This is an automated email from the ASF dual-hosted git repository.

jfeinauer pushed a commit to branch feature/IOTDB-700-add-openid
in repository https://gitbox.apache.org/repos/asf/incubator-iotdb.git


The following commit(s) were added to refs/heads/feature/IOTDB-700-add-openid 
by this push:
     new 93290f6  IOTBD-700 Implemented OpenID Connect integration in IoTDB.
93290f6 is described below

commit 93290f6dea2aecf2526dd8977c519e8ab4a46365
Author: julian <[email protected]>
AuthorDate: Sun May 24 15:06:46 2020 +0200

    IOTBD-700 Implemented OpenID Connect integration in IoTDB.
    
    Further Changes:
    - UserNames can now contain colon (":") and "-"
    - New Argument in IoTDB Config
---
 server/pom.xml                                     |   5 +
 .../org/apache/iotdb/db/qp/strategy/SqlBase.g4     |   2 +
 .../iotdb/db/auth/authorizer/BasicAuthorizer.java  |   4 +-
 .../db/auth/authorizer/LocalFileAuthorizer.java    |  13 +-
 .../iotdb/db/auth/authorizer/OpenIdAuthorizer.java | 268 +++++++++++----------
 .../java/org/apache/iotdb/db/conf/IoTDBConfig.java |  10 +-
 .../org/apache/iotdb/db/service/TSServiceImpl.java |   2 +-
 .../db/auth/authorizer/OpenIdAuthorizerTest.java   |  48 ++--
 8 files changed, 191 insertions(+), 161 deletions(-)

diff --git a/server/pom.xml b/server/pom.xml
index 924799d..351f6a6 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -165,6 +165,11 @@
             <version>0.10.7</version>
             <scope>runtime</scope>
         </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>oauth2-oidc-sdk</artifactId>
+            <version>8.3</version>
+        </dependency>
     </dependencies>
     <build>
         <plugins>
diff --git a/server/src/main/antlr4/org/apache/iotdb/db/qp/strategy/SqlBase.g4 
b/server/src/main/antlr4/org/apache/iotdb/db/qp/strategy/SqlBase.g4
index 4c56b68..1a8723f 100644
--- a/server/src/main/antlr4/org/apache/iotdb/db/qp/strategy/SqlBase.g4
+++ b/server/src/main/antlr4/org/apache/iotdb/db/qp/strategy/SqlBase.g4
@@ -925,6 +925,8 @@ NAME_CHAR
     |   'a'..'z'
     |   '0'..'9'
     |   '_'
+    |   '-'
+    |   ':'
     |   CN_CHAR
     ;
 
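Review bot: Adding `'-'` to NAME_CHAR lets ANTLR's longest-match rule lex an input such as `a-b` as a single identifier instead of identifier, operator, identifier, wherever a token built from NAME_CHAR competes with a minus or range operator; which tokens are affected depends on the rules that reference NAME_CHAR, all of which lie outside this hunk. If the widening is only needed for the `openid:<subject>` user-name form introduced in this commit, consider admitting `':'` and `'-'` in a dedicated user-name token rather than in the shared character class, or at least record the intent with a grammar comment such as `// '-' and ':' admitted so OpenID user names (openid:<sub>) parse as identifiers`.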
diff --git 
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java 
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
index 6bbeb1c..1040e37 100644
--- 
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
+++ 
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
@@ -48,8 +48,8 @@ public abstract class BasicAuthorizer implements IAuthorizer, 
IService {
     }
   }
 
-  private IUserManager userManager;
-  private IRoleManager roleManager;
+  IUserManager userManager;
+  IRoleManager roleManager;
 
   BasicAuthorizer(IUserManager userManager, IRoleManager roleManager) throws 
AuthException {
     this.userManager = userManager;
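Review bot: `IUserManager userManager;` and `IRoleManager roleManager;` are widened from private to package-private and stay mutable, so any class in the package can now reassign the managers that every authorization decision relies on; the subclass in this commit only reads them. Keep them `final` (`final IUserManager userManager;`, `final IRoleManager roleManager;`) since they are assigned once in the constructor, or keep them private and expose protected getters. The constructor whose first line is visible continues outside the hunk.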
diff --git 
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizer.java
 
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizer.java
index 2a76648..ffa5503 100644
--- 
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizer.java
+++ 
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizer.java
@@ -19,6 +19,10 @@
 package org.apache.iotdb.db.auth.authorizer;
 
 import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+
+import com.nimbusds.oauth2.sdk.ParseException;
 import org.apache.iotdb.db.auth.AuthException;
 import org.apache.iotdb.db.auth.role.LocalFileRoleManager;
 import org.apache.iotdb.db.auth.user.LocalFileUserManager;
@@ -46,7 +50,7 @@ public class LocalFileAuthorizer extends BasicAuthorizer {
   /**
    * function for getting the instance of the local file authorizer.
    */
-  public static LocalFileAuthorizer getInstance() throws AuthException {
+  public static IAuthorizer getInstance() throws AuthException {
     if (InstanceHolder.instance == null) {
       throw new AuthException("Authorizer uninitialized");
     }
@@ -54,12 +58,13 @@ public class LocalFileAuthorizer extends BasicAuthorizer {
   }
 
   private static class InstanceHolder {
-    private static LocalFileAuthorizer instance;
+    private static OpenIdAuthorizer instance;
 
     static {
       try {
-        instance = new LocalFileAuthorizer();
-      } catch (AuthException e) {
+        
IoTDBDescriptor.getInstance().getConfig().setOpenIdProviderUrl("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/";);
+        instance = new OpenIdAuthorizer();
+      } catch (AuthException | ParseException | IOException | 
URISyntaxException e) {
         logger.error("Authorizer initialization failed due to ", e);
         instance = null;
       }
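Review bot: The static initializer of LocalFileAuthorizer.InstanceHolder now overwrites the global config with a hard-coded third-party provider URL (`setOpenIdProviderUrl("https://auth.demo.pragmaticindustries.de/…")`) and builds an `OpenIdAuthorizer`, so `LocalFileAuthorizer.getInstance()` no longer returns a local-file authorizer and any value an operator configured for `openIdProviderUrl` is silently replaced; TSServiceImpl in this same commit switches back to `LocalFileAuthorizer.getInstance()` and therefore inherits this behaviour. Because the instance is created at class-load time and any failure leaves `instance = null`, an unreachable provider at startup turns every login into "Authorizer uninitialized" with no retry. Drop the `setOpenIdProviderUrl(...)` call, read the configured URL as-is, and select between the local-file and OpenID authorizers in one place driven by the config rather than by rewiring this holder. If the demo URL is needed for manual testing, it belongs in the test sources, not in a production class initializer.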
diff --git 
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizer.java
 
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizer.java
index 5330000..f8c051a 100644
--- 
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizer.java
+++ 
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizer.java
@@ -4,13 +4,20 @@
 
 package org.apache.iotdb.db.auth.authorizer;
 
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
+import net.minidev.json.JSONArray;
+import net.minidev.json.JSONObject;
 import org.apache.iotdb.db.auth.AuthException;
-import org.apache.iotdb.db.auth.role.IRoleManager;
+import org.apache.iotdb.db.auth.entity.Role;
+import org.apache.iotdb.db.auth.entity.User;
 import org.apache.iotdb.db.auth.role.LocalFileRoleManager;
-import org.apache.iotdb.db.auth.user.IUserManager;
 import org.apache.iotdb.db.auth.user.LocalFileUserManager;
 import org.apache.iotdb.db.conf.IoTDBConfig;
 import org.apache.iotdb.db.conf.IoTDBDescriptor;
@@ -18,6 +25,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.interfaces.RSAPublicKey;
+import java.util.*;
 
 /**
  * Uses an OpenID Connect provider for Authorization / Authentication.
@@ -25,47 +39,87 @@ import java.io.File;
 public class OpenIdAuthorizer extends BasicAuthorizer {
 
     private static final Logger logger = 
LoggerFactory.getLogger(OpenIdAuthorizer.class);
+    public static final String IOTDB_ADMIN_ROLE_NAME = "iotdb_admin";
 
     private static IoTDBConfig config = 
IoTDBDescriptor.getInstance().getConfig();
 
-    private final String secret;
+    private RSAPublicKey providerKey;
 
-    public OpenIdAuthorizer() throws AuthException {
-        this(config.getOpenIdSecret());
+    /** Stores all claims to the respective user */
+    private Map<String, Claims> loggedClaims = new HashMap<>();
+
+    public OpenIdAuthorizer() throws AuthException, ParseException, 
IOException, URISyntaxException {
+        this(config.getOpenIdProviderUrl());
     }
 
-    OpenIdAuthorizer(String secret) throws AuthException {
+    OpenIdAuthorizer(JSONObject jwk) throws AuthException, URISyntaxException, 
ParseException, IOException {
         super(new LocalFileUserManager(config.getSystemDir() + File.separator 
+ "users"),
                 new LocalFileRoleManager(config.getSystemDir() + 
File.separator + "roles"));
-        if (secret == null) {
-            throw new IllegalArgumentException("OpenID Secret is null which is 
not allowed!");
+        try {
+            providerKey = RSAKey.parse(jwk).toRSAPublicKey();
+        } catch (java.text.ParseException | JOSEException e) {
+            throw new AuthException("Unable to get OIDC Provider Key from JWK 
" +  jwk.toString(), e);
         }
-        this.secret = secret;
+        logger.info("Initialized with providerKey: {}", providerKey);
     }
 
-    /**
-     * function for getting the instance of the local file authorizer.
-     */
-    public static OpenIdAuthorizer getInstance() throws AuthException {
-        if (OpenIdAuthorizer.InstanceHolder.instance == null) {
-            throw new AuthException("Authorizer uninitialized");
+    OpenIdAuthorizer(String providerUrl) throws AuthException, 
URISyntaxException, ParseException, IOException {
+        this(getJWKfromProvider(providerUrl));
+    }
+
+    private static JSONObject getJWKfromProvider(String providerUrl) throws 
URISyntaxException, IOException, ParseException, AuthException {
+        if (providerUrl == null) {
+            throw new IllegalArgumentException("OpenID Connect Provider URI 
must be given!");
+        }
+
+        //
+        OIDCProviderMetadata providerMetadata = fetchMetadata(providerUrl);
+
+        System.out.println(providerMetadata);
+
+        try {
+            URL url = new 
URI(providerMetadata.getJWKSetURI().toString().replace("http", 
"https")).toURL();
+            System.out.println("Using url " + url);
+            return getProviderRSAJWK(url.openStream());
+        } catch (IOException e) {
+            throw new AuthException("Unable to start the Auth", e);
         }
-        return OpenIdAuthorizer.InstanceHolder.instance;
     }
 
-    private static class InstanceHolder {
-        private static OpenIdAuthorizer instance;
+    private static JSONObject getProviderRSAJWK(InputStream is) throws 
ParseException {
+        // Read all data from stream
+        StringBuilder sb = new StringBuilder();
+        try (Scanner scanner = new Scanner(is);) {
+            while (scanner.hasNext()) {
+                sb.append(scanner.next());
+            }
+        }
 
-        static {
-            // Only for testing here!
-            
IoTDBDescriptor.getInstance().getConfig().setOpenIdSecret("111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111");
-            try {
-                instance = new OpenIdAuthorizer();
-            } catch (AuthException e) {
-                logger.error("Authorizer initialization failed due to ", e);
-                instance = null;
+        // Parse the data as json
+        String jsonString = sb.toString();
+        JSONObject json = JSONObjectUtils.parse(jsonString);
+
+        // Find the RSA signing key
+        JSONArray keyList = (JSONArray) json.get("keys");
+        for (Object key : keyList) {
+            JSONObject k = (JSONObject) key;
+            if (k.get("use").equals("sig") && k.get("kty").equals("RSA")) {
+                return k;
             }
         }
+        return null;
+    }
+
+    static OIDCProviderMetadata fetchMetadata(String providerUrl) throws 
URISyntaxException, IOException, ParseException {
+        URI issuerURI = new URI(providerUrl);
+        URL providerConfigurationURL = 
issuerURI.resolve(".well-known/openid-configuration").toURL();
+        InputStream stream = providerConfigurationURL.openStream();
+        // Read all data from URL
+        String providerInfo = null;
+        try (java.util.Scanner s = new java.util.Scanner(stream)) {
+            providerInfo = s.useDelimiter("\\A").hasNext() ? s.next() : "";
+        }
+        return OIDCProviderMetadata.parse(providerInfo);
     }
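Review bot: `providerMetadata.getJWKSetURI().toString().replace("http", "https")` rewrites an already-secure `https://…` JWKS URI into `httpss://…`, so `toURL()` fails with a MalformedURLException and the constructor aborts with "Unable to start the Auth" for every provider that already advertises HTTPS; use the URI as published and refuse the insecure scheme explicitly instead: `URL url = providerMetadata.getJWKSetURI().toURL(); if (!"https".equals(url.getProtocol())) { throw new AuthException("JWKS URI must use https: " + url); }`. In getProviderRSAJWK, `k.get("use").equals("sig")` throws a NullPointerException for a key that omits the optional `use` member, and the trailing `return null` flows into `RSAKey.parse(jwk)` in the constructor, where it surfaces as a NullPointerException rather than the AuthException that catch block intends; compare with `"sig".equals(k.get("use"))` and throw an AuthException when no suitable key exists. Only the first RSA signing key is retained and the token's `kid` header is never consulted, so a provider that publishes several keys or rotates them will have its tokens rejected until the server restarts; a TODO here would at least make that limitation visible. The two `System.out.println` calls should become `logger.debug(...)` like the rest of the class.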
 
     @Override
@@ -92,10 +146,14 @@ public class OpenIdAuthorizer extends BasicAuthorizer {
         logger.debug("Issuer: {}", claims.getIssuer());
         logger.debug("Expiration: {}", claims.getExpiration());
         // Create User if not exists
-        if (!super.listAllUsers().contains(claims.getId())) {
-            logger.info("User {} logs in for first time, storing it locally!", 
claims.getId());
-            super.createUser(claims.getSubject(), "UNUSED_PASSWORT");
+        String iotdbUsername = getUsername(claims);
+        if (!super.listAllUsers().contains(iotdbUsername)) {
+            logger.info("User {} logs in for first time, storing it locally!", 
iotdbUsername);
+            // We give the user a random password so that no one could hijack 
them via local login
+            super.createUser(iotdbUsername, UUID.randomUUID().toString());
         }
+        // Always store claims and user
+        this.loggedClaims.put(getUsername(claims), claims);
         return true;
     }
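Review bot: `this.loggedClaims.put(getUsername(claims), claims)` records the claims of every successful login in a plain `HashMap` that is never evicted, and isAdmin later in this file answers from that cache when it is handed a user name, so a role removed or a user disabled at the provider keeps its cached admin status until the server restarts, and the map grows by one entry per distinct subject. Concurrent logins from different sessions mutate the same `HashMap` without synchronization; at minimum use a `ConcurrentHashMap` and bound each entry's lifetime to the token's `exp`, or re-validate instead of caching, and document the cache's purpose on the `loggedClaims` field. The already-computed `iotdbUsername` can be reused as the key instead of calling `getUsername(claims)` a second time. login's body starts outside the hunk.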
 
@@ -105,11 +163,19 @@ public class OpenIdAuthorizer extends BasicAuthorizer {
                 // Basically ignore the Expiration Date, if there is any???
                 .setAllowedClockSkewSeconds(Long.MAX_VALUE / 1000)
                 // .setSigningKey(DatatypeConverter.parseBase64Binary(secret))
-                .setSigningKey(secret.getBytes())
+                .setSigningKey(providerKey)
                 .parseClaimsJws(token)
                 .getBody();
     }
 
+    private String getUsername(Claims claims) {
+        return "openid:" + claims.getSubject();
+    }
+
+    private String getUsername(String token) {
+        return getUsername(validateToken(token));
+    }
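Review bot: `.setAllowedClockSkewSeconds(Long.MAX_VALUE / 1000)` effectively disables the `exp` and `nbf` checks, so a token stays accepted indefinitely after the provider expired it; the comment above it already flags this as an open question, and the switch to a provider-published RSA key in this commit removes any reason to keep it. Use a small bounded skew such as `.setAllowedClockSkewSeconds(60)` and pin the issuer while the parser is configured, e.g. `.requireIssuer(<the issuer value published in the provider metadata>)`, since `claims.getIssuer()` is currently only logged. `getUsername(String token)` performs a full signature verification despite its getter-style name; a short Javadoc stating that it validates the token and throws `JwtException` on failure would keep callers from treating it as a cheap lookup. validateToken's signature lies outside the hunk.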
+
     @Override
     public void createUser(String username, String password) throws 
AuthException {
         throw new UnsupportedOperationException("This operation is not 
supported for JWT Auth Provider!");
@@ -120,115 +186,63 @@ public class OpenIdAuthorizer extends BasicAuthorizer {
         throw new UnsupportedOperationException("This operation is not 
supported for JWT Auth Provider!");
     }
 
+    /**
+     * So not with the token!
+     * @param token Usually the JWT but could also be just the name of the 
user ({@link #getUsername(String)}.
+     * @return true if the user is an admin
+     */
     @Override
     boolean isAdmin(String token) {
         Claims claims;
-        try {
-            claims = validateToken(token);
-        } catch (JwtException e) {
-            logger.warn("Unable to validate token {}!", token, e);
-            return false;
+        if (this.loggedClaims.containsKey(token)) {
+            // This is a username!
+            claims = this.loggedClaims.get(token);
+        } else {
+            // Its a token
+            try {
+                claims = validateToken(token);
+            } catch (JwtException e) {
+                logger.warn("Unable to validate token {}!", token, e);
+                return false;
+            }
         }
-        if (!(claims.get("IOTDB_ADMIN") instanceof Boolean) || 
!claims.get("IOTDB_ADMIN", Boolean.class)) {
-            logger.warn("Given Token has no admin rights, is custom claim 
IOTDB_ADMIN set to true?");
+        // Get available roles (from keycloack)
+        List<String> availableRoles = ((Map<String, List<String>>) 
claims.get("realm_access")).get("roles");
+        if (!availableRoles.contains(IOTDB_ADMIN_ROLE_NAME)) {
+            logger.warn("Given Token has no admin rights, is there a ROLE with 
name {} in 'realm_access' role set?", IOTDB_ADMIN_ROLE_NAME);
             return false;
         }
         return true;
     }
 
-//    @Override
-//    public void grantPrivilegeToUser(String username, String path, int 
privilegeId) throws AuthException {
-//        if (isAdmin(username)) {
-//            throw new AuthException("Given Token has no Admin privileges!");
-//        }
-//        // Yes, you are Admin! Gratz!
-//        // Do something here...
-//        super.grantPrivilegeToUser(username, path, privilegeId);
-//    }
-//    @Override
-//    public void revokePrivilegeFromUser(String username, String path, int 
privilegeId) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void createRole(String roleName) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void deleteRole(String roleName) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void grantPrivilegeToRole(String roleName, String path, int 
privilegeId) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void revokePrivilegeFromRole(String roleName, String path, int 
privilegeId) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void grantRoleToUser(String roleName, String username) throws 
AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void revokeRoleFromUser(String roleName, String username) throws 
AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public Set<Integer> getPrivileges(String username, String path) throws 
AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
+    @Override
+    public boolean checkUserPrivileges(String username, String path, int 
privilegeId)
+            throws AuthException {
+        if (isAdmin(username)) {
+            return true;
+        }
+
+        User user = userManager.getUser(getUsername(username));
+        if (user == null) {
+            throw new AuthException(String.format("No such user : %s", 
getUsername(username)));
+        }
+        // get privileges of the user
+        if (user.checkPrivilege(path, privilegeId)) {
+            return true;
+        }
+        // merge the privileges of the roles of the user
+        for (String roleName : user.getRoleList()) {
+            Role role = roleManager.getRole(roleName);
+            if (role.checkPrivilege(path, privilegeId)) {
+                return true;
+            }
+        }
+        return false;
+    }
 
     @Override
     public void updateUserPassword(String username, String newPassword) throws 
AuthException {
         throw new UnsupportedOperationException("This operation is not 
supported for JWT Auth Provider!");
     }
-//
-//    @Override
-//    public boolean checkUserPrivileges(String username, String path, int 
privilegeId) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void reset() throws AuthException {
-//        // Do nothing
-//        super.reset();
-//    }
-//
-//    @Override
-//    public List<String> listAllUsers() {
-//        // Unsure if we list all "known" users or just throw this exception??
-//        throw new UnsupportedOperationException("This operation is not 
supported for JWT Auth Provider!");
-//    }
-//
-//    @Override
-//    public List<String> listAllRoles() {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public Role getRole(String roleName) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public User getUser(String username) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public boolean isUserUseWaterMark(String userName) throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
-//
-//    @Override
-//    public void setUserUseWaterMark(String userName, boolean useWaterMark) 
throws AuthException {
-//        throw new NotImplementedException("Not yet implemented!");
-//    }
+
 }
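Review bot: `((Map<String, List<String>>) claims.get("realm_access")).get("roles")` throws a NullPointerException or ClassCastException for any token that lacks the Keycloak-specific `realm_access` claim or carries it in another shape, and neither exception is caught by the surrounding `catch (JwtException e)`, so a validly signed token from a non-Keycloak provider crashes isAdmin instead of yielding `false`; the guard below replaces the unchecked cast. The `token` parameter of isAdmin doubles as a user name via the `loggedClaims` lookup, but checkUserPrivileges then calls `getUsername(username)`, which validates its argument as a JWT, so a caller that passes an IoTDB user name (the case the Javadoc explicitly allows) gets an unchecked `MalformedJwtException` out of a method that declares `AuthException`; decide whether `username` is a token or a user name and document it on the method, or branch on `loggedClaims.containsKey(username)` as isAdmin does. If `roleManager.getRole(roleName)` can return null for a stale role name, `role.checkPrivilege(...)` in the loop would also need a null check.
```java
    @Override
    boolean isAdmin(String token) {
        // … unchanged: claims lookup from loggedClaims or validateToken …
        // realm_access is a Keycloak-specific claim; it may be absent or shaped differently
        Object realmAccess = claims.get("realm_access");
        Object roles = realmAccess instanceof Map ? ((Map<?, ?>) realmAccess).get("roles") : null;
        if (!(roles instanceof Collection) || !((Collection<?>) roles).contains(IOTDB_ADMIN_ROLE_NAME)) {
            logger.warn("Given Token has no admin rights, is there a ROLE with name {} in 'realm_access' role set?", IOTDB_ADMIN_ROLE_NAME);
            return false;
        }
        return true;
    }
```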
diff --git a/server/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java 
b/server/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java
index ad3fabc..9073305 100644
--- a/server/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java
+++ b/server/src/main/java/org/apache/iotdb/db/conf/IoTDBConfig.java
@@ -549,7 +549,7 @@ public class IoTDBConfig {
   private int tagAttributeTotalSize = 700;
 
   // Open ID Secret
-  private String openIdSecret = null;
+  private String openIdProviderUrl = null;
 
   public IoTDBConfig() {
     // empty constructor
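Review bot: The comment `// Open ID Secret` above the renamed field now describes a value that no longer exists; change it to `// OpenID Connect provider (issuer) URL used to discover the provider's JWKS` so the field's purpose matches its name. The commit message announces a new config argument, but the hunks in this file only add the field and its accessors; if the properties loader is not updated elsewhere, the URL can only be set programmatically, which is exactly what LocalFileAuthorizer's static initializer now does with a hard-coded value.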
@@ -1510,11 +1510,11 @@ public class IoTDBConfig {
     this.primitiveArraySize = primitiveArraySize;
   }
 
-  public String getOpenIdSecret() {
-    return openIdSecret;
+  public String getOpenIdProviderUrl() {
+    return openIdProviderUrl;
   }
 
-  public void setOpenIdSecret(String openIdSecret) {
-    this.openIdSecret = openIdSecret;
+  public void setOpenIdProviderUrl(String openIdProviderUrl) {
+    this.openIdProviderUrl = openIdProviderUrl;
   }
 }
diff --git 
a/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java 
b/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
index 052e27c..0426bdb 100644
--- a/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
+++ b/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
@@ -181,7 +181,7 @@ public class TSServiceImpl implements TSIService.Iface, 
ServerContext {
     boolean status;
     IAuthorizer authorizer;
     try {
-      authorizer = OpenIdAuthorizer.getInstance();
+      authorizer = LocalFileAuthorizer.getInstance();
     } catch (AuthException e) {
       throw new TException(e);
     }
diff --git 
a/server/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
 
b/server/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
index 6470656..bd51137 100644
--- 
a/server/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
+++ 
b/server/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
@@ -4,57 +4,61 @@
 
 package org.apache.iotdb.db.auth.authorizer;
 
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
 import org.apache.iotdb.db.auth.AuthException;
+import org.junit.Ignore;
 import org.junit.Test;
 
-import static org.junit.Assert.*;
+import java.io.IOException;
+import java.net.URISyntaxException;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 public class OpenIdAuthorizerTest {
 
+    private static final String OPEN_ID_PUBLIC_JWK = 
"{\"kty\":\"RSA\",\"x5t#S256\":\"TZFbbj6HsRU28HYvrcVnDs03KreV3DE24-Cxb9EPdS4\",\"e\":\"AQAB\",\"use\":\"sig\",\"x5t\":\"l_N2UlC_a624iu5eYFypnB1Wr20\",\"kid\":\"q1-Wm0ozQ5O0mQH8-SJap2ZcN4MmucWwnQWKYxZJ4ow\",\"x5c\":[\"MIICmTCCAYECBgFyRdXW2DANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVJb1REQjAeFw0yMDA1MjQwODM3MjJaFw0zMDA1MjQwODM5MDJaMBAxDjAMBgNVBAMMBUlvVERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAozDCZTVc9946VvhZ6E\\/OP8Yx6tJe0i9GR2Q9jR9S3jQo
 [...]
+
     @Test
-    public void loginWithJWT() throws AuthException {
-        String jwt = 
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoiMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.PB603vtDyNkryxeLjomX1JQuSF2JHKXHyixzPBCA7tQ";
-        String secret = 
"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111";
+    public void loginWithJWT() throws AuthException, ParseException, 
IOException, URISyntaxException {
+        String jwt = 
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtND
 [...]
 
-        OpenIdAuthorizer authorizer = new OpenIdAuthorizer(secret);
+        OpenIdAuthorizer authorizer = new 
OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
         boolean login = authorizer.login(jwt, null);
 
         assertTrue(login);
     }
 
     @Test
-    public void isAdmin_hasAccess() throws AuthException {
+    public void isAdmin_hasAccess() throws AuthException, ParseException, 
IOException, URISyntaxException {
         // IOTDB_ADMIN = true
-        String jwt = 
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoiMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJJT1REQl9BRE1JTiI6dHJ1ZX0.dxB417n9GFAGbwL7kyIvgenEBycjlJLZbB1I_GF0qd8";
-        String secret = 
"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111";
+        String jwt = 
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMjM5MjgsImlhdCI6MTU5MDMyMzYyOCwianRpIjoiZGQ5ZDZhNmItZjgzOC00Mjk3LTg5YWUtMjdlZTgxNzVhMThiIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImJhMzJlNDcxLWM3NzItNGIzMy04ZGE2LTZmZThhY2RhMDA3MyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjViZDRhNmM5LTBmYzItNG
 [...]
 
-        OpenIdAuthorizer authorizer = new OpenIdAuthorizer(secret);
+        OpenIdAuthorizer authorizer = new 
OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
         boolean admin = authorizer.isAdmin(jwt);
 
         assertTrue(admin);
     }
 
     @Test
-    public void isAdmin_AdminClaimFalse() throws AuthException {
+    public void isAdmin_noAdminClaim() throws AuthException, ParseException, 
IOException, URISyntaxException {
         // IOTDB_ADMIN = false
-        String jwt = 
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoiMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJJT1REQl9BRE1JTiI6ZmFsc2V9.80lCGEWhgW6YO55TFC98v_mj8ts0IcrBMb2drsxEpZ0";
-        String secret = 
"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111";
+        String jwt = 
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtND
 [...]
 
-        OpenIdAuthorizer authorizer = new OpenIdAuthorizer(secret);
+        OpenIdAuthorizer authorizer = new 
OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
         boolean admin = authorizer.isAdmin(jwt);
 
         assertFalse(admin);
     }
 
+    /**
+     * Can be run manually as long as the site below is active...
+     */
     @Test
-    public void isAdmin_noAdminClaim() throws AuthException {
-        // IOTDB_ADMIN = false
-        String jwt = 
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoiMTIzIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.PB603vtDyNkryxeLjomX1JQuSF2JHKXHyixzPBCA7tQ";
-        String secret = 
"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111";
-
-        OpenIdAuthorizer authorizer = new OpenIdAuthorizer(secret);
-        boolean admin = authorizer.isAdmin(jwt);
-
-        assertFalse(admin);
+    @Ignore
+    public void fetchMetadata() throws ParseException, IOException, 
URISyntaxException, AuthException {
+        OpenIdAuthorizer openIdAuthorizer = new 
OpenIdAuthorizer("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/";);
+        
openIdAuthorizer.login("eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZj
 [...]
     }
 }
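Review bot: All three tests assert against fixed tokens whose payload segment (`eyJleHAiOjE1OTAzMTcxNzYs…`) appears to decode to `{"exp":1590317176,…`, a May 2020 timestamp, so they pass only because validateToken disables expiry checking; once a realistic clock skew is restored they will fail for the wrong reason. Build the test tokens at runtime from a test key pair (the jjwt `Jwts.builder()` API is already on the classpath) or make the parser's clock injectable so the expectations stay valid. The `@Ignore`d `fetchMetadata` test depends on a live third-party host and embeds what appears to be a real bearer token issued by that realm; even expired, such tokens should not be committed, and a comment on the test stating that the token must be regenerated manually would help whoever runs it.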
\ No newline at end of file
