[2.21.x] Update policies and interceptors (#5919)

Removed guest role requirements in policy plugins, updated PEP tests and removed blank strings from blueprint values.
codice · Mar 20, 2020 · b820f6f · b820f6f
1 parent 9ca1159
commit b820f6f
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 44 deletions.
diff --git a/...ecurity/catalog-security-policyplugin/src/main/resources/OSGI-INF/blueprint/blueprint.xml b/...ecurity/catalog-security-policyplugin/src/main/resources/OSGI-INF/blueprint/blueprint.xml
@@ -16,24 +16,25 @@
     <bean id="ingestPlugin" class="org.codice.ddf.catalog.security.CatalogPolicy">
         <cm:managed-properties persistent-id="org.codice.ddf.catalog.security.CatalogPolicy"
                                update-strategy="container-managed" />
+        <!-- An empty value on permissions so there are no restrictions on who can perform the operations -->
         <property name="createPermissions">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="updatePermissions">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="deletePermissions">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="readPermissions">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
     </bean>

diff --git a/.../security/catalog-security-policyplugin/src/main/resources/OSGI-INF/metatype/metatype.xml b/.../security/catalog-security-policyplugin/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -19,19 +19,19 @@
 
         <AD description="Roles/attributes required for the create operations. Example: role=role1,role2"
             name="Create Required Attributes" id="createPermissions" required="true" type="String" cardinality="1000"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for the update operation. Example: role=role1,role2"
             name="Update Required Attributes" id="updatePermissions" required="true" type="String" cardinality="1000"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for the delete operation. Example: role=role1,role2"
             name="Delete Required Attributes" id="deletePermissions" required="true" type="String" cardinality="1000"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for the read operations (query and resource). Example: role=role1,role2"
             name="Read Required Attributes" id="readPermissions" required="true" type="String" cardinality="1000"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
     </OCD>
 
     <Designate pid="org.codice.ddf.catalog.security.CatalogPolicy">

diff --git a/...urity/catalog-security-resourceplugin/src/main/resources/OSGI-INF/blueprint/blueprint.xml b/...urity/catalog-security-resourceplugin/src/main/resources/OSGI-INF/blueprint/blueprint.xml
@@ -18,14 +18,15 @@
         <cm:managed-properties
                 persistent-id="org.codice.ddf.catalog.security.ResourceUriPolicy"
                 update-strategy="container-managed"/>
+        <!-- An empty value on permissions so there are no restrictions on who can perform the operations -->
         <property name="createPermissions">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="updatePermissions">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
     </bean>

diff --git a/...ecurity/catalog-security-resourceplugin/src/main/resources/OSGI-INF/metatype/metatype.xml b/...ecurity/catalog-security-resourceplugin/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -20,12 +20,12 @@
         <AD description="Allow users to provide a resource URI when creating a metacard"
             name="Permit Resource URI on Creation" id="createPermissions" required="true"
             type="String" cardinality="1000"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>/>
+            default=""/>
 
         <AD description="Allow users to provide a resource URI when updating a metacard"
             name="Permit Resource URI on Update" id="updatePermissions" required="true"
             type="String" cardinality="1000"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>/>
+            default=""/>
     </OCD>
 
     <Designate pid="org.codice.ddf.catalog.security.ResourceUriPolicy">

diff --git a/...atial/registry/registry-policy-plugin/src/main/resources/OSGI-INF/blueprint/blueprint.xml b/...atial/registry/registry-policy-plugin/src/main/resources/OSGI-INF/blueprint/blueprint.xml
@@ -24,24 +24,25 @@
                 </value>
             </array>
         </property>
+        <!-- An empty value on access policies so there are no restrictions on who can perform the operations -->
         <property name="createAccessPolicyStrings">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="updateAccessPolicyStrings">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="deleteAccessPolicyStrings">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
         <property name="readAccessPolicyStrings">
             <array>
-                <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest</value>
+                <value></value>
             </array>
         </property>
     </bean>

diff --git a/...spatial/registry/registry-policy-plugin/src/main/resources/OSGI-INF/metatype/metatype.xml b/...spatial/registry/registry-policy-plugin/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -20,22 +20,22 @@
         <AD description="Roles/attributes required for create operations on registry entries. Example: {role=role1;type=type1}"
             name="Registry Create Attributes" id="createAccessPolicyStrings" required="true"
             type="String" cardinality="100"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for update operations on registry entries. Example: {role=role1;type=type1}"
             name="Registry Update Attributes" id="updateAccessPolicyStrings" required="true"
             type="String" cardinality="100"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for delete operations on registry entries. Example: {role=role1;type=type1}"
             name="Registry Delete Attributes" id="deleteAccessPolicyStrings" required="true"
             type="String" cardinality="100"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for reading registry entries. Example: {role=role1;type=type1}"
             name="Registry Read Attributes" id="readAccessPolicyStrings" required="true"
             type="String" cardinality="100"
-            default="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role=guest"/>
+            default=""/>
 
         <AD description="Roles/attributes required for an admin to bypass all filtering/access controls. Example: {role=role1;type=type1}"
             name="Registry Admin Attributes" id="registryBypassPolicyStrings" required="true"

diff --git a/...pep-interceptor/src/main/java/ddf/security/pep/interceptor/PEPAuthorizingInterceptor.java b/...pep-interceptor/src/main/java/ddf/security/pep/interceptor/PEPAuthorizingInterceptor.java
@@ -36,8 +36,10 @@
 import org.apache.cxf.service.model.MessageInfo;
 import org.apache.cxf.ws.addressing.JAXWSAConstants;
 import org.apache.cxf.ws.addressing.Names;
+import org.apache.shiro.subject.SimplePrincipalCollection;
 import org.apache.shiro.util.ThreadContext;
 import org.codice.ddf.platform.util.XMLUtils;
+import org.codice.ddf.security.handler.api.SessionToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Element;
@@ -83,19 +85,21 @@ public void setSecurityManager(SecurityManager securityManager) {
   @Override
   public void handleMessage(Message message) throws Fault {
     if (message != null) {
-      // grab the SAML assertion associated with this Message from the
-      // token store
+      // grab the SAML assertion associated with this Message from the token store
       SecurityAssertion assertion = assertionRetriever.apply(message);
       boolean isPermitted = false;
 
       if ((assertion != null) && (assertion.getToken() != null)) {
         Subject user = null;
         CollectionPermission action = null;
-
         String actionURI = getActionUri(message);
 
+        SimplePrincipalCollection principalCollection = new SimplePrincipalCollection();
+        principalCollection.add(assertion, "security");
+        SessionToken token = new SessionToken(principalCollection);
+
         try {
-          user = securityManager.getSubject(assertion.getToken());
+          user = securityManager.getSubject(token);
           if (user == null) {
             throw new AccessDeniedException("Unauthorized");
           }

diff --git a/...pep-interceptor/src/test/java/ddf/security/pep/interceptor/PepInterceptorActionsTest.java b/...pep-interceptor/src/test/java/ddf/security/pep/interceptor/PepInterceptorActionsTest.java
@@ -15,6 +15,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.isA;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.mock;
@@ -63,9 +64,7 @@ public void testMessageWithDefaultUriAction() throws SecurityServiceException {
 
     // SecurityLogger is already stubbed out
     when(mockSecurityAssertion.getToken()).thenReturn(mockSecurityToken);
-    when(mockSecurityToken.getToken()).thenReturn(null);
-
-    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
+    when(mockSecurityManager.getSubject(any())).thenReturn(mockSubject);
 
     QName op = new QName("urn:catalog:query", "search", "ns1");
     QName port = new QName("urn:catalog:query", "query-port", "ns1");
@@ -106,9 +105,7 @@ public void testMessageWithDefaultUrlAction() throws SecurityServiceException {
 
     // SecurityLogger is already stubbed out
     when(mockSecurityAssertion.getToken()).thenReturn(mockSecurityToken);
-    when(mockSecurityToken.getToken()).thenReturn(null);
-
-    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
+    when(mockSecurityManager.getSubject(any())).thenReturn(mockSubject);
 
     QName op = new QName("http://catalog/query/", "Search", "ns1");
     QName port = new QName("http://catalog/query/", "QueryPort", "ns1");
@@ -149,9 +146,7 @@ public void testMessageWithMessageAction() throws SecurityServiceException {
 
     // SecurityLogger is already stubbed out
     when(mockSecurityAssertion.getToken()).thenReturn(mockSecurityToken);
-    when(mockSecurityToken.getToken()).thenReturn(null);
-
-    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
+    when(mockSecurityManager.getSubject(any())).thenReturn(mockSubject);
 
     MessageInfo mockMessageInfo = mock(MessageInfo.class);
     when(messageWithAction.get(MessageInfo.class.getName())).thenReturn(mockMessageInfo);
@@ -187,9 +182,7 @@ public void testMessageWithOperationAction() throws SecurityServiceException {
 
     // SecurityLogger is already stubbed out
     when(mockSecurityAssertion.getToken()).thenReturn(mockSecurityToken);
-    when(mockSecurityToken.getToken()).thenReturn(null);
-
-    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
+    when(mockSecurityManager.getSubject(any())).thenReturn(mockSubject);
 
     Exchange mockExchange = mock(Exchange.class);
     BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
@@ -227,9 +220,7 @@ public void testMessageWithNoAction() throws SecurityServiceException {
 
     // SecurityLogger is already stubbed out
     when(mockSecurityAssertion.getToken()).thenReturn(mockSecurityToken);
-    when(mockSecurityToken.getToken()).thenReturn(null);
-
-    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
+    when(mockSecurityManager.getSubject(any())).thenReturn(mockSubject);
 
     Exchange mockExchange = mock(Exchange.class);
     BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);

diff --git a/...nterceptor/src/test/java/ddf/security/pep/interceptor/PepInterceptorValidSubjectTest.java b/...nterceptor/src/test/java/ddf/security/pep/interceptor/PepInterceptorValidSubjectTest.java
@@ -14,6 +14,7 @@
 package ddf.security.pep.interceptor;
 
 import static org.junit.Assert.assertNotNull;
+import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.isA;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
@@ -29,7 +30,7 @@
 import org.apache.cxf.message.Exchange;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.service.model.BindingOperationInfo;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.codice.ddf.security.handler.api.SessionToken;
 import org.junit.Test;
 
 public class PepInterceptorValidSubjectTest {
@@ -44,15 +45,13 @@ public void testMessageValidSecurityAssertionToken() throws SecurityServiceExcep
     interceptor.setSecurityManager(mockSecurityManager);
 
     Message messageWithValidSecurityAssertion = mock(Message.class);
-    SecurityToken mockSecurityToken = mock(SecurityToken.class);
+    SessionToken mockSecurityToken = mock(SessionToken.class);
     Subject mockSubject = mock(Subject.class);
     assertNotNull(mockSecurityAssertion);
 
     // SecurityLogger is already stubbed out
     when(mockSecurityAssertion.getToken()).thenReturn(mockSecurityToken);
-    when(mockSecurityToken.getToken()).thenReturn(null);
-
-    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
+    when(mockSecurityManager.getSubject(any())).thenReturn(mockSubject);
 
     QName op = new QName("urn:catalog:query", "search", "ns1");
     QName port = new QName("urn:catalog:query", "query-port", "ns1");