
Example 26 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

From class WebSecurity, method registerContext.

/**
 * Web-server handler that makes sure every request carries a {@link SecurityContext}.
 *
 * If a context is already registered in the request context (e.g. by an earlier handler)
 * it is left untouched. Otherwise a new one is built from the request: target URI, path,
 * HTTP method, the peer address and port (as the {@code userIp}/{@code userPort}
 * attributes), the transport ({@code "https"} when the connection is secure, else
 * {@code "http"}) and the request headers merged with any extra headers found under
 * {@code CONTEXT_ADD_HEADERS} in the request context. The request is always forwarded
 * with {@code req.next()}.
 *
 * Security notes for maintainers:
 * <ul>
 *   <li>{@code userIp} is whatever {@code req.remoteAddress()} reports - presumably the
 *       direct peer. Behind a reverse proxy or load balancer that is the proxy, not the
 *       end user; do not base client-identity decisions on it without accounting for that.</li>
 *   <li>Extra headers from {@code CONTEXT_ADD_HEADERS} are merged with {@code putAll}, so
 *       they override same-named request headers in the security environment. Anything able
 *       to write that context entry can therefore influence what authentication and
 *       authorization providers see; only trusted in-process code should write it.</li>
 *   <li>The context id is a plain sequential counter value, i.e. predictable; treat it as a
 *       correlation id, not as a secret.</li>
 *   <li>The endpoint config registered here is built with no settings; endpoint-specific
 *       security configuration is expected to be applied later (presumably by the
 *       registered default handler - confirm).</li>
 * </ul>
 *
 * @param req the current request; its context receives the new SecurityContext and the default handler
 * @param res the response; unused here, present only because of the handler signature
 */
private void registerContext(ServerRequest req, ServerResponse res) {
    boolean contextPresent = req.context().get(SecurityContext.class).isPresent();
    if (contextPresent) {
        // Never replace a context somebody else already registered; just continue the chain.
        req.next();
        return;
    }

    // Request headers plus anything a previous handler asked to be added to the environment.
    // Context-supplied entries win over request headers with the same name.
    Map<String, List<String>> headers = new HashMap<>(req.headers().toMap());
    Optional<Map> extraHeaders = req.context().get(CONTEXT_ADD_HEADERS, Map.class);
    extraHeaders.ifPresent(headers::putAll);

    String transport = req.isSecure() ? "https" : "http";
    SecurityEnvironment environment = security.environmentBuilder()
            .targetUri(req.uri())
            .path(req.path().toString())
            .method(req.method().name())
            .addAttribute("userIp", req.remoteAddress())
            .addAttribute("userPort", req.remotePort())
            .transport(transport)
            .headers(headers)
            .build();

    // Each context gets a unique id taken from the shared counter.
    String contextId = String.valueOf(SECURITY_COUNTER.incrementAndGet());
    SecurityContext.Builder builder = security.contextBuilder(contextId)
            .env(environment)
            .endpointConfig(EndpointConfig.builder().build());
    // Attach the tracing span only when the request actually has one.
    req.spanContext().ifPresent(builder::tracingSpan);

    req.context().register(builder.build());
    req.context().register(defaultHandler);
    req.next();
}

Example 27 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

From class AbacProvider, method syncAuthorize.

/**
 * Runs attribute-based access control for the requested endpoint.
 *
 * First every "Attribute" annotation, every child of the abac configuration node and every
 * custom object on the endpoint is checked against the registered validators; anything this
 * provider does not understand is recorded in the error collector, so misconfiguration fails
 * closed rather than being silently ignored. Then, for each registered validator, its
 * configuration is resolved in order of preference - an explicit instance of its config
 * class on the endpoint, then its key under the abac config node, then its supported
 * annotations on any security level - and the validator is applied to the request.
 *
 * Security notes for maintainers:
 * <ul>
 *   <li>A validator whose config class, config key and annotations are all absent is
 *       simply skipped. If no validator applies at all and validation raised no errors, the
 *       result is {@code permit}: this provider does not deny by default, so endpoints without
 *       ABAC attributes must be protected by other means.</li>
 *   <li>On failure the response description is {@code errors.toString()}, i.e. the collected
 *       validation messages. If a caller surfaces descriptions to clients this may reveal
 *       configuration detail - confirm how descriptions are exposed before relying on it.</li>
 * </ul>
 *
 * @param providerRequest the request, of which only the endpoint configuration is used here
 *                        (and whatever {@code validate} reads from it)
 * @return {@code permit} when the collector holds no errors, otherwise a FAILURE response
 *         whose description lists the collected errors
 */
@Override
protected AuthorizationResponse syncAuthorize(ProviderRequest providerRequest) {
    EndpointConfig epConfig = providerRequest.endpointConfig();
    Errors.Collector collector = Errors.collector();

    // Reject anything we cannot interpret: unsupported "Attribute" annotations,
    // abac config children no validator owns, and unsupported custom objects.
    validateAnnotations(epConfig, collector);
    validateConfig(epConfig, collector);
    validateCustom(epConfig, collector);

    Optional<Config> abacConfig = epConfig.config(CONFIG_KEY);
    List<RuntimeAttribute> applicable = new ArrayList<>();

    for (var validator : validators) {
        // 1. explicit configuration object registered on the endpoint
        Class<? extends AbacValidatorConfig> configClass = validator.configClass();
        Optional<? extends AbacValidatorConfig> explicit = epConfig.instance(configClass);
        if (explicit.isPresent()) {
            applicable.add(new RuntimeAttribute(validator, explicit.get()));
            continue;
        }
        // 2. the validator's own key under the abac config node
        String configKey = validator.configKey();
        Optional<Config> validatorConfig = abacConfig.flatMap(cfg -> cfg.get(configKey).asNode().asOptional());
        if (validatorConfig.isPresent()) {
            applicable.add(new RuntimeAttribute(validator, validator.fromConfig(validatorConfig.get())));
            continue;
        }
        // 3. one of the validator's annotations on some security level
        if (endpointCarriesAnnotation(epConfig, validator.supportedAnnotations())) {
            applicable.add(new RuntimeAttribute(validator, validator.fromAnnotations(epConfig)));
        }
    }

    for (RuntimeAttribute attribute : applicable) {
        validate(attribute.getValidator(), attribute.getConfig(), collector, providerRequest);
    }

    Errors errors = collector.collect();
    if (!errors.isValid()) {
        return AuthorizationResponse.builder()
                .status(SecurityResponse.SecurityStatus.FAILURE)
                .description(errors.toString())
                .build();
    }
    return AuthorizationResponse.permit();
}

/**
 * Whether any security level of the endpoint carries at least one of the given annotation
 * types, in any annotation scope.
 *
 * @param epConfig    endpoint configuration whose security levels are inspected
 * @param annotations annotation types supported by a validator
 * @return {@code true} if at least one matching annotation instance was found
 */
private static boolean endpointCarriesAnnotation(EndpointConfig epConfig,
                                                 Collection<Class<? extends Annotation>> annotations) {
    List<Annotation> found = new ArrayList<>();
    for (SecurityLevel level : epConfig.securityLevels()) {
        for (Class<? extends Annotation> annotation : annotations) {
            found.addAll(level.combineAnnotations(annotation, EndpointConfig.AnnotationScope.values()));
        }
    }
    return !found.isEmpty();
}

Example 28 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

From class HeaderAtnProviderTest, method testOutbound.

/**
 * A fully configured provider must support outbound security and must propagate the
 * current user's principal name in the configured "Custom" header as {@code bearer <name>}.
 *
 * Note for reviewers: the value sent here is the bare principal name, not a signed token.
 * Whether a receiving service may trust such a header depends entirely on the channel
 * between the two services; this test only pins the provider's formatting behaviour.
 */
@Test
public void testOutbound() {
    HeaderAtnProvider provider = getFullProvider();

    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(outboundEnv());

    // Authenticated user "username", no service identity.
    SecurityContext securityContext = mock(SecurityContext.class);
    Subject user = Subject.builder().addPrincipal(Principal.create("username")).build();
    when(securityContext.user()).thenReturn(Optional.of(user));
    when(securityContext.service()).thenReturn(Optional.empty());
    when(request.securityContext()).thenReturn(securityContext);

    SecurityEnvironment outboundEnv = outboundEnv();
    EndpointConfig outboundEndpoint = EndpointConfig.create();
    boolean supported = provider.isOutboundSupported(request, outboundEnv, outboundEndpoint);
    assertThat("Outbound should be supported", supported, is(true));

    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEndpoint);
    List<String> customHeader = response.requestHeaders().get("Custom");
    assertThat(customHeader, notNullValue());
    assertThat(customHeader.size(), is(1));
    assertThat(customHeader.get(0), is("bearer username"));
}

Example 29 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

From class HeaderAtnProviderTest, method testNoOutbound.

/**
 * A provider built without outbound security must report outbound as unsupported, even
 * when an authenticated user is present - i.e. it must not leak the principal name into
 * outgoing requests unless explicitly configured to do so.
 */
@Test
public void testNoOutbound() {
    HeaderAtnProvider provider = getNoSecurityProvider();

    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(SecurityEnvironment.create());

    // An authenticated user is available, so "unsupported" cannot be blamed on a missing subject.
    SecurityContext securityContext = mock(SecurityContext.class);
    Subject user = Subject.builder().addPrincipal(Principal.create("username")).build();
    when(securityContext.user()).thenReturn(Optional.of(user));
    when(securityContext.service()).thenReturn(Optional.empty());
    when(request.securityContext()).thenReturn(securityContext);

    boolean supported = provider.isOutboundSupported(request,
                                                     SecurityEnvironment.create(),
                                                     EndpointConfig.create());
    assertThat("Outbound should not be supported", supported, is(false));
}

Example 30 with EndpointConfig

use of io.helidon.security.EndpointConfig in project helidon by oracle.

From class AbacProviderTest, method testExistingValidatorFail.

/**
 * When a registered validator rejects the request, the provider must answer FAILURE and
 * carry the validator's reason in the response description.
 *
 * The endpoint is given a single class-level {@code @Attrib1(false)} annotation; the text
 * "Intentional unit test failure" is presumably produced by {@code Attrib1Validator}
 * (defined outside this method).
 */
@Test
public void testExistingValidatorFail() {
    AbacProvider provider = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();

    // Mocked annotation instance evaluating to false. annotationType() is stubbed with
    // doReturn(...) because its wildcard return type does not accept Attrib1.class via when(...).
    Attrib1 failingAnnotation = Mockito.mock(Attrib1.class);
    when(failingAnnotation.value()).thenReturn(false);
    doReturn(Attrib1.class).when(failingAnnotation).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(failingAnnotation)))
            .build();
    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpointConfig);

    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description()
            .ifPresent(text -> assertThat(text, containsString("Intentional unit test failure")));
}
