Use of io.helidon.security.EndpointConfig in project helidon by oracle.
From class JwtAuthProviderTest, method testEcBothWays:
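/**
 * Round-trips an ES256-signed MP-JWT through the provider: builds an outbound token
 * for a user subject, verifies its signature and claims against the configured
 * verification keys, then feeds the same token back through authentication and
 * checks the resulting principal carries the original identity attributes.
 */
@Test
public void testEcBothWays() {
    String username = "user1";
    String userId = "user1-id";
    String email = "user1@example.org";
    String familyName = "Novak";
    String givenName = "Standa";
    String fullName = "Standa Novak";
    Locale locale = Locale.CANADA_FRENCH;

    Principal principal = Principal.builder()
            .name(username)
            .id(userId)
            .addAttribute("email", email)
            .addAttribute("email_verified", true)
            .addAttribute("family_name", familyName)
            .addAttribute("given_name", givenName)
            .addAttribute("full_name", fullName)
            .addAttribute("locale", locale)
            .addAttribute("roles", Set.of("role1", "role2"))
            .build();
    Subject subject = Subject.builder()
            .principal(principal)
            .addGrant(Role.create("group1"))
            .addGrant(Role.create("group2"))
            .addGrant(Role.create("group3"))
            .build();

    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));

    SecurityContext context = Mockito.mock(SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);

    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/ec")
            .transport("http")
            .targetUri(URI.create("http://localhost:8080/ec"))
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));

    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    // The provider must propagate the token as an Authorization header.
    assertThat("Outbound response must carry an Authorization header",
               response.requestHeaders().containsKey("Authorization"), is(true));
    String authorization = response.requestHeaders().get("Authorization").get(0);
    // Check the scheme before stripping it: blindly dropping the first seven characters would
    // silently accept a header that is not a bearer token at all.
    String bearerPrefix = "bearer ";
    assertThat("Authorization header must use the bearer scheme",
               authorization.regionMatches(true, 0, bearerPrefix, 0, bearerPrefix.length()),
               is(true));
    String signedToken = authorization.substring(bearerPrefix.length());

    // Validate the token against the verification keys to prove it was signed with the expected
    // key; checkValid() fails the test on any signature error.
    SignedJwt signedJwt = SignedJwt.parseToken(signedToken);
    signedJwt.verifySignature(verifyKeys).checkValid();
    Jwt jwt = signedJwt.getJwt();

    // MP specific additions
    assertThat(jwt.payloadClaim("upn"), not(Optional.empty()));
    assertThat(jwt.payloadClaim("groups"), not(Optional.empty()));
    assertThat(jwt.userPrincipal(), is(Optional.of(username)));
    assertThat(jwt.userGroups(), not(Optional.empty()));
    assertThat(jwt.userGroups().get(), hasItems("group1", "group2", "group3"));
    // End of MP specific additions

    assertThat(jwt.subject(), is(Optional.of(userId)));
    assertThat(jwt.preferredUsername(), is(Optional.of(username)));
    assertThat(jwt.email(), is(Optional.of(email)));
    assertThat(jwt.emailVerified(), is(Optional.of(true)));
    assertThat(jwt.familyName(), is(Optional.of(familyName)));
    assertThat(jwt.givenName(), is(Optional.of(givenName)));
    assertThat(jwt.fullName(), is(Optional.of(fullName)));
    assertThat(jwt.locale(), is(Optional.of(locale)));
    // audience and issuer come from the provider configuration
    assertThat(jwt.audience(), is(Optional.of(List.of("audience.application.id"))));
    assertThat(jwt.issuer(), is(Optional.of("jwt.example.com")));
    // the header must advertise the EC algorithm we expect (guards against a downgraded alg)
    assertThat(jwt.algorithm(), is(Optional.of(JwkEC.ALG_ES256)));

    // A missing iat is a test failure, not a NoSuchElementException.
    Instant issueTime = jwt.issueTime()
            .orElseThrow(() -> new AssertionError("Issue time (iat) must be present"));
    Instant now = Instant.now();
    assertThat("Issue time must not be older than 10 seconds",
               now.minusSeconds(10).isBefore(issueTime), is(true));
    assertThat("Issue time must not lie in the future (10 s skew allowed)",
               issueTime.isAfter(now.plusSeconds(10)), is(false));

    // nbf and exp are derived from iat by the provider: 5 s of backdating, 24 h validity
    Instant expectedNotBefore = issueTime.minus(5, ChronoUnit.SECONDS);
    assertThat(jwt.notBefore(), is(Optional.of(expectedNotBefore)));
    Instant expectedExpiry = issueTime.plus(60 * 60 * 24, ChronoUnit.SECONDS);
    assertThat(jwt.expirationTime(), is(Optional.of(expectedExpiry)));

    // Feed the same token back through authentication to prove the provider accepts what it emits.
    ProviderRequest atnRequest = mockRequest(signedToken);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);
    authenticationResponse.user().map(Subject::principal).ifPresentOrElse(atnPrincipal -> {
        assertThat(atnPrincipal, instanceOf(JsonWebTokenImpl.class));
        JsonWebTokenImpl jsonWebToken = (JsonWebTokenImpl) atnPrincipal;
        String upn = jsonWebToken.getClaim(Claims.upn.name());
        assertThat(upn, is(username));
        assertThat(atnPrincipal.id(), is(userId));
        assertThat(atnPrincipal.getName(), is(username));
        // identity attributes must survive the JWT round trip as ABAC attributes
        assertThat(atnPrincipal.abacAttribute("email"), is(Optional.of(email)));
        assertThat(atnPrincipal.abacAttribute("email_verified"), is(Optional.of(true)));
        assertThat(atnPrincipal.abacAttribute("family_name"), is(Optional.of(familyName)));
        assertThat(atnPrincipal.abacAttribute("given_name"), is(Optional.of(givenName)));
        assertThat(atnPrincipal.abacAttribute("full_name"), is(Optional.of(fullName)));
        assertThat(atnPrincipal.abacAttribute("locale"), is(Optional.of(locale)));
    }, () -> fail("User must be present in response"));
}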
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
From class JwtAuthTest, method testRsa:
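/**
 * Builds an RSA-signed outbound token for a user subject and uses the resulting
 * Authorization header to call the running test server on a protected and on a
 * public path; both must greet the propagated user.
 */
@Test
void testRsa() {
    String username = "user1";
    String userId = "user1-id";
    String email = "user1@example.org";
    String familyName = "Novak";
    String givenName = "Standa";
    String fullName = "Standa Novak";
    Locale locale = Locale.CANADA_FRENCH;

    Principal principal = Principal.builder()
            .name(username)
            .id(userId)
            .addAttribute("email", email)
            .addAttribute("email_verified", true)
            .addAttribute("family_name", familyName)
            .addAttribute("given_name", givenName)
            .addAttribute("full_name", fullName)
            .addAttribute("locale", locale)
            .build();
    Subject subject = Subject.create(principal);

    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));

    io.helidon.security.SecurityContext context = Mockito.mock(io.helidon.security.SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);

    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/rsa")
            .transport("http")
            .targetUri(URI.create("http://localhost:8080/rsa"))
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));

    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    // Fail with a clear message instead of an NPE if the provider produced no header.
    assertThat("Outbound response must carry an Authorization header",
               response.requestHeaders().containsKey("Authorization"), is(true));
    String signedToken = response.requestHeaders().get("Authorization").get(0);
    // The whole header value, scheme included, is forwarded verbatim below, so make sure the
    // provider emitted a bearer token and not some other scheme.
    String bearerPrefix = "bearer ";
    assertThat("Authorization header must use the bearer scheme",
               signedToken.regionMatches(true, 0, bearerPrefix, 0, bearerPrefix.length()),
               is(true));

    // authenticated
    String httpResponse = target.path("/hello")
            .request()
            .header("Authorization", signedToken)
            .get(String.class);
    assertThat(httpResponse, is("Hello user1"));

    httpResponse = target.path("/public").path("/hello")
            .request()
            .header("Authorization", signedToken)
            .get(String.class);
    assertThat(httpResponse, is("Hello user1"));
    // NOTE(review): only the positive path is exercised here; a missing or tampered token is
    // presumably covered by another test in this class — verify that such a negative case exists.
}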
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
From class RoleValidator, method fromAnnotations:
/**
 * Builds the role configuration for an endpoint from its security annotations.
 * <p>
 * Security levels are walked in the order returned by {@code endpointConfig.securityLevels()};
 * within each level every {@link EndpointConfig.AnnotationScope} is visited in the order of
 * {@code AnnotationScope.values()}. Every annotation seen overwrites the permit-all / deny-all
 * flags set by earlier ones, and a non-empty set of roles found in a scope replaces the roles
 * collected so far, so the annotation visited last is the one that takes effect. Annotation
 * types the branches below do not recognise are ignored.
 * NOTE(review): which scope is visited last (and therefore "wins") is decided by
 * {@code AnnotationScope.values()}, not visible here; the accompanying tests expect a
 * method-level {@code @RolesAllowed} to override a class-level {@code @DenyAll} — confirm the
 * enum lists the more specific scope last.
 *
 * @param endpointConfig endpoint configuration carrying the security levels and their annotations
 * @return role configuration reflecting the annotations that were visited last
 */
@Override
public RoleConfig fromAnnotations(EndpointConfig endpointConfig) {
    RoleConfig.Builder builder = RoleConfig.builder();
    for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
        for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
            // Order of the annotations matters because of annotation handling.
            // Annotations are gathered in supportedAnnotations() order, so within one scope the
            // last supported type in that list has the final say on permitAll / denyAll.
            List<Annotation> annotations = new ArrayList<>();
            for (Class<? extends Annotation> annotation : supportedAnnotations()) {
                annotations.addAll(securityLevel.filterAnnotations(annotation, scope));
            }
            List<String> roles = new ArrayList<>();
            List<String> serviceRoles = new ArrayList<>();
            for (Annotation annotation : annotations) {
                if (annotation instanceof RolesAllowed) {
                    // these are user roles by default
                    roles.addAll(Arrays.asList(((RolesAllowed) annotation).value()));
                    // a role requirement cancels any earlier permit-all or deny-all
                    builder.permitAll(false);
                    builder.denyAll(false);
                } else if (annotation instanceof Roles) {
                    // these are configured
                    Roles r = (Roles) annotation;
                    // subject type decides whether the roles bind the user or the calling service;
                    // anything other than USER is treated as a service role
                    if (r.subjectType() == SubjectType.USER) {
                        roles.addAll(Arrays.asList(r.value()));
                    } else {
                        serviceRoles.addAll(Arrays.asList(r.value()));
                    }
                    builder.permitAll(false);
                    builder.denyAll(false);
                } else if (annotation instanceof PermitAll) {
                    builder.permitAll(true);
                    builder.denyAll(false);
                } else if (annotation instanceof DenyAll) {
                    builder.permitAll(false);
                    builder.denyAll(true);
                }
            }
            // Roles are only replaced when this scope declared some; a scope without role
            // annotations leaves the previously collected roles untouched, even though its
            // permitAll / denyAll changes above have already been applied.
            if (!roles.isEmpty()) {
                builder.clearRoles().addRoles(roles);
            }
            if (!serviceRoles.isEmpty()) {
                builder.clearServiceRoles().addServiceRoles(serviceRoles);
            }
        }
    }
    return builder.build();
}
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
From class RoleValidatorTest, method testDenyAllAndRoles:
/**
 * A class-level {@code @DenyAll} combined with a method-level {@code @RolesAllowed("admin")}:
 * the method-level annotation must take precedence, so a user subject holding the admin role
 * validates without errors.
 */
@Test
void testDenyAllAndRoles() {
    RoleValidator validator = RoleValidator.create();

    // class scope denies everyone, method scope re-opens the endpoint to admins
    DenyAll classDenyAll = mock(DenyAll.class);
    RolesAllowed methodRolesAllowed = mock(RolesAllowed.class);
    when(methodRolesAllowed.value()).thenReturn(new String[] {"admin"});

    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS))
            .thenReturn(List.of(classDenyAll));
    when(classLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(methodRolesAllowed));

    // application level first, class level second — the validator walks them in this order
    List<SecurityLevel> levels = new ArrayList<>();
    levels.add(applicationLevel);
    levels.add(classLevel);
    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig roleConfig = validator.fromAnnotations(endpoint);

    // an authenticated user carrying the admin role and no service identity
    Subject admin = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("admin"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(admin));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(roleConfig, collector, request);
    // throws, and thereby fails the test, if any validation error was collected
    collector.collect().checkValid();
}
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
From class RoleValidatorTest, method testServiceRoles:
/**
 * A method-level {@code @Roles} annotation with subject type SERVICE must be checked against
 * the calling service's subject, not the user's: here the service holds "admin" while the user
 * only holds "user", and validation must still pass.
 */
@Test
void testServiceRoles() {
    RoleValidator validator = RoleValidator.create();

    // service-scoped role requirement: the caller service must be an admin
    RoleValidator.Roles serviceRolesAnnotation = mock(RoleValidator.Roles.class);
    when(serviceRolesAnnotation.value()).thenReturn(new String[] {"admin"});
    when(serviceRolesAnnotation.subjectType()).thenReturn(SubjectType.SERVICE);

    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(RoleValidator.Roles.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(serviceRolesAnnotation));

    List<SecurityLevel> levels = new ArrayList<>();
    levels.add(applicationLevel);
    levels.add(classLevel);
    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig roleConfig = validator.fromAnnotations(endpoint);

    // the service identity carries "admin"; the user identity deliberately does not
    Subject callingService = Subject.builder()
            .principal(Principal.create("service"))
            .addGrant(Role.create("admin"))
            .build();
    Subject user = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("user"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.service()).thenReturn(Optional.of(callingService));
    when(request.subject()).thenReturn(Optional.of(user));

    Errors.Collector collector = Errors.collector();
    validator.validate(roleConfig, collector, request);
    // throws, and thereby fails the test, if any validation error was collected
    collector.collect().checkValid();
}