Use of org.apache.shiro.authz.AuthorizationException in project killbill by killbill.
The class TestKillBillJdbcRealm, method testCustomPermissionsAcrossRealms.
@Test(groups = "slow")
public void testCustomPermissionsAcrossRealms() throws Exception {
    // A role mixing a built-in permission, a custom value inside a built-in group, and a fully custom one.
    final String roleName = "writer_off";
    final ImmutableList<String> grantedPermissions = ImmutableList.<String>of(Permission.INVOICE_CAN_DELETE_CBA.toString(), /* Built-in permission */
                                                                            "invoice:write_off", /* Built-in group but custom value */
                                                                            "acme:kb_dev");
    securityApi.addRoleDefinition(roleName, grantedPermissions, callContext);
    validateUserRoles(securityApi.getRoleDefinition(roleName, callContext), grantedPermissions);
    final List<String> storedDefinitions = securityApi.getRoleDefinition(roleName, callContext);
    Assert.assertEqualsNoOrder(storedDefinitions.toArray(), grantedPermissions.toArray());

    final String login = "tester";
    final String secret = "tester";
    securityApi.addUserRoles(login, secret, ImmutableList.<String>of(roleName), callContext);

    final AuthenticationToken validToken = new UsernamePasswordToken(login, secret);
    final Subject loggedIn = securityManager.login(null, validToken);
    try {
        ThreadContext.bind(loggedIn);

        // Permissions granted through the JDBC realm
        loggedIn.checkPermission(Permission.INVOICE_CAN_DELETE_CBA.toString());
        loggedIn.checkPermission("invoice:write_off");
        loggedIn.checkPermission("acme:kb_dev");

        // Permissions granted through the other Shiro realm configured for this test
        loggedIn.checkPermission("invoice:credit");
        loggedIn.checkPermission("customx:customy");

        // A permission granted by neither realm must be denied
        try {
            loggedIn.checkPermission("acme:kb_deployer");
            Assert.fail("Subject should not have rights to deploy Kill Bill");
        } catch (final AuthorizationException ignored) {
            // Expected: the denial itself is the assertion
        }

        // The aggregated view must be the union of what both realms grant
        final Set<String> expectedPermissions = new HashSet<String>(grantedPermissions);
        expectedPermissions.add("invoice:credit");
        expectedPermissions.add("customx:customy");
        final Set<String> actualPermissions = securityApi.getCurrentUserPermissions(callContext);
        Assert.assertEquals(actualPermissions, expectedPermissions);
    } finally {
        ThreadContext.unbindSubject();
        loggedIn.logout();
    }
}
Use of org.apache.shiro.authz.AuthorizationException in project shiro by apache.
The class TextConfigurationRealmTest, method testCheckPermission.
/*
 * Tests that a principal's permissions can't be checked while the realm is being loaded.
 */
@Test
public void testCheckPermission() throws InterruptedException {
    setUpForReadConfigurationTest();
    final Runnable permissionCheck = new Runnable() {
        public void run() {
            final PrincipalCollection principals = new SimplePrincipalCollection("user1", "realm1");
            final String[] bothPermissions = { "role1_permission1", "role2_permission2" };
            try {
                // Both the single and the bulk check must pass once the realm has finished loading
                realm.checkPermission(principals, "role1_permission1");
                realm.checkPermissions(principals, bothPermissions);
            } catch (AuthorizationException ae) {
                fail("principal doesn't have permission when it should");
            }
        }
    };
    executeTest(permissionCheck);
}
Use of org.apache.shiro.authz.AuthorizationException in project killbill by killbill.
The class KillBillAuth0Realm, method findAuth0UserPermissions.
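/**
 * Fetches the permission names assigned to an Auth0 user from the Auth0 Management API.
 *
 * @param userId Auth0 user id; it is URL-encoded before being placed in the request path
 * @param token  bearer token passed to {@code doGetRequest}
 * @return the set of {@code permission_name} string values found in the response (empty if none);
 *         entries whose {@code permission_name} is missing or not a string are skipped
 * @throws IllegalStateException  if UTF-8 is unsupported (cannot happen on a conforming JVM)
 * @throws AuthorizationException if the response body cannot be read or parsed
 */
private Set<String> findAuth0UserPermissions(final String userId, final String token) {
    final String path;
    try {
        path = "/api/v2/users/" + URLEncoder.encode(userId, "UTF-8") + "/permissions";
    } catch (final UnsupportedEncodingException e) {
        // Should never happen
        throw new IllegalStateException(e);
    }

    final Response auth0RawResponse = doGetRequest(path, token);
    try {
        final List<Map<String, Object>> auth0Response = mapper.readValue(auth0RawResponse.getResponseBodyAsStream(), new TypeReference<List<Map<String, Object>>>() {
        });
        final Set<String> permissions = new HashSet<String>();
        if (auth0Response == null) {
            // A literal JSON "null" body parses to null; treat it as "no permissions" rather than NPE
            return permissions;
        }
        for (final Map<String, Object> entry : auth0Response) {
            final Object permission = entry.get("permission_name");
            // The body is external input: only accept well-formed string values and fail closed (skip)
            // on anything else, instead of letting a ClassCastException escape the realm
            if (permission instanceof String) {
                permissions.add((String) permission);
            } else if (permission != null) {
                log.warn("Ignoring unexpected permission_name of type " + permission.getClass().getName() + " in Auth0 response");
            }
        }
        return permissions;
    } catch (final IOException e) {
        log.warn("Unable to read response from Auth0", e);
        throw new AuthorizationException(e);
    }
}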
Use of org.apache.shiro.authz.AuthorizationException in project killbill by killbill.
The class KillBillOktaRealm, method findOktaUserId.
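/**
 * Resolves an Okta login to its Okta user id via {@code GET /api/v1/users/{login}}.
 *
 * @param login Okta login; it is URL-encoded before being placed in the request path
 * @return the {@code id} field of the returned user record, or {@code null} when the field is absent
 * @throws IllegalStateException  if UTF-8 is unsupported (cannot happen on a conforming JVM)
 * @throws AuthorizationException if the response cannot be read or parsed, or if {@code id} is present
 *                                but not a string
 */
private String findOktaUserId(final String login) {
    final String path;
    try {
        path = "/api/v1/users/" + URLEncoder.encode(login, "UTF-8");
    } catch (final UnsupportedEncodingException e) {
        // Should never happen
        throw new IllegalStateException(e);
    }

    final Response oktaRawResponse = doGetRequest(path);
    try {
        final Map<String, Object> oktaResponse = mapper.readValue(oktaRawResponse.getResponseBodyAsStream(), new TypeReference<Map<String, Object>>() {
        });
        final Object id = oktaResponse == null ? null : oktaResponse.get("id");
        if (id == null) {
            return null;
        }
        if (!(id instanceof String)) {
            // Malformed upstream data: surface it as an authorization failure, not a ClassCastException
            throw new AuthorizationException("Unexpected type for Okta user id: " + id.getClass().getName());
        }
        return (String) id;
    } catch (final IOException e) {
        // Keep the cause in the log; without it the failure cannot be diagnosed
        log.warn("Unable to read response from Okta", e);
        throw new AuthorizationException(e);
    }
}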
Use of org.apache.shiro.authz.AuthorizationException in project killbill by killbill.
The class KillBillOktaRealm, method getGroups.
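/**
 * Extracts group names from an Okta groups response, i.e. a JSON array of group objects each carrying
 * a {@code profile} object with a {@code name}.
 *
 * @param oktaRawResponse raw HTTP response whose body is the Okta groups JSON array
 * @return the set of group names found (empty if none); entries without a {@code profile} object or
 *         without a string {@code profile.name} are skipped
 * @throws AuthorizationException if the response body cannot be read or parsed
 */
private Set<String> getGroups(final Response oktaRawResponse) {
    try {
        final List<Map<String, Object>> oktaResponse = mapper.readValue(oktaRawResponse.getResponseBodyAsStream(), new TypeReference<List<Map<String, Object>>>() {
        });
        final Set<String> groups = new HashSet<String>();
        if (oktaResponse == null) {
            // A literal JSON "null" body parses to null; treat it as "no groups" rather than NPE
            return groups;
        }
        for (final Map<String, Object> group : oktaResponse) {
            final Object groupProfile = group.get("profile");
            // instanceof already rejects null, so no separate null check is needed
            if (!(groupProfile instanceof Map)) {
                continue;
            }
            final Object name = ((Map<?, ?>) groupProfile).get("name");
            // The body is external input: a missing or non-string name must neither end up in the
            // set as null nor escape the realm as a ClassCastException
            if (name instanceof String) {
                groups.add((String) name);
            }
        }
        return groups;
    } catch (final IOException e) {
        // Keep the cause in the log; without it the failure cannot be diagnosed
        log.warn("Unable to read response from Okta", e);
        throw new AuthorizationException(e);
    }
}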