From 4639b1870a40ff1c0f97d34b17426674c957f46c Mon Sep 17 00:00:00 2001
From: Federica Agostini
Date: Wed, 6 Nov 2024 17:32:38 +0100
Subject: [PATCH 1/3] Support also 'entitlements' claim
---
 .../storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java b/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java
index e09483aa..2ad82225 100644
--- a/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java
+++ b/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java
@@ -34,7 +34,7 @@ public class GrantedAuthoritiesMapperSupport {
 protected final Multimap authzMap = ArrayListMultimap.create();
 protected final AuthorizationServerProperties authzServerProperties;
- public static final String[] OAUTH_GROUP_CLAIM_NAMES = {"groups", "wlcg.groups"};
+ public static final String[] OAUTH_GROUP_CLAIM_NAMES = {"groups", "wlcg.groups", "entitlements"};
 public static final String SCOPE_CLAIM_NAME = "scope";
 protected final Set anonymousGrantedAuthorities = Sets.newHashSet();
From ffa0e7277914b3773a465387527864955c52e57b Mon Sep 17 00:00:00 2001
From: Federica Agostini
Date: Wed, 6 Nov 2024 17:52:21 +0100
Subject: [PATCH 2/3] Add test
---
 .../AuthorizationIntegrationTests.java | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java b/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
index db4c60c4..76a16d8d 100644
--- a/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
+++ b/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
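Review bot: Adding `"entitlements"` to `OAUTH_GROUP_CLAIM_NAMES` routes that claim through the same group-to-authority mapping as `groups` and `wlcg.groups`, yet nothing on the constant says what value format the mapper expects; the test added later in this series passes the same path-style value `/example/admins` for all three claims, which suggests verbatim matching, whereas entitlements issued under the AARC profile are commonly URN-formatted, so operators need to know which form to put in the authorization mapping. Document that on the constant, e.g. `/** Token claims whose values are treated as group names when mapping authorities; values are compared as issued, so entitlement URNs must appear verbatim in the mapping. */`, after confirming the "compared as issued" part against the mapper, which is outside this hunk. Since any value carried in these claims can now confer configured authorities, it is also worth confirming there that the claims are only honoured for trusted issuers; I cannot tell from here.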
@@ -21,6 +21,7 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.request;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.italiangrid.storm.webdav.oauth.GrantedAuthoritiesMapperSupport.OAUTH_GROUP_CLAIM_NAMES;
 import java.net.URI;
@@ -275,7 +276,24 @@ void writeAccessWithoutMatchedJWTIsDenied() throws Exception {
 mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
 .andExpect(status().isForbidden());
+ }
+
+ @Test
+ void readWriteAccessAsJwtWithAllowedGroup() throws Exception {
+
+ for (String groupClaim : OAUTH_GROUP_CLAIM_NAMES) {
+ Jwt token = Jwt.withTokenValue("test")
+ .header("kid", "rsa1")
+ .issuer(EXAMPLE_ISSUER)
+ .claim(groupClaim, "/example/admins")
+ .build();
+
+ mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+ .andExpect(status().isNotFound());
+ mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+ .andExpect(status().isOk());
+ }
 }
 @WithMockVOMSUser(vos = "wlcg", saReadPermissions = {"wlcg"})
From d06227c9f6bbaa0d7c8b2a11a5bda34e4186daad Mon Sep 17 00:00:00 2001
From: Enrico Vianello
Date: Tue, 10 Dec 2024 12:30:23 +0100
Subject: [PATCH 3/3] Fix sonar issue
---
 .../storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java | 4 ++--
 .../authz/integration/AuthorizationIntegrationTests.java | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java b/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java
index 2ad82225..6ff8e74a 100644
--- a/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java
+++ b/src/main/java/org/italiangrid/storm/webdav/oauth/GrantedAuthoritiesMapperSupport.java
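Review bot: `readWriteAccessAsJwtWithAllowedGroup` only exercises the positive path for each claim name; a second token per iteration carrying a value that matches nothing, e.g. `.claim(groupClaim, "/example/users")`, with the PUT asserted `.andExpect(status().isForbidden())`, would show that the new `entitlements` claim goes through the same matching as the other two rather than acting as a blanket grant. The three iterations also produce identical MockMvc failures, so a regression in one claim name cannot be told from the assertion output; a `@ParameterizedTest` with `@ValueSource` over the claim names (if JUnit 5 parameterized tests are available to the project) or an explicit failure message naming `groupClaim` would fix that. The whole new method lies inside this hunk.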
@@ -34,8 +34,8 @@ public class GrantedAuthoritiesMapperSupport {
 protected final Multimap authzMap = ArrayListMultimap.create();
 protected final AuthorizationServerProperties authzServerProperties;
- public static final String[] OAUTH_GROUP_CLAIM_NAMES = {"groups", "wlcg.groups", "entitlements"};
- public static final String SCOPE_CLAIM_NAME = "scope";
+ protected static final String[] OAUTH_GROUP_CLAIM_NAMES = {"groups", "wlcg.groups", "entitlements"};
+ protected static final String SCOPE_CLAIM_NAME = "scope";
 protected final Set anonymousGrantedAuthorities = Sets.newHashSet();
diff --git a/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java b/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
index 76a16d8d..eddc1680 100644
--- a/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
+++ b/src/test/java/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
@@ -21,7 +21,6 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.request;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.italiangrid.storm.webdav.oauth.GrantedAuthoritiesMapperSupport.OAUTH_GROUP_CLAIM_NAMES;
 import java.net.URI;
@@ -229,7 +228,7 @@ void readAccessWithoutMatchedJWTIsDenied() throws Exception {
 .andExpect(status().isForbidden());
 }
-
+
 @Test
 void writeAccessAsJwtWithAllowedClient() throws Exception {
 Jwt token = Jwt.withTokenValue("test")
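Review bot: Narrowing `OAUTH_GROUP_CLAIM_NAMES` from public to protected does not remove the underlying problem: the field is still a mutable `String[]`, so `final` only pins the reference and any subclass or same-package code can still overwrite entries and change which token claims confer authorities. The Sonar finding on mutable static members is about the array, not the modifier; replacing it with `protected static final List<String> OAUTH_GROUP_CLAIM_NAMES = List.of("groups", "wlcg.groups", "entitlements");` gives an unmodifiable value that keeps for-each usage working and could safely stay public. The code that iterates the array is outside this hunk, so the `java.util.List` import and any array-typed usage there need a matching update.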
@@ -281,6 +280,8 @@ void writeAccessWithoutMatchedJWTIsDenied() throws Exception {
 @Test
 void readWriteAccessAsJwtWithAllowedGroup() throws Exception {
+ final String[] OAUTH_GROUP_CLAIM_NAMES = {"groups", "wlcg.groups", "entitlements"};
+
 for (String groupClaim : OAUTH_GROUP_CLAIM_NAMES) {
 Jwt token = Jwt.withTokenValue("test")
 .header("kid", "rsa1")
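Review bot: The local `final String[] OAUTH_GROUP_CLAIM_NAMES = {...}` at the top of `readWriteAccessAsJwtWithAllowedGroup` is a hand-copied duplicate of the production constant this commit stops importing, so a claim name added to or removed from `GrantedAuthoritiesMapperSupport` no longer changes what the test exercises, which defeats the purpose of the loop. If the production field must stay non-public, an immutable `List.of(...)`-backed constant can be exposed without a Sonar finding and the import restored; failing that, rename the local to `groupClaimNames` (UPPER_SNAKE_CASE reads as a class constant) and add `// must mirror GrantedAuthoritiesMapperSupport.OAUTH_GROUP_CLAIM_NAMES` so the coupling is at least visible. The loop body continues past the hunk's last line.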