Use of io.helidon.security.SecurityLevel in project helidon by oracle.
The class AtnProviderSyncTest, method testAnnotationSuccess.
@Test
public void testAnnotationSuccess() {
    // Hand-built instance of the custom annotation; its attributes are taken from
    // the test's VALUE and SIZE constants.
    AtnProviderSync.AtnAnnot customAnnotation = new AtnProviderSync.AtnAnnot() {
        @Override
        public String value() {
            return VALUE;
        }

        @Override
        public int size() {
            return SIZE;
        }

        @Override
        public Class<? extends Annotation> annotationType() {
            return AtnProviderSync.AtnAnnot.class;
        }
    };

    // Security context with neither a user nor a service subject.
    SecurityContext securityContext = mock(SecurityContext.class);
    when(securityContext.user()).thenReturn(Optional.empty());
    when(securityContext.service()).thenReturn(Optional.empty());

    SecurityEnvironment environment = SecurityEnvironment.create();

    // Single security level that exposes the custom annotation through withClassAnnotations.
    SecurityLevel mockLevel = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(AtnProviderSync.AtnAnnot.class, List.of(customAnnotation)))
            .build();
    EndpointConfig endpointConfig = EndpointConfig.builder()
            .securityLevels(List.of(mockLevel))
            .build();

    // Provider request wired to the context, environment and endpoint configuration above.
    ProviderRequest providerRequest = mock(ProviderRequest.class);
    when(providerRequest.securityContext()).thenReturn(securityContext);
    when(providerRequest.env()).thenReturn(environment);
    when(providerRequest.endpointConfig()).thenReturn(endpointConfig);

    testSuccess(providerRequest);
}
Use of io.helidon.security.SecurityLevel in project helidon by oracle.
The class SecurityFilter, method securityForClass.
/**
 * Creates the security definition for a class from its annotations, using
 * {@code parent} as the starting point when one is supplied.
 * <p>
 * The class is first unwrapped via {@code getRealClass} so that annotations are
 * read from the real type rather than from a proxy. The definition collects the
 * {@link Authenticated}, {@link Authorized} and {@link Audited} annotations, the
 * custom annotations gathered by {@code addCustomAnnotations} (registered as a
 * {@link SecurityLevel} named after the class), and the response of every
 * registered {@link AnnotationAnalyzer}.
 *
 * @param theClass class from which to create security definition
 * @param parent base security definition or {@code null}
 * @return security definition for the class
 */
private SecurityDefinition securityForClass(Class<?> theClass, SecurityDefinition parent) {
    Class<?> realClass = getRealClass(theClass);

    SecurityDefinition definition;
    if (parent == null) {
        // Root definition: the feature configuration decides whether the authorization
        // provider is consulted only for explicitly annotated endpoints, so that calls
        // to it can be prevented unless the developer asks for them explicitly.
        definition = new SecurityDefinition(featureConfig().shouldAuthorizeAnnotatedOnly(),
                                            featureConfig().failOnFailureIfOptional());
    } else {
        definition = parent.copyMe();
    }

    definition.add(realClass.getAnnotation(Authenticated.class));
    definition.add(realClass.getAnnotation(Authorized.class));
    definition.add(realClass.getAnnotation(Audited.class));

    // Unless authentication is restricted to annotated endpoints, the class requires it.
    if (!featureConfig().shouldAuthenticateAnnotatedOnly()) {
        definition.requiresAuthentication(true);
    }

    // Custom annotations found on the class are exposed through a dedicated security level.
    Map<Class<? extends Annotation>, List<Annotation>> customAnnotations = new HashMap<>();
    addCustomAnnotations(customAnnotations, realClass);
    definition.getSecurityLevels().add(SecurityLevel.create(realClass.getName())
                                               .withClassAnnotations(customAnnotations)
                                               .build());

    // Each analyzer receives the parent's response for the same analyzer, when there is a parent.
    for (AnnotationAnalyzer analyzer : analyzers) {
        AnnotationAnalyzer.AnalyzerResponse response = (parent == null)
                ? analyzer.analyze(realClass)
                : analyzer.analyze(realClass, parent.analyzerResponse(analyzer));
        definition.analyzerResponse(analyzer, response);
    }

    return definition;
}
Use of io.helidon.security.SecurityLevel in project helidon by oracle.
The class RoleValidatorTest, method testDenyAllAndPermitAll.
@Test
void testDenyAllAndPermitAll() {
    RoleValidator validator = RoleValidator.create();
    PermitAll permitAll = mock(PermitAll.class);
    DenyAll denyAll = mock(DenyAll.class);

    // Two levels: the application level is left unstubbed; the class level exposes
    // @DenyAll at CLASS scope and @PermitAll at METHOD scope.
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS))
            .thenReturn(List.of(denyAll));
    when(classLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(permitAll));

    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpointConfig = mock(EndpointConfig.class);
    when(endpointConfig.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig roleConfig = validator.fromAnnotations(endpointConfig);

    // Subject granted only the "user" role.
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("user"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(roleConfig, collector, request);

    // The method-scoped @PermitAll takes precedence over the class-scoped @DenyAll,
    // so validation must report no errors.
    collector.collect().checkValid();
}
Use of io.helidon.security.SecurityLevel in project helidon by oracle.
The class RoleValidatorTest, method testRolesAllowedDeny.
@Test
void testRolesAllowedDeny() {
    RoleValidator validator = RoleValidator.create();

    // @RolesAllowed("admin") exposed at METHOD scope by the class level;
    // the application level is left unstubbed.
    RolesAllowed rolesAllowed = mock(RolesAllowed.class);
    String[] requiredRoles = new String[] { "admin" };
    when(rolesAllowed.value()).thenReturn(requiredRoles);
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(rolesAllowed));

    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpointConfig = mock(EndpointConfig.class);
    when(endpointConfig.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig roleConfig = validator.fromAnnotations(endpointConfig);

    // The subject holds only the "user" role, not the required "admin" role.
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("user"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(roleConfig, collector, request);

    // A subject lacking the required role must be rejected.
    if (collector.collect().isValid()) {
        fail("User is not in admin role, should have failed");
    }
}
Use of io.helidon.security.SecurityLevel in project helidon by oracle.
The class RoleValidatorTest, method testAllAccessAnnotationsOnTheSameLevel.
@Test
void testAllAccessAnnotationsOnTheSameLevel() {
    RoleValidator validator = RoleValidator.create();
    PermitAll permitAll = mock(PermitAll.class);
    DenyAll denyAll = mock(DenyAll.class);
    RolesAllowed rolesAllowed = mock(RolesAllowed.class);
    String[] requiredRoles = new String[] { "admin" };
    when(rolesAllowed.value()).thenReturn(requiredRoles);

    // All three access annotations are exposed at the same (METHOD) scope of the class
    // level; the application level is left unstubbed.
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(permitAll));
    when(classLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(denyAll));
    when(classLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(rolesAllowed));

    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpointConfig = mock(EndpointConfig.class);
    when(endpointConfig.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig roleConfig = validator.fromAnnotations(endpointConfig);

    // The subject does hold the "admin" role required by @RolesAllowed.
    Subject subject = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("admin"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(subject));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(roleConfig, collector, request);

    // With @DenyAll present on the same level, the matching role must not grant access.
    if (collector.collect().isValid()) {
        fail("DenyAll is set on this method, this should have failed");
    }
}