/* Alice has removed Dave's rights to EDIT, so EDIT needs removing from the active Dave -> Ed policy, and adding to an inactive policy. */ @Test public void shouldRemoveLostRights() throws Exception { // Given List<Resource> policies = excludePolicies(DAVE, ED); policies.add(makePolicy(DAVE, ED, true, VIEW, DELETE, EDIT)); PolicyGraph graph = makePolicyGraph(policies); graph.computeGraph(); given(resourceSetStore.read(anyString())) .willReturn(new ResourceSetDescription(RESOURCE_SET_ID, "RESOURCE_SERVER_ID", ALICE, null)); given(delegate.updatePolicies(isNull(ServerContext.class), anySet())) .willReturn( Promises.<List<Resource>, ResourceException>newResultPromise( Collections.<Resource>emptyList())); given(delegate.createPolicies(isNull(ServerContext.class), anySet())) .willReturn( Promises.<List<Resource>, ResourceException>newResultPromise( Collections.<Resource>emptyList())); // When Promise<List<List<Resource>>, ResourceException> promise = graph.update(null, delegate); // Then AssertJPromiseAssert.assertThat(promise).succeeded(); JsonValue created = policyCreated(); assertThat(UmaPolicyUtils.getPolicyScopes(created)).containsOnly(EDIT); assertThat(created.get("active").asBoolean()).isFalse(); assertThat(UmaPolicyUtils.getPolicyScopes(policyUpdated())).containsOnly(VIEW, DELETE); verifyNoMoreInteractions(delegate); }
/* Dave had previously re-shared VIEW scope to ED, but that was made invalid when he lost that scope himself. He has been re-granted that scope so the VIEW scope should move the active policy and the empty inactive policy should be deleted. */ @Test public void shouldUpdateInvalidRightsTree() throws Exception { // Given List<Resource> policies = excludePolicies(DAVE, ED); policies.add(makePolicy(DAVE, ED, true, DELETE)); policies.add(makePolicy(DAVE, ED, false, VIEW)); PolicyGraph graph = makePolicyGraph(policies); graph.computeGraph(); given(delegate.updatePolicies(isNull(ServerContext.class), anySet())) .willReturn( Promises.<List<Resource>, ResourceException>newResultPromise( Collections.<Resource>emptyList())); given(delegate.deletePolicies(isNull(ServerContext.class), anySet())) .willReturn( Promises.<List<Resource>, ResourceException>newResultPromise( Collections.<Resource>emptyList())); // When Promise<List<List<Resource>>, ResourceException> promise = graph.update(null, delegate); // Then AssertJPromiseAssert.assertThat(promise).succeeded(); assertThat(UmaPolicyUtils.getPolicyScopes(policyUpdated())).containsOnly(VIEW, DELETE); assertThat(policyDeleted()).isEqualTo("Dave-Ed-false"); verifyNoMoreInteractions(delegate); }
@Test public void crestActionBlowupIsAllowed() throws SSOException, DelegationException { // Given... final Set<String> actions = new HashSet<>(Arrays.asList("MODIFY")); final DelegationPermission permission = new DelegationPermission( "/abc", "rest", "1.0", "policies", "destroy", actions, EXTENSIONS, DUMB_FUNC); given(factory.newInstance("/abc", "rest", "1.0", "policies", "destroy", actions, EXTENSIONS)) .willReturn(permission); given(subjectContext.getCallerSSOToken()).willReturn(token); given(evaluator.isAllowed(eq(token), eq(permission), eq(ENVIRONMENT))).willReturn(true); JsonValue jsonValue = json(object(field("someKey", "someValue"))); Promise<ActionResponse, ResourceException> promise = Promises.newResultPromise(Responses.newActionResponse(jsonValue)); given(provider.actionCollection(isA(Context.class), isA(ActionRequest.class))) .willReturn(promise); // When... final FilterChain chain = AuthorizationFilters.createAuthorizationFilter(provider, module); final Router router = new Router(); router.addRoute(RoutingMode.STARTS_WITH, Router.uriTemplate("/policies"), chain); final RealmContext context = new RealmContext(subjectContext); context.setSubRealm("abc", "abc"); final ActionRequest request = Requests.newActionRequest("/policies", "blowup"); Promise<ActionResponse, ResourceException> result = router.handleAction(context, request); // Then... assertThat(result).succeeded().withContent().stringAt("someKey").isEqualTo("someValue"); }
// 1st time called: Mock a 401 (Unauthorized status) response @Override public Promise<Response, NeverThrowsException> answer(InvocationOnMock invocation) throws Throwable { Response response = new Response(); response.setStatus(Status.UNAUTHORIZED); response.getHeaders().putSingle(AUTHENTICATE_HEADER, "Basic realm=\"Login\""); return Promises.newResultPromise(response); }
@Override public Promise<Response, NeverThrowsException> handle(Context context, Request request) { try { latch2.countDown(); latch1.await(); return null; } catch (InterruptedException e) { return Promises.newResultPromise(new Response(Status.INTERNAL_SERVER_ERROR)); } }
@Override public Promise<Response, NeverThrowsException> answer(InvocationOnMock invocation) throws Throwable { Request request = (Request) invocation.getArguments()[1]; // Verify the authorization header: base64(user:pass) assertThat(request.getHeaders().getFirst(AUTHORIZATION_HEADER)) .isEqualTo("Basic " + credentials); // Produce a valid response, no special headers are required Response response = new Response(); response.setStatus(Status.OK); return Promises.newResultPromise(response); }
/** {@inheritDoc} */ @Override public Promise<AuthorizationResult, ResourceException> authorizeCreate( Context context, CreateRequest request) { try { if (!getUserId(context).equalsIgnoreCase(getUserIdFromUri(context))) { return Promises.newResultPromise( AuthorizationResult.accessDenied( "Only resource owner of resource set can create UMA " + "policies for it.")); } else { return authorize(context); } } catch (ResourceException e) { return e.asPromise(); } }
private Promise<AuthStatus, AuthenticationException> validateRequest( final MessageInfoContext messageInfo, final Subject clientSubject, final Subject serviceSubject) { if (position < authModules.size()) { final AsyncServerAuthModule authModule = authModules.get(position); return authModule .validateRequest(messageInfo, clientSubject, serviceSubject) .thenOnResult( new ResultHandler<AuthStatus>() { @Override public void handleResult(AuthStatus authStatus) { if (isSuccess(authStatus)) { /* * Save the index of the authenticating module so that it can * be retrieved when securing the response */ logger.trace( "Adding authenticating auth module to private context map, {}", authModule.getClass().getSimpleName()); state.setAuthenticatedAuthModuleIndex(position); } } }) .thenAsync( new AsyncFunction<AuthStatus, AuthStatus, AuthenticationException>() { @Override public Promise<AuthStatus, AuthenticationException> apply(AuthStatus authStatus) { if (isSendFailure(authStatus)) { return next().validateRequest(messageInfo, clientSubject, serviceSubject); } else { return Promises.newResultPromise(authStatus); } } }); } else { return Promises.newResultPromise(AuthStatus.SEND_FAILURE); } }
/* Dave had removed Ed's ability to DELETE, so Ed's resharing policy to Bob had been made inactive. Dave has re-granted Ed's DELETE, so the inactive policy can be made active again. */ @Test public void shouldSwitchAllScopesInvalid() throws Exception { // Given List<Resource> policies = excludePolicies(ED, BOB); policies.add(makePolicy(ED, BOB, false, DELETE)); PolicyGraph graph = makePolicyGraph(policies); graph.computeGraph(); given(delegate.updatePolicies(isNull(ServerContext.class), anySet())) .willReturn( Promises.<List<Resource>, ResourceException>newResultPromise( Collections.<Resource>emptyList())); // When Promise<List<List<Resource>>, ResourceException> promise = graph.update(null, delegate); // Then AssertJPromiseAssert.assertThat(promise).succeeded(); assertThat(policyUpdated().get("active").asBoolean()).isTrue(); verifyNoMoreInteractions(delegate); }
/** * Allows users to query OAuth2 applications that they have given their consent access to and that * have active access and/or refresh tokens. * * <p>Applications consist of an id, a name (the client id), a set of scopes and an expiry time. * The scopes field is the union of the scopes of the individual access/refresh tokens. The expiry * time is the time when the last access/refresh token will expire, or null if the server is * configured to allow tokens to be refreshed indefinitely. * * @param context The request context. * @param queryHandler The query handler. * @param request Unused but necessary for used of the {@link @Query} annotation. * @return A promise of a query response. */ @Query public Promise<QueryResponse, ResourceException> query( Context context, QueryResourceHandler queryHandler, QueryRequest request) { String userId = contextHelper.getUserId(context); String realm = contextHelper.getRealm(context); try { QueryFilter<CoreTokenField> queryFilter = getQueryFilter(userId, realm); JsonValue tokens = tokenStore.query(queryFilter); Map<String, Set<JsonValue>> applicationTokensMap = new HashMap<>(); for (JsonValue token : tokens) { String clientId = getAttributeValue(token, CLIENT_ID.getOAuthField()); Set<JsonValue> applicationTokens = applicationTokensMap.get(clientId); if (applicationTokens == null) { applicationTokens = new HashSet<>(); applicationTokensMap.put(clientId, applicationTokens); } applicationTokens.add(token); } for (Map.Entry<String, Set<JsonValue>> applicationTokens : applicationTokensMap.entrySet()) { ResourceResponse resource = getResourceResponse(context, applicationTokens.getKey(), applicationTokens.getValue()); queryHandler.handleResource(resource); } return Promises.newResultPromise(Responses.newQueryResponse()); } catch (CoreTokenException | ServerException | InvalidClientException | NotFoundException e) { debug.message("Failed to query OAuth2 clients for user {}", userId, e); return new InternalServerErrorException(e).asPromise(); } catch (InternalServerErrorException e) { debug.message("Failed to query OAuth2 clients for user {}", userId, e); return e.asPromise(); } }
@Test public void crestQueryIsAllowed() throws SSOException, DelegationException, ResourceException { // Given... final Set<String> actions = new HashSet<>(Arrays.asList("READ")); final DelegationPermission permission = new DelegationPermission( "/abc", "rest", "1.0", "policies", "read", actions, EXTENSIONS, DUMB_FUNC); given(factory.newInstance("/abc", "rest", "1.0", "policies", "read", actions, EXTENSIONS)) .willReturn(permission); given(subjectContext.getCallerSSOToken()).willReturn(token); given(evaluator.isAllowed(eq(token), eq(permission), eq(ENVIRONMENT))).willReturn(true); QueryResourceHandler handler = mock(QueryResourceHandler.class); Promise<QueryResponse, ResourceException> promise = Promises.newResultPromise(Responses.newQueryResponse("abc-def")); given( provider.queryCollection( isA(Context.class), isA(QueryRequest.class), isA(QueryResourceHandler.class))) .willReturn(promise); // When... final FilterChain chain = AuthorizationFilters.createAuthorizationFilter(provider, module); final Router router = new Router(); router.addRoute(RoutingMode.STARTS_WITH, Router.uriTemplate("/policies"), chain); final RealmContext context = new RealmContext(subjectContext); context.setSubRealm("abc", "abc"); final QueryRequest request = Requests.newQueryRequest("/policies"); Promise<QueryResponse, ResourceException> result = router.handleQuery(context, request, handler); // Then... QueryResponse response = result.getOrThrowUninterruptibly(); assertThat(response.getPagedResultsCookie()).isEqualTo("abc-def"); }
@Override public Promise<Response, NeverThrowsException> handle( final Context context, final Request request) { return Promises.newResultPromise(response); }