changeset 214:d9afe9c11b06

Use space as delimiter for X-Thermostat-Realms-Header Review-thread: jerboaa Reviewed-by: http://icedtea.classpath.org/pipermail/thermostat/2017-July/024302.html
author Jie Kang <jkang@redhat.com>
date Tue, 25 Jul 2017 11:21:41 -0400
parents cf039006fb0c
children 554b822def15
files common/core/src/main/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RealmAuthorizer.java common/core/src/main/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/Role.java common/core/src/test/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RealmAuthorizerTest.java common/core/src/test/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RoleFactoryTest.java services/jvm-gc/src/main/resources/jvm-gc-swagger.yaml
diffstat 5 files changed, 12 insertions(+), 11 deletions(-) [+]
--- a/common/core/src/main/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RealmAuthorizer.java	Tue Jul 25 10:48:10 2017 -0400
+++ b/common/core/src/main/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RealmAuthorizer.java	Tue Jul 25 11:21:41 2017 -0400
@@ -49,6 +49,7 @@
 public class RealmAuthorizer {
 
     public static final String REALMS_HEADER = "X-Thermostat-Realms";
+    private static final String REALMS_HEADER_DELIMITER_REGEX = " +";
 
     private final Set<Role> clientRoles;
     private final RoleFactory roleFactory = new RoleFactory();
@@ -148,8 +149,8 @@
      * @throws ServletException If realms header contains realms the client does not have or no valid realms
      */
     private Set<Role> buildClientPreferredRoles(Set<Role> trustedRoles, String realmsHeader) throws ServletException {
-        realmsHeader = realmsHeader.replaceAll("\\s+", "");
-        Set<String> preferredRealms = new HashSet<>(Arrays.asList(realmsHeader.split(",")));
+        realmsHeader = realmsHeader.trim();
+        Set<String> preferredRealms = new HashSet<>(Arrays.asList(realmsHeader.split(REALMS_HEADER_DELIMITER_REGEX)));
         Set<Role> selectedRoles = new HashSet<>();
 
         for (String preferredRealm : preferredRealms) {
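Review bot: The new delimiter `REALMS_HEADER_DELIMITER_REGEX = " +"` (first hunk) splits only on the ASCII space, while the `trim()` on the line before the split strips every character up to U+0020, tabs included; a tab between two realms — legal optional whitespace inside an HTTP header value — is therefore kept as part of a realm name, whereas the replaced `replaceAll("\\s+", "")` treated all whitespace alike. If the intent is "any whitespace separates realms", `private static final String REALMS_HEADER_DELIMITER_REGEX = "\\s+";` is the one-line fix, and `Role.RESTRICTED_CHARACTERS` in the Role.java hunk needs the same widening so that no realm can be issued as a role that cannot be addressed through the header. An empty or blank header still yields a single empty-string element from `split`, which I assume is caught by the existing "no valid realms" ServletException path in the loop that continues below the hunk. The Javadoc of buildClientPreferredRoles starts above the hunk and should state the format, e.g. `@param realmsHeader whitespace-separated list of realm names; surrounding whitespace is ignored`.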
--- a/common/core/src/main/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/Role.java	Tue Jul 25 10:48:10 2017 -0400
+++ b/common/core/src/main/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/Role.java	Tue Jul 25 11:21:41 2017 -0400
@@ -40,7 +40,7 @@
 
 public class Role {
     public static final String ROLE_DELIMITER = "-";
-    public static final String[] RESTRICTED_CHARACTERS = new String[]{","};
+    public static final String[] RESTRICTED_CHARACTERS = new String[]{" "};
 
     private final String actions;
     private final String realm;
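Review bot: `RESTRICTED_CHARACTERS` remains a `public static final String[]`, which is a mutable array: any code that can see Role can assign `RESTRICTED_CHARACTERS[0]` and silently change what counts as a valid realm. Since this hunk already rewrites the declaration, expose an unmodifiable view instead, e.g. `public static final List<String> RESTRICTED_CHARACTERS = Collections.unmodifiableList(Arrays.asList(" "));` with the matching java.util imports, or keep the array private and hand out a copy; the code that iterates it (presumably RoleFactory, not in this diff) would need the matching one-line change. The single entry also only covers the ASCII space, so if RealmAuthorizer ends up splitting on `\s+`, tab and the other whitespace characters belong in this list as well.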
--- a/common/core/src/test/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RealmAuthorizerTest.java	Tue Jul 25 10:48:10 2017 -0400
+++ b/common/core/src/test/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RealmAuthorizerTest.java	Tue Jul 25 11:21:41 2017 -0400
@@ -242,7 +242,7 @@
         String[] roles = new String[]{"w-write", "r-read", "u-update"};
         when(access.getRoles()).thenReturn(new HashSet<>(Arrays.asList(roles)));
 
-        when(request.getHeader(eq("X-Thermostat-Realms"))).thenReturn("read,update");
+        when(request.getHeader(eq("X-Thermostat-Realms"))).thenReturn("read update");
 
         RealmAuthorizer realmAuthorizer = new RealmAuthorizer(request);
         assertEquals(1, realmAuthorizer.getReadableRealms().size());
@@ -257,7 +257,7 @@
         String[] roles = new String[]{"r-read,","u-update"};
         when(access.getRoles()).thenReturn(new HashSet<>(Arrays.asList(roles)));
 
-        when(request.getHeader(eq("X-Thermostat-Realms"))).thenReturn("read,update,other");
+        when(request.getHeader(eq("X-Thermostat-Realms"))).thenReturn("read update other");
 
         new RealmAuthorizer(request);
     }
@@ -267,7 +267,7 @@
         String[] roles = new String[]{"w-write", "r-read", "u-update"};
         when(access.getRoles()).thenReturn(new HashSet<>(Arrays.asList(roles)));
 
-        when(request.getHeader(eq("X-Thermostat-Realms"))).thenReturn("  read,  update , write");
+        when(request.getHeader(eq("X-Thermostat-Realms"))).thenReturn("  read  update     write    ");
 
         RealmAuthorizer realmAuthorizer = new RealmAuthorizer(request);
         assertEquals(1, realmAuthorizer.getReadableRealms().size());
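Review bot: The three updated cases exercise only the ASCII space as separator; none covers a tab or other whitespace between realms, which is exactly where the new `" +"` delimiter and the preceding `trim()` in RealmAuthorizer disagree. One additional case with `thenReturn("read\tupdate")` would pin whichever behaviour is intended — two realms, or a single realm named `read\tupdate` that the client does not hold.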
--- a/common/core/src/test/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RoleFactoryTest.java	Tue Jul 25 10:48:10 2017 -0400
+++ b/common/core/src/test/java/com/redhat/thermostat/gateway/common/core/auth/keycloak/RoleFactoryTest.java	Tue Jul 25 11:21:41 2017 -0400
@@ -54,11 +54,11 @@
 
     @Test
     public void testValidRole() {
-        String role = "a-role";
+        String role = "a-valid,role";
         assertTrue(roleFactory.isValidRole(role));
 
         Role r = roleFactory.buildRole(role);
-        verifyRole(r, "a", "role");
+        verifyRole(r, "a", "valid,role");
     }
 
     @Test
@@ -93,8 +93,8 @@
     }
 
     @Test
-    public void testRealmWithCommaIsInvalid() {
-        String role = "a-invalid,realm";
+    public void testRealmWithSpaceIsInvalid() {
+        String role = "a-invalid realm";
         assertFalse(roleFactory.isValidRole(role));
     }
 
--- a/services/jvm-gc/src/main/resources/jvm-gc-swagger.yaml	Tue Jul 25 10:48:10 2017 -0400
+++ b/services/jvm-gc/src/main/resources/jvm-gc-swagger.yaml	Tue Jul 25 11:21:41 2017 -0400
@@ -192,4 +192,4 @@
     name: X-Thermostat-Realms
     type: string
     in: header
-    description: "Realms Header used to specify a subset of roles to use for Keycloak authorization. Attempts to specify realms that the client does not have, or no valid realms at all will result in a 400 Bad Request response. Expects a comma separated list of realms Example 'X-Thermostat-Realms: realm-one, realm-two'"
\ No newline at end of file
+    description: "Realms Header used to specify a subset of roles to use for Keycloak authorization. Attempts to specify realms that the client does not have, or no valid realms at all will result in a 400 Bad Request response. Expects a space separated list of realms. Example 'X-Thermostat-Realms: realm-one realm-two'"
\ No newline at end of file