookieManager.getCookieStore().getCookies());
assertEquals(cookie.getValue(), tokenServer.getAccessToken());
assertEquals(cookie.getPath(), "/ui/");
assertEquals(cookie.getDomain(), baseUri.getHost());
assertTrue(cookie.getMaxAge() > 0 && cookie.getMaxAge() < MINUTES.toSeconds(5));
assertTrue(cookie.isHttpOnly());
cookieManager.getCookieStore().removeAll();
} else {
List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
assertTrue(cookies.isEmpty(), "Expected no cookies when webUi is not enabled, but got: " + cookies);
}
OkHttpClient clientWithOAuthToken = client.newBuilder().authenticator((route, response) -> response.request().newBuilder().header(AUTHORIZATION, "Bearer " + tokenServer.getAccessToken()).build()).build();
assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), clientWithOAuthToken);
}
}
use of io.airlift.http.server.HttpServerInfo in project trino by trinodb.
the class TestResourceSecurity method createTestingJwkServer.
private static TestingHttpServer createTestingJwkServer() throws IOException {
NodeInfo nodeInfo = new NodeInfo("test");
HttpServerConfig config = new HttpServerConfig().setHttpPort(0);
HttpServerInfo httpServerInfo = new HttpServerInfo(config, nodeInfo);
return new TestingHttpServer(httpServerInfo, nodeInfo, config, new JwkServlet(), ImmutableMap.of());
}
use of io.airlift.http.server.HttpServerInfo in project trino by trinodb.
the class TestResourceSecurity method testJwtWithJwkAuthenticator.
@Test
public void testJwtWithJwkAuthenticator() throws Exception {
TestingHttpServer jwkServer = createTestingJwkServer();
jwkServer.start();
try (TestingTrinoServer server = TestingTrinoServer.builder().setProperties(ImmutableMap.<String, String>builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", jwkServer.getBaseUrl().toString()).buildOrThrow()).build()) {
server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));
assertAuthenticationDisabled(httpServerInfo.getHttpUri());
String token = newJwtBuilder().signWith(JWK_PRIVATE_KEY).setHeaderParam(JwsHeader.KEY_ID, JWK_KEY_ID).setSubject("test-user").setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5).toInstant())).compact();
OkHttpClient clientWithJwt = client.newBuilder().authenticator((route, response) -> response.request().newBuilder().header(AUTHORIZATION, "Bearer " + token).build()).build();
assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), clientWithJwt);
} finally {
jwkServer.stop();
}
}
use of io.airlift.http.server.HttpServerInfo in project trino by trinodb.
the class TestResourceSecurity method testFixedManagerAuthenticatorHttpInsecureEnabledOnly.
@Test
public void testFixedManagerAuthenticatorHttpInsecureEnabledOnly() throws Exception {
try (TestingTrinoServer server = TestingTrinoServer.builder().setProperties(ImmutableMap.<String, String>builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).buildOrThrow()).build()) {
server.getInstance(Key.get(PasswordAuthenticatorManager.class)).setAuthenticators(TestResourceSecurity::authenticate);
server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION);
HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));
assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
assertPasswordAuthentication(httpServerInfo.getHttpsUri());
}
}
Aggregations