
Example 16 with SecurityLevel

Use of io.helidon.security.SecurityLevel in project helidon by oracle.

The class SecurityDefinition, method requiresAuthorization.

/**
 * Decides whether this endpoint definition needs an authorization pass.
 * <p>
 * An explicit {@code requiresAuthorization} value set on this definition
 * wins. Otherwise authorization is required when any collected security
 * level carries at least one class-level or method-level annotation, or
 * when {@code authorizeByDefault} is set.
 *
 * @return {@code true} when the request must be authorized before it is served
 */
boolean requiresAuthorization() {
    // an explicit override takes precedence over the derived answer
    if (requiresAuthorization != null) {
        return requiresAuthorization;
    }
    // does any security level carry a security annotation, in either scope?
    boolean annotated = false;
    for (SecurityLevel level : securityLevels) {
        boolean classAnnotated = !level.getClassLevelAnnotations().isEmpty();
        boolean methodAnnotated = !level.getMethodLevelAnnotations().isEmpty();
        annotated |= classAnnotated || methodAnnotated;
    }
    // any annotation at all, or a default-authorize policy, forces authorization
    return annotated || authorizeByDefault;
}

Example 17 with SecurityLevel

Use of io.helidon.security.SecurityLevel in project helidon by oracle.

The class AbacProvider, method syncAuthorize.

/**
 * Authorizes the request by running every registered ABAC validator that
 * has a configuration source for this endpoint.
 * <p>
 * For each validator the configuration source is chosen in this order of
 * preference: an explicit custom object registered on the endpoint, the
 * validator's node under the ABAC config, and finally the validator's
 * supported annotations found on the endpoint's security levels. A
 * validator with no source is skipped. Before that, every annotation,
 * config node and custom object present on the endpoint is checked against
 * the registered validators; anything unclaimed is recorded as an error.
 * Any recorded error yields a {@code FAILURE} response, so an attribute
 * nobody can validate ends in a denial rather than being ignored.
 *
 * @param providerRequest request holding the endpoint configuration to authorize against
 * @return permit response when no validator recorded an error, otherwise a
 *         failure response whose description carries the collected errors
 */
@Override
protected AuthorizationResponse syncAuthorize(ProviderRequest providerRequest) {
    Errors.Collector collector = Errors.collector();
    EndpointConfig epConfig = providerRequest.endpointConfig();

    // up-front checks: annotations, config children and custom objects on the endpoint
    // must each be supported by some validator, otherwise an error is recorded
    validateAnnotations(epConfig, collector);
    validateConfig(epConfig, collector);
    validateCustom(epConfig, collector);

    Optional<Config> abacConfig = epConfig.config(CONFIG_KEY);
    List<RuntimeAttribute> runtimeAttributes = new ArrayList<>();

    for (var validator : validators) {
        Class<? extends AbacValidatorConfig> configClass = validator.configClass();
        String configKey = validator.configKey();
        Collection<Class<? extends Annotation>> supported = validator.supportedAnnotations();

        // 1. explicit custom object registered for this validator's config class
        Optional<? extends AbacValidatorConfig> custom = epConfig.instance(configClass);
        if (custom.isPresent()) {
            runtimeAttributes.add(new RuntimeAttribute(validator, custom.get()));
            continue;
        }

        // 2. configuration node keyed by the validator's config key
        Optional<Config> validatorConfig = abacConfig.flatMap(it -> it.get(configKey).asNode().asOptional());
        if (validatorConfig.isPresent()) {
            runtimeAttributes.add(new RuntimeAttribute(validator, validator.fromConfig(validatorConfig.get())));
            continue;
        }

        // 3. a supported annotation on any security level, in any scope
        if (!collectAnnotations(epConfig, supported).isEmpty()) {
            runtimeAttributes.add(new RuntimeAttribute(validator, validator.fromAnnotations(epConfig)));
        }
    }

    runtimeAttributes.forEach(attribute -> validate(attribute.getValidator(),
                                                    attribute.getConfig(),
                                                    collector,
                                                    providerRequest));

    Errors errors = collector.collect();
    if (!errors.isValid()) {
        return AuthorizationResponse.builder()
                .status(SecurityResponse.SecurityStatus.FAILURE)
                .description(errors.toString())
                .build();
    }
    return AuthorizationResponse.permit();
}

/**
 * Gathers every annotation of the given types found on the endpoint's
 * security levels, across all annotation scopes.
 *
 * @param epConfig        endpoint whose security levels are inspected
 * @param annotationTypes annotation types a validator supports
 * @return all matching annotations, possibly empty
 */
private static List<Annotation> collectAnnotations(EndpointConfig epConfig,
                                                   Collection<Class<? extends Annotation>> annotationTypes) {
    List<Annotation> found = new ArrayList<>();
    for (SecurityLevel level : epConfig.securityLevels()) {
        for (Class<? extends Annotation> type : annotationTypes) {
            found.addAll(level.combineAnnotations(type, EndpointConfig.AnnotationScope.values()));
        }
    }
    return found;
}

Example 18 with SecurityLevel

Use of io.helidon.security.SecurityLevel in project helidon by oracle.

The class AbacProviderTest, method testExistingValidatorFail.

/**
 * A registered validator whose attribute evaluates to {@code false} must
 * produce a failed authorization, and the response description must carry
 * the validator's failure message rather than being empty.
 */
@Test
public void testExistingValidatorFail() {
    AbacProvider abac = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();

    // annotation instance whose value() makes Attrib1Validator reject
    Attrib1 failingAttrib = Mockito.mock(Attrib1.class);
    when(failingAttrib.value()).thenReturn(false);
    doReturn(Attrib1.class).when(failingAttrib).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(failingAttrib)))
            .build();
    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();

    ProviderRequest providerRequest = Mockito.mock(ProviderRequest.class);
    when(providerRequest.endpointConfig()).thenReturn(endpointConfig);

    AuthorizationResponse result = abac.syncAuthorize(providerRequest);

    assertThat(result.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(result.description(), not(Optional.empty()));
    result.description().ifPresent(description -> {
        assertThat(description, containsString("Intentional unit test failure"));
    });
}

Example 19 with SecurityLevel

Use of io.helidon.security.SecurityLevel in project helidon by oracle.

The class AbacProviderTest, method testExistingValidatorSucceed.

/**
 * A registered validator whose attribute evaluates to {@code true} must
 * produce a successful authorization; on failure the response description
 * is used as the assertion message so the reason is visible.
 */
@Test
public void testExistingValidatorSucceed() {
    AbacProvider abac = AbacProvider.builder()
            .addValidator(new Attrib1Validator())
            .build();

    // annotation instance whose value() makes Attrib1Validator accept
    Attrib1 passingAttrib = Mockito.mock(Attrib1.class);
    when(passingAttrib.value()).thenReturn(true);
    doReturn(Attrib1.class).when(passingAttrib).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(passingAttrib)))
            .build();
    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();

    ProviderRequest providerRequest = Mockito.mock(ProviderRequest.class);
    when(providerRequest.endpointConfig()).thenReturn(endpointConfig);

    AuthorizationResponse result = abac.syncAuthorize(providerRequest);

    String reason = result.description()
            .orElse("Attrib1 value is true, so the authorization should succeed");
    assertThat(reason, result.status(), is(SecurityResponse.SecurityStatus.SUCCESS));
}

Example 20 with SecurityLevel

Use of io.helidon.security.SecurityLevel in project helidon by oracle.

The class AbacProviderTest, method testMissingValidator.

/**
 * An attribute annotation that no registered validator supports must not be
 * silently ignored: the provider is expected to deny the request and name
 * the unsupported annotation in the response description.
 */
@Test
public void testMissingValidator() {
    // provider without any validator registered for Attrib1
    AbacProvider abac = AbacProvider.create();

    Attrib1 orphanAttrib = Mockito.mock(Attrib1.class);
    doReturn(Attrib1.class).when(orphanAttrib).annotationType();

    SecurityLevel classLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(Attrib1.class, List.of(orphanAttrib)))
            .build();
    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(List.of(classLevel))
            .build();

    ProviderRequest providerRequest = Mockito.mock(ProviderRequest.class);
    when(providerRequest.endpointConfig()).thenReturn(endpointConfig);

    AuthorizationResponse result = abac.syncAuthorize(providerRequest);

    assertThat(result.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(result.description(), not(Optional.empty()));
    result.description()
            .ifPresent(description -> assertThat(description,
                                                 containsString("Attrib1 attribute annotation is not supported")));
}
