Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Devops/tweak openid for different access url #510

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion compose_files/keycloak/realm.json
Original file line number Diff line number Diff line change
Expand Up @@ -2263,7 +2263,7 @@
},
"users": [
{
"username": "l2hectest",
"username": "l2hectest.1234567890",
"enabled": true,
"credentials": [
{
Expand Down
3 changes: 3 additions & 0 deletions compose_files/pki/certs/main.conf
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,6 @@ subjectAltName = @alt_names
DNS.1 = mike-virtual-machine
DNS.2 = auth.test
DNS.3 = cwms-data.test
DNS.1 = mike-virtual-machine
DNS.2 = auth.test
DNS.3 = cwms-data.test
ktarbet marked this conversation as resolved.
Show resolved Hide resolved
36 changes: 18 additions & 18 deletions compose_files/pki/certs/main.crt
Original file line number Diff line number Diff line change
@@ -1,25 +1,25 @@
-----BEGIN CERTIFICATE-----
MIID2jCCAsKgAwIBAgIUPQCM5cpWxsqeP70zLv2W97C51DMwDQYJKoZIhvcNAQEL
MIID0DCCArigAwIBAgIUcTwoVnCdoURSpjzfy9bMqcWOGPcwDQYJKoZIhvcNAQEL
BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ4wDAYDVQQHDAVEYXZpczEP
MA0GA1UECgwGSEVDTEFCMRMwEQYDVQQDDApIRUMgTEFCIENBMB4XDTIzMDUwNDE3
MjUzNloXDTM0MDcyMTE3MjUzNlowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
MA0GA1UECgwGSEVDTEFCMRMwEQYDVQQDDApIRUMgTEFCIENBMB4XDTI0MDExMTIx
NDc0MFoXDTM1MDMzMDIxNDc0MFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
MQ4wDAYDVQQHDAVEYXZpczEPMA0GA1UECgwGSEVDTEFCMR0wGwYDVQQDDBRtaWtl
LXZpcnR1YWwtbWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AOyvH8CVTaVm6C1qoAhIKQmOQwlRr2bHuxvtvfVkrDEjZvirZrkEqNdXmQr4qK0h
AHFkqtEG0MYmlgQJeJ4ZM9O+UnzTgleORJASqgyY9psTaXkHahnPFV9W8aP89PZI
CfWHRBM+dH/Y+4y9X/wIrIfLG09tULLNkJb7hummSYO9kTPs/luxcBIZouoSndUL
6ktXfw2AszdRaTkU6Ge21VsgtntZfTzB1GQlyj2RPlBCNW/XlBAvbR+CWloUbUCJ
g9YlVshbopxklEZ0aJRp95PfUBfKCFMD/PBBu0HOb6kfs1Btq1HFj8T5HFVJgjkU
rW0uwKKGdd6DXegjzJLrNI0CAwEAAaOBoTCBnjAfBgNVHSMEGDAWgBQpAvFOgbVA
o1svtQM78HA6htjj3zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DBEBgNVHREEPTA7
ghRtaWtlLXZpcnR1YWwtbWFjaGluZYIOYXV0aC5sb2NhbGhvc3SCE2N3bXMtZGF0
YS5sb2NhbGhvc3QwHQYDVR0OBBYEFIPcwaJkhidzsAU3oiiMfPdV7vMSMA0GCSqG
SIb3DQEBCwUAA4IBAQDBWiV/fJNKwGjCHloDzyWZMRZ4PHibJQhZkMHeqMxXTvhZ
u1KQigQ70q+9IgR3DaTRKTX7pbEyShQmAyHBw6e9hj+Ojtc1aJDTV4qig3nHOGlb
C9iDCS66gPVvvAVre6QdyF2TBrtgyj9iksrCMTB6iacLAMJVrVY/xvaYghh9fwVM
89LrkbxwawN3tLNQA+WFSIwXi35tAu0NuxH5DAYH9RFUcQnalhv876GBP1Hujxu7
gNr6M9QLySuAZf7I+x3El52XvN1UOighYUdrxdP0ISi4eJ4hlRIWIhrx/DD5e6dn
KZ9Mmhh6q5nnqObugg5US6b3K6Ax5/0uvodOKZJy
AIyO0f4NwycBqQYNUBIn+j94KJN2HlUdWUtCZTIEZhvF54ET7tSYNNNnUJv67RFz
W1BPHamuvJigRAZlCQD1O9DgaSJl9JGB1dy1QYLBjf6GOYmRg5P5BsaxERYNDpqb
lXnsi/yb+mnU9NDykCcI/exZIq76FJbw7mfsghu2M0OMpZyhA5AWxHTOZ/78vU33
MQC8nsUqNygMVT65IdWtgVhq/jPed41LxBjue18cmLZyhi0xA65GygVqgHHSOw2x
5CeuIWY6GPnHORKup7PIaZDq8/UrU1OwM2eLFNWQZ0cBP0UeDzy2DL2feU+kex1K
cPArGdn1ezxFKAAk27lrbL0CAwEAAaOBlzCBlDAfBgNVHSMEGDAWgBQpAvFOgbVA
o1svtQM78HA6htjj3zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DA6BgNVHREEMzAx
ghRtaWtlLXZpcnR1YWwtbWFjaGluZYIJYXV0aC50ZXN0gg5jd21zLWRhdGEudGVz
dDAdBgNVHQ4EFgQUjxrqi0C4iJjAOqGvDynbP9f+UQIwDQYJKoZIhvcNAQELBQAD
ggEBAA/NqiRmH1Bvy1f5oUm8QRVP/U5OWIxAHzYUgI7cnpMuhYP8DFIKRYI/p3F1
exz1ARp3SQxDdwLWeQf8aiWeSmAhcLofDm32aUeQZDkFHTPsO4xtYSd3QVsVa2pb
RovEgyX8PvoBt5IsUl5FgGUwr7GxbHs2NLHwpZIExJ92PHmn4XmOWd/0uaOo5RvY
Y1xIhVycjhm8vd12ldTqn7fFurRSuSEpHD6LB8PL5FJ2bSYu47aZJIcdnQzRxktG
pljHQORRn8+fncWxWFNkMS2sK3Vf2F7c/wdzj6MC+I4Xg4SJVKd8T25G4BklVXmy
HuYh6nk3sNVDKUn8BndPeLUkozQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDgTCCAmmgAwIBAgIUJtV2MBA9pzIs8IldHcYVQ1KQBvYwDQYJKoZIhvcNAQEL
Expand Down
26 changes: 13 additions & 13 deletions compose_files/pki/certs/main.csr
Original file line number Diff line number Diff line change
@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ4wDAYDVQQH
DAVEYXZpczEPMA0GA1UECgwGSEVDTEFCMR0wGwYDVQQDDBRtaWtlLXZpcnR1YWwt
bWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOyvH8CVTaVm
6C1qoAhIKQmOQwlRr2bHuxvtvfVkrDEjZvirZrkEqNdXmQr4qK0hAHFkqtEG0MYm
lgQJeJ4ZM9O+UnzTgleORJASqgyY9psTaXkHahnPFV9W8aP89PZICfWHRBM+dH/Y
+4y9X/wIrIfLG09tULLNkJb7hummSYO9kTPs/luxcBIZouoSndUL6ktXfw2AszdR
aTkU6Ge21VsgtntZfTzB1GQlyj2RPlBCNW/XlBAvbR+CWloUbUCJg9YlVshbopxk
lEZ0aJRp95PfUBfKCFMD/PBBu0HOb6kfs1Btq1HFj8T5HFVJgjkUrW0uwKKGdd6D
XegjzJLrNI0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBtkXU4B7BtcGBLOo6V
zH4u5TbtAHLK66nmfzGeURaXmHTJVcQ8bceABoIoZ2OaXCiy+dVv+yD9AClfbzNZ
5dUDxUFaNm6Dt+RRRAVAsQM26Dua8s9hx3ZDGv6VOXOyebRAVHduQLXsTbjqovWj
M04RRwxN/6H1sIRm8lBgFAXIkc9K9qOdllrlS+i3egrjh0Nr+efS8/19Q9tpM1gW
CY36bHnd6O9v+d1ZizhcfFr29SPfVK43EOjrljPAmctrtDCZppmnhajk3bGRNHS8
bUPzxV/SpTiXPyEYD/uiykJdymzk6pG8K7leEZ56371Voc7fIrkyOsnaI9cdZ/oK
7tQH
bWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIyO0f4NwycB
qQYNUBIn+j94KJN2HlUdWUtCZTIEZhvF54ET7tSYNNNnUJv67RFzW1BPHamuvJig
RAZlCQD1O9DgaSJl9JGB1dy1QYLBjf6GOYmRg5P5BsaxERYNDpqblXnsi/yb+mnU
9NDykCcI/exZIq76FJbw7mfsghu2M0OMpZyhA5AWxHTOZ/78vU33MQC8nsUqNygM
VT65IdWtgVhq/jPed41LxBjue18cmLZyhi0xA65GygVqgHHSOw2x5CeuIWY6GPnH
ORKup7PIaZDq8/UrU1OwM2eLFNWQZ0cBP0UeDzy2DL2feU+kex1KcPArGdn1ezxF
KAAk27lrbL0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBr9QeUbXiOQ9eX6N3I
C9qkSpNxSTz6Io1McDjpPn6PTcCx9zGQG9CLMi5U33uvT5X6i6W3VzLSUkHcVYAB
QFKIix0PknignCImoS9bjGliKelhLmQpQTuhF2zUaGLnt4OVbIOFK+ge9wUmZEcI
p7KoUzDuNX+rfYmiwY2BfM9uEdRY9jHXvKCuxxygpUVjgBPxEo/VgmIvlqrzrn8p
C2s+XN+TBpMq1oOkFQpmMRpsz6CGFlq0geS6mPtxb5S0tXMJpAPZ7TH6w/sNSZbs
MSvZmSnlfGWbTSZC7uo4BTCeb8NrwoUqVucLD2Gu3jKY45ImBGw0WToadWZABbX1
pAi3
-----END CERTIFICATE REQUEST-----
52 changes: 26 additions & 26 deletions compose_files/pki/certs/main.key
Original file line number Diff line number Diff line change
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDsrx/AlU2lZugt
aqAISCkJjkMJUa9mx7sb7b31ZKwxI2b4q2a5BKjXV5kK+KitIQBxZKrRBtDGJpYE
CXieGTPTvlJ804JXjkSQEqoMmPabE2l5B2oZzxVfVvGj/PT2SAn1h0QTPnR/2PuM
vV/8CKyHyxtPbVCyzZCW+4bppkmDvZEz7P5bsXASGaLqEp3VC+pLV38NgLM3UWk5
FOhnttVbILZ7WX08wdRkJco9kT5QQjVv15QQL20fglpaFG1AiYPWJVbIW6KcZJRG
dGiUafeT31AXyghTA/zwQbtBzm+pH7NQbatRxY/E+RxVSYI5FK1tLsCihnXeg13o
I8yS6zSNAgMBAAECggEAIOqoHVYGYvMBZlOWZyB2CJyu6QxhuwcbGCLD0O2L3xef
2gSoeCHUQ4Ksx7BWcSGOWLbZ5NEwVuaF5ZDVpBM4OIIXIcIetgOUuH7IBJF/dojI
Get0j5tTyxsh5x8miFvzeqCx0IVWmXM5ZNTvlPM133rZVP4Mg5mAOudHV5ZnUflW
URACRxOuf1B+2gMJblwlVmhkk9tlXPcYTW08ocEK360tWwqiLbsMNFbE8pcoK6az
OJ/xOn7hv1jQ6H9knLC6TUJdWOKJgztFvbV87eYKWEranDt20MfSXahIqfUzE+AQ
aQdswt01vLWv8ieZWCPRQRKbV4CK48f0hYs0LROXEQKBgQD1rXm6NzJa1YjO1kNc
C4/A3R/hVJB7dmZ8aYah0QrgwGGTCWn49akfK+/DimhtD7/Oegfnyy7k5SEssstk
H0GF4woEfHjQnA4VQwNrU9v5ii1Kvfab5ViARHsOK5k82BWqruhJcDcHeV7uL7Sk
KI8Wh2BdOL0nvxhNzNPDw9ZjaQKBgQD2oOnIxHtUzD7dlaxqoOzQTwGI5yDbxa37
hx403agwL2Vw/MjZPrv3T84RVbJWr2o8n7EItLrBxals3mXV/r0Sxs8FE/Qqv8Hx
tSuRbc3JDmT3dZoYrgcTMMAUprSvVrOoZuE4FE+dSu4oBztsjswFVtxZm5aKbkNa
cHPPq/43hQKBgQCWUoL88fEZqzZ+eJPWqixXcfWjxj5xjMzAq0D5mhLx2kTZ1xTE
hGvq6tNV7kZfFRfjmr9jkOssmxZlZzEUHhvVdEoY3KB/5DypvctFzJX4Zhe4d+uB
EB/KvBwfW4XzuLPpMARpiwPgyt7PFtmM6FRFEKhh4em7fC2+zOl2C0oOoQKBgDcY
0cGha3ARRQYZtvAHTYBn9g7Qm72dVvX3RJ9I2ZcSL5ZjUrd91V41vPKQc4v8Gj66
6kDop0Q81VHWCWgaRcEZGwymXYjjV/+YmsgdgLim95V0910GG9yEqpSyfXEibHZ1
rWDq4LJiF/xnSTZCXH/g3M9D/AinA3MD5kuBwARFAoGAUBlDUu7Dv9ZI96jkhJr4
i02mAseYDIRR7wxCH/ZdtMT9bIQwI5Fhd9+CDYK91xvuNoaUpuuoeKMam7+MgC/1
ayRp/TqigJA5z0gm/14o+zBVydW2oyzXzL32NYWV26bCj2L0aOnL7joQCCQqhr4p
uQqiSBRNkj0FmBd0I+wwzO0=
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCMjtH+DcMnAakG
DVASJ/o/eCiTdh5VHVlLQmUyBGYbxeeBE+7UmDTTZ1Cb+u0Rc1tQTx2prryYoEQG
ZQkA9TvQ4GkiZfSRgdXctUGCwY3+hjmJkYOT+QbGsREWDQ6am5V57Iv8m/pp1PTQ
8pAnCP3sWSKu+hSW8O5n7IIbtjNDjKWcoQOQFsR0zmf+/L1N9zEAvJ7FKjcoDFU+
uSHVrYFYav4z3neNS8QY7ntfHJi2coYtMQOuRsoFaoBx0jsNseQnriFmOhj5xzkS
rqezyGmQ6vP1K1NTsDNnixTVkGdHAT9FHg88tgy9n3lPpHsdSnDwKxnZ9Xs8RSgA
JNu5a2y9AgMBAAECggEAHDqt4ZaNgHbEpdbEI1VcnOUqzwzsxB7oGWWdEdnQ0Rii
6WlhsNhd2ax5A862UKgoqX0uQa86qPOdHeSqVYMrL4T2kIZGA3g+RbywisyJUlpO
UXsEYFJmIj8bJaDbM0F2mJ1hswr3lMxEm/dvbKuRZeez/8zxmCwM0ZnuOpcR/imD
we6DVx2vLXdY/7eEfjcDdu77eETiXseuC4qsJufIj18O4wJmxhqLe7nK1VyLhian
jDxVR9IqzxFUHY8OSwtZTsNG9JmPc2FOqH53y9sgucI7ZruPrfmThHQaZ1s+gwNe
iGxf30tbzftj8DROqww1XvT+k0IHEmf7fW7EJPOlCQKBgQC/EmhPhTB8z28VCefe
9zJBkgKijJHWKHt4DqVWRLMxRDMB0Wgjn6cilGceVHpiV+i4Iz2WdeVxDlFM9Aw8
9wvsSlT0+tLxdXGuQ50rsncRrombPE8qOBTP63XviFqEabJNH1RxO3GUSEd1Fcf6
tIVV0Yo/9x7TglpM4uu9hE176QKBgQC8UiIn7OhnZPvtgJfIx4mnhg6qaA4Uf/7G
4nMsDJm3nGC/RJZCLjMgX0hIUeTzb0aqe3r0qznggTFJLgRjvVpEvyB+RUMVi/QP
bfgBMv0RFxCpbIQuo/o8C5a+6342QlslDRfhoLcg7v89k3mrzxT3qO1Tf9GbQWgo
KQ7cwWaptQKBgEOCCm7GHRqL47BoPo9NgWkfYGT0C3bB+NWzPwFa5oDqmqbyyLuF
ZfTWwBQ8Pr1OV//vG4x0fStTpq/srgJAOusyXA/uKud62j56zyYoON97bkz1ovbE
t726cIHACFMuUPvkrN4Q5ZFBdFXO60gNzepDTXhKJI8QSD1QE4BzJTk5AoGAMooI
SJa3uCfNxGtiUKvcMW00ul66iJ3hDhbvub6X8kKxZCNP/+rOJb3sdBwmSX5vhIkm
8kqRecKyK2WCIBJNC24PllOYMUwh75IfoJLCf7ek7RMGVk4DdeHWTt58PKuKMmNV
KWQsQVZigW/2kzk780sOhf4jjnr7LOv35R6yIpECgYBBRSQ0OZI8/gvsqRIK56LA
I5MimNA6KLjXOm0jImX+y68oksofOrw9HgAheL7rGY/SMOEOg+3MH6suj6CUevV/
OG9aJlW/H/oN7v3CUG2DLndLTvMLcl0mrdcCgB04aEQveymkHTp5U/DuxpDpU69F
tAIBuq1aPmyfMzlLqF+Zzw==
-----END PRIVATE KEY-----
Binary file modified compose_files/pki/certs/main.ks
Binary file not shown.
Binary file modified compose_files/pki/certs/main.p12
Binary file not shown.
1 change: 1 addition & 0 deletions compose_files/sql/users.sql
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ begin


cwms_sec.add_cwms_user('l2hectest',NULL,'SPK');
cwms_sec.update_edipi('l2hectest',1234567890);
cwms_sec.add_user_to_group('l2hectest','All Users', 'SPK');
cwms_sec.add_user_to_group('l2hectest','CWMS Users', 'SPK');
cwms_sec.add_user_to_group('l2hectest','TS ID Creator','SPK');
Expand Down
47 changes: 46 additions & 1 deletion cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@
import java.util.Set;
import java.util.TimeZone;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;

import javax.sql.DataSource;

Expand Down Expand Up @@ -64,6 +63,9 @@ public class AuthDao extends Dao<DataApiPrincipal>{
private static final String CHECK_API_KEY =
"select userid from cwms_20.at_api_keys where apikey = ?";

private static final String USER_FOR_EDIPI =
"select userid from cwms_20.at_sec_cwms_users where edipi = ?";

public static final String CREATE_API_KEY = "insert into cwms_20.at_api_keys(userid,key_name,apikey,created,expires) values(UPPER(?),?,?,?,?)";
public static final String REMOVE_API_KEY = "delete from cwms_20.at_api_keys where UPPER(userid) = UPPER(?) and key_name = ?";
public static final String LIST_KEYS = "select userid,key_name,created,expires from cwms_20.at_api_keys where UPPER(userid) = UPPER(?) order by created desc";
Expand Down Expand Up @@ -206,6 +208,49 @@ private String checkKey(String key) throws CwmsAuthException {
}
}

/**
*
* @param edipi
* @return
* @throws CwmsAuthException
*/
private String userForEdipi(long edipi) throws CwmsAuthException {
try {
return dsl.connectionResult(c-> {
setSessionForAuthCheck(c);
try (PreparedStatement userForEdipi = c.prepareStatement(USER_FOR_EDIPI)) {
userForEdipi.setLong(1, edipi);
adamkorynta marked this conversation as resolved.
Show resolved Hide resolved
try (ResultSet rs = userForEdipi.executeQuery()) {
if (rs.next()) {
return rs.getString(1);
} else {
// TODO: add user to database, queue email admins to assign groups appropriately
throw new CwmsAuthException("User not in database.");
}
}
}
});
} catch (DataAccessException ex) {
Throwable t = ex.getCause();
if (t instanceof CwmsAuthException) {
throw (CwmsAuthException)t;
} else {
throw ex;
}
}
}

/**
* Build a DataApiPrincipal from a given EDIPI value.
* @param edipi the Edipi value to look up.
* @return
*/
public DataApiPrincipal getPrincipalFromEdipi(Long edipi) throws CwmsAuthException {
String username = userForEdipi(edipi);
Set<RouteRole> roles = this.getRolesForUser(username);
return new DataApiPrincipal(username, roles);
}

/**
* Retrieve roles a user has.
* @param user
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
import cwms.cda.spi.CdaAccessManager;
import cwms.cda.ApiServlet;
import cwms.cda.data.dao.AuthDao;

import cwms.cda.data.dao.JooqDao;
import io.javalin.core.security.RouteRole;
import io.javalin.http.Context;
import io.javalin.http.Handler;
Expand All @@ -52,9 +52,9 @@ public class OpenIDAccessManager extends CdaAccessManager {
private DataSource dataSource = null;


public OpenIDAccessManager(String wellKnownUrl, String issuer, int realmKeyTimeout) {
public OpenIDAccessManager(String wellKnownUrl, String issuer, int realmKeyTimeout, String authUrl) {
try {
config = new OpenIDConfig(new URL(wellKnownUrl));
config = new OpenIDConfig(new URL(wellKnownUrl), authUrl);
jwtParser = Jwts.parserBuilder()
.requireIssuer(issuer)
.setSigningKeyResolver(new UrlResolver(config.getJwksUrl(),realmKeyTimeout))
Expand All @@ -72,15 +72,15 @@ public void manage(Handler handler, Context ctx, Set<RouteRole> routeRoles) thro
handler.handle(ctx);
}



private DataApiPrincipal getUserFromToken(Context ctx) throws CwmsAuthException {
try {
Jws<Claims> token = jwtParser.parseClaimsJws(getToken(ctx));
String username = token.getBody().get("preferred_username",String.class);
// TODO: get roles from JWT and DB
return new DataApiPrincipal(username, new HashSet<RouteRole>());
} catch (JwtException ex) {
AuthDao dao = AuthDao.getInstance(JooqDao.getDslContext(ctx),ctx.attribute(ApiServlet.OFFICE_ID));
String edipiStr = username.substring(username.lastIndexOf(".")+1);
long edipi = Long.parseLong(edipiStr);
return dao.getPrincipalFromEdipi(edipi);
} catch (NumberFormatException | JwtException ex) {
throw new CwmsAuthException("JWT not valid",ex,HttpServletResponse.SC_UNAUTHORIZED);
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@

public class OpenIDAccessManagerProvider implements AccessManagerProvider {
public static final String WELL_KNOWN_PROPERTY = "cwms.dataapi.access.openid.wellKnownUrl";
public static final String ALT_AUTH_URL = "cwms.dataapi.access.openid.altAuthUrl";
public static final String ISSUER_PROPERTY = "cwms.dataapi.access.openid.issuer";
public static final String TIMEOUT_PROPERTY = "cwms.dataapi.access.openid.timeout";

Expand All @@ -18,11 +19,12 @@ public CdaAccessManager create() {
String wellKnownUrl = System.getProperty(WELL_KNOWN_PROPERTY,System.getenv(WELL_KNOWN_PROPERTY));
String issuer = System.getProperty(ISSUER_PROPERTY,System.getenv(ISSUER_PROPERTY));
String timeoutStr = System.getProperty(TIMEOUT_PROPERTY,System.getenv(TIMEOUT_PROPERTY));
String altAuthUrl = System.getProperty(ALT_AUTH_URL, System.getenv(ALT_AUTH_URL));
int timeout = 3600;
if (timeoutStr != null && !timeoutStr.isEmpty()) {
timeout = Integer.parseInt(timeoutStr);
}
return new OpenIDAccessManager(wellKnownUrl,issuer,timeout);
return new OpenIDAccessManager(wellKnownUrl,issuer,timeout,altAuthUrl);
}

}
20 changes: 15 additions & 5 deletions cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

import com.fasterxml.jackson.databind.JsonNode;
Expand All @@ -28,7 +29,7 @@ public class OpenIDConfig {
private Scopes scopes = new Scopes();
private OAuthFlows flows = new OAuthFlows();

public OpenIDConfig(URL wellKnown) throws IOException {
public OpenIDConfig(URL wellKnown, String altAuthUrl) throws IOException {
this.wellKnown = wellKnown;
HttpURLConnection http = null;
try
Expand All @@ -42,10 +43,10 @@ public OpenIDConfig(URL wellKnown) throws IOException {
JsonNode node = mapper.readTree(http.getInputStream());
jwksUrl = new URL(node.get("jwks_uri").asText());
issuer = node.get("issuer").asText();
tokenUrl = new URL(node.get("token_endpoint").asText());
userInfoUrl = new URL(node.get("userinfo_endpoint").asText());
logoutUrl = new URL(node.get("end_session_endpoint").asText());
authUrl = new URL(node.get("authorization_endpoint").asText());
tokenUrl = substituteBase(new URL(node.get("token_endpoint").asText()),altAuthUrl);
userInfoUrl = substituteBase(new URL(node.get("userinfo_endpoint").asText()),altAuthUrl);
logoutUrl = substituteBase(new URL(node.get("end_session_endpoint").asText()),altAuthUrl);
authUrl = substituteBase(new URL(node.get("authorization_endpoint").asText()),altAuthUrl);
JsonNode scopes = node.get("scopes_supported");
for(JsonNode scope: scopes) {
this.scopes.addString(scope.asText(), "");
Expand Down Expand Up @@ -80,6 +81,15 @@ public OpenIDConfig(URL wellKnown) throws IOException {
}
}

private URL substituteBase(URL endPoint, String altAuthUrl) throws MalformedURLException {
if (altAuthUrl == null || altAuthUrl.isEmpty()) {
return endPoint;
}
String originalPath = endPoint.getPath();

return new URL(altAuthUrl+"/"+originalPath);
}

public URL getJwksUrl() {
return jwksUrl;
}
Expand Down
12 changes: 5 additions & 7 deletions docker-compose.README.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,11 @@ can be verified correctly.

The following users and permissions are available:

| User | Password | Office | Permissions |
| ----------- | ----------- | ------ | ------------ |
| l2hectest | l2hectest | SPK | General User |
| l1hectest | l1hectest | SPL | No permissions |
| m5hectest | m5hectest | SWT | General User |
| User | Password | Office | Permissions |
| --------------------- | ----------- | ------ | ------------ |
| l2hectest.1234567890 | l2hectest | SPK | General User |
ktarbet marked this conversation as resolved.
Show resolved Hide resolved
| l1hectest | l1hectest | SPL | No permissions |
| m5hectest | m5hectest | SWT | General User |


## Inventory of services
Expand All @@ -47,5 +47,3 @@ The following users and permissions are available:
|[auth](./compose_files/keycloak/Dockerfile)||8080|authentication-token service (keycloak)|
|db_install|||connects to db and installs CWMS schema|
|db_webuser_ permissions|||connects to db and sets permissions |


Loading