org.wildfly.security.auth.server.SecurityDomain Java Examples
The following examples show how to use
org.wildfly.security.auth.server.SecurityDomain.
Example #1
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testKeepMappedRoleMapper() throws Exception {
    // Boot the container with "TestDomain2" and resolve its SecurityDomain service.
    init("TestDomain2");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain2");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // Authenticate and authorize "user1" on a fresh server-side context.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();

    // Role expectations for the "keep mapped" variant: the mapped role and the first source
    // group survive, the second group and an unrelated group do not.
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();
    for (String present : new String[] {"mappedGroup", "firstGroup"}) {
        Assert.assertTrue(roles.contains(present));
    }
    for (String absent : new String[] {"secondGroup", "notInThisGroup"}) {
        Assert.assertFalse(roles.contains(absent));
    }
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
Example #2
Source File: AccessIdentityResourceDefinition.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Override
protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
    // Resolve the configured security-domain name and install the management IdentityService,
    // declaring a dependency on that domain's dynamic capability so the domain is available first.
    final String securityDomain = SECURITY_DOMAIN.resolveModelAttribute(context, model).asString();
    final ServiceBuilder<?> sb = context.getServiceTarget().addService(MANAGEMENT_IDENTITY_RUNTIME_CAPABILITY.getCapabilityServiceName());
    final Supplier<SecurityDomain> sdSupplier = sb.requires(context.getCapabilityServiceName(RuntimeCapability.buildDynamicCapabilityName(SECURITY_DOMAIN_CAPABILITY, securityDomain), SecurityDomain.class));
    sb.setInstance(new IdentityService(sdSupplier, securityIdentitySupplier));
    sb.install();
    //Let's verify that the IdentityService is correctly started.
    // VERIFY-stage step: the whole operation is marked rollback-only unless the service reached UP.
    context.addStep((OperationContext context1, ModelNode operation1) -> {
        try {
            ServiceController<?> controller = context1.getServiceRegistry(false).getRequiredService(MANAGEMENT_IDENTITY_RUNTIME_CAPABILITY.getCapabilityServiceName());
            // NOTE(review): getRequiredService signals a missing service with ServiceNotFoundException
            // (handled below), so the null check is defensive. The rollback is requested on the outer
            // `context`, not the step's `context1` — presumably the same operation; confirm.
            if (controller == null || State.UP != controller.getState()) {
                context.setRollbackOnly();
            }
        } catch (ServiceNotFoundException ex) {
            context.setRollbackOnly();
        }
    }, OperationContext.Stage.VERIFY);
}
Example #3
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testAggregateEvidenceDecoder() throws Exception {
    init();
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY
            .getCapabilityServiceName("AggregateEvidenceDecoderDomain");
    SecurityDomain securityDomain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(securityDomain);

    // First chain carries a subject alternative name: the decoder uses it.
    // NOTE(review): the literal "[email protected]" looks like an e-mail address mangled by the
    // page scraper — confirm against the upstream source before relying on it.
    assertAggregateDecoding(securityDomain, true, "[email protected]", "bob0");
    // Second chain has no SAN: the decoder falls back to the subject DN.
    assertAggregateDecoding(securityDomain, false, "CN=bob0", "0");
}

// Decodes a principal from a peer certificate chain (with or without a subject alternative name),
// checks the decoded name, then checks the name after the domain's principal mapping.
private void assertAggregateDecoding(SecurityDomain securityDomain, boolean withSubjectAltName,
        String expectedDecodedName, String expectedMappedName) throws Exception {
    X509PeerCertificateChainEvidence evidence =
            new X509PeerCertificateChainEvidence(populateCertificateChain(withSubjectAltName));
    ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext();
    sac.setDecodedEvidencePrincipal(evidence);
    Assert.assertEquals(expectedDecodedName, evidence.getDecodedPrincipal().getName());
    sac.setAuthenticationPrincipal(evidence.getDecodedPrincipal());
    Assert.assertEquals(expectedMappedName, sac.getAuthenticationPrincipal().getName());
}
Example #4
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testPermissionMappers() throws Exception {
    init();
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain myDomain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    SecurityIdentity firstUser = getIdentityFromDomain(myDomain, "firstUser");
    Roles roles = Roles.fromSet(new HashSet<>(Arrays.asList("role1", "role2")));

    // Both mappers (one keyed on roles, one on the principal) must grant LoginPermission
    // and must not grant an arbitrary FilePermission.
    for (String mapperName : new String[] {"SimplePermissionMapperRole", "SimplePermissionMapperPrincipal"}) {
        ServiceName mapperServiceName =
                Capabilities.PERMISSION_MAPPER_RUNTIME_CAPABILITY.getCapabilityServiceName(mapperName);
        PermissionMapper mapper = (PermissionMapper) services.getContainer().getService(mapperServiceName).getValue();
        PermissionVerifier verifier = mapper.mapPermissions(firstUser, roles);
        Assert.assertTrue(verifier.implies(new LoginPermission()));
        Assert.assertFalse(verifier.implies(new FilePermission("aaa", "read")));
    }
}
Example #5
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testTrustedSecurityDomains() throws Exception {
    init();
    SecurityDomain myDomain = lookupTrustTestDomain("MyDomain");
    SecurityDomain x500Domain = lookupTrustTestDomain("X500Domain");
    SecurityDomain anotherDomain = lookupTrustTestDomain("AnotherDomain");

    // Trust is directional: an identity established in MyDomain can be imported into
    // AnotherDomain (which trusts MyDomain) ...
    SecurityIdentity establishedIdentity = getIdentityFromDomain(myDomain, "firstUser");
    ServerAuthenticationContext importContext = anotherDomain.createNewAuthenticationContext();
    Assert.assertTrue(importContext.importIdentity(establishedIdentity));

    // ... but an identity from AnotherDomain is rejected by X500Domain, which does not trust it.
    establishedIdentity = getIdentityFromDomain(anotherDomain, "firstUser");
    importContext = x500Domain.createNewAuthenticationContext();
    Assert.assertFalse(importContext.importIdentity(establishedIdentity));
}

// Resolves a SecurityDomain service by name and fails the test if it is absent.
private SecurityDomain lookupTrustTestDomain(String domainName) {
    ServiceName serviceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName(domainName);
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(serviceName).getValue();
    Assert.assertNotNull(domain);
    return domain;
}
Example #6
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testNonDefaultRealmIdentity() throws Exception {
    init();
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // Mechanism configuration exposing two realms; the test selects the non-default one.
    MechanismRealmConfiguration fileRealm = MechanismRealmConfiguration.builder().setRealmName("FileRealm").build();
    MechanismRealmConfiguration propRealm = MechanismRealmConfiguration.builder().setRealmName("PropRealm").build();
    MechanismConfiguration mechanismConfiguration = MechanismConfiguration.builder()
            .addMechanismRealm(fileRealm)
            .addMechanismRealm(propRealm)
            .build();

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext(
            MechanismConfigurationSelector.constantSelector(mechanismConfiguration));
    authContext.setMechanismRealmName("PropRealm");
    authContext.setAuthenticationName("xser1@PropRealm");
    Assert.assertTrue(authContext.exists());
    authContext.authorize();
    authContext.succeed();

    // The principal name seen on the identity is the one produced by the pre-realm name rewriter
    // ("xser1" -> "yser1"); no further rewriting applies.
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("yser1@PropRealm", identity.getPrincipal().getName()); // after pre-realm-name-rewriter only
}
Example #7
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testDefaultRealmIdentity() throws Exception {
    init();
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // "firstUser" lives in the default realm (FileRealm), so no realm name is given.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("firstUser"); // from FileRealm
    Assert.assertTrue(authContext.exists());
    authContext.authorize();
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    // Attributes loaded from the realm.
    Assert.assertEquals("John", identity.getAttributes().get("firstName").get(0));
    Assert.assertEquals("Smith", identity.getAttributes().get("lastName").get(0));

    // Roles arrive already decorated with the configured prefix/suffix.
    Roles roles = identity.getRoles();
    for (String decoratedRole : new String[] {"prefixEmployeesuffix", "prefixManagersuffix", "prefixAdminsuffix"}) {
        Assert.assertTrue(roles.contains(decoratedRole));
    }
    Assert.assertEquals("firstUser", identity.getPrincipal().getName());

    // Permission mapping: read on "test" is granted, write is not.
    Assert.assertTrue(identity.implies(new FilePermission("test", "read")));
    Assert.assertFalse(identity.implies(new FilePermission("test", "write")));
}
Example #8
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testRegexRoleMapper3() throws Exception {
    init("TestDomain7");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain7");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // Authenticate "user3" and collect the roles the regex role mapper produced.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user3");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();

    // Expected survivors of the mapping vs. names that must not be present.
    for (String expected : new String[] {"admin", "user", "joe"}) {
        Assert.assertTrue(roles.contains(expected));
    }
    for (String unexpected : new String[] {"application-user", "123-admin-123", "aa-user-aa"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }
    Assert.assertEquals("user3", identity.getPrincipal().getName());
}
Example #9
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testRegexRoleMapper2() throws Exception {
    init("TestDomain6");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain6");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // Same user as the TestDomain7 variant, but this domain's mapper must not produce "joe".
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user3");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();

    for (String expected : new String[] {"admin", "user"}) {
        Assert.assertTrue(roles.contains(expected));
    }
    for (String unexpected : new String[] {"joe", "application-user", "123-admin-123", "aa-user-aa"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }
    Assert.assertEquals("user3", identity.getPrincipal().getName());
}
Example #10
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testRegexRoleMapper() throws Exception {
    init("TestDomain5");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain5");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // Authenticate "user2"; the regex mapper is expected to yield "application-user" only.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user2");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();

    Assert.assertTrue(roles.contains("application-user"));
    for (String unexpected : new String[] {"123-user", "joe"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }
    Assert.assertEquals("user2", identity.getPrincipal().getName());
}
Example #11
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testKeepBothMappedRoleMapper() throws Exception {
    init("TestDomain4");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain4");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();

    // "Keep both" variant: the mapped role plus both source groups are retained;
    // a group the user never had must still be absent.
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();
    for (String present : new String[] {"mappedGroup", "firstGroup", "secondGroup"}) {
        Assert.assertTrue(roles.contains(present));
    }
    Assert.assertFalse(roles.contains("notInThisGroup"));
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
Example #12
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testKeepNonMappedRoleMapper() throws Exception {
    init("TestDomain3");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain3");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();

    // "Keep non-mapped" variant: the mapped role is added, the group that was mapped away
    // ("firstGroup") is dropped, the untouched group ("secondGroup") is retained.
    Assert.assertTrue(roles.contains("mappedGroup"));
    Assert.assertFalse(roles.contains("firstGroup"));
    Assert.assertTrue(roles.contains("secondGroup"));
    Assert.assertFalse(roles.contains("notInThisGroup"));
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
Example #13
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Test
public void testMappedRoleMapper() throws Exception {
    init("TestDomain1");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain1");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();

    // Plain mapped-role-mapper: only the mapped role survives; every source group is gone.
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Roles roles = identity.getRoles();
    Assert.assertTrue(roles.contains("mappedGroup"));
    for (String absent : new String[] {"firstGroup", "secondGroup", "notInThisGroup"}) {
        Assert.assertFalse(roles.contains(absent));
    }
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
Example #14
Source File: DomainDefinition.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Flows an established identity into each outflow domain.
 * <p>
 * For every domain the identity is imported through a fresh authentication context. When the
 * import succeeds the resulting authorized identity is collected; when it is refused and
 * {@code outflowAnonymous} is set, that domain's anonymous identity is collected instead; when it
 * is refused and {@code outflowAnonymous} is not set, the domain contributes nothing — so the
 * returned array can be shorter than {@code outflowDomains}.
 *
 * @param identity the identity to outflow
 * @param outflowAnonymous whether a refused import falls back to the domain's anonymous identity
 * @param outflowDomains the domains to flow the identity into
 * @return the identities obtained, in iteration order of {@code outflowDomains}
 * @throws RuntimeException (via {@code ROOT_LOGGER.unableToPerformOutflow}) when a realm is unavailable
 */
private static SecurityIdentity[] performOutflow(SecurityIdentity identity, boolean outflowAnonymous, Set<SecurityDomain> outflowDomains) {
    List<SecurityIdentity> collected = new ArrayList<>(outflowDomains.size());
    for (SecurityDomain target : outflowDomains) {
        ServerAuthenticationContext importContext = target.createNewAuthenticationContext();
        try {
            boolean accepted = importContext.importIdentity(identity);
            if (accepted) {
                collected.add(importContext.getAuthorizedIdentity());
            } else if (outflowAnonymous) {
                collected.add(target.getAnonymousSecurityIdentity());
            }
            // otherwise: domain refused the identity and anonymous fallback is off — skip it
        } catch (RealmUnavailableException e) {
            throw ROOT_LOGGER.unableToPerformOutflow(identity.getPrincipal().getName(), e);
        }
    }
    return collected.toArray(new SecurityIdentity[0]);
}
Example #15
Source File: ElytronDeploymentProcessor.java From quarkus with Apache License 2.0 | 6 votes |
/**
 * Creates the deployment SecurityDomain from the SecurityRealm build items that have been created.
 * The first realm in {@code realms} seeds the domain builder; every further realm is added to it.
 *
 * @param recorder - the runtime recorder class used to access runtime behaviors
 * @param realms - the previously created SecurityRealm runtime values
 * @return the SecurityDomain runtime value build item, or {@code null} when no realm was contributed
 * @throws Exception on any error raised by the recorder
 */
@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
SecurityDomainBuildItem build(ElytronRecorder recorder, List<SecurityRealmBuildItem> realms) throws Exception {
    if (realms.isEmpty()) {
        return null; // no realms, no SecurityDomain build item
    }
    // The first realm configures the SecurityDomain.Builder ...
    SecurityRealmBuildItem defaultRealm = realms.get(0);
    RuntimeValue<SecurityDomain.Builder> domainBuilder =
            recorder.configureDomainBuilder(defaultRealm.getName(), defaultRealm.getRealm());
    // ... and the remaining ones are registered as additional realms.
    for (SecurityRealmBuildItem extraRealm : realms.subList(1, realms.size())) {
        recorder.addRealm(domainBuilder, extraRealm.getName(), extraRealm.getRealm());
    }
    RuntimeValue<SecurityDomain> domain = recorder.buildDomain(domainBuilder);
    return new SecurityDomainBuildItem(domain);
}
Example #16
Source File: VirtualSecurityDomainProcessor.java From wildfly-core with GNU Lesser General Public License v2.1 | 6 votes |
@Override
public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
    DeploymentUnit unit = phaseContext.getDeploymentUnit();
    // Only the root deployment installs the virtual domain, and only when one is required.
    boolean rootDeployment = unit.getParent() == null;
    if (!rootDeployment || !isVirtualDomainRequired(unit)) {
        return;
    }

    // The virtual domain is an empty SecurityDomain (builder with nothing configured),
    // published ON_DEMAND under the deployment-specific service name.
    ServiceName domainServiceName = virtualDomainName(unit);
    ServiceTarget target = phaseContext.getServiceTarget();
    ServiceBuilder<?> builder = target.addService(domainServiceName);
    final SecurityDomain emptyDomain = SecurityDomain.builder().build();
    final Consumer<SecurityDomain> provided = builder.provides(domainServiceName);
    builder.setInstance(Service.newInstance(provided, emptyDomain));
    builder.setInitialMode(Mode.ON_DEMAND);
    builder.install();
}
Example #17
Source File: ElytronToJaasFilter.java From taskana with Apache License 2.0 | 5 votes |
/**
 * Returns the security identity of the current SecurityDomain, or {@code null} when
 * {@link SecurityDomain#getCurrent()} yields no domain (callers must handle the null).
 */
private SecurityIdentity getSecurityIdentity() {
    SecurityDomain currentDomain = SecurityDomain.getCurrent();
    return currentDomain == null ? null : currentDomain.getCurrentSecurityIdentity();
}
Example #18
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testSubjectEvidenceDecoder() throws Exception {
    init();
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY
            .getCapabilityServiceName("SubjectEvidenceDecoderDomain");
    SecurityDomain securityDomain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(securityDomain);

    // Chain without a subject alternative name: the decoder takes the subject DN.
    X509PeerCertificateChainEvidence chainEvidence =
            new X509PeerCertificateChainEvidence(populateCertificateChain(false));
    ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext();
    sac.setDecodedEvidencePrincipal(chainEvidence);
    Assert.assertEquals("CN=bob0", chainEvidence.getDecodedPrincipal().getName());

    // The domain's principal mapping then reduces the DN to "0".
    sac.setAuthenticationPrincipal(chainEvidence.getDecodedPrincipal());
    Assert.assertEquals("0", sac.getAuthenticationPrincipal().getName());
}
Example #19
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testSubjectAltNameEvidenceDecoder() throws Exception {
    init();
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY
            .getCapabilityServiceName("SubjectAltNameEvidenceDecoderDomain");
    SecurityDomain securityDomain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(securityDomain);

    // Chain with a subject alternative name: the decoder takes the SAN.
    // NOTE(review): the literal "[email protected]" looks like an e-mail address mangled by the
    // page scraper — confirm against the upstream source before relying on it.
    X509PeerCertificateChainEvidence chainEvidence =
            new X509PeerCertificateChainEvidence(populateCertificateChain(true));
    ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext();
    sac.setDecodedEvidencePrincipal(chainEvidence);
    Assert.assertEquals("[email protected]", chainEvidence.getDecodedPrincipal().getName());

    // The domain's principal mapping then yields "bob0".
    sac.setAuthenticationPrincipal(chainEvidence.getDecodedPrincipal());
    Assert.assertEquals("bob0", sac.getAuthenticationPrincipal().getName());
}
Example #20
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testNamePrincipalMapping() throws Exception {
    init();
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // Unknown names — and known names qualified with a realm that does not exist — resolve to a
    // non-existent identity rather than an error.
    for (String missing : new String[] {"wrong", "firstUser@wrongRealm"}) {
        Assert.assertFalse(domain.getIdentity(missing).exists());
    }
    // A bare name hits the default realm; "name@Realm" selects that realm explicitly.
    for (String known : new String[] {"firstUser", "user1@PropRealm"}) {
        Assert.assertTrue(domain.getIdentity(known).exists());
    }
    // The Principal overload applies the same mapping.
    Assert.assertTrue(domain.getIdentity(new NamePrincipal("user1@PropRealm")).exists());
}
Example #21
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testSourceAddressRoleDecoderWithMatch() throws Exception {
    init();
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY
            .getCapabilityServiceName("SourceAddressRoleDecoderDomain");
    SecurityDomain securityDomain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(securityDomain);

    // user2: based on the security realm alone, user2 does not have the "admin" role ...
    Assert.assertFalse(authorizeWithSourceAddress(securityDomain, "user2", false, null));
    // ... a matching runtime source IP address attribute grants it ...
    Assert.assertTrue(authorizeWithSourceAddress(securityDomain, "user2", true, "10.12.14.16"));
    // ... and an unspecified (null) source address does not.
    Assert.assertFalse(authorizeWithSourceAddress(securityDomain, "user2", true, null));

    // user1: already has the "admin" role from the realm and must keep it whatever the
    // runtime source IP address attribute says.
    Assert.assertTrue(authorizeWithSourceAddress(securityDomain, "user1", false, null));
    Assert.assertTrue(authorizeWithSourceAddress(securityDomain, "user1", true, "10.12.14.16"));
    Assert.assertTrue(authorizeWithSourceAddress(securityDomain, "user1", true, null));
}

// One authorization attempt on a fresh context. When attachRuntimeAttributes is set, the
// source-address runtime attribute (sourceAddress may be null) is attached before the name.
private boolean authorizeWithSourceAddress(SecurityDomain securityDomain, String user,
        boolean attachRuntimeAttributes, String sourceAddress) throws Exception {
    ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext();
    if (attachRuntimeAttributes) {
        sac.addRuntimeAttributes(createRuntimeAttributes(sourceAddress));
    }
    sac.setAuthenticationName(user);
    return sac.authorize();
}
Example #22
Source File: ElytronRecorder.java From quarkus with Apache License 2.0 | 5 votes |
/**
 * Creates a {@linkplain SecurityDomain.Builder} for the given default {@linkplain SecurityRealm}.
 * <p>
 * The realm is registered with a role decoder that defers to the CDI-managed {@code DefaultRoleDecoder},
 * and the domain gets a permission mapper whose verifier answers {@code true} for every permission it is
 * asked about. Permission checks on identities from this domain therefore never deny anything;
 * authorization for the resulting domain has to be enforced through roles elsewhere.
 *
 * @param realmName - the default realm name, also set as the domain's default realm
 * @param realm - the default SecurityRealm
 * @return a runtime value for the SecurityDomain.Builder
 * @throws Exception on any error
 */
public RuntimeValue<SecurityDomain.Builder> configureDomainBuilder(String realmName, RuntimeValue<SecurityRealm> realm) throws Exception {
    log.debugf("buildDomain, realm=%s", realm.getValue());
    // Role decoding is looked up through CDI on every call, not captured at build time.
    RoleDecoder cdiRoleDecoder = authorizationIdentity ->
            CDI.current().select(DefaultRoleDecoder.class).get().decodeRoles(authorizationIdentity);
    // Permit-all mapper: a fresh verifier per call, each unconditionally implying the permission.
    PermissionMapper permitAllMapper = (permissionMappable, roles) -> permission -> true;
    SecurityDomain.Builder domainBuilder = SecurityDomain.builder()
            .addRealm(realmName, realm.getValue())
            .setRoleDecoder(cdiRoleDecoder)
            .build()
            .setDefaultRealmName(realmName)
            .setPermissionMapper(permitAllMapper);
    return new RuntimeValue<>(domainBuilder);
}
Example #23
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testAddRegexRoleMapperAggregate() throws Exception {
    init("TestDomain10");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain10");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // user5 goes through the aggregate mapper: "admin" and "guest" come out, "1-user" and "user" do not.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user5");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("user5", identity.getPrincipal().getName());
    Roles roles = identity.getRoles();
    for (String expected : new String[] {"admin", "guest"}) {
        Assert.assertTrue(roles.contains(expected));
    }
    for (String unexpected : new String[] {"1-user", "user"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }

    // user6 must gain neither "admin" nor an unrelated role from the same mapper.
    authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user6");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("user6", identity.getPrincipal().getName());
    roles = identity.getRoles();
    for (String unexpected : new String[] {"admin", "random"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }
}
Example #24
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testAddRegexRoleMapperWithRegexBoundaries() throws Exception {
    init("TestDomain9");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain9");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // user4: with boundary-anchored patterns none of the composite "app-*" names is produced.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user4");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("user4", identity.getPrincipal().getName());
    Roles roles = identity.getRoles();
    for (String unexpected : new String[] {
            "app-user", "app-user-first-time-user", "app-admin-first-time-user",
            "app-user-first-time-admin", "joe", "app-admin", "app-admin-first-time-admin"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }

    // user7: ends up with "admin" but not "user".
    authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user7");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("user7", identity.getPrincipal().getName());
    roles = identity.getRoles();
    Assert.assertTrue(roles.contains("admin"));
    Assert.assertFalse(roles.contains("user"));
}
Example #25
Source File: RoleMappersTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
@Test
public void testAddRegexRoleMapperReplaceAll() throws Exception {
    init("TestDomain8");
    ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain8");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // user4: replace-all rewriting turns the "user" fragments into "admin", so only the
    // "app-admin*" names remain.
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user4");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("user4", identity.getPrincipal().getName());
    Roles roles = identity.getRoles();
    for (String unexpected : new String[] {
            "app-user", "app-user-first-time-user", "app-admin-first-time-user",
            "app-user-first-time-admin", "joe"}) {
        Assert.assertFalse(roles.contains(unexpected));
    }
    for (String expected : new String[] {"app-admin", "app-admin-first-time-admin"}) {
        Assert.assertTrue(roles.contains(expected));
    }

    // user7: ends up with "admin" but not "user".
    authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user7");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("user7", identity.getPrincipal().getName());
    roles = identity.getRoles();
    Assert.assertTrue(roles.contains("admin"));
    Assert.assertFalse(roles.contains("user"));
}
Example #26
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Checks the source-address role decoder of {@code SourceAddressRoleDecoderDomain} when the
 * runtime source address does not match the decoder's configured address: user2 stays
 * unauthorized with and without the address attribute, and user1 (already authorized by the
 * realm alone) stays authorized in both cases.
 *
 * @throws Exception if the test domain cannot be initialised or authentication fails
 */
@Test
public void testSourceAddressRoleDecoderWithMismatch() throws Exception {
    init();
    final ServiceName domainServiceName =
            Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("SourceAddressRoleDecoderDomain");
    final SecurityDomain securityDomain =
            (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(securityDomain);

    // Constructed test value: a source address the decoder is not configured to map.
    final String nonMatchingSourceAddress = "10.12.16.16";

    // user2 without any runtime attribute: the realm alone does not grant "admin".
    ServerAuthenticationContext withoutAddress = securityDomain.createNewAuthenticationContext();
    withoutAddress.setAuthenticationName("user2");
    Assert.assertFalse(withoutAddress.authorize());

    // user2 with a non-matching source address: the decoder must not add "admin" either.
    ServerAuthenticationContext withAddress = securityDomain.createNewAuthenticationContext();
    withAddress.addRuntimeAttributes(createRuntimeAttributes(nonMatchingSourceAddress));
    withAddress.setAuthenticationName("user2");
    Assert.assertFalse(withAddress.authorize());

    // user1 without any runtime attribute: the realm alone already grants "admin".
    withoutAddress = securityDomain.createNewAuthenticationContext();
    withoutAddress.setAuthenticationName("user1");
    Assert.assertTrue(withoutAddress.authorize());

    // user1 with a non-matching source address: the decoder must not take "admin" away.
    withAddress = securityDomain.createNewAuthenticationContext();
    withAddress.addRuntimeAttributes(createRuntimeAttributes(nonMatchingSourceAddress));
    withAddress.setAuthenticationName("user1");
    Assert.assertTrue(withAddress.authorize());
}
Source File: DomainTestCase.java From wildfly-core with GNU Lesser General Public License v2.1
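/**
 * Authenticates and authorizes {@code userName} against {@code securityDomain} and returns the
 * resulting identity.
 * <p>
 * The original helper discarded the boolean returned by {@code authorize()}, so a denied user
 * proceeded to {@code succeed()} on a context that was never authorized. Authorization failure is
 * now reported explicitly, with the user name in the message.
 *
 * @param securityDomain the domain to authenticate against
 * @param userName the name of the principal to authenticate
 * @return the authorized identity for {@code userName}
 * @throws IllegalStateException if the domain refuses to authorize {@code userName}
 * @throws Exception for any failure reported by the authentication context
 */
private SecurityIdentity getIdentityFromDomain(final SecurityDomain securityDomain, final String userName) throws Exception {
    final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext();
    authenticationContext.setAuthenticationName(userName);
    // authorize() signals denial through its return value rather than by throwing.
    if (!authenticationContext.authorize()) {
        throw new IllegalStateException("Authorization failed for user '" + userName + "'");
    }
    authenticationContext.succeed();
    return authenticationContext.getAuthorizedIdentity();
}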
Source File: WildflyWebSecurityConfig.java From taskana with Apache License 2.0
/**
 * Returns the identity the current Elytron {@link SecurityDomain} associates with this thread.
 *
 * @return the current security identity, or {@code null} when no security domain is current
 */
private SecurityIdentity getSecurityIdentity() {
    final SecurityDomain currentDomain = SecurityDomain.getCurrent();
    // No current domain (e.g. outside an Elytron-secured request) means no identity either.
    return currentDomain == null ? null : currentDomain.getCurrentSecurityIdentity();
}
Source File: ChannelServer.java From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Creates a {@link ChannelServer} listening on the configured bind address.
 * <p>
 * The listener is backed by a throw-away {@link SecurityDomain}: its single realm holds no
 * entries, its permission mapper grants {@link PermissionVerifier#ALL} to every identity, and the
 * SASL factory accepts only the {@code ANONYMOUS} mechanism. This is a test fixture, not a
 * configuration to reuse for a real endpoint.
 *
 * @param configuration the server configuration; validated via {@code configuration.validate()}
 * @return the wrapper around the new endpoint and its accepting channel
 * @throws IOException if the listening channel cannot be created
 * @throws IllegalArgumentException if {@code configuration} is {@code null}
 * @throws RuntimeException if the thread is interrupted while waiting for a previous socket to close
 */
public static ChannelServer create(final Configuration configuration) throws IOException {
    if (configuration == null) {
        throw new IllegalArgumentException("Null configuration");
    }
    configuration.validate();

    // Hack WFCORE-3302/REM3-303 workaround: every creation after the first pauses briefly
    // so the previous listening socket has a chance to close.
    if (!firstCreate) {
        waitForPreviousSocketToClose();
    }
    firstCreate = false;

    // TODO WFCORE-3302 -- Endpoint.getCurrent() should be ok
    final Endpoint endpoint = Endpoint.builder().setEndpointName(configuration.getEndpointName()).build();
    final NetworkServerProvider serverProvider =
            endpoint.getConnectionProviderInterface(configuration.getUriScheme(), NetworkServerProvider.class);

    // Empty realm + all-permissions mapper: anonymous callers get everything.
    final SimpleMapBackedSecurityRealm emptyRealm = new SimpleMapBackedSecurityRealm();
    final SecurityDomain.Builder domainBuilder = SecurityDomain.builder();
    domainBuilder.addRealm("default", emptyRealm).build();
    domainBuilder.setDefaultRealmName("default");
    domainBuilder.setPermissionMapper((permissionMappable, roles) -> PermissionVerifier.ALL);
    final SecurityDomain testDomain = domainBuilder.build();

    // Only ANONYMOUS is offered; any other mechanism name yields no configuration.
    final SaslAuthenticationFactory saslFactory = SaslAuthenticationFactory.builder()
            .setSecurityDomain(testDomain)
            .setMechanismConfigurationSelector(mechanismInformation ->
                    "ANONYMOUS".equals(mechanismInformation.getMechanismName()) ? MechanismConfiguration.EMPTY : null)
            .setFactory(new AnonymousServerFactory())
            .build();

    System.out.println(configuration.getBindAddress());
    final AcceptingChannel<StreamConnection> listener =
            serverProvider.createServer(configuration.getBindAddress(), OptionMap.EMPTY, saslFactory, null);
    return new ChannelServer(endpoint, null, listener);
}

/**
 * Sleeps briefly so a socket bound by a previous {@link #create} call can close; restores the
 * interrupt flag and rethrows as {@link RuntimeException} if interrupted.
 */
private static void waitForPreviousSocketToClose() {
    try {
        Thread.sleep(100);
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        throw new RuntimeException(e);
    }
}
Source File: JmxFacadeRbacEnabledTestCase.java From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Builds the class-wide test {@link SecurityDomain} once before any test runs.
 * <p>
 * One user is created per {@link StandardRole} (named via {@code roleToUserName}), each backed
 * by an empty credential list, in a single map-backed realm called "Default". The permission
 * mapper hands every identity a {@link LoginPermission}.
 */
@BeforeClass
public static void setupDomain() {
    final StandardRole[] allRoles = StandardRole.values();
    final Map<String, SimpleRealmEntry> usersByName = new HashMap<>(allRoles.length);
    for (final StandardRole standardRole : allRoles) {
        // No credentials: these entries only need to exist so the user name resolves.
        usersByName.put(roleToUserName(standardRole), new SimpleRealmEntry(Collections.emptyList()));
    }

    final SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
    realm.setPasswordMap(usersByName);

    final SecurityDomain.Builder domainBuilder = SecurityDomain.builder().setDefaultRealmName("Default");
    domainBuilder.addRealm("Default", realm).build();
    domainBuilder.setPermissionMapper((permissionMappable, roleSet) -> new LoginPermission());
    testDomain = domainBuilder.build();
}