builder.setClaims(ctx.getClaims()); builder.setToken(ctx.getToken());
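/**
 * Builds the signed authorization context for the system user.
 *
 * <p>The claims are given the maximal epoch-second expiry ({@code Instant.MAX}), so the
 * resulting token is never rejected as expired; the context is built with
 * {@code propagateToClient=false}, so the token is not handed back to clients.
 *
 * @param tokenSigner signer used to produce the token for the claims
 * @param userLink document link of the user to act as (becomes the claims subject)
 * @return a non-propagating authorization context for {@code userLink}
 * @throws IllegalStateException if the claims cannot be signed; the host cannot operate
 *         without this context, so startup is aborted instead of continuing without it
 */
public AuthorizationContext createAuthorizationContext(Signer tokenSigner, String userLink) {
    Claims.Builder cb = new Claims.Builder();
    cb.setIssuer(AuthenticationConstants.DEFAULT_ISSUER);
    cb.setSubject(userLink);
    // Maximal expiry: this context has to stay valid for the whole host lifetime.
    cb.setExpirationTime(Instant.MAX.getEpochSecond());
    Claims claims = cb.getResult();

    String token;
    try {
        token = tokenSigner.sign(claims);
    } catch (GeneralSecurityException e) {
        // This function is run first when the host starts. The host cannot function
        // without the system user's context, so fail loudly and keep the cause attached
        // (IllegalStateException is still a RuntimeException for existing callers).
        throw new IllegalStateException(
                "Unable to sign system claims for subject " + userLink, e);
    }

    AuthorizationContext.Builder ab = AuthorizationContext.Builder.create();
    ab.setClaims(claims);
    ab.setToken(token);
    ab.setPropagateToClient(false);
    return ab.getResult();
}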
ab.setClaims(claims); ab.setToken(token); op.setBody(ab.getResult());
authCtxBuilder.setClaims(claimsBuilder.getResult()); authCtxBuilder.setToken("super-token"); authCtxBuilder.setClaims(claimsBuilder.getResult()); authCtxBuilder.setToken("regular-token"); authCtxBuilder.setClaims(claimsBuilder.getResult()); authCtxBuilder.setToken("regular-token"); authCtxBuilder.setClaims(claimsBuilder.getResult()); authCtxBuilder.setToken("guest-token");
ab.setClaims(claims); ab.setToken(token); ab.setPropagateToClient(propagateToClient);
/**
 * Checks {@code AuthUtil.isDevOpsAdmin} against three operation states: no authorization
 * context, a guest context, and a non-guest user context.
 */
@Test
public void testIsDevOpsAdmin() throws Throwable {
    // Guest context: the subject is the guest user service itself.
    Claims guestClaims = new Claims.Builder()
            .setSubject(GuestUserService.SELF_LINK)
            .getResult();
    AuthorizationContext guestContext = AuthorizationContext.Builder.create()
            .setClaims(guestClaims)
            .getResult();

    // TODO Currently all authorized non-guest users are devOpsAdmins. Needs to be changed after
    // roles are introduced. Also, a case for developer authorization context and cloud admin
    // need to be added.
    Claims devOpsClaims = new Claims.Builder()
            .setSubject(AuthUtil.buildUserServicePathFromPrincipalId(encode("some-user@local")))
            .getResult();
    AuthorizationContext devOpsContext = AuthorizationContext.Builder.create()
            .setClaims(devOpsClaims)
            .getResult();

    // Operation.setAuthorizationContext is not public; the test reaches it via reflection.
    Method setAuthCtx = Operation.class.getDeclaredMethod(
            "setAuthorizationContext", AuthorizationContext.class);
    setAuthCtx.setAccessible(true);

    Operation op = new Operation();

    setAuthCtx.invoke(op, (AuthorizationContext) null);
    assertEquals(null, op.getAuthorizationContext());
    assertFalse("<null> authorization context should not be treated as devOps admin context",
            AuthUtil.isDevOpsAdmin(op));

    setAuthCtx.invoke(op, guestContext);
    assertFalse("Guest authorization context should not be trated as devOps admin context",
            AuthUtil.isDevOpsAdmin(op));

    setAuthCtx.invoke(op, devOpsContext);
    assertTrue("Any non-guest authorized user should be a devOps admin",
            AuthUtil.isDevOpsAdmin(op));

    setAuthCtx.setAccessible(false);
}
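/**
 * Validates the claims carried by a request and resolves the authorization context for them.
 *
 * @param ctx context already cached for {@code token}, or {@code null} if none is cached
 * @param claims claims decoded from {@code token}, or {@code null} if none were found
 * @param token the request's token; used as the cache key for a newly built context
 * @param op the request being processed (only its URI path is logged)
 * @param context processing context that supplies the host
 * @return the cached or newly built and cached context, or {@code null} when the request
 *         carries no claims or the claims have an expiry in the past
 */
private AuthorizationContext checkAndGetAuthorizationContext(AuthorizationContext ctx,
        Claims claims, String token, Operation op, OperationProcessingContext context) {
    ServiceHost host = context.getHost();

    if (claims == null) {
        // Do not write the token itself to the log: it is a bearer credential and would
        // sit in plain text in the host log. The request path is enough to trace the call.
        host.log(Level.INFO, "Request to %s has no claims found in its token",
                op.getUri().getPath());
        return null;
    }

    // Only an explicit expiry (seconds since the epoch) that is already in the past
    // rejects the token; claims without an expiration time pass this check.
    Long expirationTime = claims.getExpirationTime();
    if (expirationTime != null
            && TimeUnit.SECONDS.toMicros(expirationTime) <= Utils.getSystemNowMicrosUtc()) {
        host.log(Level.FINE, "Token expired for %s", claims.getSubject());
        // Drop whatever the host has cached for this subject so the stale context is gone.
        host.clearAuthorizationContext(null, claims.getSubject());
        return null;
    }

    if (ctx != null) {
        return ctx;
    }

    AuthorizationContext.Builder b = AuthorizationContext.Builder.create();
    b.setClaims(claims);
    b.setToken(token);
    ctx = b.getResult();
    // Cache under the token so later requests with the same token skip the rebuild.
    host.cacheAuthorizationContext(null, token, ctx);
    return ctx;
}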
/**
 * Inject user identity into operation context.
 *
 * <p>The claims built here carry only the subject and the supplied properties; no issuer
 * and no expiration time are set.
 *
 * @param userServicePath user document link
 * @param properties custom properties in claims
 * @return the authorization context that was associated with the current thread
 * @throws GeneralSecurityException any generic security exception
 */
public AuthorizationContext assumeIdentity(String userServicePath, Map<String, String> properties)
        throws GeneralSecurityException {
    Claims.Builder claimsBuilder = new Claims.Builder();
    claimsBuilder.setSubject(userServicePath);
    claimsBuilder.setProperties(properties);
    Claims identityClaims = claimsBuilder.getResult();

    String signedToken = getTokenSigner().sign(identityClaims);

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(identityClaims);
    ctxBuilder.setToken(signedToken);
    AuthorizationContext identityContext = ctxBuilder.getResult();

    // Bind the new context to the calling thread before handing it back.
    setAuthorizationContext(identityContext);
    return identityContext;
}
/**
 * Inject user identity into operation context.
 *
 * <p>The claims built here carry only the subject and the supplied properties; no issuer
 * and no expiration time are set.
 *
 * @param userServicePath user document link
 * @param properties custom properties in claims
 * @return the authorization context that was associated with the current thread
 * @throws GeneralSecurityException any generic security exception
 */
public AuthorizationContext assumeIdentity(String userServicePath, Map<String, String> properties)
        throws GeneralSecurityException {
    Claims.Builder claimsBuilder = new Claims.Builder();
    claimsBuilder.setSubject(userServicePath);
    claimsBuilder.setProperties(properties);
    Claims identityClaims = claimsBuilder.getResult();

    String signedToken = getTokenSigner().sign(identityClaims);

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(identityClaims);
    ctxBuilder.setToken(signedToken);
    AuthorizationContext identityContext = ctxBuilder.getResult();

    // Bind the new context to the calling thread before handing it back.
    setAuthorizationContext(identityContext);
    return identityContext;
}
/**
 * Signs the claims supplied in the request body, attaches the resulting context to the
 * operation with client propagation enabled, and completes the request.
 *
 * <p>The claims are taken from the body as-is and signed without any validation, which is
 * why the author flags this as test-only behaviour.
 *
 * @param op request whose body is a {@code Claims} document
 */
private void handleSetAuthorizationContext(Operation op) {
    Claims requestedClaims = op.getBody(Claims.class);

    // This signs an unchecked set of claims.
    // Never do this in production code...
    String signedToken;
    try {
        signedToken = getTokenSigner().sign(requestedClaims);
    } catch (Exception e) {
        op.fail(e);
        return;
    }

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(requestedClaims);
    ctxBuilder.setToken(signedToken);
    ctxBuilder.setPropagateToClient(true);

    // Hand the context to the operation, then finish the request.
    setAuthorizationContext(op, ctxBuilder.getResult());
    op.complete();
}
/**
 * Signs the claims supplied in the request body, attaches the resulting context to the
 * operation with client propagation enabled, and completes the request.
 *
 * <p>The claims are taken from the body as-is and signed without any validation, which is
 * why the author flags this as test-only behaviour.
 *
 * @param op request whose body is a {@code Claims} document
 */
private void handleSetAuthorizationContext(Operation op) {
    Claims requestedClaims = op.getBody(Claims.class);

    // This signs an unchecked set of claims.
    // Never do this in production code...
    String signedToken;
    try {
        signedToken = getTokenSigner().sign(requestedClaims);
    } catch (Exception e) {
        op.fail(e);
        return;
    }

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(requestedClaims);
    ctxBuilder.setToken(signedToken);
    ctxBuilder.setPropagateToClient(true);

    // Hand the context to the operation, then finish the request.
    setAuthorizationContext(op, ctxBuilder.getResult());
    op.complete();
}
/**
 * Builds a signed authorization context for a test user.
 *
 * <p>The subject is {@code subject} appended to {@code ServiceUriPaths.CORE_AUTHZ_USERS},
 * the claims expire one hour from now, and a fixed {@code hello=world} property is attached.
 *
 * @param subject user id that forms the last segment of the claims subject
 * @param host verification host whose token signer signs the claims
 * @return the signed context
 * @throws GeneralSecurityException if signing fails
 */
AuthorizationContext createAuthorizationContext(String subject, VerificationHost host)
        throws GeneralSecurityException {
    Map<String, String> customProperties = new HashMap<>();
    customProperties.put("hello", "world");

    // One hour from now, converted to the seconds-since-epoch value the claims carry.
    long expiresAtMicros = Utils.fromNowMicrosUtc(TimeUnit.HOURS.toMicros(1));
    long expiresAtSeconds = TimeUnit.MICROSECONDS.toSeconds(expiresAtMicros);

    Claims.Builder claimsBuilder = new Claims.Builder();
    claimsBuilder.setIssuer(AuthenticationConstants.DEFAULT_ISSUER);
    claimsBuilder.setSubject(UriUtils.buildUriPath(ServiceUriPaths.CORE_AUTHZ_USERS, subject));
    claimsBuilder.setExpirationTime(expiresAtSeconds);
    claimsBuilder.setProperties(customProperties);
    Claims testClaims = claimsBuilder.getResult();

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(testClaims);
    ctxBuilder.setToken(host.getTokenSigner().sign(testClaims));
    return ctxBuilder.getResult();
}
/**
 * Builds a signed authorization context for a test user.
 *
 * <p>The subject is {@code subject} appended to {@code ServiceUriPaths.CORE_AUTHZ_USERS},
 * the claims expire one hour from now, and a fixed {@code hello=world} property is attached.
 *
 * @param subject user id that forms the last segment of the claims subject
 * @param host verification host whose token signer signs the claims
 * @return the signed context
 * @throws GeneralSecurityException if signing fails
 */
AuthorizationContext createAuthorizationContext(String subject, VerificationHost host)
        throws GeneralSecurityException {
    Map<String, String> customProperties = new HashMap<>();
    customProperties.put("hello", "world");

    // One hour from now, converted to the seconds-since-epoch value the claims carry.
    long expiresAtMicros = Utils.fromNowMicrosUtc(TimeUnit.HOURS.toMicros(1));
    long expiresAtSeconds = TimeUnit.MICROSECONDS.toSeconds(expiresAtMicros);

    Claims.Builder claimsBuilder = new Claims.Builder();
    claimsBuilder.setIssuer(AuthenticationConstants.DEFAULT_ISSUER);
    claimsBuilder.setSubject(UriUtils.buildUriPath(ServiceUriPaths.CORE_AUTHZ_USERS, subject));
    claimsBuilder.setExpirationTime(expiresAtSeconds);
    claimsBuilder.setProperties(customProperties);
    Claims testClaims = claimsBuilder.getResult();

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(testClaims);
    ctxBuilder.setToken(host.getTokenSigner().sign(testClaims));
    return ctxBuilder.getResult();
}
/**
 * Builds a test authorization context, optionally carrying a subject.
 *
 * @param withValidUser when {@code true} the claims get the subject {@code "some-user"};
 *        otherwise no subject is set
 * @return a context wrapping the built claims; no token is set on it
 */
private static AuthorizationContext createAuthorizationContext(boolean withValidUser) {
    Builder claims = new Builder();
    if (withValidUser) {
        claims.setSubject("some-user");
    }
    com.vmware.xenon.common.Operation.AuthorizationContext.Builder ctx =
            com.vmware.xenon.common.Operation.AuthorizationContext.Builder.create();
    ctx.setClaims(claims.getResult());
    return ctx.getResult();
}
/**
 * Builds a signed authorization context for {@code subject} with an explicit expiry.
 *
 * @param host host whose token signer signs the claims
 * @param subject claims subject
 * @param expiration value passed to {@code setExpirationTime}; presumably seconds since
 *        the epoch, as other callers of that setter pass — verify against {@code Claims}
 * @return the signed context
 * @throws Exception if signing fails
 */
private AuthorizationContext createAuthContext(ServiceHost host, String subject, long expiration)
        throws Exception {
    Claims.Builder claimsBuilder = new Claims.Builder();
    claimsBuilder.setIssuer(AuthenticationConstants.DEFAULT_ISSUER);
    claimsBuilder.setSubject(subject);
    claimsBuilder.setExpirationTime(expiration);
    Claims expiringClaims = claimsBuilder.getResult();

    String signedToken = host.getTokenSigner().sign(expiringClaims);

    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(expiringClaims);
    ctxBuilder.setToken(signedToken);
    return ctxBuilder.getResult();
}
/**
 * Wraps this instance's claims and the given token in a client-propagating authorization
 * context and attaches it to {@code op} through {@code service}.
 *
 * @param service service used to attach the context to the operation
 * @param op operation the context is attached to
 * @param token token stored alongside the claims; expected to correspond to them
 */
private void associateAuthorizationContext(Service service, Operation op, String token) {
    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(getClaims());
    ctxBuilder.setToken(token);
    ctxBuilder.setPropagateToClient(true);
    // Attach the new context to the operation through the owning service.
    service.setAuthorizationContext(op, ctxBuilder.getResult());
}
/**
 * Wraps this instance's claims and the given token in a client-propagating authorization
 * context and attaches it to {@code op} through {@code service}.
 *
 * @param service service used to attach the context to the operation
 * @param op operation the context is attached to
 * @param token token stored alongside the claims; expected to correspond to them
 */
private void associateAuthorizationContext(Service service, Operation op, String token) {
    AuthorizationContext.Builder ctxBuilder = AuthorizationContext.Builder.create();
    ctxBuilder.setClaims(getClaims());
    ctxBuilder.setToken(token);
    ctxBuilder.setPropagateToClient(true);
    // Attach the new context to the operation through the owning service.
    service.setAuthorizationContext(op, ctxBuilder.getResult());
}