Use of io.helidon.security.SecurityException in project helidon by oracle.
Class IdcsMtRoleMapperRxProvider, method getGrantsFromServer.
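/**
 * Get grants from IDCS server for the given tenant and application. The result is cached.
 *
 * @param idcsTenantId ID of the IDCS tenant
 * @param idcsAppName Name of IDCS application
 * @param subject subject to get grants for
 * @return optional list of grants from server; the single fails with a
 *         {@link SecurityException} when no application token is available for the tenant
 */
protected Single<List<? extends Grant>> getGrantsFromServer(String idcsTenantId, String idcsAppName, Subject subject) {
    String subjectName = subject.principal().getName();
    // "sub_type" is an optional ABAC attribute of the principal; fall back to the configured default
    String subjectType = (String) subject.principal().abacAttribute("sub_type").orElse(defaultIdcsSubjectType());

    RoleMapTracing tracing = SecurityTracing.get().roleMapTracing("idcs");

    return Single.create(getAppToken(idcsTenantId, tracing))
            .flatMapSingle(maybeAppToken -> {
                if (maybeAppToken.isEmpty()) {
                    return Single.error(new SecurityException("Application token not available"));
                }
                return Single.just(maybeAppToken.get());
            })
            .flatMapSingle(appToken -> {
                // SCIM asserter request body
                JsonObjectBuilder requestBuilder = JSON.createObjectBuilder()
                        .add("mappingAttributeValue", subjectName)
                        .add("subjectType", subjectType)
                        .add("appName", idcsAppName)
                        .add("includeMemberships", true);
                JsonArrayBuilder arrayBuilder = JSON.createArrayBuilder();
                arrayBuilder.add("urn:ietf:params:scim:schemas:oracle:idcs:Asserter");
                requestBuilder.add("schemas", arrayBuilder);

                // use current span context as a parent for client outbound
                // using a custom child context, so we do not replace the parent in the current context
                Context parentContext = Contexts.context().orElseGet(Contexts::globalContext);
                Context childContext = Context.builder().parent(parentContext).build();
                tracing.findParent().ifPresent(childContext::register);

                WebClientRequestBuilder post = oidcConfig().generalWebClient()
                        .post()
                        .context(childContext)
                        .uri(multitenantEndpoints.assertEndpoint(idcsTenantId))
                        .headers(it -> {
                            it.add(Http.Header.AUTHORIZATION, "Bearer " + appToken);
                            return it;
                        });

                return processRoleRequest(post, requestBuilder.build(), subjectName);
            })
            // finish the role-mapping span on success and mark it failed on error; without this the
            // span started above was never closed (the single-tenant provider does the same)
            .peek(ignored -> tracing.finish())
            .onError(tracing::error);
}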
Use of io.helidon.security.SecurityException in project helidon by oracle.
Class DbService, method getNoContext.
/**
 * Get the TODO identified by the given ID from the database, fails if the
 * entry is not associated with the given {@code userId}.
 * <p>
 * A missing entry yields an empty {@code Optional}; an entry owned by a different
 * user is reported as a {@link SecurityException} rather than as "not found".
 *
 * @param id the ID identifying the entry to retrieve
 * @param userId the database user id
 * @return retrieved entry as {@code Optional}
 * @throws SecurityException when the entry exists but belongs to another user
 */
private Optional<Todo> getNoContext(final String id, final String userId) {
    Row row = session.execute(getStatement.bind(id)).one();
    if (row == null) {
        return Optional.empty();
    }

    Todo entry = Todo.fromDb(row);
    // ownership check: the row is only returned to the user it belongs to
    if (!userId.equals(entry.getUserId())) {
        throw new SecurityException("User " + userId + " attempted to read record " + id + " of another user");
    }
    return Optional.of(entry);
}
Use of io.helidon.security.SecurityException in project helidon by oracle.
Class IdcsRoleMapperRxProvider, method getGrantsFromServer.
/**
 * Retrieves grants from IDCS server.
 * <p>
 * The returned single fails with a {@link SecurityException} when no application token
 * can be obtained; the role-mapping span is finished on completion and marked on error.
 *
 * @param subject to get grants for
 * @return optional list of grants to be added
 */
protected Single<List<? extends Grant>> getGrantsFromServer(Subject subject) {
    String principalName = subject.principal().getName();
    // "sub_type" is an optional ABAC attribute; fall back to the configured default subject type
    String principalType = (String) subject.principal().abacAttribute("sub_type").orElse(defaultIdcsSubjectType());

    RoleMapTracing tracing = SecurityTracing.get().roleMapTracing("idcs");

    return Single.create(appToken.getToken(tracing))
            .flatMapSingle(maybeAppToken -> {
                if (maybeAppToken.isEmpty()) {
                    return Single.error(new SecurityException("Application token not available"));
                }
                // named differently from the appToken field used above to avoid shadowing
                String bearer = maybeAppToken.get();

                // SCIM asserter request body
                JsonArrayBuilder schemas = JSON.createArrayBuilder();
                schemas.add("urn:ietf:params:scim:schemas:oracle:idcs:Asserter");
                JsonObjectBuilder requestBuilder = JSON.createObjectBuilder()
                        .add("mappingAttributeValue", principalName)
                        .add("subjectType", principalType)
                        .add("includeMemberships", true)
                        .add("schemas", schemas);

                // use current span context as a parent for client outbound
                // using a custom child context, so we do not replace the parent in the current context
                Context parent = Contexts.context().orElseGet(Contexts::globalContext);
                Context outboundContext = Context.builder().parent(parent).build();
                tracing.findParent().ifPresent(outboundContext::register);

                WebClientRequestBuilder assertRequest = oidcConfig().generalWebClient()
                        .post()
                        .uri(asserterUri)
                        .context(outboundContext)
                        .headers(headers -> {
                            headers.add(Http.Header.AUTHORIZATION, "Bearer " + bearer);
                            return headers;
                        });

                return processRoleRequest(assertRequest, requestBuilder.build(), principalName);
            })
            .peek(ignored -> tracing.finish())
            .onError(tracing::error);
}
Use of io.helidon.security.SecurityException in project helidon by oracle.
Class IdcsSupport, method signJwk.
// load signature jwk with a token, blocking operation
/*
 * Obtains an access token via the client-credentials grant, then fetches the signing JWK
 * set with it. Each remote call blocks for at most clientTimeout.
 *
 * Throws SecurityException when the token request is not successful (status and response
 * entity included in the message) or when any other failure occurs (wrapped as cause).
 */
static JwkKeys signJwk(WebClient appWebClient, WebClient generalClient, URI tokenEndpointUri, URI signJwkUri, Duration clientTimeout) {
    // need to get token to be able to request this endpoint
    FormParams tokenForm = FormParams.builder()
            .add("grant_type", "client_credentials")
            .add("scope", "urn:opc:idm:__myscopes__")
            .build();
    try {
        long timeoutMillis = clientTimeout.toMillis();

        WebClientResponse tokenResponse = appWebClient.post()
                .uri(tokenEndpointUri)
                .accept(MediaType.APPLICATION_JSON)
                .submit(tokenForm)
                .await(timeoutMillis, TimeUnit.MILLISECONDS);

        if (tokenResponse.status().family() != Http.ResponseStatus.Family.SUCCESSFUL) {
            String errorEntity = tokenResponse.content().as(String.class).await(timeoutMillis, TimeUnit.MILLISECONDS);
            throw new SecurityException("Failed to read JWK from IDCS. Status: " + tokenResponse.status() + ", entity: " + errorEntity);
        }

        JsonObject tokenJson = tokenResponse.content().as(JsonObject.class).await(timeoutMillis, TimeUnit.MILLISECONDS);
        String accessToken = tokenJson.getString("access_token");

        // get the jwk from server, authenticated with the token just obtained
        JsonObject jwkJson = generalClient.get()
                .uri(signJwkUri)
                .headers(it -> {
                    it.add(Http.Header.AUTHORIZATION, "Bearer " + accessToken);
                    return it;
                })
                .request(JsonObject.class)
                .await(timeoutMillis, TimeUnit.MILLISECONDS);
        return JwkKeys.create(jwkJson);
    } catch (SecurityException e) {
        // already carries a meaningful message; do not wrap again
        throw e;
    } catch (Exception e) {
        throw new SecurityException("Failed to read JWK from IDCS", e);
    }
}
Use of io.helidon.security.SecurityException in project helidon by oracle.
Class OciOutboundSecurityProvider, method sign.
/**
 * Signs the outbound request according to the signature configuration of the target.
 *
 * @param outboundEnv environment of the outbound call (supplies the headers to sign)
 * @param target outbound target; must carry a {@code SignatureTarget} custom object
 * @return outbound security response with the signature header added to the request headers
 * @throws SecurityException when the target has no signature configuration
 */
private OutboundSecurityResponse sign(SecurityEnvironment outboundEnv, OutboundTarget target) {
    SignatureTarget signatureTarget = target.customObject(SignatureTarget.class)
            .orElseThrow(() -> new SecurityException("Failed to find signature configuration for target " + target.name()));

    // case-insensitive copy of the request headers; the copy (not the caller's map) receives the signature
    Map<String, List<String>> signedHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    signedHeaders.putAll(outboundEnv.headers());

    OciSignatureData keyData = signatureData.get();
    LOGGER.finest("Creating request signature with kid: " + keyData.keyId());

    OciHttpSignature signature = OciHttpSignature.sign(SignatureRequest.builder()
                                                               .env(outboundEnv)
                                                               .privateKey(keyData.privateKey())
                                                               .keyId(keyData.keyId())
                                                               .headersConfig(signatureTarget.signedHeadersConfig)
                                                               .newHeaders(signedHeaders)
                                                               .build());
    TOKEN_HANDLER.addHeader(signedHeaders, signature.toSignatureHeader());

    return OutboundSecurityResponse.builder()
            .requestHeaders(signedHeaders)
            .status(SecurityResponse.SecurityStatus.SUCCESS)
            .build();
}