Merge pull request #7 from Ferlab-Ste-Justine/feature/SKFP-11_userid_…
…authorizer

SKFP-11: add UseridAuthorizer.javad
aodiogo authored Oct 6, 2021
2 parents ffe3f45 + 97b20ea commit 76fe491
Showing 4 changed files with 57 additions and 13 deletions.
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -22,19 +22,19 @@ Then you can replace all libraries in `${ZEPPELIN_HOME}/lib`
In order to restrict the Zeppelin access only to certain Keycloak usernames, use this authorizer on your *shiro.ini* file as follows:

```
usernameAuthorizer = bio.ferlab.pac4j.UsernameAuthorizer
usernameAuthorizer.elements = username1,username2,username3
useridAuthorizer = bio.ferlab.pac4j.UseridAuthorizer
useridAuthorizer.elements = id1,id2,id3
config = org.pac4j.core.config.Config
config.authorizers = username:$usernameAuthorizer
config.authorizers = id:$useridAuthorizer
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = oidcClient
oidcSecurityFilter.authorizers = +username
oidcSecurityFilter.authorizers = +id
```

Only usernames mentioned on the *elements* property - *username1, username2 and username3*, for instance - will be able to access the system.
Only users mentioned on the *elements* property - *id1, id2 and id3*, for instance - will be able to access the system.

### Using bio.ferlab.pac4j.ForceDefaultURLCallbackLogic :

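--- a/src/main/java/bio/ferlab/pac4j/UseridAuthorizer.java
+++ b/src/main/java/bio/ferlab/pac4j/UseridAuthorizer.java
@@ -0,0 +1,29 @@
+package bio.ferlab.pac4j;
+
+import org.pac4j.core.authorization.authorizer.AbstractRequireAnyAuthorizer;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.profile.UserProfile;
+
+import java.util.List;
+import java.util.Set;
+
+public final class UseridAuthorizer extends AbstractRequireAnyAuthorizer<String> {
+
+public UseridAuthorizer() { }
+
+public UseridAuthorizer(final String... ids) {
+setElements(ids);
+}
+
+public UseridAuthorizer(final List<String> ids) {
+setElements(ids);
+}
+
+public UseridAuthorizer(final Set<String> ids) { setElements(ids); }
+
+@Override
+protected boolean check(WebContext context, SessionStore sessionStore, UserProfile profile, String element) {
+return element.equals(profile.getId());
+}
+}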
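Review bot: `check` and the class carry no Javadoc, and the contract matters to whoever edits shiro.ini: access is granted only on an exact, case-sensitive match between a configured element and `profile.getId()`, and a profile whose id is unset is denied because `element.equals(null)` is false. What `getId()` holds depends on the pac4j client and profile type in use (for an OIDC client it is presumably the subject identifier, but confirm before stating it in docs), so a class comment such as `/** Grants access when {@code profile.getId()} exactly equals one of the configured ids; any profile without an id is denied. */` plus a one-line note that `context` and `sessionStore` are intentionally unused would make the behaviour explicit. The `Set<String>` constructor is squeezed onto one line while its siblings use a braced body; matching their layout keeps the constructors uniform.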
10 changes: 5 additions & 5 deletions src/main/resources/shiro.ini.template
Expand Up @@ -18,22 +18,22 @@ clients.clients = $oidcClient

#requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer

usernameAuthorizer = bio.ferlab.pac4j.UsernameAuthorizer
usernameAuthorizer.elements = zeppelin,zeppelin1
useridAuthorizer = bio.ferlab.pac4j.UseridAuthorizer
useridAuthorizer.elements = zeppelin-id,zeppelin1-id

config = org.pac4j.core.config.Config
config.clients = $clients
config.authorizers = username:$usernameAuthorizer
config.authorizers = id:$useridAuthorizer

pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jRealm.principalNameAttribute = preferred_username
pac4jRealm.principalNameAttribute = name
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory

oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = oidcClient
oidcSecurityFilter.authorizers = +username
oidcSecurityFilter.authorizers = +id

customCallbackLogic = bio.ferlab.pac4j.ForceDefaultURLCallbackLogic

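Review bot: The switch of `pac4jRealm.principalNameAttribute` from `preferred_username` to `name` is unrelated to the new id-based authorizer and is not explained in the commit message. In OIDC the `name` claim is normally a human-readable display name rather than a stable, unique value, so if the Shiro principal name feeds audit logs or per-user resources, two users sharing a display name could become indistinguishable; authorization itself is unaffected because the authorizer compares the profile id, not this attribute. If the intent is cosmetic, a comment above the line such as `# display name only; access is enforced by useridAuthorizer on the profile id, not on this attribute` would prevent a later reader from relying on it as an identity key.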
21 changes: 18 additions & 3 deletions src/test/java/bio/ferlab/UsernameAuthorizerTest.java
@@ -1,5 +1,6 @@
package bio.ferlab;

import bio.ferlab.pac4j.UseridAuthorizer;
import bio.ferlab.pac4j.UsernameAuthorizer;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.params.ParameterizedTest;
Expand Down Expand Up @@ -27,25 +28,39 @@ public final class UsernameAuthorizerTest {

private CommonProfile profile;

private static Stream<Arguments> provideArguments() {
private static Stream<Arguments> provideNameArguments() {
return Stream.of(
Arguments.of("zeppelin", "zeppelin", true),
Arguments.of("unauthorized", "zeppelin", false)
);
}

private static Stream<Arguments> provideIdArguments() {
return Stream.of(
Arguments.of("123-456", "123-456", true),
Arguments.of("unauthorized", "111", false)
);
}

@BeforeEach
void setup() {
sessionStore = JEESessionStore.INSTANCE;
profile = new CommonProfile();
}

@ParameterizedTest
@MethodSource("provideArguments")
void isAuthorizedTest(final String USER, final String ELEMENT, final boolean EXPECTED_AUTH) {
@MethodSource("provideNameArguments")
void isNameAuthorizedTest(final String USER, final String ELEMENT, final boolean EXPECTED_AUTH) {
profile.addAttribute(Pac4jConstants.USERNAME, USER);
final UsernameAuthorizer usernameAuthorizer = new UsernameAuthorizer(ELEMENT);
assertEquals(EXPECTED_AUTH, usernameAuthorizer.isAuthorized(context, sessionStore, Collections.singletonList(profile)));
}

@ParameterizedTest
@MethodSource("provideIdArguments")
void isIdAuthorizedTest(final String ID, final String ELEMENT, final boolean EXPECTED_AUTH) {
profile.setId(ID);
final UseridAuthorizer useridAuthorizer = new UseridAuthorizer(ELEMENT);
assertEquals(EXPECTED_AUTH, useridAuthorizer.isAuthorized(context, sessionStore, Collections.singletonList(profile)));
}
}
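Review bot: `isIdAuthorizedTest` only exercises profiles whose id has been set; a case where `setId` is never called, so `profile.getId()` is unset, would pin down that `UseridAuthorizer` denies rather than throws on that path (assuming `CommonProfile.getId()` returns null when unset — confirm against the pac4j version in use). The class is still named `UsernameAuthorizerTest` although it now covers both authorizers; moving the id cases into a `UseridAuthorizerTest`, or renaming the class, would keep each test file's scope obvious. The enclosing test class starts before the first hunk.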
