Use of io.helidon.security.EndpointConfig in project helidon by oracle.
The class WebSecurity, method registerContext.
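/**
 * Registers a {@link SecurityContext} (and the default handler) in the request context
 * when none is present yet, then passes the request on with {@code req.next()}.
 * <p>
 * The security environment records the request line (URI, path, method), the remote
 * address and port, the transport ({@code "https"} when the request is secure, otherwise
 * {@code "http"}) and the request headers merged with any headers an earlier filter stored
 * in the context under {@code CONTEXT_ADD_HEADERS}.
 *
 * @param req the incoming request; its context receives the security context
 * @param res the response (not used by this method)
 */
private void registerContext(ServerRequest req, ServerResponse res) {
    // Mutable copy so the merge below never writes into the request's own header map.
    Map<String, List<String>> allHeaders = new HashMap<>(req.headers().toMap());
    // Headers added by earlier filters. The context only knows the raw Map, so the element
    // types are asserted once here instead of carrying a raw type through the method.
    // Context entries replace request headers of the same name.
    @SuppressWarnings("unchecked")
    Optional<Map<String, List<String>>> newHeaders = req.context()
            .get(CONTEXT_ADD_HEADERS, Map.class)
            .map(headers -> (Map<String, List<String>>) headers);
    newHeaders.ifPresent(allHeaders::putAll);
    // make sure there is no context
    if (!req.context().get(SecurityContext.class).isPresent()) {
        SecurityEnvironment env = security.environmentBuilder()
                .targetUri(req.uri())
                .path(req.path().toString())
                .method(req.method().name())
                // NOTE(review): remoteAddress() is presumably the TCP peer, so behind a
                // reverse proxy "userIp" would be the proxy's address — confirm before
                // relying on this attribute in authorization policy.
                .addAttribute("userIp", req.remoteAddress())
                .addAttribute("userPort", req.remotePort())
                .transport(req.isSecure() ? "https" : "http")
                .headers(allHeaders)
                .build();
        // Empty endpoint configuration: nothing endpoint-specific is known at this point.
        EndpointConfig ec = EndpointConfig.builder().build();
        // Context ids are taken from SECURITY_COUNTER so each context gets a distinct one.
        SecurityContext.Builder contextBuilder = security
                .contextBuilder(String.valueOf(SECURITY_COUNTER.incrementAndGet()))
                .env(env)
                .endpointConfig(ec);
        // only register if exists
        req.spanContext().ifPresent(contextBuilder::tracingSpan);
        SecurityContext context = contextBuilder.build();
        req.context().register(context);
        req.context().register(defaultHandler);
    }
    req.next();
}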
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
The class AbacProvider, method syncAuthorize.
/**
 * Authorizes the request by running every ABAC validator that applies to the endpoint.
 * <p>
 * A validator's configuration is resolved in order of preference: an explicit config
 * object registered on the endpoint, then a child node of the {@code CONFIG_KEY} config
 * section, then the supported annotations present on any security level. Each resolved
 * validator is run against the request; any error it records yields a {@code FAILURE}
 * response whose description is the collected error text. When nothing recorded an error
 * — including the case where no validator applied to this endpoint — the request is
 * permitted.
 *
 * @param providerRequest request whose endpoint configuration is evaluated
 * @return permit when no validation error was collected, otherwise a failure response
 */
@Override
protected AuthorizationResponse syncAuthorize(ProviderRequest providerRequest) {
    Errors.Collector collector = Errors.collector();
    List<RuntimeAttribute> resolved = new ArrayList<>();
    EndpointConfig epConfig = providerRequest.endpointConfig();

    // Up-front checks: unsupported "Attribute" annotations, abac config children no
    // validator handles, and custom objects that implement AttributeConfig.
    validateAnnotations(epConfig, collector);
    validateConfig(epConfig, collector);
    validateCustom(epConfig, collector);

    Optional<Config> abacConfig = epConfig.config(CONFIG_KEY);
    for (var validator : validators) {
        Class<? extends AbacValidatorConfig> configClass = validator.configClass();
        String configKey = validator.configKey();
        Collection<Class<? extends Annotation>> supported = validator.supportedAnnotations();

        // 1. explicit config object on the endpoint
        Optional<? extends AbacValidatorConfig> explicit = epConfig.instance(configClass);
        if (explicit.isPresent()) {
            resolved.add(new RuntimeAttribute(validator, explicit.get()));
            continue;
        }
        // 2. configuration node under the validator's key
        var fromConfig = abacConfig.flatMap(it -> it.get(configKey).asNode().asOptional());
        if (fromConfig.isPresent()) {
            resolved.add(new RuntimeAttribute(validator, validator.fromConfig(fromConfig.get())));
            continue;
        }
        // 3. annotations — the validator is only configured if one it supports is present
        if (anySupportedAnnotationPresent(epConfig, supported)) {
            resolved.add(new RuntimeAttribute(validator, validator.fromAnnotations(epConfig)));
        }
    }

    for (RuntimeAttribute attribute : resolved) {
        validate(attribute.getValidator(), attribute.getConfig(), collector, providerRequest);
    }

    Errors errors = collector.collect();
    // NOTE(review): the description echoes the collected error text; check what callers
    // surface from it before adding detail to validator messages.
    return errors.isValid()
            ? AuthorizationResponse.permit()
            : AuthorizationResponse.builder()
                    .status(SecurityResponse.SecurityStatus.FAILURE)
                    .description(errors.toString())
                    .build();
}

/**
 * Returns whether at least one of the supported annotations is present on any security
 * level of the endpoint, in any annotation scope.
 */
private static boolean anySupportedAnnotationPresent(EndpointConfig epConfig,
                                                     Collection<Class<? extends Annotation>> supported) {
    int found = 0;
    for (SecurityLevel securityLevel : epConfig.securityLevels()) {
        for (Class<? extends Annotation> annotation : supported) {
            found += securityLevel
                    .combineAnnotations(annotation, EndpointConfig.AnnotationScope.values())
                    .size();
        }
    }
    return found > 0;
}
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
The class HeaderAtnProviderTest, method testOutbound.
/**
 * Outbound propagation with the fully configured provider: the call is reported as
 * supported and the {@code "Custom"} request header carries exactly one value built from
 * the current user's principal name ({@code "bearer username"}).
 */
@Test
public void testOutbound() {
    HeaderAtnProvider provider = getFullProvider();

    // Inbound side: an environment and a security context holding a user but no service.
    SecurityEnvironment inboundEnv = outboundEnv();
    Subject user = Subject.builder()
            .addPrincipal(Principal.create("username"))
            .build();
    SecurityContext securityContext = mock(SecurityContext.class);
    when(securityContext.user()).thenReturn(Optional.of(user));
    when(securityContext.service()).thenReturn(Optional.empty());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(inboundEnv);
    when(request.securityContext()).thenReturn(securityContext);

    // Outbound target: a fresh environment and an empty endpoint configuration.
    SecurityEnvironment target = outboundEnv();
    EndpointConfig targetEndpoint = EndpointConfig.create();
    assertThat("Outbound should be supported",
               provider.isOutboundSupported(request, target, targetEndpoint),
               is(true));

    OutboundSecurityResponse response = provider.syncOutbound(request, target, targetEndpoint);
    List<String> customHeader = response.requestHeaders().get("Custom");
    assertThat(customHeader, notNullValue());
    assertThat(customHeader.size(), is(1));
    assertThat(customHeader.get(0), is("bearer username"));
}
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
The class HeaderAtnProviderTest, method testNoOutbound.
/**
 * With the provider built by {@code getNoSecurityProvider()}, outbound propagation is
 * not supported even though the request carries an authenticated user.
 */
@Test
public void testNoOutbound() {
    HeaderAtnProvider provider = getNoSecurityProvider();

    // Security context with a user principal and no service identity.
    Subject user = Subject.builder()
            .addPrincipal(Principal.create("username"))
            .build();
    SecurityContext securityContext = mock(SecurityContext.class);
    when(securityContext.user()).thenReturn(Optional.of(user));
    when(securityContext.service()).thenReturn(Optional.empty());

    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(SecurityEnvironment.create());
    when(request.securityContext()).thenReturn(securityContext);

    // Default environment and empty endpoint configuration for the outbound call.
    SecurityEnvironment target = SecurityEnvironment.create();
    EndpointConfig targetEndpoint = EndpointConfig.create();
    assertThat("Outbound should not be supported",
               provider.isOutboundSupported(request, target, targetEndpoint),
               is(false));
}
Use of io.helidon.security.EndpointConfig in project helidon by oracle.
The class AbacProviderTest, method testExistingValidatorFail.
/**
 * A registered validator whose attribute evaluates to {@code false} must produce a
 * {@code FAILURE} response, and the response description must carry the validator's
 * error text.
 */
@Test
public void testExistingValidatorFail() {
    // Attrib1 annotation instance the validator will reject (value() == false).
    Attrib1 failingAttribute = Mockito.mock(Attrib1.class);
    when(failingAttribute.value()).thenReturn(false);
    doReturn(Attrib1.class).when(failingAttribute).annotationType();

    // Endpoint carrying that attribute as a class-level annotation.
    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(failingAttribute)))
            .build();
    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(endpointConfig);

    AbacProvider provider = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();
    AuthorizationResponse response = provider.syncAuthorize(request);

    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    // Presumably the text Attrib1Validator reports when value() is false.
    response.description()
            .ifPresent(desc -> assertThat(desc, containsString("Intentional unit test failure")));
}