use of org.dcache.auth.OpenIdGroupPrincipal in project dcache by dCache.
the class WlcgProfile method wlcgGroups.
/**
 * Extracts the {@code wlcg.groups} claim as group principals.
 * <p>
 * A missing claim, or a claim that is not a JSON array, yields an empty list; array
 * elements that are not JSON strings are skipped (logged at debug level).  Each remaining
 * element becomes one {@link OpenIdGroupPrincipal} carrying the element's text.
 *
 * @param claims the token's claims, keyed by claim name
 * @return the group principals, possibly empty; never {@code null}
 */
private List<Principal> wlcgGroups(Map<String, JsonNode> claims) {
    if (!claims.containsKey("wlcg.groups")) {
        return Collections.emptyList();
    }

    JsonNode claim = claims.get("wlcg.groups");
    if (!claim.isArray()) {
        LOGGER.debug("Ignoring malformed \"wlcg.groups\": not an array");
        return Collections.emptyList();
    }

    List<Principal> result = new ArrayList<>();
    for (JsonNode element : claim) {
        if (element.isTextual()) {
            result.add(new OpenIdGroupPrincipal(element.asText()));
        } else {
            LOGGER.debug("Ignoring malformed \"wlcg.groups\" value: {}", element);
        }
    }
    return result;
}
use of org.dcache.auth.OpenIdGroupPrincipal in project dcache by dCache.
the class OidcProfile method addWlcgGroups.
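/**
 * Parse group-membership information, as described in "WLCG Common JWT Profiles" v1.0. For
 * details, see: https://zenodo.org/record/3460258#.YVGMLyXRaV4
 * <p>
 * Here is an example:
 * <pre>
 * "wlcg.groups": [
 * "/dteam/VO-Admin",
 * "/dteam",
 * "/dteam/itcms"
 * ],
 * </pre>
 * <p>
 * A missing claim, or one that is not a JSON array, contributes nothing; array elements
 * that are not JSON strings are skipped.  Malformed input is logged at debug level rather
 * than rejected, so the caller's principal set is only ever extended, never invalidated.
 * <p>
 * REVISIT: should this be supported in the 'oidc' profile? The semantics of this claim are
 * defined in the WLCG AuthZ JWT profile document, which is supported by a different profile.
 *
 * @param claims The claims describing the user, keyed by claim name.
 * @param principals The set of principals into which any group information is to be added.
 */
private void addWlcgGroups(Map<String, JsonNode> claims, Set<Principal> principals) {
    if (!claims.containsKey("wlcg.groups")) {
        return;
    }

    JsonNode groups = claims.get("wlcg.groups");
    if (!groups.isArray()) {
        LOGGER.debug("Ignoring malformed \"wlcg.groups\": not an array");
        return;
    }

    for (JsonNode group : groups) {
        if (!group.isTextual()) {
            LOGGER.debug("Ignoring malformed \"wlcg.groups\" value: {}", group);
            continue;
        }
        // Each string element becomes exactly one group principal.
        principals.add(new OpenIdGroupPrincipal(group.asText()));
    }
}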
use of org.dcache.auth.OpenIdGroupPrincipal in project dcache by dCache.
the class SciTokenPlugin method authenticate.
/**
 * Authenticates a request carrying exactly one JWT bearer token.
 * <p>
 * The token must pass {@code checkValid}, resolve to a known issuer and carry an
 * acceptable {@code wlcg.ver} claim.  Principals are derived from the {@code sub},
 * {@code jti} and {@code wlcg.groups} claims plus the issuer's OP identity; at least one
 * of {@code sub} or {@code jti} must be present.  When the {@code scope} claim parses to
 * one or more authorisation statements, the issuer's user identity, an
 * {@link ExemptFromNamespaceChecks} marker and a restriction built from those statements
 * are added as well.  Without any scopes the token is accepted only if it carries a
 * {@code wlcg.ver} claim, and no restriction is recorded.
 *
 * @param publicCredentials not consulted by this plugin
 * @param privateCredentials searched for {@link BearerTokenCredential} entries
 * @param identifiedPrincipals receives the principals established from the token
 * @param restrictions receives the restriction derived from the scope claim, if any
 * @throws AuthenticationException if no compatible token is present, more than one is
 *         present, validation fails, required claims are missing, or token parsing
 *         raises an {@link IOException}
 */
@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials,
        Set<Principal> identifiedPrincipals, Set<Restriction> restrictions)
        throws AuthenticationException {
    List<String> candidateTokens = privateCredentials.stream()
            .filter(BearerTokenCredential.class::isInstance)
            .map(BearerTokenCredential.class::cast)
            .map(BearerTokenCredential::getToken)
            .filter(JsonWebToken::isCompatibleFormat)
            .collect(Collectors.toList());
    checkAuthentication(!candidateTokens.isEmpty(), "no JWT bearer token");
    checkAuthentication(candidateTokens.size() == 1, "multiple JWT bearer tokens");

    try {
        JsonWebToken jwt = checkValid(new JsonWebToken(candidateTokens.get(0)));
        Issuer issuer = issuerOf(jwt);
        validateWlcgVersionClaim(jwt);

        Collection<Principal> established = new ArrayList<>();

        // REVISIT consider introducing an SPI to allow plugable support for handling claims.
        Optional<String> sub = jwt.getPayloadString("sub");
        if (sub.isPresent()) {
            established.add(new JwtSubPrincipal(issuer.getId(), sub.get()));
            established.add(new OidcSubjectPrincipal(sub.get(), issuer.getId()));
        }

        Optional<String> jti = jwt.getPayloadString("jti");
        if (jti.isPresent()) {
            established.add(new JwtJtiPrincipal(issuer.getId(), jti.get()));
        }

        jwt.getPayloadStringOrArray("wlcg.groups").stream()
                .forEach(groupName -> established.add(new OpenIdGroupPrincipal(groupName)));

        checkAuthentication(sub.isPresent() || jti.isPresent(), "missing sub and jti claims");
        established.add(issuer.getOpIdentity());

        List<AuthorisationSupplier> scopes = jwt.getPayloadString("scope")
                .map(SciTokenPlugin::parseScope)
                .orElse(Collections.emptyList());

        if (!scopes.isEmpty()) {
            established.addAll(issuer.getUserIdentity());
            Restriction restriction = buildRestriction(issuer.getPrefix(), scopes);
            LOGGER.debug("Authenticated user with restriction: {}", restriction);
            restrictions.add(restriction);
            established.add(new ExemptFromNamespaceChecks());
        } else {
            // No scopes defined -> not explicit authorisation; however, perhaps the client
            // is allowed to do something based on asserted group-membership or from their
            // membership of the VO (implied by the OP issuing any token at all).
            // This only makes sense if the token follows the WLCG AuthZ profile. A SciToken
            // is not valid (or useful) without at least one authorisation statements in the
            // 'scope' claim
            checkAuthentication(jwt.getPayloadString("wlcg.ver").isPresent(),
                    "not a SciToken or WLCG profile.");
            // allow login to proceed with whatever information we've gained so far.
        }

        identifiedPrincipals.addAll(established);
    } catch (IOException e) {
        // NOTE(review): only the message is propagated; the IOException is not chained as
        // the cause, so the original stack trace is lost to callers.
        throw new AuthenticationException(e.getMessage());
    }
}
use of org.dcache.auth.OpenIdGroupPrincipal in project dcache by dCache.
the class GplazmaMultiMapFileTest method shouldPassWhenOpenIdGroupMapped.
/**
 * A configured {@code oidcgrp:Users group:desy} line maps an {@link OpenIdGroupPrincipal}
 * named {@code Users} onto the {@code desy} group without producing any warnings.
 */
@Test
public void shouldPassWhenOpenIdGroupMapped() throws Exception {
    givenConfig("oidcgrp:Users group:desy");

    OpenIdGroupPrincipal input = new OpenIdGroupPrincipal("Users");
    whenMapping(input);

    GroupNamePrincipal expected = new GroupNamePrincipal("desy");
    assertThat(warnings, is(empty()));
    assertThat(mappedPrincipals, hasItem(expected));
}