
Example 1 with SecurityTracing

use of io.helidon.security.integration.common.SecurityTracing in project helidon by oracle.

Class SecurityFilterCommon, method doFilter.

/**
 * Runs the security pipeline for a JAX-RS request: builds the {@link SecurityEnvironment}
 * from the request, attaches it (and the endpoint configuration) to the security context and
 * delegates to {@code processSecurity}. Returns early, with the span closed, when request
 * filtering decided there is nothing to secure (404).
 *
 * @param request         container request being filtered
 * @param securityContext security context created for this request
 */
protected void doFilter(ContainerRequestContext request, SecurityContext securityContext) {
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    SecurityFilter.FilterContext filterContext = initRequestFiltering(request);
    if (filterContext.isShouldFinish()) {
        // 404 - nothing to secure; close the span and let the container answer
        tracing.finish();
        return;
    }

    // Original request as "path?query", handed to providers via HEADER_ORIG_URI.
    // NOTE(review): the raw query string travels with the headers; if these headers are
    // audited or traced downstream, secrets passed as query parameters go with them.
    URI requestUri = request.getUriInfo().getRequestUri();
    String query = requestUri.getQuery();
    String origRequest = requestUri.getPath();
    if (query != null && !query.isEmpty()) {
        origRequest = origRequest + "?" + query;
    }

    Map<String, List<String>> allHeaders = new HashMap<>(filterContext.getHeaders());
    allHeaders.put(Security.HEADER_ORIG_URI, List.of(origRequest));

    SecurityEnvironment.Builder envBuilder = SecurityEnvironment.builder(security.serverTime())
            .path(filterContext.getResourcePath())
            .targetUri(filterContext.getTargetUri())
            .method(filterContext.getMethod())
            .headers(allHeaders)
            .addAttribute("resourceType", filterContext.getResourceName());

    // Peer address and port are not reachable through the JAX-RS/Jersey API; the Helidon
    // integration stores them as request properties instead.
    // NOTE(review): presumably the peer as seen by the web server, not a forwarded-for
    // value - behind a proxy "userIp" would then be the proxy's address; confirm before
    // using it for any address-based decision.
    String remoteHost = (String) request.getProperty("io.helidon.jaxrs.remote-host");
    Integer remotePort = (Integer) request.getProperty("io.helidon.jaxrs.remote-port");
    if (remoteHost != null) {
        envBuilder.addAttribute("userIp", remoteHost);
    }
    if (remotePort != null) {
        envBuilder.addAttribute("userPort", remotePort);
    }
    SecurityEnvironment env = envBuilder.build();

    EndpointConfig ec = EndpointConfig.builder()
            .securityLevels(filterContext.getMethodSecurity().getSecurityLevels())
            .build();

    try {
        securityContext.env(env);
        securityContext.endpointConfig(ec);
        request.setProperty(PROP_FILTER_CONTEXT, filterContext);
        // Registered before authn/authz run so auditing sees the context even when they fail.
        // NOTE(review): the "secure" flag comes from the target URI scheme; behind a
        // TLS-terminating proxy confirm targetUri reflects the external scheme.
        boolean secure = "https".equals(filterContext.getTargetUri().getScheme());
        request.setSecurityContext(new JerseySecurityContext(securityContext,
                                                             filterContext.getMethodSecurity(),
                                                             secure));
        processSecurity(request, filterContext, tracing, securityContext);
    } finally {
        if (filterContext.isTraceSuccess()) {
            tracing.logProceed();
            tracing.finish();
        } else {
            // denied or aborted (including an exception out of processSecurity)
            tracing.logDeny();
            tracing.error("aborted");
        }
    }
}

Example 2 with SecurityTracing

use of io.helidon.security.integration.common.SecurityTracing in project helidon by oracle.

Class GrpcSecurityHandler, method processSecurity.

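/**
 * Runs authentication and authorization for a gRPC call and decides whether the call reaches
 * the next handler. The security pipeline is asynchronous but this method blocks on it, so
 * the decision is made before any listener is returned. Every failure path closes the call
 * (fail closed) and returns an empty listener; the returned listener is always wrapped for
 * auditing.
 *
 * @param securityContext security context for this call
 * @param call            the server call being intercepted
 * @param headers         request metadata
 * @param next            downstream handler invoked only when the call is allowed
 * @param <ReqT>          request message type
 * @param <RespT>         response message type
 * @return the listener to hand back to gRPC
 */
private <ReqT, RespT> ServerCall.Listener<ReqT> processSecurity(SecurityContext securityContext, ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);
    securityContext.endpointConfig(securityContext.endpointConfig()
                                           .derive()
                                           .configMap(configMap)
                                           .customObjects(customObjects.orElse(new ClassToInstanceStore<>()))
                                           .build());

    CompletionStage<Boolean> stage = processAuthentication(call, headers, securityContext, tracing.atnTracing())
            .thenCompose(atnResult -> {
                if (atnResult.proceed) {
                    // authentication was OK or disabled, we should continue
                    return processAuthorization(securityContext, tracing.atzTracing());
                } else {
                    // authentication told us to stop processing
                    return CompletableFuture.completedFuture(AtxResult.STOP);
                }
            })
            .thenApply(atzResult -> {
                if (atzResult.proceed) {
                    // authorization was OK, we can continue processing
                    tracing.logProceed();
                    tracing.finish();
                    return true;
                } else {
                    tracing.logDeny();
                    tracing.finish();
                    return false;
                }
            });

    ServerCall.Listener<ReqT> listener;
    CallWrapper<ReqT, RespT> callWrapper = new CallWrapper<>(call);
    try {
        // Blocks the gRPC executor thread until authn/authz complete; a provider that never
        // completes its stage blocks it indefinitely (no timeout is applied here).
        boolean proceed = stage.toCompletableFuture().get();
        if (proceed) {
            listener = next.startCall(callWrapper, headers);
        } else {
            // Fail closed. NOTE(review): if processAuthentication/processAuthorization already
            // closed the call (e.g. with UNAUTHENTICATED), this is a second close - confirm
            // CallWrapper tolerates it; a client cannot tell authn from authz failure here.
            callWrapper.close(Status.PERMISSION_DENIED, new Metadata());
            listener = new EmptyListener<>();
        }
    } catch (Throwable throwable) {
        if (throwable instanceof InterruptedException) {
            // get() swallowed the interrupt; re-assert it so the owning executor can observe it
            Thread.currentThread().interrupt();
        }
        // An ExecutionException here wraps the real failure of the security pipeline.
        tracing.error(throwable);
        LOGGER.log(Level.SEVERE, "Unexpected exception during security processing", throwable);
        // fail closed on any failure of the pipeline itself
        callWrapper.close(Status.INTERNAL, new Metadata());
        listener = new EmptyListener<>();
    }
    return new AuditingListener<>(listener, callWrapper, headers, securityContext);
}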

Example 3 with SecurityTracing

use of io.helidon.security.integration.common.SecurityTracing in project helidon by oracle.

Class SecurityHandler, method processSecurity.

/**
 * Runs authentication and authorization for a web server request and, when both allow it,
 * forwards the request to the next handler inside the caller's context. A failure of the
 * pipeline itself aborts the request with 500 (fail closed). Auditing is hooked on the
 * response being sent.
 *
 * @param securityContext security context for this request
 * @param req             request being processed
 * @param res             response used to abort the request
 */
private void processSecurity(SecurityContext securityContext, ServerRequest req, ServerResponse res) {
    // one security span covers both authentication and authorization
    SecurityTracing tracing = SecurityTracing.get();
    tracing.securityContext(securityContext);

    // query parameters -> security context (the call is extractQueryParams, not header extraction)
    extractQueryParams(securityContext, req);

    securityContext.endpointConfig(securityContext.endpointConfig()
                                           .derive()
                                           .configMap(configMap)
                                           .customObjects(customObjects.orElse(new ClassToInstanceStore<>()))
                                           .build());

    // capture the caller's context now; the completion callbacks below may run on another thread
    Optional<Context> callerContext = Contexts.context();

    processAuthentication(res, securityContext, tracing.atnTracing())
            .thenCompose(atn -> {
                if (!atn.proceed) {
                    // authentication told us to stop; authorization is skipped
                    return CompletableFuture.completedFuture(AtxResult.STOP);
                }
                // authentication was OK or disabled - run authorization
                return processAuthorization(req, res, securityContext, tracing.atzTracing());
            })
            .thenAccept(atz -> {
                if (atz.proceed) {
                    tracing.logProceed();
                    tracing.finish();
                    // hand over to the next handler in the context the request arrived with
                    callerContext.ifPresentOrElse(c -> Contexts.runInContext(c, (Runnable) req::next), req::next);
                } else {
                    // NOTE(review): nothing is written to the response here; the deny relies on
                    // processAuthentication/processAuthorization having already aborted it.
                    tracing.logDeny();
                    tracing.finish();
                }
            })
            .exceptionally(t -> {
                // fail closed: a broken security pipeline must not let the request through
                tracing.error(t);
                LOGGER.log(Level.SEVERE, "Unexpected exception during security processing", t);
                abortRequest(res, null, Http.Status.INTERNAL_SERVER_ERROR_500.code(), Map.of());
                return null;
            });

    // audit once the response has been sent
    res.whenSent().thenAccept(sent -> processAudit(req, sent, securityContext));
}

Example 4 with SecurityTracing

use of io.helidon.security.integration.common.SecurityTracing in project helidon by oracle.

Class SecurityPreMatchingFilter, method filter.

/**
 * Pre-matching filter entry point: creates a fresh {@link SecurityContext} for the request,
 * registers it with the Helidon context and the Jersey injection manager, and runs the
 * security pipeline right away only when pre-matching authentication is enabled.
 *
 * @param request the incoming container request
 */
@Override
public void filter(ContainerRequestContext request) {
    SecurityTracing tracing = SecurityTracing.get();

    // Context id is a base-36 rendering of a counter: a correlation id for logs and traces,
    // not a secret and not unpredictable.
    String contextId = Integer.toString(CONTEXT_COUNTER.incrementAndGet(), Character.MAX_RADIX);
    SecurityContext securityContext = security()
            .contextBuilder(contextId)
            .tracingSpan(tracing.findParent().orElse(null))
            .build();

    // expose the context both through Helidon's request context and through Jersey injection
    Contexts.context().ifPresent(ctx -> ctx.register(securityContext));
    Ref<SecurityContext> contextRef = injectionManager.getInstance(
            new GenericType<Ref<SecurityContext>>() { }.getType());
    contextRef.set(securityContext);

    // NOTE(review): when pre-matching authentication is disabled the context is only prepared
    // here; the security pipeline presumably runs from a later (post-matching) filter.
    if (featureConfig().shouldUsePrematchingAuthentication()) {
        doFilter(request, securityContext);
    }
}
