Author: kwall
Date: Mon Feb 15 16:48:12 2016
New Revision: 1730565

URL: http://svn.apache.org/viewvc?rev=1730565&view=rev
Log:
QPID-7028, QPID-7029, QPID-7030, QPID-7031, QPID-7045: [Java Broker/Java 
Client] Add OAUTH2 authentication support for management and messaging
QPID-7055: Improve GroupProvider API

svn merge -c 
1729215,1729406,1729408,1729412,1729515,1729656,1729657,1729783,1730019,1730025,1730052,1730559
 ^/qpid/java/trunk

Added:
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/
      - copied from r1729215, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
      - copied, changed from r1729412, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/
      - copied from r1729406, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/
      - copied from r1729406, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/microsoftlive/
      - copied from r1729515, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/microsoftlive/
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
      - copied unchanged from r1729656, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ParameterizedTypes.java
      - copied unchanged from r1729783, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ParameterizedTypes.java
    
qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/
      - copied from r1729215, 
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/oauth2/
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
      - copied, changed from r1729215, 
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2PreemptiveAuthenticator.java
      - copied, changed from r1729215, 
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2PreemptiveAuthenticator.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/resources/logout.html
      - copied unchanged from r1730052, 
qpid/java/trunk/broker-plugins/management-http/src/main/java/resources/logout.html
    
qpid/java/branches/6.0.x/client/src/main/java/org/apache/qpid/client/security/oauth2/
      - copied from r1729215, 
qpid/java/trunk/client/src/main/java/org/apache/qpid/client/security/oauth2/
    
qpid/java/branches/6.0.x/client/src/test/java/org/apache/qpid/client/security/oauth2/
      - copied from r1729215, 
qpid/java/trunk/client/src/test/java/org/apache/qpid/client/security/oauth2/
Removed:
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverServiceFactory.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverServiceFactory.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverServiceFactory.java
Modified:
    qpid/java/branches/6.0.x/   (props changed)
    
qpid/java/branches/6.0.x/broker-codegen/src/main/java/org/apache/qpid/server/model/validation/AttributeAnnotationValidator.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/connection/ConnectionVersionValidator.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/BrokerAttributeInjector.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/GroupProvider.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2Utils.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/microsoftlive/MicrosoftLiveOAuth2IdentityResolverService.java
    
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/group/GroupProviderImpl.java
    
qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/security/SubjectCreatorTest.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpRequestInteractiveAuthenticator.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/AnonymousPreemptiveAuthenticator.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/BasicAuthPreemptiveAuthenticator.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/UsernamePasswordInteractiveLogin.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/LogoutServlet.java
    
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/resources/index.html
    
qpid/java/branches/6.0.x/client/src/main/java/org/apache/qpid/client/security/CallbackHandlerRegistry.properties
    
qpid/java/branches/6.0.x/client/src/main/java/org/apache/qpid/client/security/DynamicSaslRegistrar.properties
    
qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java

Propchange: qpid/java/branches/6.0.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Feb 15 16:48:12 2016
@@ -9,5 +9,5 @@
 /qpid/branches/java-broker-vhost-refactor/java:1493674-1494547
 /qpid/branches/java-network-refactor/qpid/java:805429-821809
 /qpid/branches/qpid-2935/qpid/java:1061302-1072333
-/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1718889,1718893,1718918,1718922,1719026,1719028,1719033,1719037,1719047,1719051,1720340,1720664,1721151,1721198,1722019-1722020,1722246,1722339,1722416,1722674,1722678,1722683,1722711,1723064,1723194,1723563,1724216,1724251,1724257,1724292,1724375,1724397,1724432,1724582,1724603,1724780,1724843-1724844,1725295,1725569,1725760,1726176,1726244-1726246,1726249,1726358,1726436,1726449,1726456,1726646,1726653,1726755,1726778,1727532,1727555,1727608,1727951,1728089,1728167,1728302,1728497,1728524,1728639,1728772,1729297,1729347,1729356,1729638,1729828,1729832,1729841,1729851,1729904,1729973,1730072,1730494,1730499
+/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1718889,1718893,1718918,1718922,1719026,1719028,1719033,1719037,1719047,1719051,1720340,1720664,1721151,1721198,1722019-1722020,1722246,1722339,1722416,1722674,1722678,1722683,1722711,1723064,1723194,1723563,1724216,1724251,1724257,1724292,1724375,1724397,1724432,1724582,1724603,1724780,1724843-1724844,1725295,1725569,1725760,1726176,1726244-1726246,1726249,1726358,1726436,1726449,1726456,1726646,1726653,1726755,1726778,1727532,1727555,1727608,1727951,1728089,1728167,1728302,1728497,1728524,1728639,1728772,1729215,1729297,1729347,1729356,1729406,1729408,1729412,1729515,1729638,1729656-1729657,1729783,1729828,1729
 
832,1729841,1729851,1729904,1729973,1730019,1730025,1730052,1730072,1730494,1730499,1730559
 /qpid/trunk/qpid:796646-796653

Modified: 
qpid/java/branches/6.0.x/broker-codegen/src/main/java/org/apache/qpid/server/model/validation/AttributeAnnotationValidator.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-codegen/src/main/java/org/apache/qpid/server/model/validation/AttributeAnnotationValidator.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-codegen/src/main/java/org/apache/qpid/server/model/validation/AttributeAnnotationValidator.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-codegen/src/main/java/org/apache/qpid/server/model/validation/AttributeAnnotationValidator.java
 Mon Feb 15 16:48:12 2016
@@ -317,6 +317,10 @@ public class AttributeAnnotationValidato
             return true;
         }
 
+        
if(typeUtils.isSameType(type,elementUtils.getTypeElement("java.net.URI").asType()))
+        {
+            return true;
+        }
 
         
if(typeUtils.isSameType(type,elementUtils.getTypeElement("java.security.cert.Certificate").asType()))
         {

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/connection/ConnectionVersionValidator.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/connection/ConnectionVersionValidator.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/connection/ConnectionVersionValidator.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/connection/ConnectionVersionValidator.java
 Mon Feb 15 16:48:12 2016
@@ -20,8 +20,6 @@
  */
 package org.apache.qpid.server.connection;
 
-import java.lang.reflect.ParameterizedType;
-import java.lang.reflect.Type;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -35,6 +33,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.qpid.server.logging.messages.ConnectionMessages;
+import org.apache.qpid.server.util.ParameterizedTypes;
 import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.plugin.ConnectionValidator;
 import org.apache.qpid.server.plugin.PluggableService;
@@ -128,28 +127,8 @@ public class ConnectionVersionValidator
         if (virtualHost.getContextKeys(false).contains(variableName))
         {
             return (List<String>) virtualHost.getContextValue(List.class,
-                                                              new 
ParameterizedType()
-                                                              {
-                                                                  @Override
-                                                                  public 
Type[] getActualTypeArguments()
-                                                                  {
-                                                                      return 
new Type[]{String.class};
-                                                                  }
-
-                                                                  @Override
-                                                                  public Type 
getRawType()
-                                                                  {
-                                                                      return 
List.class;
-                                                                  }
-
-                                                                  @Override
-                                                                  public Type 
getOwnerType()
-                                                                  {
-                                                                      return 
null;
-                                                                  }
-                                                              },
-                                                              variableName
-                                                             );
+                                                              
ParameterizedTypes.LIST_OF_STRINGS,
+                                                              variableName);
         }
         else
         {

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
 Mon Feb 15 16:48:12 2016
@@ -1084,6 +1084,13 @@ public abstract class AbstractConfigured
                                                                 + 
autoAttr.validValues());
                     }
                 }
+                if(autoAttr.isMandatory() && autoAttr.getValue(this) == null)
+                {
+                    throw new IllegalConfigurationException("Attribute '" + 
autoAttr.getName()
+                                                            + "' instance of 
"+ getClass().getName()
+                                                            + " named '" + 
getName() + "'"
+                                                            + " cannot be 
null, as it is mandatory");
+                }
 
             }
         }
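Review bot: The mandatory-attribute check added here is repeated verbatim, message included, in the second hunk of this file (the `@@ -2550` one that evaluates against `proxyForValidation`), so the two copies will drift the next time the wording or the condition changes; I would extract a private helper that takes the attribute and the object to evaluate it against and have both sites call it. The message also reads oddly as `Attribute 'x' instance of Foo named 'y' cannot be null`; `"Attribute '" + autoAttr.getName() + "' of " + getClass().getName() + " instance named '" + getName() + "' cannot be null, as it is mandatory"` says the same thing in order. The enclosing method starts and ends outside the hunk.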
@@ -2550,6 +2557,13 @@ public abstract class AbstractConfigured
                     }
                 }
 
+                if(autoAttr.isMandatory() && 
autoAttr.getValue(proxyForValidation) == null)
+                {
+                    throw new IllegalConfigurationException("Attribute '" + 
autoAttr.getName()
+                                                            + "' instance of 
"+ getClass().getName()
+                                                            + " named '" + 
getName() + "'"
+                                                            + " cannot be 
null, as it is mandatory");
+                }
 
             }
 

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/AttributeValueConverter.java
 Mon Feb 15 16:48:12 2016
@@ -29,6 +29,7 @@ import java.lang.reflect.ParameterizedTy
 import java.lang.reflect.Proxy;
 import java.lang.reflect.Type;
 import java.lang.reflect.TypeVariable;
+import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -105,6 +106,30 @@ abstract class AttributeValueConverter<T
         }
     };
 
+    static final AttributeValueConverter<URI> URI_CONVERTER = new 
AttributeValueConverter<URI>()
+    {
+        @Override
+        URI convert(final Object value, final ConfiguredObject object)
+        {
+            if(value instanceof URI)
+            {
+                return (URI) value;
+            }
+            else if(value instanceof String)
+            {
+                return URI.create(AbstractConfiguredObject.interpolate(object, 
(String) value));
+            }
+            else if(value == null)
+            {
+                return null;
+            }
+            else
+            {
+                throw new IllegalArgumentException("Cannot convert type " + 
value.getClass() + " to a URI");
+            }
+        }
+    };
+
     static final AttributeValueConverter<byte[]> BINARY_CONVERTER = new 
AttributeValueConverter<byte[]>()
     {
         @Override
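Review bot: In the String branch of `URI_CONVERTER.convert`, `URI.create` throws a bare `IllegalArgumentException` whose message is only the `URISyntaxException` text, so a malformed attribute value surfaces with no hint of which value failed, unlike the explicit message the final `else` produces for unsupported types. Catch it and rethrow with the configured (un-interpolated) value and the original exception as cause; reporting the raw `value` rather than the interpolated string avoids echoing resolved context variables into error output. The null branch sitting after the `instanceof` checks is fine, since `instanceof` is false for null. A one-line comment above the field stating that String values are interpolated before parsing would also help readers.
```java
else if(value instanceof String)
{
    try
    {
        return URI.create(AbstractConfiguredObject.interpolate(object, (String) value));
    }
    catch (IllegalArgumentException e)
    {
        throw new IllegalArgumentException("Cannot convert '" + value + "' to a URI", e);
    }
}
// … unchanged: null and unsupported-type branches …
```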
@@ -531,6 +556,10 @@ abstract class AttributeValueConverter<T
         {
             return (AttributeValueConverter<X>) UUID_CONVERTER;
         }
+        else if(type == URI.class)
+        {
+            return (AttributeValueConverter<X>) URI_CONVERTER;
+        }
         else if(type == byte[].class)
         {
             return (AttributeValueConverter<X>) BINARY_CONVERTER;

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/BrokerAttributeInjector.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/BrokerAttributeInjector.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/BrokerAttributeInjector.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/BrokerAttributeInjector.java
 Mon Feb 15 16:48:12 2016
@@ -39,7 +39,7 @@ import org.apache.qpid.server.logging.me
 import org.apache.qpid.server.plugin.ConfiguredObjectAttributeInjector;
 import org.apache.qpid.server.plugin.PluggableService;
 import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.util.ParameterizedTypeImpl;
+import org.apache.qpid.server.util.ParameterizedTypes;
 
 @PluggableService
 public class BrokerAttributeInjector implements 
ConfiguredObjectAttributeInjector
@@ -278,10 +278,7 @@ public class BrokerAttributeInjector imp
             final OperationParameter[] params =
                     new OperationParameter[]{new 
OperationParameterFromInjection("options",
                                                                                
  Map.class,
-                                                                               
  new ParameterizedTypeImpl(
-                                                                               
          Map.class,
-                                                                               
          String.class,
-                                                                               
          String.class),
+                                                                               
  ParameterizedTypes.MAP_OF_STRING_STRING,
                                                                                
  "",
                                                                                
  "JVM options map",
                                                                                
  new String[0])};

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/GroupProvider.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/GroupProvider.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/GroupProvider.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/GroupProvider.java
 Mon Feb 15 16:48:12 2016
@@ -25,5 +25,5 @@ import java.util.Set;
 @ManagedObject
 public interface GroupProvider<X extends GroupProvider<X>> extends 
ConfiguredObject<X>
 {
-    Set<Principal> getGroupPrincipalsForUser(String username);
+    Set<Principal> getGroupPrincipalsForUser(Principal userPrincipal);
 }
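Review bot: The new `getGroupPrincipalsForUser(Principal userPrincipal)` signature has no Javadoc, and since this interface is the extension point every group provider implements, the contract should be written down: whether `userPrincipal` may be null, whether implementations may return null (the caller in `SubjectCreator.getGroupPrincipals` tolerates a null return while `FileBasedGroupProviderImpl` returns an empty set), and whether the caller may mutate the returned set. I would add a Javadoc along the lines of `@param userPrincipal the principal of the authenticated user whose group membership is wanted` and `@return the group principals the user belongs to, empty when there are none`, stating explicitly whether null is ever permitted in either direction.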

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java
 Mon Feb 15 16:48:12 2016
@@ -33,7 +33,6 @@ import java.util.UUID;
 
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
-import com.google.common.util.concurrent.SettableFuture;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -313,9 +312,10 @@ public class FileBasedGroupProviderImpl
         return Futures.immediateFuture(null);
     }
 
-    public Set<Principal> getGroupPrincipalsForUser(String username)
+    @Override
+    public Set<Principal> getGroupPrincipalsForUser(Principal userPrincipal)
     {
-        Set<String> groups = _groupDatabase == null ? 
Collections.<String>emptySet(): _groupDatabase.getGroupsForUser(username);
+        Set<String> groups = _groupDatabase == null ? 
Collections.<String>emptySet() : 
_groupDatabase.getGroupsForUser(userPrincipal.getName());
         if (groups.isEmpty())
         {
             return Collections.emptySet();

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
 Mon Feb 15 16:48:12 2016
@@ -304,7 +304,7 @@ public class SecurityManager
             }
         }))
         {
-            throw new AccessControlException("User not authorised for 
management");
+            throw new AccessControlException("User is not authorised for 
management");
         }
     }
 

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java?rev=1730565&r1=1730564&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
 Mon Feb 15 16:48:12 2016
@@ -116,9 +116,7 @@ public class SubjectCreator
         AuthenticationResult authenticationResult = 
_authenticationProvider.authenticate(server, response);
         if(server.isComplete())
         {
-            String username = server.getAuthorizationID();
-
-            return createResultWithGroups(username, authenticationResult);
+            return createResultWithGroups(authenticationResult);
         }
         else
         {
@@ -131,19 +129,20 @@ public class SubjectCreator
         if (_authenticationProvider instanceof 
UsernamePasswordAuthenticationProvider)
         {
             final AuthenticationResult authenticationResult = 
((UsernamePasswordAuthenticationProvider)_authenticationProvider).authenticate(username,
 password);
-            return createResultWithGroups(username, authenticationResult);
+            return createResultWithGroups(authenticationResult);
         }
         return new SubjectAuthenticationResult(new 
AuthenticationResult(AuthenticationStatus.ERROR));
     }
 
-    public SubjectAuthenticationResult createResultWithGroups(String username, 
final AuthenticationResult authenticationResult)
+    public SubjectAuthenticationResult createResultWithGroups(final 
AuthenticationResult authenticationResult)
     {
         if(authenticationResult.getStatus() == AuthenticationStatus.SUCCESS)
         {
             final Subject authenticationSubject = new Subject();
 
             
authenticationSubject.getPrincipals().addAll(authenticationResult.getPrincipals());
-            
authenticationSubject.getPrincipals().addAll(getGroupPrincipals(username));
+            final Set<Principal> groupPrincipals = 
getGroupPrincipals(authenticationResult.getMainPrincipal());
+            authenticationSubject.getPrincipals().addAll(groupPrincipals);
 
             authenticationSubject.setReadOnly();
 
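Review bot: `authenticationResult.getMainPrincipal()` now replaces the SASL `server.getAuthorizationID()` as the key for the group lookup, but nothing in `createResultWithGroups` ensures it is non-null on a SUCCESS result; if a provider ever reports SUCCESS without a main principal, null is handed to every group provider and `FileBasedGroupProviderImpl` dereferences it. I would either document on `AuthenticationResult` that SUCCESS implies a non-null main principal, or add `if (userPrincipal == null) { throw new IllegalStateException("Successful authentication result has no main principal"); }` after reading it into a local. Since the authorization id and the authenticated identity can differ in SASL, a one-line comment at the call site saying that group membership is resolved from the main principal would make the behaviour change visible to later readers.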
@@ -157,23 +156,23 @@ public class SubjectCreator
 
 
 
-    public Subject createSubjectWithGroups(Principal principal)
+    public Subject createSubjectWithGroups(Principal userPrincipal)
     {
         Subject authenticationSubject = new Subject();
 
-        authenticationSubject.getPrincipals().add(principal);
-        
authenticationSubject.getPrincipals().addAll(getGroupPrincipals(principal.getName()));
+        authenticationSubject.getPrincipals().add(userPrincipal);
+        
authenticationSubject.getPrincipals().addAll(getGroupPrincipals(userPrincipal));
         authenticationSubject.setReadOnly();
 
         return authenticationSubject;
     }
 
-    Set<Principal> getGroupPrincipals(String username)
+    Set<Principal> getGroupPrincipals(Principal userPrincipal)
     {
         Set<Principal> principals = new HashSet<Principal>();
         for (GroupProvider groupProvider : _groupProviders)
         {
-            Set<Principal> groups = 
groupProvider.getGroupPrincipalsForUser(username);
+            Set<Principal> groups = 
groupProvider.getGroupPrincipalsForUser(userPrincipal);
             if (groups != null)
             {
                 principals.addAll(groups);

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java?rev=1730565&r1=1729215&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
 Mon Feb 15 16:48:12 2016
@@ -23,7 +23,9 @@ import java.net.URI;
 import java.util.List;
 
 import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.DerivedAttribute;
 import org.apache.qpid.server.model.ManagedAttribute;
+import org.apache.qpid.server.model.ManagedContextDefault;
 import org.apache.qpid.server.model.ManagedObject;
 import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
@@ -31,20 +33,48 @@ import org.apache.qpid.server.security.a
 @ManagedObject( category = false, type = "OAuth2" )
 public interface OAuth2AuthenticationProvider<T extends 
OAuth2AuthenticationProvider<T>> extends AuthenticationProvider<T>
 {
-    @ManagedAttribute( description = "Redirect URI to obtain authorization 
code grant", mandatory = true )
+    String AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT = 
"qpid.authentication.oauth2.connectTimeout";
+    @ManagedContextDefault(name = AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT)
+    int DEFAULT_AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT = 60000;
+
+    String AUTHENTICATION_OAUTH2_READ_TIMEOUT = 
"qpid.authentication.oauth2.readTimeout";
+    @ManagedContextDefault(name = AUTHENTICATION_OAUTH2_READ_TIMEOUT)
+    int DEFAULT_AUTHENTICATION_OAUTH2_READ_TIMEOUT = 60000;
+
+    String AUTHENTICATION_OAUTH2_ENABLED_TLS_PROTOCOLS = 
"qpid.authentication.oauth2.enabledTlsProtocols";
+    @ManagedContextDefault(name = AUTHENTICATION_OAUTH2_ENABLED_TLS_PROTOCOLS)
+    String DEFAULT_ENABLED_TLS_PROTOCOLS = "[]";
+
+    String AUTHENTICATION_OAUTH2_DISABLED_TLS_PROTOCOLS = 
"qpid.authentication.oauth2.disabledTlsProtocols";
+    @ManagedContextDefault(name = AUTHENTICATION_OAUTH2_DISABLED_TLS_PROTOCOLS)
+    String DEFAULT_DISABLED_TLS_PROTOCOLS = "[]";
+
+    String AUTHENTICATION_OAUTH2_ENABLED_CIPHER_SUITES = 
"qpid.authentication.oauth2.enabledCipherSuites";
+    @ManagedContextDefault(name = AUTHENTICATION_OAUTH2_ENABLED_CIPHER_SUITES)
+    String DEFAULT_ENABLED_CIPHER_SUITES = "[]";
+
+    String AUTHENTICATION_OAUTH2_DISABLED_CIPHER_SUITES = 
"qpid.authentication.oauth2.disabledCipherSuites";
+    @ManagedContextDefault(name = AUTHENTICATION_OAUTH2_DISABLED_CIPHER_SUITES)
+    String DEFAULT_DISABLED_CIPHER_SUITES = "[]";
+
+    @ManagedAttribute( description = "Redirect URI to obtain authorization 
code grant", mandatory = true, defaultValue = 
"${this:defaultAuthorizationEndpointURI}")
     URI getAuthorizationEndpointURI();
 
-    @ManagedAttribute( description = "Token endpoint URI", mandatory = true )
+    @ManagedAttribute( description = "Token endpoint URI", mandatory = true, 
defaultValue = "${this:defaultTokenEndpointURI}" )
     URI getTokenEndpointURI();
 
     @ManagedAttribute( description = "Whether to use basic authentication when 
accessing the token endpoint", defaultValue = "false" )
     boolean getTokenEndpointNeedsAuth();
 
-    @ManagedAttribute( description = "Identity resolver endpoint URI", 
mandatory = true )
+    @ManagedAttribute( description = "Identity resolver endpoint URI", 
mandatory = true, defaultValue = "${this:defaultIdentityResolverEndpointURI}"  )
     URI getIdentityResolverEndpointURI();
 
-    @ManagedAttribute( description = "The type of the 
IdentityResolverFactory", mandatory = true )
-    String getIdentityResolverFactoryType();
+    @ManagedAttribute( description = "The type of the IdentityResolver", 
mandatory = true,
+            validValues = 
{"org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProviderImpl#validIdentityResolvers()"})
+    String getIdentityResolverType();
+
+    @ManagedAttribute( description = "Redirect URI used when the user leaves 
the Web Management Console. If not specified, an internal page is used 
instead.")
+    URI getPostLogoutURI();
 
     @ManagedAttribute( description = "Client ID to identify qpid to the OAuth 
endpoints", mandatory = true )
     String getClientId();
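Review bot: The new context-default constants carry no documentation of their units or of what the empty-list defaults mean, so a reader of `DEFAULT_AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT = 60000` cannot tell whether that is milliseconds or seconds, and `DEFAULT_ENABLED_TLS_PROTOCOLS = "[]"` presumably means "inherit the JVM defaults" but nothing says so. A one-line comment on each pair would settle it, e.g. `// connect/read timeouts for calls to the OAuth2 endpoints, in milliseconds (passed to ConnectionBuilder; confirm unit)` above the timeout constants and `// an empty list leaves the protocol/cipher selection at the JVM defaults — confirm against ConnectionBuilder` above the TLS ones. The `getPostLogoutURI` description could also state that only http and https schemes are accepted, since the implementation enforces exactly that.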
@@ -52,7 +82,7 @@ public interface OAuth2AuthenticationPro
     @ManagedAttribute( description = "Client secret to identify qpid to the 
OAuth endpoints", mandatory = true, secure = true )
     String getClientSecret();
 
-    @ManagedAttribute( description = "The OAuth access token scope passed to 
the authorization endpoint" )
+    @ManagedAttribute( description = "The OAuth access token scope passed to 
the authorization endpoint", defaultValue = "${this:defaultScope}")
     String getScope();
 
     @ManagedAttribute( description = "TrustStore to use when contacting OAuth 
endpoints" )
@@ -64,4 +94,16 @@ public interface OAuth2AuthenticationPro
     AuthenticationResult authenticateViaAuthorizationCode(String 
authorizationCode, final String redirectUri);
 
     AuthenticationResult authenticateViaAccessToken(String accessToken);
+
+    @DerivedAttribute( description = "Default redirect URI to obtain 
authorization code grant")
+    URI getDefaultAuthorizationEndpointURI();
+
+    @DerivedAttribute( description = "Default token endpoint URI")
+    URI getDefaultTokenEndpointURI();
+
+    @DerivedAttribute( description = "Default identity resolver endpoint URI")
+    URI getDefaultIdentityResolverEndpointURI();
+
+    @DerivedAttribute( description = "Default OAuth access token scope passed 
to the authorization endpoint")
+    String getDefaultScope();
 }

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java?rev=1730565&r1=1729215&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
 Mon Feb 15 16:48:12 2016
@@ -19,19 +19,24 @@
 
 package org.apache.qpid.server.security.auth.manager.oauth2;
 
+import static org.apache.qpid.server.util.ParameterizedTypes.LIST_OF_STRINGS;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 import java.security.Principal;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
-import javax.net.ssl.HttpsURLConnection;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import javax.xml.bind.DatatypeConverter;
@@ -41,13 +46,17 @@ import com.fasterxml.jackson.databind.Ob
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
 import org.apache.qpid.server.model.ManagedAttributeField;
 import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
 import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
+import org.apache.qpid.server.plugin.QpidServiceLoader;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
 import 
org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager;
+import org.apache.qpid.server.util.ConnectionBuilder;
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
 
 public class OAuth2AuthenticationProviderImpl
         extends AbstractAuthenticationManager<OAuth2AuthenticationProviderImpl>
@@ -72,6 +81,9 @@ public class OAuth2AuthenticationProvide
     private boolean _tokenEndpointNeedsAuth;
 
     @ManagedAttributeField
+    private URI _postLogoutURI;
+
+    @ManagedAttributeField
     private String _clientId;
 
     @ManagedAttributeField
@@ -84,9 +96,11 @@ public class OAuth2AuthenticationProvide
     private String _scope;
 
     @ManagedAttributeField
-    private String _identityResolverFactoryType;
+    private String _identityResolverType;
 
     private OAuth2IdentityResolverService _identityResolverService;
+    private int _connectTimeout;
+    private int _readTimeout;
 
     @ManagedObjectFactoryConstructor
     protected OAuth2AuthenticationProviderImpl(final Map<String, Object> 
attributes,
@@ -99,9 +113,72 @@ public class OAuth2AuthenticationProvide
     protected void onOpen()
     {
         super.onOpen();
-        String type = getIdentityResolverFactoryType();
-        OAuth2IdentityResolverServiceFactory factory = 
OAuth2IdentityResolverServiceFactory.FACTORIES.get(type);
-        _identityResolverService = factory.createIdentityResolverService(this);
+        String type = getIdentityResolverType();
+        _identityResolverService = new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(type);
+        _connectTimeout = getContextValue(Integer.class, 
AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT);
+        _readTimeout = getContextValue(Integer.class, 
AUTHENTICATION_OAUTH2_READ_TIMEOUT);
+    }
+
+    @Override
+    protected void validateChange(final ConfiguredObject<?> 
proxyForValidation, final Set<String> changedAttributes)
+    {
+        super.validateChange(proxyForValidation, changedAttributes);
+        validateResolver((OAuth2AuthenticationProvider<?>)proxyForValidation);
+        
validateSecureEndpoints((OAuth2AuthenticationProvider<?>)proxyForValidation);
+        validatePostLogoutURI(this);
+    }
+
+
+    @Override
+    public void onValidate()
+    {
+        super.onValidate();
+        validateResolver(this);
+        validateSecureEndpoints(this);
+        validatePostLogoutURI(this);
+    }
+
+    private void validateSecureEndpoints(final OAuth2AuthenticationProvider<?> 
provider)
+    {
+        if 
(!"https".equals(provider.getAuthorizationEndpointURI().getScheme()))
+        {
+            throw new 
IllegalConfigurationException(String.format("Authorization endpoint is not 
secure: '%s'", provider.getAuthorizationEndpointURI()));
+        }
+        if (!"https".equals(provider.getTokenEndpointURI().getScheme()))
+        {
+            throw new IllegalConfigurationException(String.format("Token 
endpoint is not secure: '%s'", provider.getTokenEndpointURI()));
+        }
+        if 
(!"https".equals(provider.getIdentityResolverEndpointURI().getScheme()))
+        {
+            throw new IllegalConfigurationException(String.format("Identity 
resolver endpoint is not secure: '%s'", 
provider.getIdentityResolverEndpointURI()));
+        }
+    }
+
+    private void validatePostLogoutURI(final OAuth2AuthenticationProvider<?> 
provider)
+    {
+        if (provider.getPostLogoutURI() != null)
+        {
+            String scheme = provider.getPostLogoutURI().getScheme();
+            if (!"https".equals(scheme) && !"http".equals(scheme))
+            {
+                throw new IllegalConfigurationException(String.format("Post 
logout URI does not have a http or https scheme: '%s'", 
provider.getPostLogoutURI()));
+            }
+        }
+    }
+
+    private void validateResolver(final OAuth2AuthenticationProvider<?> 
provider)
+    {
+        final OAuth2IdentityResolverService identityResolverService =
+                new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(provider.getIdentityResolverType());
+
+        if(identityResolverService == null)
+        {
+            throw new IllegalConfigurationException("Unknown identity resolver 
" + provider.getType());
+        }
+        else
+        {
+            identityResolverService.validate(provider);
+        }
     }
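Review bot: `validateChange` validates the post-logout URI against `this` (`validatePostLogoutURI(this);`) rather than against the proxy carrying the proposed values, so a change that sets `postLogoutURI` to a non-http(s) scheme is checked against the old value and passes; it should read `validatePostLogoutURI((OAuth2AuthenticationProvider<?>)proxyForValidation);` like the two calls above it. Separately, the "Unknown identity resolver" message in `validateResolver` reports `provider.getType()` — presumably the provider's own type rather than the attribute that was looked up — so the operator never sees the misconfigured value; `throw new IllegalConfigurationException("Unknown identity resolver " + provider.getIdentityResolverType());` would. The scheme comparisons in `validateSecureEndpoints` are case-sensitive, so an upper-case `HTTPS` scheme is rejected; that is the safe direction but deserves a comment if intended.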
 
     @Override
@@ -154,20 +231,32 @@ public class OAuth2AuthenticationProvide
     public AuthenticationResult authenticateViaAuthorizationCode(final String 
authorizationCode, final String redirectUri)
     {
         URL tokenEndpoint;
-        HttpsURLConnection connection;
+        HttpURLConnection connection;
         byte[] body;
         try
         {
             tokenEndpoint = getTokenEndpointURI().toURL();
 
-            LOGGER.debug("About to call token endpoint '{}'", tokenEndpoint);
-
-            connection = (HttpsURLConnection) tokenEndpoint.openConnection();
 
+            ConnectionBuilder connectionBuilder = new 
ConnectionBuilder(tokenEndpoint);
+            
connectionBuilder.setConnectTimeout(_connectTimeout).setReadTimeout(_readTimeout);
             if (getTrustStore() != null)
             {
-                OAuth2Utils.setTrustedCertificates(connection, 
getTrustStore());
+                try
+                {
+                    
connectionBuilder.setTrustMangers(getTrustStore().getTrustManagers());
+                }
+                catch (GeneralSecurityException e)
+                {
+                    throw new ServerScopedRuntimeException("Cannot initialise 
TLS", e);
+                }
             }
+            
connectionBuilder.setEnabledTlsProtocols(getContextValue(List.class, 
LIST_OF_STRINGS, AUTHENTICATION_OAUTH2_ENABLED_TLS_PROTOCOLS))
+                    .setDisabledTlsProtocols(getContextValue(List.class, 
LIST_OF_STRINGS, AUTHENTICATION_OAUTH2_DISABLED_TLS_PROTOCOLS))
+                    .setEnabledCipherSuites(getContextValue(List.class, 
LIST_OF_STRINGS, AUTHENTICATION_OAUTH2_ENABLED_CIPHER_SUITES))
+                    .setDisabledCipherSuites(getContextValue(List.class, 
LIST_OF_STRINGS, AUTHENTICATION_OAUTH2_DISABLED_CIPHER_SUITES));
+            LOGGER.debug("About to call token endpoint '{}'", tokenEndpoint);
+            connection = connectionBuilder.build();
 
             connection.setDoOutput(true); // makes sure to use POST
             connection.setRequestProperty("Accept-Charset", UTF8);
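Review bot: Nothing in this hunk disables redirect following on the built connection, and `HttpURLConnection` follows redirects by default, so if `ConnectionBuilder.build()` (not visible here) keeps that default the POST carrying the client credentials and authorization code could be re-issued to wherever the token endpoint redirects; unless the builder already handles it, add `connection.setInstanceFollowRedirects(false);` after `connection = connectionBuilder.build();`. The TLS protocol and cipher-suite context values are re-read on every authentication while the two timeouts are cached in `onOpen`; reading all six in one place would be more consistent. `authenticateViaAuthorizationCode` continues outside this hunk.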
@@ -189,18 +278,13 @@ public class OAuth2AuthenticationProvide
             requestBody.put("response_type", "token");
             body = OAuth2Utils.buildRequestQuery(requestBody).getBytes(UTF8);
             connection.connect();
-        }
-        catch (IOException e)
-        {
-            return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
-        }
 
-        try (OutputStream output = connection.getOutputStream())
-        {
-            output.write(body);
-            output.close();
+            try (OutputStream output = connection.getOutputStream())
+            {
+                output.write(body);
+            }
 
-            try (InputStream input = connection.getInputStream())
+            try (InputStream input = OAuth2Utils.getResponseStream(connection))
             {
                 final int responseCode = connection.getResponseCode();
                 LOGGER.debug("Call to token endpoint '{}' complete, response 
code : {}", tokenEndpoint, responseCode);
@@ -212,20 +296,32 @@ public class OAuth2AuthenticationProvide
                                                                                
       responseCode,
                                                                                
       responseMap.get("error"),
                                                                                
       responseMap.get("error_description")));
+                    LOGGER.error("Call to token endpoint failed", e);
+                    return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
+                }
+
+                Object accessTokenObject = responseMap.get("access_token");
+                if (accessTokenObject == null)
+                {
+                    IllegalStateException e = new IllegalStateException("Token 
endpoint response did not include 'access_token'");
+                    LOGGER.error("Unexpected token endpoint response", e);
                     return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
                 }
-                return getAuthenticationResult(responseMap);
+                String accessToken = String.valueOf(accessTokenObject);
+
+                return authenticateViaAccessToken(accessToken);
             }
             catch (JsonProcessingException e)
             {
                 IllegalStateException ise = new 
IllegalStateException(String.format("Token endpoint '%s' did not return json",
-                                                                               
     tokenEndpoint),
-                                                                      e);
+                                                                               
     tokenEndpoint), e);
+                LOGGER.error("Unexpected token endpoint response", e);
                 return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, ise);
             }
         }
-        catch (IOException | IdentityResolverException e)
+        catch (IOException e)
         {
+            LOGGER.error("Call to token endpoint failed", e);
             return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
         }
     }
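Review bot: Every failure path in this hunk repeats the same two lines, `LOGGER.error(...)` followed by `return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);`, four times; a small `private static AuthenticationResult errorResult(String message, Exception cause)` helper would make the method shorter and keep the log/return pairing consistent. The missing-token check only rejects `null`, so an empty `access_token` value is passed on to the identity resolver; `if (accessTokenObject == null || String.valueOf(accessTokenObject).isEmpty())` catches both. The enclosing method starts outside this hunk.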
@@ -235,10 +331,13 @@ public class OAuth2AuthenticationProvide
     {
         try
         {
-            return new AuthenticationResult(new 
AuthenticatedPrincipal(_identityResolverService.getUserPrincipal(accessToken)));
+            final Principal userPrincipal = 
_identityResolverService.getUserPrincipal(this, accessToken);
+            OAuth2UserPrincipal oauthUserPrincipal = new 
OAuth2UserPrincipal(userPrincipal.getName(), accessToken);
+            return new AuthenticationResult(oauthUserPrincipal);
         }
         catch (IOException | IdentityResolverException e)
         {
+            LOGGER.error("Call to identity resolver failed", e);
             return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
         }
     }
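Review bot: If the identity resolver returns `null` from `getUserPrincipal`, the `userPrincipal.getName()` call at `new OAuth2UserPrincipal(userPrincipal.getName(), accessToken)` throws a `NullPointerException` that the `catch (IOException | IdentityResolverException e)` below does not cover, so the failure escapes as an unchecked exception instead of an ERROR result; guard it with `if (userPrincipal == null)` returning an ERROR `AuthenticationResult` wrapping an `IllegalStateException`, mirroring the missing-`access_token` handling in `authenticateViaAuthorizationCode`. Note also that the principal placed in the result now carries the bearer access token for the lifetime of the subject, so anything that serializes or logs principals should be checked for that (the `toString` added to `OAuth2UserPrincipal` in this commit returns only the name).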
@@ -262,15 +361,21 @@ public class OAuth2AuthenticationProvide
     }
 
     @Override
+    public URI getPostLogoutURI()
+    {
+        return _postLogoutURI;
+    }
+
+    @Override
     public boolean getTokenEndpointNeedsAuth()
     {
         return _tokenEndpointNeedsAuth;
     }
 
     @Override
-    public String getIdentityResolverFactoryType()
+    public String getIdentityResolverType()
     {
-        return _identityResolverFactoryType;
+        return _identityResolverType;
     }
 
     @Override
@@ -297,18 +402,40 @@ public class OAuth2AuthenticationProvide
         return _scope;
     }
 
-    private AuthenticationResult getAuthenticationResult(Map<String, Object> 
tokenEndpointResponse)
-            throws IOException, IdentityResolverException
+    @Override
+    public URI getDefaultAuthorizationEndpointURI()
     {
-        final Object accessTokenObject = 
tokenEndpointResponse.get("access_token");
-        if (accessTokenObject == null)
-        {
-            final IllegalStateException e = new IllegalStateException("Token 
endpoint response did not include 'access_token'");
-            return new 
AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
-        }
-        String accessToken = String.valueOf(accessTokenObject);
+        final OAuth2IdentityResolverService identityResolverService =
+                new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(getIdentityResolverType());
+        return identityResolverService == null ? null : 
identityResolverService.getDefaultAuthorizationEndpointURI(this);
+    }
+
+    @Override
+    public URI getDefaultTokenEndpointURI()
+    {
+        final OAuth2IdentityResolverService identityResolverService =
+                new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(getIdentityResolverType());
+        return identityResolverService == null ? null : 
identityResolverService.getDefaultTokenEndpointURI(this);
+    }
 
-        return new AuthenticationResult(new 
AuthenticatedPrincipal(_identityResolverService.getUserPrincipal(accessToken)));
+    @Override
+    public URI getDefaultIdentityResolverEndpointURI()
+    {
+        final OAuth2IdentityResolverService identityResolverService =
+                new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(getIdentityResolverType());
+        return identityResolverService == null ? null : 
identityResolverService.getDefaultIdentityResolverEndpointURI(this);
     }
 
+    @Override
+    public String getDefaultScope()
+    {
+        final OAuth2IdentityResolverService identityResolverService =
+                new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(getIdentityResolverType());
+        return identityResolverService == null ? null : 
identityResolverService.getDefaultScope(this);    }
+
+    @SuppressWarnings("unused")
+    public static Collection<String> validIdentityResolvers()
+    {
+        return new 
QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).keySet();
+    }
 }
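Review bot: The four new default getters each repeat the same `new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(getIdentityResolverType())` lookup followed by the same null-guarded delegation, and `getDefaultScope` has its closing brace fused onto the return line; a private lookup helper removes the duplication and `validateResolver` in the earlier hunk could use it too. The helper and one rewritten getter below show the shape; the other three follow the same pattern.
```java
// Looks up the configured identity resolver plugin, or null when
// getIdentityResolverType() names no registered resolver.
private OAuth2IdentityResolverService lookupIdentityResolverService()
{
    return new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class)
                                  .get(getIdentityResolverType());
}

@Override
public URI getDefaultAuthorizationEndpointURI()
{
    final OAuth2IdentityResolverService identityResolverService = lookupIdentityResolverService();
    return identityResolverService == null ? null : identityResolverService.getDefaultAuthorizationEndpointURI(this);
}
// … unchanged pattern for getDefaultTokenEndpointURI, getDefaultIdentityResolverEndpointURI, getDefaultScope …
```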

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java?rev=1730565&r1=1729215&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java
 Mon Feb 15 16:48:12 2016
@@ -22,9 +22,24 @@
 package org.apache.qpid.server.security.auth.manager.oauth2;
 
 import java.io.IOException;
+import java.net.URI;
 import java.security.Principal;
 
-public interface OAuth2IdentityResolverService
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.plugin.Pluggable;
+
+public interface OAuth2IdentityResolverService extends Pluggable
 {
-    Principal getUserPrincipal(String accessToken) throws IOException, 
IdentityResolverException;
+    void validate(final OAuth2AuthenticationProvider<?> authProvider) throws 
IllegalConfigurationException;
+
+    Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> 
authProvider,
+                               String accessToken) throws IOException, 
IdentityResolverException;
+
+    URI getDefaultAuthorizationEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider);
+
+    URI getDefaultTokenEndpointURI(final OAuth2AuthenticationProvider<?> 
oAuth2AuthenticationProvider);
+
+    URI getDefaultIdentityResolverEndpointURI(OAuth2AuthenticationProvider<?> 
oAuth2AuthenticationProvider);
+
+    String getDefaultScope(OAuth2AuthenticationProvider<?> 
oAuth2AuthenticationProvider);
 }
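Review bot: The reworked interface has no Javadoc, and since it is now a `Pluggable` service that third parties may implement, the contracts matter: `validate` should state that it is invoked both on creation and on every attribute change and is expected to throw `IllegalConfigurationException` for a provider it cannot serve, and `getUserPrincipal` should state what a `null` return (if allowed) or an `IdentityResolverException` means to the caller. The parameter naming is also inconsistent within one interface — `authProvider` on the first two methods, `oAuth2AuthenticationProvider` on the rest — and `final` appears on some parameters but not others; pick one name and drop `final` from the interface signatures, where it has no effect.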

Copied: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
 (from r1729412, 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java)
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java?p2=qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java&r1=1729412&r2=1730565&rev=1730565&view=diff
==============================================================================
--- 
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
 Mon Feb 15 16:48:12 2016
@@ -82,4 +82,10 @@ public class OAuth2UserPrincipal impleme
         result = 31 * result + _name.hashCode();
         return result;
     }
+
+    @Override
+    public String toString()
+    {
+        return getName();
+    }
 }
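Review bot: The new `toString` returns only the name, which is the right choice for a principal that (per the constructor call in `OAuth2AuthenticationProviderImpl`) also holds the bearer access token, but nothing records that this is deliberate, and a future maintainer may "helpfully" include all fields. A comment such as `// deliberately only the name: the access token must never reach log output or error messages` above the method would protect the intent.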

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2Utils.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2Utils.java?rev=1730565&r1=1729215&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2Utils.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2Utils.java
 Mon Feb 15 16:48:12 2016
@@ -20,81 +20,24 @@
  */
 package org.apache.qpid.server.security.auth.manager.oauth2;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
+import java.net.HttpURLConnection;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
-import java.security.GeneralSecurityException;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
 import java.util.Iterator;
 import java.util.Map;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocketFactory;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.util.ServerScopedRuntimeException;
-import org.apache.qpid.transport.TransportException;
-import org.apache.qpid.transport.network.security.ssl.SSLUtil;
 
 public class OAuth2Utils
 {
     private static final Logger LOGGER = 
LoggerFactory.getLogger(OAuth2Utils.class);
 
-    public static void setTrustedCertificates(final HttpsURLConnection 
connection,
-                                              final TrustStore trustStore)
-    {
-        final SSLContext sslContext;
-        try
-        {
-            sslContext = SSLContext.getInstance("TLS");
-            sslContext.init(null, trustStore.getTrustManagers(), null);
-        }
-        catch (GeneralSecurityException e)
-        {
-            throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
-        }
-
-        final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
-        connection.setSSLSocketFactory(socketFactory);
-        connection.setHostnameVerifier(new HostnameVerifier()
-        {
-            @Override
-            public boolean verify(final String hostname, final SSLSession 
sslSession)
-            {
-                try
-                {
-                    final Certificate cert = 
sslSession.getPeerCertificates()[0];
-                    if (cert instanceof X509Certificate)
-                    {
-                        final X509Certificate x509Certificate = 
(X509Certificate) cert;
-                        SSLUtil.verifyHostname(hostname, x509Certificate);
-                        return true;
-                    }
-                    else
-                    {
-                        LOGGER.warn("Cannot verify peer's hostname as peer 
does not present a X509Certificate. "
-                                    + "Presented certificate : {}", cert);
-                    }
-                }
-                catch (SSLPeerUnverifiedException | TransportException e)
-                {
-                    LOGGER.warn("Failed to verify peer's hostname (connecting 
to host {})", hostname, e);
-                }
-
-                return false;
-            }
-        });
-        // TODO respect the tls protocols/cipher suite settings
-    }
-
     public static String buildRequestQuery(final Map<String, String> 
requestBodyParameters)
     {
         try
@@ -120,4 +63,21 @@ public class OAuth2Utils
             throw new ServerScopedRuntimeException("Failed to encode as 
UTF-8", e);
         }
     }
+
+    public static InputStream getResponseStream(final HttpURLConnection 
connection) throws IOException
+    {
+        try
+        {
+            return connection.getInputStream();
+        }
+        catch (IOException ioe)
+        {
+            InputStream errorStream = connection.getErrorStream();
+            if (errorStream != null)
+            {
+                return errorStream;
+            }
+            throw ioe;
+        }
+    }
 }
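Review bot: `getResponseStream` silently substitutes the error stream for the input stream on an HTTP error, so a caller that reads it without first checking `getResponseCode()` will parse an error body as a success response; that is only safe because the one caller in this commit checks the code. A Javadoc along the lines of "Returns the response body for both success and HTTP-error responses; callers must inspect the response code to tell them apart, and the original IOException is rethrown when no error body is available" would make the contract explicit.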

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java?rev=1730565&r1=1729215&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java
 Mon Feb 15 16:48:12 2016
@@ -20,17 +20,21 @@
  */
 package org.apache.qpid.server.security.auth.manager.oauth2.cloudfoundry;
 
+import static org.apache.qpid.server.util.ParameterizedTypes.LIST_OF_STRINGS;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 import java.security.Principal;
 import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
-import javax.net.ssl.HttpsURLConnection;
 import javax.xml.bind.DatatypeConverter;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -38,54 +42,84 @@ import com.fasterxml.jackson.databind.Ob
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.plugin.PluggableService;
 import org.apache.qpid.server.security.auth.UsernamePrincipal;
 import 
org.apache.qpid.server.security.auth.manager.oauth2.IdentityResolverException;
 import 
org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
 import 
org.apache.qpid.server.security.auth.manager.oauth2.OAuth2IdentityResolverService;
 import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
+import org.apache.qpid.server.util.ConnectionBuilder;
+import org.apache.qpid.server.util.ParameterizedTypes;
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
 
+@PluggableService
 public class CloudFoundryOAuth2IdentityResolverService implements 
OAuth2IdentityResolverService
 {
     private static final Logger LOGGER = 
LoggerFactory.getLogger(CloudFoundryOAuth2IdentityResolverService.class);
     private static final String UTF8 = StandardCharsets.UTF_8.name();
 
-    private final OAuth2AuthenticationProvider _authenticationProvider;
-    private final URI _checkTokenEndpointURI;
-    private final TrustStore _trustStore;
-    private final String _clientId;
-    private final String _clientSecret;
+    public static final String TYPE = "CloudFoundryIdentityResolver";
+
     private final ObjectMapper _objectMapper = new ObjectMapper();
 
-    public CloudFoundryOAuth2IdentityResolverService(final 
OAuth2AuthenticationProvider authenticationProvider)
+    @Override
+    public String getType()
     {
-        _authenticationProvider = authenticationProvider;
-        _checkTokenEndpointURI = 
_authenticationProvider.getIdentityResolverEndpointURI();
-        _trustStore = _authenticationProvider.getTrustStore();
-        _clientId = _authenticationProvider.getClientId();
-        _clientSecret = _authenticationProvider.getClientSecret();
+        return TYPE;
     }
 
     @Override
-    public Principal getUserPrincipal(final String accessToken) throws 
IOException, IdentityResolverException
+    public void validate(final OAuth2AuthenticationProvider<?> authProvider) 
throws IllegalConfigurationException
     {
-        URL checkTokenEndpoint;
-        HttpsURLConnection connection;
-        checkTokenEndpoint = _checkTokenEndpointURI.toURL();
-
-        LOGGER.debug("About to call identity service '{}'", 
checkTokenEndpoint);
+    }
 
-        connection = (HttpsURLConnection) checkTokenEndpoint.openConnection();
-        if (_trustStore != null)
+    @Override
+    public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> 
authenticationProvider,
+                                      final String accessToken) throws 
IOException, IdentityResolverException
+    {
+        URL checkTokenEndpoint = 
authenticationProvider.getIdentityResolverEndpointURI().toURL();
+        TrustStore trustStore = authenticationProvider.getTrustStore();
+        String clientId = authenticationProvider.getClientId();
+        String clientSecret = authenticationProvider.getClientSecret();
+        int connectTimeout = 
authenticationProvider.getContextValue(Integer.class, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT);
+        int readTimeout = 
authenticationProvider.getContextValue(Integer.class, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_READ_TIMEOUT);
+        List<String> enabledTlsProtocols =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_ENABLED_TLS_PROTOCOLS);
+        List<String> disabledTlsProtocols =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_DISABLED_TLS_PROTOCOLS);
+        List<String> enabledCipherSuites =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_ENABLED_CIPHER_SUITES);
+        List<String> disabledCipherSuites =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_DISABLED_CIPHER_SUITES);
+
+        ConnectionBuilder connectionBuilder = new 
ConnectionBuilder(checkTokenEndpoint);
+        
connectionBuilder.setConnectTimeout(connectTimeout).setReadTimeout(readTimeout);
+        if (trustStore != null)
         {
-            OAuth2Utils.setTrustedCertificates(connection, _trustStore);
+            try
+            {
+                
connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
+            }
+            catch (GeneralSecurityException e)
+            {
+                throw new ServerScopedRuntimeException("Cannot initialise 
TLS", e);
+            }
         }
+        connectionBuilder.setEnabledTlsProtocols(enabledTlsProtocols)
+                .setDisabledTlsProtocols(disabledTlsProtocols)
+                .setEnabledCipherSuites(enabledCipherSuites)
+                .setDisabledCipherSuites(disabledCipherSuites);
+
+        LOGGER.debug("About to call identity service '{}'", 
checkTokenEndpoint);
+        HttpURLConnection connection = connectionBuilder.build();
 
         connection.setDoOutput(true); // makes sure to use POST
         connection.setRequestProperty("Accept-Charset", UTF8);
         connection.setRequestProperty("Content-Type", 
"application/x-www-form-urlencoded;charset=" + UTF8);
         connection.setRequestProperty("Accept", "application/json");
-        String encoded = DatatypeConverter.printBase64Binary((_clientId + ":" 
+ _clientSecret).getBytes());
+        String encoded = DatatypeConverter.printBase64Binary((clientId + ":" + 
clientSecret).getBytes());
         connection.setRequestProperty("Authorization", "Basic " + encoded);
 
         final Map<String,String> requestParameters = 
Collections.singletonMap("token", accessToken);
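Review bot: The new `validate()` is empty, so a provider whose identity resolver endpoint is missing or uses plain `http://` is accepted at configuration time, while `getDefaultIdentityResolverEndpointURI` in this class returns null and `getUserPrincipal` immediately calls `getIdentityResolverEndpointURI().toURL()`, giving a NullPointerException on the first authentication instead of a configuration error. Since `build()` now yields an `HttpURLConnection` where the removed code cast to `HttpsURLConnection`, a non-TLS endpoint is presumably no longer rejected either, and this request carries both the client secret and the access token. Suggest in `validate`: `URI uri = authProvider.getIdentityResolverEndpointURI();` followed by `if (uri == null || !"https".equalsIgnoreCase(uri.getScheme())) { throw new IllegalConfigurationException("CloudFoundry identity resolver requires an https identity resolver endpoint"); }`. Separately, `(clientId + ":" + clientSecret).getBytes()` uses the platform default charset; `getBytes(StandardCharsets.UTF_8)` makes the Basic credential independent of the JVM locale, and the class already imports StandardCharsets. The builder set-up from `URL checkTokenEndpoint` through `connectionBuilder.build()` is repeated almost verbatim in FacebookIdentityResolverService and GitHubOAuth2IdentityResolverService; a shared helper in OAuth2Utils would keep the timeout and TLS handling in one place.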
@@ -97,7 +131,7 @@ public class CloudFoundryOAuth2IdentityR
             
output.write(OAuth2Utils.buildRequestQuery(requestParameters).getBytes(UTF8));
             output.close();
 
-            try (InputStream input = connection.getInputStream())
+            try (InputStream input = OAuth2Utils.getResponseStream(connection))
             {
                 int responseCode = connection.getResponseCode();
                 LOGGER.debug("Call to identity service '{}' complete, response 
code : {}", checkTokenEndpoint, responseCode);
@@ -129,4 +163,28 @@ public class CloudFoundryOAuth2IdentityR
             }
         }
     }
+
+    @Override
+    public URI getDefaultAuthorizationEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        return null;
+    }
+
+    @Override
+    public URI getDefaultTokenEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        return null;
+    }
+
+    @Override
+    public URI getDefaultIdentityResolverEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        return null;
+    }
+
+    @Override
+    public String getDefaultScope(final OAuth2AuthenticationProvider<?> 
oAuth2AuthenticationProvider)
+    {
+        return "";
+    }
 }

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java?rev=1730565&r1=1729406&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java
 Mon Feb 15 16:48:12 2016
@@ -21,16 +21,20 @@
 
 package org.apache.qpid.server.security.auth.manager.oauth2.facebook;
 
+import static org.apache.qpid.server.util.ParameterizedTypes.LIST_OF_STRINGS;
+
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 import java.security.Principal;
+import java.util.List;
 import java.util.Map;
 
-import javax.net.ssl.HttpsURLConnection;
-
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.slf4j.Logger;
@@ -44,6 +48,8 @@ import org.apache.qpid.server.security.a
 import 
org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
 import 
org.apache.qpid.server.security.auth.manager.oauth2.OAuth2IdentityResolverService;
 import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
+import org.apache.qpid.server.util.ConnectionBuilder;
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
 
 /**
  * An identity resolver that calls GitHubs's user API 
https://developer.github.com/v3/users/
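Review bot: The class Javadoc of FacebookIdentityResolverService still reads "An identity resolver that calls GitHubs's user API https://developer.github.com/v3/users/", which describes the GitHub resolver this file was evidently copied from. Suggest `An identity resolver that calls Facebook's Graph API user endpoint (https://graph.facebook.com/v2.5/me) to resolve the identity behind an access token.` The GitHub copy of the same Javadoc keeps the `GitHubs's` typo; `GitHub's` there.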
@@ -76,25 +82,47 @@ public class FacebookIdentityResolverSer
     public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> 
authenticationProvider,
                                       String accessToken) throws IOException, 
IdentityResolverException
     {
-        URI userInfoEndpoint = 
authenticationProvider.getIdentityResolverEndpointURI();
+        URL userInfoEndpoint = 
authenticationProvider.getIdentityResolverEndpointURI().toURL();
+        TrustStore<?> trustStore = authenticationProvider.getTrustStore();
+        int connectTimeout = 
authenticationProvider.getContextValue(Integer.class, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT);
+        int readTimeout = 
authenticationProvider.getContextValue(Integer.class, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_READ_TIMEOUT);
+        List<String> enabledTlsProtocols =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_ENABLED_TLS_PROTOCOLS);
+        List<String> disabledTlsProtocols =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_DISABLED_TLS_PROTOCOLS);
+        List<String> enabledCipherSuites =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_ENABLED_CIPHER_SUITES);
+        List<String> disabledCipherSuites =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_DISABLED_CIPHER_SUITES);
 
-        LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
-
-        TrustStore trustStore = authenticationProvider.getTrustStore();
-        HttpsURLConnection connection = (HttpsURLConnection) 
userInfoEndpoint.toURL().openConnection();
+        ConnectionBuilder connectionBuilder = new 
ConnectionBuilder(userInfoEndpoint);
+        
connectionBuilder.setConnectTimeout(connectTimeout).setReadTimeout(readTimeout);
         if (trustStore != null)
         {
-            OAuth2Utils.setTrustedCertificates(connection, trustStore);
+            try
+            {
+                
connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
+            }
+            catch (GeneralSecurityException e)
+            {
+                throw new ServerScopedRuntimeException("Cannot initialise 
TLS", e);
+            }
         }
+        connectionBuilder.setEnabledTlsProtocols(enabledTlsProtocols)
+                .setDisabledTlsProtocols(disabledTlsProtocols)
+                .setEnabledCipherSuites(enabledCipherSuites)
+                .setDisabledCipherSuites(disabledCipherSuites);
+
+        LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
+        HttpURLConnection connection = connectionBuilder.build();
 
         connection.setRequestProperty("Accept-Charset", UTF8);
-        connection.setRequestProperty("Content-Type", 
"application/x-www-form-urlencoded;charset=" + UTF8);
         connection.setRequestProperty("Accept", "application/json");
         connection.setRequestProperty("Authorization", "Bearer " + 
accessToken);
 
         connection.connect();
 
-        try (InputStream input = connection.getInputStream())
+        try (InputStream input = OAuth2Utils.getResponseStream(connection))
         {
             int responseCode = connection.getResponseCode();
             LOGGER.debug("Call to identity service '{}' complete, response 
code : {}",
@@ -127,4 +155,49 @@ public class FacebookIdentityResolverSer
             return new UsernamePrincipal(facebookId);
         }
     }
+
+    @Override
+    public URI getDefaultAuthorizationEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        try
+        {
+            return new URI("https://www.facebook.com/dialog/oauth";);
+        }
+        catch (URISyntaxException e)
+        {
+            return null;
+        }
+    }
+
+    @Override
+    public URI getDefaultTokenEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        try
+        {
+            return new 
URI("https://graph.facebook.com/v2.5/oauth/access_token";);
+        }
+        catch (URISyntaxException e)
+        {
+            return null;
+        }
+    }
+
+    @Override
+    public URI getDefaultIdentityResolverEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        try
+        {
+            return new URI("https://graph.facebook.com/v2.5/me";);
+        }
+        catch (URISyntaxException e)
+        {
+            return null;
+        }
+    }
+
+    @Override
+    public String getDefaultScope(final OAuth2AuthenticationProvider<?> 
oAuth2AuthenticationProvider)
+    {
+        return "";
+    }
 }
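Review bot: Each default-endpoint method wraps a constant literal in `new URI(...)` and returns null from `catch (URISyntaxException e)`, so a typo in the literal would surface at the caller as "no default configured" rather than as a failure here; the corresponding methods added to GitHubOAuth2IdentityResolverService follow the same pattern. `URI.create(...)` on a `private static final URI` constant removes the dead catch and keeps each endpoint in one place, e.g. `private static final URI DEFAULT_AUTHORIZATION_ENDPOINT = URI.create("https://www.facebook.com/dialog/oauth");` returned directly from `getDefaultAuthorizationEndpointURI`. The trailing `;` inside the string literals is presumably a mail-archive rendering artifact rather than source text.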

Modified: 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java
URL: 
http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java?rev=1730565&r1=1729406&r2=1730565&view=diff
==============================================================================
--- 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java
 (original)
+++ 
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java
 Mon Feb 15 16:48:12 2016
@@ -21,15 +21,20 @@
 
 package org.apache.qpid.server.security.auth.manager.oauth2.github;
 
+import static org.apache.qpid.server.util.ParameterizedTypes.LIST_OF_STRINGS;
+
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.HttpURLConnection;
 import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 import java.security.Principal;
+import java.util.List;
 import java.util.Map;
 
-import javax.net.ssl.HttpsURLConnection;
-
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Sets;
@@ -44,6 +49,8 @@ import org.apache.qpid.server.security.a
 import 
org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
 import 
org.apache.qpid.server.security.auth.manager.oauth2.OAuth2IdentityResolverService;
 import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
+import org.apache.qpid.server.util.ConnectionBuilder;
+import org.apache.qpid.server.util.ServerScopedRuntimeException;
 
 /**
  * An identity resolver that calls GitHubs's user API 
https://developer.github.com/v3/users/
@@ -58,7 +65,7 @@ public class GitHubOAuth2IdentityResolve
     private static final String UTF8 = StandardCharsets.UTF_8.name();
 
     public static final String TYPE = "GitHubUser";
-    
+
     private final ObjectMapper _objectMapper = new ObjectMapper();
 
     @Override
@@ -81,25 +88,47 @@ public class GitHubOAuth2IdentityResolve
     public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> 
authenticationProvider,
                                       String accessToken) throws IOException, 
IdentityResolverException
     {
-        URI userInfoEndpoint = 
authenticationProvider.getIdentityResolverEndpointURI();
+        URL userInfoEndpoint = 
authenticationProvider.getIdentityResolverEndpointURI().toURL();
         TrustStore trustStore = authenticationProvider.getTrustStore();
+        int connectTimeout = 
authenticationProvider.getContextValue(Integer.class, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT);
+        int readTimeout = 
authenticationProvider.getContextValue(Integer.class, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_READ_TIMEOUT);
+        List<String> enabledTlsProtocols =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_ENABLED_TLS_PROTOCOLS);
+        List<String> disabledTlsProtocols =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_DISABLED_TLS_PROTOCOLS);
+        List<String> enabledCipherSuites =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_ENABLED_CIPHER_SUITES);
+        List<String> disabledCipherSuites =
+                authenticationProvider.getContextValue(List.class, 
LIST_OF_STRINGS, 
OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_DISABLED_CIPHER_SUITES);
 
-        LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
-
-        HttpsURLConnection connection = (HttpsURLConnection) 
userInfoEndpoint.toURL().openConnection();
+        ConnectionBuilder connectionBuilder = new 
ConnectionBuilder(userInfoEndpoint);
+        
connectionBuilder.setConnectTimeout(connectTimeout).setReadTimeout(readTimeout);
         if (trustStore != null)
         {
-            OAuth2Utils.setTrustedCertificates(connection, trustStore);
+            try
+            {
+                
connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
+            }
+            catch (GeneralSecurityException e)
+            {
+                throw new ServerScopedRuntimeException("Cannot initialise 
TLS", e);
+            }
         }
+        connectionBuilder.setEnabledTlsProtocols(enabledTlsProtocols)
+                .setDisabledTlsProtocols(disabledTlsProtocols)
+                .setEnabledCipherSuites(enabledCipherSuites)
+                .setDisabledCipherSuites(disabledCipherSuites);
+
+        LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
+        HttpURLConnection connection = connectionBuilder.build();
 
         connection.setRequestProperty("Accept-Charset", UTF8);
-        connection.setRequestProperty("Content-Type", 
"application/x-www-form-urlencoded;charset=" + UTF8);
         connection.setRequestProperty("Accept", 
"application/vnd.github.v3+json");
         connection.setRequestProperty("Authorization", "token " + accessToken);
 
         connection.connect();
 
-        try (InputStream input = connection.getInputStream())
+        try (InputStream input = OAuth2Utils.getResponseStream(connection))
         {
             int responseCode = connection.getResponseCode();
             LOGGER.debug("Call to identity service '{}' complete, response 
code : {}",
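Review bot: `TrustStore trustStore = authenticationProvider.getTrustStore();`, the unchanged line directly after the new `URL userInfoEndpoint` assignment, is a raw type, while the parallel line in FacebookIdentityResolverService was changed to `TrustStore<?>` in this same commit; CloudFoundryOAuth2IdentityResolverService also keeps the raw form. For consistency and to avoid raw-type warnings, `TrustStore<?> trustStore = authenticationProvider.getTrustStore();` here and in the CloudFoundry resolver.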
@@ -132,4 +161,50 @@ public class GitHubOAuth2IdentityResolve
             return new UsernamePrincipal(githubId);
         }
     }
+
+
+    @Override
+    public URI getDefaultAuthorizationEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        try
+        {
+            return new URI("https://github.com/login/oauth/authorize";);
+        }
+        catch (URISyntaxException e)
+        {
+            return null;
+        }
+    }
+
+    @Override
+    public URI getDefaultTokenEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        try
+        {
+            return new URI("https://github.com/login/oauth/access_token";);
+        }
+        catch (URISyntaxException e)
+        {
+            return null;
+        }
+    }
+
+    @Override
+    public URI getDefaultIdentityResolverEndpointURI(final 
OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider)
+    {
+        try
+        {
+            return new URI("https://api.github.com/user";);
+        }
+        catch (URISyntaxException e)
+        {
+            return null;
+        }
+    }
+
+    @Override
+    public String getDefaultScope(final OAuth2AuthenticationProvider<?> 
oAuth2AuthenticationProvider)
+    {
+        return "user";
+    }
 }


