diff options
Diffstat (limited to 'sdnr/wt/oauth-provider')
12 files changed, 224 insertions, 14 deletions
diff --git a/sdnr/wt/oauth-provider/pom.xml b/sdnr/wt/oauth-provider/pom.xml index 801c1abc2..1391a2f92 100755 --- a/sdnr/wt/oauth-provider/pom.xml +++ b/sdnr/wt/oauth-provider/pom.xml @@ -28,7 +28,7 @@ <parent> <groupId>org.onap.ccsdk.parent</groupId> <artifactId>odlparent-lite</artifactId> - <version>2.2.2</version> + <version>2.2.3</version> <relativePath/> </parent> diff --git a/sdnr/wt/oauth-provider/provider-jar/pom.xml b/sdnr/wt/oauth-provider/provider-jar/pom.xml index e0aa4ef76..da4708b6c 100644 --- a/sdnr/wt/oauth-provider/provider-jar/pom.xml +++ b/sdnr/wt/oauth-provider/provider-jar/pom.xml @@ -28,7 +28,7 @@ <parent> <groupId>org.onap.ccsdk.parent</groupId> <artifactId>binding-parent</artifactId> - <version>2.2.2</version> + <version>2.2.3</version> <relativePath/> </parent> @@ -65,7 +65,7 @@ <artifactId>java-jwt</artifactId> </dependency> <dependency> - <groupId>com.highstreet-technologies.aaa</groupId> + <groupId>org.opendaylight.aaa</groupId> <artifactId>aaa-shiro</artifactId> <exclusions> <!-- <exclusion> --> diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java index 0a40e8ddc..6dbed1f85 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java @@ -34,7 +34,7 @@ import org.apache.shiro.subject.PrincipalCollection; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.aaa.shiro.realm.TokenAuthRealm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java index 1a695f2b0..b05d3948a 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java @@ -23,7 +23,7 @@ package org.onap.ccsdk.features.sdnr.wt.oauthprovider.data; import com.auth0.jwt.JWT; import com.auth0.jwt.interfaces.DecodedJWT; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; public class OAuthToken { private final String access_token; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java new file mode 100644 index 000000000..0dc58efff --- /dev/null +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java @@ -0,0 +1,75 @@ +/* + * ============LICENSE_START======================================================= + * ONAP : ccsdk features + * ================================================================================ + * Copyright (C) 2020 highstreet technologies GmbH Intellectual Property. + * All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + */ +package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters; + +import java.util.Arrays; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import org.apache.shiro.subject.Subject; +import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + +/** + * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the + * request to continue, and if they're not, requires the user to login via the HTTP Bearer protocol-specific challenge. + * Upon successful login, they're allowed to continue on to the requested resource/url. + * <p/> + * The {@link #onAccessDenied(ServletRequest, ServletResponse)} method will only be called if the subject making the + * request is not {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} + * + * @see <a href="https://tools.ietf.org/html/rfc2617">RFC 2617</a> + * @see <a href="https://tools.ietf.org/html/rfc6750#section-2.1">OAuth2 Authorization Request Header Field</a> + * @since 1.5 + */ + +public class AnyRoleHttpAuthenticationFilter extends RolesAuthorizationFilter { + + /** + * This class's private logger. + */ + private static final Logger LOG = LoggerFactory.getLogger(AnyRoleHttpAuthenticationFilter.class); + + @Override + public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { + final Subject subject = getSubject(request, response); + final String[] rolesArray = (String[]) mappedValue; + LOG.debug("isAccessAllowed {}", Arrays.asList(rolesArray)); + + if (rolesArray == null || rolesArray.length == 0) { + //no roles specified, so nothing to check - allow access. + LOG.debug("no role specified: access allowed"); + return true; + } + + for (String roleName : rolesArray) { + LOG.debug("checking role {}", roleName); + if (subject.hasRole(roleName)) { + LOG.debug("role matched to {}: access allowed", roleName); + return true; + } + } + LOG.debug("no role matched: access denied"); + return false; + } +}
\ No newline at end of file diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java new file mode 100644 index 000000000..6fb41d799 --- /dev/null +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java @@ -0,0 +1,134 @@ +/* + * ============LICENSE_START======================================================= + * ONAP : ccsdk features + * ================================================================================ + * Copyright (C) 2020 highstreet technologies GmbH Intellectual Property. + * All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + */ +package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters; + +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.apache.shiro.authc.AuthenticationToken; +import org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter; +import org.apache.shiro.web.util.WebUtils; +import org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class BearerAndBasicHttpAuthenticationFilter extends BearerHttpAuthenticationFilter{ + + // defined in lower-case for more efficient string comparison + private static final Logger LOG = LoggerFactory.getLogger(BearerAndBasicHttpAuthenticationFilter.class); + private ODLHttpAuthenticationHelperFilter basicAuthFilter; + + public BearerAndBasicHttpAuthenticationFilter() { + this.basicAuthFilter = new ODLHttpAuthenticationHelperFilter(); + } + + protected static final String OPTIONS_HEADER = "OPTIONS"; + + @Override + protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) { + final String authHeader = this.getAuthzHeader(request); + if (authHeader != null && authHeader.startsWith("Basic")) { + return this.createBasicAuthToken(request, response); + } + return super.createToken(request, response); + } + + @Override + protected String[] getPrincipalsAndCredentials(String scheme, String token) { + LOG.debug("getPrincipalsAndCredentials with scheme {} and token {}", scheme, token); + if (scheme.toLowerCase().equals("basic")) { + return this.basicAuthFilter.getPrincipalsAndCredentials(scheme, token); + } + return super.getPrincipalsAndCredentials(scheme, token); + } + + @Override + protected boolean isLoginAttempt(String authzHeader) { + LOG.debug("isLoginAttempt with header {}", authzHeader); + if (this.basicAuthFilter.isLoginAttempt(authzHeader)) { + return true; + } + return super.isLoginAttempt(authzHeader); + } + + @Override + protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { + final HttpServletRequest httpRequest = WebUtils.toHttp(request); + final String httpMethod = httpRequest.getMethod(); + if (OPTIONS_HEADER.equalsIgnoreCase(httpMethod)) { + return true; + } else { + if (this.basicAuthFilter.isAccessAllowed(httpRequest, response, mappedValue)) { + LOG.debug("isAccessAllowed succeeded on basicAuth"); + return true; + } + } + return super.isAccessAllowed(request, response, mappedValue); + } + + protected AuthenticationToken createBasicAuthToken(ServletRequest request, ServletResponse response) { + String authorizationHeader = getAuthzHeader(request); + if (authorizationHeader == null || authorizationHeader.length() == 0) { + // Create an empty authentication token since there is no + // Authorization header. + return createToken("", "", request, response); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("Attempting to execute login with headers [" + authorizationHeader + "]"); + } + + String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request); + if (prinCred == null || prinCred.length < 2) { + // Create an authentication token with an empty password, + // since one hasn't been provided in the request. + String username = prinCred == null || prinCred.length == 0 ? "" : prinCred[0]; + return createToken(username, "", request, response); + } + + String username = prinCred[0]; + String password = prinCred[1]; + + return createToken(username, password, request, response); + } + + + private static class ODLHttpAuthenticationHelperFilter extends ODLHttpAuthenticationFilter{ + + ODLHttpAuthenticationHelperFilter(){ + super(); + } + + @Override + protected boolean isLoginAttempt(String authzHeader) { + return super.isLoginAttempt(authzHeader); + } + @Override + protected String[] getPrincipalsAndCredentials(String scheme, String encoded) { + return super.getPrincipalsAndCredentials(scheme, encoded); + } + @Override + protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { + return super.isAccessAllowed(request, response, mappedValue); + } + } +} diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java index 85fe1ced2..686684f35 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java @@ -56,7 +56,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.MdSalAuthorizatio import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.OAuthProviderFactory; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.opendaylight.aaa.api.IdMService; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.mdsal.binding.api.DataBroker; import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration; import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration.Main; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java index 56a62f5c1..f16975f6f 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java @@ -47,7 +47,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappedBaseHttpResponse; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappingBaseHttpClient; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java index cf8109ef0..c2515e2b9 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java @@ -33,7 +33,7 @@ import javax.servlet.http.HttpServletRequest; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java index bf2a39b55..1fbe43a07 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java @@ -57,7 +57,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.test.helper.OdlJsonMapper; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.test.helper.OdlXmlMapper; import org.opendaylight.aaa.api.IdMService; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.mdsal.binding.api.DataBroker; import org.opendaylight.mdsal.binding.api.ReadTransaction; import org.opendaylight.mdsal.common.api.LogicalDatastoreType; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java index fe9dae31d..4b2011836 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java @@ -44,7 +44,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.aaa.shiro.tokenauthrealm.auth.AuthenticationManager; import org.opendaylight.aaa.shiro.tokenauthrealm.auth.TokenAuthenticators; import org.opendaylight.aaa.shiro.web.env.ThreadLocals; diff --git a/sdnr/wt/oauth-provider/provider-osgi/pom.xml b/sdnr/wt/oauth-provider/provider-osgi/pom.xml index c2265deea..7c184d81c 100644 --- a/sdnr/wt/oauth-provider/provider-osgi/pom.xml +++ b/sdnr/wt/oauth-provider/provider-osgi/pom.xml @@ -28,7 +28,7 @@ <parent> <groupId>org.onap.ccsdk.parent</groupId> <artifactId>binding-parent</artifactId> - <version>2.2.2</version> + <version>2.2.3</version> <relativePath/> </parent> @@ -61,7 +61,7 @@ <artifactId>aaa-shiro</artifactId> </exclusion> <exclusion> - <groupId>com.highstreet-technologies.aaa</groupId> + <groupId>org.opendaylight.aaa</groupId> <artifactId>aaa-shiro</artifactId> </exclusion> <exclusion> @@ -87,6 +87,7 @@ <Bundle-Version>${project.version}</Bundle-Version> <Export-Package> org.onap.ccsdk.features.sdnr.wt.oauthprovider;version=${project.version}, + org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;version=${project.version}, org.onap.ccsdk.features.sdnr.wt.oauthprovider.http;version=${project.version}, org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client;version=${project.version}, org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;version=${project.version}, @@ -116,7 +117,7 @@ org.opendaylight.aaa.api, org.opendaylight.aaa.api.shiro.principal, org.opendaylight.aaa.shiro.realm, - org.opendaylight.aaa.shiro.filters.backport, + org.opendaylight.aaa.shiro.filters, org.opendaylight.mdsal.binding.api, org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619, org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration, @@ -136,7 +137,7 @@ <Embed-Dependency>*;scope=compile|runtime;inline=false</Embed-Dependency> <Embed-Dependency>*;scope=compile|runtime;artifactId=!shiro-core;inline=false</Embed-Dependency> <Embed-Transitive>true</Embed-Transitive> - <Fragment-Host>org.apache.shiro.core</Fragment-Host> + <Fragment-Host>org.opendaylight.aaa.repackaged-shiro</Fragment-Host> </instructions> </configuration> </plugin> |