Search in sources :

Example 31 with SyncopeClient

use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.

the class JWTITCase method thirdPartyTokenUnknownIssuer.

@Test
public void thirdPartyTokenUnknownIssuer() throws ParseException {
    // Create a new token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;
    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);
    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject("puccini@apache.org");
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER + "_");
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);
    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.HS512);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
    JwsSignatureProvider jwsSignatureProvider = new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), SignatureAlgorithm.HS512);
    String signed = producer.signWith(jwsSignatureProvider);
    SyncopeClient jwtClient = clientFactory.create(signed);
    try {
        jwtClient.self();
        fail("Failure expected on an unknown issuer");
    } catch (AccessControlException ex) {
    // expected
    }
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) Calendar(java.util.Calendar) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) AccessControlException(java.security.AccessControlException) Date(java.util.Date) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider) NoneJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) Test(org.junit.jupiter.api.Test)

Example 32 with SyncopeClient

use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.

the class JWTITCase method noneSignature.

@Test
public void noneSignature() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);
    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();
    // Create a new token using the Id of the first token
    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(consumer.getJwtClaims().getSubject());
    jwtClaims.setIssuedAt(consumer.getJwtClaims().getIssuedAt());
    jwtClaims.setIssuer(consumer.getJwtClaims().getIssuer());
    jwtClaims.setExpiryTime(consumer.getJwtClaims().getExpiryTime());
    jwtClaims.setNotBefore(consumer.getJwtClaims().getNotBefore());
    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.NONE);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
    JwsSignatureProvider jwsSignatureProvider = new NoneJwsSignatureProvider();
    String signed = producer.signWith(jwsSignatureProvider);
    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on no signature");
    } catch (AccessControlException ex) {
    // expected
    }
}
Also used : JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) UserSelfService(org.apache.syncope.common.rest.api.service.UserSelfService) AccessControlException(java.security.AccessControlException) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) Response(javax.ws.rs.core.Response) JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) AccessTokenService(org.apache.syncope.common.rest.api.service.AccessTokenService) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) NoneJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider) NoneJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) Test(org.junit.jupiter.api.Test)

Example 33 with SyncopeClient

use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.

the class JWTITCase method tokenValidation.

@Test
public void tokenValidation() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);
    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();
    // Create a new token using the Id of the first token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;
    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);
    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(JWT_ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);
    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.HS512);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
    JwsSignatureProvider jwsSignatureProvider = new HmacJwsSignatureProvider(JWS_KEY.getBytes(), SignatureAlgorithm.HS512);
    String signed = producer.signWith(jwsSignatureProvider);
    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    jwtUserSelfService.read();
}
Also used : JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) UserSelfService(org.apache.syncope.common.rest.api.service.UserSelfService) Calendar(java.util.Calendar) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) Date(java.util.Date) Response(javax.ws.rs.core.Response) JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) AccessTokenService(org.apache.syncope.common.rest.api.service.AccessTokenService) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider) NoneJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider) HmacJwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider) Test(org.junit.jupiter.api.Test)

Example 34 with SyncopeClient

use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.

the class DynRealmITCase method delegatedAdmin.

@Test
public void delegatedAdmin() {
    DynRealmTO dynRealm = null;
    RoleTO role = null;
    try {
        // 1. create dynamic realm for all users and groups having resource-ldap assigned
        dynRealm = new DynRealmTO();
        dynRealm.setKey("LDAPLovers" + getUUIDString());
        dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "$resources==resource-ldap");
        dynRealm.getDynMembershipConds().put(AnyTypeKind.GROUP.name(), "$resources==resource-ldap");
        Response response = dynRealmService.create(dynRealm);
        dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
        assertNotNull(dynRealm);
        // 2. create role for such dynamic realm
        role = new RoleTO();
        role.setKey("Administer LDAP" + getUUIDString());
        role.getEntitlements().add(StandardEntitlement.USER_SEARCH);
        role.getEntitlements().add(StandardEntitlement.USER_READ);
        role.getEntitlements().add(StandardEntitlement.USER_UPDATE);
        role.getEntitlements().add(StandardEntitlement.GROUP_READ);
        role.getEntitlements().add(StandardEntitlement.GROUP_UPDATE);
        role.getDynRealms().add(dynRealm.getKey());
        role = createRole(role);
        assertNotNull(role);
        // 3. create new user and assign the new role
        UserTO dynRealmAdmin = UserITCase.getUniqueSampleTO("dynRealmAdmin@apache.org");
        dynRealmAdmin.setPassword("password123");
        dynRealmAdmin.getRoles().add(role.getKey());
        dynRealmAdmin = createUser(dynRealmAdmin).getEntity();
        assertNotNull(dynRealmAdmin);
        // 4. create new user and group, assign resource-ldap
        UserTO user = UserITCase.getUniqueSampleTO("dynRealmUser@apache.org");
        user.setRealm("/even/two");
        user.getResources().clear();
        user.getResources().add(RESOURCE_NAME_LDAP);
        user = createUser(user).getEntity();
        assertNotNull(user);
        final String userKey = user.getKey();
        GroupTO group = GroupITCase.getSampleTO("dynRealmGroup");
        group.setRealm("/odd");
        group.getResources().clear();
        group.getResources().add(RESOURCE_NAME_LDAP);
        group = createGroup(group).getEntity();
        assertNotNull(group);
        final String groupKey = group.getKey();
        if (ElasticsearchDetector.isElasticSearchEnabled(syncopeService)) {
            try {
                Thread.sleep(2000);
            } catch (InterruptedException ex) {
            // ignore
            }
        }
        // 5. verify that the new user and group are found when searching by dynamic realm
        PagedResult<UserTO> matchingUsers = userService.search(new AnyQuery.Builder().realm("/").fiql(SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
        assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));
        PagedResult<GroupTO> matchingGroups = groupService.search(new AnyQuery.Builder().realm("/").fiql(SyncopeClient.getGroupSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
        assertTrue(matchingGroups.getResult().stream().anyMatch(object -> object.getKey().equals(groupKey)));
        // 6. prepare to act as delegated admin
        SyncopeClient delegatedClient = clientFactory.create(dynRealmAdmin.getUsername(), "password123");
        UserService delegatedUserService = delegatedClient.getService(UserService.class);
        GroupService delegatedGroupService = delegatedClient.getService(GroupService.class);
        // 7. verify delegated administration
        // USER_READ
        assertNotNull(delegatedUserService.read(userKey));
        // GROUP_READ
        assertNotNull(delegatedGroupService.read(groupKey));
        // USER_SEARCH
        matchingUsers = delegatedUserService.search(new AnyQuery.Builder().realm("/").build());
        assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));
        // USER_UPDATE
        UserPatch userPatch = new UserPatch();
        userPatch.setKey(userKey);
        userPatch.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_LDAP).operation(PatchOperation.DELETE).build());
        // this will fail because unassigning resource-ldap would result in removing the user from the dynamic realm
        try {
            delegatedUserService.update(userPatch);
            fail("This should not happen");
        } catch (SyncopeClientException e) {
            assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
        }
        // this will succeed instead
        userPatch.getResources().clear();
        userPatch.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_NOPROPAGATION).build());
        user = delegatedUserService.update(userPatch).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
        }).getEntity();
        assertNotNull(user);
        assertTrue(user.getResources().contains(RESOURCE_NAME_NOPROPAGATION));
        // GROUP_UPDATE
        GroupPatch groupPatch = new GroupPatch();
        groupPatch.setKey(groupKey);
        groupPatch.getPlainAttrs().add(new AttrPatch.Builder().attrTO(attrTO("icon", "modified")).build());
        group = delegatedGroupService.update(groupPatch).readEntity(new GenericType<ProvisioningResult<GroupTO>>() {
        }).getEntity();
        assertNotNull(group);
        assertEquals("modified", group.getPlainAttr("icon").get().getValues().get(0));
    } finally {
        if (role != null) {
            roleService.delete(role.getKey());
        }
        if (dynRealm != null) {
            dynRealmService.delete(dynRealm.getKey());
        }
    }
}
Also used : Assertions.fail(org.junit.jupiter.api.Assertions.fail) Assertions.assertNotNull(org.junit.jupiter.api.Assertions.assertNotNull) StringPatchItem(org.apache.syncope.common.lib.patch.StringPatchItem) StandardEntitlement(org.apache.syncope.common.lib.types.StandardEntitlement) DynRealmTO(org.apache.syncope.common.lib.to.DynRealmTO) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) ElasticsearchDetector(org.apache.syncope.fit.ElasticsearchDetector) UserService(org.apache.syncope.common.rest.api.service.UserService) GroupService(org.apache.syncope.common.rest.api.service.GroupService) Assertions.assertNotEquals(org.junit.jupiter.api.Assertions.assertNotEquals) UserPatch(org.apache.syncope.common.lib.patch.UserPatch) ProvisioningResult(org.apache.syncope.common.lib.to.ProvisioningResult) DynRealmService(org.apache.syncope.common.rest.api.service.DynRealmService) AnyTypeKind(org.apache.syncope.common.lib.types.AnyTypeKind) GroupPatch(org.apache.syncope.common.lib.patch.GroupPatch) RoleTO(org.apache.syncope.common.lib.to.RoleTO) ClientExceptionType(org.apache.syncope.common.lib.types.ClientExceptionType) Assertions.assertEquals(org.junit.jupiter.api.Assertions.assertEquals) AbstractITCase(org.apache.syncope.fit.AbstractITCase) AnyQuery(org.apache.syncope.common.rest.api.beans.AnyQuery) PagedResult(org.apache.syncope.common.lib.to.PagedResult) GroupTO(org.apache.syncope.common.lib.to.GroupTO) GenericType(javax.ws.rs.core.GenericType) Test(org.junit.jupiter.api.Test) AttrPatch(org.apache.syncope.common.lib.patch.AttrPatch) Response(javax.ws.rs.core.Response) PatchOperation(org.apache.syncope.common.lib.types.PatchOperation) Assertions.assertTrue(org.junit.jupiter.api.Assertions.assertTrue) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) UserTO(org.apache.syncope.common.lib.to.UserTO) DynRealmService(org.apache.syncope.common.rest.api.service.DynRealmService) DynRealmTO(org.apache.syncope.common.lib.to.DynRealmTO) UserPatch(org.apache.syncope.common.lib.patch.UserPatch) GroupPatch(org.apache.syncope.common.lib.patch.GroupPatch) UserService(org.apache.syncope.common.rest.api.service.UserService) ProvisioningResult(org.apache.syncope.common.lib.to.ProvisioningResult) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) RoleTO(org.apache.syncope.common.lib.to.RoleTO) GroupService(org.apache.syncope.common.rest.api.service.GroupService) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) AttrPatch(org.apache.syncope.common.lib.patch.AttrPatch) GroupTO(org.apache.syncope.common.lib.to.GroupTO) Response(javax.ws.rs.core.Response) UserTO(org.apache.syncope.common.lib.to.UserTO) StringPatchItem(org.apache.syncope.common.lib.patch.StringPatchItem) Test(org.junit.jupiter.api.Test)

Example 35 with SyncopeClient

use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.

the class UserITCase method async.

@Test
public void async() {
    SyncopeClient asyncClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    UserService asyncService = asyncClient.nullPriorityAsync(asyncClient.getService(UserService.class), true);
    UserTO user = getUniqueSampleTO("async@syncope.apache.org");
    user.getResources().add(RESOURCE_NAME_TESTDB);
    user.getResources().add(RESOURCE_NAME_TESTDB2);
    user.getResources().add(RESOURCE_NAME_LDAP);
    ProvisioningResult<UserTO> result = asyncService.create(user, true).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
    });
    assertNotNull(result);
    verifyAsyncResult(result.getPropagationStatuses());
    UserPatch userPatch = new UserPatch();
    userPatch.setKey(result.getEntity().getKey());
    userPatch.setPassword(new PasswordPatch.Builder().onSyncope(true).resources(RESOURCE_NAME_LDAP, RESOURCE_NAME_TESTDB, RESOURCE_NAME_TESTDB2).value("password321").build());
    result = asyncService.update(userPatch).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
    });
    assertNotNull(result);
    verifyAsyncResult(result.getPropagationStatuses());
    result = asyncService.delete(result.getEntity().getKey()).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
    });
    assertNotNull(result);
    verifyAsyncResult(result.getPropagationStatuses());
}
Also used : GenericType(javax.ws.rs.core.GenericType) PasswordPatch(org.apache.syncope.common.lib.patch.PasswordPatch) UserService(org.apache.syncope.common.rest.api.service.UserService) UserTO(org.apache.syncope.common.lib.to.UserTO) ProvisioningResult(org.apache.syncope.common.lib.to.ProvisioningResult) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) UserPatch(org.apache.syncope.common.lib.patch.UserPatch) Test(org.junit.jupiter.api.Test)

Aggregations

SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)40 Test (org.junit.jupiter.api.Test)31 Response (javax.ws.rs.core.Response)15 UserTO (org.apache.syncope.common.lib.to.UserTO)15 UserSelfService (org.apache.syncope.common.rest.api.service.UserSelfService)15 AccessControlException (java.security.AccessControlException)12 JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)11 Date (java.util.Date)10 HmacJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider)10 JwsHeaders (org.apache.cxf.rs.security.jose.jws.JwsHeaders)10 JwsJwtCompactProducer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)10 JwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)10 NoneJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider)10 JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims)10 Calendar (java.util.Calendar)9 IOException (java.io.IOException)8 SyncopeClientException (org.apache.syncope.common.lib.SyncopeClientException)8 AccessTokenService (org.apache.syncope.common.rest.api.service.AccessTokenService)8 JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)7 SyncopeClientFactoryBean (org.apache.syncope.client.lib.SyncopeClientFactoryBean)7