Use of io.helidon.security.EndpointConfig in the helidon project by oracle.
The class ScopeValidatorTest, method testScopesAndPermit.
/**
 * A subject that carries every scope required by the endpoint must pass validation
 * with a validator created with defaults (the AND semantics the test name refers to).
 * The endpoint is a mocked {@code EndpointConfig} whose class-level security level
 * declares {@code @Scopes({@Scope("calendar_get"), @Scope("calendar_update")})}.
 */
@Test
public void testScopesAndPermit() {
    ScopeValidator validator = ScopeValidator.create();

    // the two @Scope annotations the endpoint requires
    ScopeValidator.Scope getScope = mock(ScopeValidator.Scope.class);
    when(getScope.value()).thenReturn("calendar_get");
    ScopeValidator.Scope updateScope = mock(ScopeValidator.Scope.class);
    when(updateScope.value()).thenReturn("calendar_update");
    ScopeValidator.Scopes scopesAnnotation = mock(ScopeValidator.Scopes.class);
    when(scopesAnnotation.value()).thenReturn(new ScopeValidator.Scope[] {getScope, updateScope});

    // only the class-level security level contributes annotations; the app level stays empty
    SecurityLevel appLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(ScopeValidator.Scopes.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(scopesAnnotation));
    List<SecurityLevel> levels = new ArrayList<>(List.of(appLevel, classLevel));

    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);
    ScopeValidator.ScopesConfig scopesConfig = validator.fromAnnotations(endpoint);

    // subject holding both required scopes as "scope" grants
    Grant getGrant = Grant.builder().type("scope").name("calendar_get").build();
    Grant updateGrant = Grant.builder().type("scope").name("calendar_update").build();
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(getGrant)
            .addGrant(updateGrant)
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(scopesConfig, collector, request);
    // throws if any error was collected
    collector.collect().checkValid();
}
Use of io.helidon.security.EndpointConfig in the helidon project by oracle.
The class ScopeValidatorTest, method testScopesOrDeny.
/**
 * With the OR operator enabled, a subject holding none of the required scopes must
 * still be rejected: the endpoint requires {@code calendar_get} or {@code calendar_update},
 * the subject only carries {@code calendar_other}.
 */
@Test
public void testScopesOrDeny() {
    ScopeValidator validator = ScopeValidator.builder().useOrOperator(true).build();

    // the two @Scope annotations the endpoint requires (either one would suffice)
    ScopeValidator.Scope getScope = mock(ScopeValidator.Scope.class);
    when(getScope.value()).thenReturn("calendar_get");
    ScopeValidator.Scope updateScope = mock(ScopeValidator.Scope.class);
    when(updateScope.value()).thenReturn("calendar_update");
    ScopeValidator.Scopes scopesAnnotation = mock(ScopeValidator.Scopes.class);
    when(scopesAnnotation.value()).thenReturn(new ScopeValidator.Scope[] {getScope, updateScope});

    // only the class-level security level contributes annotations; the app level stays empty
    SecurityLevel appLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(ScopeValidator.Scopes.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(scopesAnnotation));
    List<SecurityLevel> levels = new ArrayList<>(List.of(appLevel, classLevel));

    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);
    ScopeValidator.ScopesConfig scopesConfig = validator.fromAnnotations(endpoint);

    // subject with an unrelated scope only
    Grant otherGrant = Grant.builder().type("scope").name("calendar_other").build();
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(otherGrant)
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(scopesConfig, collector, request);
    boolean valid = collector.collect().isValid();
    if (valid) {
        fail("User does not have any of the required scopes, should have failed");
    }
}
Use of io.helidon.security.EndpointConfig in the helidon project by oracle.
The class TimeValidator, method fromAnnotations.
/**
 * Builds the time restrictions of an endpoint from its annotations.
 * <p>
 * Every security level of the endpoint is inspected for every annotation scope, collecting
 * the annotations returned by {@code supportedAnnotations()}; {@code DaysOfWeek},
 * {@code TimesOfDay} and {@code TimeOfDay} each add their restriction to the builder.
 *
 * @param endpointConfig endpoint whose security levels carry the annotations
 * @return time configuration accumulated from all matching annotations
 * @throws java.time.format.DateTimeParseException if a {@code from}/{@code to} value is not an ISO local time
 */
@Override
public TimeConfig fromAnnotations(EndpointConfig endpointConfig) {
    TimeConfig.Builder builder = TimeConfig.builder();
    for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
        for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
            // gather first, apply afterwards - same order as the supported annotation types
            List<Annotation> found = new ArrayList<>();
            for (Class<? extends Annotation> type : supportedAnnotations()) {
                found.addAll(securityLevel.filterAnnotations(type, scope));
            }
            found.forEach(annotation -> applyTimeAnnotation(builder, annotation));
        }
    }
    return builder.build();
}

// Adds the restriction expressed by one annotation; annotations of other types are ignored.
private void applyTimeAnnotation(TimeConfig.Builder builder, Annotation annotation) {
    if (annotation instanceof DaysOfWeek) {
        for (DayOfWeek day : ((DaysOfWeek) annotation).value()) {
            builder.addDaysOfWeek(day);
        }
    } else if (annotation instanceof TimesOfDay) {
        for (TimeOfDay window : ((TimesOfDay) annotation).value()) {
            addTimeWindow(builder, window);
        }
    } else if (annotation instanceof TimeOfDay) {
        addTimeWindow(builder, (TimeOfDay) annotation);
    }
}

// Registers one from/to window; both bounds are parsed as ISO local times.
private void addTimeWindow(TimeConfig.Builder builder, TimeOfDay window) {
    builder.addBetween(LocalTime.parse(window.from()), LocalTime.parse(window.to()));
}
Use of io.helidon.security.EndpointConfig in the helidon project by oracle.
The class SecurityFilterCommon, method doFilter.
/**
 * Runs security processing for one JAX-RS request.
 * <p>
 * Builds the {@code SecurityEnvironment} (path, target URI, method, headers, original request
 * URI, remote host/port when the server exposes them), attaches it together with the endpoint
 * configuration to the security context, installs the Jersey security context and delegates to
 * {@code processSecurity}. Tracing is always finished, whether security passed or not.
 *
 * @param request         the request being filtered
 * @param securityContext security context of this request
 */
protected void doFilter(ContainerRequestContext request, SecurityContext securityContext) {
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    SecurityFilter.FilterContext filterContext = initRequestFiltering(request);
    if (filterContext.isShouldFinish()) {
        // nothing to secure (404) - close the trace and leave
        tracing.finish();
        return;
    }

    URI requestUri = request.getUriInfo().getRequestUri();
    String path = requestUri.getPath();
    String query = requestUri.getQuery();
    String origRequest = (query == null || query.isEmpty()) ? path : path + "?" + query;

    Map<String, List<String>> allHeaders = new HashMap<>(filterContext.getHeaders());
    // set by the filter itself: overwrites any same-named entry copied from the request
    allHeaders.put(Security.HEADER_ORIG_URI, List.of(origRequest));

    SecurityEnvironment.Builder envBuilder = SecurityEnvironment.builder(security.serverTime())
            .path(filterContext.getResourcePath())
            .targetUri(filterContext.getTargetUri())
            .method(filterContext.getMethod())
            .headers(allHeaders)
            .addAttribute("resourceType", filterContext.getResourceName());

    // The following two lines are not possible in JAX-RS or Jersey - we would have to touch
    // underlying web server's request...
    String remoteHost = (String) request.getProperty("io.helidon.jaxrs.remote-host");
    Integer remotePort = (Integer) request.getProperty("io.helidon.jaxrs.remote-port");
    if (null != remoteHost) {
        envBuilder.addAttribute("userIp", remoteHost);
    }
    if (null != remotePort) {
        envBuilder.addAttribute("userPort", remotePort);
    }
    SecurityEnvironment env = envBuilder.build();

    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(filterContext.getMethodSecurity().getSecurityLevels())
            .build();

    try {
        securityContext.env(env);
        securityContext.endpointConfig(endpointConfig);
        request.setProperty(PROP_FILTER_CONTEXT, filterContext);
        // context is needed even if authn/authz fails - for auditing
        // NOTE(review): the "secure" flag is a case-sensitive scheme comparison; assumes the
        // target URI carries a lower-case scheme - confirm against the server's URI handling
        request.setSecurityContext(new JerseySecurityContext(securityContext,
                                                             filterContext.getMethodSecurity(),
                                                             "https".equals(filterContext.getTargetUri().getScheme())));
        processSecurity(request, filterContext, tracing, securityContext);
    } finally {
        if (filterContext.isTraceSuccess()) {
            tracing.logProceed();
            tracing.finish();
        } else {
            tracing.logDeny();
            tracing.error("aborted");
        }
    }
}
Use of io.helidon.security.EndpointConfig in the helidon project by oracle.
The class GrpcSecurity, method registerContext.
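/**
 * Creates (or reuses) the gRPC {@code Context} carrying the Helidon security context for a call.
 * <p>
 * When no security context is registered yet, a {@code SecurityEnvironment} is built from the
 * call's remote address, its full method name and its string metadata, a fresh
 * {@code SecurityContext} is created from it, registered with the Helidon context and attached
 * to the gRPC context under {@code SECURITY_CONTEXT}. Otherwise the current gRPC context is
 * returned unchanged.
 *
 * @param call    the server call being intercepted
 * @param headers request metadata of the call
 * @param <ReqT>  request type of the call
 * @param <RespT> response type of the call
 * @return gRPC context holding the security context
 */
@SuppressWarnings("unchecked")
<ReqT, RespT> Context registerContext(ServerCall<ReqT, RespT> call, Metadata headers) {
    Context grpcContext;
    if (SECURITY_CONTEXT.get() == null) {
        SocketAddress remoteSocket = call.getAttributes().get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR);
        String address;
        int port = -1;
        if (remoteSocket instanceof InetSocketAddress) {
            InetSocketAddress inetSocket = (InetSocketAddress) remoteSocket;
            // NOTE(review): getHostName() may perform a reverse DNS lookup on every call;
            // getHostString() would avoid it but changes the attribute value - confirm before switching
            address = inetSocket.getHostName();
            port = inetSocket.getPort();
        } else {
            // also covers a missing address: yields "null"
            address = String.valueOf(remoteSocket);
        }

        Map<String, List<String>> headerMap = new HashMap<>();
        // extra headers registered through CONTEXT_ADD_HEADERS come first, request metadata wins
        Map mapExtra = CONTEXT_ADD_HEADERS.get();
        if (mapExtra != null) {
            headerMap.putAll(mapExtra);
        }
        for (String name : headers.keys()) {
            // grpc-java rejects an ASCII key for a name ending in "-bin" (IllegalArgumentException),
            // so binary headers are left out of the string map; the raw Metadata is still available
            // to ABAC through ABAC_ATTRIBUTE_HEADERS below
            if (name.endsWith(Metadata.BINARY_HEADER_SUFFIX)) {
                continue;
            }
            Metadata.Key<String> key = Metadata.Key.of(name, Metadata.ASCII_STRING_MARSHALLER);
            // getAll() returns null when the key has no entries
            Iterable<String> iterable = headers.getAll(key);
            List<String> values = new ArrayList<>();
            if (iterable != null) {
                for (String value : iterable) {
                    values.add(String.valueOf(value));
                }
            }
            headerMap.put(name, values);
        }

        MethodDescriptor<ReqT, RespT> methodDescriptor = call.getMethodDescriptor();
        String methodName = methodDescriptor.getFullMethodName();
        SecurityEnvironment env = security.environmentBuilder()
                .path(methodName)
                .method(methodName)
                .headers(headerMap)
                .addAttribute(ABAC_ATTRIBUTE_REMOTE_ADDRESS, address)
                .addAttribute(ABAC_ATTRIBUTE_REMOTE_PORT, port)
                .addAttribute(ABAC_ATTRIBUTE_HEADERS, headers)
                .addAttribute(ABAC_ATTRIBUTE_METHOD, methodDescriptor)
                .transport("grpc")
                .build();
        // gRPC has no per-endpoint annotations here - empty endpoint configuration
        EndpointConfig ec = EndpointConfig.builder().build();

        Span span = OpenTracingContextKey.getKey().get();
        SpanContext spanContext = span == null ? null : span.context();
        // the counter gives each call a unique security context id
        SecurityContext context = security.contextBuilder(String.valueOf(SECURITY_COUNTER.incrementAndGet()))
                .tracingSpan(spanContext)
                .env(env)
                .endpointConfig(ec)
                .build();
        Contexts.context().ifPresent(ctx -> ctx.register(context));
        grpcContext = Context.current().withValue(SECURITY_CONTEXT, context);
    } else {
        grpcContext = Context.current();
    }
    return grpcContext;
}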