summaryrefslogtreecommitdiffstats
path: root/sdnr/wt/oauth-provider
diff options
context:
space:
mode:
authorMichael Dürre <michael.duerre@highstreet-technologies.com>2022-07-20 09:32:50 +0200
committerMichael Dürre <michael.duerre@highstreet-technologies.com>2022-07-21 12:38:52 +0200
commit25423c50e504676f15c7a57c03aad40bfc35c7e6 (patch)
tree811649e2ec44e0332e601c6563e00e914d355b9a /sdnr/wt/oauth-provider
parentcea47224b7b6afdd7b3d3ead8d08baf46eadc575 (diff)
migrate sdnr features to sulfur
fix sdnr code for sulfur Issue-ID: CCSDK-3692 Signed-off-by: Michael Dürre <michael.duerre@highstreet-technologies.com> Change-Id: I0a62ade424bb978222e7ce6450215fb327f957b7 Signed-off-by: Michael Dürre <michael.duerre@highstreet-technologies.com>
Diffstat (limited to 'sdnr/wt/oauth-provider')
-rwxr-xr-xsdnr/wt/oauth-provider/pom.xml3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/pom.xml3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java17
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OpenIdConfigResponseData.java54
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UnableToConfigureOAuthService.java12
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/CustomizedMDSALDynamicAuthorizationFilter.java155
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java11
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java35
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java3
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java5
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java5
-rw-r--r--sdnr/wt/oauth-provider/provider-osgi/pom.xml8
16 files changed, 294 insertions, 29 deletions
diff --git a/sdnr/wt/oauth-provider/pom.xml b/sdnr/wt/oauth-provider/pom.xml
index faba3bee9..b6d86cdba 100755
--- a/sdnr/wt/oauth-provider/pom.xml
+++ b/sdnr/wt/oauth-provider/pom.xml
@@ -22,13 +22,14 @@
~ ============LICENSE_END=======================================================
~
-->
+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.onap.ccsdk.parent</groupId>
<artifactId>odlparent-lite</artifactId>
- <version>2.4.0</version>
+ <version>2.4.1-SNAPSHOT</version>
<relativePath/>
</parent>
diff --git a/sdnr/wt/oauth-provider/provider-jar/pom.xml b/sdnr/wt/oauth-provider/provider-jar/pom.xml
index 974e4330e..0657cb541 100644
--- a/sdnr/wt/oauth-provider/provider-jar/pom.xml
+++ b/sdnr/wt/oauth-provider/provider-jar/pom.xml
@@ -22,13 +22,14 @@
~ ============LICENSE_END=======================================================
~
-->
+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.onap.ccsdk.parent</groupId>
<artifactId>binding-parent</artifactId>
- <version>2.4.0</version>
+ <version>2.4.1-SNAPSHOT</version>
<relativePath/>
</parent>
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java
index 11e13e226..4fb0d0069 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java
@@ -36,6 +36,8 @@ public class OAuthProviderConfig {
private String title;
private String scope;
private String realmName;
+ private String openIdConfigUrl;
+
private boolean trustAll;
private OAuthProvider type;
private Map<String, String> roleMapping;
@@ -45,7 +47,7 @@ public class OAuthProviderConfig {
}
public OAuthProviderConfig(String id, String url, String internalUrl, String clientId, String secret, String scope,
- String title, String realmName, boolean trustAll) {
+ String title, String realmName, String openIdConfigUrl, boolean trustAll) {
this.id = id;
this.url = url;
this.internalUrl = internalUrl;
@@ -55,6 +57,7 @@ public class OAuthProviderConfig {
this.title = title;
this.realmName = realmName;
this.trustAll = trustAll;
+ this.openIdConfigUrl = openIdConfigUrl;
this.roleMapping = new HashMap<>();
}
@@ -70,7 +73,7 @@ public class OAuthProviderConfig {
}
public OAuthProviderConfig() {
- this(null, null, null, null, null, null, null, null, false);
+ this(null, null, null, null, null, null, null, null, null, false);
}
public void setUrl(String url) {
@@ -153,6 +156,9 @@ public class OAuthProviderConfig {
this.internalUrl = internalUrl;
}
+ public void setOpenIdConfigUrl(String openIdConfigUrl){ this.openIdConfigUrl = openIdConfigUrl;}
+
+ public String getOpenIdConfigUrl() { return this.openIdConfigUrl;}
@JsonIgnore
public void handleEnvironmentVars() {
if (Config.isEnvExpression(this.id)) {
@@ -179,6 +185,9 @@ public class OAuthProviderConfig {
if (Config.isEnvExpression(this.realmName)) {
this.realmName = Config.getProperty(this.realmName, null);
}
+ if (Config.isEnvExpression(this.openIdConfigUrl)) {
+ this.openIdConfigUrl = Config.getProperty(this.openIdConfigUrl, null);
+ }
}
@JsonIgnore
@@ -186,4 +195,8 @@ public class OAuthProviderConfig {
return this.internalUrl != null && this.internalUrl.length() > 0 ? this.internalUrl : this.url;
}
+ @JsonIgnore
+ public boolean hasToBeConfigured(){
+ return this.openIdConfigUrl!=null && this.openIdConfigUrl.length()>0;
+ }
}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OpenIdConfigResponseData.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OpenIdConfigResponseData.java
new file mode 100644
index 000000000..2af46b6b4
--- /dev/null
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OpenIdConfigResponseData.java
@@ -0,0 +1,54 @@
+package org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;
+
+public class OpenIdConfigResponseData {
+
+ private String issuer;
+ private String authorization_endpoint;
+ private String token_endpoint;
+ private String userinfo_endpoint;
+ private String jwks_uri;
+
+ public OpenIdConfigResponseData(){
+
+ }
+
+ public String getIssuer() {
+ return issuer;
+ }
+
+ public void setIssuer(String issuer) {
+ this.issuer = issuer;
+ }
+
+ public String getAuthorization_endpoint() {
+ return authorization_endpoint;
+ }
+
+ public void setAuthorization_endpoint(String authorization_endpoint) {
+ this.authorization_endpoint = authorization_endpoint;
+ }
+
+ public String getToken_endpoint() {
+ return token_endpoint;
+ }
+
+ public void setToken_endpoint(String token_endpoint) {
+ this.token_endpoint = token_endpoint;
+ }
+
+ public String getUserinfo_endpoint() {
+ return userinfo_endpoint;
+ }
+
+ public void setUserinfo_endpoint(String userinfo_endpoint) {
+ this.userinfo_endpoint = userinfo_endpoint;
+ }
+
+ public String getJwks_uri() {
+ return jwks_uri;
+ }
+
+ public void setJwks_uri(String jwks_uri) {
+ this.jwks_uri = jwks_uri;
+ }
+}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UnableToConfigureOAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UnableToConfigureOAuthService.java
new file mode 100644
index 000000000..b791a4040
--- /dev/null
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UnableToConfigureOAuthService.java
@@ -0,0 +1,12 @@
+package org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;
+
+public class UnableToConfigureOAuthService extends Exception {
+
+ public UnableToConfigureOAuthService(String configUrl){
+ super(String.format("Unable to configure OAuth service from url %s", configUrl));
+ }
+ public UnableToConfigureOAuthService(String configUrl, int responseCode){
+ super(String.format("Unable to configure OAuth service from url %s. bad response with code %d", configUrl, responseCode));
+ }
+
+}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/CustomizedMDSALDynamicAuthorizationFilter.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/CustomizedMDSALDynamicAuthorizationFilter.java
new file mode 100644
index 000000000..80d9d1bb6
--- /dev/null
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/CustomizedMDSALDynamicAuthorizationFilter.java
@@ -0,0 +1,155 @@
+package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static java.util.Objects.requireNonNull;
+
+import com.google.common.collect.Iterables;
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+
+import java.util.*;
+import java.util.concurrent.ExecutionException;
+import javax.servlet.Filter;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.web.filter.authz.AuthorizationFilter;
+import org.opendaylight.aaa.shiro.web.env.ThreadLocals;
+import org.opendaylight.mdsal.binding.api.ClusteredDataTreeChangeListener;
+import org.opendaylight.mdsal.binding.api.DataBroker;
+import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
+import org.opendaylight.mdsal.binding.api.DataTreeModification;
+import org.opendaylight.mdsal.binding.api.ReadTransaction;
+import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.HttpAuthorization;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies.Policies;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.permission.Permissions;
+import org.opendaylight.yangtools.concepts.ListenerRegistration;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
+public class CustomizedMDSALDynamicAuthorizationFilter extends AuthorizationFilter
+ implements ClusteredDataTreeChangeListener<HttpAuthorization> {
+
+ private static final Logger LOG = LoggerFactory.getLogger(CustomizedMDSALDynamicAuthorizationFilter.class);
+
+ private static final DataTreeIdentifier<HttpAuthorization> AUTHZ_CONTAINER = DataTreeIdentifier.create(
+ LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(HttpAuthorization.class));
+
+ private final DataBroker dataBroker;
+
+ private ListenerRegistration<?> reg;
+ private volatile ListenableFuture<Optional<HttpAuthorization>> authContainer;
+
+ public CustomizedMDSALDynamicAuthorizationFilter() {
+ dataBroker = requireNonNull(ThreadLocals.DATABROKER_TL.get());
+ }
+
+ @Override
+ public Filter processPathConfig(final String path, final String config) {
+ try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
+ authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
+ }
+ this.reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
+ return super.processPathConfig(path, config);
+ }
+
+ @Override
+ public void destroy() {
+ if (reg != null) {
+ reg.close();
+ reg = null;
+ }
+ super.destroy();
+ }
+
+ @Override
+ public void onDataTreeChanged(final Collection<DataTreeModification<HttpAuthorization>> changes) {
+ final HttpAuthorization newVal = Iterables.getLast(changes).getRootNode().getDataAfter();
+ LOG.debug("Updating authorization information to {}", newVal);
+ authContainer = Futures.immediateFuture(Optional.ofNullable(newVal));
+ }
+
+ @Override
+ public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
+ final Object mappedValue) {
+ checkArgument(request instanceof HttpServletRequest, "Expected HttpServletRequest, received {}", request);
+
+ final Subject subject = getSubject(request, response);
+ final HttpServletRequest httpServletRequest = (HttpServletRequest)request;
+ final String requestURI = httpServletRequest.getRequestURI();
+ LOG.debug("isAccessAllowed for user={} to requestURI={}", subject, requestURI);
+
+ final Optional<HttpAuthorization> authorizationOptional;
+ try {
+ authorizationOptional = authContainer.get();
+ } catch (ExecutionException | InterruptedException e) {
+ // Something went completely wrong trying to read the authz container. Deny access.
+ LOG.warn("MDSAL attempt to read Http Authz Container failed, disallowing access", e);
+ return false;
+ }
+
+ if (!authorizationOptional.isPresent()) {
+ // The authorization container does not exist-- hence no authz rules are present
+ // Allow access.
+ LOG.debug("Authorization Container does not exist");
+ return true;
+ }
+
+ final HttpAuthorization httpAuthorization = authorizationOptional.get();
+ final var policies = httpAuthorization.getPolicies();
+ List<Policies> policiesList = policies != null ? policies.getPolicies() : null;
+ if (policiesList == null || policiesList.isEmpty()) {
+ // The authorization container exists, but no rules are present. Allow access.
+ LOG.debug("Exiting successfully early since no authorization rules exist");
+ return true;
+ }
+
+ // Sort the Policies list based on index
+ policiesList = new ArrayList<>(policiesList);
+ policiesList.sort(Comparator.comparing(Policies::getIndex));
+
+ for (Policies policy : policiesList) {
+ final String resource = policy.getResource();
+ final boolean pathsMatch = pathsMatch(resource, requestURI);
+ if (pathsMatch) {
+ LOG.debug("paths match for pattern={} and requestURI={}", resource, requestURI);
+ final String method = httpServletRequest.getMethod();
+ LOG.trace("method={}", method);
+ List<Permissions> permissions = policy.getPermissions();
+ if(permissions !=null) {
+ for (Permissions permission : permissions) {
+ final String role = permission.getRole();
+ LOG.trace("role={}", role);
+ Set<Permissions.Actions> actions = permission.getActions();
+ if (actions != null) {
+ for (Permissions.Actions action : actions) {
+ LOG.trace("action={}", action.getName());
+ if (action.getName().equalsIgnoreCase(method)) {
+ final boolean hasRole = subject.hasRole(role);
+ LOG.trace("hasRole({})={}", role, hasRole);
+ if (hasRole) {
+ return true;
+ }
+ }
+ }
+ }
+ else{
+ LOG.trace("no actions found");
+ }
+ }
+ }
+ else {
+ LOG.trace("no permissions found");
+ }
+ LOG.debug("couldn't authorize the user for access");
+ return false;
+ }
+ }
+ LOG.debug("successfully authorized the user for access");
+ return true;
+ }
+}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
index 15ff9c480..7c88e50b0 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
@@ -44,13 +44,7 @@ import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.jolokia.osgi.security.Authenticator;
import org.onap.ccsdk.features.sdnr.wt.common.http.BaseHTTPClient;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.InvalidConfigurationException;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.NoDefinitionFoundException;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthToken;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlPolicy;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.*;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService.PublicOAuthProviderConfig;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.MdSalAuthorizationStore;
@@ -102,7 +96,8 @@ public class AuthHttpServlet extends HttpServlet {
private static ShiroConfiguration shiroConfiguration;
private static MdSalAuthorizationStore mdsalAuthStore;
- public AuthHttpServlet() throws IllegalArgumentException, IOException, InvalidConfigurationException {
+ public AuthHttpServlet() throws IllegalArgumentException, IOException, InvalidConfigurationException,
+ UnableToConfigureOAuthService {
this.config = Config.getInstance();
this.tokenCreator = TokenCreator.getInstance(this.config);
this.mapper = new ObjectMapper();
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java
index 835ea8c09..192da6371 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java
@@ -41,9 +41,8 @@ import java.util.stream.Collectors;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthResponseData;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
+
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.*;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappedBaseHttpResponse;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappingBaseHttpClient;
@@ -60,6 +59,8 @@ public abstract class AuthService {
protected final OAuthProviderConfig config;
protected final TokenCreator tokenCreator;
private final String redirectUri;
+ private final String tokenEndpoint;
+ private final String authEndpoint;
protected abstract String getTokenVerifierUri();
@@ -78,13 +79,30 @@ public abstract class AuthService {
protected abstract boolean verifyState(String state);
- public AuthService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) {
+ public AuthService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
this.config = config;
this.tokenCreator = tokenCreator;
this.redirectUri = redirectUri;
this.mapper = new ObjectMapper();
this.mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
this.httpClient = new MappingBaseHttpClient(this.config.getUrlOrInternal(), this.config.trustAll());
+ if (this.config.hasToBeConfigured()){
+ Optional<MappedBaseHttpResponse<OpenIdConfigResponseData>> oresponse = this.httpClient.sendMappedRequest(
+ this.config.getOpenIdConfigUrl(), "GET", null, null, OpenIdConfigResponseData.class);
+ if(oresponse.isEmpty()){
+ throw new UnableToConfigureOAuthService(this.config.getOpenIdConfigUrl());
+ }
+ MappedBaseHttpResponse<OpenIdConfigResponseData> response = oresponse.get();
+ if(!response.isSuccess()){
+ throw new UnableToConfigureOAuthService(this.config.getOpenIdConfigUrl(), response.code);
+ }
+ this.tokenEndpoint = response.body.getToken_endpoint();
+ this.authEndpoint = response.body.getAuthorization_endpoint();
+ }
+ else{
+ this.tokenEndpoint = null;
+ this.authEndpoint = null;
+ }
}
public PublicOAuthProviderConfig getConfig() {
@@ -110,7 +128,11 @@ public abstract class AuthService {
public void sendLoginRedirectResponse(HttpServletResponse resp, String callbackUrl) {
resp.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
- resp.setHeader("Location", this.getLoginUrl(callbackUrl));
+ String url = this.authEndpoint!=null?String.format(
+ "%s?client_id=%s&response_type=code&scope=%s&redirect_uri=%s",
+ this.authEndpoint, urlEncode(this.config.getClientId()), this.config.getScope(),
+ urlEncode(callbackUrl)):this.getLoginUrl(callbackUrl);
+ resp.setHeader("Location", url);
}
private static void sendErrorResponse(HttpServletResponse resp, String message) throws IOException {
@@ -204,8 +226,9 @@ public abstract class AuthService {
body.append(String.format("%s=%s&", p.getKey(), urlEncode(p.getValue())));
}
+ String url = this.tokenEndpoint!=null?this.tokenEndpoint:this.getTokenVerifierUri();
Optional<MappedBaseHttpResponse<OAuthResponseData>> response =
- this.httpClient.sendMappedRequest(this.getTokenVerifierUri(), "POST",
+ this.httpClient.sendMappedRequest(url, "POST",
body.substring(0, body.length() - 1), headers, OAuthResponseData.class);
if (response.isPresent() && response.get().isSuccess()) {
return response.get().body;
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java
index 1111603c9..10f701ec2 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java
@@ -30,6 +30,7 @@ import java.util.Map;
import java.util.Optional;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappedBaseHttpResponse;
import org.slf4j.Logger;
@@ -43,7 +44,7 @@ public class GitlabProviderService extends AuthService {
private static final String API_USER_URI = "/api/v4/user";
private static final String API_GROUP_URI = "/api/v4/groups?min_access_level=10";
- public GitlabProviderService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) {
+ public GitlabProviderService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
super(config, redirectUri, tokenCreator);
this.additionalTokenVerifierParams = new HashMap<>();
this.additionalTokenVerifierParams.put("grant_type", "authorization_code");
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java
index dbc577664..05000199e 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java
@@ -29,6 +29,7 @@ import java.util.Map;
import java.util.stream.Collectors;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.KeycloakUserTokenPayload;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
public class KeycloakProviderService extends AuthService {
@@ -36,7 +37,7 @@ public class KeycloakProviderService extends AuthService {
public static final String ID = "keycloak";
private Map<String, String> additionalTokenVerifierParams;
- public KeycloakProviderService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) {
+ public KeycloakProviderService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
super(config, redirectUri, tokenCreator);
this.additionalTokenVerifierParams = new HashMap<>();
this.additionalTokenVerifierParams.put("grant_type", "authorization_code");
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java
index ca7f47138..4bf35e72d 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java
@@ -23,6 +23,7 @@ package org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers;
import java.util.List;
import java.util.Optional;
+import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlPolicy;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlPolicy.PolicyMethods;
@@ -85,7 +86,7 @@ public class MdSalAuthorizationStore {
return Optional.of(mapPolicy(path, rolePm.get().getActions()));
}
- private OdlPolicy mapPolicy(String path, List<Actions> actions) {
+ private OdlPolicy mapPolicy(String path, Set<Actions> actions) {
PolicyMethods methods = new PolicyMethods();
String action;
for (Actions a : actions) {
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java
index b6f045cdd..336de5600 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java
@@ -25,11 +25,12 @@ import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import java.util.Map;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
public class NextcloudProviderService extends AuthService {
- public NextcloudProviderService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) {
+ public NextcloudProviderService(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
super(config, redirectUri, tokenCreator);
// TODO Auto-generated constructor stub
}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java
index 193e7a7f7..152569930 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java
@@ -22,12 +22,13 @@
package org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
public class OAuthProviderFactory {
public static AuthService create(OAuthProvider key, OAuthProviderConfig config, String redirectUri,
- TokenCreator tokenCreator) {
+ TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
switch (key) {
case KEYCLOAK:
return new KeycloakProviderService(config, redirectUri, tokenCreator);
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java
index dda3ba1e0..6c2390ea0 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java
@@ -43,6 +43,7 @@ import org.junit.BeforeClass;
import org.junit.Test;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.GitlabProviderService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator;
@@ -62,7 +63,7 @@ public class TestGitlabAuthService {
TokenCreator tokenCreator = TokenCreator.getInstance(Config.TOKENALG_HS256, TOKENCREATOR_SECRET, "issuer", 30*60);
OAuthProviderConfig config = new OAuthProviderConfig("git", GITURL, null, "odlux.app", OAUTH_SECRET, "openid",
- "gitlab test", "", false);
+ "gitlab test", "", null, false);
oauthService = new GitlabProviderServiceToTest(config, REDIRECT_URI, tokenCreator);
try {
initGitlabTestWebserver(PORT, "/");
@@ -102,7 +103,7 @@ public class TestGitlabAuthService {
public static class GitlabProviderServiceToTest extends GitlabProviderService {
- public GitlabProviderServiceToTest(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) {
+ public GitlabProviderServiceToTest(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
super(config, redirectUri, tokenCreator);
}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java
index e4c5e4d82..e5ec2fb32 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java
@@ -43,6 +43,7 @@ import org.junit.BeforeClass;
import org.junit.Test;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.KeycloakProviderService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator;
@@ -62,7 +63,7 @@ public class TestKeycloakAuthService {
TokenCreator tokenCreator = TokenCreator.getInstance(Config.TOKENALG_HS256, TOKENCREATOR_SECRET, "issuer", 30*60);
OAuthProviderConfig config = new OAuthProviderConfig("kc", KEYCLOAKURL, null, "odlux.app", OAUTH_SECRET,
- "openid", "keycloak test", "onap", false);
+ "openid", "keycloak test", "onap",null, false);
oauthService = new KeycloakProviderServiceToTest(config, REDIRECT_URI, tokenCreator);
try {
initKeycloakTestWebserver(PORT, "/");
@@ -102,7 +103,7 @@ public class TestKeycloakAuthService {
public static class KeycloakProviderServiceToTest extends KeycloakProviderService {
public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri,
- TokenCreator tokenCreator) {
+ TokenCreator tokenCreator) throws UnableToConfigureOAuthService {
super(config, redirectUri, tokenCreator);
}
}
diff --git a/sdnr/wt/oauth-provider/provider-osgi/pom.xml b/sdnr/wt/oauth-provider/provider-osgi/pom.xml
index 87805b0a1..2db8e6ec7 100644
--- a/sdnr/wt/oauth-provider/provider-osgi/pom.xml
+++ b/sdnr/wt/oauth-provider/provider-osgi/pom.xml
@@ -22,13 +22,14 @@
~ ============LICENSE_END=======================================================
~
-->
+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.onap.ccsdk.parent</groupId>
<artifactId>binding-parent</artifactId>
- <version>2.4.0</version>
+ <version>2.4.1-SNAPSHOT</version>
<relativePath/>
</parent>
@@ -112,6 +113,7 @@
org.apache.shiro.authz,
org.apache.shiro.realm,
org.apache.shiro.subject,
+ org.apache.shiro.web.filter.authz,
org.jolokia.osgi.security,
org.onap.ccsdk.features.sdnr.wt.common.http,
org.opendaylight.aaa.api,
@@ -132,7 +134,9 @@
com.fasterxml.jackson.annotation,
com.fasterxml.jackson.core.type,
com.fasterxml.jackson.core,
- org.apache.commons.codec.binary
+ org.apache.commons.codec.binary,
+ com.google.common.collect,
+ com.google.common.util.concurrent
</Import-Package>
<Embed-Dependency>*;scope=compile|runtime;inline=false</Embed-Dependency>
<Embed-Dependency>*;scope=compile|runtime;artifactId=!shiro-core;inline=false</Embed-Dependency>