use of org.eclipse.hono.auth.Authorities in project hono by eclipse.
the class AddressAuthzHelper method processAddressAuthzCapability.
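/**
 * Processes a peer's AMQP <em>open</em> frame by setting a connection property with a map of the authenticated
 * user's authorities as described in
 * <a href="https://github.com/EnMasseProject/enmasse/issues/702">EnMasse issue #702</a>.
 * <p>
 * Two properties are set on the connection:
 * <ul>
 * <li>{@code PROPERTY_AUTH_IDENTITY} - the principal's name, as a plain string for legacy clients or as a
 * single-entry map with key {@code "sub"} otherwise,</li>
 * <li>{@code PROPERTY_ADDRESS_AUTHZ} - the permissions derived from the principal's authorities by
 * {@code getPermissionsFromAuthorities}.</li>
 * </ul>
 * The {@code CAPABILITY_ADDRESS_AUTHZ} capability is offered to the peer.
 * <p>
 * At debug level the peer's remote properties are logged verbatim, i.e. whatever the peer has put into
 * its <em>open</em> frame ends up in the log output.
 *
 * @param connection The connection to get authorities for.
 */
public static void processAddressAuthzCapability(final ProtonConnection connection) {
    if (LOG.isDebugEnabled()) {
        final Map<Symbol, Object> remoteProperties = connection.getRemoteProperties();
        if (remoteProperties != null) {
            // %s renders a null value as "null" instead of failing on entry.getValue().toString()
            final String props = remoteProperties.entrySet().stream()
                    .map(entry -> String.format("[%s: %s]", entry.getKey(), entry.getValue()))
                    .collect(Collectors.joining(", "));
            LOG.debug("client connection [container: {}] includes properties: {}",
                    connection.getRemoteContainer(), props);
        }
    }
    final HonoUser clientPrincipal = Constants.getClientPrincipal(connection);
    final Map<String, String[]> permissions = getPermissionsFromAuthorities(clientPrincipal.getAuthorities());
    final Map<Symbol, Object> properties = new HashMap<>();
    final boolean isLegacy = isLegacyClient(connection);
    if (isLegacy) {
        // legacy clients expect the identity as a bare string rather than a map
        properties.put(PROPERTY_AUTH_IDENTITY, clientPrincipal.getName());
    } else {
        properties.put(PROPERTY_AUTH_IDENTITY, Collections.singletonMap("sub", clientPrincipal.getName()));
    }
    properties.put(PROPERTY_ADDRESS_AUTHZ, permissions);
    connection.setProperties(properties);
    connection.setOfferedCapabilities(new Symbol[] { CAPABILITY_ADDRESS_AUTHZ });
    LOG.debug("transferring {} permissions of client [container: {}, user: {}] in open frame [legacy format: {}]",
            permissions.size(), connection.getRemoteContainer(), clientPrincipal.getName(), isLegacy);
}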
use of org.eclipse.hono.auth.Authorities in project hono by eclipse.
the class FileBasedAuthenticationService method getAuthorities.
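/**
 * Resolves the authorities granted to a user via the roles the user is assigned to.
 * <p>
 * Each element of the user's {@code FIELD_AUTHORITIES} array is treated as a role name and looked up in
 * {@code roles}; the authorities of every known role are merged into the result. A role name that is not
 * defined is skipped, so a misconfigured role yields fewer permissions, never more.
 *
 * @param user The user entry as read from the configuration file.
 * @return The merged authorities; empty if the user has no {@code FIELD_AUTHORITIES} property or none of
 *         its role names is defined.
 * @throws ClassCastException if an element of the authorities array is not a string.
 */
private Authorities getAuthorities(final JsonObject user) {
    final AuthoritiesImpl result = new AuthoritiesImpl();
    // JsonArray is an Iterable<Object>; a missing property yields null rather than an empty array
    final Iterable<Object> roleNames = user.getJsonArray(FIELD_AUTHORITIES);
    if (roleNames == null) {
        return result;
    }
    for (final Object obj : roleNames) {
        final String roleName = (String) obj;
        final Authorities roleAuthorities = roles.get(roleName);
        if (roleAuthorities == null) {
            // leave a trace for operators: a typo in a role name silently drops permissions
            log.debug("user refers to undefined role [{}], ignoring", roleName);
        } else {
            result.addAll(roleAuthorities);
        }
    }
    return result;
}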
use of org.eclipse.hono.auth.Authorities in project hono by eclipse.
the class FileBasedAuthenticationService method verify.
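/**
 * Creates a {@link HonoUser} for an authenticated user and passes it to the result handler.
 * <p>
 * If the client has asked for an authorization id, that id is only granted when the authenticated user
 * is allowed to impersonate others (see {@code isAuthorizedToImpersonate}) and a user with the requested
 * id exists. In every other case the authentication id is granted. The granted user's authorities and the
 * token embedded in the returned {@link HonoUser} are always those of the effective (granted) user.
 *
 * @param authenticationId The id the client has authenticated as.
 * @param user The configuration entry of the authenticated user.
 * @param authorizationId The id the client wants to act as, or {@code null}/empty if none was given.
 * @param authenticationResultHandler The handler to pass the created user to.
 */
private void verify(final String authenticationId, final JsonObject user, final String authorizationId, final Handler<AsyncResult<HonoUser>> authenticationResultHandler) {
    JsonObject effectiveUser = user;
    String effectiveAuthorizationId = authenticationId;
    if (authorizationId != null && !authorizationId.isEmpty()) {
        if (!isAuthorizedToImpersonate(user)) {
            // refused impersonation attempts are worth a trace for operators; the authentication id is kept
            log.debug("client is not authorized to impersonate other users, granting authentication id instead");
        } else {
            final JsonObject impersonatedUser = users.get(authorizationId);
            if (impersonatedUser != null) {
                effectiveUser = impersonatedUser;
                effectiveAuthorizationId = authorizationId;
                log.debug("granting authorization id specified by client");
            } else {
                log.debug("no user found for authorization id provided by client, granting authentication id instead");
            }
        }
    }
    final Authorities grantedAuthorities = getAuthorities(effectiveUser);
    final String grantedAuthorizationId = effectiveAuthorizationId;
    // NOTE(review): computed independently of the expiration claim the token factory puts into the token,
    // so the two may differ by the time createToken takes — confirm that is acceptable
    final Instant tokenExpirationTime = Instant.now().plus(tokenFactory.getTokenLifetime());
    final String token = tokenFactory.createToken(grantedAuthorizationId, grantedAuthorities);
    final HonoUser honoUser = new HonoUser() {
        @Override
        public String getName() {
            return grantedAuthorizationId;
        }

        @Override
        public String getToken() {
            return token;
        }

        @Override
        public Authorities getAuthorities() {
            return grantedAuthorities;
        }

        @Override
        public boolean isExpired() {
            // expired once the current instant is at or after the expiration time
            return !Instant.now().isBefore(tokenExpirationTime);
        }

        @Override
        public Instant getExpirationTime() {
            return tokenExpirationTime;
        }
    };
    authenticationResultHandler.handle(Future.succeededFuture(honoUser));
}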
use of org.eclipse.hono.auth.Authorities in project hono by eclipse.
the class AuthTokenHelperImplTest method testCreateAndExpandToken.
/**
 * Verifies that a token created for a set of authorities can be parsed again and
 * carries an expiration time that lies within the expected window.
 */
@Test
public void testCreateAndExpandToken() {
    final Authorities authorities = new AuthoritiesImpl()
            .addResource("telemetry", "*", Activity.READ, Activity.WRITE)
            .addOperation("registration", "*", "assert");
    // NOTE(review): the 59..61 s window assumes the helper under test is configured with a
    // 60 second token lifetime — confirm against the test's setup
    final Instant lowerBound = Instant.now().plusSeconds(59);
    final Instant upperBound = lowerBound.plusSeconds(2);

    final Jws<Claims> parsedToken = helper.expand(helper.createToken("userA", authorities));

    final Claims claims = parsedToken.getBody();
    assertThat(claims).isNotNull();
    final Instant expiration = claims.getExpiration().toInstant();
    assertThat(expiration).isAtLeast(lowerBound);
    assertThat(expiration).isAtMost(upperBound);
}