use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.
the class JwtAuthTest method testRsa.
/**
 * Propagates a mocked user through {@code JwtAuthProvider.syncOutbound} for the {@code /rsa}
 * outbound target and checks that the resulting {@code Authorization} header is accepted by
 * the {@code /hello} and {@code /public/hello} resources, which answer with the user name.
 */
@Test
void testRsa() {
    // Identity of the user that is expected to be propagated.
    String loginName = "user1";
    String subjectId = "user1-id";
    String mail = "user1@example.org";
    String surname = "Novak";
    String firstName = "Standa";
    String displayName = "Standa Novak";
    Locale userLocale = Locale.CANADA_FRENCH;

    Principal user = Principal.builder()
            .name(loginName)
            .id(subjectId)
            .addAttribute("email", mail)
            .addAttribute("email_verified", true)
            .addAttribute("family_name", surname)
            .addAttribute("given_name", firstName)
            .addAttribute("full_name", displayName)
            .addAttribute("locale", userLocale)
            .build();
    Subject userSubject = Subject.create(user);

    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));

    // The provider request only needs to expose a security context holding the user subject.
    io.helidon.security.SecurityContext securityContext = Mockito.mock(io.helidon.security.SecurityContext.class);
    when(securityContext.user()).thenReturn(Optional.of(userSubject));
    ProviderRequest providerRequest = mock(ProviderRequest.class);
    when(providerRequest.securityContext()).thenReturn(securityContext);

    // Plain "http" to localhost: fine for a loopback test target; a bearer token sent to a
    // real outbound target needs TLS, since anyone who can read the header can replay it.
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/rsa")
            .transport("http")
            .targetUri(URI.create("http://localhost:8080/rsa"))
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();

    assertThat(provider.isOutboundSupported(providerRequest, outboundEnv, outboundEp), is(true));

    // NOTE(review): response.status() is not asserted before the header is read; a
    // non-success response would presumably fail on the header lookup instead of with a
    // clear assertion message - confirm and consider asserting the status first.
    OutboundSecurityResponse outbound = provider.syncOutbound(providerRequest, outboundEnv, outboundEp);
    String authorizationValue = outbound.requestHeaders().get("Authorization").get(0);

    // The server must accept the generated token and resolve it back to the same user.
    String body = target.path("/hello")
            .request()
            .header("Authorization", authorizationValue)
            .get(String.class);
    assertThat(body, is("Hello user1"));

    body = target.path("/public")
            .path("/hello")
            .request()
            .header("Authorization", authorizationValue)
            .get(String.class);
    assertThat(body, is("Hello user1"));
}
use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.
the class HeaderAtnProviderTest method testOutbound.
/**
 * Checks outbound propagation of the fully configured header provider: for a context with
 * only a user subject, the response must carry exactly one {@code Custom} header whose value
 * is {@code bearer username}.
 */
@Test
public void testOutbound() {
    HeaderAtnProvider provider = getFullProvider();

    SecurityEnvironment requestEnv = outboundEnv();
    ProviderRequest providerRequest = mock(ProviderRequest.class);
    when(providerRequest.env()).thenReturn(requestEnv);

    // Only a user is present in the context; the service subject is explicitly empty.
    SecurityContext securityContext = mock(SecurityContext.class);
    Subject caller = Subject.builder()
            .addPrincipal(Principal.create("username"))
            .build();
    when(securityContext.user()).thenReturn(Optional.of(caller));
    when(securityContext.service()).thenReturn(Optional.empty());
    when(providerRequest.securityContext()).thenReturn(securityContext);

    SecurityEnvironment outboundEnv = outboundEnv();
    EndpointConfig outboundEp = EndpointConfig.create();

    assertThat("Outbound should be supported",
               provider.isOutboundSupported(providerRequest, outboundEnv, outboundEp),
               is(true));

    OutboundSecurityResponse outbound = provider.syncOutbound(providerRequest, outboundEnv, outboundEp);

    // The propagated value is the bare principal name behind a prefix - it carries no
    // signature or secret, so a receiver can rely on it only when the sender itself is
    // authenticated by other means (presumably a trusted internal hop; confirm per deployment).
    List<String> customValues = outbound.requestHeaders().get("Custom");
    assertThat(customValues, notNullValue());
    assertThat(customValues.size(), is(1));

    String propagatedToken = customValues.get(0);
    assertThat(propagatedToken, is("bearer username"));
}
use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.
the class HttpBasicAuthProvider method syncOutbound.
/**
 * Resolves the credentials for an outbound call and hands them to {@code toBasicAuthOutbound}.
 *
 * <p>Credential sources, in order of precedence:
 * <ol>
 *   <li>a user name set on the endpoint configuration ({@code EP_PROPERTY_OUTBOUND_USER}),
 *       with the password taken from {@code passwordFromEndpoint};</li>
 *   <li>the explicit user and password of the outbound target matching {@code outboundEnv};</li>
 *   <li>the credentials of the current user, or of the current service when the user has
 *       none, with the password optionally replaced by {@code EP_PROPERTY_OUTBOUND_PASSWORD}.</li>
 * </ol>
 *
 * @param providerRequest request giving access to the current security context
 * @param outboundEnv environment of the outbound call, used to find the outbound target
 * @param outboundEp endpoint configuration that may carry explicit user/password attributes
 * @return the response built by {@code toBasicAuthOutbound}, or an abstain response when no
 *         target matches or no credentials can be obtained
 */
@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest,
                                                SecurityEnvironment outboundEnv,
                                                EndpointConfig outboundEp) {
    // An explicit endpoint user is honoured before any target lookup, so this branch is not
    // limited to configured outbound targets. NOTE(review): make sure these endpoint
    // attributes can only be set by trusted code, never derived from request input.
    Optional<Object> endpointUser = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_USER);
    if (endpointUser.isPresent()) {
        return toBasicAuthOutbound(outboundEnv,
                                   HttpBasicOutboundConfig.DEFAULT_TOKEN_HANDLER,
                                   endpointUser.get().toString(),
                                   passwordFromEndpoint(outboundEp));
    }

    var matchedTarget = outboundConfig.findTargetCustomObject(outboundEnv,
                                                              HttpBasicOutboundConfig.class,
                                                              HttpBasicOutboundConfig::create,
                                                              HttpBasicOutboundConfig::create);
    if (matchedTarget.isEmpty()) {
        // No configured target for this environment: do not attach credentials.
        return OutboundSecurityResponse.abstain();
    }

    HttpBasicOutboundConfig targetConfig = matchedTarget.get();
    if (targetConfig.hasExplicitUser()) {
        // Technical user configured for this target.
        return toBasicAuthOutbound(outboundEnv,
                                   targetConfig.tokenHandler(),
                                   targetConfig.explicitUser(),
                                   targetConfig.explicitPassword());
    }

    // Propagation: the caller's own user name and password are forwarded, so the target
    // receives reusable credentials. Targets should therefore be limited to trusted hosts
    // reached over TLS.
    SecurityContext callerContext = providerRequest.securityContext();
    Optional<BasicPrivateCredentials> propagated = callerContext.user()
            .flatMap(this::credentialsFromSubject)
            .or(() -> callerContext.service().flatMap(this::credentialsFromSubject));

    // The override passes through an immutable String, so unlike the other char[] passwords
    // this value cannot be wiped from memory after use.
    Optional<char[]> endpointPassword = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_PASSWORD)
            .map(String::valueOf)
            .map(String::toCharArray);

    if (propagated.isEmpty()) {
        return OutboundSecurityResponse.abstain();
    }

    BasicPrivateCredentials current = propagated.get();
    char[] effectivePassword = endpointPassword.orElse(current.password);
    return toBasicAuthOutbound(outboundEnv, targetConfig.tokenHandler(), current.username, effectivePassword);
}
use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.
the class HttpSignProviderTest method testOutboundSignatureRsa.
/**
 * Signs an outbound request to {@code http://example.org/my/resource} and passes the
 * resulting {@code Signature} header to {@code validateSignatureHeader} together with the
 * expected key id {@code rsa-key-12345}, algorithm {@code rsa-sha256}, signed header list and
 * signature value.
 *
 * @throws ExecutionException if the asynchronous outbound security call fails
 * @throws InterruptedException if the thread is interrupted while waiting for the result
 */
@Test
public void testOutboundSignatureRsa() throws ExecutionException, InterruptedException {
    Map<String, List<String>> requestHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    // A generated host header would include the port, so it is pinned explicitly.
    requestHeaders.put("host", List.of("example.org"));
    // Fixed date: the expected signature below is a literal, so every signed input must be
    // constant. Outside tests, a verifier should check the signed date for freshness.
    requestHeaders.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    // Test fixture credentials (base64 of "username:password"). Listing "authorization"
    // among the signed headers protects its integrity, not its confidentiality.
    requestHeaders.put("authorization", List.of("basic dXNlcm5hbWU6cGFzc3dvcmQ="));

    SecurityContext securityContext = mock(SecurityContext.class);
    when(securityContext.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest providerRequest = mock(ProviderRequest.class);
    when(providerRequest.securityContext()).thenReturn(securityContext);

    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/my/resource")
            .targetUri(URI.create("http://example.org/my/resource"))
            .headers(requestHeaders)
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();

    boolean supported = getProvider().isOutboundSupported(providerRequest, outboundEnv, outboundEp);
    assertThat("Outbound should be supported", supported, is(true));

    OutboundSecurityResponse outbound = getProvider()
            .outboundSecurity(providerRequest, outboundEnv, outboundEp)
            .toCompletableFuture()
            .get();
    assertThat(outbound.status(), is(SecurityResponse.SecurityStatus.SUCCESS));

    Map<String, List<String>> signedHeaders = outbound.requestHeaders();
    assertThat(signedHeaders, notNullValue());

    // Check the content of the Signature header itself.
    String signatureHeader = signedHeaders.get("Signature").iterator().next();
    String expectedSignature = "Rm5PjuUdJ927esGQ2gm/6QBEM9IM7J5qSZuP8NV8+GXUf"
            + "boUV6ST2EYLYniFGt5/3BO/2+vqQdqezdTVPr/JCwqBx+9T9ZynG7YqRj"
            + "KvXzcmvQOu5vQmCK5x/HR0fXU41Pjq+jywsD0k6KdxF6TWr6tvWRbwFet"
            + "+YSb0088o/65Xeqghw7s0vShf7jPZsaaIHnvM9SjWgix9VvpdEn4NDvqh"
            + "ebieVD3Swb1VG5+/7ECQ9VAlX30U5/jQ5hPO3yuvRlg5kkMjJiN7tf/68"
            + "If/5O2Z4H+7VmW0b1U69/JoOQJA0av1gCX7HVfa/YTCxIK4UFiI6h963q"
            + "2x7LSkqhdWGA==";
    validateSignatureHeader(outboundEnv,
                            signatureHeader,
                            "rsa-key-12345",
                            "rsa-sha256",
                            List.of("date", "host", REQUEST_TARGET, "authorization"),
                            expectedSignature);
}
use of io.helidon.security.OutboundSecurityResponse in project helidon by oracle.
the class HttpSignProviderTest method testOutboundSignatureHmac.
/**
 * Signs an outbound request to {@code http://localhost/second/someOtherPath} and passes the
 * resulting {@code Signature} header to {@code validateSignatureHeader} together with the
 * expected key id {@code myServiceKeyId}, algorithm {@code hmac-sha256}, signed header list
 * and signature value.
 *
 * @throws ExecutionException if the asynchronous outbound security call fails
 * @throws InterruptedException if the thread is interrupted while waiting for the result
 */
@Test
public void testOutboundSignatureHmac() throws ExecutionException, InterruptedException {
    Map<String, List<String>> requestHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    // A generated host header would include the port, so it is pinned explicitly.
    requestHeaders.put("host", List.of("localhost"));
    // Fixed date: the expected signature below is a literal, so every signed input must be
    // constant. Outside tests, a verifier should check the signed date for freshness.
    requestHeaders.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));

    SecurityContext securityContext = mock(SecurityContext.class);
    when(securityContext.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest providerRequest = mock(ProviderRequest.class);
    when(providerRequest.securityContext()).thenReturn(securityContext);

    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/second/someOtherPath")
            .targetUri(URI.create("http://localhost/second/someOtherPath"))
            .headers(requestHeaders)
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();

    boolean supported = getProvider().isOutboundSupported(providerRequest, outboundEnv, outboundEp);
    assertThat("Outbound should be supported", supported, is(true));

    OutboundSecurityResponse outbound = getProvider()
            .outboundSecurity(providerRequest, outboundEnv, outboundEp)
            .toCompletableFuture()
            .get();
    assertThat(outbound.status(), is(SecurityResponse.SecurityStatus.SUCCESS));

    Map<String, List<String>> signedHeaders = outbound.requestHeaders();
    assertThat(signedHeaders, notNullValue());

    // Check the content of the Signature header itself. With an HMAC the verifier holds the
    // same secret as the signer, so the signature authenticates the key holder pair rather
    // than a single party.
    String signatureHeader = signedHeaders.get("Signature").iterator().next();
    validateSignatureHeader(outboundEnv,
                            signatureHeader,
                            "myServiceKeyId",
                            "hmac-sha256",
                            List.of("date", REQUEST_TARGET, "host"),
                            "SkeKVi6BoUd2/aUfXyIVIFAKEkKp7sg2KsS1UieB/+E=");
}