use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AbacProvider method syncAuthorize.
@Override
protected AuthorizationResponse syncAuthorize(ProviderRequest providerRequest) {
    /*
     * Authorization decision for a single request.
     *
     * 1. Check that everything declared on the endpoint ("Attribute" annotations,
     *    children of the abac config node, custom config objects) is understood by a
     *    registered validator; anything unsupported is recorded as an error.
     * 2. For every registered validator resolve its runtime configuration, in this
     *    order of preference: explicit config object, configuration node, supported
     *    annotations. A validator with none of these is skipped.
     * 3. Run every resolved validator against the request.
     *
     * The decision fails closed: PERMIT is returned only when the error collector is
     * empty. Otherwise the response is FAILURE and its description is the collected
     * error text (whatever the validators reported — a caller that relays the
     * description to a client should consider what it reveals).
     */
    Errors.Collector collector = Errors.collector();
    EndpointConfig epConfig = providerRequest.endpointConfig();

    validateAnnotations(epConfig, collector);
    validateConfig(epConfig, collector);
    validateCustom(epConfig, collector);

    Optional<Config> abacConfig = epConfig.config(CONFIG_KEY);
    List<RuntimeAttribute> resolved = new ArrayList<>();

    for (var validator : validators) {
        Class<? extends AbacValidatorConfig> configClass = validator.configClass();
        String configKey = validator.configKey();
        Collection<Class<? extends Annotation>> supported = validator.supportedAnnotations();

        // 1. an explicit config object registered on the endpoint wins outright
        Optional<? extends AbacValidatorConfig> explicit = epConfig.instance(configClass);
        if (explicit.isPresent()) {
            resolved.add(new RuntimeAttribute(validator, explicit.get()));
            continue;
        }

        // 2. otherwise the validator's own node under the abac configuration
        var node = abacConfig.flatMap(it -> it.get(configKey).asNode().asOptional());
        if (node.isPresent()) {
            resolved.add(new RuntimeAttribute(validator, validator.fromConfig(node.get())));
            continue;
        }

        // 3. finally annotations, but only when at least one supported annotation is
        //    present on some security level of the endpoint
        boolean annotated = false;
        for (SecurityLevel securityLevel : epConfig.securityLevels()) {
            for (Class<? extends Annotation> annotation : supported) {
                List<? extends Annotation> found =
                        securityLevel.combineAnnotations(annotation, EndpointConfig.AnnotationScope.values());
                annotated |= !found.isEmpty();
            }
        }
        if (annotated) {
            resolved.add(new RuntimeAttribute(validator, validator.fromAnnotations(epConfig)));
        }
    }

    for (RuntimeAttribute attribute : resolved) {
        validate(attribute.getValidator(), attribute.getConfig(), collector, providerRequest);
    }

    Errors errors = collector.collect();
    if (!errors.isValid()) {
        return AuthorizationResponse.builder()
                .status(SecurityResponse.SecurityStatus.FAILURE)
                .description(errors.toString())
                .build();
    }
    return AuthorizationResponse.permit();
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AbacProviderTest method testExistingValidatorFail.
@Test
public void testExistingValidatorFail() {
    // A registered validator whose attribute evaluates to false must yield a
    // FAILURE response whose description carries the message the test validator reports.
    Attrib1 annotation = Mockito.mock(Attrib1.class);
    when(annotation.value()).thenReturn(false);
    doReturn(Attrib1.class).when(annotation).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    AbacProvider provider = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(message -> assertThat(message, containsString("Intentional unit test failure")));
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AbacProviderTest method testExistingValidatorSucceed.
@Test
public void testExistingValidatorSucceed() {
    // A registered validator whose attribute evaluates to true must let the
    // request through with SUCCESS.
    Attrib1 annotation = Mockito.mock(Attrib1.class);
    when(annotation.value()).thenReturn(true);
    doReturn(Attrib1.class).when(annotation).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    AbacProvider provider = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();
    AuthorizationResponse response = provider.syncAuthorize(request);

    // if the provider failed, its description (when present) becomes the assertion reason
    String reason = response.description()
            .orElse("Attrib1 value is true, so the authorization should succeed");
    assertThat(reason, response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AbacProviderTest method testMissingValidator.
@Test
public void testMissingValidator() {
    // An attribute annotation with no registered validator must be rejected
    // (fail closed) rather than silently ignored.
    Attrib1 annotation = Mockito.mock(Attrib1.class);
    doReturn(Attrib1.class).when(annotation).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    // default provider: no validators registered at all
    AbacProvider provider = AbacProvider.create();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(message -> assertThat(message, containsString("Attrib1 attribute annotation is not supported")));
}
use of io.helidon.security.AuthorizationResponse in project helidon by oracle.
the class AbacProviderTest method testMissingRoleValidator.
@Test
public void testMissingRoleValidator() {
    // RolesAllowed is treated as an attribute annotation even without an explicit
    // "Attribute" marker; with no role validator registered the request must be
    // rejected (fail closed) rather than permitted.
    RolesAllowed annotation = Mockito.mock(RolesAllowed.class);
    doReturn(RolesAllowed.class).when(annotation).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(RolesAllowed.class, List.of(annotation)))
            .build();
    EndpointConfig endpoint = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpoint);

    // default provider: no validators registered at all
    AbacProvider provider = AbacProvider.create();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(message -> assertThat(message, containsString("RolesAllowed attribute annotation is not supported")));
}