Example 6 with OutboundSecurityResponse

use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.

Class JwtAuthTest, method testRsa:

@Test
void testRsa() {
    String username = "user1";
    String userId = "user1-id";
    String email = "user1@example.org";
    String familyName = "Novak";
    String givenName = "Standa";
    String fullName = "Standa Novak";
    Locale locale = Locale.CANADA_FRENCH;
    Principal principal = Principal.builder()
            .name(username)
            .id(userId)
            .addAttribute("email", email)
            .addAttribute("email_verified", true)
            .addAttribute("family_name", familyName)
            .addAttribute("given_name", givenName)
            .addAttribute("full_name", fullName)
            .addAttribute("locale", locale)
            .build();
    Subject subject = Subject.create(principal);
    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));
    io.helidon.security.SecurityContext context = Mockito.mock(io.helidon.security.SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/rsa")
            .transport("http")
            .targetUri(URI.create("http://localhost:8080/rsa"))
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    String signedToken = response.requestHeaders().get("Authorization").get(0);
    // authenticated: the signed token produced by the outbound provider is accepted by the protected endpoint
    String httpResponse = target.path("/hello")
            .request()
            .header("Authorization", signedToken)
            .get(String.class);
    assertThat(httpResponse, is("Hello user1"));
    httpResponse = target.path("/public").path("/hello")
            .request()
            .header("Authorization", signedToken)
            .get(String.class);
    assertThat(httpResponse, is("Hello user1"));
}
Also used : Locale(java.util.Locale) SecurityEnvironment(io.helidon.security.SecurityEnvironment) JsonString(jakarta.json.JsonString) Principal(io.helidon.security.Principal) Subject(io.helidon.security.Subject) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) HelidonTest(io.helidon.microprofile.tests.junit5.HelidonTest) Test(org.junit.jupiter.api.Test)

Example 7 with OutboundSecurityResponse

use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.

Class HeaderAtnProviderTest, method testOutbound:

@Test
public void testOutbound() {
    HeaderAtnProvider provider = getFullProvider();
    SecurityEnvironment env = outboundEnv();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(env);
    SecurityContext sc = mock(SecurityContext.class);
    when(sc.user()).thenReturn(Optional.of(Subject.builder().addPrincipal(Principal.create("username")).build()));
    when(sc.service()).thenReturn(Optional.empty());
    when(request.securityContext()).thenReturn(sc);
    SecurityEnvironment outboundEnv = outboundEnv();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat("Outbound should be supported", provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    List<String> custom = response.requestHeaders().get("Custom");
    assertThat(custom, notNullValue());
    assertThat(custom.size(), is(1));
    String token = custom.get(0);
    assertThat(token, is("bearer username"));
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) Test(org.junit.jupiter.api.Test)

Example 8 with OutboundSecurityResponse

use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.

Class HttpBasicAuthProvider, method syncOutbound:

@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundEp) {
    // explicit username in request properties
    Optional<Object> maybeUsername = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_USER);
    if (maybeUsername.isPresent()) {
        String username = maybeUsername.get().toString();
        char[] password = passwordFromEndpoint(outboundEp);
        return toBasicAuthOutbound(outboundEnv, HttpBasicOutboundConfig.DEFAULT_TOKEN_HANDLER, username, password);
    }
    var target = outboundConfig.findTargetCustomObject(outboundEnv,
                                                       HttpBasicOutboundConfig.class,
                                                       HttpBasicOutboundConfig::create,
                                                       HttpBasicOutboundConfig::create);
    if (target.isEmpty()) {
        return OutboundSecurityResponse.abstain();
    }
    HttpBasicOutboundConfig outboundConfig = target.get();
    if (outboundConfig.hasExplicitUser()) {
        // use configured user
        return toBasicAuthOutbound(outboundEnv, outboundConfig.tokenHandler(), outboundConfig.explicitUser(), outboundConfig.explicitPassword());
    } else {
        // propagate current user (if possible)
        SecurityContext secContext = providerRequest.securityContext();
        // first try user
        Optional<BasicPrivateCredentials> creds = secContext.user().flatMap(this::credentialsFromSubject);
        if (creds.isEmpty()) {
            // if not present, try service
            creds = secContext.service().flatMap(this::credentialsFromSubject);
        }
    Optional<char[]> overridePassword = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_PASSWORD)
            .map(String::valueOf)
            .map(String::toCharArray);
        return creds.map(credentials -> {
            char[] password = overridePassword.orElse(credentials.password);
            return toBasicAuthOutbound(outboundEnv, outboundConfig.tokenHandler(), credentials.username, password);
        }).orElseGet(OutboundSecurityResponse::abstain);
    }
}
Also used : OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) ProviderRequest(io.helidon.security.ProviderRequest) HashMap(java.util.HashMap) UserStoreService(io.helidon.security.providers.httpauth.spi.UserStoreService) AuthenticationProvider(io.helidon.security.spi.AuthenticationProvider) Matcher(java.util.regex.Matcher) Map(java.util.Map) Subject(io.helidon.security.Subject) LinkedList(java.util.LinkedList) ConfiguredOption(io.helidon.config.metadata.ConfiguredOption) Config(io.helidon.config.Config) SubjectType(io.helidon.security.SubjectType) OutboundSecurityProvider(io.helidon.security.spi.OutboundSecurityProvider) Configured(io.helidon.config.metadata.Configured) SecurityProvider(io.helidon.security.spi.SecurityProvider) SynchronousProvider(io.helidon.security.spi.SynchronousProvider) ServiceLoader(java.util.ServiceLoader) SecurityContext(io.helidon.security.SecurityContext) HelidonServiceLoader(io.helidon.common.serviceloader.HelidonServiceLoader) TokenHandler(io.helidon.security.util.TokenHandler) Logger(java.util.logging.Logger) AuthenticationResponse(io.helidon.security.AuthenticationResponse) OutboundConfig(io.helidon.security.providers.common.OutboundConfig) Principal(io.helidon.security.Principal) StandardCharsets(java.nio.charset.StandardCharsets) SecurityResponse(io.helidon.security.SecurityResponse) Base64(java.util.Base64) List(java.util.List) EndpointConfig(io.helidon.security.EndpointConfig) SecurityEnvironment(io.helidon.security.SecurityEnvironment) OutboundTarget(io.helidon.security.providers.common.OutboundTarget) Role(io.helidon.security.Role) Optional(java.util.Optional) Pattern(java.util.regex.Pattern) SecurityContext(io.helidon.security.SecurityContext) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse)

Example 9 with OutboundSecurityResponse

use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.

Class HttpSignProviderTest, method testOutboundSignatureRsa:

@Test
public void testOutboundSignatureRsa() throws ExecutionException, InterruptedException {
    Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    // the generated host contains port as well, so we must explicitly define it here
    headers.put("host", List.of("example.org"));
    headers.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    headers.put("authorization", List.of("basic dXNlcm5hbWU6cGFzc3dvcmQ="));
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/my/resource")
            .targetUri(URI.create("http://example.org/my/resource"))
            .headers(headers)
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();
    boolean outboundSupported = getProvider().isOutboundSupported(request, outboundEnv, outboundEp);
    assertThat("Outbound should be supported", outboundSupported, is(true));
    OutboundSecurityResponse response = getProvider().outboundSecurity(request, outboundEnv, outboundEp).toCompletableFuture().get();
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    Map<String, List<String>> updatedHeaders = response.requestHeaders();
    assertThat(updatedHeaders, notNullValue());
    // and now the value of the Signature header: key id, algorithm, signed headers and the expected signature
    validateSignatureHeader(outboundEnv,
                            updatedHeaders.get("Signature").iterator().next(),
                            "rsa-key-12345",
                            "rsa-sha256",
                            List.of("date", "host", REQUEST_TARGET, "authorization"),
                            "Rm5PjuUdJ927esGQ2gm/6QBEM9IM7J5qSZuP8NV8+GXUf"
                                    + "boUV6ST2EYLYniFGt5/3BO/2+vqQdqezdTVPr/JCwqBx+9T9ZynG7YqRj"
                                    + "KvXzcmvQOu5vQmCK5x/HR0fXU41Pjq+jywsD0k6KdxF6TWr6tvWRbwFet"
                                    + "+YSb0088o/65Xeqghw7s0vShf7jPZsaaIHnvM9SjWgix9VvpdEn4NDvqh"
                                    + "ebieVD3Swb1VG5+/7ECQ9VAlX30U5/jQ5hPO3yuvRlg5kkMjJiN7tf/68"
                                    + "If/5O2Z4H+7VmW0b1U69/JoOQJA0av1gCX7HVfa/YTCxIK4UFiI6h963q"
                                    + "2x7LSkqhdWGA==");
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) List(java.util.List) TreeMap(java.util.TreeMap) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) Test(org.junit.jupiter.api.Test)

Example 10 with OutboundSecurityResponse

use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.

Class HttpSignProviderTest, method testOutboundSignatureHmac:

@Test
public void testOutboundSignatureHmac() throws ExecutionException, InterruptedException {
    Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    // the generated host contains port as well, so we must explicitly define it here
    headers.put("host", List.of("localhost"));
    headers.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/second/someOtherPath")
            .targetUri(URI.create("http://localhost/second/someOtherPath"))
            .headers(headers)
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();
    boolean outboundSupported = getProvider().isOutboundSupported(request, outboundEnv, outboundEp);
    assertThat("Outbound should be supported", outboundSupported, is(true));
    OutboundSecurityResponse response = getProvider().outboundSecurity(request, outboundEnv, outboundEp).toCompletableFuture().get();
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    Map<String, List<String>> updatedHeaders = response.requestHeaders();
    assertThat(updatedHeaders, notNullValue());
    // and now the value of the Signature header: key id, algorithm, signed headers and the expected signature
    validateSignatureHeader(outboundEnv,
                            updatedHeaders.get("Signature").iterator().next(),
                            "myServiceKeyId",
                            "hmac-sha256",
                            List.of("date", REQUEST_TARGET, "host"),
                            "SkeKVi6BoUd2/aUfXyIVIFAKEkKp7sg2KsS1UieB/+E=");
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) List(java.util.List) TreeMap(java.util.TreeMap) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) Test(org.junit.jupiter.api.Test)