Repository: airavata Updated Branches: refs/heads/develop 1b6ee7e1d -> 5f59387a8
retreiving credentials from GatewayProfile in security manager Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/5f59387a Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/5f59387a Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/5f59387a Branch: refs/heads/develop Commit: 5f59387a87b407a7c69912507cebd8f3c3cdca2d Parents: 1b6ee7e Author: scnakandala <[email protected]> Authored: Mon May 2 13:05:33 2016 -0400 Committer: scnakandala <[email protected]> Committed: Mon May 2 13:05:33 2016 -0400 ---------------------------------------------------------------------- .../DefaultAiravataSecurityManager.java | 121 +++++++++++++----- .../server/security/authzcache/AuthzCache.java | 8 +- .../security/authzcache/AuthzCacheIndex.java | 20 ++- .../lib/airavata/security_model_types.cpp | 24 +++- .../lib/airavata/security_model_types.h | 12 +- .../lib/Airavata/Model/Security/Types.php | 25 +++- .../apache/airavata/model/security/ttypes.py | 19 ++- .../airavata/model/security/AuthzToken.java | 122 +++++++++++++++++-- .../airavata/common/utils/ServerSettings.java | 14 +-- .../airavata-apis/security_model.thrift | 3 +- 10 files changed, 300 insertions(+), 68 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java index 8420ddc..143e241 100644 
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java @@ -27,17 +27,27 @@ import org.apache.airavata.api.server.security.xacml.DefaultXACMLPEP; import org.apache.airavata.common.exception.ApplicationSettingsException; import org.apache.airavata.common.utils.Constants; import org.apache.airavata.common.utils.ServerSettings; +import org.apache.airavata.credential.store.client.CredentialStoreClientFactory; +import org.apache.airavata.credential.store.cpi.CredentialStoreService; +import org.apache.airavata.credential.store.datamodel.PasswordCredential; +import org.apache.airavata.credential.store.exception.CredentialStoreException; +import org.apache.airavata.model.appcatalog.gatewayprofile.GatewayResourceProfile; import org.apache.airavata.model.security.AuthzToken; +import org.apache.airavata.registry.core.experiment.catalog.impl.RegistryFactory; +import org.apache.airavata.registry.cpi.AppCatalog; +import org.apache.airavata.registry.cpi.AppCatalogException; import org.apache.airavata.security.AiravataSecurityException; import org.apache.airavata.security.util.TrustStoreManager; import org.apache.axis2.AxisFault; import org.apache.axis2.context.ConfigurationContext; import org.apache.axis2.context.ConfigurationContextFactory; +import org.apache.thrift.TException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO; import java.io.*; +import java.util.List; import java.util.Map; /** 
@@ -46,6 +56,12 @@ import java.util.Map; public class DefaultAiravataSecurityManager implements AiravataSecurityManager { private final static Logger logger = LoggerFactory.getLogger(DefaultAiravataSecurityManager.class); + private CredentialStoreService.Client csClient; + + public DefaultAiravataSecurityManager() throws TException, ApplicationSettingsException { + csClient = getCredentialStoreServiceClient(); + } + @Override public void initializeSecurityInfra() throws AiravataSecurityException { /* in the default security manager, this method checks if the xacml authorization policy is published, 
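Review bot: The new constructor `public DefaultAiravataSecurityManager() throws TException, ApplicationSettingsException` performs a remote connection (`csClient = getCredentialStoreServiceClient()`), so the manager can no longer be instantiated while the credential store is unreachable, and any caller of the previous no-throw default constructor now has two checked exceptions to handle. The resulting `csClient` is a non-final field reused by every later `isUserAuthorized` call; Thrift service clients are not safe for concurrent use and do not recover from a broken transport, so if the API server invokes this manager from several handler threads (likely, but not visible here) the client should be created per call or its use serialized. At minimum declare it `private final CredentialStoreService.Client csClient;` and add a class-level Javadoc sentence recording the single-connection assumption. The class body continues outside this hunk.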
@@ -60,27 +76,39 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { TrustStoreManager trustStoreManager = new TrustStoreManager(); trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(), ServerSettings.getTrustStorePassword()); - - DefaultPAPClient PAPClient = new DefaultPAPClient(ServerSettings.getRemoteAuthzServerUrl(), - ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext); - boolean policyAdded = PAPClient.isPolicyAdded(ServerSettings.getAuthorizationPoliyName()); - if (policyAdded) { - logger.info("Authorization policy is already added in the authorization server."); - } else { - //read the policy as a string - BufferedReader bufferedReader = new BufferedReader(new FileReader(new File( - ServerSettings.getAuthorizationPoliyName() + ".xml"))); - String line; - StringBuilder stringBuilder = new StringBuilder(); - while ((line = bufferedReader.readLine()) != null) { - stringBuilder.append(line); + AppCatalog appCatalog = RegistryFactory.getAppCatalog(); + List<GatewayResourceProfile> gwProfiles = appCatalog.getGatewayProfile().getAllGatewayProfiles(); + //read the policy as a string + BufferedReader bufferedReader = new BufferedReader(new FileReader(new File( + ServerSettings.getAuthorizationPoliyName() + ".xml"))); + String line; + StringBuilder stringBuilder = new StringBuilder(); + while ((line = bufferedReader.readLine()) != null) { + stringBuilder.append(line); + } + String defaultXACMLPolicy = stringBuilder.toString(); + for(GatewayResourceProfile gwrp : gwProfiles){ + if(gwrp.getIdentityServerPwdCredToken() != null && gwrp.getIdentityServerTenant() != null){ + PasswordCredential credential = csClient.getPasswordCredential(gwrp.getCredentialStoreToken(), gwrp.getGatewayID()); + String username = credential.getLoginUserName(); + if(gwrp.getIdentityServerTenant() != null && !gwrp.getIdentityServerTenant().isEmpty()) + username = username + "@" + 
gwrp.getIdentityServerTenant(); + String password = credential.getPassword(); + DefaultPAPClient PAPClient = new DefaultPAPClient(ServerSettings.getRemoteAuthzServerUrl(), + username, password, configContext); + boolean policyAdded = PAPClient.isPolicyAdded(ServerSettings.getAuthorizationPoliyName()); + if (policyAdded) { + logger.info("Authorization policy is already added in the authorization server."); + } else { + //publish the policy and enable it in a separate thread + PAPClient.addPolicy(defaultXACMLPolicy); + logger.info("Authorization policy is published in the authorization server."); + } + }else{ + logger.warn("Identity Server configuration missing for gateway : " + gwrp.getGatewayID()); } - //publish the policy and enable it in a separate thread - PAPClient.addPolicy(stringBuilder.toString()); - logger.info("Authorization policy is published in the authorization server."); } } - } catch (AxisFault axisFault) { logger.error(axisFault.getMessage(), axisFault); throw new AiravataSecurityException("Error in initializing the configuration context for creating the " + 
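Review bot: The guard `if(gwrp.getIdentityServerPwdCredToken() != null && gwrp.getIdentityServerTenant() != null)` tests one profile field, but the lookup on the next line passes a different one, `gwrp.getCredentialStoreToken()`, so a profile with an identity-server password token but no credential-store token passes the check and calls the credential store with a null token; if the identity-server password credential is the one intended here the call should read `csClient.getPasswordCredential(gwrp.getIdentityServerPwdCredToken(), gwrp.getGatewayID())`, otherwise the guard should test `getCredentialStoreToken()` instead. The inner `if(gwrp.getIdentityServerTenant() != null && ...)` re-tests a null the outer condition already excluded and can be reduced to the `isEmpty()` check. `bufferedReader` on the new side is never closed; wrapping it as `try (BufferedReader bufferedReader = new BufferedReader(new FileReader(...))) { ... }` removes the leak if the module targets Java 7 or later. `initializeSecurityInfra` begins in the previous hunk and its catch chain ends in the next one.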
@@ -94,36 +122,49 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { } catch (IOException e) { logger.error(e.getMessage(), e); throw new AiravataSecurityException("Error in reading the authorization policy."); + } catch (AppCatalogException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in reading the Gateway Profiles from App Catalog."); + } catch (TException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in connecting to Credential Store Service."); } - } public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException { try { + String subject = authzToken.getUserName(); + String accessToken = authzToken.getAccessToken(); + String gatewayId = authzToken.getGatewayId(); + String action = metaData.get(Constants.API_METHOD_NAME); + + AppCatalog appCatalog = RegistryFactory.getAppCatalog(); + GatewayResourceProfile gwrp = appCatalog.getGatewayProfile().getGatewayProfile(gatewayId); + PasswordCredential credential = csClient.getPasswordCredential(gwrp.getCredentialStoreToken(), gwrp.getGatewayID()); + String username = credential.getLoginUserName(); + if(gwrp.getIdentityServerTenant() != null && !gwrp.getIdentityServerTenant().isEmpty()) + username = username + "@" + gwrp.getIdentityServerTenant(); + String password = credential.getPassword(); + //if the authz cache is enabled, check in the cache if the authz decision is cached and if so, what the status is if (ServerSettings.isAuthzCacheEnabled()) { //obtain an instance of AuthzCacheManager implementation. 
AuthzCacheManager authzCacheManager = AuthzCacheManagerFactory.getAuthzCacheManager(); - //collect the necessary info for contructing the authz cache index - String subject = authzToken.getClaimsMap().get(Constants.USER_NAME); - String accessToken = authzToken.getAccessToken(); - String action = metaData.get(Constants.API_METHOD_NAME); + //check in the cache AuthzCachedStatus authzCachedStatus = authzCacheManager.getAuthzCachedStatus( - new AuthzCacheIndex(subject, accessToken, action)); + new AuthzCacheIndex(subject, gatewayId, accessToken, action)); if (AuthzCachedStatus.AUTHORIZED.equals(authzCachedStatus)) { - //TODO: following info log is for demonstration purpose. change it to debug log. logger.info("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is retrieved from cache."); return true; } else if (AuthzCachedStatus.NOT_AUTHORIZED.equals(authzCachedStatus)) { - //TODO: following info log is for demonstration purpose. change it to debug log. logger.info("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is retrieved from cache."); return false; } else if (AuthzCachedStatus.NOT_CACHED.equals(authzCachedStatus)) { - //TODO: following info log is for demonstration purpose. change it to debug log. logger.info("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is not in the cache. " + "Obtaining it from the authorization server."); + //talk to Authorization Server, obtain the decision, cache it and return the result. ConfigurationContext configContext = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null); 
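Review bot: The app-catalog lookup and the `csClient.getPasswordCredential(...)` round trip now run before the authz cache is consulted, so even a cache hit pays two remote calls and pulls the gateway's identity-server password for nothing; moving those lines into the `NOT_CACHED` branch (and the non-cache path) keeps the cache worthwhile. `gwrp` is dereferenced without a null check while `gatewayId` comes straight from the client-supplied token, so a request naming an unknown gateway raises a NullPointerException that the catch clauses at the end of the method do not convert into an AiravataSecurityException; add `if (gwrp == null) { throw new AiravataSecurityException("No gateway resource profile for gateway: " + gatewayId); }` directly after the lookup. `isUserAuthorized` continues past this hunk.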
@@ -134,7 +175,7 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { ServerSettings.getTrustStorePassword()); DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(), - ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext); + username, password, configContext); OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken( authzToken.getAccessToken()); boolean isOAuthTokenValid = validationResponse.getValid(); @@ -142,13 +183,13 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { //check for fine grained authorization for the API invocation, based on XACML. DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(), - ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext); + username, password, configContext); boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData); boolean decision = isOAuthTokenValid && authorizationDecision; //cache the authorization decision - authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, accessToken, action), + authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, gatewayId, accessToken, action), new AuthzCacheEntry(decision, expiryTimestamp, System.currentTimeMillis())); return decision; 
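Review bot: With the admin credentials replaced by the per-gateway `username`/`password`, token validation and the XACML decision are now scoped by `gatewayId`, but `subject` (taken from `authzToken.getUserName()`, which the caller sets) is never compared with the user the authorization server associates with the access token, so the subject recorded in the cache index and in the log lines is whatever the client asserted. If the WSO2 validation stub exposes the authorized user on `validationResponse`, compare it with `subject` and treat a mismatch as not authorized before the decision is cached. The same credential swap and the same gap appear in the `@@ -167,13 +208,13 @@` hunk below. The unchanged `logger.info` lines around this hunk also write the raw access token at INFO level; since the commit removed the TODOs that marked those logs as demo-only, dropping the token from the message would be a natural part of this change.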
@@ -167,13 +208,13 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { ServerSettings.getTrustStorePassword()); DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(), - ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext); + username, password, configContext); OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken( authzToken.getAccessToken()); boolean isOAuthTokenValid = validationResponse.getValid(); //if XACML based authorization is enabled, check for role based authorization for the API invocation DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(), - ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext); + username, password, configContext); boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData); return (isOAuthTokenValid && authorizationDecision); 
@@ -185,6 +226,22 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { } catch (ApplicationSettingsException e) { logger.error(e.getMessage(), e); throw new AiravataSecurityException("Error in reading OAuth server configuration."); + } catch (AppCatalogException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in accessing AppCatalog."); + } catch (TException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in connecting to Credential Store Service."); + } + } + + private CredentialStoreService.Client getCredentialStoreServiceClient() throws TException, ApplicationSettingsException { + final int serverPort = Integer.parseInt(ServerSettings.getCredentialStoreServerPort()); + final String serverHost = ServerSettings.getCredentialStoreServerHost(); + try { + return CredentialStoreClientFactory.createAiravataCSClient(serverHost, serverPort); + } catch (CredentialStoreException e) { + throw new TException("Unable to create credential store client...", e); } } } http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java index 8b14556..48d3f01 100644 --- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java 
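Review bot: `Integer.parseInt(ServerSettings.getCredentialStoreServerPort())` in `getCredentialStoreServiceClient` throws an unchecked NumberFormatException for a malformed port setting, which escapes both declared exception types and the constructor, so a configuration typo surfaces as a raw runtime failure at startup rather than the settings error the signature promises; catching it and rethrowing as `new TException("Invalid credential store server port: " + ServerSettings.getCredentialStoreServerPort(), e)` (or as the settings exception, if it has a cause-taking constructor) keeps the contract. The new catch clauses in `isUserAuthorized` map AppCatalogException and TException to AiravataSecurityException, but a missing gateway profile still escapes as a NullPointerException from the lookup earlier in the method. Also trim the trailing ellipsis in `"Unable to create credential store client..."`; it reads as an unfinished message in logs.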
@@ -20,15 +20,14 @@ */ package org.apache.airavata.api.server.security.authzcache; -import javax.management.MXBean; -import java.util.LinkedHashMap; -import java.util.Map; - import org.apache.airavata.common.exception.ApplicationSettingsException; import org.apache.airavata.common.utils.ServerSettings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.util.LinkedHashMap; +import java.util.Map; + public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry> { private static int MAX_SIZE; @@ -54,7 +53,6 @@ public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry> @Override protected boolean removeEldestEntry(Map.Entry<AuthzCacheIndex, AuthzCacheEntry> eldest) { - //TODO: following info log is for demonstration purposes. Remove it. if (size() > MAX_SIZE) { logger.info("Authz cache max size exceeded. Removing the old entries."); } http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java index 59667d8..f73a59e 100644 --- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java 
@@ -28,11 +28,13 @@ public class AuthzCacheIndex { private String subject; private String oauthAccessToken; private String action; + private String gatewayId; - public AuthzCacheIndex(String userName, String accessToken, String actionString) { + public AuthzCacheIndex(String userName, String gatewayId, String accessToken, String actionString) { this.subject = userName; this.oauthAccessToken = accessToken; this.action = actionString; + this.gatewayId = gatewayId; } public String getSubject() { 
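Review bot: The new constructor takes four positional `String` parameters with `gatewayId` inserted second, between `userName` and `accessToken`, an order that is easy to transpose at call sites and that the compiler cannot catch; the parameter names also differ from the fields they set (`userName` → `subject`, `actionString` → `action`). Add a Javadoc block above the constructor listing the parameters in order and stating that all four must be non-null, since `equals` and `hashCode` dereference each of them. `AuthzCacheIndex` continues past this hunk.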
@@ -59,20 +61,30 @@ public class AuthzCacheIndex { this.oauthAccessToken = oauthAccessToken; } - /*Equals and hash code methods are overriden since this is being used as an index of a map and that containsKey method - * should return true if the values of two index objects are equal.*/ + public String getGatewayId() { + return gatewayId; + } + + public void setGatewayId(String gatewayId) { + this.gatewayId = gatewayId; + } + + /*Equals and hash code methods are overridden since this is being used as an index of a map and that containsKey method + * should return true if the values of two index objects are equal.*/ @Override public boolean equals(Object other) { if (other == null || other.getClass() != getClass()) { return false; } return ((this.getSubject().equals(((AuthzCacheIndex) other).getSubject())) + && (this.getGatewayId().equals(((AuthzCacheIndex) other).getGatewayId())) && (this.getOauthAccessToken().equals(((AuthzCacheIndex) other).getOauthAccessToken())) && (this.getAction().equals(((AuthzCacheIndex) other).getAction()))); } @Override public int hashCode() { - return this.getSubject().hashCode() + this.getOauthAccessToken().hashCode() + this.getAction().hashCode(); + return this.getSubject().hashCode() + this.getOauthAccessToken().hashCode() + this.getGatewayId().hashCode() + + this.getAction().hashCode(); } } http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.cpp ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.cpp b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.cpp index 63eabf5..52968a8 100644 --- a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.cpp 
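Review bot: `this.getGatewayId().equals(...)` in `equals` and `this.getGatewayId().hashCode()` in `hashCode` throw NullPointerException when `gatewayId` is null, and nothing prevents that: the constructor and `setGatewayId` accept null, and `gatewayId` is an optional field on `AuthzToken` (declared `// optional` in the AuthzToken.java hunk further down), so a token without a gateway id now crashes the cache lookup instead of being treated as a cache miss. Using `java.util.Objects` fixes both methods and also replaces the order-insensitive sum in `hashCode`, where swapping two field values collides: `return Objects.hash(subject, gatewayId, oauthAccessToken, action);`, and in `equals`, after the class check, `AuthzCacheIndex o = (AuthzCacheIndex) other;` followed by `return Objects.equals(subject, o.subject) && Objects.equals(gatewayId, o.gatewayId) && Objects.equals(oauthAccessToken, o.oauthAccessToken) && Objects.equals(action, o.action);`, which needs `import java.util.Objects;`.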
+++ b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.cpp @@ -44,6 +44,11 @@ void AuthzToken::__set_gatewayId(const std::string& val) { __isset.gatewayId = true; } +void AuthzToken::__set_userName(const std::string& val) { + this->userName = val; +__isset.userName = true; +} + void AuthzToken::__set_claimsMap(const std::map<std::string, std::string> & val) { this->claimsMap = val; __isset.claimsMap = true; @@ -88,6 +93,14 @@ uint32_t AuthzToken::read(::apache::thrift::protocol::TProtocol* iprot) { } break; case 3: + if (ftype == ::apache::thrift::protocol::T_STRING) { + xfer += iprot->readString(this->userName); + this->__isset.userName = true; + } else { + xfer += iprot->skip(ftype); + } + break; + case 4: if (ftype == ::apache::thrift::protocol::T_MAP) { { this->claimsMap.clear(); @@ -138,8 +151,13 @@ uint32_t AuthzToken::write(::apache::thrift::protocol::TProtocol* oprot) const { xfer += oprot->writeString(this->gatewayId); xfer += oprot->writeFieldEnd(); } + if (this->__isset.userName) { + xfer += oprot->writeFieldBegin("userName", ::apache::thrift::protocol::T_STRING, 3); + xfer += oprot->writeString(this->userName); + xfer += oprot->writeFieldEnd(); + } if (this->__isset.claimsMap) { - xfer += oprot->writeFieldBegin("claimsMap", ::apache::thrift::protocol::T_MAP, 3); + xfer += oprot->writeFieldBegin("claimsMap", ::apache::thrift::protocol::T_MAP, 4); { xfer += oprot->writeMapBegin(::apache::thrift::protocol::T_STRING, ::apache::thrift::protocol::T_STRING, static_cast<uint32_t>(this->claimsMap.size())); std::map<std::string, std::string> ::const_iterator _iter7; @@ -161,6 +179,7 @@ void swap(AuthzToken &a, AuthzToken &b) { using ::std::swap; swap(a.accessToken, b.accessToken); swap(a.gatewayId, b.gatewayId); + swap(a.userName, b.userName); swap(a.claimsMap, b.claimsMap); swap(a.__isset, b.__isset); } 
@@ -168,12 +187,14 @@ void swap(AuthzToken &a, AuthzToken &b) { AuthzToken::AuthzToken(const AuthzToken& other8) { accessToken = other8.accessToken; gatewayId = other8.gatewayId; + userName = other8.userName; claimsMap = other8.claimsMap; __isset = other8.__isset; } AuthzToken& AuthzToken::operator=(const AuthzToken& other9) { accessToken = other9.accessToken; gatewayId = other9.gatewayId; + userName = other9.userName; claimsMap = other9.claimsMap; __isset = other9.__isset; return *this; @@ -183,6 +204,7 @@ void AuthzToken::printTo(std::ostream& out) const { out << "AuthzToken("; out << "accessToken=" << to_string(accessToken); out << ", " << "gatewayId="; (__isset.gatewayId ? (out << to_string(gatewayId)) : (out << "<null>")); + out << ", " << "userName="; (__isset.userName ? (out << to_string(userName)) : (out << "<null>")); out << ", " << "claimsMap="; (__isset.claimsMap ? (out << to_string(claimsMap)) : (out << "<null>")); out << ")"; } http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.h ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.h b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.h index cce2875..77d618d 100644 --- a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.h +++ b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/security_model_types.h 
@@ -39,8 +39,9 @@ namespace apache { namespace airavata { namespace model { namespace security { class AuthzToken; typedef struct _AuthzToken__isset { - _AuthzToken__isset() : gatewayId(false), claimsMap(false) {} + _AuthzToken__isset() : gatewayId(false), userName(false), claimsMap(false) {} bool gatewayId :1; + bool userName :1; bool claimsMap :1; } _AuthzToken__isset; @@ -49,12 +50,13 @@ class AuthzToken { AuthzToken(const AuthzToken&); AuthzToken& operator=(const AuthzToken&); - AuthzToken() : accessToken(), gatewayId() { + AuthzToken() : accessToken(), gatewayId(), userName() { } virtual ~AuthzToken() throw(); std::string accessToken; std::string gatewayId; + std::string userName; std::map<std::string, std::string> claimsMap; _AuthzToken__isset __isset; @@ -63,6 +65,8 @@ class AuthzToken { void __set_gatewayId(const std::string& val); + void __set_userName(const std::string& val); + void __set_claimsMap(const std::map<std::string, std::string> & val); bool operator == (const AuthzToken & rhs) const @@ -73,6 +77,10 @@ class AuthzToken { return false; else if (__isset.gatewayId && !(gatewayId == rhs.gatewayId)) return false; + if (__isset.userName != rhs.__isset.userName) + return false; + else if (__isset.userName && !(userName == rhs.userName)) + return false; if (__isset.claimsMap != rhs.__isset.claimsMap) return false; else if (__isset.claimsMap && !(claimsMap == rhs.claimsMap)) http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Security/Types.php ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Security/Types.php b/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Security/Types.php index 901565c..7b9c143 100644 
--- a/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Security/Types.php +++ b/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Security/Types.php @@ -29,6 +29,10 @@ class AuthzToken { */ public $gatewayId = null; /** + * @var string + */ + public $userName = null; + /** * @var array */ public $claimsMap = null; @@ -45,6 +49,10 @@ class AuthzToken { 'type' => TType::STRING, ), 3 => array( + 'var' => 'userName', + 'type' => TType::STRING, + ), + 4 => array( 'var' => 'claimsMap', 'type' => TType::MAP, 'ktype' => TType::STRING, @@ -65,6 +73,9 @@ class AuthzToken { if (isset($vals['gatewayId'])) { $this->gatewayId = $vals['gatewayId']; } + if (isset($vals['userName'])) { + $this->userName = $vals['userName']; + } if (isset($vals['claimsMap'])) { $this->claimsMap = $vals['claimsMap']; } @@ -105,6 +116,13 @@ class AuthzToken { } break; case 3: + if ($ftype == TType::STRING) { + $xfer += $input->readString($this->userName); + } else { + $xfer += $input->skip($ftype); + } + break; + case 4: if ($ftype == TType::MAP) { $this->claimsMap = array(); $_size0 = 0; 
@@ -147,11 +165,16 @@ class AuthzToken { $xfer += $output->writeString($this->gatewayId); $xfer += $output->writeFieldEnd(); } + if ($this->userName !== null) { + $xfer += $output->writeFieldBegin('userName', TType::STRING, 3); + $xfer += $output->writeString($this->userName); + $xfer += $output->writeFieldEnd(); + } if ($this->claimsMap !== null) { if (!is_array($this->claimsMap)) { throw new TProtocolException('Bad type in structure.', TProtocolException::INVALID_DATA); } - $xfer += $output->writeFieldBegin('claimsMap', TType::MAP, 3); + $xfer += $output->writeFieldBegin('claimsMap', TType::MAP, 4); { $output->writeMapBegin(TType::STRING, TType::STRING, count($this->claimsMap)); { http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/security/ttypes.py ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/security/ttypes.py b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/security/ttypes.py index f05fbaa..5b3cb4c 100644 --- a/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/security/ttypes.py +++ b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/security/ttypes.py @@ -22,6 +22,7 @@ class AuthzToken: Attributes: - accessToken - gatewayId + - userName - claimsMap """ 
@@ -29,12 +30,14 @@ class AuthzToken: None, # 0 (1, TType.STRING, 'accessToken', None, None, ), # 1 (2, TType.STRING, 'gatewayId', None, None, ), # 2 - (3, TType.MAP, 'claimsMap', (TType.STRING,None,TType.STRING,None), None, ), # 3 + (3, TType.STRING, 'userName', None, None, ), # 3 + (4, TType.MAP, 'claimsMap', (TType.STRING,None,TType.STRING,None), None, ), # 4 ) - def __init__(self, accessToken=None, gatewayId=None, claimsMap=None,): + def __init__(self, accessToken=None, gatewayId=None, userName=None, claimsMap=None,): self.accessToken = accessToken self.gatewayId = gatewayId + self.userName = userName self.claimsMap = claimsMap def read(self, iprot): @@ -57,6 +60,11 @@ class AuthzToken: else: iprot.skip(ftype) elif fid == 3: + if ftype == TType.STRING: + self.userName = iprot.readString() + else: + iprot.skip(ftype) + elif fid == 4: if ftype == TType.MAP: self.claimsMap = {} (_ktype1, _vtype2, _size0 ) = iprot.readMapBegin() @@ -85,8 +93,12 @@ class AuthzToken: oprot.writeFieldBegin('gatewayId', TType.STRING, 2) oprot.writeString(self.gatewayId) oprot.writeFieldEnd() + if self.userName is not None: + oprot.writeFieldBegin('userName', TType.STRING, 3) + oprot.writeString(self.userName) + oprot.writeFieldEnd() if self.claimsMap is not None: - oprot.writeFieldBegin('claimsMap', TType.MAP, 3) + oprot.writeFieldBegin('claimsMap', TType.MAP, 4) oprot.writeMapBegin(TType.STRING, TType.STRING, len(self.claimsMap)) for kiter7,viter8 in self.claimsMap.items(): oprot.writeString(kiter7) @@ -106,6 +118,7 @@ class AuthzToken: value = 17 value = (value * 31) ^ hash(self.accessToken) value = (value * 31) ^ hash(self.gatewayId) + value = (value * 31) ^ hash(self.userName) value = (value * 31) ^ hash(self.claimsMap) return value http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/security/AuthzToken.java ---------------------------------------------------------------------- 
diff --git a/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/security/AuthzToken.java b/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/security/AuthzToken.java index 8c02925..019a908 100644 --- a/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/security/AuthzToken.java +++ b/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/security/AuthzToken.java @@ -57,7 +57,8 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke private static final org.apache.thrift.protocol.TField ACCESS_TOKEN_FIELD_DESC = new org.apache.thrift.protocol.TField("accessToken", org.apache.thrift.protocol.TType.STRING, (short)1); private static final org.apache.thrift.protocol.TField GATEWAY_ID_FIELD_DESC = new org.apache.thrift.protocol.TField("gatewayId", org.apache.thrift.protocol.TType.STRING, (short)2); - private static final org.apache.thrift.protocol.TField CLAIMS_MAP_FIELD_DESC = new org.apache.thrift.protocol.TField("claimsMap", org.apache.thrift.protocol.TType.MAP, (short)3); + private static final org.apache.thrift.protocol.TField USER_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("userName", org.apache.thrift.protocol.TType.STRING, (short)3); + private static final org.apache.thrift.protocol.TField CLAIMS_MAP_FIELD_DESC = new org.apache.thrift.protocol.TField("claimsMap", org.apache.thrift.protocol.TType.MAP, (short)4); private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>(); static { 
@@ -67,13 +68,15 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke private String accessToken; // required private String gatewayId; // optional + private String userName; // optional private Map<String,String> claimsMap; // optional /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { ACCESS_TOKEN((short)1, "accessToken"), GATEWAY_ID((short)2, "gatewayId"), - CLAIMS_MAP((short)3, "claimsMap"); + USER_NAME((short)3, "userName"), + CLAIMS_MAP((short)4, "claimsMap"); private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); @@ -92,7 +95,9 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke return ACCESS_TOKEN; case 2: // GATEWAY_ID return GATEWAY_ID; - case 3: // CLAIMS_MAP + case 3: // USER_NAME + return USER_NAME; + case 4: // CLAIMS_MAP return CLAIMS_MAP; default: return null; @@ -134,7 +139,7 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke } // isset id assignments - private static final _Fields optionals[] = {_Fields.GATEWAY_ID,_Fields.CLAIMS_MAP}; + private static final _Fields optionals[] = {_Fields.GATEWAY_ID,_Fields.USER_NAME,_Fields.CLAIMS_MAP}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); 
@@ -142,6 +147,8 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.GATEWAY_ID, new org.apache.thrift.meta_data.FieldMetaData("gatewayId", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); + tmpMap.put(_Fields.USER_NAME, new org.apache.thrift.meta_data.FieldMetaData("userName", org.apache.thrift.TFieldRequirementType.OPTIONAL, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.CLAIMS_MAP, new org.apache.thrift.meta_data.FieldMetaData("claimsMap", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING), @@ -170,6 +177,9 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke if (other.isSetGatewayId()) { this.gatewayId = other.gatewayId; } + if (other.isSetUserName()) { + this.userName = other.userName; + } if (other.isSetClaimsMap()) { Map<String,String> __this__claimsMap = new HashMap<String,String>(other.claimsMap); this.claimsMap = __this__claimsMap; @@ -184,6 +194,7 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke public void clear() { this.accessToken = null; this.gatewayId = null; + this.userName = null; this.claimsMap = null; } 
@@ -233,6 +244,29 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke } } + public String getUserName() { + return this.userName; + } + + public void setUserName(String userName) { + this.userName = userName; + } + + public void unsetUserName() { + this.userName = null; + } + + /** Returns true if field userName is set (has been assigned a value) and false otherwise */ + public boolean isSetUserName() { + return this.userName != null; + } + + public void setUserNameIsSet(boolean value) { + if (!value) { + this.userName = null; + } + } + public int getClaimsMapSize() { return (this.claimsMap == null) ? 0 : this.claimsMap.size(); } @@ -285,6 +319,14 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke } break; + case USER_NAME: + if (value == null) { + unsetUserName(); + } else { + setUserName((String)value); + } + break; + case CLAIMS_MAP: if (value == null) { unsetClaimsMap(); @@ -304,6 +346,9 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke case GATEWAY_ID: return getGatewayId(); + case USER_NAME: + return getUserName(); + case CLAIMS_MAP: return getClaimsMap(); @@ -322,6 +367,8 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke return isSetAccessToken(); case GATEWAY_ID: return isSetGatewayId(); + case USER_NAME: + return isSetUserName(); case CLAIMS_MAP: return isSetClaimsMap(); } 
@@ -359,6 +406,15 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke return false; } + boolean this_present_userName = true && this.isSetUserName(); + boolean that_present_userName = true && that.isSetUserName(); + if (this_present_userName || that_present_userName) { + if (!(this_present_userName && that_present_userName)) + return false; + if (!this.userName.equals(that.userName)) + return false; + } + boolean this_present_claimsMap = true && this.isSetClaimsMap(); boolean that_present_claimsMap = true && that.isSetClaimsMap(); if (this_present_claimsMap || that_present_claimsMap) { @@ -385,6 +441,11 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke if (present_gatewayId) list.add(gatewayId); + boolean present_userName = true && (isSetUserName()); + list.add(present_userName); + if (present_userName) + list.add(userName); + boolean present_claimsMap = true && (isSetClaimsMap()); list.add(present_claimsMap); if (present_claimsMap) @@ -421,6 +482,16 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke return lastComparison; } } + lastComparison = Boolean.valueOf(isSetUserName()).compareTo(other.isSetUserName()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetUserName()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.userName, other.userName); + if (lastComparison != 0) { + return lastComparison; + } + } lastComparison = Boolean.valueOf(isSetClaimsMap()).compareTo(other.isSetClaimsMap()); if (lastComparison != 0) { return lastComparison; @@ -468,6 +539,16 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke } first = false; } + if (isSetUserName()) { + if (!first) sb.append(", "); + sb.append("userName:"); + if (this.userName == null) { + sb.append("null"); + } else { + sb.append(this.userName); + } + first = false; + } if (isSetClaimsMap()) { if (!first) sb.append(", "); sb.append("claimsMap:"); 
@@ -541,7 +622,15 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; - case 3: // CLAIMS_MAP + case 3: // USER_NAME + if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { + struct.userName = iprot.readString(); + struct.setUserNameIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + case 4: // CLAIMS_MAP if (schemeField.type == org.apache.thrift.protocol.TType.MAP) { { org.apache.thrift.protocol.TMap _map0 = iprot.readMapBegin(); @@ -586,6 +675,13 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke oprot.writeFieldEnd(); } } + if (struct.userName != null) { + if (struct.isSetUserName()) { + oprot.writeFieldBegin(USER_NAME_FIELD_DESC); + oprot.writeString(struct.userName); + oprot.writeFieldEnd(); + } + } if (struct.claimsMap != null) { if (struct.isSetClaimsMap()) { oprot.writeFieldBegin(CLAIMS_MAP_FIELD_DESC); @@ -623,13 +719,19 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke if (struct.isSetGatewayId()) { optionals.set(0); } - if (struct.isSetClaimsMap()) { + if (struct.isSetUserName()) { optionals.set(1); } - oprot.writeBitSet(optionals, 2); + if (struct.isSetClaimsMap()) { + optionals.set(2); + } + oprot.writeBitSet(optionals, 3); if (struct.isSetGatewayId()) { oprot.writeString(struct.gatewayId); } + if (struct.isSetUserName()) { + oprot.writeString(struct.userName); + } if (struct.isSetClaimsMap()) { { oprot.writeI32(struct.claimsMap.size()); 
@@ -647,12 +749,16 @@ public class AuthzToken implements org.apache.thrift.TBase<AuthzToken, AuthzToke TTupleProtocol iprot = (TTupleProtocol) prot; struct.accessToken = iprot.readString(); struct.setAccessTokenIsSet(true); - BitSet incoming = iprot.readBitSet(2); + BitSet incoming = iprot.readBitSet(3); if (incoming.get(0)) { struct.gatewayId = iprot.readString(); struct.setGatewayIdIsSet(true); } if (incoming.get(1)) { + struct.userName = iprot.readString(); + struct.setUserNameIsSet(true); + } + if (incoming.get(2)) { { org.apache.thrift.protocol.TMap _map6 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRING, iprot.readI32()); struct.claimsMap = new HashMap<String,String>(2*_map6.size); http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java ---------------------------------------------------------------------- diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java index c75e73e..26d868d 100644 --- a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java +++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java @@ -21,13 +21,13 @@ package org.apache.airavata.common.utils; -import java.net.InetAddress; -import java.net.UnknownHostException; - import org.apache.airavata.common.exception.ApplicationSettingsException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.net.InetAddress; +import java.net.UnknownHostException; + public class ServerSettings extends ApplicationSettings { private static final Logger log = LoggerFactory.getLogger(ServerSettings.class); 
@@ -278,14 +278,6 @@ public class ServerSettings extends ApplicationSettings {
         return getSetting(Constants.REMOTE_OAUTH_SERVER_URL);
     }
 
-    public static String getAdminUsername() throws ApplicationSettingsException {
-        return getSetting(Constants.ADMIN_USERNAME);
-    }
-
-    public static String getAdminPassword() throws ApplicationSettingsException {
-        return getSetting(Constants.ADMIN_PASSWORD);
-    }
-
     public static String getAuthorizationPoliyName() throws ApplicationSettingsException {
         return getSetting(Constants.AUTHORIZATION_POLICY_NAME);
     }
http://git-wip-us.apache.org/repos/asf/airavata/blob/5f59387a/thrift-interface-descriptions/airavata-apis/security_model.thrift
----------------------------------------------------------------------
diff --git a/thrift-interface-descriptions/airavata-apis/security_model.thrift b/thrift-interface-descriptions/airavata-apis/security_model.thrift
index 0104165..158405d 100644
--- a/thrift-interface-descriptions/airavata-apis/security_model.thrift
+++ b/thrift-interface-descriptions/airavata-apis/security_model.thrift
@@ -32,5 +32,6 @@ namespace py apache.airavata.model.security
 struct AuthzToken {
     1: required string accessToken,
     2: optional string gatewayId,
-    3: optional map<string, string> claimsMap
+    3: optional string userName,
+    4: optional map<string, string> claimsMap
 }
\ No newline at end of file
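Review bot: Moving `claimsMap` from field id 3 to 4 breaks wire compatibility for every client built against the old IDL: the regenerated reader treats field 3 as a STRING and skips anything else, so an old client's map-typed field 3 is silently dropped, and the tuple-scheme optional bitset widens from 2 to 3 bits so compact-encoded tokens from old clients are misparsed. Keep the existing id and append the new field instead: `3: optional map<string, string> claimsMap,` followed by `4: optional string userName`. Separately, `userName` is caller-supplied inside the same struct that carries the bearer `accessToken`, so the server must never adopt it as the authenticated principal on its own; I would document that in the IDL with `/** Caller-supplied hint only; the server derives the principal from the validated accessToken and rejects tokens whose userName does not match it. */`. Whether the security-manager change in this commit actually performs that cross-check is outside this hunk and I cannot confirm it here.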
