Search in sources :

Example 6 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class OutboundProviderSyncTest method testAbstain.

@Test
public void testAbstain() {
    SecurityContext context = mock(SecurityContext.class);
    when(context.user()).thenReturn(Optional.empty());
    when(context.service()).thenReturn(Optional.empty());
    SecurityEnvironment se = SecurityEnvironment.create();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    when(request.env()).thenReturn(se);
    OutboundProviderSync ops = new OutboundProviderSync();
    OutboundSecurityResponse response = ops.syncOutbound(request, SecurityEnvironment.create(), EndpointConfig.create());
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.ABSTAIN));
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) Test(org.junit.jupiter.api.Test)

Example 7 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class JwtAuthProviderTest method mockRequest.

private ProviderRequest mockRequest(String signedToken) {
    ProviderRequest atnRequest = mock(ProviderRequest.class);
    SecurityEnvironment se = SecurityEnvironment.builder().header("Authorization", "bearer " + signedToken).build();
    when(atnRequest.env()).thenReturn(se);
    EndpointConfig ep = mock(EndpointConfig.class);
    SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
    List<SecurityLevel> securityLevels = new ArrayList<>();
    securityLevels.add(appSecurityLevel);
    LoginConfig lc = mock(LoginConfig.class);
    when(lc.authMethod()).thenReturn(JwtAuthAnnotationAnalyzer.LOGIN_CONFIG_METHOD);
    when(lc.realmName()).thenReturn("");
    when(ep.securityLevels()).thenReturn(securityLevels);
    when(appSecurityLevel.filterAnnotations(LoginConfig.class, EndpointConfig.AnnotationScope.CLASS)).thenReturn(List.of(lc));
    when(atnRequest.endpointConfig()).thenReturn(ep);
    return atnRequest;
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityLevel(io.helidon.security.SecurityLevel) ArrayList(java.util.ArrayList) LoginConfig(org.eclipse.microprofile.auth.LoginConfig) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest)

Example 8 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class JwtAuthProviderTest method testRsaBothWays.

@Test
public void testRsaBothWays() {
    String username = "user1";
    String userId = "user1-id";
    String email = "user1@example.org";
    String familyName = "Novak";
    String givenName = "Standa";
    String fullName = "Standa Novak";
    Locale locale = Locale.CANADA_FRENCH;
    Principal principal = Principal.builder().name(username).id(userId).addAttribute("email", email).addAttribute("email_verified", true).addAttribute("family_name", familyName).addAttribute("given_name", givenName).addAttribute("full_name", fullName).addAttribute("locale", locale).build();
    Subject subject = Subject.create(principal);
    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));
    SecurityContext context = Mockito.mock(SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().path("/rsa").transport("http").targetUri(URI.create("http://localhost:8080/rsa")).build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    String signedToken = response.requestHeaders().get("Authorization").get(0);
    signedToken = signedToken.substring("bearer ".length());
    // now I want to validate it to prove it was correctly signed
    SignedJwt signedJwt = SignedJwt.parseToken(signedToken);
    signedJwt.verifySignature(verifyKeys).checkValid();
    Jwt jwt = signedJwt.getJwt();
    assertThat(jwt.subject(), is(Optional.of(userId)));
    assertThat(jwt.preferredUsername(), is(Optional.of(username)));
    assertThat(jwt.email(), is(Optional.of(email)));
    assertThat(jwt.emailVerified(), is(Optional.of(true)));
    assertThat(jwt.familyName(), is(Optional.of(familyName)));
    assertThat(jwt.givenName(), is(Optional.of(givenName)));
    assertThat(jwt.fullName(), is(Optional.of(fullName)));
    assertThat(jwt.locale(), is(Optional.of(locale)));
    assertThat(jwt.audience(), is(Optional.of(List.of("audience.application.id"))));
    assertThat(jwt.issuer(), is(Optional.of("jwt.example.com")));
    assertThat(jwt.algorithm(), is(Optional.of(JwkRSA.ALG_RS256)));
    assertThat(jwt.issueTime(), is(not(Optional.empty())));
    jwt.issueTime().ifPresent(instant -> {
        boolean compareResult = Instant.now().minusSeconds(10).compareTo(instant) < 0;
        assertThat("Issue time must not be older than 10 seconds", compareResult, is(true));
        Instant expectedNotBefore = instant.minus(60, ChronoUnit.SECONDS);
        assertThat(jwt.notBefore(), is(Optional.of(expectedNotBefore)));
        Instant expectedExpiry = instant.plus(3600, ChronoUnit.SECONDS);
        assertThat(jwt.expirationTime(), is(Optional.of(expectedExpiry)));
    });
    // now we need to use the same token to invoke authentication
    ProviderRequest atnRequest = mockRequest(signedToken);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);
    authenticationResponse.user().map(Subject::principal).ifPresentOrElse(atnPrincipal -> {
        assertThat(atnPrincipal.id(), is(userId));
        assertThat(atnPrincipal.getName(), is(username));
        assertThat(atnPrincipal.abacAttribute("email"), is(Optional.of(email)));
        assertThat(atnPrincipal.abacAttribute("email_verified"), is(Optional.of(true)));
        assertThat(atnPrincipal.abacAttribute("family_name"), is(Optional.of(familyName)));
        assertThat(atnPrincipal.abacAttribute("given_name"), is(Optional.of(givenName)));
        assertThat(atnPrincipal.abacAttribute("full_name"), is(Optional.of(fullName)));
        assertThat(atnPrincipal.abacAttribute("locale"), is(Optional.of(locale)));
    }, () -> fail("User must be present in response"));
}
Also used : Locale(java.util.Locale) SecurityEnvironment(io.helidon.security.SecurityEnvironment) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwt(io.helidon.security.jwt.Jwt) Instant(java.time.Instant) SignedJwt(io.helidon.security.jwt.SignedJwt) AuthenticationResponse(io.helidon.security.AuthenticationResponse) Subject(io.helidon.security.Subject) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) SecurityContext(io.helidon.security.SecurityContext) Principal(io.helidon.security.Principal) EndpointConfig(io.helidon.security.EndpointConfig) Test(org.junit.jupiter.api.Test)

Example 9 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class JwtAuthProviderTest method testOctBothWays.

@Test
public void testOctBothWays() {
    String userId = "user1-id";
    Principal tp = Principal.create(userId);
    Subject subject = Subject.create(tp);
    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));
    SecurityContext context = Mockito.mock(SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().path("/oct").transport("http").targetUri(URI.create("http://localhost:8080/oct")).build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    String signedToken = response.requestHeaders().get("Authorization").get(0);
    signedToken = signedToken.substring("bearer ".length());
    // now I want to validate it to prove it was correctly signed
    SignedJwt signedJwt = SignedJwt.parseToken(signedToken);
    signedJwt.verifySignature(verifyKeys).checkValid();
    Jwt jwt = signedJwt.getJwt();
    assertThat(jwt.subject(), is(Optional.of(userId)));
    assertThat(jwt.preferredUsername(), is(Optional.of(userId)));
    assertThat(jwt.email(), is(Optional.empty()));
    assertThat(jwt.emailVerified(), is(Optional.empty()));
    assertThat(jwt.familyName(), is(Optional.empty()));
    assertThat(jwt.givenName(), is(Optional.empty()));
    // stored as "name" attribute on principal, full name is stored as "name" in JWT
    assertThat(jwt.fullName(), is(Optional.empty()));
    assertThat(jwt.locale(), is(Optional.empty()));
    assertThat(jwt.audience(), is(Optional.of(List.of("audience.application.id"))));
    assertThat(jwt.issuer(), is(Optional.of("jwt.example.com")));
    assertThat(jwt.algorithm(), is(Optional.of(JwkOctet.ALG_HS256)));
    Instant instant = jwt.issueTime().get();
    boolean compareResult = Instant.now().minusSeconds(10).compareTo(instant) < 0;
    assertThat("Issue time must not be older than 10 seconds", compareResult, is(true));
    Instant expectedNotBefore = instant.minus(5, ChronoUnit.SECONDS);
    assertThat(jwt.notBefore(), is(Optional.of(expectedNotBefore)));
    Instant expectedExpiry = instant.plus(60 * 60 * 24, ChronoUnit.SECONDS);
    assertThat(jwt.expirationTime(), is(Optional.of(expectedExpiry)));
    // now we need to use the same token to invoke authentication
    ProviderRequest atnRequest = mockRequest(signedToken);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);
    authenticationResponse.user().map(Subject::principal).ifPresentOrElse(atnPrincipal -> {
        assertThat(atnPrincipal.id(), is(userId));
        assertThat(atnPrincipal.getName(), is(userId));
        assertThat(atnPrincipal.abacAttribute("email"), is(Optional.empty()));
        assertThat(atnPrincipal.abacAttribute("email_verified"), is(Optional.empty()));
        assertThat(atnPrincipal.abacAttribute("family_name"), is(Optional.empty()));
        assertThat(atnPrincipal.abacAttribute("given_name"), is(Optional.empty()));
        assertThat(atnPrincipal.abacAttribute("full_name"), is(Optional.empty()));
        assertThat(atnPrincipal.abacAttribute("locale"), is(Optional.empty()));
    }, () -> fail("User must be present in response"));
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwt(io.helidon.security.jwt.Jwt) Instant(java.time.Instant) SignedJwt(io.helidon.security.jwt.SignedJwt) AuthenticationResponse(io.helidon.security.AuthenticationResponse) Subject(io.helidon.security.Subject) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) SecurityContext(io.helidon.security.SecurityContext) Principal(io.helidon.security.Principal) EndpointConfig(io.helidon.security.EndpointConfig) Test(org.junit.jupiter.api.Test)

Example 10 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class JwtAuthProviderTest method testWrongToken.

@Test
public void testWrongToken() {
    JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("security.providers.0.mp-jwt-auth"));
    // now we need to use the same token to invoke authentication
    ProviderRequest atnRequest = mock(ProviderRequest.class);
    SecurityEnvironment se = SecurityEnvironment.builder().header("Authorization", "bearer " + WRONG_TOKEN).build();
    EndpointConfig ec = mock(EndpointConfig.class);
    SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
    SecurityLevel classSecurityLevel = mock(SecurityLevel.class);
    List<SecurityLevel> securityLevels = new ArrayList<>();
    securityLevels.add(appSecurityLevel);
    securityLevels.add(classSecurityLevel);
    when(ec.securityLevels()).thenReturn(securityLevels);
    when(appSecurityLevel.filterAnnotations(LoginConfig.class, EndpointConfig.AnnotationScope.CLASS)).thenReturn(List.of(new LoginConfig() {

        @Override
        public Class<? extends Annotation> annotationType() {
            return LoginConfig.class;
        }

        @Override
        public String authMethod() {
            return JwtAuthAnnotationAnalyzer.LOGIN_CONFIG_METHOD;
        }

        @Override
        public String realmName() {
            return "helidon-realm";
        }
    }));
    when(atnRequest.env()).thenReturn(se);
    when(atnRequest.endpointConfig()).thenReturn(ec);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);
    assertThat(authenticationResponse.service(), is(Optional.empty()));
    assertThat(authenticationResponse.user(), is(Optional.empty()));
    assertThat(authenticationResponse.status(), is(SecurityResponse.SecurityStatus.FAILURE));
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityLevel(io.helidon.security.SecurityLevel) ArrayList(java.util.ArrayList) LoginConfig(org.eclipse.microprofile.auth.LoginConfig) AuthenticationResponse(io.helidon.security.AuthenticationResponse) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) Test(org.junit.jupiter.api.Test)

Aggregations

SecurityEnvironment (io.helidon.security.SecurityEnvironment)63 Test (org.junit.jupiter.api.Test)54 ProviderRequest (io.helidon.security.ProviderRequest)46 EndpointConfig (io.helidon.security.EndpointConfig)35 SecurityContext (io.helidon.security.SecurityContext)35 AuthenticationResponse (io.helidon.security.AuthenticationResponse)22 OutboundSecurityResponse (io.helidon.security.OutboundSecurityResponse)20 Subject (io.helidon.security.Subject)18 List (java.util.List)18 Principal (io.helidon.security.Principal)12 TreeMap (java.util.TreeMap)10 SignedJwt (io.helidon.security.jwt.SignedJwt)8 HashMap (java.util.HashMap)7 Locale (java.util.Locale)7 Jwt (io.helidon.security.jwt.Jwt)6 Instant (java.time.Instant)6 Map (java.util.Map)6 CoreMatchers.containsString (org.hamcrest.CoreMatchers.containsString)6 Context (io.grpc.Context)5 Metadata (io.grpc.Metadata)5