

Merge branch 'support_non_aad_token' into 'master'

Support non-AAD token

See merge request !23
parents b8aa1b74 924a89e1
Pipeline #10199 passed with stages
in 18 minutes and 9 seconds
......@@ -34,6 +34,7 @@ import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import java.util.*;
import java.util.regex.Matcher;
......@@ -263,6 +264,9 @@ public class EntitlementsAzure
} else if (type == UserType.SERVICE_PRINCIPAL){
groups.setDesId(authenticationContext.getUid());
groups.setMemberEmail(authenticationContext.getUid());
} else if (type == UserType.OTHER){
groups.setDesId(authenticationContext.getUid());
groups.setMemberEmail(authenticationContext.getUid());
}
return groups;
}
......@@ -400,8 +404,10 @@ public class EntitlementsAzure
type = UserType.REGULAR_USER;
else if (u.getUniqueName() != null)
type = UserType.GUEST_USER;
else
else if (!StringUtils.isEmpty(u.getClaim("appid")))
type = UserType.SERVICE_PRINCIPAL;
else
type = UserType.OTHER;
return type;
}
......@@ -455,6 +461,11 @@ public class EntitlementsAzure
} else if (type == UserType.SERVICE_PRINCIPAL){
context.setUid(userPrincipal.getClaim("appid").toString());
context.setOid(userPrincipal.getClaim("oid").toString());
} else if (type == UserType.OTHER){
// non-AAD tokens
context.setOid(userPrincipal.getClaim("email").toString());
context.setUid(userPrincipal.getClaim("email").toString());
}
return context;
}
......@@ -466,6 +477,11 @@ public class EntitlementsAzure
*/
public String getObjectIdForInputId(String inputId)
{
// return inputId as-is for non-AAD tokens
UserPrincipal userPrincipal = getUserPrincipal();
UserType type = getType(userPrincipal);
if(type == UserType.OTHER)
return inputId;
return graphService.getObjectIdForInputId(inputId);
}
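Review bot: `getType` now assigns `UserType.OTHER` to any token that merely lacks the `upn`, `unique_name` and `appid` claims, so the non-AAD path is entered by elimination rather than by a positive signal, and the `OTHER` branch of the context builder then calls `userPrincipal.getClaim("email").toString()`, which throws NullPointerException when the claim is absent. Consider gating that branch on something the token asserts, such as its issuer (`u.getClaim("iss")`) or explicit configuration, and guarding the dereference, e.g. `Object email = userPrincipal.getClaim("email"); if (email == null) { /* reject: non-AAD token without email claim */ }` before the two `set` calls. In `getObjectIdForInputId`, the early `return inputId;` for `OTHER` means caller-supplied identifiers are no longer resolved or validated against the directory for non-AAD callers; that is worth stating in the method's Javadoc, e.g. `@return the resolved object id, or {@code inputId} unchanged (unvalidated) when the caller presented a non-AAD token`. Both `getType` and the context-building method begin outside their hunks.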
......@@ -20,14 +20,11 @@ import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jwt.JWTClaimsSet;
import net.minidev.json.JSONArray;
import org.apache.http.HttpStatus;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.mockito.junit.MockitoJUnitRunner;
import org.opengroup.osdu.azure.entitlements.dto.CreateGroupRequest;
import org.opengroup.osdu.azure.entitlements.graph.IGraphService;
......@@ -48,7 +45,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
import static org.junit.Assert.assertEquals;
import static org.mockito.AdditionalMatchers.aryEq;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.*;
import static org.springframework.test.util.ReflectionTestUtils.setField;
......@@ -79,19 +75,7 @@ public class EntitlementsAzureTests {
@InjectMocks
private EntitlementsAzure sut;
private UserPrincipal createAADUserPrincipal(String claimName, String claimValue) {
final JSONArray claims = new JSONArray();
final JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder()
//.subject("subject")
.claim(claimName, claimValue)
.build();
final JWSObject jwsObject = new JWSObject(new JWSHeader.Builder(JWSAlgorithm.RS256).build(),
new Payload(jwtClaimsSet.toString()));
return new UserPrincipal(jwsObject, jwtClaimsSet);
}
private UserPrincipal createAADUserPrincipal(String claimName1, String claimValue1, String claimName2, String claimValue2) {
final JSONArray claims = new JSONArray();
private UserPrincipal createUserPrincipal(String claimName1, String claimValue1, String claimName2, String claimValue2) {
final JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder()
.claim(claimName1, claimValue1)
.claim(claimName2, claimValue2)
......@@ -101,16 +85,8 @@ public class EntitlementsAzureTests {
return new UserPrincipal(jwsObject, jwtClaimsSet);
}
private UserPrincipal createAADUserPrincipalSetSecurityContext(String claimName1, String claimValue1, String claimName2, String claimValue2) {
UserPrincipal dummyAADPrincipal = createAADUserPrincipal(claimName1, claimValue1, claimName2, claimValue2);
SecurityContextHolder.setContext(securityContext);
when(securityContext.getAuthentication()).thenReturn(auth);
when(auth.getPrincipal()).thenReturn(dummyAADPrincipal);
return dummyAADPrincipal;
}
private UserPrincipal createAADUserPrincipalSetSecurityContext(String claimName, String claimValue) {
UserPrincipal dummyAADPrincipal = createAADUserPrincipal(claimName, claimValue);
private UserPrincipal createUserPrincipalSetSecurityContext(String claimName1, String claimValue1, String claimName2, String claimValue2) {
UserPrincipal dummyAADPrincipal = createUserPrincipal(claimName1, claimValue1, claimName2, claimValue2);
SecurityContextHolder.setContext(securityContext);
when(securityContext.getAuthentication()).thenReturn(auth);
when(auth.getPrincipal()).thenReturn(dummyAADPrincipal);
......@@ -120,7 +96,7 @@ public class EntitlementsAzureTests {
@Test
public void givenSameUpnInHeaderAndJwt_whenGetGroups_thenReturnGroups() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
when(userInfoRepository.getTenantGroups(TestUtils.getOid(), TestUtils.getTenantName())).thenReturn(new String[]{TestUtils.getGroup()});
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUpn());
......@@ -133,11 +109,26 @@ public class EntitlementsAzureTests {
assertEquals(groups.getGroup(TestUtils.getGroup()).getEmail(), String.format("%s@%s.%s", TestUtils.getGroup(), TestUtils.getTenantName(), TestUtils.getDomain()));
}
@Test
public void givenServicePrincipalInHeaderAndJwt_whenGetGroups_thenReturnGroups() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createUserPrincipalSetSecurityContext(TestUtils.USERID, TestUtils.getUserId(), TestUtils.EMAIL, TestUtils.getUserEmail());
when(userInfoRepository.getTenantGroups(TestUtils.getUserEmail(), TestUtils.getTenantName())).thenReturn(new String[]{TestUtils.getGroup()});
//upn in header
when(dpsHeaders.getPartitionId()).thenReturn(TestUtils.getTenantName());
Groups groups = sut.getGroups();
assertEquals(groups.getDesId(), TestUtils.getUserEmail());
assertEquals(groups.getGroups().size(), 1);
assertEquals(groups.getGroup(TestUtils.getGroup()).getName(), TestUtils.getGroup());
assertEquals(groups.getGroup(TestUtils.getGroup()).getEmail(), String.format("%s@%s.%s", TestUtils.getGroup(), TestUtils.getTenantName(), TestUtils.getDomain()));
}
@Test
public void givenNoUpnInHeader_whenGetGroups_thenReturnGroups() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
when(userInfoRepository.getTenantGroups(TestUtils.getOid(), TestUtils.getTenantName())).thenReturn(new String[]{TestUtils.getGroup()});
//upn in header
......@@ -154,7 +145,7 @@ public class EntitlementsAzureTests {
public void givenMismatchUpnInHeaderAndJwt_whenGetGroups_thenError() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUserEmail());
......@@ -172,7 +163,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
when(userInfoRepository.getTenantGroups(TestUtils.getOid(), TestUtils.getTenantName())).thenReturn(new String[]{TestUtils.getGroup()});
//no email in header
......@@ -190,7 +181,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//upn and oid in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUserEmail());
......@@ -209,7 +200,7 @@ public class EntitlementsAzureTests {
public void givenServicePrincipalInJwtAndProfileExists_whenCreateProfile_thenConflict() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
UserInfoDoc userInfoDoc = new UserInfoDoc();
userInfoDoc.setUid(TestUtils.getAppId());
......@@ -230,7 +221,7 @@ public class EntitlementsAzureTests {
public void givenServicePrincipalInJwtAndGetObjectIdException_whenCreateProfile_thenInternalServerError() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
UserInfoDoc userInfoDoc = new UserInfoDoc();
......@@ -250,7 +241,7 @@ public class EntitlementsAzureTests {
@Test
public void givenSameUpnInHeaderAndJwt_whenCreateProfile_thenReturnProfile() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUpn());
......@@ -267,7 +258,7 @@ public class EntitlementsAzureTests {
@Test
public void givenNoUpnInHeader_whenCreateProfile_thenReturnProfile() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
UserInfoDoc userInfoDoc = new UserInfoDoc();
userInfoDoc.setUid(TestUtils.getAppId());
......@@ -284,7 +275,7 @@ public class EntitlementsAzureTests {
public void givenServicePrincipalInJwt_whenCreateProfile_thenReturnProfile() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
UserInfoDoc userInfoDoc = new UserInfoDoc();
......@@ -420,7 +411,7 @@ public class EntitlementsAzureTests {
public void givenAdminUser_whenCreateGroups_thenGroupCreated() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
when(userInfoRepository.getTenantGroups(TestUtils.getOid(), TestUtils.getTenantName())).thenReturn(new String[]{TestUtils.getGroup()});
//upn in header
when(dpsHeaders.getPartitionId()).thenReturn(TestUtils.getTenantName());
......@@ -442,7 +433,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//upn and oid in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUserEmail());
......@@ -460,7 +451,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//upn and oid in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUpn());
......@@ -475,7 +466,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//upn and oid in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//no upn in header
......@@ -491,7 +482,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
......@@ -506,7 +497,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
......@@ -527,7 +518,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
......@@ -547,7 +538,7 @@ public class EntitlementsAzureTests {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//upn and oid in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUserEmail());
......@@ -568,7 +559,7 @@ public class EntitlementsAzureTests {
public void givenServicePrincipalInJwtAndProfileDoesNotExist_whenUpdateProfile_thenNotFound() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
UserInfoDoc userInfoDoc = new UserInfoDoc();
......@@ -590,7 +581,7 @@ public class EntitlementsAzureTests {
public void givenServicePrincipalInJwtAndGetObjectIdException_whenUpdateProfile_thenInternalServerError() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
UserInfoDoc userInfoDoc = new UserInfoDoc();
......@@ -609,7 +600,7 @@ public class EntitlementsAzureTests {
@Test
public void givenSameUpnInHeaderAndJwt_whenUpdateProfile_thenReturnProfile() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
//upn in header
when(dpsHeaders.getUserEmail()).thenReturn(TestUtils.getUpn());
......@@ -628,7 +619,7 @@ public class EntitlementsAzureTests {
@Test
public void givenNoUpnInHeader_whenUpdateProfile_thenReturnProfile() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
createAADUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.UPN, TestUtils.getUpn(), TestUtils.OID, TestUtils.getOid());
UserInfoDoc userInfoDoc = new UserInfoDoc();
userInfoDoc.setUid(TestUtils.getAppId());
......@@ -646,7 +637,7 @@ public class EntitlementsAzureTests {
public void givenServicePrincipalInJwt_whenUpdateProfile_thenReturnProfile() {
setField(sut, TestUtils.SERVICE_DOMAIN_NAME, TestUtils.getDomain());
//serviceprincipal in JWT
createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
//no email in header
UserInfoDoc userInfoDoc = new UserInfoDoc();
......@@ -661,4 +652,19 @@ public class EntitlementsAzureTests {
assertEquals(oid, updatedUserInfoDoc.getId());
}
@Test
public void getOidFromGraphService_whenGivenAADUserPrincipal() {
createUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.OID, TestUtils.getOid());
when(graphService.getObjectIdForInputId(TestUtils.getAppId())).thenReturn(TestUtils.getOid());
String oid = sut.getObjectIdForInputId(TestUtils.getAppId());
assertEquals(oid, TestUtils.getOid());
}
@Test
public void getOidFromInput_whenGivenOtherUserPrincipal() {
createUserPrincipalSetSecurityContext(TestUtils.USERID, TestUtils.getUserId(), TestUtils.EMAIL, TestUtils.getUserEmail());
String oid = sut.getObjectIdForInputId(TestUtils.getOid());
assertEquals(oid, TestUtils.getOid());
}
}
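Review bot: The new test `givenServicePrincipalInHeaderAndJwt_whenGetGroups_thenReturnGroups` builds its principal from the `USERID` and `EMAIL` claims, which `getType` classifies as `UserType.OTHER` rather than `SERVICE_PRINCIPAL`, so the method name and the `//upn in header` comment describe a scenario other than the one exercised. A name such as `givenNonAadUserInJwt_whenGetGroups_thenReturnGroups` and a comment like `//non-AAD token: desId and memberEmail both come from the email claim` would match the assertions. There is also no test for a token that has none of the AAD claims and no `email` claim, which is the path where the `OTHER` branch of the context builder dereferences a null claim; a test pinning the expected failure there would document the intended behavior. The new `getObjectIdForInputId` tests cover the two branches, though they keep the file's `assertEquals(actual, expected)` argument order, which inverts the failure message.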
......@@ -27,11 +27,14 @@ public class TestUtils {
private static final String appId = "18e7cc2c-5dde-4f01-801a-16eb54b04217";
private static final String oid = "18e7cc2c-5dde-4f01-801a-16eb54b04218";
private static final String description = "Some description";
private static final String userId = "user123";
public static final String SERVICE_DOMAIN_NAME = "serviceDomainName";
public static final String APPID = "appid";
public static final String UPN = "upn";
public static final String OID = "oid";
public static final String EMAIL = "email";
public static final String USERID = "userid";
public static String getDomain() { return domain; }
public static String getTenantName() { return tenantName;}
......@@ -41,4 +44,6 @@ public class TestUtils {
public static String getAppId() {return appId; }
public static String getOid() {return oid; }
public static String getDescription() { return description; }
public static String getUserId() { return userId; }
}