use of org.apache.airavata.common.exception.ApplicationSettingsException in project airavata by apache.
the class UserProfileServiceHandler method getIamAdminServicesClient.
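/**
 * Builds a Thrift client for the IAM Admin Services endpoint configured in the server settings.
 *
 * @return a fresh {@code IamAdminServices.Client} for the configured profile-service host/port
 * @throws UserProfileServiceException if the settings cannot be read, the configured port is not a
 *         number, or the client cannot be created; the underlying exception is attached as the cause
 */
private IamAdminServices.Client getIamAdminServicesClient() throws UserProfileServiceException {
    try {
        final int serverPort = Integer.parseInt(ServerSettings.getProfileServiceServerPort());
        final String serverHost = ServerSettings.getProfileServiceServerHost();
        return ProfileServiceClientFactory.createIamAdminServiceClient(serverHost, serverPort);
    } catch (IamAdminServicesException | ApplicationSettingsException | NumberFormatException e) {
        // NumberFormatException is unchecked and previously escaped this method undeclared; a
        // malformed port setting is a configuration error and belongs with the other two.
        logger.error("Failed to create IAM Admin Services client", e);
        UserProfileServiceException ex = new UserProfileServiceException("Failed to create IAM Admin Services client");
        // The generated exception offers no cause-taking constructor; keep the root cause
        // for the stack trace instead of dropping it.
        ex.initCause(e);
        throw ex;
    }
}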
use of org.apache.airavata.common.exception.ApplicationSettingsException in project airavata by apache.
the class DefaultAiravataSecurityManager method isUserAuthorized.
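/**
 * Decides whether the user named in the token's claims may invoke the API method named in
 * {@code metaData}.
 *
 * <p>The decision is taken from the authorization cache when it is enabled and holds an entry;
 * otherwise the access token is validated with the WSO2 Identity Server, the claimed subject is
 * checked against the token's owner (no impersonation), and a XACML entitlement decision is
 * obtained. Only decisions backed by a valid token are cached.
 *
 * @param authzToken the OAuth access token plus the caller's claims (user name, gateway id)
 * @param metaData request metadata; {@code Constants.API_METHOD_NAME} names the invoked API method
 * @return {@code true} if the call is authorized, {@code false} otherwise
 * @throws AiravataSecurityException if the cache returns an undefined status or the
 *         configuration, registry, credential store or authorization server cannot be reached
 */
public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
    try {
        String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
        String accessToken = authzToken.getAccessToken();
        String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
        String action = metaData.get(Constants.API_METHOD_NAME);

        if (!ServerSettings.isAuthzCacheEnabled()) {
            // No cache: every call is decided by the authorization server.
            return authorizeAgainstServer(authzToken, metaData, subject, gatewayId).authorized;
        }

        AuthzCacheManager authzCacheManager = AuthzCacheManagerFactory.getAuthzCacheManager();
        // One index instance for lookup and store. It is built from the subject exactly as
        // presented in the claims; stripping a "@tenant" suffix before storing (as an earlier
        // version did) makes the stored key differ from the looked-up one and the cache never hits.
        AuthzCacheIndex cacheIndex = new AuthzCacheIndex(subject, gatewayId, accessToken, action);
        AuthzCachedStatus cachedStatus = authzCacheManager.getAuthzCachedStatus(cacheIndex);
        // The access token is a bearer credential and is deliberately kept out of the logs.
        if (AuthzCachedStatus.AUTHORIZED.equals(cachedStatus)) {
            logger.debug("Authz decision for: (" + subject + ", " + action + ") is retrieved from cache.");
            return true;
        }
        if (AuthzCachedStatus.NOT_AUTHORIZED.equals(cachedStatus)) {
            logger.debug("Authz decision for: (" + subject + ", " + action + ") is retrieved from cache.");
            return false;
        }
        if (!AuthzCachedStatus.NOT_CACHED.equals(cachedStatus)) {
            // undefined status returned from the authz cache manager
            throw new AiravataSecurityException("Error in reading from the authorization cache.");
        }
        logger.debug("Authz decision for: (" + subject + ", " + action + ") is not in the cache. " + "Obtaining it from the authorization server.");
        ServerAuthzDecision decision = authorizeAgainstServer(authzToken, metaData, subject, gatewayId);
        if (decision.cacheable) {
            // Only XACML decisions for a valid token carry an expiry worth caching; a rejected or
            // impersonated token is not remembered.
            authzCacheManager.addToAuthzCache(cacheIndex, new AuthzCacheEntry(decision.authorized, decision.expiryTime, System.currentTimeMillis()));
        }
        return decision.authorized;
    } catch (AxisFault axisFault) {
        logger.error(axisFault.getMessage(), axisFault);
        throw new AiravataSecurityException("Error in initializing the configuration context for creating the OAuth validation client.", axisFault);
    } catch (ApplicationSettingsException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in reading OAuth server configuration.", e);
    } catch (RegistryServiceException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in accessing AppCatalog.", e);
    } catch (TException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in connecting to Credential Store Service.", e);
    }
}

/** Outcome of one round trip to the authorization server. */
private static final class ServerAuthzDecision {
    /** Token invalid or subject does not own the token: denied and never cached. */
    static final ServerAuthzDecision DENIED = new ServerAuthzDecision(false, false, 0L);

    final boolean authorized;
    /** {@code true} only when {@link #authorized} is a XACML decision for a validated token. */
    final boolean cacheable;
    /** Token expiry as reported by the validation response; meaningful only when cacheable. */
    final long expiryTime;

    ServerAuthzDecision(boolean authorized, boolean cacheable, long expiryTime) {
        this.authorized = authorized;
        this.cacheable = cacheable;
        this.expiryTime = expiryTime;
    }
}

/**
 * Validates the access token with the Identity Server and, if it is valid and owned by
 * {@code subject}, asks the XACML PEP for the entitlement decision.
 *
 * <p>The Identity Server is called with the gateway's own identity-server account, read from the
 * credential store via the gateway resource profile; when the profile names a tenant the account
 * name is qualified as {@code user@tenant}.
 *
 * @param authzToken the caller's token and claims
 * @param metaData request metadata forwarded to the PEP
 * @param subject the user name claimed by the caller
 * @param gatewayId the gateway whose identity-server account is used
 * @return the decision; {@link ServerAuthzDecision#DENIED} when the token is invalid or belongs
 *         to a different user
 */
private ServerAuthzDecision authorizeAgainstServer(AuthzToken authzToken, Map<String, String> metaData, String subject, String gatewayId)
        throws AxisFault, ApplicationSettingsException, RegistryServiceException, TException, AiravataSecurityException {
    CredentialStoreService.Client csClient = getCredentialStoreServiceClient();
    GatewayResourceProfile gwrp = getRegistryServiceClient().getGatewayResourceProfile(gatewayId);
    PasswordCredential credential = csClient.getPasswordCredential(gwrp.getIdentityServerPwdCredToken(), gwrp.getGatewayID());
    String username = credential.getLoginUserName();
    if (gwrp.getIdentityServerTenant() != null && !gwrp.getIdentityServerTenant().isEmpty()) {
        username = username + "@" + gwrp.getIdentityServerTenant();
    }
    String password = credential.getPassword();
    ConfigurationContext configContext = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
    // initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
    TrustStoreManager trustStoreManager = new TrustStoreManager();
    trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(), ServerSettings.getTrustStorePassword());
    DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(), username, password, configContext);
    OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(authzToken.getAccessToken());
    if (!validationResponse.getValid()) {
        return ServerAuthzDecision.DENIED;
    }
    // cannot impersonate users: the claimed subject must be the user the token was issued to.
    // This check now applies whether or not the authz cache is enabled.
    if (!isSameUser(validationResponse.getAuthorizedUser(), subject)) {
        return ServerAuthzDecision.DENIED;
    }
    // check for fine grained authorization for the API invocation, based on XACML.
    DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(), username, password, configContext);
    boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData);
    return new ServerAuthzDecision(authorizationDecision, true, validationResponse.getExpiryTime());
}

/**
 * Whether the user the authorization server vouches for is the subject named in the claims.
 * A {@code @tenant} suffix is dropped on both sides and the comparison ignores case
 * (locale-independently, unlike {@code toLowerCase()} with the default locale).
 */
private static boolean isSameUser(String authorizedUserName, String subject) {
    return stripTenant(authorizedUserName).equalsIgnoreCase(stripTenant(subject));
}

/** Returns the part of {@code userName} before the first {@code @}, or the name unchanged. */
private static String stripTenant(String userName) {
    return userName.contains("@") ? userName.split("@")[0] : userName;
}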
use of org.apache.airavata.common.exception.ApplicationSettingsException in project airavata by apache.
the class DefaultAiravataSecurityManager method initializeSecurityInfra.
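/**
 * Makes sure the default XACML authorization policy is published to the PDP of the WSO2
 * Identity Server for every gateway that has an identity-server account configured.
 *
 * <p>Does nothing when the API is not secured. The policy is read from
 * {@code <authorization policy name>.xml} on the local file system.
 *
 * @throws AiravataSecurityException if the configuration, the policy file, the registry, the
 *         credential store or the PAP endpoint cannot be read or reached
 */
@Override
public void initializeSecurityInfra() throws AiravataSecurityException {
    /* in the default security manager, this method checks if the xacml authorization policy is published,
     * and if not, publish the policy to the PDP (of WSO2 Identity Server)
     */
    try {
        if (!ServerSettings.isAPISecured()) {
            return;
        }
        ConfigurationContext configContext = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
        // initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
        TrustStoreManager trustStoreManager = new TrustStoreManager();
        trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(), ServerSettings.getTrustStorePassword());
        List<GatewayResourceProfile> gwProfiles = getRegistryServiceClient().getAllGatewayResourceProfiles();
        String defaultXACMLPolicy = readPolicyFile(new File(ServerSettings.getAuthorizationPoliyName() + ".xml"));
        CredentialStoreService.Client csClient = getCredentialStoreServiceClient();
        for (GatewayResourceProfile gwrp : gwProfiles) {
            if (gwrp.getIdentityServerPwdCredToken() == null || gwrp.getIdentityServerTenant() == null) {
                logger.warn("Identity Server configuration missing for gateway : " + gwrp.getGatewayID());
                continue;
            }
            PasswordCredential credential = csClient.getPasswordCredential(gwrp.getIdentityServerPwdCredToken(), gwrp.getGatewayID());
            String username = credential.getLoginUserName();
            // tenant is known to be non-null here; qualify the account as user@tenant when it is set
            if (!gwrp.getIdentityServerTenant().isEmpty()) {
                username = username + "@" + gwrp.getIdentityServerTenant();
            }
            String password = credential.getPassword();
            DefaultPAPClient papClient = new DefaultPAPClient(ServerSettings.getRemoteAuthzServerUrl(), username, password, configContext);
            if (papClient.isPolicyAdded(ServerSettings.getAuthorizationPoliyName())) {
                logger.debug("Authorization policy is already added in the authorization server.");
            } else {
                papClient.addPolicy(defaultXACMLPolicy);
                logger.debug("Authorization policy is published in the authorization server.");
            }
        }
    } catch (AxisFault axisFault) {
        logger.error(axisFault.getMessage(), axisFault);
        throw new AiravataSecurityException("Error in initializing the configuration context for creating the " + "PAP client.", axisFault);
    } catch (ApplicationSettingsException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in reading configuration when creating the PAP client.", e);
    } catch (FileNotFoundException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in reading authorization policy.", e);
    } catch (IOException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in reading the authorization policy.", e);
    } catch (RegistryServiceException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in reading the Gateway Profiles from App Catalog.", e);
    } catch (TException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in connecting to Credential Store Service.", e);
    }
}

/**
 * Reads the XACML policy file into a string.
 *
 * <p>Lines are concatenated without separators, as the policy publisher has always received them.
 * The file is decoded as UTF-8 explicitly: {@code FileReader} uses the platform default charset,
 * which varies between deployments. The reader is closed on every path.
 *
 * @param policyFile the {@code .xml} policy file
 * @return the policy text
 * @throws FileNotFoundException if the file does not exist or cannot be opened
 * @throws IOException on any other read error
 */
private static String readPolicyFile(File policyFile) throws IOException {
    StringBuilder policy = new StringBuilder();
    try (BufferedReader reader = new BufferedReader(new java.io.InputStreamReader(
            new java.io.FileInputStream(policyFile), java.nio.charset.StandardCharsets.UTF_8))) {
        String line;
        while ((line = reader.readLine()) != null) {
            policy.append(line);
        }
    }
    return policy.toString();
}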
use of org.apache.airavata.common.exception.ApplicationSettingsException in project airavata by apache.
the class KeyCloakSecurityManager method isUserAuthorized.
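/**
 * Decides whether the user named in the token's claims may invoke the requested API method,
 * based on the roles carried by the Keycloak access token.
 *
 * <p>Returns {@code true} without any check when the API is not secured. When the authz cache
 * is enabled a cached decision is used if present; otherwise the roles are fetched from the
 * token and the decision is cached for one hour.
 *
 * @param authzToken the OAuth access token plus the caller's claims (user name, gateway id)
 * @param metaData request metadata; {@code Constants.API_METHOD_NAME} names the invoked API method
 * @return {@code true} if the call is authorized, {@code false} otherwise
 * @throws AiravataSecurityException if the cache returns an undefined status or any step of
 *         the authorization fails; the original failure is attached as the cause
 */
@Override
public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
    String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
    String accessToken = authzToken.getAccessToken();
    String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
    String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
    try {
        if (!ServerSettings.isAPISecured()) {
            return true;
        }
        if (!ServerSettings.isAuthzCacheEnabled()) {
            String[] roles = getUserRolesFromOAuthToken(subject, accessToken, gatewayId);
            return hasPermission(roles, action);
        }
        // obtain an instance of AuthzCacheManager implementation.
        AuthzCacheManager authzCacheManager = AuthzCacheManagerFactory.getAuthzCacheManager();
        // the same index instance is used for the lookup and for storing the decision
        AuthzCacheIndex cacheIndex = new AuthzCacheIndex(subject, gatewayId, accessToken, action);
        AuthzCachedStatus cachedStatus = authzCacheManager.getAuthzCachedStatus(cacheIndex);
        // The access token is a bearer credential and is deliberately kept out of the logs.
        if (AuthzCachedStatus.AUTHORIZED.equals(cachedStatus)) {
            logger.debug("Authz decision for: (" + subject + ", " + action + ") is retrieved from cache.");
            return true;
        }
        if (AuthzCachedStatus.NOT_AUTHORIZED.equals(cachedStatus)) {
            logger.debug("Authz decision for: (" + subject + ", " + action + ") is retrieved from cache.");
            return false;
        }
        if (!AuthzCachedStatus.NOT_CACHED.equals(cachedStatus)) {
            // undefined status returned from the authz cache manager
            throw new AiravataSecurityException("Error in reading from the authorization cache.");
        }
        logger.debug("Authz decision for: (" + subject + ", " + action + ") is not in the cache. " + "Obtaining it from the authorization server.");
        String[] roles = getUserRolesFromOAuthToken(subject, accessToken, gatewayId);
        boolean authorizationDecision = hasPermission(roles, action);
        long currentTime = System.currentTimeMillis();
        // TODO get the actual token expiration time; until then the entry expires one hour
        // after it was cached, which may outlive the token itself.
        long cacheExpiry = currentTime + 1000 * 60 * 60;
        authzCacheManager.addToAuthzCache(cacheIndex, new AuthzCacheEntry(authorizationDecision, cacheExpiry, currentTime));
        return authorizationDecision;
    } catch (AiravataSecurityException e) {
        // already carries a precise message; do not wrap it a second time
        throw e;
    } catch (Exception e) {
        // covers ApplicationSettingsException and anything thrown by the role lookup;
        // log through the logger rather than printStackTrace() so it reaches the server log
        logger.error("Error while authorizing " + subject + " for " + action, e);
        throw new AiravataSecurityException(e.getMessage(), e);
    }
}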
use of org.apache.airavata.common.exception.ApplicationSettingsException in project airavata by apache.
the class TenantManagementKeycloakImpl method updateUserProfile.
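/**
 * Updates first name, last name and primary e-mail of an existing Keycloak user.
 *
 * <p>The user is looked up by user name in the tenant's realm; only an exact user-name match is
 * updated so that a broader search result can never redirect the update to another account.
 *
 * @param realmAdminCreds credentials of the realm administrator used to talk to Keycloak
 * @param tenantId the Keycloak realm
 * @param username the user name to update
 * @param userDetails the new profile values; the first entry of {@code getEmails()} becomes the e-mail
 * @throws IamAdminServicesException if the user is not found, the profile carries no e-mail,
 *         the IAM server URL cannot be read, or the Keycloak call fails
 */
@Override
public void updateUserProfile(PasswordCredential realmAdminCreds, String tenantId, String username, UserProfile userDetails) throws IamAdminServicesException {
    Keycloak client = null;
    try {
        client = TenantManagementKeycloakImpl.getClient(ServerSettings.getIamServerUrl(), tenantId, realmAdminCreds);
        List<UserRepresentation> matches = client.realm(tenantId).users().search(username, null, null, null, 0, 1);
        // Depending on the Keycloak version, search() may match on part of the user name rather
        // than the whole of it, so the first hit is not necessarily the requested user. Insist on
        // an exact match (ignoring case, since Keycloak stores user names in lower case).
        if (matches.isEmpty() || !username.equalsIgnoreCase(matches.get(0).getUsername())) {
            throw new IamAdminServicesException("User [" + username + "] wasn't found in Keycloak!");
        }
        UserRepresentation userRepresentation = matches.get(0);
        userRepresentation.setFirstName(userDetails.getFirstName());
        userRepresentation.setLastName(userDetails.getLastName());
        List<String> emails = userDetails.getEmails();
        if (emails == null || emails.isEmpty()) {
            // previously surfaced as an index-out-of-bounds wrapped in a generic message
            throw new IamAdminServicesException("User [" + username + "] profile has no email address!");
        }
        userRepresentation.setEmail(emails.get(0));
        UserResource userResource = client.realm(tenantId).users().get(userRepresentation.getId());
        userResource.update(userRepresentation);
    } catch (IamAdminServicesException ex) {
        // raised above with a precise message; the generic handler below must not re-wrap it
        throw ex;
    } catch (ApplicationSettingsException ex) {
        logger.error("Error getting values from property file, reason: " + ex.getMessage(), ex);
        IamAdminServicesException exception = new IamAdminServicesException();
        exception.setMessage("Error getting values from property file, reason " + ex.getMessage());
        exception.initCause(ex);
        throw exception;
    } catch (Exception ex) {
        logger.error("Error updating user profile in keycloak server, reason: " + ex.getMessage(), ex);
        IamAdminServicesException exception = new IamAdminServicesException();
        exception.setMessage("Error updating user profile in keycloak server, reason: " + ex.getMessage());
        exception.initCause(ex);
        throw exception;
    } finally {
        if (client != null) {
            client.close();
        }
    }
}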