
Example 6 with AuthorizationResponse

use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

the class AbacProvider method syncAuthorize.

@Override
protected AuthorizationResponse syncAuthorize(ProviderRequest providerRequest) {
    /*
     * Resolves which ABAC validators apply to the endpoint and runs them.
     * Every problem met on the way (an attribute annotation, config key or
     * custom object that no registered validator understands, or a validator
     * rejecting the request) is accumulated in one error collector, so the
     * decision is fail-closed: anything unsupported yields FAILURE rather than
     * being silently skipped.
     *
     * @param providerRequest request carrying the endpoint configuration to authorize against
     * @return permit when no error was collected, otherwise a FAILURE response whose
     *         description is the collected errors rendered as text
     */
    Errors.Collector errorCollector = Errors.collector();
    EndpointConfig endpoint = providerRequest.endpointConfig();

    // Pre-flight: everything declared on the endpoint must be understood by some validator.
    validateAnnotations(endpoint, errorCollector); // "Attribute" annotations
    validateConfig(endpoint, errorCollector);      // children of the abac config node
    validateCustom(endpoint, errorCollector);      // custom objects implementing AttributeConfig

    Optional<Config> abacNode = endpoint.config(CONFIG_KEY);
    List<RuntimeAttribute> resolved = new ArrayList<>();

    for (var validator : validators) {
        // Precedence when resolving a validator's configuration:
        // explicit custom instance > configuration node > annotations.
        Class<? extends AbacValidatorConfig> configType = validator.configClass();
        String key = validator.configKey();
        Collection<Class<? extends Annotation>> supported = validator.supportedAnnotations();

        Optional<? extends AbacValidatorConfig> explicit = endpoint.instance(configType);
        if (explicit.isPresent()) {
            resolved.add(new RuntimeAttribute(validator, explicit.get()));
            continue;
        }

        Optional<Config> node = abacNode.flatMap(cfg -> cfg.get(key).asNode().asOptional());
        if (node.isPresent()) {
            resolved.add(new RuntimeAttribute(validator, validator.fromConfig(node.get())));
            continue;
        }

        // Annotation path: the validator is only activated when at least one of its
        // supported annotations is present on some security level of the endpoint.
        boolean annotated = false;
        for (SecurityLevel level : endpoint.securityLevels()) {
            for (Class<? extends Annotation> annotationType : supported) {
                List<? extends Annotation> found =
                        level.combineAnnotations(annotationType, EndpointConfig.AnnotationScope.values());
                annotated |= !found.isEmpty();
            }
        }
        if (annotated) {
            // the validator reads the annotations itself from the endpoint configuration
            resolved.add(new RuntimeAttribute(validator, validator.fromAnnotations(endpoint)));
        }
    }

    for (RuntimeAttribute attribute : resolved) {
        validate(attribute.getValidator(), attribute.getConfig(), errorCollector, providerRequest);
    }

    Errors errors = errorCollector.collect();
    if (!errors.isValid()) {
        // NOTE(review): the error text becomes the response description; whether it is
        // ever exposed to the caller depends on the surrounding framework — confirm it
        // does not carry sensitive configuration values before relying on that.
        return AuthorizationResponse.builder()
                .status(SecurityResponse.SecurityStatus.FAILURE)
                .description(errors.toString())
                .build();
    }
    return AuthorizationResponse.permit();
}

Example 7 with AuthorizationResponse

use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

the class AbacProviderTest method testExistingValidatorFail.

@Test
public void testExistingValidatorFail() {
    // Attrib1 evaluates to false, so the registered validator must reject the
    // request and the failure description must carry the validator's message.
    Attrib1 annotation = Mockito.mock(Attrib1.class);
    doReturn(Attrib1.class).when(annotation).annotationType();
    when(annotation.value()).thenReturn(false);

    SecurityLevel level = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(level))
            .build();

    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    AbacProvider provider = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(desc -> assertThat(desc, containsString("Intentional unit test failure")));
}

Example 8 with AuthorizationResponse

use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

the class AbacProviderTest method testExistingValidatorSucceed.

@Test
public void testExistingValidatorSucceed() {
    // Attrib1 evaluates to true, so the registered validator must permit the request.
    Attrib1 annotation = Mockito.mock(Attrib1.class);
    doReturn(Attrib1.class).when(annotation).annotationType();
    when(annotation.value()).thenReturn(true);

    SecurityLevel level = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(level))
            .build();

    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    AbacProvider provider = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();
    AuthorizationResponse response = provider.syncAuthorize(request);

    // On failure the provider's own description is the most useful assertion message.
    String reason = response.description()
            .orElse("Attrib1 value is true, so the authorization should succeed");
    assertThat(reason, response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
}

Example 9 with AuthorizationResponse

use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

the class AbacProviderTest method testMissingValidator.

@Test
public void testMissingValidator() {
    // No validator is registered for Attrib1: the provider must fail closed
    // and name the unsupported annotation in its description.
    Attrib1 annotation = Mockito.mock(Attrib1.class);
    doReturn(Attrib1.class).when(annotation).annotationType();

    SecurityLevel level = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(level))
            .build();

    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    AbacProvider provider = AbacProvider.create();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(desc -> assertThat(desc, containsString("Attrib1 attribute annotation is not supported")));
}

Example 10 with AuthorizationResponse

use of io.helidon.security.AuthorizationResponse in project helidon by oracle.

the class AbacProviderTest method testMissingRoleValidator.

@Test
public void testMissingRoleValidator() {
    // RolesAllowed must be treated as an attribute annotation even without an
    // explicit "Attribute" marker; with no role validator registered the
    // provider must fail closed and name the annotation in its description.
    RolesAllowed annotation = Mockito.mock(RolesAllowed.class);
    doReturn(RolesAllowed.class).when(annotation).annotationType();

    SecurityLevel level = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(RolesAllowed.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(level))
            .build();

    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    AbacProvider provider = AbacProvider.create();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(desc -> assertThat(desc, containsString("RolesAllowed attribute annotation is not supported")));
}
