forked from community/device-mgt-core
parent
48bc9b661d
commit
80c1a8c8ca
@ -1,75 +0,0 @@
|
|||||||
/*
|
|
||||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
||||||
*
|
|
||||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
|
||||||
* Version 2.0 (the "License"); you may not use this file except
|
|
||||||
* in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing,
|
|
||||||
* software distributed under the License is distributed on an
|
|
||||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
||||||
* KIND, either express or implied. See the License for the
|
|
||||||
* specific language governing permissions and limitations
|
|
||||||
* under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
|
||||||
|
|
||||||
import org.apache.catalina.connector.Request;
|
|
||||||
import org.apache.catalina.connector.Response;
|
|
||||||
import org.apache.commons.logging.Log;
|
|
||||||
import org.apache.commons.logging.LogFactory;
|
|
||||||
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
|
|
||||||
import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
|
|
||||||
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
|
|
||||||
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletResponse;
|
|
||||||
|
|
||||||
public class PermissionAuthorizationValve extends CarbonTomcatValve {
|
|
||||||
|
|
||||||
private static final Log log = LogFactory.getLog(PermissionAuthorizationValve.class);
|
|
||||||
private static final String AUTHORIZATION_ENABLED = "authorization-enabled";
|
|
||||||
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void invoke(Request request, Response response, CompositeValve compositeValve) {
|
|
||||||
|
|
||||||
String permissionStatus = request.getContext().findParameter(AUTHORIZATION_ENABLED);
|
|
||||||
if (permissionStatus == null || permissionStatus.isEmpty()) {
|
|
||||||
this.processResponse(request, response, compositeValve, WebappAuthenticator.Status.CONTINUE);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
// check whether the permission checking function is enabled in web.xml
|
|
||||||
boolean isEnabled = Boolean.valueOf(permissionStatus);
|
|
||||||
if (!isEnabled) {
|
|
||||||
this.processResponse(request, response, compositeValve, WebappAuthenticator.Status.CONTINUE);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (log.isDebugEnabled()) {
|
|
||||||
log.debug("Checking permission of request: " + request.getRequestURI());
|
|
||||||
}
|
|
||||||
PermissionAuthorizer permissionAuthorizer = new PermissionAuthorizer();
|
|
||||||
WebappAuthenticator.Status status = permissionAuthorizer.authorize(request, response);
|
|
||||||
this.processResponse(request, response, compositeValve, status);
|
|
||||||
}
|
|
||||||
|
|
||||||
private void processResponse(Request request, Response response, CompositeValve compositeValve,
|
|
||||||
WebappAuthenticator.Status status) {
|
|
||||||
switch (status) {
|
|
||||||
case SUCCESS:
|
|
||||||
case CONTINUE:
|
|
||||||
this.getNext().invoke(request, response, compositeValve);
|
|
||||||
break;
|
|
||||||
case FAILURE:
|
|
||||||
String msg = "Failed to authorize incoming request";
|
|
||||||
log.error(msg);
|
|
||||||
AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,48 +0,0 @@
|
|||||||
/*
|
|
||||||
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
||||||
*
|
|
||||||
* WSO2 Inc. licenses this file to you under the Apache License,
|
|
||||||
* Version 2.0 (the "License"); you may not use this file except
|
|
||||||
* in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing,
|
|
||||||
* software distributed under the License is distributed on an
|
|
||||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
||||||
* KIND, either express or implied. See the License for the
|
|
||||||
* specific language governing permissions and limitations
|
|
||||||
* under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.wso2.carbon.webapp.authenticator.framework.authorizer;
|
|
||||||
|
|
||||||
import org.apache.catalina.connector.Request;
|
|
||||||
import org.apache.catalina.connector.Response;
|
|
||||||
import org.apache.commons.logging.Log;
|
|
||||||
import org.apache.commons.logging.LogFactory;
|
|
||||||
import org.owasp.encoder.Encode;
|
|
||||||
import org.wso2.carbon.context.CarbonContext;
|
|
||||||
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
|
|
||||||
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
|
|
||||||
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
|
|
||||||
import org.wso2.carbon.user.api.UserStoreException;
|
|
||||||
import org.wso2.carbon.webapp.authenticator.framework.Constants;
|
|
||||||
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
|
|
||||||
|
|
||||||
import java.util.Properties;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* This class represents the methods that are used to authorize requests.
|
|
||||||
*/
|
|
||||||
public class PermissionAuthorizer {
|
|
||||||
|
|
||||||
private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
|
|
||||||
|
|
||||||
public WebappAuthenticator.Status authorize(Request request, Response response) {
|
|
||||||
|
|
||||||
return WebappAuthenticator.Status.SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -0,0 +1,149 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.webapp.authenticator.framework;
|
||||||
|
|
||||||
|
import org.apache.catalina.Context;
|
||||||
|
import org.apache.catalina.connector.Connector;
|
||||||
|
import org.apache.catalina.connector.Request;
|
||||||
|
import org.apache.catalina.connector.Response;
|
||||||
|
import org.apache.catalina.core.StandardContext;
|
||||||
|
import org.apache.tomcat.util.buf.MessageBytes;
|
||||||
|
import org.apache.tomcat.util.http.MimeHeaders;
|
||||||
|
import org.mockito.Mockito;
|
||||||
|
import org.testng.Assert;
|
||||||
|
import org.testng.annotations.BeforeClass;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
|
||||||
|
import org.wso2.carbon.webapp.authenticator.framework.util.TestRequest;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
import java.lang.reflect.Field;
|
||||||
|
import java.util.Base64;
|
||||||
|
|
||||||
|
import static org.wso2.carbon.security.SecurityConstants.ADMIN_USER;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This is a test class for {@link WebappAuthenticationValve}.
|
||||||
|
*/
|
||||||
|
public class WebappAuthenticationValveTest {
|
||||||
|
private WebappAuthenticationValve webappAuthenticationValve;
|
||||||
|
private CompositeValve compositeValve;
|
||||||
|
|
||||||
|
@BeforeClass()
|
||||||
|
public void setup() {
|
||||||
|
webappAuthenticationValve = new WebappAuthenticationValve();
|
||||||
|
compositeValve = Mockito.mock(CompositeValve.class);
|
||||||
|
Mockito.doNothing().when(compositeValve).continueInvocation(Mockito.any(), Mockito.any());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(description = "This method tests the invoke method of the WebAppAuthenticationValve with the context path "
|
||||||
|
+ "starting with carbon")
|
||||||
|
public void testInvokeWithContextSkippedScenario1() {
|
||||||
|
Request request = new Request();
|
||||||
|
Context context = new StandardContext();
|
||||||
|
context.setPath("carbon");
|
||||||
|
CompositeValve compositeValve = Mockito.mock(CompositeValve.class);
|
||||||
|
Mockito.doNothing().when(compositeValve).continueInvocation(Mockito.any(), Mockito.any());
|
||||||
|
request.setContext(context);
|
||||||
|
webappAuthenticationValve.invoke(request, null, compositeValve);
|
||||||
|
|
||||||
|
request = new TestRequest("", "test");
|
||||||
|
context = new StandardContext();
|
||||||
|
compositeValve = Mockito.mock(CompositeValve.class);
|
||||||
|
Mockito.doNothing().when(compositeValve).continueInvocation(Mockito.any(), Mockito.any());
|
||||||
|
request.setContext(context);
|
||||||
|
webappAuthenticationValve.invoke(request, null, compositeValve);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(description = "This method tests the behaviour of the invoke method of WebAuthenticationValve when "
|
||||||
|
+ "un-secured endpoints are invoked.")
|
||||||
|
public void testInvokeUnSecuredEndpoints() {
|
||||||
|
Request request = new TestRequest("", "test");
|
||||||
|
Context context = new StandardContext();
|
||||||
|
context.setPath("carbon1");
|
||||||
|
context.addParameter("doAuthentication", String.valueOf(true));
|
||||||
|
context.addParameter("nonSecuredEndPoints", "test, test1");
|
||||||
|
CompositeValve compositeValve = Mockito.mock(CompositeValve.class);
|
||||||
|
Mockito.doNothing().when(compositeValve).continueInvocation(Mockito.any(), Mockito.any());
|
||||||
|
request.setContext(context);
|
||||||
|
webappAuthenticationValve.invoke(request, null, compositeValve);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(description = "This method tests the behaviour of the invoke method of WebAuthenticationValve when "
|
||||||
|
+ "secured endpoints are invoked.")
|
||||||
|
public void testInvokeSecuredEndpoints() throws NoSuchFieldException, IllegalAccessException {
|
||||||
|
String encodedString = new String(Base64.getEncoder().encode((ADMIN_USER + ":" + ADMIN_USER).getBytes()));
|
||||||
|
Request request = createRequest("basic " + encodedString);
|
||||||
|
webappAuthenticationValve.invoke(request, null, compositeValve);
|
||||||
|
|
||||||
|
encodedString = new String(Base64.getEncoder().encode((ADMIN_USER + ":" + ADMIN_USER + "test").getBytes()));
|
||||||
|
request = createRequest("basic " + encodedString);
|
||||||
|
Response response = new Response();
|
||||||
|
org.apache.coyote.Response coyoteResponse = new org.apache.coyote.Response();
|
||||||
|
Connector connector = new Connector();
|
||||||
|
response.setConnector(connector);
|
||||||
|
response.setCoyoteResponse(coyoteResponse);
|
||||||
|
webappAuthenticationValve.invoke(request, response, compositeValve);
|
||||||
|
Assert.assertEquals(response.getStatus(), HttpServletResponse.SC_UNAUTHORIZED,
|
||||||
|
"Response of un-authorized request is not updated");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(description = "This method tests the behaviour of invoke method when the request does not satisfy any "
|
||||||
|
+ "authenticator requirements")
|
||||||
|
public void testInvokeWithoutProperAuthenticator() throws NoSuchFieldException, IllegalAccessException {
|
||||||
|
Request request = createRequest("basic");
|
||||||
|
Response response = new Response();
|
||||||
|
org.apache.coyote.Response coyoteResponse = new org.apache.coyote.Response();
|
||||||
|
Connector connector = new Connector();
|
||||||
|
response.setConnector(connector);
|
||||||
|
response.setCoyoteResponse(coyoteResponse);
|
||||||
|
webappAuthenticationValve.invoke(request, response, compositeValve);
|
||||||
|
Assert.assertEquals(response.getStatus(), HttpServletResponse.SC_UNAUTHORIZED,
|
||||||
|
"Response of un-authorized request is not updated");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* To create a request with the given authorization header
|
||||||
|
*
|
||||||
|
* @param authorizationHeader Authorization header
|
||||||
|
* @return the relevant request.
|
||||||
|
* @throws IllegalAccessException Illegal Access Exception.
|
||||||
|
* @throws NoSuchFieldException No Such Field Exception.
|
||||||
|
*/
|
||||||
|
private Request createRequest(String authorizationHeader) throws IllegalAccessException, NoSuchFieldException {
|
||||||
|
Request request = new TestRequest("", "");
|
||||||
|
Context context = new StandardContext();
|
||||||
|
context.addParameter("basicAuth", "true");
|
||||||
|
context.addParameter("managed-api-enabled", "true");
|
||||||
|
context.setPath("carbon1");
|
||||||
|
context.addParameter("doAuthentication", String.valueOf(true));
|
||||||
|
request.setContext(context);
|
||||||
|
|
||||||
|
MimeHeaders mimeHeaders = new MimeHeaders();
|
||||||
|
MessageBytes bytes = mimeHeaders.addValue(BaseWebAppAuthenticatorFrameworkTest.AUTHORIZATION_HEADER);
|
||||||
|
bytes.setString(authorizationHeader);
|
||||||
|
Field headersField = org.apache.coyote.Request.class.getDeclaredField("headers");
|
||||||
|
headersField.setAccessible(true);
|
||||||
|
org.apache.coyote.Request coyoteRequest = new org.apache.coyote.Request();
|
||||||
|
headersField.set(coyoteRequest, mimeHeaders);
|
||||||
|
request.setCoyoteRequest(coyoteRequest);
|
||||||
|
return request;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,44 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.webapp.authenticator.framework.util;
|
||||||
|
|
||||||
|
import org.apache.catalina.connector.Request;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This is a test class implementation of {@link Request}
|
||||||
|
*/
|
||||||
|
public class TestRequest extends Request {
|
||||||
|
private String contextPath;
|
||||||
|
private String requestURI;
|
||||||
|
|
||||||
|
public TestRequest(String contextPath, String requestURI) {
|
||||||
|
this.contextPath = contextPath;
|
||||||
|
this.requestURI = requestURI;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getContextPath() {
|
||||||
|
return contextPath;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getRequestURI() {
|
||||||
|
return requestURI;
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in new issue