/**
 * Builds the outbound response that carries {@code token} in whatever header the target's
 * {@code outboundHandler} is configured to write.
 *
 * @param outboundTarget target whose handler decides header name and value format
 * @param token          token content to send with the outbound request
 * @return successful response whose request headers are exactly those the handler added
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget outboundTarget, String token) {
    // Start from an empty map: only the header(s) written by the handler are propagated,
    // existing request headers are left to the caller.
    Map<String, List<String>> tokenHeaders = new HashMap<>();
    outboundTarget.outboundHandler.header(tokenHeaders, token);
    return OutboundSecurityResponse.withHeaders(tokenHeaders);
}
/**
 * Propagates a Google-issued token credential to the outbound call.
 *
 * <p>The issuer suffix test is only a coarse "is this a token we handle" filter, it does not
 * validate the token itself; validation is presumably done by the inbound provider that
 * created the {@link TokenCredential} — confirm against the caller.
 *
 * @param providerRequest        inbound request context (unused here)
 * @param outboundEnv            environment of the outbound call, source of the existing headers
 * @param outboundEndpointConfig endpoint configuration (unused here)
 * @param token                  credential found on the current user
 * @return abstain when the issuer is not under {@code .google.com}, otherwise a successful
 * response containing the existing headers plus the token header
 */
private OutboundSecurityResponse outboundSecurity(ProviderRequest providerRequest,
                                                  SecurityEnvironment outboundEnv,
                                                  EndpointConfig outboundEndpointConfig,
                                                  TokenCredential token) {
    boolean googleIssued = token.getIssuer()
            .filter(issuer -> issuer.endsWith(".google.com"))
            .isPresent();
    if (!googleIssued) {
        // not our token
        return OutboundSecurityResponse.abstain();
    }

    // Case-insensitive keys so the token header replaces any existing header of the same
    // name regardless of its casing.
    Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    headers.putAll(outboundEnv.headers());
    tokenHandler.header(headers, token.token());
    return OutboundSecurityResponse.withHeaders(headers);
}
.completedFuture(new OutboundCall(OutboundSecurityResponse.abstain(), providerRequest, outboundEnv, if (call.response.status() == SecurityResponse.SecurityStatus.ABSTAIN) { if (call.response.status().isSuccess()) { OutboundSecurityResponse.Builder builder = OutboundSecurityResponse.builder(); prevResponse.requestHeaders().forEach(builder::requestHeader); prevResponse.responseHeaders().forEach(builder::responseHeader); thisResponse.requestHeaders().forEach(builder::requestHeader); thisResponse.responseHeaders().forEach(builder::responseHeader); SecurityEnvironment nextEnv = updateRequestHeaders(call.outboundEnv, thisResponse); builder.status(thisResponse.status()); return new OutboundCall(builder.build(), call.inboundContext, nextEnv, call.outboundConfig); });
switch (providerResponse.status()) { case FAILURE: case FAILURE_FINISH: HttpUtil.traceError(span, providerResponse.throwable().orElse(null), providerResponse.description() .orElse(providerResponse.status().toString())); break; case ABSTAIN: Map<String, List<String>> newHeaders = providerResponse.requestHeaders();
/**
 * Successful response that adds nothing to the outbound request, for providers that have
 * no identity to propagate.
 *
 * @return response with status {@link SecurityStatus#SUCCESS} and no headers
 */
public static OutboundSecurityResponse empty() {
    Builder noHeaders = builder();
    noHeaders.status(SecurityStatus.SUCCESS);
    return noHeaders.build();
}
return CompletableFuture.completedFuture(OutboundSecurityResponse.empty()); if (response.status().isSuccess()) { .addParam(AuditEvent.AuditParam.plain("request", this)) .addParam(AuditEvent.AuditParam .plain("message", response.description().orElse(null))) .addParam(AuditEvent.AuditParam .plain("exception", response.throwable().orElse(null))) .addParam(AuditEvent.AuditParam .plain("subject", context.user().orElse(SecurityContext.ANONYMOUS))));
/**
 * Looks up the current user's {@link TokenCredential} and hands it to
 * {@code outboundSecurity}; abstains when there is no user or the user carries no token.
 *
 * @param providerRequest        inbound request context, source of the security context
 * @param outboundEnv            environment of the outbound call
 * @param outboundEndpointConfig endpoint configuration of the outbound call
 * @return the provider's outbound decision, abstain when no credential is available
 */
@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest,
                                                SecurityEnvironment outboundEnv,
                                                EndpointConfig outboundEndpointConfig) {
    return providerRequest.securityContext().user()
            .flatMap(user -> user.publicCredential(TokenCredential.class))
            .map(credential -> outboundSecurity(providerRequest, outboundEnv, outboundEndpointConfig, credential))
            .orElseGet(OutboundSecurityResponse::abstain);
}
/**
 * Derives a new environment from {@code env} with every request header of {@code response}
 * applied on top, so the next provider in the chain sees the headers added so far.
 *
 * @param env      environment of the outbound call before this response
 * @param response response whose request headers should be applied
 * @return derived environment, {@code env} itself is not modified
 */
private SecurityEnvironment updateRequestHeaders(SecurityEnvironment env, OutboundSecurityResponse response) {
    SecurityEnvironment.Builder derived = env.derive();
    response.requestHeaders().forEach((name, values) -> derived.header(name, values));
    return derived.build();
}
switch (providerResponse.status()) { case FAILURE: case FAILURE_FINISH: HttpUtil.traceError(span, providerResponse.throwable().orElse(null), providerResponse.description() .orElse(providerResponse.status().toString())); break; case ABSTAIN: Map<String, List<String>> newHeaders = providerResponse.requestHeaders();
/**
 * Successful response that asks the caller to add (or, for an empty value list, remove) the
 * given request headers. Only the delta is needed: headers already on the request stay as
 * they are, the ones given here are applied on top.
 *
 * @param headers request headers used to propagate identity; a key with an empty list
 *                removes that header
 * @return response with status {@link SecurityStatus#SUCCESS} and these request headers
 */
public static OutboundSecurityResponse withHeaders(Map<String, List<String>> headers) {
    Builder response = builder();
    response.status(SecurityStatus.SUCCESS);
    response.requestHeaders(headers);
    return response.build();
}
/**
 * Builds the outbound response that carries {@code token} in whatever header the target's
 * {@code outboundHandler} is configured to write.
 *
 * @param outboundTarget target whose handler decides header name and value format
 * @param token          token content to send with the outbound request
 * @return successful response whose request headers are exactly those the handler added
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget outboundTarget, String token) {
    // Only the header(s) written by the handler are propagated; the map starts empty on purpose.
    Map<String, List<String>> tokenHeaders = new HashMap<>();
    outboundTarget.outboundHandler.header(tokenHeaders, token);
    return OutboundSecurityResponse.withHeaders(tokenHeaders);
}
/**
 * Propagates the id of the configured subject (user or service) as a header token.
 *
 * <p>Note that only the principal id is sent, with no signature or other proof attached;
 * whether the receiving side can trust such a header is a deployment question — confirm
 * against how {@code outboundTokenHandler} is configured.
 *
 * @param providerRequest        inbound request context, source of the security context
 * @param outboundEnv            environment of the outbound call (unused here)
 * @param outboundEndpointConfig endpoint configuration (unused here)
 * @return successful response with the id header, or abstain when the chosen subject is absent
 */
@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest,
                                                SecurityEnvironment outboundEnv,
                                                EndpointConfig outboundEndpointConfig) {
    // subjectType decides whether the end user or the calling service is propagated.
    Optional<Subject> toPropagate = (subjectType == SubjectType.USER)
            ? providerRequest.securityContext().user()
            : providerRequest.securityContext().service();

    return toPropagate
            .map(subject -> subject.principal())
            .map(principal -> principal.id())
            .map(principalId -> {
                Map<String, List<String>> idHeaders = new HashMap<>();
                outboundTokenHandler.header(idHeaders, principalId);
                return OutboundSecurityResponse.withHeaders(idHeaders);
            })
            .orElse(OutboundSecurityResponse.abstain());
}
.flatMap(username -> { if (!allowImpersonation) { return Optional.of(OutboundSecurityResponse.builder() .description( "Attempting to impersonate a user, when impersonation is not allowed" return Optional.of(OutboundSecurityResponse.builder() .description("Cannot do explicit user propagation if no kid is defined.") .status(SecurityResponse.SecurityStatus.FAILURE)
/**
 * Builds an HTTP Basic {@code Authorization} header for the given user.
 *
 * <p>The value is {@code base64(login ":" password)} in UTF-8. The scheme token is written
 * as lower-case {@code basic}, which receivers must accept since the scheme is
 * case-insensitive. The {@code char[]} password is necessarily copied into Strings here
 * because the header value is a String; those copies live until garbage collected.
 *
 * @param user user whose login and password are sent
 * @return successful response carrying only the {@code Authorization} header
 */
private static OutboundSecurityResponse toBasicAuthOutbound(UserStore.User user) {
    String userPass = user.login() + ":" + new String(user.password());
    byte[] rawCredentials = userPass.getBytes(StandardCharsets.UTF_8);
    String headerValue = "basic " + Base64.getEncoder().encodeToString(rawCredentials);
    return OutboundSecurityResponse.withHeaders(
            CollectionsHelper.mapOf("Authorization", CollectionsHelper.listOf(headerValue)));
}
/**
 * Propagates the id of the configured subject (user or service) as a header token.
 *
 * <p>Only the principal id is sent, without any signature or proof; whether the receiving
 * side may trust such a header depends on how {@code outboundTokenHandler} is configured —
 * confirm against the deployment.
 *
 * @param providerRequest        inbound request context, source of the security context
 * @param outboundEnv            environment of the outbound call (unused here)
 * @param outboundEndpointConfig endpoint configuration (unused here)
 * @return successful response with the id header, or abstain when the chosen subject is absent
 */
@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest,
                                                SecurityEnvironment outboundEnv,
                                                EndpointConfig outboundEndpointConfig) {
    // subjectType decides whether the end user or the calling service is propagated.
    Optional<Subject> toPropagate = (subjectType == SubjectType.USER)
            ? providerRequest.getContext().getUser()
            : providerRequest.getContext().getService();

    return toPropagate
            .map(subject -> subject.getPrincipal())
            .map(principal -> principal.getId())
            .map(principalId -> {
                Map<String, List<String>> idHeaders = new HashMap<>();
                outboundTokenHandler.setHeader(idHeaders, principalId);
                return OutboundSecurityResponse.withHeaders(idHeaders);
            })
            .orElse(OutboundSecurityResponse.abstain());
}
.flatMap(username -> { if (!allowImpersonation) { return Optional.of(OutboundSecurityResponse.builder() .description( "Attempting to impersonate a user, when impersonation is not allowed" return Optional.of(OutboundSecurityResponse.builder() .description("Cannot do explicit user propagation if no kid is defined.") .status(SecurityResponse.SecurityStatus.FAILURE)
/**
 * Mints and signs a fresh JWT for {@code username} and places it in the target's outbound
 * header.
 *
 * <p>This method performs no authorization of its own: {@code username} becomes the
 * {@code sub} of a token signed with this provider's key, so the caller's
 * {@code allowImpersonation} gate appears to be the only check — confirm against the caller.
 * Target-specific claims (audience, expiry, ...) are presumably applied by
 * {@code ot.update(builder)}; nothing here sets them explicitly.
 *
 * @param ot       outbound target, supplies the signing key id and the outbound header handler
 * @param username identity to impersonate; used as subject, preferred username and {@code name} claim
 * @return successful response carrying the signed token header
 * @throws JwtException when no signing key with {@code ot.jwkKid} is configured
 */
private OutboundSecurityResponse impersonate(JwtOutboundTarget ot, String username) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Jwt.Builder claims = Jwt.builder()
            .subject(username)
            .preferredUsername(username)
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    claims.addPayloadClaim("name", username);
    // Let the target add its own claims before the token is finalized.
    ot.update(claims);

    SignedJwt signed = SignedJwt.sign(claims.build(), signingKey);

    Map<String, List<String>> tokenHeaders = new HashMap<>();
    ot.outboundHandler.header(tokenHeaders, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(tokenHeaders);
}
/**
 * Propagates the id of the configured subject (user or service) as a header token.
 *
 * <p>Only the principal id is sent, without any signature or proof; whether the receiving
 * side may trust such a header depends on how {@code outboundTokenHandler} is configured —
 * confirm against the deployment.
 *
 * @param providerRequest        inbound request context, source of the security context
 * @param outboundEnv            environment of the outbound call (unused here)
 * @param outboundEndpointConfig endpoint configuration (unused here)
 * @return successful response with the id header, or abstain when the chosen subject is absent
 */
@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest,
                                                SecurityEnvironment outboundEnv,
                                                EndpointConfig outboundEndpointConfig) {
    // subjectType decides whether the end user or the calling service is propagated.
    Optional<Subject> toPropagate = (subjectType == SubjectType.USER)
            ? providerRequest.securityContext().user()
            : providerRequest.securityContext().service();

    return toPropagate
            .map(subject -> subject.principal())
            .map(principal -> principal.id())
            .map(principalId -> {
                Map<String, List<String>> idHeaders = new HashMap<>();
                outboundTokenHandler.header(idHeaders, principalId);
                return OutboundSecurityResponse.withHeaders(idHeaders);
            })
            .orElse(OutboundSecurityResponse.abstain());
}
.flatMap(username -> { if (!allowImpersonation) { return Optional.of(OutboundSecurityResponse.builder() .description( "Attempting to impersonate a user, when impersonation is not allowed" return Optional.of(OutboundSecurityResponse.builder() .description("Cannot do explicit user propagation if no kid is defined.") .status(SecurityResponse.SecurityStatus.FAILURE)