6eef3264
Commit
6eef3264
authored
Nov 28, 2020
by
Sonia Zorba
SKADC version support
parent
bffca64b
Changes
5
gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
package
it.inaf.ia2.gms.authn
;
import
it.inaf.ia2.aa.AuthConfig
;
import
it.inaf.ia2.
rap.client.RapClient
;
import
it.inaf.ia2.
aa.UserManager
;
import
java.io.IOException
;
import
java.net.URI
;
import
javax.servlet.Filter
;
...
...
@@ -15,11 +15,11 @@ public class ClientDbFilter implements Filter {
public
static
final
String
CLIENT_DB
=
"client_db"
;
private
final
RapClient
rapClient
;
private
final
UserManager
userManager
;
private
final
String
defaultJwksUri
;
public
ClientDbFilter
(
AuthConfig
authConfig
,
RapClient
rapClient
)
{
this
.
rapClient
=
rapClient
;
public
ClientDbFilter
(
AuthConfig
authConfig
,
UserManager
userManager
)
{
this
.
userManager
=
userManager
;
defaultJwksUri
=
URI
.
create
(
authConfig
.
getRapBaseUri
()).
resolve
(
authConfig
.
getJwksEndpoint
()).
toString
();
}
...
...
@@ -32,7 +32,7 @@ public class ClientDbFilter implements Filter {
if
(
clientDb
!=
null
)
{
request
.
getSession
().
setAttribute
(
CLIENT_DB
,
clientDb
);
String
newUrl
=
defaultJwksUri
.
replaceAll
(
"\\?client_name=(.*)"
,
"?client_name="
+
clientDb
);
rapClient
.
addJwksUri
(
URI
.
create
(
newUrl
));
userManager
.
addJwksUri
(
URI
.
create
(
newUrl
));
}
fc
.
doFilter
(
req
,
res
);
...
...
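Review bot: In the `if (clientDb != null)` branch, `clientDb` is spliced into the JWKS URI with `replaceAll` and handed to both `addJwksUri` calls without any validation; judging by the test stub for `request.getParameter("client_db")`, that value is request-controlled, so a caller picks which `client_name` key set is fetched for token verification. It should be checked against an allow-list of known client names before being stored in the session, e.g. `if (!allowedClientDbs.contains(clientDb)) throw new BadRequestException("unknown client_db");` (the project's `BadRequestException` would need importing here, and where the list comes from in `AuthConfig` is not visible in this hunk). Note also that `replaceAll` treats `$` and `\` in its replacement argument as group references, so the replacement should be `Matcher.quoteReplacement(clientDb)`, and `URI.create(newUrl)` throws an unchecked `IllegalArgumentException` on characters that are illegal in a query string, which would surface as a server error rather than a 400. `doFilter` starts and ends outside this hunk.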
gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java
0 → 100644
package
it.inaf.ia2.gms.authn
;
import
static
it
.
inaf
.
ia2
.
gms
.
authn
.
ClientDbFilter
.
CLIENT_DB
;
import
it.inaf.ia2.gms.exception.BadRequestException
;
import
it.inaf.ia2.rap.client.call.GetUserCall
;
import
it.inaf.ia2.rap.data.RapUser
;
import
java.net.URI
;
import
java.net.http.HttpRequest
;
import
java.util.List
;
import
java.util.stream.Collectors
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpSession
;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
public
class
ClientDbRapClient
extends
ServletRapClient
{
private
static
final
Logger
LOG
=
LoggerFactory
.
getLogger
(
ClientDbRapClient
.
class
);
public
ClientDbRapClient
(
String
baseUrl
)
{
super
(
baseUrl
);
}
@Override
protected
HttpRequest
.
Builder
newAuthRequest
(
HttpRequest
.
Builder
requestBuilder
,
HttpServletRequest
request
)
{
return
setClientDb
(
super
.
newClientSecretRequest
(
requestBuilder
),
request
);
}
@Override
public
HttpRequest
.
Builder
newRequest
(
String
endpoint
,
HttpServletRequest
context
)
{
return
setClientDb
(
super
.
newRequest
(
endpoint
),
context
);
}
@Override
public
HttpRequest
.
Builder
newRequest
(
URI
uri
,
HttpServletRequest
context
)
{
return
setClientDb
(
super
.
newRequest
(
uri
),
context
);
}
private
HttpRequest
.
Builder
setClientDb
(
HttpRequest
.
Builder
builder
,
HttpServletRequest
request
)
{
HttpSession
session
=
request
.
getSession
(
false
);
if
(
session
!=
null
)
{
String
clientDb
=
(
String
)
session
.
getAttribute
(
"client_db"
);
if
(
clientDb
!=
null
)
{
builder
.
setHeader
(
"client_db"
,
clientDb
);
LOG
.
debug
(
"client_db="
+
clientDb
);
}
}
return
builder
;
}
@Override
public
URI
getAuthorizationUri
(
HttpServletRequest
request
)
{
// for a better security we should check for allowed redirects
String
redirect
=
request
.
getParameter
(
"redirect"
);
URI
uri
;
if
(
redirect
!=
null
)
{
uri
=
URI
.
create
(
redirect
);
}
else
{
uri
=
super
.
getAuthorizationUri
(
request
);
}
String
clientDb
=
request
.
getParameter
(
CLIENT_DB
);
if
(
clientDb
==
null
)
{
HttpSession
session
=
request
.
getSession
(
false
);
if
(
session
!=
null
)
{
clientDb
=
(
String
)
session
.
getAttribute
(
CLIENT_DB
);
}
}
if
(
clientDb
==
null
)
{
throw
new
BadRequestException
(
"client_db not set"
);
}
redirect
=
uri
.
toString
();
redirect
+=
redirect
.
contains
(
"?"
)
?
"&"
:
"?"
;
redirect
+=
CLIENT_DB
+
"="
+
clientDb
;
return
URI
.
create
(
redirect
);
}
@Override
public
URI
getAccessTokenUri
(
HttpServletRequest
request
)
{
String
tokenUri
=
request
.
getParameter
(
"token_uri"
);
if
(
tokenUri
!=
null
)
{
return
URI
.
create
(
tokenUri
);
}
return
super
.
getAccessTokenUri
(
request
);
}
@Override
public
List
<
RapUser
>
getUsers
(
String
searchText
,
HttpServletRequest
request
)
{
List
<
RapUser
>
users
=
new
GetUserCall
(
this
).
getUsers
(
searchText
,
request
);
return
users
.
stream
()
.
filter
(
u
->
u
.
getDisplayName
().
contains
(
searchText
)
||
u
.
getPrimaryEmailAddress
().
contains
(
searchText
))
.
collect
(
Collectors
.
toList
());
}
}
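Review bot: `getAccessTokenUri` returns `URI.create(request.getParameter("token_uri"))` whenever that parameter is present, so the token endpoint is chosen by the caller; since `newAuthRequest` builds its request through `newClientSecretRequest` (which, going by its name, attaches the client credentials), a crafted `token_uri` would make the server post those credentials and the authorization code to an arbitrary host. The same applies to `getAuthorizationUri`, where `redirect` is used as-is and the inline comment already acknowledges the missing allow-list check. Both parameters should be rejected unless they resolve under the configured RAP base URI or match a configured allow-list, e.g. `if (!tokenUri.startsWith(baseUrl)) throw new BadRequestException("token_uri not allowed");` — `baseUrl` is passed to the constructor, though whether `ServletRapClient` exposes it is not visible here. Minor: the `getUsers` predicate calls `getDisplayName().contains(...)` and `getPrimaryEmailAddress().contains(...)` without null checks, and the `client_db` debug line should use the `{}` placeholder form rather than string concatenation.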
gms/src/main/resources/application.properties
...
...
@@ -4,14 +4,6 @@ server.servlet.context-path=/gms
spring.main.allow-bean-definition-overriding
=
true
server.error.whitelabel.enabled
=
false
security.oauth2.client.client-id
=
gms
security.oauth2.client.client-secret
=
gms-secret
security.oauth2.client.access-token-uri
=
http://localhost/franco/fake-rap/token.php
security.oauth2.client.user-authorization-uri
=
http://localhost/franco/fake-rap/index.php
security.oauth2.resource.token-info-uri
=
http://localhost/franco/fake-rap/check-token.php
security.oauth2.client.scope
=
openid,email,profile
security.oauth2.resource.jwk.key-set-uri
=
http://localhost/franco/fake-rap/jwks.php
logging.level.it.inaf
=
TRACE
logging.level.org.springframework.security
=
DEBUG
logging.level.org.springframework.jdbc
=
TRACE
...
...
@@ -21,8 +13,6 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
spring.datasource.username
=
gms
spring.datasource.password
=
gms
rap.ws-url
=
http://localhost/franco/fake-rap/get-users.php
rap.ws.basic-auth
=
true
support.contact.label
=
IA2 team
support.contact.email
=
ia2@inaf.it
...
...
gms/src/main/resources/auth.properties
client_id
=
gms
client_secret
=
gms-secret
rap_uri
=
http://localhost/rap-ia2
jwks_endpoint
=
/auth/oidc/jwks
access_token_uri
=
http://localhost/rap-ia2/auth/oauth2/token
user_authorization_uri
=
http://localhost/rap-ia2/auth/oauth2/authorize
check_token_uri
=
http://localhost/rap-ia2/auth/oauth2/token
jwks_uri
=
http://localhost/rap-ia2/auth/oidc/jwks
gms_uri
=
http://localhost:8082/gms/ws/jwt
client_id
=
client_secret
=
rap_uri
=
https://auth.inaf.it/auth/prod/
access_token_endpoint
=
accessToken/
user_authorization_endpoint
=
authorization/
check_token_endpoint
=
userInfo/
jwks_endpoint
=
jwks?client_name=ia2gms
rap_ws_user_endpoint
=
portal/SendUsers.php/user
rap_client_class
=
it.inaf.ia2.gms.authn.ClientDbRapClient
gms_uri
=
https://sso-devel.ia2.inaf.it/gms
groups_autoload
=
false
store_state_on_login_endpoint
=
true
scope
=
openid email profile read:rap
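Review bot: The new side of this file commits environment-specific endpoints (`https://auth.inaf.it/auth/prod/`, `https://sso-devel.ia2.inaf.it/gms`) together with empty `client_id=` and `client_secret=` keys, which invites someone to fill the secret in here and commit it; what appears to be the removed side shows exactly that pattern (`client_secret=gms-secret`), so if that value was ever used against a real RAP instance it should be rotated. Prefer leaving the credential keys out of the committed file and supplying them from an external properties file or environment at deploy time, with a header comment such as `# client_id/client_secret are injected by the deployment; never commit real values here`. The `jwks_endpoint=jwks?client_name=ia2gms` value is the one `ClientDbFilter` rewrites per request, so a comment noting that `client_name` is replaced with the session's `client_db` would save the next reader a search.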
gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
package
it.inaf.ia2.gms.authn
;
import
it.inaf.ia2.aa.AuthConfig
;
import
it.inaf.ia2.
rap.client.RapClient
;
import
it.inaf.ia2.
aa.UserManager
;
import
java.net.URI
;
import
javax.servlet.FilterChain
;
import
javax.servlet.http.HttpServletRequest
;
...
...
@@ -26,7 +26,7 @@ public class ClientDbFilterTest {
private
AuthConfig
authConfig
;
@Mock
private
RapClient
rapClient
;
private
UserManager
userManager
;
private
ClientDbFilter
filter
;
...
...
@@ -38,9 +38,9 @@ public class ClientDbFilterTest {
when
(
request
.
getSession
()).
thenReturn
(
mock
(
HttpSession
.
class
));
when
(
request
.
getParameter
(
eq
(
"client_db"
))).
thenReturn
(
"other_db"
);
filter
=
new
ClientDbFilter
(
authConfig
,
rapClient
);
filter
=
new
ClientDbFilter
(
authConfig
,
userManager
);
filter
.
doFilter
(
request
,
mock
(
HttpServletResponse
.
class
),
mock
(
FilterChain
.
class
));
verify
(
rapClient
).
addJwksUri
(
eq
(
URI
.
create
(
"http://ia2.inaf.it/jwks?client_name=other_db"
)));
verify
(
userManager
).
addJwksUri
(
eq
(
URI
.
create
(
"http://ia2.inaf.it/jwks?client_name=other_db"
)));
}
}