
Example 21 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

the class ScopeValidatorTest method testScopesAndPermit.

@Test
public void testScopesAndPermit() {
    // Validator with default settings (contrast with the OR-operator variant in the sibling test;
    // presumably every annotated scope must be granted here).
    ScopeValidator validator = ScopeValidator.create();

    // Two @Scope values wrapped in a @Scopes container.
    ScopeValidator.Scope getScope = mock(ScopeValidator.Scope.class);
    when(getScope.value()).thenReturn("calendar_get");
    ScopeValidator.Scope updateScope = mock(ScopeValidator.Scope.class);
    when(updateScope.value()).thenReturn("calendar_update");
    ScopeValidator.Scopes container = mock(ScopeValidator.Scopes.class);
    when(container.value()).thenReturn(new ScopeValidator.Scope[] { getScope, updateScope });

    // Endpoint with two security levels; only the class level is stubbed to return the
    // container for METHOD scope, the application level is left unstubbed.
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);
    when(classLevel.filterAnnotations(ScopeValidator.Scopes.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(container));
    ScopeValidator.ScopesConfig config = validator.fromAnnotations(endpoint);

    // Subject carrying a "scope" grant for each of the two required scopes.
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Grant.builder().type("scope").name("calendar_get").build())
            .addGrant(Grant.builder().type("scope").name("calendar_update").build())
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(config, collector, request);
    // Expected to pass: checkValid() is the assertion, the test fails if it throws.
    collector.collect().checkValid();
}

Example 22 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

the class ScopeValidatorTest method testScopesOrDeny.

@Test
public void testScopesOrDeny() {
    // Validator built with useOrOperator(true) — presumably any single matching scope would suffice.
    ScopeValidator validator = ScopeValidator.builder().useOrOperator(true).build();

    // Two @Scope values wrapped in a @Scopes container.
    ScopeValidator.Scope getScope = mock(ScopeValidator.Scope.class);
    when(getScope.value()).thenReturn("calendar_get");
    ScopeValidator.Scope updateScope = mock(ScopeValidator.Scope.class);
    when(updateScope.value()).thenReturn("calendar_update");
    ScopeValidator.Scopes container = mock(ScopeValidator.Scopes.class);
    when(container.value()).thenReturn(new ScopeValidator.Scope[] { getScope, updateScope });

    // Endpoint with two security levels; only the class level is stubbed to return the
    // container for METHOD scope, the application level is left unstubbed.
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);
    when(classLevel.filterAnnotations(ScopeValidator.Scopes.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(container));
    ScopeValidator.ScopesConfig config = validator.fromAnnotations(endpoint);

    // Subject whose only "scope" grant matches neither required scope.
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Grant.builder().type("scope").name("calendar_other").build())
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(config, collector, request);
    // A valid result here would mean access was granted without any required scope.
    boolean permitted = collector.collect().isValid();
    if (permitted) {
        fail("User does not have any of the required scopes, should have failed");
    }
}

Example 23 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

the class TimeValidator method fromAnnotations.

/**
 * Builds the time-based access configuration from the endpoint's annotations.
 * Every security level of the endpoint and every annotation scope is consulted, and each
 * supported annotation found is folded into a single {@link TimeConfig}.
 *
 * @param endpointConfig endpoint whose security levels carry the annotations
 * @return configuration with all days-of-week and time windows declared on the endpoint
 */
@Override
public TimeConfig fromAnnotations(EndpointConfig endpointConfig) {
    TimeConfig.Builder builder = TimeConfig.builder();
    for (SecurityLevel level : endpointConfig.securityLevels()) {
        for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
            // supportedAnnotations() is the sibling method listing the annotation types this validator handles.
            for (Class<? extends Annotation> type : supportedAnnotations()) {
                for (Annotation annotation : level.filterAnnotations(type, scope)) {
                    applyTimeAnnotation(builder, annotation);
                }
            }
        }
    }
    return builder.build();
}

/**
 * Folds one annotation into the builder; annotations of an unrecognised type are ignored.
 * {@code TimesOfDay} is checked before {@code TimeOfDay} so the container form is handled as a whole.
 */
private static void applyTimeAnnotation(TimeConfig.Builder builder, Annotation annotation) {
    if (annotation instanceof DaysOfWeek) {
        for (DayOfWeek day : ((DaysOfWeek) annotation).value()) {
            builder.addDaysOfWeek(day);
        }
    } else if (annotation instanceof TimesOfDay) {
        for (TimeOfDay window : ((TimesOfDay) annotation).value()) {
            // from()/to() are parsed with LocalTime.parse, so a malformed value fails fast here.
            builder.addBetween(LocalTime.parse(window.from()), LocalTime.parse(window.to()));
        }
    } else if (annotation instanceof TimeOfDay) {
        TimeOfDay window = (TimeOfDay) annotation;
        builder.addBetween(LocalTime.parse(window.from()), LocalTime.parse(window.to()));
    }
}

Example 24 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

the class SecurityFilterCommon method doFilter.

/**
 * Runs security processing for one JAX-RS request: builds the security environment and
 * endpoint configuration, attaches them to the security context and delegates to
 * {@code processSecurity}. Tracing is finished in every case.
 *
 * @param request         the JAX-RS request being filtered
 * @param securityContext security context to populate for this request
 */
protected void doFilter(ContainerRequestContext request, SecurityContext securityContext) {
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    SecurityFilter.FilterContext filterContext = initRequestFiltering(request);
    if (filterContext.isShouldFinish()) {
        // 404
        tracing.finish();
        return;
    }

    // Path plus query (when present) of the incoming request, exposed to providers under HEADER_ORIG_URI.
    URI requestUri = request.getUriInfo().getRequestUri();
    String query = requestUri.getQuery();
    boolean hasQuery = query != null && !query.isEmpty();
    String origRequest = hasQuery ? requestUri.getPath() + "?" + query : requestUri.getPath();

    // Copy: the filter context's header map is not modified.
    Map<String, List<String>> headers = new HashMap<>(filterContext.getHeaders());
    headers.put(Security.HEADER_ORIG_URI, List.of(origRequest));

    SecurityEnvironment.Builder envBuilder = SecurityEnvironment.builder(security.serverTime())
            .path(filterContext.getResourcePath())
            .targetUri(filterContext.getTargetUri())
            .method(filterContext.getMethod())
            .headers(headers)
            .addAttribute("resourceType", filterContext.getResourceName());

    // The following two lines are not possible in JAX-RS or Jersey - we would have to touch
    // underlying web server's request...
    // Peer address/port come from request properties rather than from client-supplied headers
    // (presumably set by the server integration — confirm against the web server code).
    String remoteHost = (String) request.getProperty("io.helidon.jaxrs.remote-host");
    Integer remotePort = (Integer) request.getProperty("io.helidon.jaxrs.remote-port");
    if (remoteHost != null) {
        envBuilder.addAttribute("userIp", remoteHost);
    }
    if (remotePort != null) {
        envBuilder.addAttribute("userPort", remotePort);
    }
    SecurityEnvironment env = envBuilder.build();

    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(filterContext.getMethodSecurity().getSecurityLevels())
            .build();

    // "secure" flag of the JAX-RS security context is derived from the target URI scheme.
    boolean secureTransport = "https".equals(filterContext.getTargetUri().getScheme());
    try {
        securityContext.env(env);
        securityContext.endpointConfig(endpointConfig);
        request.setProperty(PROP_FILTER_CONTEXT, filterContext);
        // context is needed even if authn/authz fails - for auditing
        request.setSecurityContext(new JerseySecurityContext(securityContext,
                                                             filterContext.getMethodSecurity(),
                                                             secureTransport));
        processSecurity(request, filterContext, tracing, securityContext);
    } finally {
        // Trace outcome is decided by the flag processSecurity leaves on the filter context,
        // so an exception thrown from it is recorded as a denial as well.
        if (filterContext.isTraceSuccess()) {
            tracing.logProceed();
            tracing.finish();
        } else {
            tracing.logDeny();
            tracing.error("aborted");
        }
    }
}

Example 25 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

the class GrpcSecurity method registerContext.

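/**
 * Creates the Helidon security context for a gRPC call and returns a gRPC {@link Context}
 * carrying it under {@code SECURITY_CONTEXT}. When a security context is already present in
 * the current gRPC context, that context is returned unchanged.
 *
 * @param call    the server call being intercepted
 * @param headers request metadata of the call; copied into the security environment as headers
 * @param <ReqT>  request type of the call
 * @param <RespT> response type of the call
 * @return gRPC context holding the security context for this call
 */
@SuppressWarnings("unchecked")
<ReqT, RespT> Context registerContext(ServerCall<ReqT, RespT> call, Metadata headers) {
    if (SECURITY_CONTEXT.get() != null) {
        // Security context already registered for this call: nothing to build.
        return Context.current();
    }

    SocketAddress remoteSocket = call.getAttributes().get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR);
    String address;
    int port = -1;
    if (remoteSocket instanceof InetSocketAddress) {
        InetSocketAddress inetSocket = (InetSocketAddress) remoteSocket;
        // NOTE(review): getHostName() may trigger a reverse DNS lookup for a literal-IP address
        // (see its Javadoc); kept as-is because ABAC rules may rely on the host name form.
        address = inetSocket.getHostName();
        port = inetSocket.getPort();
    } else {
        address = String.valueOf(remoteSocket);
    }

    Map<String, List<String>> headerMap = new HashMap<>();
    // Extra headers contributed through CONTEXT_ADD_HEADERS (raw Map — its declared type is not visible here).
    Map mapExtra = CONTEXT_ADD_HEADERS.get();
    if (mapExtra != null) {
        headerMap.putAll(mapExtra);
    }
    for (String name : headers.keys()) {
        // Metadata.Key.of(name, ASCII_STRING_MARSHALLER) rejects names with the binary "-bin" suffix
        // with an IllegalArgumentException. Such keys can arrive from any client, so they are skipped
        // instead of failing the whole call before the security context exists.
        if (name.endsWith(Metadata.BINARY_HEADER_SUFFIX)) {
            continue;
        }
        Metadata.Key key = Metadata.Key.of(name, Metadata.ASCII_STRING_MARSHALLER);
        Iterable<Object> iterable = headers.getAll(key);
        List<String> values = new ArrayList<>();
        if (iterable != null) {
            for (Object o : iterable) {
                values.add(String.valueOf(o));
            }
        }
        headerMap.put(name, values);
    }

    MethodDescriptor<ReqT, RespT> methodDescriptor = call.getMethodDescriptor();
    String methodName = methodDescriptor.getFullMethodName();
    // The full gRPC method name serves as both path and method of the security environment.
    SecurityEnvironment env = security.environmentBuilder()
            .path(methodName)
            .method(methodName)
            .headers(headerMap)
            .addAttribute(ABAC_ATTRIBUTE_REMOTE_ADDRESS, address)
            .addAttribute(ABAC_ATTRIBUTE_REMOTE_PORT, port)
            .addAttribute(ABAC_ATTRIBUTE_HEADERS, headers)
            .addAttribute(ABAC_ATTRIBUTE_METHOD, methodDescriptor)
            .transport("grpc")
            .build();
    // No annotations are available for gRPC methods here, so the endpoint config is empty.
    EndpointConfig ec = EndpointConfig.builder().build();

    Span span = OpenTracingContextKey.getKey().get();
    SpanContext spanContext = span == null ? null : span.context();
    SecurityContext context = security.contextBuilder(String.valueOf(SECURITY_COUNTER.incrementAndGet()))
            .tracingSpan(spanContext)
            .env(env)
            .endpointConfig(ec)
            .build();
    // Also expose the security context through the Helidon context, when one is active.
    Contexts.context().ifPresent(ctx -> ctx.register(context));
    return Context.current().withValue(SECURITY_CONTEXT, context);
}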
