diff --git a/compose_files/keycloak/realm.json b/compose_files/keycloak/realm.json
index 933544ece..03f3e35a5 100644
--- a/compose_files/keycloak/realm.json
+++ b/compose_files/keycloak/realm.json
@@ -2263,7 +2263,7 @@
 },
 "users": [
 {
- "username": "l2hectest",
+ "username": "l2hectest.1234567890",
 "enabled": true,
 "credentials": [
 {
diff --git a/compose_files/pki/certs/main.conf b/compose_files/pki/certs/main.conf
index 72b16169e..661e9c3c9 100644
--- a/compose_files/pki/certs/main.conf
+++ b/compose_files/pki/certs/main.conf
@@ -7,3 +7,6 @@ subjectAltName = @alt_names
 DNS.1 = mike-virtual-machine
 DNS.2 = auth.test
 DNS.3 = cwms-data.test
+DNS.1 = mike-virtual-machine
+DNS.2 = auth.test
+DNS.3 = cwms-data.test
diff --git a/compose_files/pki/certs/main.crt b/compose_files/pki/certs/main.crt
index 3bc203207..c75850d5a 100644
--- a/compose_files/pki/certs/main.crt
+++ b/compose_files/pki/certs/main.crt
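Review bot: The three added `DNS.n` lines in `main.conf` repeat the existing `DNS.1`–`DNS.3` entries of the `alt_names` section verbatim, so each key is now defined twice with the same value. As far as I can tell OpenSSL's config parser keeps one value per key name within a section (a repeated key replaces the earlier one rather than adding a SAN), and decoding the SAN extension of the regenerated `main.crt` in this commit shows the same three names, which suggests the duplicates were simply collapsed. Unless another hostname was meant to be introduced, the three `+` lines should be dropped; if more names are wanted they should continue the numbering, e.g. `DNS.4 = <new-host>`. The `[alt_names]` section header lies outside the hunk.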
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIID2jCCAsKgAwIBAgIUPQCM5cpWxsqeP70zLv2W97C51DMwDQYJKoZIhvcNAQEL +MIID0DCCArigAwIBAgIUcTwoVnCdoURSpjzfy9bMqcWOGPcwDQYJKoZIhvcNAQEL BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ4wDAYDVQQHDAVEYXZpczEP -MA0GA1UECgwGSEVDTEFCMRMwEQYDVQQDDApIRUMgTEFCIENBMB4XDTIzMDUwNDE3 -MjUzNloXDTM0MDcyMTE3MjUzNlowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB +MA0GA1UECgwGSEVDTEFCMRMwEQYDVQQDDApIRUMgTEFCIENBMB4XDTI0MDExMTIx +NDc0MFoXDTM1MDMzMDIxNDc0MFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB MQ4wDAYDVQQHDAVEYXZpczEPMA0GA1UECgwGSEVDTEFCMR0wGwYDVQQDDBRtaWtl LXZpcnR1YWwtbWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AOyvH8CVTaVm6C1qoAhIKQmOQwlRr2bHuxvtvfVkrDEjZvirZrkEqNdXmQr4qK0h -AHFkqtEG0MYmlgQJeJ4ZM9O+UnzTgleORJASqgyY9psTaXkHahnPFV9W8aP89PZI -CfWHRBM+dH/Y+4y9X/wIrIfLG09tULLNkJb7hummSYO9kTPs/luxcBIZouoSndUL -6ktXfw2AszdRaTkU6Ge21VsgtntZfTzB1GQlyj2RPlBCNW/XlBAvbR+CWloUbUCJ -g9YlVshbopxklEZ0aJRp95PfUBfKCFMD/PBBu0HOb6kfs1Btq1HFj8T5HFVJgjkU -rW0uwKKGdd6DXegjzJLrNI0CAwEAAaOBoTCBnjAfBgNVHSMEGDAWgBQpAvFOgbVA -o1svtQM78HA6htjj3zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DBEBgNVHREEPTA7 -ghRtaWtlLXZpcnR1YWwtbWFjaGluZYIOYXV0aC5sb2NhbGhvc3SCE2N3bXMtZGF0 -YS5sb2NhbGhvc3QwHQYDVR0OBBYEFIPcwaJkhidzsAU3oiiMfPdV7vMSMA0GCSqG -SIb3DQEBCwUAA4IBAQDBWiV/fJNKwGjCHloDzyWZMRZ4PHibJQhZkMHeqMxXTvhZ -u1KQigQ70q+9IgR3DaTRKTX7pbEyShQmAyHBw6e9hj+Ojtc1aJDTV4qig3nHOGlb -C9iDCS66gPVvvAVre6QdyF2TBrtgyj9iksrCMTB6iacLAMJVrVY/xvaYghh9fwVM -89LrkbxwawN3tLNQA+WFSIwXi35tAu0NuxH5DAYH9RFUcQnalhv876GBP1Hujxu7 -gNr6M9QLySuAZf7I+x3El52XvN1UOighYUdrxdP0ISi4eJ4hlRIWIhrx/DD5e6dn -KZ9Mmhh6q5nnqObugg5US6b3K6Ax5/0uvodOKZJy +AIyO0f4NwycBqQYNUBIn+j94KJN2HlUdWUtCZTIEZhvF54ET7tSYNNNnUJv67RFz +W1BPHamuvJigRAZlCQD1O9DgaSJl9JGB1dy1QYLBjf6GOYmRg5P5BsaxERYNDpqb +lXnsi/yb+mnU9NDykCcI/exZIq76FJbw7mfsghu2M0OMpZyhA5AWxHTOZ/78vU33 +MQC8nsUqNygMVT65IdWtgVhq/jPed41LxBjue18cmLZyhi0xA65GygVqgHHSOw2x +5CeuIWY6GPnHORKup7PIaZDq8/UrU1OwM2eLFNWQZ0cBP0UeDzy2DL2feU+kex1K +cPArGdn1ezxFKAAk27lrbL0CAwEAAaOBlzCBlDAfBgNVHSMEGDAWgBQpAvFOgbVA 
+o1svtQM78HA6htjj3zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DA6BgNVHREEMzAx +ghRtaWtlLXZpcnR1YWwtbWFjaGluZYIJYXV0aC50ZXN0gg5jd21zLWRhdGEudGVz +dDAdBgNVHQ4EFgQUjxrqi0C4iJjAOqGvDynbP9f+UQIwDQYJKoZIhvcNAQELBQAD +ggEBAA/NqiRmH1Bvy1f5oUm8QRVP/U5OWIxAHzYUgI7cnpMuhYP8DFIKRYI/p3F1 +exz1ARp3SQxDdwLWeQf8aiWeSmAhcLofDm32aUeQZDkFHTPsO4xtYSd3QVsVa2pb +RovEgyX8PvoBt5IsUl5FgGUwr7GxbHs2NLHwpZIExJ92PHmn4XmOWd/0uaOo5RvY +Y1xIhVycjhm8vd12ldTqn7fFurRSuSEpHD6LB8PL5FJ2bSYu47aZJIcdnQzRxktG +pljHQORRn8+fncWxWFNkMS2sK3Vf2F7c/wdzj6MC+I4Xg4SJVKd8T25G4BklVXmy +HuYh6nk3sNVDKUn8BndPeLUkozQ= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDgTCCAmmgAwIBAgIUJtV2MBA9pzIs8IldHcYVQ1KQBvYwDQYJKoZIhvcNAQEL diff --git a/compose_files/pki/certs/main.csr b/compose_files/pki/certs/main.csr index 017c7c9e5..9daa1fcca 100644 --- a/compose_files/pki/certs/main.csr +++ b/compose_files/pki/certs/main.csr 
@@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE REQUEST----- MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ4wDAYDVQQH DAVEYXZpczEPMA0GA1UECgwGSEVDTEFCMR0wGwYDVQQDDBRtaWtlLXZpcnR1YWwt -bWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOyvH8CVTaVm -6C1qoAhIKQmOQwlRr2bHuxvtvfVkrDEjZvirZrkEqNdXmQr4qK0hAHFkqtEG0MYm -lgQJeJ4ZM9O+UnzTgleORJASqgyY9psTaXkHahnPFV9W8aP89PZICfWHRBM+dH/Y -+4y9X/wIrIfLG09tULLNkJb7hummSYO9kTPs/luxcBIZouoSndUL6ktXfw2AszdR -aTkU6Ge21VsgtntZfTzB1GQlyj2RPlBCNW/XlBAvbR+CWloUbUCJg9YlVshbopxk -lEZ0aJRp95PfUBfKCFMD/PBBu0HOb6kfs1Btq1HFj8T5HFVJgjkUrW0uwKKGdd6D -XegjzJLrNI0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBtkXU4B7BtcGBLOo6V -zH4u5TbtAHLK66nmfzGeURaXmHTJVcQ8bceABoIoZ2OaXCiy+dVv+yD9AClfbzNZ -5dUDxUFaNm6Dt+RRRAVAsQM26Dua8s9hx3ZDGv6VOXOyebRAVHduQLXsTbjqovWj -M04RRwxN/6H1sIRm8lBgFAXIkc9K9qOdllrlS+i3egrjh0Nr+efS8/19Q9tpM1gW -CY36bHnd6O9v+d1ZizhcfFr29SPfVK43EOjrljPAmctrtDCZppmnhajk3bGRNHS8 -bUPzxV/SpTiXPyEYD/uiykJdymzk6pG8K7leEZ56371Voc7fIrkyOsnaI9cdZ/oK -7tQH +bWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIyO0f4NwycB +qQYNUBIn+j94KJN2HlUdWUtCZTIEZhvF54ET7tSYNNNnUJv67RFzW1BPHamuvJig +RAZlCQD1O9DgaSJl9JGB1dy1QYLBjf6GOYmRg5P5BsaxERYNDpqblXnsi/yb+mnU +9NDykCcI/exZIq76FJbw7mfsghu2M0OMpZyhA5AWxHTOZ/78vU33MQC8nsUqNygM +VT65IdWtgVhq/jPed41LxBjue18cmLZyhi0xA65GygVqgHHSOw2x5CeuIWY6GPnH +ORKup7PIaZDq8/UrU1OwM2eLFNWQZ0cBP0UeDzy2DL2feU+kex1KcPArGdn1ezxF +KAAk27lrbL0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBr9QeUbXiOQ9eX6N3I +C9qkSpNxSTz6Io1McDjpPn6PTcCx9zGQG9CLMi5U33uvT5X6i6W3VzLSUkHcVYAB +QFKIix0PknignCImoS9bjGliKelhLmQpQTuhF2zUaGLnt4OVbIOFK+ge9wUmZEcI +p7KoUzDuNX+rfYmiwY2BfM9uEdRY9jHXvKCuxxygpUVjgBPxEo/VgmIvlqrzrn8p +C2s+XN+TBpMq1oOkFQpmMRpsz6CGFlq0geS6mPtxb5S0tXMJpAPZ7TH6w/sNSZbs +MSvZmSnlfGWbTSZC7uo4BTCeb8NrwoUqVucLD2Gu3jKY45ImBGw0WToadWZABbX1 +pAi3 -----END CERTIFICATE REQUEST----- diff --git a/compose_files/pki/certs/main.key b/compose_files/pki/certs/main.key index fedab4f01..91debe2d7 100644 --- a/compose_files/pki/certs/main.key 
+++ b/compose_files/pki/certs/main.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDsrx/AlU2lZugt -aqAISCkJjkMJUa9mx7sb7b31ZKwxI2b4q2a5BKjXV5kK+KitIQBxZKrRBtDGJpYE -CXieGTPTvlJ804JXjkSQEqoMmPabE2l5B2oZzxVfVvGj/PT2SAn1h0QTPnR/2PuM -vV/8CKyHyxtPbVCyzZCW+4bppkmDvZEz7P5bsXASGaLqEp3VC+pLV38NgLM3UWk5 -FOhnttVbILZ7WX08wdRkJco9kT5QQjVv15QQL20fglpaFG1AiYPWJVbIW6KcZJRG -dGiUafeT31AXyghTA/zwQbtBzm+pH7NQbatRxY/E+RxVSYI5FK1tLsCihnXeg13o -I8yS6zSNAgMBAAECggEAIOqoHVYGYvMBZlOWZyB2CJyu6QxhuwcbGCLD0O2L3xef -2gSoeCHUQ4Ksx7BWcSGOWLbZ5NEwVuaF5ZDVpBM4OIIXIcIetgOUuH7IBJF/dojI -Get0j5tTyxsh5x8miFvzeqCx0IVWmXM5ZNTvlPM133rZVP4Mg5mAOudHV5ZnUflW -URACRxOuf1B+2gMJblwlVmhkk9tlXPcYTW08ocEK360tWwqiLbsMNFbE8pcoK6az -OJ/xOn7hv1jQ6H9knLC6TUJdWOKJgztFvbV87eYKWEranDt20MfSXahIqfUzE+AQ -aQdswt01vLWv8ieZWCPRQRKbV4CK48f0hYs0LROXEQKBgQD1rXm6NzJa1YjO1kNc -C4/A3R/hVJB7dmZ8aYah0QrgwGGTCWn49akfK+/DimhtD7/Oegfnyy7k5SEssstk -H0GF4woEfHjQnA4VQwNrU9v5ii1Kvfab5ViARHsOK5k82BWqruhJcDcHeV7uL7Sk -KI8Wh2BdOL0nvxhNzNPDw9ZjaQKBgQD2oOnIxHtUzD7dlaxqoOzQTwGI5yDbxa37 -hx403agwL2Vw/MjZPrv3T84RVbJWr2o8n7EItLrBxals3mXV/r0Sxs8FE/Qqv8Hx -tSuRbc3JDmT3dZoYrgcTMMAUprSvVrOoZuE4FE+dSu4oBztsjswFVtxZm5aKbkNa -cHPPq/43hQKBgQCWUoL88fEZqzZ+eJPWqixXcfWjxj5xjMzAq0D5mhLx2kTZ1xTE -hGvq6tNV7kZfFRfjmr9jkOssmxZlZzEUHhvVdEoY3KB/5DypvctFzJX4Zhe4d+uB -EB/KvBwfW4XzuLPpMARpiwPgyt7PFtmM6FRFEKhh4em7fC2+zOl2C0oOoQKBgDcY -0cGha3ARRQYZtvAHTYBn9g7Qm72dVvX3RJ9I2ZcSL5ZjUrd91V41vPKQc4v8Gj66 -6kDop0Q81VHWCWgaRcEZGwymXYjjV/+YmsgdgLim95V0910GG9yEqpSyfXEibHZ1 -rWDq4LJiF/xnSTZCXH/g3M9D/AinA3MD5kuBwARFAoGAUBlDUu7Dv9ZI96jkhJr4 -i02mAseYDIRR7wxCH/ZdtMT9bIQwI5Fhd9+CDYK91xvuNoaUpuuoeKMam7+MgC/1 -ayRp/TqigJA5z0gm/14o+zBVydW2oyzXzL32NYWV26bCj2L0aOnL7joQCCQqhr4p -uQqiSBRNkj0FmBd0I+wwzO0= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCMjtH+DcMnAakG +DVASJ/o/eCiTdh5VHVlLQmUyBGYbxeeBE+7UmDTTZ1Cb+u0Rc1tQTx2prryYoEQG +ZQkA9TvQ4GkiZfSRgdXctUGCwY3+hjmJkYOT+QbGsREWDQ6am5V57Iv8m/pp1PTQ +8pAnCP3sWSKu+hSW8O5n7IIbtjNDjKWcoQOQFsR0zmf+/L1N9zEAvJ7FKjcoDFU+ 
+uSHVrYFYav4z3neNS8QY7ntfHJi2coYtMQOuRsoFaoBx0jsNseQnriFmOhj5xzkS +rqezyGmQ6vP1K1NTsDNnixTVkGdHAT9FHg88tgy9n3lPpHsdSnDwKxnZ9Xs8RSgA +JNu5a2y9AgMBAAECggEAHDqt4ZaNgHbEpdbEI1VcnOUqzwzsxB7oGWWdEdnQ0Rii +6WlhsNhd2ax5A862UKgoqX0uQa86qPOdHeSqVYMrL4T2kIZGA3g+RbywisyJUlpO +UXsEYFJmIj8bJaDbM0F2mJ1hswr3lMxEm/dvbKuRZeez/8zxmCwM0ZnuOpcR/imD +we6DVx2vLXdY/7eEfjcDdu77eETiXseuC4qsJufIj18O4wJmxhqLe7nK1VyLhian +jDxVR9IqzxFUHY8OSwtZTsNG9JmPc2FOqH53y9sgucI7ZruPrfmThHQaZ1s+gwNe +iGxf30tbzftj8DROqww1XvT+k0IHEmf7fW7EJPOlCQKBgQC/EmhPhTB8z28VCefe +9zJBkgKijJHWKHt4DqVWRLMxRDMB0Wgjn6cilGceVHpiV+i4Iz2WdeVxDlFM9Aw8 +9wvsSlT0+tLxdXGuQ50rsncRrombPE8qOBTP63XviFqEabJNH1RxO3GUSEd1Fcf6 +tIVV0Yo/9x7TglpM4uu9hE176QKBgQC8UiIn7OhnZPvtgJfIx4mnhg6qaA4Uf/7G +4nMsDJm3nGC/RJZCLjMgX0hIUeTzb0aqe3r0qznggTFJLgRjvVpEvyB+RUMVi/QP +bfgBMv0RFxCpbIQuo/o8C5a+6342QlslDRfhoLcg7v89k3mrzxT3qO1Tf9GbQWgo +KQ7cwWaptQKBgEOCCm7GHRqL47BoPo9NgWkfYGT0C3bB+NWzPwFa5oDqmqbyyLuF +ZfTWwBQ8Pr1OV//vG4x0fStTpq/srgJAOusyXA/uKud62j56zyYoON97bkz1ovbE +t726cIHACFMuUPvkrN4Q5ZFBdFXO60gNzepDTXhKJI8QSD1QE4BzJTk5AoGAMooI +SJa3uCfNxGtiUKvcMW00ul66iJ3hDhbvub6X8kKxZCNP/+rOJb3sdBwmSX5vhIkm +8kqRecKyK2WCIBJNC24PllOYMUwh75IfoJLCf7ek7RMGVk4DdeHWTt58PKuKMmNV +KWQsQVZigW/2kzk780sOhf4jjnr7LOv35R6yIpECgYBBRSQ0OZI8/gvsqRIK56LA +I5MimNA6KLjXOm0jImX+y68oksofOrw9HgAheL7rGY/SMOEOg+3MH6suj6CUevV/ +OG9aJlW/H/oN7v3CUG2DLndLTvMLcl0mrdcCgB04aEQveymkHTp5U/DuxpDpU69F +tAIBuq1aPmyfMzlLqF+Zzw== -----END PRIVATE KEY----- diff --git a/compose_files/pki/certs/main.ks b/compose_files/pki/certs/main.ks index 8025acb4a..cd55da74b 100644 Binary files a/compose_files/pki/certs/main.ks and b/compose_files/pki/certs/main.ks differ diff --git a/compose_files/pki/certs/main.p12 b/compose_files/pki/certs/main.p12 index ca04ba66e..d5c2ff38d 100644 Binary files a/compose_files/pki/certs/main.p12 and b/compose_files/pki/certs/main.p12 differ diff --git a/compose_files/sql/users.sql b/compose_files/sql/users.sql index c3bcb3e13..bd8c0fe4c 100644 --- a/compose_files/sql/users.sql 
+++ b/compose_files/sql/users.sql @@ -9,6 +9,7 @@ begin cwms_sec.add_cwms_user('l2hectest',NULL,'SPK'); + cwms_sec.update_edipi('l2hectest',1234567890); cwms_sec.add_user_to_group('l2hectest','All Users', 'SPK'); cwms_sec.add_user_to_group('l2hectest','CWMS Users', 'SPK'); cwms_sec.add_user_to_group('l2hectest','TS ID Creator','SPK'); diff --git a/cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java b/cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java index 94b9619e6..77764b5c4 100644 --- a/cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java +++ b/cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java @@ -21,7 +21,6 @@ import java.util.Set; import java.util.TimeZone; import java.util.concurrent.TimeUnit; -import java.util.logging.Level; import javax.sql.DataSource; @@ -64,6 +63,9 @@ public class AuthDao extends Dao{ private static final String CHECK_API_KEY = "select userid from cwms_20.at_api_keys where apikey = ?"; + private static final String USER_FOR_EDIPI = + "select userid from cwms_20.at_sec_cwms_users where edipi = ?"; + public static final String CREATE_API_KEY = "insert into cwms_20.at_api_keys(userid,key_name,apikey,created,expires) values(UPPER(?),?,?,?,?)"; public static final String REMOVE_API_KEY = "delete from cwms_20.at_api_keys where UPPER(userid) = UPPER(?) and key_name = ?"; public static final String LIST_KEYS = "select userid,key_name,created,expires from cwms_20.at_api_keys where UPPER(userid) = UPPER(?) order by created desc"; 
@@ -206,6 +208,49 @@ private String checkKey(String key) throws CwmsAuthException { } } + /** + * + * @param edipi + * @return + * @throws CwmsAuthException + */ + private String userForEdipi(long edipi) throws CwmsAuthException { + try { + return dsl.connectionResult(c-> { + setSessionForAuthCheck(c); + try (PreparedStatement userForEdipi = c.prepareStatement(USER_FOR_EDIPI)) { + userForEdipi.setLong(1, edipi); + try (ResultSet rs = userForEdipi.executeQuery()) { + if (rs.next()) { + return rs.getString(1); + } else { + // TODO: add user to database, queue email admins to assign groups appropriately + throw new CwmsAuthException("User not in database."); + } + } + } + }); + } catch (DataAccessException ex) { + Throwable t = ex.getCause(); + if (t instanceof CwmsAuthException) { + throw (CwmsAuthException)t; + } else { + throw ex; + } + } + } + + /** + * Build a DataApiPrincipal from a given EDIPI value. + * @param edipi the Edipi value to look up. + * @return + */ + public DataApiPrincipal getPrincipalFromEdipi(Long edipi) throws CwmsAuthException { + String username = userForEdipi(edipi); + Set roles = this.getRolesForUser(username); + return new DataApiPrincipal(username, roles); + } + /** * Retrieve roles a user has. * @param user diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManager.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManager.java index 96819f0dc..3b11fee38 100644 --- a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManager.java +++ b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManager.java @@ -29,7 +29,7 @@ import cwms.cda.spi.CdaAccessManager; import cwms.cda.ApiServlet; import cwms.cda.data.dao.AuthDao; - +import cwms.cda.data.dao.JooqDao; import io.javalin.core.security.RouteRole; import io.javalin.http.Context; import io.javalin.http.Handler; 
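Review bot: The Javadoc on the new `userForEdipi` is an empty template (`@param edipi`, `@return` and `@throws` carry no text) and `getPrincipalFromEdipi` has a blank `@return` and no `@throws`, so the new EDIPI lookup path is effectively undocumented. For `userForEdipi` I would state that it runs `USER_FOR_EDIPI` against `cwms_20.at_sec_cwms_users`, returns the matching `userid`, and throws `CwmsAuthException` when no row matches (keeping the auto-provisioning TODO next to that throw), plus `@throws CwmsAuthException if the EDIPI is not known to CWMS`; for `getPrincipalFromEdipi`, `@return a principal carrying the resolved username and its roles` with the same `@throws`. Separately, `getPrincipalFromEdipi(Long edipi)` unboxes its argument when calling `userForEdipi(long)`, so a null argument fails with a NullPointerException rather than an auth error; its only visible caller passes a primitive, so `long edipi` would be the simpler signature. `Set roles` is a raw type — `Set<String>` would be clearer if that is what `getRolesForUser` returns (its definition continues past the hunk).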
@@ -52,9 +52,9 @@ public class OpenIDAccessManager extends CdaAccessManager { private DataSource dataSource = null; - public OpenIDAccessManager(String wellKnownUrl, String issuer, int realmKeyTimeout) { + public OpenIDAccessManager(String wellKnownUrl, String issuer, int realmKeyTimeout, String authUrl) { try { - config = new OpenIDConfig(new URL(wellKnownUrl)); + config = new OpenIDConfig(new URL(wellKnownUrl), authUrl); jwtParser = Jwts.parserBuilder() .requireIssuer(issuer) .setSigningKeyResolver(new UrlResolver(config.getJwksUrl(),realmKeyTimeout)) @@ -72,15 +72,15 @@ public void manage(Handler handler, Context ctx, Set routeRoles) thro handler.handle(ctx); } - - private DataApiPrincipal getUserFromToken(Context ctx) throws CwmsAuthException { try { Jws token = jwtParser.parseClaimsJws(getToken(ctx)); String username = token.getBody().get("preferred_username",String.class); - // TODO: get roles from JWT and DB - return new DataApiPrincipal(username, new HashSet()); - } catch (JwtException ex) { + AuthDao dao = AuthDao.getInstance(JooqDao.getDslContext(ctx),ctx.attribute(ApiServlet.OFFICE_ID)); + String edipiStr = username.substring(username.lastIndexOf(".")+1); + long edipi = Long.parseLong(edipiStr); + return dao.getPrincipalFromEdipi(edipi); + } catch (NumberFormatException | JwtException ex) { throw new CwmsAuthException("JWT not valid",ex,HttpServletResponse.SC_UNAUTHORIZED); } } diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManagerProvider.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManagerProvider.java index d563278bc..3e4df1685 100644 --- a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManagerProvider.java +++ b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManagerProvider.java 
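Review bot: In `getUserFromToken`, `username` is null when the token carries no `preferred_username` claim, and `username.lastIndexOf(".")` then throws a NullPointerException that the `NumberFormatException | JwtException` catch does not cover, so a validly signed but incomplete token surfaces as a server error instead of the 401 every other rejection produces; a guard such as `if (username == null) throw new CwmsAuthException("JWT not valid", null, HttpServletResponse.SC_UNAUTHORIZED);` before the substring keeps all rejections on one path. Beyond the crash, the principal is now derived from whatever follows the last `.` of `preferred_username`; if the identity provider lets that attribute be edited (by users or realm admins), a username ending in someone else's EDIPI would resolve to that person's `DataApiPrincipal`, so the EDIPI should ideally be taken from a dedicated, IdP-controlled claim rather than parsed out of a display-style username — at minimum, record that trust assumption in a comment on the `substring` line. The `lastIndexOf` returning -1 case is handled only by accident (the whole username fails `parseLong`), which deserves a comment as well.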
@@ -5,6 +5,7 @@ public class OpenIDAccessManagerProvider implements AccessManagerProvider { public static final String WELL_KNOWN_PROPERTY = "cwms.dataapi.access.openid.wellKnownUrl"; + public static final String ALT_AUTH_URL = "cwms.dataapi.access.openid.altAuthUrl"; public static final String ISSUER_PROPERTY = "cwms.dataapi.access.openid.issuer"; public static final String TIMEOUT_PROPERTY = "cwms.dataapi.access.openid.timeout"; @@ -18,11 +19,12 @@ public CdaAccessManager create() { String wellKnownUrl = System.getProperty(WELL_KNOWN_PROPERTY,System.getenv(WELL_KNOWN_PROPERTY)); String issuer = System.getProperty(ISSUER_PROPERTY,System.getenv(ISSUER_PROPERTY)); String timeoutStr = System.getProperty(TIMEOUT_PROPERTY,System.getenv(TIMEOUT_PROPERTY)); + String altAuthUrl = System.getProperty(ALT_AUTH_URL, System.getenv(ALT_AUTH_URL)); int timeout = 3600; if (timeoutStr != null && !timeoutStr.isEmpty()) { timeout = Integer.parseInt(timeoutStr); } - return new OpenIDAccessManager(wellKnownUrl,issuer,timeout); + return new OpenIDAccessManager(wellKnownUrl,issuer,timeout,altAuthUrl); } } diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java index aa51c51df..4438be023 100644 --- a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java +++ b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java @@ -2,6 +2,7 @@ import java.io.IOException; import java.net.HttpURLConnection; +import java.net.MalformedURLException; import java.net.URL; import com.fasterxml.jackson.databind.JsonNode; @@ -28,7 +29,7 @@ public class OpenIDConfig { private Scopes scopes = new Scopes(); private OAuthFlows flows = new OAuthFlows(); - public OpenIDConfig(URL wellKnown) throws IOException { + public OpenIDConfig(URL wellKnown, String altAuthUrl) throws IOException { this.wellKnown = wellKnown; HttpURLConnection http = null; try 
@@ -42,10 +43,10 @@ public OpenIDConfig(URL wellKnown) throws IOException { JsonNode node = mapper.readTree(http.getInputStream()); jwksUrl = new URL(node.get("jwks_uri").asText()); issuer = node.get("issuer").asText(); - tokenUrl = new URL(node.get("token_endpoint").asText()); - userInfoUrl = new URL(node.get("userinfo_endpoint").asText()); - logoutUrl = new URL(node.get("end_session_endpoint").asText()); - authUrl = new URL(node.get("authorization_endpoint").asText()); + tokenUrl = substituteBase(new URL(node.get("token_endpoint").asText()),altAuthUrl); + userInfoUrl = substituteBase(new URL(node.get("userinfo_endpoint").asText()),altAuthUrl); + logoutUrl = substituteBase(new URL(node.get("end_session_endpoint").asText()),altAuthUrl); + authUrl = substituteBase(new URL(node.get("authorization_endpoint").asText()),altAuthUrl); JsonNode scopes = node.get("scopes_supported"); for(JsonNode scope: scopes) { this.scopes.addString(scope.asText(), ""); @@ -80,6 +81,15 @@ public OpenIDConfig(URL wellKnown) throws IOException { } } + private URL substituteBase(URL endPoint, String altAuthUrl) throws MalformedURLException { + if (altAuthUrl == null || altAuthUrl.isEmpty()) { + return endPoint; + } + String originalPath = endPoint.getPath(); + + return new URL(altAuthUrl+"/"+originalPath); + } + public URL getJwksUrl() { return jwksUrl; } diff --git a/docker-compose.README.md b/docker-compose.README.md index 44a160f40..1291167a7 100644 --- a/docker-compose.README.md +++ b/docker-compose.README.md 
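Review bot: `substituteBase` builds `altAuthUrl + "/" + originalPath`, but `URL.getPath()` already starts with `/`, so every rewritten endpoint contains a double slash, a configured `altAuthUrl` with a trailing slash yields a triple, and any query string the discovery document supplied is dropped. Replacing the last two lines with `String base = altAuthUrl.endsWith("/") ? altAuthUrl.substring(0, altAuthUrl.length() - 1) : altAuthUrl;` and `return new URL(base + endPoint.getFile());` keeps both path and query intact. A short Javadoc saying that only the scheme/host/port of a discovered endpoint is replaced by the configured alternative, and that `jwksUrl` is deliberately left on the issuer's address so `altAuthUrl` never changes where signing keys are fetched (which is what the preceding hunk appears to do — please confirm it is intentional), would make the contract clear.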
@@ -29,11 +29,11 @@ can be verified correctly. The following users and permissions are available: -| User | Password | Office | Permissions | -| ----------- | ----------- | ------ | ------------ | -| l2hectest | l2hectest | SPK | General User | -| l1hectest | l1hectest | SPL | No permissions | -| m5hectest | m5hectest | SWT | General User | +| User | Password | Office | Permissions | +| --------------------- | ----------- | ------ | ------------ | +| l2hectest.1234567890 | l2hectest | SPK | General User | +| l1hectest | l1hectest | SPL | No permissions | +| m5hectest | m5hectest | SWT | General User | ## Inventory of services @@ -47,5 +47,3 @@ The following users and permissions are available: |[auth](./compose_files/keycloak/Dockerfile)||8080|authentication-token service (keycloak)| |db_install|||connects to db and installs CWMS schema| |db_webuser_ permissions|||connects to db and sets permissions | - -