Examples with SecurityEnvironment io.helidon.security.SecurityEnvironment used on opensource projects

Example 36 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class OidcSupportTest method testOutboundFull.

@Test
void testOutboundFull() {
    String tokenContent = "huhahihohyhe";
    TokenCredential tokenCredential = TokenCredential.builder().token(tokenContent).build();
    Subject subject = Subject.builder().addPublicCredential(TokenCredential.class, tokenCredential).build();
    ProviderRequest providerRequest = Mockito.mock(ProviderRequest.class);
    SecurityContext ctx = Mockito.mock(SecurityContext.class);
    when(ctx.user()).thenReturn(Optional.of(subject));
    when(providerRequest.securityContext()).thenReturn(ctx);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().targetUri(URI.create("http://www.example.com:7777")).path("/test").build();
    EndpointConfig endpointConfig = EndpointConfig.builder().build();
    boolean outboundSupported = provider.isOutboundSupported(providerRequest, outboundEnv, endpointConfig);
    assertThat("Outbound should not be supported by default", outboundSupported, is(false));
    OutboundSecurityResponse response = provider.outboundSecurity(providerRequest, outboundEnv, endpointConfig).toCompletableFuture().join();
    assertThat("Disabled target should have empty headers", response.requestHeaders().size(), is(0));
}

Example 37 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class GoogleTokenProviderTest method createInboundRequest.

private ProviderRequest createInboundRequest(String headerName, String headerValue) {
    SecurityEnvironment env = SecurityEnvironment.builder().header(headerName, headerValue).build();
    Span secSpan = GlobalTracer.get().buildSpan("security").start();
    SecurityContext context = mock(SecurityContext.class);
    when(context.executorService()).thenReturn(ForkJoinPool.commonPool());
    when(context.tracer()).thenReturn(GlobalTracer.get());
    when(context.tracingSpan()).thenReturn(secSpan.context());
    ProviderRequest mock = mock(ProviderRequest.class);
    when(mock.securityContext()).thenReturn(context);
    when(mock.env()).thenReturn(env);
    return mock;
}

Example 38 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class GoogleTokenProviderTest method testOutbound.

@Test
public void testOutbound() {
    ProviderRequest outboundRequest = buildOutboundRequest();
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().targetUri(URI.create("http://localhost:8080/path")).method("GET").build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat("Outbound should be supported", provider.isOutboundSupported(outboundRequest, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(outboundRequest, outboundEnv, outboundEp);
    List<String> authorization = response.requestHeaders().get("Authorization");
    assertThat(authorization, notNullValue());
    assertThat(authorization.size(), is(1));
    String header = authorization.get(0);
    assertThat(header.toLowerCase(), startsWith("bearer "));
    assertThat(header, endsWith(TOKEN_VALUE));
}

Example 39 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class HeaderAtnProvider method syncOutbound.

@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundEndpointConfig) {
    Optional<Subject> toPropagate;
    if (subjectType == SubjectType.USER) {
        toPropagate = providerRequest.securityContext().user();
    } else {
        toPropagate = providerRequest.securityContext().service();
    }
    // find the target
    var target = outboundConfig.findTargetCustomObject(outboundEnv, HeaderAtnOutboundConfig.class, HeaderAtnOutboundConfig::create, HeaderAtnOutboundConfig::create);
    // we have no target, let's fall back to original behavior
    if (target.isEmpty()) {
        if (outboundTokenHandler != null) {
            return toPropagate.map(Subject::principal).map(Principal::id).map(id -> respond(outboundEnv, outboundTokenHandler, id)).orElseGet(OutboundSecurityResponse::abstain);
        }
        return OutboundSecurityResponse.abstain();
    }
    // we found a target
    HeaderAtnOutboundConfig outboundConfig = target.get();
    TokenHandler tokenHandler = outboundConfig.tokenHandler().orElse(defaultOutboundTokenHandler);
    return outboundConfig.explicitUser().or(() -> toPropagate.map(Subject::principal).map(Principal::id)).map(id -> respond(outboundEnv, tokenHandler, id)).orElseGet(OutboundSecurityResponse::abstain);
}

Example 40 with SecurityEnvironment

use of io.helidon.security.SecurityEnvironment in project helidon by oracle.

the class HttpDigestAuthProvider method validateDigestAuth.

private AuthenticationResponse validateDigestAuth(String headerValue, SecurityEnvironment env) {
    DigestToken token;
    try {
        token = DigestToken.fromAuthorizationHeader(headerValue.substring(DIGEST_PREFIX.length()), env.method().toLowerCase());
    } catch (HttpAuthException e) {
        LOGGER.log(Level.FINEST, "Failed to process digest token", e);
        return failOrAbstain(e.getMessage());
    }
    // decrypt
    byte[] bytes;
    try {
        bytes = Base64.getDecoder().decode(token.getNonce());
    } catch (IllegalArgumentException e) {
        LOGGER.log(Level.FINEST, "Failed to base64 decode nonce", e);
        // not base 64
        return failOrAbstain("Nonce must be base64 encoded");
    }
    if (bytes.length < 17) {
        return failOrAbstain("Invalid nonce length");
    }
    byte[] salt = new byte[SALT_LENGTH];
    byte[] aesNonce = new byte[AES_NONCE_LENGTH];
    byte[] encryptedBytes = new byte[bytes.length - SALT_LENGTH - AES_NONCE_LENGTH];
    System.arraycopy(bytes, 0, salt, 0, salt.length);
    System.arraycopy(bytes, SALT_LENGTH, aesNonce, 0, aesNonce.length);
    System.arraycopy(bytes, SALT_LENGTH + AES_NONCE_LENGTH, encryptedBytes, 0, encryptedBytes.length);
    Cipher cipher = HttpAuthUtil.cipher(digestServerSecret, salt, aesNonce, Cipher.DECRYPT_MODE);
    try {
        byte[] timestampBytes = cipher.doFinal(encryptedBytes);
        long nonceTimestamp = HttpAuthUtil.toLong(timestampBytes, 0, timestampBytes.length);
        // validate nonce
        if ((System.currentTimeMillis() - nonceTimestamp) > digestNonceTimeoutMillis) {
            return failOrAbstain("Nonce timeout");
        }
    } catch (Exception e) {
        LOGGER.log(Level.FINEST, "Failed to validate nonce", e);
        return failOrAbstain("Invalid nonce value");
    }
    // validate realm
    if (!realm.equals(token.getRealm())) {
        return failOrAbstain("Invalid realm");
    }
    return userStore.user(token.getUsername()).map(user -> {
        if (token.validateLogin(user)) {
            // yay, correct user and password!!!
            if (subjectType == SubjectType.USER) {
                return AuthenticationResponse.success(buildSubject(user));
            } else {
                return AuthenticationResponse.successService(buildSubject(user));
            }
        } else {
            return failOrAbstain("Invalid username or password");
        }
    }).orElse(failOrAbstain("Invalid username or password"));
}