Example 26 with SecurityEnvironment

Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

The class JwtProviderTest, method testWrongToken.

@Test
public void testWrongToken() {
    JwtProvider provider = JwtProvider.create(providersConfig.get("jwt"));
    // now we need to use the same token to invoke authentication
    ProviderRequest atnRequest = mock(ProviderRequest.class);
    // build a request environment carrying an invalid bearer token in the Authorization header
    SecurityEnvironment se = SecurityEnvironment.builder().header("Authorization", "bearer " + WRONG_TOKEN).build();
    when(atnRequest.env()).thenReturn(se);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);
    // an invalid token must not produce any subject, and the provider must report FAILURE rather than abstaining
    assertThat(authenticationResponse.service(), is(Optional.empty()));
    assertThat(authenticationResponse.user(), is(Optional.empty()));
    assertThat(authenticationResponse.status(), is(SecurityResponse.SecurityStatus.FAILURE));
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) AuthenticationResponse(io.helidon.security.AuthenticationResponse) ProviderRequest(io.helidon.security.ProviderRequest) Test(org.junit.jupiter.api.Test)

Example 27 with SecurityEnvironment

Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

The class HttpBasicAuthProvider, method syncOutbound.

@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundEp) {
    // explicit username in request properties
    Optional<Object> maybeUsername = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_USER);
    if (maybeUsername.isPresent()) {
        String username = maybeUsername.get().toString();
        char[] password = passwordFromEndpoint(outboundEp);
        return toBasicAuthOutbound(outboundEnv, HttpBasicOutboundConfig.DEFAULT_TOKEN_HANDLER, username, password);
    }
    var target = outboundConfig.findTargetCustomObject(outboundEnv, HttpBasicOutboundConfig.class, HttpBasicOutboundConfig::create, HttpBasicOutboundConfig::create);
    if (target.isEmpty()) {
        return OutboundSecurityResponse.abstain();
    }
    HttpBasicOutboundConfig outboundConfig = target.get();
    if (outboundConfig.hasExplicitUser()) {
        // use configured user
        return toBasicAuthOutbound(outboundEnv, outboundConfig.tokenHandler(), outboundConfig.explicitUser(), outboundConfig.explicitPassword());
    } else {
        // propagate current user (if possible)
        SecurityContext secContext = providerRequest.securityContext();
        // first try user
        Optional<BasicPrivateCredentials> creds = secContext.user().flatMap(this::credentialsFromSubject);
        if (creds.isEmpty()) {
            // if not present, try service
            creds = secContext.service().flatMap(this::credentialsFromSubject);
        }
        Optional<char[]> overridePassword = outboundEp.abacAttribute(EP_PROPERTY_OUTBOUND_PASSWORD).map(String::valueOf).map(String::toCharArray);
        return creds.map(credentials -> {
            char[] password = overridePassword.orElse(credentials.password);
            return toBasicAuthOutbound(outboundEnv, outboundConfig.tokenHandler(), credentials.username, password);
        }).orElseGet(OutboundSecurityResponse::abstain);
    }
}
Also used : OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) ProviderRequest(io.helidon.security.ProviderRequest) HashMap(java.util.HashMap) UserStoreService(io.helidon.security.providers.httpauth.spi.UserStoreService) AuthenticationProvider(io.helidon.security.spi.AuthenticationProvider) Matcher(java.util.regex.Matcher) Map(java.util.Map) Subject(io.helidon.security.Subject) LinkedList(java.util.LinkedList) ConfiguredOption(io.helidon.config.metadata.ConfiguredOption) Config(io.helidon.config.Config) SubjectType(io.helidon.security.SubjectType) OutboundSecurityProvider(io.helidon.security.spi.OutboundSecurityProvider) Configured(io.helidon.config.metadata.Configured) SecurityProvider(io.helidon.security.spi.SecurityProvider) SynchronousProvider(io.helidon.security.spi.SynchronousProvider) ServiceLoader(java.util.ServiceLoader) SecurityContext(io.helidon.security.SecurityContext) HelidonServiceLoader(io.helidon.common.serviceloader.HelidonServiceLoader) TokenHandler(io.helidon.security.util.TokenHandler) Logger(java.util.logging.Logger) AuthenticationResponse(io.helidon.security.AuthenticationResponse) OutboundConfig(io.helidon.security.providers.common.OutboundConfig) Principal(io.helidon.security.Principal) StandardCharsets(java.nio.charset.StandardCharsets) SecurityResponse(io.helidon.security.SecurityResponse) Base64(java.util.Base64) List(java.util.List) EndpointConfig(io.helidon.security.EndpointConfig) SecurityEnvironment(io.helidon.security.SecurityEnvironment) OutboundTarget(io.helidon.security.providers.common.OutboundTarget) Role(io.helidon.security.Role) Optional(java.util.Optional) Pattern(java.util.regex.Pattern) SecurityContext(io.helidon.security.SecurityContext) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse)

Example 28 with SecurityEnvironment

Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

The class HttpSignProviderTest, method testOutboundSignatureRsa.

@Test
public void testOutboundSignatureRsa() throws ExecutionException, InterruptedException {
    Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    // the generated host contains port as well, so we must explicitly define it here
    headers.put("host", List.of("example.org"));
    headers.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    headers.put("authorization", List.of("basic dXNlcm5hbWU6cGFzc3dvcmQ="));
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().path("/my/resource").targetUri(URI.create("http://example.org/my/resource")).headers(headers).build();
    EndpointConfig outboundEp = EndpointConfig.create();
    boolean outboundSupported = getProvider().isOutboundSupported(request, outboundEnv, outboundEp);
    assertThat("Outbound should be supported", outboundSupported, is(true));
    OutboundSecurityResponse response = getProvider().outboundSecurity(request, outboundEnv, outboundEp).toCompletableFuture().get();
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    Map<String, List<String>> updatedHeaders = response.requestHeaders();
    assertThat(updatedHeaders, notNullValue());
    // and now the value
    validateSignatureHeader(outboundEnv, updatedHeaders.get("Signature").iterator().next(), "rsa-key-12345", "rsa-sha256", List.of("date", "host", REQUEST_TARGET, "authorization"), "Rm5PjuUdJ927esGQ2gm/6QBEM9IM7J5qSZuP8NV8+GXUf" + "boUV6ST2EYLYniFGt5/3BO/2+vqQdqezdTVPr/JCwqBx+9T9ZynG7YqRj" + "KvXzcmvQOu5vQmCK5x/HR0fXU41Pjq+jywsD0k6KdxF6TWr6tvWRbwFet" + "+YSb0088o/65Xeqghw7s0vShf7jPZsaaIHnvM9SjWgix9VvpdEn4NDvqh" + "ebieVD3Swb1VG5+/7ECQ9VAlX30U5/jQ5hPO3yuvRlg5kkMjJiN7tf/68" + "If/5O2Z4H+7VmW0b1U69/JoOQJA0av1gCX7HVfa/YTCxIK4UFiI6h963q" + "2x7LSkqhdWGA==");
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) List(java.util.List) TreeMap(java.util.TreeMap) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) Test(org.junit.jupiter.api.Test)

Example 29 with SecurityEnvironment

Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

The class HttpSignProviderTest, method testInboundSignatureHmac.

@Test
public void testInboundSignatureHmac() throws InterruptedException, ExecutionException {
    Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    headers.put("Signature", List.of("keyId=\"myServiceKeyId\",algorithm=\"hmac-sha256\",headers=\"date host (request-target) " + "authorization\"," + "signature=\"0BcQq9TckrtGvlpHiMxNqMq0vW6dPVTGVDUVDrGwZyI=\""));
    headers.put("host", List.of("example.org"));
    headers.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    headers.put("authorization", List.of("basic dXNlcm5hbWU6cGFzc3dvcmQ="));
    HttpSignProvider provider = getProvider();
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    SecurityEnvironment se = SecurityEnvironment.builder().path("/my/resource").headers(headers).build();
    EndpointConfig ep = EndpointConfig.create();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    when(request.env()).thenReturn(se);
    when(request.endpointConfig()).thenReturn(ep);
    AuthenticationResponse atnResponse = provider.authenticate(request).toCompletableFuture().get();
    assertThat(atnResponse.description().orElse("Unknown problem"), atnResponse.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    atnResponse.service().map(Subject::principal).ifPresentOrElse(principal -> {
        assertThat(principal.getName(), is("aSetOfTrustedServices"));
        assertThat(principal.abacAttribute(HttpSignProvider.ATTRIB_NAME_KEY_ID), is(Optional.of("myServiceKeyId")));
    }, () -> fail("User must be filled"));
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) List(java.util.List) TreeMap(java.util.TreeMap) AuthenticationResponse(io.helidon.security.AuthenticationResponse) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) Test(org.junit.jupiter.api.Test)

Example 30 with SecurityEnvironment

Use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

The class HttpSignProviderTest, method testOutboundSignatureHmac.

@Test
public void testOutboundSignatureHmac() throws ExecutionException, InterruptedException {
    Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    // the generated host contains port as well, so we must explicitly define it here
    headers.put("host", List.of("localhost"));
    headers.put("date", List.of("Thu, 08 Jun 2014 18:32:30 GMT"));
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().path("/second/someOtherPath").targetUri(URI.create("http://localhost/second/someOtherPath")).headers(headers).build();
    EndpointConfig outboundEp = EndpointConfig.create();
    boolean outboundSupported = getProvider().isOutboundSupported(request, outboundEnv, outboundEp);
    assertThat("Outbound should be supported", outboundSupported, is(true));
    OutboundSecurityResponse response = getProvider().outboundSecurity(request, outboundEnv, outboundEp).toCompletableFuture().get();
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
    Map<String, List<String>> updatedHeaders = response.requestHeaders();
    assertThat(updatedHeaders, notNullValue());
    // and now the value
    validateSignatureHeader(outboundEnv, updatedHeaders.get("Signature").iterator().next(), "myServiceKeyId", "hmac-sha256", List.of("date", REQUEST_TARGET, "host"), "SkeKVi6BoUd2/aUfXyIVIFAKEkKp7sg2KsS1UieB/+E=");
}
Also used : SecurityEnvironment(io.helidon.security.SecurityEnvironment) SecurityContext(io.helidon.security.SecurityContext) List(java.util.List) TreeMap(java.util.TreeMap) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) Test(org.junit.jupiter.api.Test)
