-
Notifications
You must be signed in to change notification settings - Fork 27
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #430 from peissing/main
Rebase and added all changes for Cognito support
- Loading branch information
Showing
17 changed files
with
489 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,5 +16,6 @@ The following people have contributed to this repository: | |
* Aggarwal Sahil, Robert Bosch GmbH, [email protected] | ||
* Tunahan Cicek, Robert Bosch GmbH, [email protected] | ||
* Istvan Zoltan Nagy, Robert Bosch GmbH, [email protected] | ||
* Anton Peissinger, Draexlmaier Group, [email protected] | ||
|
||
Please add yourself to this list, if you contribute to the content. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
75 changes: 75 additions & 0 deletions
75
.../java/org/eclipse/tractusx/semantics/registry/security/CognitoAuthorizationEvaluator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
/******************************************************************************* | ||
* Copyright (c) 2024 Contributors to the Eclipse Foundation | ||
* Copyright (c) 2024 Draexlmaier Group | ||
* | ||
* See the NOTICE file(s) distributed with this work for additional | ||
* information regarding copyright ownership. | ||
* | ||
* This program and the accompanying materials are made available under the | ||
* terms of the Apache License, Version 2.0 which is available at | ||
* https://www.apache.org/licenses/LICENSE-2.0. | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
* License for the specific language governing permissions and limitations | ||
* under the License. | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
******************************************************************************/ | ||
|
||
package org.eclipse.tractusx.semantics.registry.security; | ||
|
||
import java.util.Map; | ||
|
||
import org.apache.commons.lang3.StringUtils; | ||
import org.eclipse.tractusx.semantics.RegistryProperties; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
import org.springframework.security.core.Authentication; | ||
import org.springframework.security.core.context.SecurityContextHolder; | ||
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken; | ||
|
||
/** | ||
* Conito Authenticator We have two client_ids This is necessary because we have | ||
* two clients, one for reading data and one for full access | ||
*/ | ||
public final class CognitoAuthorizationEvaluator extends AuthorizationEvaluator { | ||
private static final Logger log = LoggerFactory.getLogger(CognitoAuthorizationEvaluator.class); | ||
|
||
private final String internalClientId; | ||
|
||
public CognitoAuthorizationEvaluator(final RegistryProperties.Idm idm) { | ||
super(idm.getPublicClientId()); | ||
this.internalClientId = idm.getInternalClientId(); | ||
} | ||
|
||
@Override | ||
protected boolean containsRole(final String role) { | ||
CognitoAuthorizationEvaluator.log.debug("Checking if token contains role {}", role); | ||
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); | ||
if (!(authentication instanceof JwtAuthenticationToken)) { | ||
return false; | ||
} | ||
|
||
final JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) (authentication); | ||
final Map<String, Object> claims = jwtAuthenticationToken.getToken().getClaims(); | ||
|
||
final Object claimClientId = claims.get("client_id"); | ||
|
||
if (StringUtils.equals(this.internalClientId, (String) claimClientId) || StringUtils.equals(this.getClientId(), (String) claimClientId)) { | ||
final Object scope = claims.get("scope"); | ||
if (scope instanceof final String scopeString) { | ||
final String[] split = StringUtils.split(scopeString, ' '); | ||
for (final String tokenRole : split) { | ||
if (StringUtils.contains(tokenRole, role)) { | ||
CognitoAuthorizationEvaluator.log.debug("Role {} found in token", role); | ||
return true; | ||
} | ||
} | ||
} | ||
} | ||
CognitoAuthorizationEvaluator.log.debug("Role {} NOT found in token", role); | ||
return false; | ||
} | ||
} |
70 changes: 70 additions & 0 deletions
70
...java/org/eclipse/tractusx/semantics/registry/security/KeycloakAuthorizationEvaluator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
/******************************************************************************* | ||
* Copyright (c) 2024 Contributors to the Eclipse Foundation | ||
* Copyright (c) 2024 Draexlmaier Group | ||
* | ||
* See the NOTICE file(s) distributed with this work for additional | ||
* information regarding copyright ownership. | ||
* | ||
* This program and the accompanying materials are made available under the | ||
* terms of the Apache License, Version 2.0 which is available at | ||
* https://www.apache.org/licenses/LICENSE-2.0. | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
* License for the specific language governing permissions and limitations | ||
* under the License. | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
******************************************************************************/ | ||
|
||
package org.eclipse.tractusx.semantics.registry.security; | ||
|
||
import java.util.Collection; | ||
import java.util.Map; | ||
|
||
import org.springframework.security.core.Authentication; | ||
import org.springframework.security.core.context.SecurityContextHolder; | ||
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken; | ||
|
||
/** | ||
* Keycloak Authorization Evaluator | ||
*/ | ||
public final class KeycloakAuthorizationEvaluator extends AuthorizationEvaluator { | ||
|
||
/** | ||
* Constructor | ||
* @param clientId clientId | ||
*/ | ||
public KeycloakAuthorizationEvaluator(String clientId) { | ||
super(clientId); | ||
} | ||
|
||
protected boolean containsRole( String role ) { | ||
Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); | ||
if ( !(authentication instanceof JwtAuthenticationToken) ) { | ||
return false; | ||
} | ||
|
||
JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) (authentication); | ||
Map<String, Object> claims = jwtAuthenticationToken.getToken().getClaims(); | ||
|
||
Object resourceAccess = claims.get( "resource_access" ); | ||
if ( !(resourceAccess instanceof Map) ) { | ||
return false; | ||
} | ||
|
||
Object resource = ((Map<String, Object>) resourceAccess).get( this.getClientId() ); | ||
if ( !(resource instanceof Map) ) { | ||
return false; | ||
} | ||
|
||
Object roles = ((Map<String, Object>) resource).get( "roles" ); | ||
if ( !(roles instanceof Collection) ) { | ||
return false; | ||
} | ||
|
||
Collection<String> rolesList = (Collection<String>) roles; | ||
return rolesList.contains( role ); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.