io.vertx.ext.auth.authorization.PermissionBasedAuthorization Java Examples

public void example40(AuthorizationProvider authProvider, Router router) {
  // Need "list_products" authorization to list products
  router.route("/listproducts/*").handler(
    // create the handler that will perform the attestation
    AuthorizationHandler.create(
      // what to attest
      PermissionBasedAuthorization.create("list_products"))
      // where to lookup the authorizations for the user
      .addAuthorizationProvider(authProvider));

  // Only "admin" has access to /private/settings
  router.route("/private/settings/*").handler(
    // create the handler that will perform the attestation
    AuthorizationHandler.create(
      // what to attest
      RoleBasedAuthorization.create("admin"))
      .addAuthorizationProvider(authProvider));
}
 

/**
 * Token scopes are checked and scopeX is missing.
 * Scopes are retrieved from the JWT itself.
 * JWT generated in HS256 with vertx as shared secret.
 */
@Test
public void tokenIsNotValid() {
  config = new JsonObject()
    .put("token_type", "Bearer")
    .put("access_token", JWT)
    .put("token", JWT);

  oauthConfig
    .addPubSecKey(new PubSecKeyOptions().setAlgorithm("HS256").setBuffer("vertx").setSymmetric(true))
    .setJWTOptions(new JWTOptions().addScope("scopeX").addScope("scopeB"));

  oauth2 = OAuth2Auth.create(vertx, oauthConfig);

  oauth2.authenticate(config, res -> {
    assertTrue(res.succeeded());
    ScopeAuthorization.create(" ").getAuthorizations(res.result(), call -> {
      assertTrue(call.succeeded());
      // the scopes are missing
      assertFalse(PermissionBasedAuthorization.create("scopeX").match(res.result()));
      assertFalse(PermissionBasedAuthorization.create("scopeB").match(res.result()));
      testComplete();
    });
  });
  await();
}
 

@Test
public void shouldGetPermissionsFromTokenButPermissionIsNotAllowed(TestContext should) {
  final Async test = should.async();

  keycloak.authenticate(new JsonObject().put("username", "test-user").put("password", "tiger"), authn -> {
    should.assertTrue(authn.succeeded());
    should.assertNotNull(authn.result());

    // generate a access token from the user
    User token = authn.result();

    KeycloakAuthorization.create().getAuthorizations(token, authz -> {
      should.assertTrue(authz.succeeded());
      should.assertFalse(PermissionBasedAuthorization.create("sudo").match(token));
      test.complete();
    });
  });
}
 

@Override
public boolean verify(Authorization otherAuthorization) {
  if (otherAuthorization instanceof WildcardPermissionBasedAuthorizationImpl) {
    WildcardPermissionBasedAuthorizationImpl otherWildcardPermission = (WildcardPermissionBasedAuthorizationImpl) otherAuthorization;
    if (wildcardPermission.implies((otherWildcardPermission).wildcardPermission)) {
      if (getResource() == null) {
        return true;
      }
      return getResource().equals(otherWildcardPermission.getResource());
    }
  }
  else if (otherAuthorization instanceof PermissionBasedAuthorization) {
    PermissionBasedAuthorization otherPermission = (PermissionBasedAuthorization) otherAuthorization;
    if (this.permission.equals(otherPermission.getPermission())) {
      if (getResource() == null) {
        return true;
      }
      return getResource().equals(otherPermission.getResource());
    }
  }
  return false;
}
 

@Override
public void getAuthorizations(User user, Handler<AsyncResult<Void>> handler) {
  String scopes = user.principal().getString("scope");

  final Set<Authorization> authorizations = new HashSet<>();

  // avoid the case when scope is the literal "null" value.
  if (scopes != null) {
    String sep = user.attributes().getString("scope_separator", scopeSeparator);
    for (String scope : scopes.split(Pattern.quote(sep))) {
      authorizations.add(PermissionBasedAuthorization.create(scope));
    }
  }
  user.authorizations().add(getId(), authorizations);
  // return
  handler.handle(Future.succeededFuture());
}
 

@Override
public boolean verify(Authorization otherAuthorization) {
  Objects.requireNonNull(otherAuthorization);

  if (otherAuthorization instanceof PermissionBasedAuthorization) {
    PermissionBasedAuthorization otherPermissionBasedAuthorization = (PermissionBasedAuthorization) otherAuthorization;
    if (permission.equals(otherPermissionBasedAuthorization.getPermission())) {
      if (getResource() == null) {
        return otherPermissionBasedAuthorization.getResource() == null;
      }
      return getResource().equals(otherPermissionBasedAuthorization.getResource());
    }
  }
  else if (otherAuthorization instanceof WildcardPermissionBasedAuthorization) {
    WildcardPermissionBasedAuthorization otherWildcardPermissionBasedAuthorization = (WildcardPermissionBasedAuthorization) otherAuthorization;
    if (permission.equals(otherWildcardPermissionBasedAuthorization.getPermission())) {
      if (getResource() == null) {
        return otherWildcardPermissionBasedAuthorization.getResource() == null;
      }
      return getResource().equals(otherWildcardPermissionBasedAuthorization.getResource());
    }
  }
  return false;
}
 

public static JsonObject encode(Authorization value) throws IllegalArgumentException {
  Objects.requireNonNull(value);

  // decide which JsonCodec we should use
  if (value instanceof AndAuthorization) {
    return AndAuthorizationConverter.encode((AndAuthorization) value);
  } else if (value instanceof NotAuthorization) {
    return NotAuthorizationConverter.encode((NotAuthorization) value);
  } else if (value instanceof OrAuthorization) {
    return OrAuthorizationConverter.encode((OrAuthorization) value);
  } else if (value instanceof PermissionBasedAuthorization) {
    return PermissionBasedAuthorizationConverter.encode((PermissionBasedAuthorization) value);
  } else if (value instanceof RoleBasedAuthorization) {
    return RoleBasedAuthorizationConverter.encode((RoleBasedAuthorization) value);
  } else if (value instanceof WildcardPermissionBasedAuthorization) {
    return WildcardPermissionBasedAuthorizationConverter.encode((WildcardPermissionBasedAuthorization) value);
  } else {
    throw new IllegalArgumentException("Unsupported authorization " + value.getClass());
  }
}
 

@Test
public void testAuthoriseNotHasPermission(TestContext should) {
  final Async test = should.async();

  JsonObject authInfo = new JsonObject();
  authInfo.put("username", "lopus").put("password", "secret");

  AuthenticationProvider authn = SqlAuthentication.create(mysql);

  authn.authenticate(authInfo, authenticate -> {
    should.assertTrue(authenticate.succeeded());
    final User user = authenticate.result();
    should.assertNotNull(user);
    AuthorizationProvider authz = SqlAuthorization.create(mysql);
    authz.getAuthorizations(user, getAuthorizations -> {
      should.assertTrue(getAuthorizations.succeeded());
      // attest
      should.assertFalse(PermissionBasedAuthorization.create("eat_sandwich").match(user));
      test.complete();
    });
  });
}
 

@Test
public void testAuthoriseHasPermission(TestContext should) {
  final Async test = should.async();

  JsonObject authInfo = new JsonObject();
  authInfo.put("username", "lopus").put("password", "secret");

  AuthenticationProvider authn = SqlAuthentication.create(mysql);

  authn.authenticate(authInfo, authenticate -> {
    should.assertTrue(authenticate.succeeded());
    final User user = authenticate.result();
    should.assertNotNull(user);
    AuthorizationProvider authz = SqlAuthorization.create(mysql);
    authz.getAuthorizations(user, getAuthorizations -> {
      should.assertTrue(getAuthorizations.succeeded());
      // attest
      should.assertTrue(PermissionBasedAuthorization.create("commit_code").match(user));
      test.complete();
    });
  });
}
 

private void getPermissions(String username, Handler<AsyncResult<Set<Authorization>>> resultHandler) {
  if (options.getPermissionsQuery() != null) {
    client.preparedQuery(options.getPermissionsQuery()).execute(Tuple.of(username), preparedQuery -> {
      if (preparedQuery.succeeded()) {
        RowSet<Row> rows = preparedQuery.result();
        Set<Authorization> authorizations = new HashSet<>();
        for (Row row : rows) {
          String permission = row.getString(0);
          authorizations.add(PermissionBasedAuthorization.create(permission));
        }
        resultHandler.handle(Future.succeededFuture(authorizations));
      } else {
        resultHandler.handle(Future.failedFuture(preparedQuery.cause()));
      }
    });
  } else {
    resultHandler.handle(Future.succeededFuture(Collections.emptySet()));
  }
}
 

@Test
public void testMatch1(TestContext should) {
  final Async test = should.async();

  final HttpServer server = rule.vertx().createHttpServer();
  server.requestHandler(request -> {
    User user = User.create(new JsonObject().put("username", "dummy user"));
    user.authorizations().add("providerId", PermissionBasedAuthorization.create("p1").setResource("r1"));
    AuthorizationContext context = new AuthorizationContextImpl(user, request.params());
    should.assertEquals(true, PermissionBasedAuthorization.create("p1").setResource("{variable1}").match(context));
    request.response().end();
  }).listen(0, "localhost", listen -> {
    if (listen.failed()) {
      should.fail(listen.cause());
      return;
    }

    rule.vertx().createHttpClient().get(listen.result().actualPort(), "localhost", "/?variable1=r1", res -> {
      if (res.failed()) {
        should.fail(res.cause());
        return;
      }
      server.close(close -> test.complete());
    });
  });
}
 

private User createUser(JsonObject json) {
  User user = new UserImpl(json);
  json.put(PROPERTY_FIELD_SALT, getSaltField());
  json.put(PROPERTY_FIELD_PASSWORD, getPasswordField());
  JsonArray roles = json.getJsonArray(mongoAuthorizationOptions.getRoleField());
  if (roles!=null) {
    for (int i=0; i<roles.size(); i++) {
      String role = roles.getString(i);
      user.authorizations().add(PROVIDER_ID, RoleBasedAuthorization.create(role));
    }
  }
  JsonArray permissions = json.getJsonArray(mongoAuthorizationOptions.getPermissionField());
  if (permissions!=null) {
    for (int i=0; i<permissions.size(); i++) {
      String permission = permissions.getString(i);
      user.authorizations().add(PROVIDER_ID, PermissionBasedAuthorization.create(permission));
    }
  }
  user.setAuthProvider(this);
  return user;
}
 

public void secure(Vertx vertx) {
  // Create an instance of your service implementation
  SomeDatabaseService service = new SomeDatabaseServiceImpl();
  // Register the handler
  new ServiceBinder(vertx)
    .setAddress("database-service-address")
    // Secure the messages in transit
    .addInterceptor(
      new ServiceAuthInterceptor()
        // Tokens will be validated using JWT authentication
        .setAuthenticationProvider(JWTAuth.create(vertx, new JWTAuthOptions()))
        // optionally we can secure permissions too:

        // an admin
        .addAuthorization(RoleBasedAuthorization.create("admin"))
        // that can print
        .addAuthorization(PermissionBasedAuthorization.create("print"))

        // where the authorizations are loaded, let's assume from the token
        // but they could be loaded from a database or a file if needed
        .setAuthorizationProvider(
          JWTAuthorization.create("permissions")))

    .register(SomeDatabaseService.class, service);
}
 

@Test
public void testMatch2(TestContext should) {
  final Async test = should.async();

  final HttpServer server = rule.vertx().createHttpServer();
  server.requestHandler(request -> {
    User user = User.create(new JsonObject().put("username", "dummy user"));
    user.authorizations().add("providerId", PermissionBasedAuthorization.create("p1").setResource("r1"));
    AuthorizationContext context = new AuthorizationContextImpl(user, request.params());
    should.assertEquals(false, PermissionBasedAuthorization.create("p1").setResource("{variable1}").match(context));
    request.response().end();
  }).listen(0, "localhost", listen -> {
    if (listen.failed()) {
      should.fail(listen.cause());
      return;
    }

    rule.vertx().createHttpClient().get(listen.result().actualPort(), "localhost", "/?variable1=r2", res -> {
      if (res.failed()) {
        should.fail(res.cause());
        return;
      }
      server.close(close -> test.complete());
    });
  });
}
 

public static PermissionBasedAuthorization decode(JsonObject json) throws IllegalArgumentException {
  Objects.requireNonNull(json);

  if (TYPE_PERMISSION_BASED_AUTHORIZATION.equals(json.getString(FIELD_TYPE))) {
    PermissionBasedAuthorization result = PermissionBasedAuthorization.create(json.getString(FIELD_PERMISSION));
    if (json.getString(FIELD_RESOURCE) != null) {
      result.setResource(json.getString(FIELD_RESOURCE));
    }
    return result;
  }
  return null;
}
 

@Test
public void createUserAndPermissionsTest() throws Throwable {
  MongoClient mongoClient = this.getMongoClient();
  MongoAuthentication authnProvider = MongoAuthentication.create(mongoClient, new MongoAuthenticationOptions());
  MongoAuthorization authzProvider = MongoAuthorization.create("abc", mongoClient, new MongoAuthorizationOptions());
  MongoUserUtil userUtil = MongoUserUtil.create(mongoClient);
  List<String> roles = Arrays.asList("a", "b");
  List<String> perms = Arrays.asList("c", "d");
  JsonObject credentials = new JsonObject()
    .put("username", "fizz")
    .put("password", "buzz");
  userUtil
    .createUser("fizz", "buzz")
    .flatMap(id -> userUtil.createUserRolesAndPermissions("fizz", roles, perms))
    .flatMap(id -> authnProvider.authenticate(credentials))
    .flatMap(user -> authzProvider.getAuthorizations(user).map(v -> user))
    .onFailure(this::fail)
    .onSuccess(user -> {
      Set<Authorization> auths = user.authorizations().get("abc");
      assertTrue(auths.contains(RoleBasedAuthorization.create("a")));
      assertTrue(auths.contains(RoleBasedAuthorization.create("b")));
      assertFalse(auths.contains(RoleBasedAuthorization.create("c")));
      assertTrue(auths.contains(PermissionBasedAuthorization.create("c")));
      assertTrue(auths.contains(PermissionBasedAuthorization.create("d")));
      assertFalse(auths.contains(PermissionBasedAuthorization.create("e")));
      this.complete();
    });
  await();
}
 

public void example7(User user, SqlAuthorization sqlAuthZ) {
  sqlAuthZ.getAuthorizations(user)
    .onSuccess(v -> {
      if (PermissionBasedAuthorization.create("commit_code").match(user)) {
        // Has permission!
      }
    });
}
 

@Test
public void testJWTInvalidPermission() {
  TokenCredentials authInfo = new TokenCredentials(JWT_VALID);
  authProvider.authenticate(authInfo, onSuccess(user -> {
    assertNotNull(user);
    JWTAuthorization.create("permissions").getAuthorizations(user, res -> {
      assertTrue(res.succeeded());
      assertFalse(PermissionBasedAuthorization.create("drop").match(user));
      testComplete();
    });
  }));
  await();
}
 

@Test
public void authzFalse() {
  UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("md5", "myPassword");

  authProviderUsersAreAuthorizedForNothing.authenticate(credentials, onSuccess(user -> {
    assertNotNull(user);
    assertFalse(PermissionBasedAuthorization.create("something").match(user));
    testComplete();
  }));
  await();
}
 

public void example2(User user, AuthorizationProvider authorizationProvider) {
  // load the authorization for the given user:
  authorizationProvider.getAuthorizations(user, res -> {
    if (res.succeeded()) {
      // cache is populated, perform query
      if (PermissionBasedAuthorization.create("printer1234").match(user)) {
        System.out.println("User has the authority");
      } else {
        System.out.println("User does not have the authority");
      }
    }
  });
}
 

public void example40_a(AuthorizationProvider authProvider, Router router) {
  // attest that all requests on the route match the required authorization
  router.route().handler(
    // create the handler that will perform the attestation
    AuthorizationHandler.create(
      // what to attest
      PermissionBasedAuthorization.create("can-do-work"))
      // where to lookup the authorizations for the user
      .addAuthorizationProvider(authProvider));
}
 

@Test
public void testJWTValidPermission() {
  TokenCredentials authInfo = new TokenCredentials(JWT_VALID);
  authProvider.authenticate(authInfo, onSuccess(user -> {
    assertNotNull(user);
    JWTAuthorization.create("permissions").getAuthorizations(user, res -> {
      assertTrue(res.succeeded());
      assertTrue(PermissionBasedAuthorization.create("write").match(user));
      testComplete();
    });
  }));
  await();
}
 

private User createUser(JsonObject jwtToken, String permissionsClaimKey) {
  User result = User.create(jwtToken);
  JsonArray jsonPermissions = getJsonPermissions(jwtToken, permissionsClaimKey);
  if (jsonPermissions != null) {
    for (Object item : jsonPermissions) {
      if (item instanceof String) {
        String permission = (String) item;
        result.authorizations().add("jwt-authentication", PermissionBasedAuthorization.create(permission));
      }
    }
  }
  return result;
}
 

public static JsonObject encode(PermissionBasedAuthorization value) throws IllegalArgumentException {
  Objects.requireNonNull(value);

  JsonObject result = new JsonObject();
  result.put(FIELD_TYPE, TYPE_PERMISSION_BASED_AUTHORIZATION);
  result.put(FIELD_PERMISSION, value.getPermission());
  if (value.getResource() != null) {
    result.put(FIELD_RESOURCE, value.getResource());
  }
  return result;
}
 

public void example13(User user) {
  AuthorizationProvider authz = MicroProfileAuthorization.create();

  authz.getAuthorizations(user)
    .onSuccess(v -> {
      // and now we can perform checks as needed
      if (PermissionBasedAuthorization.create("create-report").match(user)) {
        // Yes the user can create reports
      }
    });
}
 

@Test
public void testImpliesOk3() {
  Assert.assertEquals(true,
      AndAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))
          .addAuthorization(PermissionBasedAuthorization.create("p2"))
          .verify(AndAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))
              .addAuthorization(PermissionBasedAuthorization.create("p2"))));
}
 

@Test
public void testImpliesOk4() {
  Assert.assertEquals(true,
      AndAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))
          .addAuthorization(PermissionBasedAuthorization.create("p2"))
          .verify(AndAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))));
}
 

@Test
public void testImpliesKo3() {
  Assert.assertEquals(false,
      OrAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))
          .addAuthorization(PermissionBasedAuthorization.create("p2"))
          .verify(OrAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))));
}
 

@Test
public void testImpliesOk3() {
  Assert.assertEquals(true,
      OrAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))
          .addAuthorization(PermissionBasedAuthorization.create("p2"))
          .verify(OrAuthorization.create().addAuthorization(PermissionBasedAuthorization.create("p1"))
              .addAuthorization(PermissionBasedAuthorization.create("p2"))));
}
 

@Test
public void testConverter() {
  TestUtils.testJsonCodec(PermissionBasedAuthorization.create("p1"), PermissionBasedAuthorizationConverter::encode,
      PermissionBasedAuthorizationConverter::decode);
  TestUtils.testJsonCodec(PermissionBasedAuthorization.create("p1").setResource("resource"),
      PermissionBasedAuthorizationConverter::encode, PermissionBasedAuthorizationConverter::decode);
}