diff --git a/compose_files/sql/users.sql b/compose_files/sql/users.sql
index e8bacf1e3..e9d8329a9 100644
--- a/compose_files/sql/users.sql
+++ b/compose_files/sql/users.sql
@@ -19,6 +19,7 @@ begin
     cwms_sec.add_cwms_user('m5hectest', null, 'SWT');
     cwms_sec.add_user_to_group('m5hectest', 'All Users', 'SWT');
     cwms_sec.add_user_to_group('m5hectest', 'CWMS Users', 'SWT');
+    cwms_sec.add_user_to_group('m5hectest', 'TS ID Creator', 'SWT');
     cwms_sec.add_cwms_user('q0hectest', null, 'SWT');
     cwms_sec.add_user_to_group('q0hectest', 'All Users', 'SWT');
     cwms_sec.add_user_to_group('q0hectest', 'CWMS Users', 'SWT');
@@ -50,6 +51,7 @@ begin
     cwms_sec.add_cwms_user('m5hectest',NULL,'SWT');
     cwms_sec.add_user_to_group('m5hectest','All Users', 'SWT');
     cwms_sec.add_user_to_group('m5hectest','CWMS Users', 'SWT');
+    cwms_sec.add_user_to_group('m5hectest','TS ID Creator', 'SWT');
 
     execute immediate 'grant execute on cwms_20.cwms_upass to web_user';
 
@@ -60,4 +62,4 @@ begin
 
 end;
 /
-quit;
\ No newline at end of file
+quit;
diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
index 3e967aed0..44fe78f28 100644
--- a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
+++ b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
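Review bot: The new group membership gives `TS ID Creator` to m5hectest only, while q0hectest in the same block keeps just the two baseline groups, and nothing in the fixture says which test depends on the extra privilege; a one-line comment above the added call, such as `-- m5hectest presumably needs TS ID Creator so tests can create time-series identifiers; confirm against the test that uses it`, would stop the next person from treating it as accidental. The same grant is repeated in the second hunk for what appears to be a second setup of the same user (note the differing `null`/`NULL` spelling), so the two blocks need to be kept in step or collapsed into one. The enclosing PL/SQL `begin` block starts outside the hunk.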
@@ -56,25 +56,28 @@ public URL getJwksUrl() {
         return jwksUrl;
     }
 
-    public SecurityScheme getScheme() {
-
-
+    static SecurityScheme buildScheme(String wellKnownUrl, String clientId, String idpHint) {
         SecurityScheme scheme = new SecurityScheme().type(Type.OPENIDCONNECT)
-                .openIdConnectUrl(wellKnown.toString())
-                .scheme("openid");
-        if (idp_hint != null)
+                .openIdConnectUrl(wellKnownUrl);
+        if (idpHint != null)
         {
             Map hint = new HashMap<>();
             hint.put("query-parameter", "kc_idp_hint");
             ArrayList values = new ArrayList<>();
-            for (String value: idp_hint.split(",")) {
+            for (String value: idpHint.split(",")) {
                 values.add(value.trim());
             }
             hint.put("values", values);
             scheme.addExtension("x-kc_idp_hint", hint);
         }
-        scheme.addExtension("x-oidc-client-id", client_id);
+        scheme.addExtension("x-oidc-client-id", clientId);
+        return scheme;
+    }
+
+    public SecurityScheme getScheme() {
+
+
+        SecurityScheme scheme = buildScheme(wellKnown.toString(), client_id, idp_hint);
         return scheme;
     }
 }
diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIdConnectIdentitityProvider.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIdConnectIdentitityProvider.java
index 7287c8aa8..48d1c8940 100644
--- a/cwms-data-api/src/main/java/cwms/cda/security/OpenIdConnectIdentitityProvider.java
+++ b/cwms-data-api/src/main/java/cwms/cda/security/OpenIdConnectIdentitityProvider.java
@@ -115,6 +115,10 @@ private DataApiPrincipal getUserFromToken(Context ctx) throws CwmsAuthException
                 throw new CwmsAuthException("Not Authorized",HttpServletResponse.SC_UNAUTHORIZED);
             }
         } catch (NumberFormatException | JwtException ex) {
+            log.atFine().withCause(ex).log(
+                "JWT validation failed for bearer token from issuer configuration '%s'",
+                System.getProperty(ISSUER_PROPERTY, System.getenv(ISSUER_PROPERTY))
+            );
             throw new CwmsAuthException("JWT not valid",ex,HttpServletResponse.SC_UNAUTHORIZED);
         }
     }
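Review bot: `buildScheme` publishes empty entries in the `x-kc_idp_hint` values list whenever `idpHint` is blank or carries a trailing or doubled comma, because `split(",")` followed by `trim()` keeps empty strings; the loop body should become `String v = value.trim(); if (!v.isEmpty()) { values.add(v); }`, and the extension should probably be skipped when nothing survives. The new package-private static method also lacks a Javadoc stating that it exists so the scheme can be unit-tested without a live discovery document and that `.scheme("openid")` was dropped on purpose (that property is the HTTP authentication scheme, not an OIDC setting) — a three-line comment to that effect above the signature would keep the removal from being "restored" later. The two blank lines left in `getScheme()` and the temporary can go: `return buildScheme(wellKnown.toString(), client_id, idp_hint);`.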
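Review bot: The new log call resolves `System.getProperty(ISSUER_PROPERTY, System.getenv(ISSUER_PROPERTY))` on every rejected bearer token, even when FINE logging is disabled, which is wasted work on an unauthenticated code path that an attacker can hit freely; if the logger is Flogger, as the fluent `atFine().withCause()` chain suggests, wrap the lookup as `lazy(() -> System.getProperty(ISSUER_PROPERTY, System.getenv(ISSUER_PROPERTY)))` (from `com.google.common.flogger.LazyArgs`) so it is only evaluated when the record is emitted. Logging the exception as cause is appropriate at FINE, but JWT library messages can echo parts of the presented token or its claims, so confirm FINE output from this class is not forwarded to shared log sinks, or log `ex.getClass().getSimpleName()` in the message and drop `withCause(ex)` if it is. The enclosing `getUserFromToken` starts outside the hunk.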
diff --git a/cwms-data-api/src/test/java/cwms/cda/security/OpenIDConfigTest.java b/cwms-data-api/src/test/java/cwms/cda/security/OpenIDConfigTest.java
new file mode 100644
index 000000000..cdce8c504
--- /dev/null
+++ b/cwms-data-api/src/test/java/cwms/cda/security/OpenIDConfigTest.java
@@ -0,0 +1,42 @@
+package cwms.cda.security;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import java.util.List;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+
+class OpenIDConfigTest {
+
+    @Test
+    void buildSchemeUsesWellKnownDiscoveryUrlWithoutHttpAuthScheme() {
+        SecurityScheme scheme = OpenIDConfig.buildScheme(
+            "https://identityc.sec.usace.army.mil/auth/realms/cwbi/.well-known/openid-configuration",
+            "cwms",
+            "federation-eams, login.gov"
+        );
+
+        assertEquals(SecurityScheme.Type.OPENIDCONNECT, scheme.getType());
+        assertEquals(
+            "https://identityc.sec.usace.army.mil/auth/realms/cwbi/.well-known/openid-configuration",
+            scheme.getOpenIdConnectUrl()
+        );
+        assertTrue(scheme.getScheme() == null || scheme.getScheme().isEmpty());
+        assertNotNull(scheme.getExtensions());
+        assertEquals("cwms", scheme.getExtensions().get("x-oidc-client-id"));
+
+        @SuppressWarnings("unchecked")
+        Map hint = (Map) scheme.getExtensions().get("x-kc_idp_hint");
+        assertNotNull(hint);
+        assertEquals("kc_idp_hint", hint.get("query-parameter"));
+
+        @SuppressWarnings("unchecked")
+        List values = (List) hint.get("values");
+        assertEquals(List.of("federation-eams", "login.gov"), values);
+        assertFalse(scheme.getExtensions().containsKey("flows"));
+    }
+}
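Review bot: The only test covers the configured-hint path, so the `idpHint == null` branch of `buildScheme` — the branch that must not emit an `x-kc_idp_hint` extension at all — and the blank or trailing-comma hint values are unexercised; a second test for the null case is below, and a third asserting what `"federation-eams,"` produces would pin the trailing-comma behaviour one way or the other. The final `assertFalse(scheme.getExtensions().containsKey("flows"))` checks a key that `addExtension` is never called with, so it documents an intent (no OAuth2 flows block) rather than guarding a code path; a short comment saying so, e.g. `// flows belong to OAUTH2 schemes only; OIDC discovery must not carry one`, would make it read as deliberate. The `Map`/`List` casts appear raw on this page, which may be an extraction artefact; if they really are raw, `Map<String, Object>` and `List<String>` would remove the need for the `@SuppressWarnings` annotations.
```java
// … unchanged: buildSchemeUsesWellKnownDiscoveryUrlWithoutHttpAuthScheme …

    @Test
    void buildSchemeOmitsIdpHintExtensionWhenNoHintIsConfigured() {
        SecurityScheme scheme = OpenIDConfig.buildScheme(
            "https://example.invalid/realms/test/.well-known/openid-configuration",
            "cwms",
            null
        );

        assertEquals(SecurityScheme.Type.OPENIDCONNECT, scheme.getType());
        assertNotNull(scheme.getExtensions());
        assertFalse(scheme.getExtensions().containsKey("x-kc_idp_hint"));
        assertEquals("cwms", scheme.getExtensions().get("x-oidc-client-id"));
    }
```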