Example 61 with PrincipalCollection

Use of org.apache.shiro.subject.PrincipalCollection in the project ddf by codice.

The class SessionManagementServiceImplTest, method setup.

@Before
public void setup() throws ParserConfigurationException, SAXException, IOException, SecurityServiceException {
    request = mock(HttpServletRequest.class);
    // Principals currently stored in the session; empty at the start of each test
    principalCollection = new SimplePrincipalCollection();
    // Principals the security manager hands back after the token is re-validated
    refreshedPrincipalCollection = mock(PrincipalCollection.class);
    principalHolderMock = mock(PrincipalHolder.class);
    manager = mock(SecurityManager.class);
    sessionFactory = mock(SessionFactory.class);
    session = mock(HttpSession.class);
    Subject subject = mock(Subject.class);
    // getSession(false) returns the existing session and never creates a new one
    when(request.getSession(false)).thenReturn(session);
    when(principalHolderMock.getPrincipals()).thenReturn(principalCollection);
    when(manager.getSubject(isA(BaseAuthenticationToken.class))).thenReturn(subject);
    when(sessionFactory.getOrCreateSession(any())).thenReturn(session);
    // The session carries the principal holder under the security token key
    when(session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY)).thenReturn(principalHolderMock);
    // Sessions in this fixture never time out on their own
    when(session.getMaxInactiveInterval()).thenReturn(Integer.MAX_VALUE);
    when(subject.getPrincipals()).thenReturn(refreshedPrincipalCollection);
    sessionManagementServiceImpl = new SessionManagementServiceImpl();
    sessionManagementServiceImpl.setSessionFactory(sessionFactory);
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), SessionFactory (ddf.security.http.SessionFactory), SecurityManager (ddf.security.service.SecurityManager), HttpSession (javax.servlet.http.HttpSession), BaseAuthenticationToken (org.codice.ddf.security.handler.BaseAuthenticationToken), SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), PrincipalHolder (ddf.security.common.PrincipalHolder), Subject (ddf.security.Subject), Before (org.junit.Before)

Example 62 with PrincipalCollection

Use of org.apache.shiro.subject.PrincipalCollection in the project ddf by codice.

The class WebSSOFilterTest, method testDoFilterGetResultFromSession.

@Test
public void testDoFilterGetResultFromSession() throws Exception {
    // A session that already holds authenticated principals
    PrincipalCollection principalCollectionMock = mock(PrincipalCollection.class);
    when(principalCollectionMock.byType(any())).thenReturn(Collections.singletonList("principal"));
    PrincipalHolder principalHolderMock = mock(PrincipalHolder.class);
    when(principalHolderMock.getPrincipals()).thenReturn(principalCollectionMock);
    HttpSession sessionMock = mock(HttpSession.class);
    when(sessionMock.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(principalHolderMock);
    HttpServletRequest requestMock = mock(HttpServletRequest.class);
    when(requestMock.getSession(any(Boolean.class))).thenReturn(sessionMock);
    when(requestMock.getRequestURI()).thenReturn(MOCK_CONTEXT);
    when(requestMock.getRequestedSessionId()).thenReturn("JSESSIONID");
    HttpServletResponse responseMock = mock(HttpServletResponse.class);
    // Context policy: sessions may be used for access and this context is not whitelisted
    ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
    when(policyManager.getSessionAccess()).thenReturn(true);
    when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
    ContextPolicy testPolicy = mock(ContextPolicy.class);
    when(testPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
    when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(testPolicy);
    // A handler that would authenticate the request if it were consulted
    AuthenticationHandler handlerMock = mock(AuthenticationHandler.class);
    when(handlerMock.getAuthenticationType()).thenReturn("basic");
    HandlerResult completedResult = mock(HandlerResult.class);
    when(completedResult.getStatus()).thenReturn(Status.COMPLETED);
    when(completedResult.getToken()).thenReturn(mock(BaseAuthenticationToken.class));
    when(handlerMock.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(SecurityFilterChain.class), anyBoolean())).thenReturn(completedResult);
    SecurityFilterChain filterChain = mock(SecurityFilterChain.class);
    WebSSOFilter filter = new WebSSOFilter();
    filter.setContextPolicyManager(policyManager);
    filter.setHandlerList(Collections.singletonList(handlerMock));
    filter.doFilter(requestMock, responseMock, filterChain);
    // The filter reads the principals from the session, skips the handler entirely,
    // and still attaches an authentication token to the request
    verify(sessionMock, times(1)).getAttribute(SECURITY_TOKEN_KEY);
    verify(handlerMock, times(0)).getNormalizedToken(any(), any(), any(), anyBoolean());
    verify(requestMock, times(1)).setAttribute(eq(AUTHENTICATION_TOKEN_KEY), any());
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), ServletRequest (javax.servlet.ServletRequest), HttpServletResponse (javax.servlet.http.HttpServletResponse), ServletResponse (javax.servlet.ServletResponse), HttpSession (javax.servlet.http.HttpSession), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), HandlerResult (org.codice.ddf.security.handler.api.HandlerResult), ContextPolicy (org.codice.ddf.security.policy.context.ContextPolicy), ContextPolicyManager (org.codice.ddf.security.policy.context.ContextPolicyManager), SecurityFilterChain (org.codice.ddf.platform.filter.SecurityFilterChain), BaseAuthenticationToken (org.codice.ddf.security.handler.BaseAuthenticationToken), AuthenticationHandler (org.codice.ddf.security.handler.api.AuthenticationHandler), Mockito.anyBoolean (org.mockito.Mockito.anyBoolean), PrincipalHolder (ddf.security.common.PrincipalHolder), Test (org.junit.Test)

Example 63 with PrincipalCollection

Use of org.apache.shiro.subject.PrincipalCollection in the project ddf by codice.

The class LoginFilter, method addToSession.

/**
 * Attaches a subject to the HttpSession associated with an HttpRequest. If a session does not
 * already exist, one will be created.
 *
 * @param httpRequest HttpRequest associated with an HttpSession to attach the Subject to
 * @param subject Subject to attach to request
 */
private void addToSession(HttpServletRequest httpRequest, Subject subject) {
    // getSession creates the session (and its principal holder) when none exists yet
    HttpSession session = getSession(httpRequest);
    PrincipalCollection principals = subject.getPrincipals();
    PrincipalHolder principalHolder = (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
    PrincipalCollection oldPrincipals = principalHolder.getPrincipals();
    // Only overwrite the stored principals when the subject's principals have changed
    if (!principals.equals(oldPrincipals)) {
        principalHolder.setPrincipals(principals);
    }
}
Also used: HttpSession (javax.servlet.http.HttpSession), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), PrincipalHolder (ddf.security.common.PrincipalHolder)

Example 64 with PrincipalCollection

Use of org.apache.shiro.subject.PrincipalCollection in the project ddf by codice.

The class AuthzRealmTest, method testIsPermittedOneMultiple.

@Test
public void testIsPermittedOneMultiple() throws PdpException {
    permissionList.clear();
    // The permission being requested: country must be one of AUS, CAN or GBR
    KeyValuePermission kvp = new KeyValuePermissionImpl("country", Arrays.asList("AUS", "CAN", "GBR"));
    permissionList.add(kvp);
    String ruleClaim = "FineAccessControls";
    String countryClaim = "CountryOfAffiliation";
    // create a new user here with multiple country permissions to test
    List<Permission> permissions = new ArrayList<Permission>();
    KeyValuePermission rulePermission = new KeyValuePermissionImpl(ruleClaim);
    rulePermission.addValue("A");
    rulePermission.addValue("B");
    permissions.add(rulePermission);
    // The user is affiliated with USA and AUS; AUS overlaps with the requested values
    KeyValuePermission countryPermission = new KeyValuePermissionImpl(countryClaim);
    countryPermission.addValue("USA");
    countryPermission.addValue("AUS");
    permissions.add(countryPermission);
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.addObjectPermission(rulePermission);
    authorizationInfo.addObjectPermission(countryPermission);
    authorizationInfo.addRole("admin");
    // Override the realm so it returns the authorization info built above for any principals
    AuthzRealm testRealm = new AuthzRealm("src/test/resources/policies", new XmlParser()) {

        @Override
        public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
            return authorizationInfo;
        }
    };
    testRealm.setSecurityLogger(mock(SecurityLogger.class));
    // Match-one: any shared value between the claim and the permission is sufficient
    testRealm.setMatchOneMappings(Arrays.asList("CountryOfAffiliation=country"));
    // Match-all: every requested value must be present in the claim
    testRealm.setMatchAllMappings(Arrays.asList("FineAccessControls=rule"));
    testRealm.setRolePermissionResolver(roleString -> Arrays.asList(new KeyValuePermissionImpl("role", Arrays.asList(roleString))));
    boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
    for (boolean permitted : permittedArray) {
        Assert.assertTrue(permitted);
    }
}
Also used: XmlParser (org.codice.ddf.parser.xml.XmlParser), AuthzRealm (ddf.security.pdp.realm.AuthzRealm), SimpleAuthorizationInfo (org.apache.shiro.authz.SimpleAuthorizationInfo), ArrayList (java.util.ArrayList), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), KeyValuePermissionImpl (ddf.security.permission.impl.KeyValuePermissionImpl), CollectionPermission (ddf.security.permission.CollectionPermission), KeyValuePermission (ddf.security.permission.KeyValuePermission), Permission (org.apache.shiro.authz.Permission), WildcardPermission (org.apache.shiro.authz.permission.WildcardPermission), KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission), SecurityLogger (ddf.security.audit.SecurityLogger), Test (org.junit.Test)

Example 65 with PrincipalCollection

Use of org.apache.shiro.subject.PrincipalCollection in the project ddf by codice.

The class GuestRealmTest, method testDoGetAuthenticationInfo.

@Test
public void testDoGetAuthenticationInfo() {
    BaseAuthenticationToken baseAuthenticationToken = new MockBaseAuthenticationToken("principal", "credentials", "0.0.0.0");
    baseAuthenticationToken.setAllowGuest(true);
    AuthenticationInfo authenticationInfo = guestRealm.doGetAuthenticationInfo(baseAuthenticationToken);
    assertEquals(baseAuthenticationToken.getCredentials(), authenticationInfo.getCredentials());
    // The guest realm yields two principals: the guest name (with the client address)
    // and a SecurityAssertion carrying the configured guest claims
    PrincipalCollection principals = authenticationInfo.getPrincipals();
    assertEquals(2, principals.asList().size());
    Iterator<?> iterator = principals.iterator();
    assertEquals("Guest@0.0.0.0", iterator.next());
    Object next = iterator.next();
    assertTrue(next instanceof SecurityAssertion);
    SecurityAssertion securityAssertion = (SecurityAssertion) next;
    assertEquals(2, securityAssertion.getAttributeStatements().get(0).getAttributes().size());
    boolean claim1 = false;
    boolean claim2 = false;
    boolean claim3 = false;
    boolean claim4 = false;
    for (Attribute attribute : securityAssertion.getAttributeStatements().get(0).getAttributes()) {
        if (attribute.getName().equals("claim1")) {
            claim1 = true;
            assertEquals("value1", attribute.getValues().get(0));
        }
        if (attribute.getName().equals("claim2")) {
            claim2 = true;
            assertTrue(attribute.getValues().stream().anyMatch(v -> v.equals("value2")));
            assertTrue(attribute.getValues().stream().anyMatch(v -> v.equals("value3")));
        }
        // Malformed claim entries must not surface as attributes on the assertion
        if (attribute.getName().equals(":")) {
            claim3 = true;
        }
        if (attribute.getName().equals("bad")) {
            claim4 = true;
        }
    }
    assertTrue(claim1);
    assertTrue(claim2);
    assertFalse(claim3);
    assertFalse(claim4);
    // Each authentication produces a fresh AuthenticationInfo rather than a shared instance
    AuthenticationInfo newAuthenticationInfo = guestRealm.doGetAuthenticationInfo(baseAuthenticationToken);
    assertNotSame(authenticationInfo, newAuthenticationInfo);
}
Also used: SecurityAssertion (ddf.security.assertion.SecurityAssertion), AuthenticationInfo (org.apache.shiro.authc.AuthenticationInfo), Arrays (java.util.Arrays), Attribute (ddf.security.assertion.Attribute), Iterator (java.util.Iterator), BeforeClass (org.junit.BeforeClass), SecurityLogger (ddf.security.audit.SecurityLogger), Assert.assertNotSame (org.junit.Assert.assertNotSame), Assert.assertTrue (org.junit.Assert.assertTrue), AuthenticationToken (org.apache.shiro.authc.AuthenticationToken), Test (org.junit.Test), Assert.assertFalse (org.junit.Assert.assertFalse), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), BaseAuthenticationToken (org.codice.ddf.security.handler.BaseAuthenticationToken), Assert.assertEquals (org.junit.Assert.assertEquals), Mockito.mock (org.mockito.Mockito.mock)
