argus-authz · marcocaberletti · Dec 13, 2017 · Jan 16, 2018 · Jun 27, 2019 · CnafSonarBot
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -0,0 +1,114 @@
+#!/usr/bin/env groovy
+
+@Library('sd')_
+def kubeLabel = getKubeLabel()
+
+pipeline {
+
+  agent {
+    kubernetes {
+      label "${kubeLabel}"
+      cloud 'Kube mwdevel'
+      defaultContainer 'runner'
+      inheritFrom 'ci-template'
+    }
+  }
+
+  options {
+    timeout(time: 1, unit: 'HOURS')
+    buildDiscarder(logRotator(numToKeepStr: '5'))
+  }
+
+  stages {
+    stage('build') {
+      steps {
+        sh 'mvn -U -B clean compile'
+      }
+    }
+
+    stage('test') {
+      steps {
+        sh 'mvn -U -B clean test'
+      }
+
+      post {
+        always {
+          junit '**/target/surefire-reports/TEST-*.xml'
+          jacoco()
+        }
+      }
+    }
+
+    stage('PR analysis') {
+      when {
+        not {
+          environment name: 'CHANGE_URL', value: ''
+        }
+      }
+      steps {
+        script {
+          def tokens = "${env.CHANGE_URL}".tokenize('/')
+          def organization = tokens[tokens.size()-4]
+          def repo = tokens[tokens.size()-3]
+
+          withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) {
+            withSonarQubeEnv{
+              sh """
+                mvn -B -U clean compile sonar:sonar \\
+                  -Dsonar.analysis.mode=preview \\
+                  -Dsonar.github.pullRequest=${env.CHANGE_ID} \\
+                  -Dsonar.github.repository=${organization}/${repo} \\
+                  -Dsonar.github.oauth=${GITHUB_ACCESS_TOKEN} \\
+                  -Dsonar.host.url=${SONAR_HOST_URL} \\
+                  -Dsonar.login=${SONAR_AUTH_TOKEN}
+              """
+            }
+          }
+        }
+      }
+    }
+
+    stage('analysis') {
+      when{
+        anyOf { branch 'master'; branch 'develop' }
+        environment name: 'CHANGE_URL', value: ''
+      }
+      steps {
+        script{
+          def opts = '-Dmaven.test.failure.ignore -DfailIfNoTests=false'
+          def checkstyle_opts = 'checkstyle:check -Dcheckstyle.config.location=google_checks.xml'
+
+          withSonarQubeEnv{
+            sh "mvn clean compile -U ${opts} ${checkstyle_opts} ${SONAR_MAVEN_GOAL} -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.login=${SONAR_AUTH_TOKEN}"
+          }
+        }
+      }
+    }
+
+    stage('deploy') { 
+      steps {
+       sh 'mvn -B -U clean deploy'
+      }
+    }
+
+    stage('result') {
+      steps {
+        script { currentBuild.result = 'SUCCESS' }
+      }
+    }
+  }
+
+  post {
+    failure {
+      slackSend color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)"
+    }
+
+    changed {
+      script {
+        if ('SUCCESS'.equals(currentBuild.result)) {
+          slackSend color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Back to normal (<${env.BUILD_URL}|Open>)"
+        }
+      }
+    }
+  }
+}
diff --git a/pom.xml b/pom.xml
@@ -22,13 +22,12 @@ limitations under the License.
     <parent>
         <groupId>org.glite.authz</groupId>
         <artifactId>argus-parent</artifactId>
-        <version>1.7.0</version>
+        <version>1.7.2-SNAPSHOT</version>
     </parent>
 
     <name>Argus PEP client Java library</name>
-    <groupId>org.glite.authz</groupId>
     <artifactId>pep-java</artifactId>
-    <version>2.3.0</version>
+    <version>2.4.0-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <description>Argus PEP client API for the Argus Authorization Service</description>

diff --git a/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java b/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) Members of the EGEE Collaboration. 2006-2010. See http://www.eu-egee.org/partners/
+ * for details on the copyright holders.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ * $Id$
+ */
+package org.glite.authz.common.profile;
+
+public class OidcProfileConstants {
+
+  protected static final char SEPARATOR = '/';
+
+  protected static final String NS_PREFIX = "http://glite.org/xacml";
+
+  public static final String NS_ATTRIBUTE = NS_PREFIX + SEPARATOR + "attribute";
+
+  public static final String NS_ACTION = NS_PREFIX + SEPARATOR + "action";
+
+  public static final String NS_PROFILE = NS_PREFIX + SEPARATOR + "profile";
+
+  public static final String NS_OBLIGATION = NS_PREFIX + SEPARATOR + "obligation";
+
+  public static final String ID_ATTRIBUTE_PROFILE_ID = NS_ATTRIBUTE + SEPARATOR + "profile-id";
+
+  public static final String ID_ATTRIBUTE_OIDC_ACCESS_TOKEN =
+      NS_ATTRIBUTE + SEPARATOR + "oidc-access-token";
+
+  public static final String ID_ATTRIBUTE_OIDC_ORGANISATION =
+      NS_ATTRIBUTE + SEPARATOR + "oidc-organisation";
+
+  public static final String ID_ATTRIBUTE_OIDC_ISSUER = NS_ATTRIBUTE + SEPARATOR + "oidc-issuer";
+
+  public static final String ID_ATTRIBUTE_OIDC_SUBJECT = NS_ATTRIBUTE + SEPARATOR + "oidc-subject";
+
+  public static final String ID_ATTRIBUTE_OIDC_GROUP = NS_ATTRIBUTE + SEPARATOR + "oidc-group";
+
+  public static final String ID_ATTRIBUTE_OIDC_SCOPE = NS_ATTRIBUTE + SEPARATOR + "oidc-scope";
+
+  public static final String ID_ATTRIBUTE_OIDC_USER_NAME =
+      NS_ATTRIBUTE + SEPARATOR + "oidc-user-name";
+
+  public static final String ID_ATTRIBUTE_OIDC_USER_ID = NS_ATTRIBUTE + SEPARATOR + "oidc-user-id";
+
+  public static final String ID_ATTRIBUTE_OIDC_CLIENTID =
+      NS_ATTRIBUTE + SEPARATOR + "oidc-client-id";
+
+  public static final String ID_ATTRIBUTE_SUBJECT_ID =
+      "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+
+  public static final String ID_ATTRIBUTE_RESOURCE_ID =
+      "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+
+  public static final String ID_ATTRIBUTE_ACTION_ID =
+      "urn:oasis:names:tc:xacml:1.0:action:action-id";
+
+  /** The datatype #anyURI: {@value} */
+  public static final String DATATYPE_ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI";
+
+  /** The datatype #string: {@value} */
+  public static final String DATATYPE_STRING = "http://www.w3.org/2001/XMLSchema#string";
+
+  /** Common XACML Authorization Profile version: {@value} */
+  public static final String OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION = "1.0";
+
+  /** Common XACML Authorization Profile identifier: {@value} */
+  public static final String OIDC_XACML_AUTHZ_V1_0_PROFILE_ID =
+      NS_PROFILE + SEPARATOR + "oidc-authz" + SEPARATOR + OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION;
+
+}
diff --git a/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java b/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) Members of the EGEE Collaboration. 2006-2010. See http://www.eu-egee.org/partners/
+ * for details on the copyright holders.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ * $Id$
+ */
+
+package org.glite.authz.pep.profile;
+
+import org.glite.authz.common.model.Action;
+import org.glite.authz.common.model.Attribute;
+import org.glite.authz.common.model.Environment;
+import org.glite.authz.common.model.Request;
+import org.glite.authz.common.model.Resource;
+import org.glite.authz.common.model.Subject;
+import org.glite.authz.common.profile.OidcProfileConstants;
+
+public class OidcAuthorizationProfile extends AbstractAuthorizationProfile
+    implements AuthorizationProfile {
+
+  private static OidcAuthorizationProfile singleton = null;
+
+  public OidcAuthorizationProfile() {
+    super(OidcProfileConstants.OIDC_XACML_AUTHZ_V1_0_PROFILE_ID);
+  }
+
+  public static synchronized OidcAuthorizationProfile getInstance() {
+    if (singleton == null) {
+      singleton = new OidcAuthorizationProfile();
+    }
+    return singleton;
+  }
+
+  public Request createRequest(String accessToken, String resourceId, String actionId) {
+    Request request = new Request();
+    request.setEnvironment(createEnvironment());
+
+    Subject subj = new Subject();
+    subj.getAttributes().add(createOidcAccessTokenAttribute(accessToken));
+    request.getSubjects().add(subj);
+
+    Resource resource = new Resource();
+    resource.getAttributes()
+      .add(createAttribute(OidcProfileConstants.ID_ATTRIBUTE_RESOURCE_ID, resourceId));
+    request.getResources().add(resource);
+
+    Action action = new Action();
+    action.getAttributes()
+      .add(createAttribute(OidcProfileConstants.ID_ATTRIBUTE_ACTION_ID, actionId));
+    request.setAction(action);
+
+    return request;
+  }
+
+  protected Environment createEnvironment() {
+    Environment env = new Environment();
+    env.getAttributes().add(createOidcProfileAttribute());
+    return env;
+  }
+
+  protected Attribute createOidcAccessTokenAttribute(String accessToken) {
+    return createAttribute(OidcProfileConstants.ID_ATTRIBUTE_OIDC_ACCESS_TOKEN, accessToken);
+  }
+
+  protected Attribute createOidcProfileAttribute() {
+    return createAttribute(OidcProfileConstants.ID_ATTRIBUTE_PROFILE_ID, getProfileId());
+  }
+
+  @Override
+  protected String getSubjectKeyInfoAttributeDatatype() {
+    return null;
+  }
+
+  @Override
+  protected String getProfileIdAttributeIdentifer() {
+    return OidcProfileConstants.ID_ATTRIBUTE_PROFILE_ID;
+  }
+
+  @Override
+  protected String getMapUserToPOSIXEnvironmentObligationIdentifier() {
+    return null;
+  }
+
+  @Override
+  protected String getUserIdAttributeAssignmentIdentifier() {
+    return null;
+  }
+
+  @Override
+  protected String getGroupIdAttributeAssignmentIdentifier() {
+    return null;
+  }
+
+  @Override
+  protected String getPrimaryGroupIdAttributeAssignmentIdentifier() {
+    return null;
+  }
+
+  private Attribute createAttribute(String id, String value) {
+    Attribute attr = new Attribute(id);
+    attr.getValues().add(value);
+    return attr;
+  }
+
+}