Example 16 with ProcessedClaim
use of org.apache.cxf.sts.claims.ProcessedClaim in project cxf by apache.
the class LDAPClaimsTest method testMultiUserBaseDNs.
@org.junit.Test
public void testMultiUserBaseDNs() throws Exception {
LdapClaimsHandler claimsHandler = (LdapClaimsHandler) appContext.getBean("testClaimsHandlerMultipleUserBaseDNs");
ClaimsManager claimsManager = new ClaimsManager();
claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
String user = props.getProperty("claimUser");
Assert.assertNotNull(user, "Property 'claimUser' not configured");
String otherUser = props.getProperty("otherClaimUser");
Assert.assertNotNull(otherUser, "Property 'otherClaimUser' not configured");
ClaimCollection requestedClaims = createRequestClaimCollection();
List<URI> expectedClaims = new ArrayList<>();
expectedClaims.add(ClaimTypes.FIRSTNAME);
expectedClaims.add(ClaimTypes.LASTNAME);
expectedClaims.add(ClaimTypes.EMAILADDRESS);
// First user
ClaimsParameters params = new ClaimsParameters();
params.setPrincipal(new CustomTokenPrincipal(user));
ProcessedClaimCollection retrievedClaims = claimsManager.retrieveClaimValues(requestedClaims, params);
Assert.assertTrue("Retrieved number of claims [" + retrievedClaims.size() + "] doesn't match with expected [" + expectedClaims.size() + "]", retrievedClaims.size() == expectedClaims.size());
for (ProcessedClaim c : retrievedClaims) {
if (expectedClaims.contains(c.getClaimType())) {
expectedClaims.remove(c.getClaimType());
} else {
Assert.assertTrue("Claim '" + c.getClaimType() + "' not requested", false);
}
}
// Second user
params.setPrincipal(new CustomTokenPrincipal(otherUser));
retrievedClaims = claimsManager.retrieveClaimValues(requestedClaims, params);
expectedClaims.add(ClaimTypes.FIRSTNAME);
expectedClaims.add(ClaimTypes.LASTNAME);
expectedClaims.add(ClaimTypes.EMAILADDRESS);
Assert.assertTrue("Retrieved number of claims [" + retrievedClaims.size() + "] doesn't match with expected [" + expectedClaims.size() + "]", retrievedClaims.size() == expectedClaims.size());
for (ProcessedClaim c : retrievedClaims) {
if (expectedClaims.contains(c.getClaimType())) {
expectedClaims.remove(c.getClaimType());
} else {
Assert.assertTrue("Claim '" + c.getClaimType() + "' not requested", false);
}
}
}
Also used :
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
ArrayList(java.util.ArrayList)
LdapClaimsHandler(org.apache.cxf.sts.claims.LdapClaimsHandler)
ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
URI(java.net.URI)
ClaimsParameters(org.apache.cxf.sts.claims.ClaimsParameters)
Example 17 with ProcessedClaim
use of org.apache.cxf.sts.claims.ProcessedClaim in project cxf by apache.
the class LDAPClaimsTest method testRetrieveClaims.
@org.junit.Test
public void testRetrieveClaims() throws Exception {
LdapClaimsHandler claimsHandler = (LdapClaimsHandler) appContext.getBean("testClaimsHandler");
ClaimsManager claimsManager = new ClaimsManager();
claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
String user = props.getProperty("claimUser");
Assert.assertNotNull(user, "Property 'claimUser' not configured");
ClaimCollection requestedClaims = createRequestClaimCollection();
List<URI> expectedClaims = new ArrayList<>();
expectedClaims.add(ClaimTypes.FIRSTNAME);
expectedClaims.add(ClaimTypes.LASTNAME);
expectedClaims.add(ClaimTypes.EMAILADDRESS);
ClaimsParameters params = new ClaimsParameters();
params.setPrincipal(new CustomTokenPrincipal(user));
ProcessedClaimCollection retrievedClaims = claimsManager.retrieveClaimValues(requestedClaims, params);
Assert.assertTrue("Retrieved number of claims [" + retrievedClaims.size() + "] doesn't match with expected [" + expectedClaims.size() + "]", retrievedClaims.size() == expectedClaims.size());
for (ProcessedClaim c : retrievedClaims) {
if (expectedClaims.contains(c.getClaimType())) {
expectedClaims.remove(c.getClaimType());
} else {
Assert.assertTrue("Claim '" + c.getClaimType() + "' not requested", false);
}
}
}
Also used :
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
ArrayList(java.util.ArrayList)
LdapClaimsHandler(org.apache.cxf.sts.claims.LdapClaimsHandler)
ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
URI(java.net.URI)
ClaimsParameters(org.apache.cxf.sts.claims.ClaimsParameters)
Example 18 with ProcessedClaim
use of org.apache.cxf.sts.claims.ProcessedClaim in project cas by apereo.
the class WrappingSecurityTokenServiceClaimsHandler method retrieveClaimValues.
@Override
public ProcessedClaimCollection retrieveClaimValues(final ClaimCollection claims, final ClaimsParameters parameters) {
if (parameters.getRealm() == null || !parameters.getRealm().equalsIgnoreCase(this.handlerRealm)) {
LOGGER.warn("Realm [{}] doesn't match with configured realm [{}]", parameters.getRealm(), this.handlerRealm);
return new ProcessedClaimCollection();
}
if (parameters.getPrincipal() == null) {
LOGGER.warn("No principal could be identified in the claim parameters request");
return new ProcessedClaimCollection();
}
if (claims == null || claims.isEmpty()) {
LOGGER.warn("No claims are available to process");
return new ProcessedClaimCollection();
}
final ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
claims.stream().map(requestClaim -> {
final ProcessedClaim claim = new ProcessedClaim();
claim.setClaimType(requestClaim.getClaimType());
claim.setIssuer(this.issuer);
claim.setOriginalIssuer(this.issuer);
claim.setValues(requestClaim.getValues());
return claim;
}).forEach(claimCollection::add);
return claimCollection;
}
Also used :
ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler)
Getter(lombok.Getter)
ClaimsParameters(org.apache.cxf.sts.claims.ClaimsParameters)
Collectors(java.util.stream.Collectors)
RealmSupport(org.apache.cxf.sts.token.realm.RealmSupport)
WSFederationClaims(org.apereo.cas.ws.idp.WSFederationClaims)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
CollectionUtils(org.apereo.cas.util.CollectionUtils)
UriBuilder(javax.ws.rs.core.UriBuilder)
URI(java.net.URI)
AllArgsConstructor(lombok.AllArgsConstructor)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
Example 19 with ProcessedClaim
use of org.apache.cxf.sts.claims.ProcessedClaim in project ddf by codice.
the class LdapClaimsHandler method retrieveClaimValues.
@Override
public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims, ClaimsParameters parameters) {
Principal principal = parameters.getPrincipal();
String user = AttributeMapLoader.getUser(principal);
if (user == null) {
LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
return new ProcessedClaimCollection();
}
ProcessedClaimCollection claimsColl = new ProcessedClaimCollection();
Connection connection = null;
try {
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("objectclass", this.getObjectClass())).and(new EqualsFilter(this.getUserNameAttribute(), user));
List<String> searchAttributeList = new ArrayList<String>();
for (Claim claim : claims) {
if (getClaimsLdapAttributeMapping().keySet().contains(claim.getClaimType().toString())) {
searchAttributeList.add(getClaimsLdapAttributeMapping().get(claim.getClaimType().toString()));
} else {
LOGGER.debug("Unsupported claim: {}", claim.getClaimType());
}
}
String[] searchAttributes = null;
searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
connection = connectionFactory.getConnection();
if (connection != null) {
BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
BindResult bindResult = connection.bind(request);
if (bindResult.isSuccess()) {
String baseDN = AttributeMapLoader.getBaseDN(principal, getUserBaseDN(), overrideCertDn);
LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", baseDN, filter.toString());
ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), searchAttributes);
SearchResultEntry entry;
while (entryReader.hasNext()) {
entry = entryReader.readEntry();
for (Claim claim : claims) {
URI claimType = claim.getClaimType();
String ldapAttribute = getClaimsLdapAttributeMapping().get(claimType.toString());
Attribute attr = entry.getAttribute(ldapAttribute);
if (attr == null) {
LOGGER.trace("Claim '{}' is null", claim.getClaimType());
} else {
ProcessedClaim c = new ProcessedClaim();
c.setClaimType(claimType);
c.setPrincipal(principal);
for (ByteString value : attr) {
String itemValue = value.toString();
if (this.isX500FilterEnabled()) {
try {
X500Principal x500p = new X500Principal(itemValue);
itemValue = x500p.getName();
int index = itemValue.indexOf('=');
itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
} catch (Exception ex) {
// Ignore, not X500 compliant thus use the whole
// string as the value
LOGGER.debug("Not X500 compliant", ex);
}
}
c.addValue(itemValue);
}
claimsColl.add(c);
}
}
}
} else {
LOGGER.info("LDAP Connection failed.");
}
}
} catch (LdapException e) {
LOGGER.info("Cannot connect to server, therefore unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
LOGGER.debug("Cannot connect to server, therefore unable to set user attributes.", e);
} catch (SearchResultReferenceIOException e) {
LOGGER.info("Unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
LOGGER.debug("Unable to set user attributes.", e);
} finally {
if (connection != null) {
connection.close();
}
}
return claimsColl;
}
Also used :
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
Attribute(org.forgerock.opendj.ldap.Attribute)
ByteString(org.forgerock.opendj.ldap.ByteString)
Connection(org.forgerock.opendj.ldap.Connection)
ArrayList(java.util.ArrayList)
BindRequest(org.forgerock.opendj.ldap.requests.BindRequest)
ByteString(org.forgerock.opendj.ldap.ByteString)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
URI(java.net.URI)
LdapException(org.forgerock.opendj.ldap.LdapException)
SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException)
AndFilter(org.springframework.ldap.filter.AndFilter)
ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
BindResult(org.forgerock.opendj.ldap.responses.BindResult)
X500Principal(javax.security.auth.x500.X500Principal)
EqualsFilter(org.springframework.ldap.filter.EqualsFilter)
LdapException(org.forgerock.opendj.ldap.LdapException)
X500Principal(javax.security.auth.x500.X500Principal)
Principal(java.security.Principal)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
Claim(org.apache.cxf.rt.security.claims.Claim)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
Example 20 with ProcessedClaim
use of org.apache.cxf.sts.claims.ProcessedClaim in project ddf by codice.
the class RoleClaimsHandlerTest method testRetrieveClaimsValuesNotNullPrincipal.
@Test
public void testRetrieveClaimsValuesNotNullPrincipal() throws LdapException, SearchResultReferenceIOException {
BindResult bindResult = mock(BindResult.class);
ClaimsParameters claimsParameters;
Connection connection = mock(Connection.class);
ConnectionEntryReader membershipReader = mock(ConnectionEntryReader.class);
ConnectionEntryReader groupNameReader = mock(ConnectionEntryReader.class);
LDAPConnectionFactory connectionFactory = PowerMockito.mock(LDAPConnectionFactory.class);
LinkedAttribute membershipAttribute = new LinkedAttribute("uid");
LinkedAttribute groupNameAttribute = new LinkedAttribute("cn");
ProcessedClaimCollection processedClaims;
RoleClaimsHandler claimsHandler;
SearchResultEntry membershipSearchResult = mock(SearchResultEntry.class);
SearchResultEntry groupNameSearchResult = mock(SearchResultEntry.class);
String groupName = "avengers";
when(bindResult.isSuccess()).thenReturn(true);
membershipAttribute.add("tstark");
when(membershipSearchResult.getAttribute(anyString())).thenReturn(membershipAttribute);
// hasNext() returns 'true' the first time, then 'false' every time after.
when(membershipReader.hasNext()).thenReturn(true, false);
when(membershipReader.readEntry()).thenReturn(membershipSearchResult);
groupNameAttribute.add(groupName);
when(groupNameSearchResult.getAttribute(anyString())).thenReturn(groupNameAttribute);
when(groupNameReader.hasNext()).thenReturn(true, false);
when(groupNameReader.readEntry()).thenReturn(groupNameSearchResult);
when(connection.bind(anyObject())).thenReturn(bindResult);
when(connection.search(anyObject(), anyObject(), eq("(&(objectClass=groupOfNames)(member=uid=tstark,))"), anyVararg())).thenReturn(groupNameReader);
when(connection.search(anyString(), anyObject(), anyString(), matches("uid"))).thenReturn(membershipReader);
when(connectionFactory.getConnection()).thenReturn(connection);
claimsHandler = new RoleClaimsHandler();
claimsHandler.setLdapConnectionFactory(connectionFactory);
claimsHandler.setBindMethod("Simple");
claimsHandler.setBindUserCredentials("foo");
claimsHandler.setBindUserDN("bar");
claimsParameters = new ClaimsParameters();
claimsParameters.setPrincipal(new UserPrincipal(USER_CN));
ClaimCollection claimCollection = new ClaimCollection();
processedClaims = claimsHandler.retrieveClaimValues(claimCollection, claimsParameters);
assertThat(processedClaims, hasSize(1));
ProcessedClaim claim = processedClaims.get(0);
assertThat(claim.getPrincipal(), equalTo(new UserPrincipal(USER_CN)));
assertThat(claim.getValues(), hasSize(1));
assertThat(claim.getValues().get(0), equalTo(groupName));
}
Also used :
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
Connection(org.forgerock.opendj.ldap.Connection)
Matchers.anyString(org.mockito.Matchers.anyString)
UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal)
ClaimsParameters(org.apache.cxf.sts.claims.ClaimsParameters)
LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute)
ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader)
ProcessedClaim(org.apache.cxf.sts.claims.ProcessedClaim)
BindResult(org.forgerock.opendj.ldap.responses.BindResult)
LDAPConnectionFactory(org.forgerock.opendj.ldap.LDAPConnectionFactory)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection)
SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Test(org.junit.Test)
Aggregations
ProcessedClaim (org.apache.cxf.sts.claims.ProcessedClaim)46
ProcessedClaimCollection (org.apache.cxf.sts.claims.ProcessedClaimCollection)35
ArrayList (java.util.ArrayList)15
Claim (org.apache.cxf.rt.security.claims.Claim)12
Test (org.junit.Test)12
URI (java.net.URI)11
ClaimsParameters (org.apache.cxf.sts.claims.ClaimsParameters)9
ClaimCollection (org.apache.cxf.rt.security.claims.ClaimCollection)8
ClaimsManager (org.apache.cxf.sts.claims.ClaimsManager)6
CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)6
Principal (java.security.Principal)5
LdapClaimsHandler (org.apache.cxf.sts.claims.LdapClaimsHandler)5
List (java.util.List)4
X500Principal (javax.security.auth.x500.X500Principal)3
Connection (org.forgerock.opendj.ldap.Connection)3
BindResult (org.forgerock.opendj.ldap.responses.BindResult)3
SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)3
ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)3
GuestPrincipal (ddf.security.principal.GuestPrincipal)2
AttributeBean (org.apache.wss4j.common.saml.bean.AttributeBean)2
