From 97b20eaf8953ba7595c22c02150cbb786d66dd1d Mon Sep 17 00:00:00 2001 From: Diogo Oliveira Date: Wed, 6 Oct 2021 15:30:58 -0400 Subject: [PATCH] SKFP-11: add UseridAuthorizer.javad --- README.md | 10 +++---- .../bio/ferlab/pac4j/UseridAuthorizer.java | 29 +++++++++++++++++++ src/main/resources/shiro.ini.template | 10 +++---- .../bio/ferlab/UsernameAuthorizerTest.java | 21 ++++++++++++-- 4 files changed, 57 insertions(+), 13 deletions(-) create mode 100644 src/main/java/bio/ferlab/pac4j/UseridAuthorizer.java diff --git a/README.md b/README.md index efe8aa4..6a05751 100644 --- a/README.md +++ b/README.md @@ -22,19 +22,19 @@ Then you can replace all libraries in `${ZEPPELIN_HOME}/lib` In order to restrict the Zeppelin access only to certain Keycloak usernames, use this authorizer on your *shiro.ini* file as follows: ``` -usernameAuthorizer = bio.ferlab.pac4j.UsernameAuthorizer -usernameAuthorizer.elements = username1,username2,username3 +useridAuthorizer = bio.ferlab.pac4j.UseridAuthorizer +useridAuthorizer.elements = id1,id2,id3 config = org.pac4j.core.config.Config -config.authorizers = username:$usernameAuthorizer +config.authorizers = id:$useridAuthorizer oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter oidcSecurityFilter.config = $config oidcSecurityFilter.clients = oidcClient -oidcSecurityFilter.authorizers = +username +oidcSecurityFilter.authorizers = +id ``` -Only usernames mentioned on the *elements* property - *username1, username2 and username3*, for instance - will be able to access the system. +Only users mentioned on the *elements* property - *id1, id2 and id3*, for instance - will be able to access the system. ### Using bio.ferlab.pac4j.ForceDefaultURLCallbackLogic : diff --git a/src/main/java/bio/ferlab/pac4j/UseridAuthorizer.java b/src/main/java/bio/ferlab/pac4j/UseridAuthorizer.java new file mode 100644 index 0000000..e42c313 --- /dev/null +++ b/src/main/java/bio/ferlab/pac4j/UseridAuthorizer.java 
@@ -0,0 +1,29 @@
+package bio.ferlab.pac4j;
+
+import org.pac4j.core.authorization.authorizer.AbstractRequireAnyAuthorizer;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.profile.UserProfile;
+
+import java.util.List;
+import java.util.Set;
+
+public final class UseridAuthorizer extends AbstractRequireAnyAuthorizer {
+
+ public UseridAuthorizer() { }
+
+ public UseridAuthorizer(final String... ids) {
+ setElements(ids);
+ }
+
+ public UseridAuthorizer(final List ids) {
+ setElements(ids);
+ }
+
+ public UseridAuthorizer(final Set ids) { setElements(ids); }
+
+ @Override
+ protected boolean check(WebContext context, SessionStore sessionStore, UserProfile profile, String element) {
+ return element.equals(profile.getId());
+ }
+}
diff --git a/src/main/resources/shiro.ini.template b/src/main/resources/shiro.ini.template
index 07c166e..e017770 100644
--- a/src/main/resources/shiro.ini.template
+++ b/src/main/resources/shiro.ini.template
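Review bot: The new class is declared against the raw `AbstractRequireAnyAuthorizer`, and the collection constructors take raw `List ids` / `Set ids`, so nothing checks that configured elements are Strings before `check` compares one with `profile.getId()`; parameterize them, e.g. `public UseridAuthorizer(final List<String> ids)` and `public UseridAuthorizer(final Set<String> ids)`, with the matching type argument on the superclass. `check` denies a profile whose id is null only because `element.equals(null)` happens to be false; that is the right fail-closed outcome and deserves a comment such as `// a profile without an id never matches an allow-listed id`. The class has no Javadoc: it should state that elements are matched exactly (case-sensitive) against `UserProfile.getId()` — for the OIDC client this is presumably the subject identifier, worth confirming — so operators know which value belongs in `useridAuthorizer.elements`. If the parent authorizer treats an empty element set as "allow everyone" (I believe pac4j's require-any authorizers do; confirm against the version in use), a missing or empty `elements` line silently disables the allow-list, so either reject empty sets in the constructors or document that failure mode explicitly.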
@@ -18,22 +18,22 @@ clients.clients = $oidcClient #requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer -usernameAuthorizer = bio.ferlab.pac4j.UsernameAuthorizer -usernameAuthorizer.elements = zeppelin,zeppelin1 +useridAuthorizer = bio.ferlab.pac4j.UseridAuthorizer +useridAuthorizer.elements = zeppelin-id,zeppelin1-id config = org.pac4j.core.config.Config config.clients = $clients -config.authorizers = username:$usernameAuthorizer +config.authorizers = id:$useridAuthorizer pac4jRealm = io.buji.pac4j.realm.Pac4jRealm -pac4jRealm.principalNameAttribute = preferred_username +pac4jRealm.principalNameAttribute = name pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory securityManager.subjectFactory = $pac4jSubjectFactory oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter oidcSecurityFilter.config = $config oidcSecurityFilter.clients = oidcClient -oidcSecurityFilter.authorizers = +username +oidcSecurityFilter.authorizers = +id customCallbackLogic = bio.ferlab.pac4j.ForceDefaultURLCallbackLogic diff --git a/src/test/java/bio/ferlab/UsernameAuthorizerTest.java b/src/test/java/bio/ferlab/UsernameAuthorizerTest.java index 8237303..fd35aa2 100644 --- a/src/test/java/bio/ferlab/UsernameAuthorizerTest.java +++ b/src/test/java/bio/ferlab/UsernameAuthorizerTest.java @@ -1,5 +1,6 @@ package bio.ferlab; +import bio.ferlab.pac4j.UseridAuthorizer; import bio.ferlab.pac4j.UsernameAuthorizer; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.params.ParameterizedTest; 
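Review bot: `pac4jRealm.principalNameAttribute = name` replaces `preferred_username` with `name`, which for an OIDC provider is a free-form display name rather than a unique, stable identifier; if Zeppelin keys notebook ownership or permissions on the Shiro principal name (not visible in this hunk), two accounts with the same display name become indistinguishable, and a user-editable display attribute is a weaker basis for authorization decisions than the username was. The change is also independent of the username-to-id authorizer switch and is mentioned neither in the commit message nor in the README hunk. Consider keeping `preferred_username`, or using the same subject identifier the new authorizer relies on, and record the requirement inline: `# principal name must be unique and stable per user; do not use a display attribute`.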
@@ -27,13 +28,20 @@ public final class UsernameAuthorizerTest { private CommonProfile profile; - private static Stream provideArguments() { + private static Stream provideNameArguments() { return Stream.of( Arguments.of("zeppelin", "zeppelin", true), Arguments.of("unauthorized", "zeppelin", false) ); } + private static Stream provideIdArguments() { + return Stream.of( + Arguments.of("123-456", "123-456", true), + Arguments.of("unauthorized", "111", false) + ); + } + @BeforeEach void setup() { sessionStore = JEESessionStore.INSTANCE; @@ -41,11 +49,18 @@ void setup() { } @ParameterizedTest - @MethodSource("provideArguments") - void isAuthorizedTest(final String USER, final String ELEMENT, final boolean EXPECTED_AUTH) { + @MethodSource("provideNameArguments") + void isNameAuthorizedTest(final String USER, final String ELEMENT, final boolean EXPECTED_AUTH) { profile.addAttribute(Pac4jConstants.USERNAME, USER); final UsernameAuthorizer usernameAuthorizer = new UsernameAuthorizer(ELEMENT); assertEquals(EXPECTED_AUTH, usernameAuthorizer.isAuthorized(context, sessionStore, Collections.singletonList(profile))); } + @ParameterizedTest + @MethodSource("provideIdArguments") + void isIdAuthorizedTest(final String ID, final String ELEMENT, final boolean EXPECTED_AUTH) { + profile.setId(ID); + final UseridAuthorizer useridAuthorizer = new UseridAuthorizer(ELEMENT); + assertEquals(EXPECTED_AUTH, useridAuthorizer.isAuthorized(context, sessionStore, Collections.singletonList(profile))); + } }
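Review bot: The new `isIdAuthorizedTest` covers only an exact match and a mismatch, so the fail-closed behaviour for a profile without an id is untested; add a row such as `Arguments.of(null, "111", false)` to `provideIdArguments` (assuming `CommonProfile.setId(null)` is accepted — confirm) and, since the comparison is exact, a case-sensitivity row like `Arguments.of("ABC", "abc", false)`. The renamed and added providers are declared as raw `Stream`; `private static Stream<Arguments> provideIdArguments()` (and the same for `provideNameArguments`) keeps the unchecked warning out of the test code. Both hunks sit inside `UsernameAuthorizerTest`, whose header and fields start above the first hunk.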