Use of io.helidon.security.AuthenticationResponse in project helidon (by Oracle).
From class GoogleTokenProviderTest, method testInboundVerificationException:
/**
 * A failure inside the Google ID-token verifier (simulated here with an IOException) must be
 * reported as an authentication FAILURE carrying HTTP 401 and a WWW-Authenticate challenge,
 * rather than propagating out of {@code authenticate}.
 */
@Test
public void testInboundVerificationException() throws ExecutionException, InterruptedException, GeneralSecurityException, IOException {
    GoogleIdTokenVerifier failingVerifier = mock(GoogleIdTokenVerifier.class);
    when(failingVerifier.verify(TOKEN_VALUE)).thenThrow(new IOException("Failed to verify token"));

    GoogleTokenProvider providerUnderTest = GoogleTokenProvider.builder()
            .clientId("clientId")
            .verifier(failingVerifier)
            .build();

    ProviderRequest request = createInboundRequest("Authorization", "bearer " + TOKEN_VALUE);
    AuthenticationResponse result = providerUnderTest.authenticate(request).toCompletableFuture().get();

    assertThat(result.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    // 200 is only the fallback for an absent status code; the provider must set 401 explicitly
    assertThat(result.statusCode().orElse(200), is(401));
    assertThat(result.responseHeaders().get("WWW-Authenticate"), notNullValue());
}
Use of io.helidon.security.AuthenticationResponse in project helidon (by Oracle).
From class GoogleTokenProviderTest, method testInboundIncorrectToken:
/**
 * An Authorization header with an unrecognised scheme ("tearer" instead of "bearer") is
 * rejected. The provider classifies this as a malformed request (400) rather than a failed
 * credential check (401), yet still attaches a WWW-Authenticate challenge.
 */
@Test
public void testInboundIncorrectToken() throws ExecutionException, InterruptedException {
    String wrongSchemeHeader = "tearer " + TOKEN_VALUE;
    ProviderRequest request = createInboundRequest("Authorization", wrongSchemeHeader);

    AuthenticationResponse result = provider.authenticate(request).toCompletableFuture().get();

    assertThat(result.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(result.statusCode().orElse(200), is(400));
    assertThat(result.responseHeaders().get("WWW-Authenticate"), notNullValue());
}
Use of io.helidon.security.AuthenticationResponse in project helidon (by Oracle).
From class HttpDigestAuthProvider, method validateDigestAuth:
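/**
 * Validates a {@code Digest} Authorization header against the configured realm, the server
 * nonce secret and the user store.
 *
 * The nonce is decoded here as
 * {@code base64( salt[SALT_LENGTH] | aesNonce[AES_NONCE_LENGTH] | AES(timestampMillis) )}.
 * The decrypted timestamp is rejected once it is older than {@code digestNonceTimeoutMillis};
 * a timestamp lying in the future is accepted as-is. No nonce-count / replay tracking is
 * performed in this method.
 *
 * @param headerValue full Authorization header value; assumed by the caller to start with
 *                    {@code DIGEST_PREFIX}, which is stripped here without being re-checked
 * @param env         security environment of the request (its HTTP method feeds the digest)
 * @return a success response (user or service subject depending on {@code subjectType}), or the
 *         result of {@code failOrAbstain} with a short reason; unknown user and wrong password
 *         deliberately share one reason string so the response does not reveal which one failed
 */
private AuthenticationResponse validateDigestAuth(String headerValue, SecurityEnvironment env) {
    DigestToken token;
    try {
        // Locale.ROOT: the method name must lower-case identically on every JVM locale
        // (default-locale toLowerCase() turns "OPTIONS" into "optıons" under tr_TR).
        token = DigestToken.fromAuthorizationHeader(headerValue.substring(DIGEST_PREFIX.length()),
                                                    env.method().toLowerCase(java.util.Locale.ROOT));
    } catch (HttpAuthException e) {
        LOGGER.log(Level.FINEST, "Failed to process digest token", e);
        return failOrAbstain(e.getMessage());
    }

    byte[] bytes;
    try {
        bytes = Base64.getDecoder().decode(token.getNonce());
    } catch (IllegalArgumentException e) {
        LOGGER.log(Level.FINEST, "Failed to base64 decode nonce", e);
        return failOrAbstain("Nonce must be base64 encoded");
    }

    // The nonce must carry the salt, the AES nonce and at least one ciphertext byte. Deriving the
    // minimum from the actual constants (while keeping the historical floor of 17) guarantees the
    // ciphertext length computed below can never be negative; otherwise a crafted short nonce
    // would escape this method as an uncaught NegativeArraySizeException instead of a clean failure.
    int minNonceLength = Math.max(17, SALT_LENGTH + AES_NONCE_LENGTH + 1);
    if (bytes.length < minNonceLength) {
        return failOrAbstain("Invalid nonce length");
    }

    byte[] salt = new byte[SALT_LENGTH];
    byte[] aesNonce = new byte[AES_NONCE_LENGTH];
    byte[] encryptedBytes = new byte[bytes.length - SALT_LENGTH - AES_NONCE_LENGTH];
    System.arraycopy(bytes, 0, salt, 0, SALT_LENGTH);
    System.arraycopy(bytes, SALT_LENGTH, aesNonce, 0, AES_NONCE_LENGTH);
    System.arraycopy(bytes, SALT_LENGTH + AES_NONCE_LENGTH, encryptedBytes, 0, encryptedBytes.length);

    Cipher cipher = HttpAuthUtil.cipher(digestServerSecret, salt, aesNonce, Cipher.DECRYPT_MODE);
    try {
        // A tampered or foreign nonce fails here (doFinal / toLong throw) and is reported as
        // "Invalid nonce value"; only a genuine, decryptable nonce reaches the age check.
        byte[] timestampBytes = cipher.doFinal(encryptedBytes);
        long nonceTimestamp = HttpAuthUtil.toLong(timestampBytes, 0, timestampBytes.length);
        if ((System.currentTimeMillis() - nonceTimestamp) > digestNonceTimeoutMillis) {
            return failOrAbstain("Nonce timeout");
        }
    } catch (Exception e) {
        LOGGER.log(Level.FINEST, "Failed to validate nonce", e);
        return failOrAbstain("Invalid nonce value");
    }

    if (!realm.equals(token.getRealm())) {
        return failOrAbstain("Invalid realm");
    }

    // One reason string for both "no such user" and "wrong password" so the reply cannot be used
    // to enumerate accounts. NOTE(review): the two paths still differ in timing (an unknown user
    // skips validateLogin); confirm whether that is acceptable for this deployment.
    return userStore.user(token.getUsername())
            .map(user -> {
                if (!token.validateLogin(user)) {
                    return failOrAbstain("Invalid username or password");
                }
                if (subjectType == SubjectType.USER) {
                    return AuthenticationResponse.success(buildSubject(user));
                }
                return AuthenticationResponse.successService(buildSubject(user));
            })
            .orElseGet(() -> failOrAbstain("Invalid username or password"));
}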
Use of io.helidon.security.AuthenticationResponse in project helidon (by Oracle).
From class HeaderAtnProviderTest, method testServiceExtraction:
/**
 * A provider configured for service subjects extracts the bearer value from the Authorization
 * header as the service principal: authentication succeeds, no user subject is set, and the
 * service principal name equals the header value.
 */
@Test
public void testServiceExtraction() {
    HeaderAtnProvider serviceProvider = getServiceProvider();
    String expectedName = "service";

    SecurityEnvironment env = SecurityEnvironment.builder()
            .header("Authorization", "bearer " + expectedName)
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(env);

    AuthenticationResponse result = serviceProvider.syncAuthenticate(request);

    assertThat(result.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    assertThat(result.user(), is(Optional.empty()));
    assertThat(result.service(), is(not(Optional.empty())));

    Optional<String> extractedName = result.service()
            .map(Subject::principal)
            .map(Principal::getName);
    extractedName.ifPresent(name -> assertThat(name, is(expectedName)));
}
Use of io.helidon.security.AuthenticationResponse in project helidon (by Oracle).
From class HeaderAtnProviderTest, method testServiceNoHeaderExtraction:
/**
 * Without any Authorization header the service provider must fail authentication and set
 * neither a service nor a user subject.
 */
@Test
public void testServiceNoHeaderExtraction() {
    HeaderAtnProvider serviceProvider = getServiceProvider();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(SecurityEnvironment.create());

    AuthenticationResponse result = serviceProvider.syncAuthenticate(request);

    assertThat(result.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(result.user(), is(Optional.empty()));
    assertThat(result.service(), is(Optional.empty()));
}