
Example 6 with Authorities

use of org.eclipse.hono.auth.Authorities in project hono by eclipse.

Class AddressAuthzHelper, method processAddressAuthzCapability.

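/**
 * Processes a peer's AMQP <em>open</em> frame by setting a connection property with a map of the authenticated
 * user's authorities as described in
 * <a href="https://github.com/EnMasseProject/enmasse/issues/702">EnMasse issue #702</a>.
 * <p>
 * The identity and the permissions written into the frame are taken from the principal that has already been
 * authenticated for the connection, never from the properties sent by the peer; the peer's properties are only
 * logged at debug level.
 *
 * @param connection The connection to get authorities for.
 */
public static void processAddressAuthzCapability(final ProtonConnection connection) {
    if (LOG.isDebugEnabled()) {
        final Map<Symbol, Object> remoteProperties = connection.getRemoteProperties();
        if (remoteProperties != null) {
            // Pass the value itself to String.format: it renders a null value as "null", whereas the former
            // explicit toString() threw a NullPointerException and aborted the open frame for a peer that
            // sent a property without a value (debug logging only, so it must never fail the connection).
            final String props = remoteProperties.entrySet().stream()
                    .map(entry -> String.format("[%s: %s]", entry.getKey(), entry.getValue()))
                    .collect(Collectors.joining(", "));
            LOG.debug("client connection [container: {}] includes properties: {}", connection.getRemoteContainer(), props);
        }
    }
    final HonoUser clientPrincipal = Constants.getClientPrincipal(connection);
    final Map<String, String[]> permissions = getPermissionsFromAuthorities(clientPrincipal.getAuthorities());
    final Map<Symbol, Object> properties = new HashMap<>();
    final boolean isLegacy = isLegacyClient(connection);
    if (isLegacy) {
        // legacy clients expect the bare user name as the identity property
        properties.put(PROPERTY_AUTH_IDENTITY, clientPrincipal.getName());
    } else {
        // current format wraps the user name in a map under the "sub" key
        properties.put(PROPERTY_AUTH_IDENTITY, Collections.singletonMap("sub", clientPrincipal.getName()));
    }
    properties.put(PROPERTY_ADDRESS_AUTHZ, permissions);
    connection.setProperties(properties);
    connection.setOfferedCapabilities(new Symbol[] { CAPABILITY_ADDRESS_AUTHZ });
    LOG.debug("transferring {} permissions of client [container: {}, user: {}] in open frame [legacy format: {}]", permissions.size(), connection.getRemoteContainer(), clientPrincipal.getName(), isLegacy);
}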

Example 7 with Authorities

use of org.eclipse.hono.auth.Authorities in project hono by eclipse.

Class FileBasedAuthenticationService, method getAuthorities.

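/**
 * Collects the authorities granted to a user from the roles the user is assigned to.
 * <p>
 * The user's {@code FIELD_AUTHORITIES} array lists role names; the authorities of every role name that is
 * known in {@code roles} are merged into the result. Unknown role names and entries that are not strings are
 * skipped, and a user definition without an authorities array is granted no authorities at all, so a
 * malformed definition can only ever result in fewer permissions, never in an exception during login.
 *
 * @param user The user definition to read the role names from.
 * @return The merged authorities, empty if the user has no (known) roles.
 */
private Authorities getAuthorities(final JsonObject user) {
    final AuthoritiesImpl result = new AuthoritiesImpl();
    if (user.getJsonArray(FIELD_AUTHORITIES) == null) {
        // the former unconditional forEach threw a NullPointerException for such a user
        return result;
    }
    user.getJsonArray(FIELD_AUTHORITIES).forEach(obj -> {
        if (!(obj instanceof String)) {
            // the file format only defines string role names; the former unchecked cast threw a
            // ClassCastException here
            log.warn("ignoring non-string entry in authorities array of user definition");
            return;
        }
        final Authorities roleAuthorities = roles.get((String) obj);
        if (roleAuthorities != null) {
            result.addAll(roleAuthorities);
        }
    });
    return result;
}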

Example 8 with Authorities

use of org.eclipse.hono.auth.Authorities in project hono by eclipse.

Class FileBasedAuthenticationService, method verify.

/**
 * Completes a successful authentication by issuing a token and handing a {@code HonoUser} to the result handler.
 * <p>
 * The client may ask for a different <em>authorization id</em> than the one it authenticated with. The request
 * is honoured only if the authenticated user is allowed to impersonate others and the requested id is a known
 * user; in that case the impersonated user's authorities are granted. If no such user exists, the authenticated
 * id is granted instead. NOTE(review): when the authenticated user is <em>not</em> allowed to impersonate, a
 * requested authorization id is ignored without a log entry and the authentication id is granted silently.
 *
 * @param authenticationId The id the client authenticated with.
 * @param user The definition of the authenticated user.
 * @param authorizationId The id the client asked to act as, may be {@code null} or empty.
 * @param authenticationResultHandler The handler receiving the succeeded result carrying the issued user.
 */
private void verify(final String authenticationId, final JsonObject user, final String authorizationId, final Handler<AsyncResult<HonoUser>> authenticationResultHandler) {
    JsonObject grantedUser = user;
    String grantedId = authenticationId;
    final boolean impersonationRequested = authorizationId != null && !authorizationId.isEmpty();
    if (impersonationRequested && isAuthorizedToImpersonate(user)) {
        final JsonObject target = users.get(authorizationId);
        if (target == null) {
            log.debug("no user found for authorization id provided by client, granting authentication id instead");
        } else {
            grantedUser = target;
            grantedId = authorizationId;
            log.debug("granting authorization id specified by client");
        }
    }
    // captured by the anonymous user below, hence effectively final copies
    final Authorities grantedAuthorities = getAuthorities(grantedUser);
    final String grantedAuthorizationId = grantedId;
    // expiration is derived from the token factory's lifetime and fixed at issue time
    final Instant tokenExpirationTime = Instant.now().plus(tokenFactory.getTokenLifetime());
    final String token = tokenFactory.createToken(grantedAuthorizationId, grantedAuthorities);
    final HonoUser honoUser = new HonoUser() {

        @Override
        public String getName() {
            return grantedAuthorizationId;
        }

        @Override
        public String getToken() {
            return token;
        }

        @Override
        public Authorities getAuthorities() {
            return grantedAuthorities;
        }

        @Override
        public boolean isExpired() {
            // expired exactly at (and after) the expiration instant
            return !Instant.now().isBefore(tokenExpirationTime);
        }

        @Override
        public Instant getExpirationTime() {
            return tokenExpirationTime;
        }
    };
    authenticationResultHandler.handle(Future.succeededFuture(honoUser));
}

Example 9 with Authorities

use of org.eclipse.hono.auth.Authorities in project hono by eclipse.

Class AuthTokenHelperImplTest, method testCreateAndExpandToken.

/**
 * Verifies that the helper can create a token for a given set of
 * authorities, can then parse the token again, and that the parsed
 * token's expiration lies roughly one minute in the future.
 * NOTE(review): the 59..61 second window assumes the helper under test is
 * configured with a token lifetime of 60 seconds — confirm against the setup.
 */
@Test
public void testCreateAndExpandToken() {
    final Authorities authorities = new AuthoritiesImpl()
            .addResource("telemetry", "*", Activity.READ, Activity.WRITE)
            .addOperation("registration", "*", "assert");
    // the accepted expiry window is fixed before the token is created
    final Instant notBefore = Instant.now().plusSeconds(59);
    final Instant notAfter = notBefore.plusSeconds(2);

    final String token = helper.createToken("userA", authorities);
    final Claims claims = helper.expand(token).getBody();

    assertThat(claims).isNotNull();
    final Instant expiration = claims.getExpiration().toInstant();
    assertThat(expiration).isAtLeast(notBefore);
    assertThat(expiration).isAtMost(notAfter);
}
