Usage examples for org.springframework.security.ldap.userdetails.InetOrgPerson.getO()
public String getO()
From source file:net.maritimecloud.identityregistry.utils.AccessControlUtil.java
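/**
 * Checks whether the currently authenticated principal is the configured user-sync'er.
 *
 * <p>Only certificate (pre-authenticated) sessions can qualify. A missing authentication,
 * another authentication type, or a principal that is not an {@link InetOrgPerson} yields
 * {@code false} instead of throwing.
 *
 * @param userSyncMRN expected MRN, compared with the certificate UID
 * @param userSyncO   expected organisation, compared with the certificate O
 * @param userSyncOU  expected organisational unit, compared with the certificate OU
 * @param userSyncC   expected country, compared with the certificate postal address
 *                    (InetOrgPerson has no country attribute, so the postal address field
 *                    carries it)
 * @return {@code true} only when all four attributes match exactly; a {@code null} expected
 *         value never matches, so an incomplete configuration fails closed
 */
public static boolean isUserSync(String userSyncMRN, String userSyncO, String userSyncOU, String userSyncC) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (!(auth instanceof PreAuthenticatedAuthenticationToken)) {
        // Only certificate-based sessions can be the user sync'er (also covers a null auth).
        return false;
    }
    log.debug("Certificate authentication of user sync'er in process");
    Object principal = ((PreAuthenticatedAuthenticationToken) auth).getPrincipal();
    if (!(principal instanceof InetOrgPerson)) {
        // Previously an unconditional cast; an unexpected principal type now simply fails the check.
        log.debug("Principal is not an InetOrgPerson: " + (principal == null ? "null" : principal.getClass()));
        return false;
    }
    InetOrgPerson person = (InetOrgPerson) principal;
    // Check that the identity attributes of the certificate equal the configured sync'er identity.
    boolean matches = requiredEquals(userSyncMRN, person.getUid())
            && requiredEquals(userSyncO, person.getO())
            && requiredEquals(userSyncOU, person.getOu())
            // Hack alert! There is no country property in this type, so we misuse PostalAddress...
            && requiredEquals(userSyncC, person.getPostalAddress());
    if (matches) {
        log.debug("User sync'er accepted!");
        return true;
    }
    log.debug("This was not the user-sync'er! " + userSyncMRN + "~" + person.getUid() + ", " + userSyncO + "~" + person.getO() + ", " + userSyncOU + "~" + person.getOu() + ", " + userSyncC + "~" + person.getPostalAddress());
    return false;
}

/**
 * Null-safe equality where a {@code null} expected value never matches.
 *
 * <p>Deliberately not {@code Objects.equals}: two nulls must not be treated as a match,
 * otherwise an unset configuration value would accept a certificate lacking that attribute.
 */
private static boolean requiredEquals(String expected, String actual) {
    return expected != null && expected.equals(actual);
}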
From source file:net.maritimecloud.identityregistry.utils.AccessControlUtil.java
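/**
 * Decides whether the current authentication may access the organisation identified by
 * {@code orgMrn}.
 *
 * <p>Access is granted when the caller holds {@code ROLE_SITE_ADMIN}, when an OIDC
 * (Keycloak) token carries a matching organisation claim (compared case-insensitively),
 * or when a client certificate's O attribute equals the MRN exactly. A blank MRN, an absent
 * authentication, or an unknown authentication type is denied.
 *
 * @param orgMrn MRN of the organisation being accessed; may be {@code null} or blank
 * @return {@code true} if access is allowed
 */
public static boolean hasAccessToOrg(String orgMrn) {
    if (orgMrn == null || orgMrn.trim().isEmpty()) {
        log.debug("The orgMrn was empty!");
        return false;
    }
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null) {
        // An empty security context used to end in a NullPointerException on getAuthorities().
        log.debug("No authentication present in the security context");
        return false;
    }
    // First check if the user is a SITE_ADMIN, in which case he gets access.
    if (isSiteAdmin(auth)) {
        return true;
    }
    log.debug("User not a SITE_ADMIN");
    // Check if the user is part of the organization
    if (auth instanceof KeycloakAuthenticationToken) {
        return oidcTokenBelongsToOrg((KeycloakAuthenticationToken) auth, orgMrn);
    }
    if (auth instanceof PreAuthenticatedAuthenticationToken) {
        return certificateBelongsToOrg((PreAuthenticatedAuthenticationToken) auth, orgMrn);
    }
    log.debug("Unknown authentication method: " + auth.getClass());
    return false;
}

/** Returns {@code true} when any granted authority of {@code auth} is {@code ROLE_SITE_ADMIN}. */
private static boolean isSiteAdmin(Authentication auth) {
    for (GrantedAuthority authority : auth.getAuthorities()) {
        String role = authority.getAuthority();
        log.debug("User has role: " + role);
        if ("ROLE_SITE_ADMIN".equals(role)) {
            return true;
        }
    }
    return false;
}

/**
 * Matches the organisation claim of an OIDC token against {@code orgMrn}, ignoring case.
 * A missing claim, or one that is not a string, is treated as "not in the organisation"
 * rather than thrown as a ClassCastException / NullPointerException.
 */
private static boolean oidcTokenBelongsToOrg(KeycloakAuthenticationToken kat, String orgMrn) {
    log.debug("OIDC authentication in process");
    // Keycloak authentication
    KeycloakSecurityContext ksc = (KeycloakSecurityContext) kat.getCredentials();
    Map<String, Object> otherClaims = ksc.getToken().getOtherClaims();
    Object orgClaim = otherClaims.get(AccessControlUtil.ORG_PROPERTY_NAME);
    // equalsIgnoreCase is locale-independent, unlike the former toLowerCase() comparison.
    if (orgClaim instanceof String && ((String) orgClaim).equalsIgnoreCase(orgMrn)) {
        log.debug("Entity from org: " + orgClaim + " is in " + orgMrn);
        return true;
    }
    log.debug("Entity from org: " + orgClaim + " is not in " + orgMrn);
    return false;
}

/**
 * Matches the O attribute of a client-certificate principal against {@code orgMrn} exactly.
 * A principal that is not an {@link InetOrgPerson} is denied instead of causing a
 * ClassCastException.
 */
private static boolean certificateBelongsToOrg(PreAuthenticatedAuthenticationToken token, String orgMrn) {
    log.debug("Certificate authentication in process");
    // Certificate authentication
    Object principal = token.getPrincipal();
    if (!(principal instanceof InetOrgPerson)) {
        log.debug("Principal is not an InetOrgPerson: " + (principal == null ? "null" : principal.getClass()));
        return false;
    }
    // Check that the Organization name of the accessed organization and the organization in the certificate is equal.
    // The O(rganization) value in the certificate is an MRN
    String certOrgMrn = ((InetOrgPerson) principal).getO();
    if (orgMrn.equals(certOrgMrn)) {
        log.debug("Entity with O=" + certOrgMrn + " is in " + orgMrn);
        return true;
    }
    log.debug("Entity with O=" + certOrgMrn + " is not in " + orgMrn);
    return false;
}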
From source file:net.maritimecloud.identityregistry.controllers.LogoControllerTest.java
/**
 * Deleting an organisation's logo through the controller, acting as an ORG_ADMIN of that
 * organisation, removes the logo from the persisted organisation and leaves no logo rows.
 * The security context is restored afterwards regardless of the outcome.
 */
@Test
public void deleteLogo() throws Exception {
    assertNumberOfLogos(0);

    Organization organization = new Organization();
    organization.setMrn("urn:mrn:mcl:org:dma");
    organization.setName("Danish Maritime Authority");
    organization.setAddress("Carl Jakobsensvej 31, 2500 Valby");
    organization.setCountry("Denmark");
    organization.setUrl("http://dma.dk");
    organization.setEmail("dma@dma.dk");
    organization.setApproved(true);
    Logo storedLogo = new Logo();
    storedLogo.setImage(new byte[] { 1, 2, 3 });
    organization.setLogo(storedLogo);
    orgRepo.save(organization);

    // fiddle with security to be able to call the delete method: a certificate principal
    // whose O attribute is the organisation MRN, carrying ROLE_ORG_ADMIN
    InetOrgPerson certificatePrincipal = mock(InetOrgPerson.class);
    when(certificatePrincipal.getO()).then(invocation -> organization.getMrn());
    Authentication orgAdminAuth = new PreAuthenticatedAuthenticationToken(certificatePrincipal, "",
            Lists.newArrayList(new SimpleGrantedAuthority("ROLE_ORG_ADMIN")));
    Authentication previousAuth = SecurityContextHolder.getContext().getAuthentication();
    SecurityContextHolder.getContext().setAuthentication(orgAdminAuth);
    try {
        logoController.deleteLogo(new MockHttpServletRequest("DELETE", "/path"), organization.getMrn());
        Organization reloaded = orgRepo.findByMrn(organization.getMrn());
        assertNull("Logo should be deleted", reloaded.getLogo());
        assertNumberOfLogos(0);
    } finally {
        SecurityContextHolder.getContext().setAuthentication(previousAuth);
    }
}
From source file:net.maritimecloud.identityregistry.security.x509.X509HeaderUserDetailsService.java
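/**
 * Builds a {@link UserDetails} from the client certificate carried in a request header.
 *
 * <p>The certificate is parsed, verified against the root certificate, checked against the
 * certificate store for revocation, and mapped to an organisation and its roles. Every
 * failure is reported as {@link UsernameNotFoundException} so the caller sees a uniform
 * authentication failure.
 *
 * @param certificateHeader raw header value carrying the client certificate
 * @return user details whose authorities are the roles resolved for the certificate's
 *         organisation, or {@code ROLE_USER} when none apply
 * @throws UsernameNotFoundException if the header is missing, the certificate cannot be
 *         parsed or verified, is unknown to the store or revoked, names an unknown
 *         organisation, or yields no user data
 */
@Override
public UserDetails loadUserByUsername(String certificateHeader) throws UsernameNotFoundException {
    if (certificateHeader == null || certificateHeader.length() < 10) {
        logger.warn("No certificate header found");
        throw new UsernameNotFoundException("No certificate header found");
    }
    X509Certificate userCertificate = certUtil.getCertFromString(certificateHeader);
    if (userCertificate == null) {
        logger.error("Extracting certificate from header failed");
        throw new UsernameNotFoundException("Extracting certificate from header failed");
    }
    // Actually authenticate certificate against root cert.
    if (!certUtil.verifyCertificate(userCertificate)) {
        logger.warn("Certificate could not be verified");
        throw new UsernameNotFoundException("Certificate could not be verified");
    }
    // Check that the certificate is known and has not been revoked
    rejectIfUnknownOrRevoked(userCertificate);
    // Get user details from the certificate
    UserDetails user = certUtil.getUserFromCert(userCertificate);
    if (!(user instanceof InetOrgPerson)) {
        // Covers a null result and an unexpected principal type (formerly a ClassCastException).
        logger.warn("Extraction of data from the certificate failed");
        throw new UsernameNotFoundException("Extraction of data from the client certificate failed");
    }
    InetOrgPerson person = (InetOrgPerson) user;
    // Convert the permissions extracted from the certificate to authorities in this API
    String certOrg = person.getO();
    Organization org = organizationService.getOrganizationByMrn(certOrg);
    if (org == null) {
        logger.warn("Unknown Organization '" + certOrg + "' in client certificate");
        throw new UsernameNotFoundException("Unknown Organization in client certificate");
    }
    Collection<GrantedAuthority> newRoles = resolveAuthorities(person, org);
    InetOrgPerson.Essence essence = new InetOrgPerson.Essence(person);
    essence.setAuthorities(newRoles);
    return essence.createUserDetails();
}

/**
 * Looks the certificate up by serial number and rejects it when it is unknown to the
 * store or its revocation has taken effect.
 *
 * @param userCertificate the verified client certificate
 * @throws UsernameNotFoundException if the serial does not fit the store's id type, no
 *         record exists for it, or the record is revoked with a revocation time that is
 *         absent or already in the past
 */
private void rejectIfUnknownOrRevoked(X509Certificate userCertificate) throws UsernameNotFoundException {
    long certId;
    try {
        // longValue() would silently truncate a serial wider than 64 bits, and the truncated
        // value could resolve to a different certificate's record; reject such serials instead.
        certId = userCertificate.getSerialNumber().longValueExact();
    } catch (ArithmeticException e) {
        logger.warn("Certificate serial number does not fit the certificate id type");
        throw new UsernameNotFoundException("Certificate serial number is not supported", e);
    }
    Certificate cert = certificateService.getCertificateById(certId);
    if (cert == null) {
        // An unknown serial used to surface as a NullPointerException on isRevoked().
        logger.warn("Certificate #" + certId + " is not known to the certificate store");
        throw new UsernameNotFoundException("Unknown certificate");
    }
    if (cert.isRevoked()) {
        Date now = new Date();
        // A null revokedAt counts as revoked immediately; a future revokedAt is a scheduled
        // revocation that has not yet taken effect.
        if (cert.getRevokedAt() == null || cert.getRevokedAt().before(now)) {
            logger.warn("The certificate has been revoked! Cert #" + certId);
            throw new UsernameNotFoundException("The certificate has been revoked! Cert #" + certId);
        }
    }
}

/**
 * Maps the comma-separated permissions carried in the certificate's authorities to the
 * roles defined for {@code org}.
 *
 * @param user user details extracted from the certificate
 * @param org  the organisation named by the certificate's O attribute
 * @return the resolved authorities, or just {@code ROLE_USER} when none match
 */
private Collection<GrantedAuthority> resolveAuthorities(UserDetails user, Organization org) {
    Collection<GrantedAuthority> newRoles = new ArrayList<>();
    logger.debug("Looking up roles");
    for (GrantedAuthority role : user.getAuthorities()) {
        for (String permission : role.getAuthority().split(",")) {
            logger.debug("Looking up role: " + permission);
            List<Role> foundRoles = roleService.getRolesByIdOrganizationAndPermission(org.getId(), permission);
            if (foundRoles != null) {
                for (Role foundRole : foundRoles) {
                    newRoles.add(new SimpleGrantedAuthority(foundRole.getRoleName()));
                }
            }
        }
    }
    // Add ROLE_USER as standard for authenticated users with no other role.
    if (newRoles.isEmpty()) {
        newRoles.add(new SimpleGrantedAuthority("ROLE_USER"));
    }
    return newRoles;
}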