Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.
Class JwtProviderTest, method testWrongToken.
@Test
public void testWrongToken() {
    JwtProvider provider = JwtProvider.create(providersConfig.get("jwt"));

    // Build a request whose only credential is the known-bad bearer token.
    SecurityEnvironment env = SecurityEnvironment.builder()
            .header("Authorization", "bearer " + WRONG_TOKEN)
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.env()).thenReturn(env);

    AuthenticationResponse response = provider.syncAuthenticate(request);

    // A rejected token must yield FAILURE and must not populate either subject.
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.user(), is(Optional.empty()));
    assertThat(response.service(), is(Optional.empty()));
}
Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.
Class HttpBasicAuthProvider, method syncOutbound.
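/**
 * Builds outbound HTTP basic authentication for a call leaving this service.
 * <p>
 * Credential lookup order, first match wins:
 * <ol>
 *   <li>explicit user set as endpoint property {@code EP_PROPERTY_OUTBOUND_USER}
 *       (password taken from {@code passwordFromEndpoint})</li>
 *   <li>a configured outbound target that carries an explicit user</li>
 *   <li>the current user subject, then the current service subject, with the
 *       endpoint property {@code EP_PROPERTY_OUTBOUND_PASSWORD} overriding the
 *       propagated password when set</li>
 * </ol>
 * When no outbound target matches, or a target without explicit user finds no
 * propagatable credentials, the provider abstains.
 *
 * @param providerRequest request carrying the current security context
 * @param outboundEnv     environment of the outbound call (target matching, resulting headers)
 * @param outboundEp      endpoint configuration of the outbound call
 * @return response with the basic auth header, or {@link OutboundSecurityResponse#abstain()}
 */
@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest,
                                                SecurityEnvironment outboundEnv,
                                                EndpointConfig outboundEp) {
    // 1. explicit username in request properties
    Optional<Object> maybeUsername = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_USER);
    if (maybeUsername.isPresent()) {
        String username = maybeUsername.get().toString();
        char[] password = passwordFromEndpoint(outboundEp);
        return toBasicAuthOutbound(outboundEnv, HttpBasicOutboundConfig.DEFAULT_TOKEN_HANDLER, username, password);
    }

    // 2. configured outbound target; the local is named targetConfig so it no longer
    //    shadows the outboundConfig field it is looked up from
    var maybeTarget = outboundConfig.findTargetCustomObject(outboundEnv,
                                                            HttpBasicOutboundConfig.class,
                                                            HttpBasicOutboundConfig::create,
                                                            HttpBasicOutboundConfig::create);
    if (maybeTarget.isEmpty()) {
        return OutboundSecurityResponse.abstain();
    }
    HttpBasicOutboundConfig targetConfig = maybeTarget.get();

    if (targetConfig.hasExplicitUser()) {
        // use configured user
        return toBasicAuthOutbound(outboundEnv,
                                   targetConfig.tokenHandler(),
                                   targetConfig.explicitUser(),
                                   targetConfig.explicitPassword());
    }

    // 3. propagate current subject (if possible): user first, then service
    SecurityContext secContext = providerRequest.securityContext();
    Optional<BasicPrivateCredentials> creds = secContext.user().flatMap(this::credentialsFromSubject);
    if (creds.isEmpty()) {
        creds = secContext.service().flatMap(this::credentialsFromSubject);
    }

    // NOTE(review): abacAttribute yields Optional<Object>, so String::valueOf binds to
    // valueOf(Object); a char[] value would be rendered via Object.toString() rather than
    // its content — confirm that callers set this property as a String
    Optional<char[]> overridePassword = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_PASSWORD)
            .map(String::valueOf)
            .map(String::toCharArray);

    return creds.map(credentials -> {
        char[] password = overridePassword.orElse(credentials.password);
        return toBasicAuthOutbound(outboundEnv, targetConfig.tokenHandler(), credentials.username, password);
    }).orElseGet(OutboundSecurityResponse::abstain);
}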
Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.
Class HttpSignProviderTest, method testOutboundSignatureRsa.
@Test
public void testOutboundSignatureRsa() throws ExecutionException, InterruptedException {
    // Mocked caller context; the provider only needs an executor from it.
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);

    // Headers that take part in the signature. Case-insensitive map, as HTTP header names are.
    // The generated host would include the port, so it is pinned explicitly here.
    Map<String, List<String>> signedHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    signedHeaders.put("host", List.of("example.org"));
    signedHeaders.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    signedHeaders.put("authorization", List.of("basic dXNlcm5hbWU6cGFzc3dvcmQ="));

    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/my/resource")
            .targetUri(URI.create("http://example.org/my/resource"))
            .headers(signedHeaders)
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();

    HttpSignProvider provider = getProvider();
    assertThat("Outbound should be supported",
               provider.isOutboundSupported(request, outboundEnv, outboundEp),
               is(true));

    OutboundSecurityResponse response = provider.outboundSecurity(request, outboundEnv, outboundEp)
            .toCompletableFuture()
            .get();
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));

    Map<String, List<String>> updatedHeaders = response.requestHeaders();
    assertThat(updatedHeaders, notNullValue());

    // Expected RSA-SHA256 signature over date, host, (request-target) and authorization,
    // in that order, under the rsa-key-12345 key.
    String expectedSignature = "Rm5PjuUdJ927esGQ2gm/6QBEM9IM7J5qSZuP8NV8+GXUf"
            + "boUV6ST2EYLYniFGt5/3BO/2+vqQdqezdTVPr/JCwqBx+9T9ZynG7YqRj"
            + "KvXzcmvQOu5vQmCK5x/HR0fXU41Pjq+jywsD0k6KdxF6TWr6tvWRbwFet"
            + "+YSb0088o/65Xeqghw7s0vShf7jPZsaaIHnvM9SjWgix9VvpdEn4NDvqh"
            + "ebieVD3Swb1VG5+/7ECQ9VAlX30U5/jQ5hPO3yuvRlg5kkMjJiN7tf/68"
            + "If/5O2Z4H+7VmW0b1U69/JoOQJA0av1gCX7HVfa/YTCxIK4UFiI6h963q"
            + "2x7LSkqhdWGA==";
    String signatureHeader = updatedHeaders.get("Signature").iterator().next();
    validateSignatureHeader(outboundEnv,
                            signatureHeader,
                            "rsa-key-12345",
                            "rsa-sha256",
                            List.of("date", "host", REQUEST_TARGET, "authorization"),
                            expectedSignature);
}
Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.
Class HttpSignProviderTest, method testInboundSignatureHmac.
@Test
public void testInboundSignatureHmac() throws InterruptedException, ExecutionException {
    // Inbound request carrying an HMAC-SHA256 signature over date, host,
    // (request-target) and authorization, keyed by myServiceKeyId.
    String signatureHeader = "keyId=\"myServiceKeyId\",algorithm=\"hmac-sha256\",headers=\"date host (request-target) "
            + "authorization\","
            + "signature=\"0BcQq9TckrtGvlpHiMxNqMq0vW6dPVTGVDUVDrGwZyI=\"";

    Map<String, List<String>> requestHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    requestHeaders.put("Signature", List.of(signatureHeader));
    requestHeaders.put("host", List.of("example.org"));
    requestHeaders.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    requestHeaders.put("authorization", List.of("basic dXNlcm5hbWU6cGFzc3dvcmQ="));

    SecurityEnvironment env = SecurityEnvironment.builder()
            .path("/my/resource")
            .headers(requestHeaders)
            .build();
    EndpointConfig endpointConfig = EndpointConfig.create();

    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());

    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    when(request.env()).thenReturn(env);
    when(request.endpointConfig()).thenReturn(endpointConfig);

    HttpSignProvider provider = getProvider();
    AuthenticationResponse atnResponse = provider.authenticate(request).toCompletableFuture().get();

    // The description (if any) is used as the assertion reason so a failure explains itself.
    assertThat(atnResponse.description().orElse("Unknown problem"),
               atnResponse.status(),
               is(SecurityResponse.SecurityStatus.SUCCESS));

    // A valid signature authenticates the calling service, not a user.
    atnResponse.service()
            .map(Subject::principal)
            .ifPresentOrElse(principal -> {
                assertThat(principal.getName(), is("aSetOfTrustedServices"));
                assertThat(principal.abacAttribute(HttpSignProvider.ATTRIB_NAME_KEY_ID),
                           is(Optional.of("myServiceKeyId")));
            }, () -> fail("User must be filled"));
}
Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.
Class HttpSignProviderTest, method testOutboundSignatureHmac.
@Test
public void testOutboundSignatureHmac() throws ExecutionException, InterruptedException {
    // Mocked caller context; the provider only needs an executor from it.
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);

    // Headers that take part in the signature. Case-insensitive map, as HTTP header names are.
    // The generated host would include the port, so it is pinned explicitly here.
    Map<String, List<String>> signedHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    signedHeaders.put("host", List.of("localhost"));
    signedHeaders.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));

    SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
            .path("/second/someOtherPath")
            .targetUri(URI.create("http://localhost/second/someOtherPath"))
            .headers(signedHeaders)
            .build();
    EndpointConfig outboundEp = EndpointConfig.create();

    HttpSignProvider provider = getProvider();
    assertThat("Outbound should be supported",
               provider.isOutboundSupported(request, outboundEnv, outboundEp),
               is(true));

    OutboundSecurityResponse response = provider.outboundSecurity(request, outboundEnv, outboundEp)
            .toCompletableFuture()
            .get();
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));

    Map<String, List<String>> updatedHeaders = response.requestHeaders();
    assertThat(updatedHeaders, notNullValue());

    // Expected HMAC-SHA256 signature over date, (request-target) and host, in that order,
    // under the myServiceKeyId key.
    String signatureHeader = updatedHeaders.get("Signature").iterator().next();
    validateSignatureHeader(outboundEnv,
                            signatureHeader,
                            "myServiceKeyId",
                            "hmac-sha256",
                            List.of("date", REQUEST_TARGET, "host"),
                            "SkeKVi6BoUd2/aUfXyIVIFAKEkKp7sg2KsS1UieB/+E=");
}