inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-09-17 14:21:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

ACS-9416 Backport ACS-9414 Enhance the Identity Provider configuration ( #3263) (#3342)

Browse Source
This commit is contained in:
Damian Ujma
2025-05-14 15:25:45 +02:00
committed by GitHub
parent c755cb5d6f
commit 2b38242eba
28 changed files with 3262 additions and 2639 deletions
Download Patch File Download Diff File Expand all files Collapse all files

188
.github/workflows/ci.yml vendored
View File

@@ -44,14 +44,10 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- id: changed-files - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.16.0
uses: Alfresco/alfresco-build-tools/.github/actions/github-list-changes@v8.13.0
with:
write-list-to-env: true
- uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.13.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Prepare maven cache and check compilation" - name: "Prepare maven cache and check compilation"
@@ -69,12 +65,12 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.16.0
continue-on-error: true continue-on-error: true
with: with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }} srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
@@ -92,10 +88,10 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.16.0
with: with:
token: ${{ secrets.BOT_GITHUB_TOKEN }} token: ${{ secrets.BOT_GITHUB_TOKEN }}
repository: "Alfresco/veracode-baseline-archive" repository: "Alfresco/veracode-baseline-archive"
@@ -148,10 +144,10 @@ jobs:
!contains(github.event.head_commit.message, '[skip tests]') && !contains(github.event.head_commit.message, '[skip tests]') &&
!contains(github.event.head_commit.message, '[force]') !contains(github.event.head_commit.message, '[force]')
steps: steps:
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- uses: Alfresco/ya-pmd-scan@v4.1.0 - uses: Alfresco/ya-pmd-scan@v4.3.0
with: with:
classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\"" classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
@@ -181,14 +177,14 @@ jobs:
testAttributes: "-Dtest=AllMmtUnitTestSuite" testAttributes: "-Dtest=AllMmtUnitTestSuite"
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testModule }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testModule }}
@@ -219,7 +215,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -261,9 +257,9 @@ jobs:
REQUIRES_INSTALLED_ARTIFACTS: true REQUIRES_INSTALLED_ARTIFACTS: true
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build" - name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: | run: |
@@ -276,7 +272,7 @@ jobs:
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }}
@@ -307,7 +303,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -340,9 +336,9 @@ jobs:
version: ['10.5', '10.6'] version: ['10.5', '10.6']
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: Run MariaDB ${{ matrix.version }} database - name: Run MariaDB ${{ matrix.version }} database
@@ -351,7 +347,7 @@ jobs:
MARIADB_VERSION: ${{ matrix.version }} MARIADB_VERSION: ${{ matrix.version }}
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.version }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.version }}
@@ -382,7 +378,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -411,9 +407,9 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run MariaDB 10.11 database" - name: "Run MariaDB 10.11 database"
@@ -422,7 +418,7 @@ jobs:
MARIADB_VERSION: 10.11 MARIADB_VERSION: 10.11
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -453,7 +449,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -482,9 +478,9 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run MySQL 8 database" - name: "Run MySQL 8 database"
@@ -493,7 +489,7 @@ jobs:
MYSQL_VERSION: 8 MYSQL_VERSION: 8
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -524,7 +520,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -552,9 +548,9 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run PostgreSQL 14.15 database" - name: "Run PostgreSQL 14.15 database"
@@ -563,7 +559,7 @@ jobs:
POSTGRES_VERSION: 14.15 POSTGRES_VERSION: 14.15
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -594,7 +590,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -622,9 +618,9 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run PostgreSQL 15.10 database" - name: "Run PostgreSQL 15.10 database"
@@ -633,7 +629,7 @@ jobs:
POSTGRES_VERSION: 15.10 POSTGRES_VERSION: 15.10
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -664,7 +660,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -692,9 +688,9 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run PostgreSQL 16.6 database" - name: "Run PostgreSQL 16.6 database"
@@ -703,7 +699,7 @@ jobs:
POSTGRES_VERSION: 16.6 POSTGRES_VERSION: 16.6
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -734,7 +730,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -760,16 +756,16 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run ActiveMQ" - name: "Run ActiveMQ"
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile activemq up -d run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile activemq up -d
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -800,7 +796,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -860,9 +856,9 @@ jobs:
mvn-options: '-Dencryption.ssl.keystore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.keystore -Dencryption.ssl.truststore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.truststore' mvn-options: '-Dencryption.ssl.keystore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.keystore -Dencryption.ssl.truststore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.truststore'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Set transformers tag" - name: "Set transformers tag"
@@ -885,7 +881,7 @@ jobs:
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }} ${{ matrix.idp }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }} ${{ matrix.idp }}
@@ -916,7 +912,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -974,9 +970,9 @@ jobs:
REQUIRES_LOCAL_IMAGES: true REQUIRES_LOCAL_IMAGES: true
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build" - name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: | run: |
@@ -992,7 +988,7 @@ jobs:
run: mvn install -pl :alfresco-community-repo-integration-test -am -DskipTests -Pall-tas-tests run: mvn install -pl :alfresco-community-repo-integration-test -am -DskipTests -Pall-tas-tests
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.test-name }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.test-name }}
@@ -1030,7 +1026,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.tests.outcome }} tests-outcome: ${{ steps.tests.outcome }}
@@ -1056,16 +1052,16 @@ jobs:
!contains(github.event.head_commit.message, '[force') !contains(github.event.head_commit.message, '[force')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init" - name: "Init"
run: bash ./scripts/ci/init.sh run: bash ./scripts/ci/init.sh
- name: "Run Postgres 16.6 database" - name: "Run Postgres 16.6 database"
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile postgres up -d run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile postgres up -d
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -1096,7 +1092,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -1130,9 +1126,9 @@ jobs:
REQUIRES_INSTALLED_ARTIFACTS: true REQUIRES_INSTALLED_ARTIFACTS: true
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build" - name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: | run: |
@@ -1140,7 +1136,7 @@ jobs:
bash ./scripts/ci/build.sh bash ./scripts/ci/build.sh
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (PostgreSQL) ${{ matrix.test-name }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (PostgreSQL) ${{ matrix.test-name }}
@@ -1176,9 +1172,9 @@ jobs:
REQUIRES_INSTALLED_ARTIFACTS: true REQUIRES_INSTALLED_ARTIFACTS: true
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build" - name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: | run: |
@@ -1186,7 +1182,7 @@ jobs:
bash ./scripts/ci/build.sh bash ./scripts/ci/build.sh
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (MySQL) ${{ matrix.test-name }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (MySQL) ${{ matrix.test-name }}
@@ -1218,9 +1214,9 @@ jobs:
REQUIRES_LOCAL_IMAGES: true REQUIRES_LOCAL_IMAGES: true
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build" - name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: | run: |
@@ -1234,7 +1230,7 @@ jobs:
mvn -B install -pl :alfresco-governance-services-automation-community-rest-api -am -Pags -Pall-tas-tests -DskipTests mvn -B install -pl :alfresco-governance-services-automation-community-rest-api -am -Pags -Pall-tas-tests -DskipTests
- name: "Prepare Report Portal" - name: "Prepare Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare id: rp-prepare
with: with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -1266,7 +1262,7 @@ jobs:
continue-on-error: true continue-on-error: true
- name: "Summarize Report Portal" - name: "Summarize Report Portal"
if: github.ref_name == 'master' if: github.ref_name == 'master'
uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0 uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize id: rp-summarize
with: with:
tests-outcome: ${{ steps.run-tests.outcome }} tests-outcome: ${{ steps.run-tests.outcome }}
@@ -1308,9 +1304,9 @@ jobs:
!contains(github.event.head_commit.message, '[force]') !contains(github.event.head_commit.message, '[force]')
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0 - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build" - name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: | run: |

10
.secrets.baseline
View File

@@ -133,21 +133,21 @@
"filename": ".github/workflows/ci.yml", "filename": ".github/workflows/ci.yml",
"hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572", "hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572",
"is_verified": false, "is_verified": false,
"line_number": 299 "line_number": 295
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": ".github/workflows/ci.yml", "filename": ".github/workflows/ci.yml",
"hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966", "hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966",
"is_verified": false, "is_verified": false,
"line_number": 374 "line_number": 370
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": ".github/workflows/ci.yml", "filename": ".github/workflows/ci.yml",
"hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39", "hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39",
"is_verified": false, "is_verified": false,
"line_number": 908 "line_number": 904
} }
], ],
".github/workflows/master_release.yml": [ ".github/workflows/master_release.yml": [
@@ -1607,7 +1607,7 @@
"filename": "repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacadeUnitTest.java", "filename": "repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacadeUnitTest.java",
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"is_verified": false, "is_verified": false,
"line_number": 46, "line_number": 48,
"is_secret": false "is_secret": false
} }
], ],
@@ -1868,5 +1868,5 @@
} }
] ]
}, },
"generated_at": "2025-02-26T15:13:52Z" "generated_at": "2025-05-13T13:17:41Z"
} }

244
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
View File

@@ -1,123 +1,121 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2023 Alfresco Software Limited * Copyright (C) 2005 - 2023 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import org.alfresco.repo.management.subsystems.ActivateableBean; import org.apache.commons.logging.Log;
import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent; import org.apache.commons.logging.LogFactory;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant; import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException; import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
import org.apache.commons.logging.Log; import org.alfresco.repo.security.authentication.AuthenticationException;
import org.apache.commons.logging.LogFactory; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
/** import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
*
* Authenticates a user against Identity Service (Keycloak/Authorization Server). /**
* {@link IdentityServiceFacade} is used to verify provided user credentials. User is set as the current user if the *
* user credentials are valid. * Authenticates a user against Identity Service (Keycloak/Authorization Server). {@link IdentityServiceFacade} is used to verify provided user credentials. User is set as the current user if the user credentials are valid. <br>
* <br> * The {@link IdentityServiceAuthenticationComponent#identityServiceFacade} can be null in which case this authenticator will just fall through to the next one in the chain.
* The {@link IdentityServiceAuthenticationComponent#identityServiceFacade} can be null in which case this authenticator *
* will just fall through to the next one in the chain. */
* public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean
*/ {
public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class);
{ /** client used to authenticate user credentials against Authorization Server **/
private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class); private IdentityServiceFacade identityServiceFacade;
/** client used to authenticate user credentials against Authorization Server **/ /** enabled flag for the identity service subsystem **/
private IdentityServiceFacade identityServiceFacade; private boolean active;
/** enabled flag for the identity service subsystem**/
private boolean active; private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
private IdentityServiceJITProvisioningHandler jitProvisioningHandler; private boolean allowGuestLogin;
private boolean allowGuestLogin; public void setIdentityServiceFacade(IdentityServiceFacade identityServiceFacade)
{
public void setIdentityServiceFacade(IdentityServiceFacade identityServiceFacade) this.identityServiceFacade = identityServiceFacade;
{ }
this.identityServiceFacade = identityServiceFacade;
} public void setAllowGuestLogin(boolean allowGuestLogin)
{
public void setAllowGuestLogin(boolean allowGuestLogin) this.allowGuestLogin = allowGuestLogin;
{ }
this.allowGuestLogin = allowGuestLogin;
} public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler)
{
public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler) this.jitProvisioningHandler = jitProvisioningHandler;
{ }
this.jitProvisioningHandler = jitProvisioningHandler;
} @Override
public void authenticateImpl(String userName, char[] password) throws AuthenticationException
@Override {
public void authenticateImpl(String userName, char[] password) throws AuthenticationException if (identityServiceFacade == null)
{ {
if (identityServiceFacade == null) if (LOGGER.isDebugEnabled())
{ {
if (LOGGER.isDebugEnabled()) LOGGER.debug("IdentityServiceFacade was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property.");
{ }
LOGGER.debug("IdentityServiceFacade was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property.");
} throw new AuthenticationException("User not authenticated because IdentityServiceFacade was not set.");
}
throw new AuthenticationException("User not authenticated because IdentityServiceFacade was not set.");
} try
{
try // Attempt to verify user credentials
{ IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(AuthorizationGrant.password(userName, String.valueOf(password)));
// Attempt to verify user credentials
IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(AuthorizationGrant.password(userName, String.valueOf(password))); String normalizedUsername = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(accessTokenAuthorization.getAccessToken().getTokenValue())
.map(OIDCUserInfo::username)
String normalizedUsername = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(accessTokenAuthorization.getAccessToken().getTokenValue()) .orElseThrow(() -> new AuthenticationException("Failed to extract username from token and user info endpoint."));
.map(OIDCUserInfo::username) // Verification was successful so treat as authenticated user
.orElseThrow(() -> new AuthenticationException("Failed to extract username from token and user info endpoint.")); setCurrentUser(normalizedUsername);
// Verification was successful so treat as authenticated user }
setCurrentUser(normalizedUsername); catch (IdentityServiceFacadeException e)
} {
catch (IdentityServiceFacadeException e) throw new AuthenticationException("Failed to verify user credentials against the OAuth2 Authorization Server.", e);
{ }
throw new AuthenticationException("Failed to verify user credentials against the OAuth2 Authorization Server.", e); catch (RuntimeException e)
} {
catch (RuntimeException e) throw new AuthenticationException("Failed to verify user credentials.", e);
{ }
throw new AuthenticationException("Failed to verify user credentials.", e); }
}
} public void setActive(boolean active)
{
public void setActive(boolean active) this.active = active;
{ }
this.active = active;
} @Override
public boolean isActive()
@Override {
public boolean isActive() return active;
{ }
return active;
} @Override
protected boolean implementationAllowsGuestLogin()
@Override {
protected boolean implementationAllowsGuestLogin() return allowGuestLogin;
{ }
return allowGuestLogin; }
}
}

743
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java
View File

@@ -1,330 +1,413 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited * Copyright (C) 2005 - 2025 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import java.util.Objects; import java.util.Objects;
import java.util.Optional; import java.util.Optional;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.stream.Stream; import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.web.util.UriComponentsBuilder; import org.springframework.web.util.UriComponentsBuilder;
/** /**
* Class to hold configuration for the Identity Service. * Class to hold configuration for the Identity Service.
* *
* @author Gavin Cornwell * @author Gavin Cornwell
*/ */
@SuppressWarnings("PMD.ExcessivePublicCount") @SuppressWarnings("PMD.ExcessivePublicCount")
public class IdentityServiceConfig public class IdentityServiceConfig
{ {
private static final String REALMS = "realms"; private static final String REALMS = "realms";
private int clientConnectionTimeout; private int clientConnectionTimeout;
private int clientSocketTimeout; private int clientSocketTimeout;
private String issuerUrl; private String issuerUrl;
private String audience; private String audience;
// client id // client id
private String resource; private String resource;
private String clientSecret; private String clientSecret;
private String authServerUrl; private String authServerUrl;
private String realm; private String realm;
private int connectionPoolSize; private int connectionPoolSize;
private boolean allowAnyHostname; private boolean allowAnyHostname;
private boolean disableTrustManager; private boolean disableTrustManager;
private String truststore; private String truststore;
private String truststorePassword; private String truststorePassword;
private String clientKeystore; private String clientKeystore;
private String clientKeystorePassword; private String clientKeystorePassword;
private String clientKeyPassword; private String clientKeyPassword;
private String realmKey; private String realmKey;
private int publicKeyCacheTtl; private int publicKeyCacheTtl;
private boolean publicClient; private boolean publicClient;
private String principalAttribute; private String principalAttribute;
private boolean clientIdValidationDisabled; private boolean clientIdValidationDisabled;
private String adminConsoleRedirectPath; private String adminConsoleRedirectPath;
private String signatureAlgorithms; private String signatureAlgorithms;
private String adminConsoleScopes;
/** private String passwordGrantScopes;
* private String issuerAttribute;
* @return Client connection timeout in milliseconds. private String firstNameAttribute;
*/ private String lastNameAttribute;
public int getClientConnectionTimeout() private String emailAttribute;
{ private long jwtClockSkewMs;
return clientConnectionTimeout;
} /**
*
/** * @return Client connection timeout in milliseconds.
* */
* @param clientConnectionTimeout Client connection timeout in milliseconds. public int getClientConnectionTimeout()
*/ {
public void setClientConnectionTimeout(int clientConnectionTimeout) return clientConnectionTimeout;
{ }
this.clientConnectionTimeout = clientConnectionTimeout;
} /**
*
/** * @param clientConnectionTimeout
* * Client connection timeout in milliseconds.
* @return Client socket timeout in milliseconds.s */
*/ public void setClientConnectionTimeout(int clientConnectionTimeout)
public int getClientSocketTimeout() {
{ this.clientConnectionTimeout = clientConnectionTimeout;
return clientSocketTimeout; }
}
/**
/** *
* * @return Client socket timeout in milliseconds.s
* @param clientSocketTimeout Client socket timeout in milliseconds. */
*/ public int getClientSocketTimeout()
public void setClientSocketTimeout(int clientSocketTimeout) {
{ return clientSocketTimeout;
this.clientSocketTimeout = clientSocketTimeout; }
}
/**
public void setConnectionPoolSize(int connectionPoolSize) *
{ * @param clientSocketTimeout
this.connectionPoolSize = connectionPoolSize; * Client socket timeout in milliseconds.
} */
public void setClientSocketTimeout(int clientSocketTimeout)
public int getConnectionPoolSize() {
{ this.clientSocketTimeout = clientSocketTimeout;
return connectionPoolSize; }
}
public void setConnectionPoolSize(int connectionPoolSize)
public String getIssuerUrl() {
{ this.connectionPoolSize = connectionPoolSize;
return issuerUrl; }
}
public int getConnectionPoolSize()
public void setIssuerUrl(String issuerUrl) {
{ return connectionPoolSize;
this.issuerUrl = issuerUrl; }
}
public String getIssuerUrl()
public String getAudience() {
{ return issuerUrl;
return audience; }
}
public void setIssuerUrl(String issuerUrl)
public void setAudience(String audience) {
{ this.issuerUrl = issuerUrl;
this.audience = audience; }
}
public String getAudience()
public String getAuthServerUrl() {
{ return audience;
return Optional.ofNullable(realm) }
.filter(StringUtils::isNotBlank)
.filter(realm -> StringUtils.isNotBlank(authServerUrl)) public void setAudience(String audience)
.map(realm -> UriComponentsBuilder.fromUriString(authServerUrl) {
.pathSegment(REALMS, realm) this.audience = audience;
.build() }
.toString())
.orElse(authServerUrl); public String getAuthServerUrl()
} {
return Optional.ofNullable(realm)
public void setAuthServerUrl(String authServerUrl) .filter(StringUtils::isNotBlank)
{ .filter(realm -> StringUtils.isNotBlank(authServerUrl))
this.authServerUrl = authServerUrl; .map(realm -> UriComponentsBuilder.fromUriString(authServerUrl)
} .pathSegment(REALMS, realm)
.build()
public String getRealm() .toString())
{ .orElse(authServerUrl);
return realm; }
}
public void setAuthServerUrl(String authServerUrl)
public void setRealm(String realm) {
{ this.authServerUrl = authServerUrl;
this.realm = realm; }
}
public String getRealm()
public String getResource() {
{ return realm;
return resource; }
}
public void setRealm(String realm)
public void setResource(String resource) {
{ this.realm = realm;
this.resource = resource; }
}
public String getResource()
public void setClientSecret(String clientSecret) {
{ return resource;
this.clientSecret = clientSecret; }
}
public void setResource(String resource)
public String getClientSecret() {
{ this.resource = resource;
return Optional.ofNullable(clientSecret) }
.orElse("");
} public void setClientSecret(String clientSecret)
{
public void setAllowAnyHostname(boolean allowAnyHostname) this.clientSecret = clientSecret;
{ }
this.allowAnyHostname = allowAnyHostname;
} public String getClientSecret()
{
public boolean isAllowAnyHostname() return Optional.ofNullable(clientSecret)
{ .orElse("");
return allowAnyHostname; }
}
public void setAllowAnyHostname(boolean allowAnyHostname)
public void setDisableTrustManager(boolean disableTrustManager) {
{ this.allowAnyHostname = allowAnyHostname;
this.disableTrustManager = disableTrustManager; }
}
public boolean isAllowAnyHostname()
public boolean isDisableTrustManager() {
{ return allowAnyHostname;
return disableTrustManager; }
}
public void setDisableTrustManager(boolean disableTrustManager)
public void setTruststore(String truststore) {
{ this.disableTrustManager = disableTrustManager;
this.truststore = truststore; }
}
public boolean isDisableTrustManager()
public String getTruststore() {
{ return disableTrustManager;
return truststore; }
}
public void setTruststore(String truststore)
public void setTruststorePassword(String truststorePassword) {
{ this.truststore = truststore;
this.truststorePassword = truststorePassword; }
}
public String getTruststore()
public String getTruststorePassword() {
{ return truststore;
return truststorePassword; }
}
public void setTruststorePassword(String truststorePassword)
public void setClientKeystore(String clientKeystore) {
{ this.truststorePassword = truststorePassword;
this.clientKeystore = clientKeystore; }
}
public String getTruststorePassword()
public String getClientKeystore() {
{ return truststorePassword;
return clientKeystore; }
}
public void setClientKeystore(String clientKeystore)
public void setClientKeystorePassword(String clientKeystorePassword) {
{ this.clientKeystore = clientKeystore;
this.clientKeystorePassword = clientKeystorePassword; }
}
public String getClientKeystore()
public String getClientKeystorePassword() {
{ return clientKeystore;
return clientKeystorePassword; }
}
public void setClientKeystorePassword(String clientKeystorePassword)
public void setClientKeyPassword(String clientKeyPassword) {
{ this.clientKeystorePassword = clientKeystorePassword;
this.clientKeyPassword = clientKeyPassword; }
}
public String getClientKeystorePassword()
public String getClientKeyPassword() {
{ return clientKeystorePassword;
return clientKeyPassword; }
}
public void setClientKeyPassword(String clientKeyPassword)
public void setRealmKey(String realmKey) {
{ this.clientKeyPassword = clientKeyPassword;
this.realmKey = realmKey; }
}
public String getClientKeyPassword()
public String getRealmKey() {
{ return clientKeyPassword;
return realmKey; }
}
public void setRealmKey(String realmKey)
public void setPublicKeyCacheTtl(int publicKeyCacheTtl) {
{ this.realmKey = realmKey;
this.publicKeyCacheTtl = publicKeyCacheTtl; }
}
public String getRealmKey()
public int getPublicKeyCacheTtl() {
{ return realmKey;
return publicKeyCacheTtl; }
}
public void setPublicKeyCacheTtl(int publicKeyCacheTtl)
public void setPublicClient(boolean publicClient) {
{ this.publicKeyCacheTtl = publicKeyCacheTtl;
this.publicClient = publicClient; }
}
public int getPublicKeyCacheTtl()
public boolean isPublicClient() {
{ return publicKeyCacheTtl;
return publicClient; }
}
public void setPublicClient(boolean publicClient)
public String getPrincipalAttribute() {
{ this.publicClient = publicClient;
return principalAttribute; }
}
public boolean isPublicClient()
public void setPrincipalAttribute(String principalAttribute) {
{ return publicClient;
this.principalAttribute = principalAttribute; }
}
public String getPrincipalAttribute()
public boolean isClientIdValidationDisabled() {
{ return principalAttribute;
return clientIdValidationDisabled; }
}
public void setPrincipalAttribute(String principalAttribute)
public void setClientIdValidationDisabled(boolean clientIdValidationDisabled) {
{ this.principalAttribute = principalAttribute;
this.clientIdValidationDisabled = clientIdValidationDisabled; }
}
public boolean isClientIdValidationDisabled()
public String getAdminConsoleRedirectPath() {
{ return clientIdValidationDisabled;
return adminConsoleRedirectPath; }
}
public void setClientIdValidationDisabled(boolean clientIdValidationDisabled)
public void setAdminConsoleRedirectPath(String adminConsoleRedirectPath) {
{ this.clientIdValidationDisabled = clientIdValidationDisabled;
this.adminConsoleRedirectPath = adminConsoleRedirectPath; }
}
public String getAdminConsoleRedirectPath()
public Set<SignatureAlgorithm> getSignatureAlgorithms() {
{ return adminConsoleRedirectPath;
return Stream.of(signatureAlgorithms.split(",")) }
.map(String::trim)
.map(SignatureAlgorithm::from) public void setAdminConsoleRedirectPath(String adminConsoleRedirectPath)
.filter(Objects::nonNull) {
.collect(Collectors.toUnmodifiableSet()); this.adminConsoleRedirectPath = adminConsoleRedirectPath;
} }
public void setSignatureAlgorithms(String signatureAlgorithms) public Set<SignatureAlgorithm> getSignatureAlgorithms()
{ {
this.signatureAlgorithms = signatureAlgorithms; return Stream.of(signatureAlgorithms.split(","))
} .map(String::trim)
} .map(SignatureAlgorithm::from)
.filter(Objects::nonNull)
.collect(Collectors.toUnmodifiableSet());
}
public void setSignatureAlgorithms(String signatureAlgorithms)
{
this.signatureAlgorithms = signatureAlgorithms;
}
public String getIssuerAttribute()
{
return issuerAttribute;
}
public void setIssuerAttribute(String issuerAttribute)
{
this.issuerAttribute = issuerAttribute;
}
public Set<String> getAdminConsoleScopes()
{
return Stream.of(adminConsoleScopes.split(","))
.map(String::trim)
.collect(Collectors.toUnmodifiableSet());
}
public void setAdminConsoleScopes(String adminConsoleScopes)
{
this.adminConsoleScopes = adminConsoleScopes;
}
public Set<String> getPasswordGrantScopes()
{
return Stream.of(passwordGrantScopes.split(","))
.map(String::trim)
.collect(Collectors.toUnmodifiableSet());
}
public void setPasswordGrantScopes(String passwordGrantScopes)
{
this.passwordGrantScopes = passwordGrantScopes;
}
public void setFirstNameAttribute(String firstNameAttribute)
{
this.firstNameAttribute = firstNameAttribute;
}
public void setLastNameAttribute(String lastNameAttribute)
{
this.lastNameAttribute = lastNameAttribute;
}
public void setEmailAttribute(String emailAttribute)
{
this.emailAttribute = emailAttribute;
}
public void setJwtClockSkewMs(long jwtClockSkewMs)
{
this.jwtClockSkewMs = jwtClockSkewMs;
}
public String getFirstNameAttribute()
{
return firstNameAttribute;
}
public String getLastNameAttribute()
{
return lastNameAttribute;
}
public String getEmailAttribute()
{
return emailAttribute;
}
public long getJwtClockSkewMs()
{
return jwtClockSkewMs;
}
}

514
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacade.java
View File

@@ -1,249 +1,265 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited * Copyright (C) 2005 - 2025 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import static java.util.Objects.nonNull; import static java.util.Objects.nonNull;
import static java.util.Objects.requireNonNull; import static java.util.Objects.requireNonNull;
import java.time.Instant; import java.time.Instant;
import java.util.Objects; import java.util.Objects;
import java.util.Optional; import java.util.Optional;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
/** import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
* Allows to interact with the Identity Service import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
*/
public interface IdentityServiceFacade /**
{ * Allows to interact with the Identity Service
/** */
* Returns {@link AccessToken} based authorization for provided {@link AuthorizationGrant}. public interface IdentityServiceFacade
* @param grant the OAuth2 grant provided by the Resource Owner. {
* @return {@link AccessTokenAuthorization} containing access token and optional refresh token. /**
* @throws {@link AuthorizationException} when provided grant cannot be exchanged for the access token. * Returns {@link AccessToken} based authorization for provided {@link AuthorizationGrant}.
*/ *
AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException; * @param grant
* the OAuth2 grant provided by the Resource Owner.
/** * @return {@link AccessTokenAuthorization} containing access token and optional refresh token.
* Decodes the access token into the {@link DecodedAccessToken} which contains claims connected with a given token. * @throws {@link
* @param token {@link String} with encoded access token value. * AuthorizationException} when provided grant cannot be exchanged for the access token.
* @return {@link DecodedAccessToken} containing decoded claims. */
* @throws {@link TokenDecodingException} when token decoding failed. AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException;
*/
DecodedAccessToken decodeToken(String token) throws TokenDecodingException; /**
* Decodes the access token into the {@link DecodedAccessToken} which contains claims connected with a given token.
/** *
* Gets claims about the authenticated user, * @param token
* such as name and email address, via the UserInfo endpoint of the OpenID provider. * {@link String} with encoded access token value.
* @param token {@link String} with encoded access token value. * @return {@link DecodedAccessToken} containing decoded claims.
* @param principalAttribute {@link String} the attribute name used to access the user's name from the user info response. * @throws {@link
* @return {@link OIDCUserInfo} containing user claims. * TokenDecodingException} when token decoding failed.
*/ */
Optional<OIDCUserInfo> getUserInfo(String token, String principalAttribute); DecodedAccessToken decodeToken(String token) throws TokenDecodingException;
/** /**
* Gets a client registration * Gets claims about the authenticated user, such as name and email address, via the UserInfo endpoint of the OpenID provider.
*/ *
ClientRegistration getClientRegistration(); * @param token
* {@link String} with encoded access token value.
class IdentityServiceFacadeException extends RuntimeException * @param userInfoAttrMapping
{ * {@link UserInfoAttrMapping} containing the mapping of claims.
public IdentityServiceFacadeException(String message) * @return {@link DecodedTokenUser} containing user claims or {@link Optional#empty()} if the token does not contain a username claim.
{ */
super(message); Optional<DecodedTokenUser> getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping);
}
/**
IdentityServiceFacadeException(String message, Throwable cause) * Gets a client registration
{ */
super(message, cause); ClientRegistration getClientRegistration();
}
} class IdentityServiceFacadeException extends RuntimeException
{
class AuthorizationException extends IdentityServiceFacadeException public IdentityServiceFacadeException(String message)
{ {
AuthorizationException(String message) super(message);
{ }
super(message);
} IdentityServiceFacadeException(String message, Throwable cause)
{
AuthorizationException(String message, Throwable cause) super(message, cause);
{ }
super(message, cause); }
}
} class AuthorizationException extends IdentityServiceFacadeException
{
class UserInfoException extends IdentityServiceFacadeException AuthorizationException(String message)
{ {
super(message);
UserInfoException(String message) }
{
super(message); AuthorizationException(String message, Throwable cause)
} {
super(message, cause);
UserInfoException(String message, Throwable cause) }
{ }
super(message, cause);
} class UserInfoException extends IdentityServiceFacadeException
} {
class TokenDecodingException extends IdentityServiceFacadeException UserInfoException(String message)
{ {
TokenDecodingException(String message) super(message);
{ }
super(message);
} UserInfoException(String message, Throwable cause)
{
TokenDecodingException(String message, Throwable cause) super(message, cause);
{ }
super(message, cause); }
}
} class TokenDecodingException extends IdentityServiceFacadeException
{
/** TokenDecodingException(String message)
* Represents access token authorization with optional refresh token. {
*/ super(message);
interface AccessTokenAuthorization }
{
/** TokenDecodingException(String message, Throwable cause)
* Required {@link AccessToken} {
* @return {@link AccessToken} super(message, cause);
*/ }
AccessToken getAccessToken(); }
/** /**
* Optional refresh token. * Represents access token authorization with optional refresh token.
* @return Refresh token or {@code null} */
*/ interface AccessTokenAuthorization
String getRefreshTokenValue(); {
} /**
* Required {@link AccessToken}
interface AccessToken { *
String getTokenValue(); * @return {@link AccessToken}
Instant getExpiresAt(); */
} AccessToken getAccessToken();
interface DecodedAccessToken extends AccessToken /**
{ * Optional refresh token.
Object getClaim(String claim); *
} * @return Refresh token or {@code null}
*/
class AuthorizationGrant { String getRefreshTokenValue();
private final String username; }
private final String password;
private final String refreshToken; interface AccessToken
private final String authorizationCode; {
private final String redirectUri; String getTokenValue();
private AuthorizationGrant(String username, String password, String refreshToken, String authorizationCode, String redirectUri) Instant getExpiresAt();
{ }
this.username = username;
this.password = password; interface DecodedAccessToken extends AccessToken
this.refreshToken = refreshToken; {
this.authorizationCode = authorizationCode; Object getClaim(String claim);
this.redirectUri = redirectUri; }
}
class AuthorizationGrant
public static AuthorizationGrant password(String username, String password) {
{ private final String username;
return new AuthorizationGrant(requireNonNull(username), requireNonNull(password), null, null, null); private final String password;
} private final String refreshToken;
private final String authorizationCode;
public static AuthorizationGrant refreshToken(String refreshToken) private final String redirectUri;
{
return new AuthorizationGrant(null, null, requireNonNull(refreshToken), null, null); private AuthorizationGrant(String username, String password, String refreshToken, String authorizationCode, String redirectUri)
} {
this.username = username;
public static AuthorizationGrant authorizationCode(String authorizationCode, String redirectUri) this.password = password;
{ this.refreshToken = refreshToken;
return new AuthorizationGrant(null, null, null, requireNonNull(authorizationCode), requireNonNull(redirectUri)); this.authorizationCode = authorizationCode;
} this.redirectUri = redirectUri;
}
boolean isPassword()
{ public static AuthorizationGrant password(String username, String password)
return nonNull(username); {
} return new AuthorizationGrant(requireNonNull(username), requireNonNull(password), null, null, null);
}
boolean isRefreshToken()
{ public static AuthorizationGrant refreshToken(String refreshToken)
return nonNull(refreshToken); {
} return new AuthorizationGrant(null, null, requireNonNull(refreshToken), null, null);
}
boolean isAuthorizationCode()
{ public static AuthorizationGrant authorizationCode(String authorizationCode, String redirectUri)
return nonNull(authorizationCode); {
} return new AuthorizationGrant(null, null, null, requireNonNull(authorizationCode), requireNonNull(redirectUri));
}
String getUsername()
{ boolean isPassword()
return username; {
} return nonNull(username);
}
String getPassword()
{ boolean isRefreshToken()
return password; {
} return nonNull(refreshToken);
}
String getRefreshToken()
{ boolean isAuthorizationCode()
return refreshToken; {
} return nonNull(authorizationCode);
}
String getAuthorizationCode()
{ String getUsername()
return authorizationCode; {
} return username;
}
String getRedirectUri()
{ String getPassword()
return redirectUri; {
} return password;
}
@Override
public boolean equals(Object o) String getRefreshToken()
{ {
if (this == o) return refreshToken;
{ }
return true;
} String getAuthorizationCode()
if (o == null || getClass() != o.getClass()) {
{ return authorizationCode;
return false; }
}
AuthorizationGrant that = (AuthorizationGrant) o; String getRedirectUri()
return Objects.equals(username, that.username) && {
Objects.equals(password, that.password) && return redirectUri;
Objects.equals(refreshToken, that.refreshToken) && }
Objects.equals(authorizationCode, that.authorizationCode) &&
Objects.equals(redirectUri, that.redirectUri); @Override
} public boolean equals(Object o)
{
@Override if (this == o)
public int hashCode() {
{ return true;
return Objects.hash(username, password, refreshToken, authorizationCode, redirectUri); }
} if (o == null || getClass() != o.getClass())
} {
} return false;
}
AuthorizationGrant that = (AuthorizationGrant) o;
return Objects.equals(username, that.username) &&
Objects.equals(password, that.password) &&
Objects.equals(refreshToken, that.refreshToken) &&
Objects.equals(authorizationCode, that.authorizationCode) &&
Objects.equals(redirectUri, that.redirectUri);
}
@Override
public int hashCode()
{
return Objects.hash(username, password, refreshToken, authorizationCode, redirectUri);
}
}
}

1650
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java
View File

File diff suppressed because it is too large Load Diff

174
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandler.java
View File

@@ -30,59 +30,38 @@ import java.io.Serializable;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import java.util.function.BiFunction;
import java.util.function.Predicate; import java.util.function.Predicate;
import com.nimbusds.openid.connect.sdk.claims.PersonClaims; import org.apache.commons.lang3.StringUtils;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import org.alfresco.model.ContentModel; import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.DecodedAccessToken; import org.alfresco.repo.security.authentication.identityservice.user.AccessTokenToDecodedTokenUserMapper;
import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
import org.alfresco.repo.security.authentication.identityservice.user.TokenUserToOIDCUserMapper;
import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
import org.alfresco.service.cmr.security.PersonService; import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.alfresco.service.transaction.TransactionService; import org.alfresco.service.transaction.TransactionService;
import org.apache.commons.lang3.StringUtils;
/** /**
* This class handles Just in Time user provisioning. It extracts {@link OIDCUserInfo} * This class handles Just in Time user provisioning. It extracts {@link OIDCUserInfo} from the given bearer token and creates a new user if it does not exist in the repository.
* from {@link IdentityServiceFacade.DecodedAccessToken} or {@link UserInfo}
* and creates a new user if it does not exist in the repository.
*/ */
public class IdentityServiceJITProvisioningHandler public class IdentityServiceJITProvisioningHandler
{ {
private final IdentityServiceConfig identityServiceConfig;
private final IdentityServiceFacade identityServiceFacade; private final IdentityServiceFacade identityServiceFacade;
private final PersonService personService; private final PersonService personService;
private final TransactionService transactionService; private final TransactionService transactionService;
private final IdentityServiceConfig identityServiceConfig;
private final BiFunction<DecodedAccessToken, String, Optional<? extends OIDCUserInfo>> mapTokenToUserInfoResponse = (token, usernameMappingClaim) -> { private UserInfoAttrMapping userInfoAttrMapping;
Optional<String> firstName = Optional.ofNullable(token) private TokenUserToOIDCUserMapper tokenUserToOIDCUserMapper;
.map(jwtToken -> jwtToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME)) private AccessTokenToDecodedTokenUserMapper tokenToDecodedTokenUserMapper;
.filter(String.class::isInstance)
.map(String.class::cast);
Optional<String> lastName = Optional.ofNullable(token)
.map(jwtToken -> jwtToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME))
.filter(String.class::isInstance)
.map(String.class::cast);
Optional<String> email = Optional.ofNullable(token)
.map(jwtToken -> jwtToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME))
.filter(String.class::isInstance)
.map(String.class::cast);
return Optional.ofNullable(token.getClaim(Optional.ofNullable(usernameMappingClaim)
.filter(StringUtils::isNotBlank)
.orElse(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)))
.filter(String.class::isInstance)
.map(String.class::cast)
.map(this::normalizeUserId)
.map(username -> new OIDCUserInfo(username, firstName.orElse(""), lastName.orElse(""), email.orElse("")));
};
public IdentityServiceJITProvisioningHandler(IdentityServiceFacade identityServiceFacade, public IdentityServiceJITProvisioningHandler(IdentityServiceFacade identityServiceFacade,
PersonService personService, PersonService personService,
TransactionService transactionService, TransactionService transactionService,
IdentityServiceConfig identityServiceConfig) IdentityServiceConfig identityServiceConfig)
{ {
this.identityServiceFacade = identityServiceFacade; this.identityServiceFacade = identityServiceFacade;
this.personService = personService; this.personService = personService;
@@ -90,94 +69,95 @@ public class IdentityServiceJITProvisioningHandler
this.identityServiceConfig = identityServiceConfig; this.identityServiceConfig = identityServiceConfig;
} }
/**
* Extracts {@link OIDCUserInfo} from the given bearer token and creates a new user if it does not exist in the repository. Call to the UserInfo endpoint is made only if the token does not contain a username claim or if user needs to be created and some of the {@link OIDCUserInfo} fields are empty.
*/
public Optional<OIDCUserInfo> extractUserInfoAndCreateUserIfNeeded(String bearerToken) public Optional<OIDCUserInfo> extractUserInfoAndCreateUserIfNeeded(String bearerToken)
{ {
Optional<OIDCUserInfo> userInfoResponse = Optional.ofNullable(bearerToken) if (userInfoAttrMapping == null)
.filter(Predicate.not(String::isEmpty))
.flatMap(token -> extractUserInfoResponseFromAccessToken(token)
.filter(userInfo -> StringUtils.isNotEmpty(userInfo.username()))
.or(() -> extractUserInfoResponseFromEndpoint(token)));
if (transactionService.isReadOnly() || userInfoResponse.isEmpty())
{ {
return userInfoResponse; initMappers(identityServiceConfig);
} }
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Optional<OIDCUserInfo>>()
Optional<OIDCUserInfo> oidcUserInfo = Optional.ofNullable(bearerToken)
.filter(Predicate.not(String::isEmpty))
.flatMap(token -> extractUserInfoResponseFromAccessToken(token).filter(decodedTokenUser -> StringUtils.isNotEmpty(decodedTokenUser.username()))
.or(() -> extractUserInfoResponseFromEndpoint(token, userInfoAttrMapping)))
.map(tokenUserToOIDCUserMapper::toOIDCUser);
if (transactionService.isReadOnly() || oidcUserInfo.isEmpty())
{ {
return oidcUserInfo;
}
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<>() {
@Override @Override
public Optional<OIDCUserInfo> doWork() throws Exception public Optional<OIDCUserInfo> doWork() throws Exception
{ {
return userInfoResponse.map(userInfo -> { return oidcUserInfo.map(oidcUser -> {
if (userInfo.username() != null && personService.createMissingPeople() if (userDoesNotExistsAndCanBeCreated(oidcUser))
&& !personService.personExists(userInfo.username()))
{ {
if (!userInfo.allFieldsNotEmpty()) if (!oidcUser.allFieldsNotEmpty())
{ {
userInfo = extractUserInfoResponseFromEndpoint(bearerToken).orElse(userInfo); oidcUser = extractUserInfoResponseFromEndpoint(bearerToken, userInfoAttrMapping)
.map(tokenUserToOIDCUserMapper::toOIDCUser)
.orElse(oidcUser);
} }
Map<QName, Serializable> properties = new HashMap<>(); createPerson(oidcUser);
properties.put(ContentModel.PROP_USERNAME, userInfo.username());
properties.put(ContentModel.PROP_FIRSTNAME, userInfo.firstName());
properties.put(ContentModel.PROP_LASTNAME, userInfo.lastName());
properties.put(ContentModel.PROP_EMAIL, userInfo.email());
properties.put(ContentModel.PROP_ORGID, "");
properties.put(ContentModel.PROP_HOME_FOLDER_PROVIDER, null);
properties.put(ContentModel.PROP_SIZE_CURRENT, 0L);
properties.put(ContentModel.PROP_SIZE_QUOTA, -1L); // no quota
personService.createPerson(properties);
} }
return userInfo; return oidcUser;
}); });
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
private Optional<OIDCUserInfo> extractUserInfoResponseFromAccessToken(String bearerToken) private void initMappers(IdentityServiceConfig identityServiceConfig)
{
this.userInfoAttrMapping = initUserInfoAttrMapping(identityServiceConfig);
this.tokenUserToOIDCUserMapper = new TokenUserToOIDCUserMapper(personService);
this.tokenToDecodedTokenUserMapper = new AccessTokenToDecodedTokenUserMapper(userInfoAttrMapping);
}
private boolean userDoesNotExistsAndCanBeCreated(OIDCUserInfo userInfo)
{
return userInfo.username() != null && personService.createMissingPeople()
&& !personService.personExists(userInfo.username());
}
private Optional<DecodedTokenUser> extractUserInfoResponseFromAccessToken(String bearerToken)
{ {
return Optional.ofNullable(bearerToken) return Optional.ofNullable(bearerToken)
.map(identityServiceFacade::decodeToken) .map(identityServiceFacade::decodeToken)
.flatMap(decodedToken -> mapTokenToUserInfoResponse.apply(decodedToken, .flatMap(tokenToDecodedTokenUserMapper::toDecodedTokenUser);
identityServiceConfig.getPrincipalAttribute()));
} }
private Optional<OIDCUserInfo> extractUserInfoResponseFromEndpoint(String bearerToken) private Optional<DecodedTokenUser> extractUserInfoResponseFromEndpoint(String bearerToken, UserInfoAttrMapping userInfoAttrMapping)
{ {
return identityServiceFacade.getUserInfo(bearerToken, return identityServiceFacade.getUserInfo(bearerToken, userInfoAttrMapping)
StringUtils.isNotBlank(identityServiceConfig.getPrincipalAttribute()) ? .filter(userInfo -> userInfo.username() != null && !userInfo.username().isEmpty());
identityServiceConfig.getPrincipalAttribute() : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)
.filter(userInfo -> userInfo.username() != null && !userInfo.username().isEmpty())
.map(userInfo -> new OIDCUserInfo(normalizeUserId(userInfo.username()),
Optional.ofNullable(userInfo.firstName()).orElse(""),
Optional.ofNullable(userInfo.lastName()).orElse(""),
Optional.ofNullable(userInfo.email()).orElse("")));
} }
/** private void createPerson(OIDCUserInfo userInfo)
* Normalizes a user id, taking into account existing user accounts and case sensitivity settings.
*
* @param userId the user id
* @return the string
*/
private String normalizeUserId(final String userId)
{ {
if (userId == null) Map<QName, Serializable> properties = new HashMap<>();
{ properties.put(ContentModel.PROP_USERNAME, userInfo.username());
return null; properties.put(ContentModel.PROP_FIRSTNAME, userInfo.firstName());
} properties.put(ContentModel.PROP_LASTNAME, userInfo.lastName());
properties.put(ContentModel.PROP_EMAIL, userInfo.email());
properties.put(ContentModel.PROP_ORGID, "");
properties.put(ContentModel.PROP_HOME_FOLDER_PROVIDER, null);
properties.put(ContentModel.PROP_SIZE_CURRENT, 0L);
properties.put(ContentModel.PROP_SIZE_QUOTA, -1L); // no quota
String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>() personService.createPerson(properties);
{
@Override
public String doWork() throws Exception
{
return personService.getUserIdentifier(userId);
}
}, AuthenticationUtil.getSystemUserName());
return normalized == null ? userId : normalized;
} }
} private UserInfoAttrMapping initUserInfoAttrMapping(IdentityServiceConfig identityServiceConfig)
{
return new UserInfoAttrMapping(identityServiceFacade.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName(),
identityServiceConfig.getFirstNameAttribute(),
identityServiceConfig.getLastNameAttribute(),
identityServiceConfig.getEmailAttribute());
}
}

362
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java
View File

@@ -1,181 +1,181 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2023 Alfresco Software Limited * Copyright (C) 2005 - 2025 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import jakarta.servlet.http.HttpServletRequest; import java.util.Optional;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Optional;
import org.apache.commons.logging.Log;
import org.alfresco.repo.management.subsystems.ActivateableBean; import org.apache.commons.logging.LogFactory;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException; import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.apache.commons.logging.Log; import org.alfresco.repo.security.authentication.AuthenticationException;
import org.apache.commons.logging.LogFactory; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
/**
* A {@link RemoteUserMapper} implementation that detects and validates JWTs /**
* issued by the Alfresco Identity Service. * A {@link RemoteUserMapper} implementation that detects and validates JWTs issued by the Alfresco Identity Service.
* *
* @author Gavin Cornwell * @author Gavin Cornwell
*/ */
public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, ActivateableBean public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, ActivateableBean
{ {
private static final Log LOGGER = LogFactory.getLog(IdentityServiceRemoteUserMapper.class); private static final Log LOGGER = LogFactory.getLog(IdentityServiceRemoteUserMapper.class);
/** Is the mapper enabled */ /** Is the mapper enabled */
private boolean isEnabled; private boolean isEnabled;
/** Are token validation failures handled silently? */ /** Are token validation failures handled silently? */
private boolean isValidationFailureSilent; private boolean isValidationFailureSilent;
private BearerTokenResolver bearerTokenResolver; private BearerTokenResolver bearerTokenResolver;
private IdentityServiceJITProvisioningHandler jitProvisioningHandler; private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
/** /**
* Sets the active flag * Sets the active flag
* *
* @param isEnabled true to enable the subsystem * @param isEnabled
*/ * true to enable the subsystem
public void setActive(boolean isEnabled) */
{ public void setActive(boolean isEnabled)
this.isEnabled = isEnabled; {
} this.isEnabled = isEnabled;
}
/**
* Determines whether token validation failures are silent /**
* * Determines whether token validation failures are silent
* @param silent true to silently fail, false to throw an exception *
*/ * @param silent
public void setValidationFailureSilent(boolean silent) * true to silently fail, false to throw an exception
{ */
this.isValidationFailureSilent = silent; public void setValidationFailureSilent(boolean silent)
} {
this.isValidationFailureSilent = silent;
public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver) }
{
this.bearerTokenResolver = bearerTokenResolver; public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver)
} {
this.bearerTokenResolver = bearerTokenResolver;
public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler) }
{
this.jitProvisioningHandler = jitProvisioningHandler; public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler)
} {
this.jitProvisioningHandler = jitProvisioningHandler;
/* }
* (non-Javadoc)
* @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(jakarta.servlet.http.HttpServletRequest) /* (non-Javadoc)
*/ *
@Override * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(jakarta.servlet.http.HttpServletRequest) */
public String getRemoteUser(HttpServletRequest request) @Override
{ public String getRemoteUser(HttpServletRequest request)
LOGGER.trace("Retrieving username from http request..."); {
LOGGER.trace("Retrieving username from http request...");
if (!this.isEnabled)
{ if (!this.isEnabled)
LOGGER.debug("IdentityServiceRemoteUserMapper is disabled, returning null."); {
return null; LOGGER.debug("IdentityServiceRemoteUserMapper is disabled, returning null.");
} return null;
try }
{ try
String normalizedUserId = extractUserFromHeader(request); {
String normalizedUserId = extractUserFromHeader(request);
if (normalizedUserId != null) if (normalizedUserId != null)
{ {
// Normalize the user ID taking into account case sensitivity settings // Normalize the user ID taking into account case sensitivity settings
LOGGER.trace("Returning userId: " + AuthenticationUtil.maskUsername(normalizedUserId)); LOGGER.trace("Returning userId: " + AuthenticationUtil.maskUsername(normalizedUserId));
return normalizedUserId; return normalizedUserId;
} }
} }
catch (IdentityServiceFacadeException e) catch (IdentityServiceFacadeException e)
{ {
if (!isValidationFailureSilent) if (!isValidationFailureSilent)
{ {
throw new AuthenticationException("Failed to extract username from token: " + e.getMessage(), e); throw new AuthenticationException("Failed to extract username from token: " + e.getMessage(), e);
} }
LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e); LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
} }
catch (RuntimeException e) catch (RuntimeException e)
{ {
LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e); LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
} }
LOGGER.trace("Could not identify a userId. Returning null."); LOGGER.trace("Could not identify a userId. Returning null.");
return null; return null;
} }
/* /* (non-Javadoc)
* (non-Javadoc) *
* @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive() * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive() */
*/ public boolean isActive()
public boolean isActive() {
{ return this.isEnabled;
return this.isEnabled; }
}
/**
/** * Extracts the user name from the JWT in the given request.
* Extracts the user name from the JWT in the given request. *
* * @param request
* @param request The request containing the JWT * The request containing the JWT
* @return The username or null if it can not be determined * @return The username or null if it can not be determined
*/ */
private String extractUserFromHeader(HttpServletRequest request) private String extractUserFromHeader(HttpServletRequest request)
{ {
// try authenticating with bearer token first // try authenticating with bearer token first
LOGGER.debug("Trying bearer token..."); LOGGER.debug("Trying bearer token...");
final String bearerToken; final String bearerToken;
try try
{ {
bearerToken = bearerTokenResolver.resolve(request); bearerToken = bearerTokenResolver.resolve(request);
} }
catch (OAuth2AuthenticationException e) catch (OAuth2AuthenticationException e)
{ {
LOGGER.debug("Failed to resolve Bearer token.", e); LOGGER.debug("Failed to resolve Bearer token.", e);
return null; return null;
} }
final Optional<String> possibleUsername = jitProvisioningHandler final Optional<String> possibleUsername = jitProvisioningHandler
.extractUserInfoAndCreateUserIfNeeded(bearerToken) .extractUserInfoAndCreateUserIfNeeded(bearerToken)
.map(OIDCUserInfo::username); .map(OIDCUserInfo::username);
if (possibleUsername.isEmpty()) if (possibleUsername.isEmpty())
{ {
LOGGER.debug("User could not be authenticated by IdentityServiceRemoteUserMapper."); LOGGER.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
return null; return null;
} }
String normalizedUsername = possibleUsername.get(); String normalizedUsername = possibleUsername.get();
LOGGER.trace("Extracted username: " + AuthenticationUtil.maskUsername(normalizedUsername)); LOGGER.trace("Extracted username: " + AuthenticationUtil.maskUsername(normalizedUsername));
return normalizedUsername; return normalizedUsername;
} }
} }

113
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.java
View File

@@ -30,21 +30,12 @@ import static java.util.Objects.requireNonNull;
import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.AUDIENCE; import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.AUDIENCE;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant; import java.time.Instant;
import java.util.Map; import java.util.Map;
import java.util.Optional; import java.util.Optional;
import java.util.function.Predicate;
import com.nimbusds.oauth2.sdk.ErrorObject; import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
import com.nimbusds.oauth2.sdk.ParseException; import org.apache.commons.lang3.StringUtils;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.converter.Converter; import org.springframework.core.convert.converter.Converter;
@@ -59,27 +50,35 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRe
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest; import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails; import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.AbstractOAuth2Token; import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType; import org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException; import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2RefreshToken; import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.Jwt; import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap; import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestOperations; import org.springframework.web.client.RestOperations;
import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
class SpringBasedIdentityServiceFacade implements IdentityServiceFacade class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
{ {
private static final Log LOGGER = LogFactory.getLog(SpringBasedIdentityServiceFacade.class); private static final Log LOGGER = LogFactory.getLog(SpringBasedIdentityServiceFacade.class);
private static final Instant SOME_INSIGNIFICANT_DATE_IN_THE_PAST = Instant.MIN.plusSeconds(12345); private static final Instant SOME_INSIGNIFICANT_DATE_IN_THE_PAST = Instant.MIN.plusSeconds(12345);
private final Map<AuthorizationGrantType, OAuth2AccessTokenResponseClient> clients; private final Map<AuthorizationGrantType, OAuth2AccessTokenResponseClient> clients;
private final DefaultOAuth2UserService defaultOAuth2UserService;
private final ClientRegistration clientRegistration; private final ClientRegistration clientRegistration;
private final JwtDecoder jwtDecoder; private final JwtDecoder jwtDecoder;
@@ -93,6 +92,7 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
AuthorizationGrantType.AUTHORIZATION_CODE, createAuthorizationCodeClient(restOperations), AuthorizationGrantType.AUTHORIZATION_CODE, createAuthorizationCodeClient(restOperations),
AuthorizationGrantType.REFRESH_TOKEN, createRefreshTokenClient(restOperations), AuthorizationGrantType.REFRESH_TOKEN, createRefreshTokenClient(restOperations),
AuthorizationGrantType.PASSWORD, createPasswordClient(restOperations, clientRegistration)); AuthorizationGrantType.PASSWORD, createPasswordClient(restOperations, clientRegistration));
this.defaultOAuth2UserService = createOAuth2UserService(restOperations);
} }
@Override @Override
@@ -121,51 +121,18 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
} }
@Override @Override
public Optional<OIDCUserInfo> getUserInfo(String tokenParameter, String principalAttribute) public Optional<DecodedTokenUser> getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping)
{ {
return Optional.ofNullable(tokenParameter) try
.filter(Predicate.not(String::isEmpty)) {
.flatMap(token -> Optional.ofNullable(clientRegistration) return Optional.ofNullable(defaultOAuth2UserService.loadUser(new OAuth2UserRequest(clientRegistration, getSpringAccessToken(token))))
.map(ClientRegistration::getProviderDetails) .flatMap(oAuth2User -> mapOAuth2UserToDecodedTokenUser(oAuth2User, userInfoAttrMapping));
.map(ClientRegistration.ProviderDetails::getUserInfoEndpoint) }
.map(ClientRegistration.ProviderDetails.UserInfoEndpoint::getUri) catch (OAuth2AuthenticationException exception)
.flatMap(uri -> { {
try LOGGER.warn("User Info Request failed: " + exception.getMessage());
{ return Optional.empty();
return Optional.of( }
new UserInfoRequest(new URI(uri), new BearerAccessToken(token)).toHTTPRequest().send());
}
catch (IOException | URISyntaxException e)
{
LOGGER.warn("Failed to get user information. Reason: " + e.getMessage());
return Optional.empty();
}
})
.flatMap(httpResponse -> {
try
{
UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
if (userInfoResponse instanceof UserInfoErrorResponse userInfoErrorResponse)
{
String errorMessage = Optional.ofNullable(userInfoErrorResponse.getErrorObject())
.map(ErrorObject::getDescription)
.orElse("No error description found");
LOGGER.warn("User Info Request failed: " + errorMessage);
throw new UserInfoException(errorMessage);
}
return Optional.of(userInfoResponse);
}
catch (ParseException e)
{
LOGGER.warn("Failed to parse user info response. Reason: " + e.getMessage());
return Optional.empty();
}
})
.map(UserInfoResponse::toSuccessResponse)
.map(UserInfoSuccessResponse::getUserInfo))
.map(userInfo -> new OIDCUserInfo(userInfo.getStringClaim(principalAttribute), userInfo.getGivenName(),
userInfo.getFamilyName(), userInfo.getEmailAddress()));
} }
@Override @Override
@@ -202,11 +169,7 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
if (grant.isRefreshToken()) if (grant.isRefreshToken())
{ {
final OAuth2AccessToken expiredAccessToken = new OAuth2AccessToken( final OAuth2AccessToken expiredAccessToken = getSpringAccessToken("JUST_FOR_FULFILLING_THE_SPRING_API");
TokenType.BEARER,
"JUST_FOR_FULFILLING_THE_SPRING_API",
SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1));
final OAuth2RefreshToken refreshToken = new OAuth2RefreshToken(grant.getRefreshToken(), null); final OAuth2RefreshToken refreshToken = new OAuth2RefreshToken(grant.getRefreshToken(), null);
return new OAuth2RefreshTokenGrantRequest(clientRegistration, expiredAccessToken, refreshToken, return new OAuth2RefreshTokenGrantRequest(clientRegistration, expiredAccessToken, refreshToken,
@@ -258,6 +221,26 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
return client; return client;
} }
private static DefaultOAuth2UserService createOAuth2UserService(RestOperations rest)
{
final DefaultOAuth2UserService userService = new DefaultOAuth2UserService();
userService.setRestOperations(rest);
return userService;
}
private Optional<DecodedTokenUser> mapOAuth2UserToDecodedTokenUser(OAuth2User oAuth2User, UserInfoAttrMapping userInfoAttrMapping)
{
var preferredUsername = Optional.ofNullable(oAuth2User.getAttribute(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME))
.filter(String.class::isInstance)
.map(String.class::cast)
.filter(StringUtils::isNotEmpty);
var userName = Optional.ofNullable(oAuth2User.getName()).filter(username -> !username.isEmpty()).or(() -> preferredUsername);
return userName.map(name -> DecodedTokenUser.validateAndCreate(name,
oAuth2User.getAttribute(userInfoAttrMapping.firstNameClaim()),
oAuth2User.getAttribute(userInfoAttrMapping.lastNameClaim()),
oAuth2User.getAttribute(userInfoAttrMapping.emailClaim())));
}
private static OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> createPasswordClient(RestOperations rest, private static OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> createPasswordClient(RestOperations rest,
ClientRegistration clientRegistration) ClientRegistration clientRegistration)
{ {
@@ -288,6 +271,16 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
}; };
} }
private static OAuth2AccessToken getSpringAccessToken(String token)
{
// Just for fulfilling the Spring API
return new OAuth2AccessToken(
TokenType.BEARER,
token,
SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1));
}
private static class SpringAccessTokenAuthorization implements AccessTokenAuthorization private static class SpringAccessTokenAuthorization implements AccessTokenAuthorization
{ {
private final OAuth2AccessTokenResponse tokenResponse; private final OAuth2AccessTokenResponse tokenResponse;

73
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java
View File

@@ -37,13 +37,19 @@ import java.util.Map;
import java.util.Optional; import java.util.Optional;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import com.nimbusds.oauth2.sdk.Scope; import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.Identifier; import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.id.State; import com.nimbusds.oauth2.sdk.id.State;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
import org.springframework.web.util.UriComponentsBuilder;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.external.AdminConsoleAuthenticator; import org.alfresco.repo.security.authentication.external.AdminConsoleAuthenticator;
@@ -53,16 +59,9 @@ import org.alfresco.repo.security.authentication.identityservice.IdentityService
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
import org.springframework.web.util.UriComponentsBuilder;
/** /**
* An {@link AdminConsoleAuthenticator} implementation to extract an externally authenticated user ID * An {@link AdminConsoleAuthenticator} implementation to extract an externally authenticated user ID or to initiate the OIDC authorization code flow.
* or to initiate the OIDC authorization code flow.
*/ */
public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAuthenticator, ActivateableBean public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAuthenticator, ActivateableBean
{ {
@@ -71,7 +70,6 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
private static final String ALFRESCO_ACCESS_TOKEN = "ALFRESCO_ACCESS_TOKEN"; private static final String ALFRESCO_ACCESS_TOKEN = "ALFRESCO_ACCESS_TOKEN";
private static final String ALFRESCO_REFRESH_TOKEN = "ALFRESCO_REFRESH_TOKEN"; private static final String ALFRESCO_REFRESH_TOKEN = "ALFRESCO_REFRESH_TOKEN";
private static final String ALFRESCO_TOKEN_EXPIRATION = "ALFRESCO_TOKEN_EXPIRATION"; private static final String ALFRESCO_TOKEN_EXPIRATION = "ALFRESCO_TOKEN_EXPIRATION";
private static final Set<String> SCOPES = Set.of("openid", "profile", "email", "offline_access");
private IdentityServiceConfig identityServiceConfig; private IdentityServiceConfig identityServiceConfig;
private IdentityServiceFacade identityServiceFacade; private IdentityServiceFacade identityServiceFacade;
@@ -145,7 +143,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
try try
{ {
AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize( AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
authorizationCode(code, request.getRequestURL().toString())); authorizationCode(code, request.getRequestURL().toString()));
addCookies(response, accessTokenAuthorization); addCookies(response, accessTokenAuthorization);
bearerToken = accessTokenAuthorization.getAccessToken().getTokenValue(); bearerToken = accessTokenAuthorization.getAccessToken().getTokenValue();
} }
@@ -154,8 +152,8 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
if (LOGGER.isWarnEnabled()) if (LOGGER.isWarnEnabled())
{ {
LOGGER.warn( LOGGER.warn(
"Error while trying to retrieve a response using the Authorization Code at the Token Endpoint: {}", "Error while trying to retrieve a response using the Authorization Code at the Token Endpoint: {}",
exception.getMessage()); exception.getMessage());
} }
} }
return bearerToken; return bearerToken;
@@ -188,7 +186,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
{ {
cookiesService.addCookie(ALFRESCO_ACCESS_TOKEN, accessTokenAuthorization.getAccessToken().getTokenValue(), response); cookiesService.addCookie(ALFRESCO_ACCESS_TOKEN, accessTokenAuthorization.getAccessToken().getTokenValue(), response);
cookiesService.addCookie(ALFRESCO_TOKEN_EXPIRATION, String.valueOf( cookiesService.addCookie(ALFRESCO_TOKEN_EXPIRATION, String.valueOf(
accessTokenAuthorization.getAccessToken().getExpiresAt().toEpochMilli()), response); accessTokenAuthorization.getAccessToken().getExpiresAt().toEpochMilli()), response);
cookiesService.addCookie(ALFRESCO_REFRESH_TOKEN, accessTokenAuthorization.getRefreshTokenValue(), response); cookiesService.addCookie(ALFRESCO_REFRESH_TOKEN, accessTokenAuthorization.getRefreshTokenValue(), response);
} }
@@ -198,13 +196,13 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
State state = new State(); State state = new State();
UriComponentsBuilder authRequestBuilder = UriComponentsBuilder.fromUriString(clientRegistration.getProviderDetails().getAuthorizationUri()) UriComponentsBuilder authRequestBuilder = UriComponentsBuilder.fromUriString(clientRegistration.getProviderDetails().getAuthorizationUri())
.queryParam("client_id", clientRegistration.getClientId()) .queryParam("client_id", clientRegistration.getClientId())
.queryParam("redirect_uri", getRedirectUri(request.getRequestURL().toString())) .queryParam("redirect_uri", getRedirectUri(request.getRequestURL().toString()))
.queryParam("response_type", "code") .queryParam("response_type", "code")
.queryParam("scope", String.join("+", getScopes(clientRegistration))) .queryParam("scope", String.join("+", getScopes(clientRegistration)))
.queryParam("state", state.toString()); .queryParam("state", state.toString());
if(StringUtils.isNotBlank(identityServiceConfig.getAudience())) if (StringUtils.isNotBlank(identityServiceConfig.getAudience()))
{ {
authRequestBuilder.queryParam("audience", identityServiceConfig.getAudience()); authRequestBuilder.queryParam("audience", identityServiceConfig.getAudience());
} }
@@ -215,20 +213,25 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
private Set<String> getScopes(ClientRegistration clientRegistration) private Set<String> getScopes(ClientRegistration clientRegistration)
{ {
return Optional.ofNullable(clientRegistration.getProviderDetails()) return Optional.ofNullable(clientRegistration.getProviderDetails())
.map(ProviderDetails::getConfigurationMetadata) .map(ProviderDetails::getConfigurationMetadata)
.map(metadata -> metadata.get(SCOPES_SUPPORTED.getValue())) .map(metadata -> metadata.get(SCOPES_SUPPORTED.getValue()))
.filter(Scope.class::isInstance) .filter(Scope.class::isInstance)
.map(Scope.class::cast) .map(Scope.class::cast)
.map(this::getSupportedScopes) .map(this::getSupportedScopes)
.orElse(clientRegistration.getScopes()); .orElse(clientRegistration.getScopes());
} }
private Set<String> getSupportedScopes(Scope scopes) private Set<String> getSupportedScopes(Scope scopes)
{ {
return scopes.stream() return scopes.stream()
.filter(scope -> SCOPES.contains(scope.getValue())) .filter(this::hasAdminConsoleScope)
.map(Identifier::getValue) .map(Identifier::getValue)
.collect(Collectors.toSet()); .collect(Collectors.toSet());
}
private boolean hasAdminConsoleScope(Scope.Value scope)
{
return identityServiceConfig.getAdminConsoleScopes().contains(scope.getValue());
} }
private String getRedirectUri(String requestURL) private String getRedirectUri(String requestURL)
@@ -263,7 +266,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
private AccessTokenAuthorization doRefreshAuthToken(String refreshToken) private AccessTokenAuthorization doRefreshAuthToken(String refreshToken)
{ {
AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize( AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
AuthorizationGrant.refreshToken(refreshToken)); AuthorizationGrant.refreshToken(refreshToken));
if (accessTokenAuthorization == null || accessTokenAuthorization.getAccessToken() == null) if (accessTokenAuthorization == null || accessTokenAuthorization.getAccessToken() == null)
{ {
throw new AuthenticationException("AccessTokenResponse is null or empty"); throw new AuthenticationException("AccessTokenResponse is null or empty");
@@ -284,7 +287,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
} }
public void setIdentityServiceFacade( public void setIdentityServiceFacade(
IdentityServiceFacade identityServiceFacade) IdentityServiceFacade identityServiceFacade)
{ {
this.identityServiceFacade = identityServiceFacade; this.identityServiceFacade = identityServiceFacade;
} }
@@ -295,13 +298,13 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
} }
public void setCookiesService( public void setCookiesService(
AdminConsoleAuthenticationCookiesService cookiesService) AdminConsoleAuthenticationCookiesService cookiesService)
{ {
this.cookiesService = cookiesService; this.cookiesService = cookiesService;
} }
public void setIdentityServiceConfig( public void setIdentityServiceConfig(
IdentityServiceConfig identityServiceConfig) IdentityServiceConfig identityServiceConfig)
{ {
this.identityServiceConfig = identityServiceConfig; this.identityServiceConfig = identityServiceConfig;
} }
@@ -316,4 +319,4 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
{ {
this.isEnabled = isEnabled; this.isEnabled = isEnabled;
} }
} }

66
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapper.java Normal file
View File

@@ -0,0 +1,66 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.identityservice.user;
import java.util.Optional;
import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
import org.apache.commons.lang3.StringUtils;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
public class AccessTokenToDecodedTokenUserMapper
{
private static final String DEFAULT_USERNAME_CLAIM = PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
private final UserInfoAttrMapping userInfoAttrMapping;
public AccessTokenToDecodedTokenUserMapper(UserInfoAttrMapping userInfoAttrMapping)
{
this.userInfoAttrMapping = userInfoAttrMapping;
}
/**
* Maps the given {@link IdentityServiceFacade.DecodedAccessToken} to a {@link DecodedTokenUser}.
*
* @param token
* the token to map
* @return the mapped {@link DecodedTokenUser} or {@link Optional#empty()} if the token does not contain a username claim
*/
public Optional<DecodedTokenUser> toDecodedTokenUser(IdentityServiceFacade.DecodedAccessToken token)
{
Object firstName = token.getClaim(userInfoAttrMapping.firstNameClaim());
Object lastName = token.getClaim(userInfoAttrMapping.lastNameClaim());
Object email = token.getClaim(userInfoAttrMapping.emailClaim());
return Optional.ofNullable(token.getClaim(Optional.ofNullable(userInfoAttrMapping.usernameClaim())
.filter(StringUtils::isNotBlank)
.orElse(DEFAULT_USERNAME_CLAIM)))
.filter(String.class::isInstance)
.map(String.class::cast)
.map(username -> DecodedTokenUser.validateAndCreate(username, firstName, lastName, email));
}
}

44
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/DecodedTokenUser.java Normal file
View File

@@ -0,0 +1,44 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.identityservice.user;
import java.util.Optional;
public record DecodedTokenUser(String username, String firstName, String lastName, String email)
{
private static final String EMPTY_STRING = "";
public static DecodedTokenUser validateAndCreate(String username, Object firstName, Object lastName, Object email)
{
return new DecodedTokenUser(username, getStringVal(firstName), getStringVal(lastName), getStringVal(email));
}
private static String getStringVal(Object firstName)
{
return Optional.ofNullable(firstName).filter(String.class::isInstance).map(String.class::cast).orElse(EMPTY_STRING);
}
}

2
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OIDCUserInfo.java → repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/OIDCUserInfo.java
View File

@@ -23,7 +23,7 @@
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice.user;
import java.util.stream.Stream; import java.util.stream.Stream;

76
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapper.java Normal file
View File

@@ -0,0 +1,76 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.identityservice.user;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.security.PersonService;
public class TokenUserToOIDCUserMapper
{
private final PersonService personService;
public TokenUserToOIDCUserMapper(PersonService personService)
{
this.personService = personService;
}
/**
* Maps a decoded token user to an OIDC user where the user id (username) is normalized.
*
* @param decodedTokenUser
* the decoded token user
* @return the OIDC user
*/
public OIDCUserInfo toOIDCUser(DecodedTokenUser decodedTokenUser)
{
return new OIDCUserInfo(usernameToUserId(decodedTokenUser.username()), decodedTokenUser.firstName(), decodedTokenUser.lastName(), decodedTokenUser.email());
}
/**
* Normalizes a username, taking into account existing user accounts and case sensitivity settings.
*
* @param caseSensitiveUserName
* the case-sensitive username
* @return the string
*/
private String usernameToUserId(final String caseSensitiveUserName)
{
if (caseSensitiveUserName == null)
{
return null;
}
String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>() {
@Override
public String doWork() throws Exception
{
return personService.getUserIdentifier(caseSensitiveUserName);
}
}, AuthenticationUtil.getSystemUserName());
return normalized == null ? caseSensitiveUserName : normalized;
}
}

41
repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/UserInfoAttrMapping.java Normal file
View File

@@ -0,0 +1,41 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.identityservice.user;
/**
* The UserInfoAttrMapping record represents the mapping of claims fetched from the UserInfo endpoint to create an Alfresco user.
*
* @param usernameClaim
* the claim that represents the username
* @param firstNameClaim
* the claim that represents the first name
* @param lastNameClaim
* the claim that represents the last name
* @param emailClaim
* the claim that represents the email
*/
public record UserInfoAttrMapping(String usernameClaim, String firstNameClaim, String lastNameClaim, String emailClaim)
{}

23
repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml
View File

@@ -149,6 +149,15 @@
<property name="principalAttribute"> <property name="principalAttribute">
<value>${identity-service.principal-attribute:preferred_username}</value> <value>${identity-service.principal-attribute:preferred_username}</value>
</property> </property>
<property name="firstNameAttribute">
<value>${identity-service.first-name-attribute:given_name}</value>
</property>
<property name="lastNameAttribute">
<value>${identity-service.last-name-attribute:family_name}</value>
</property>
<property name="emailAttribute">
<value>${identity-service.email-attribute:email}</value>
</property>
<property name="clientIdValidationDisabled"> <property name="clientIdValidationDisabled">
<value>${identity-service.client-id.validation.disabled:true}</value> <value>${identity-service.client-id.validation.disabled:true}</value>
</property> </property>
@@ -158,6 +167,18 @@
<property name="signatureAlgorithms"> <property name="signatureAlgorithms">
<value>${identity-service.signature-algorithms:RS256,PS256}</value> <value>${identity-service.signature-algorithms:RS256,PS256}</value>
</property> </property>
<property name="adminConsoleScopes">
<value>${identity-service.admin-console.scopes:openid,profile,email,offline_access}</value>
</property>
<property name="passwordGrantScopes">
<value>${identity-service.password-grant.scopes:openid,profile,email}</value>
</property>
<property name="issuerAttribute">
<value>${identity-service.issuer-attribute:issuer}</value>
</property>
<property name="jwtClockSkewMs">
<value>${identity-service.jwt-clock-skew-ms:0}</value>
</property>
</bean> </bean>
<!-- Enable control over mapping between request and user ID --> <!-- Enable control over mapping between request and user ID -->
@@ -219,4 +240,4 @@
<ref bean="transactionService" /> <ref bean="transactionService" />
</property> </property>
</bean> </bean>
</beans> </beans>

9
repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication.properties
View File

@@ -12,4 +12,11 @@ identity-service.resource=alfresco
identity-service.credentials.secret= identity-service.credentials.secret=
identity-service.public-client=true identity-service.public-client=true
identity-service.admin-console.redirect-path=/alfresco/s/admin/admin-communitysummary identity-service.admin-console.redirect-path=/alfresco/s/admin/admin-communitysummary
identity-service.signature-algorithms=RS256,PS256 identity-service.signature-algorithms=RS256,PS256
identity-service.first-name-attribute=given_name
identity-service.last-name-attribute=family_name
identity-service.email-attribute=email
identity-service.admin-console.scopes=openid,profile,email,offline_access
identity-service.password-grant.scopes=openid,profile,email
identity-service.issuer-attribute=issuer
identity-service.jwt-clock-skew-ms=0

447
repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
View File

@@ -4,27 +4,31 @@
* %% * %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited * Copyright (C) 2005 - 2025 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco; package org.alfresco;
import org.junit.experimental.categories.Categories;
import org.junit.runner.RunWith;
import org.junit.runners.Suite;
import org.alfresco.repo.security.authentication.identityservice.ClientRegistrationProviderUnitTest; import org.alfresco.repo.security.authentication.identityservice.ClientRegistrationProviderUnitTest;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBeanTest; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBeanTest;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceJITProvisioningHandlerUnitTest; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceJITProvisioningHandlerUnitTest;
@@ -33,237 +37,236 @@ import org.alfresco.repo.security.authentication.identityservice.SpringBasedIden
import org.alfresco.repo.security.authentication.identityservice.admin.AdminConsoleAuthenticationCookiesServiceUnitTest; import org.alfresco.repo.security.authentication.identityservice.admin.AdminConsoleAuthenticationCookiesServiceUnitTest;
import org.alfresco.repo.security.authentication.identityservice.admin.AdminConsoleHttpServletRequestWrapperUnitTest; import org.alfresco.repo.security.authentication.identityservice.admin.AdminConsoleHttpServletRequestWrapperUnitTest;
import org.alfresco.repo.security.authentication.identityservice.admin.IdentityServiceAdminConsoleAuthenticatorUnitTest; import org.alfresco.repo.security.authentication.identityservice.admin.IdentityServiceAdminConsoleAuthenticatorUnitTest;
import org.alfresco.repo.security.authentication.identityservice.user.AccessTokenToDecodedTokenUserMapperUnitTest;
import org.alfresco.repo.security.authentication.identityservice.user.TokenUserToOIDCUserMapperUnitTest;
import org.alfresco.util.testing.category.DBTests; import org.alfresco.util.testing.category.DBTests;
import org.alfresco.util.testing.category.NonBuildTests; import org.alfresco.util.testing.category.NonBuildTests;
import org.junit.experimental.categories.Categories;
import org.junit.runner.RunWith;
import org.junit.runners.Suite;
/** /**
* All Repository project UNIT test classes (no application context) should be added to this test suite. * All Repository project UNIT test classes (no application context) should be added to this test suite. Tests marked as DBTests are automatically excluded and are run as part of {@link AllDBTestsTestSuite}.
* Tests marked as DBTests are automatically excluded and are run as part of {@link AllDBTestsTestSuite}.
*/ */
@RunWith(Categories.class) @RunWith(Categories.class)
@Categories.ExcludeCategory({DBTests.class, NonBuildTests.class}) @Categories.ExcludeCategory({DBTests.class, NonBuildTests.class})
@Suite.SuiteClasses({ @Suite.SuiteClasses(value = {
org.alfresco.repo.site.SiteMembershipTest.class, org.alfresco.repo.site.SiteMembershipTest.class,
org.alfresco.encryption.EncryptorTest.class, org.alfresco.encryption.EncryptorTest.class,
org.alfresco.encryption.KeyStoreKeyProviderTest.class, org.alfresco.encryption.KeyStoreKeyProviderTest.class,
org.alfresco.filesys.config.ServerConfigurationBeanTest.class, org.alfresco.filesys.config.ServerConfigurationBeanTest.class,
org.alfresco.filesys.repo.rules.ShuffleTest.class, org.alfresco.filesys.repo.rules.ShuffleTest.class,
org.alfresco.opencmis.AlfrescoCmisExceptionInterceptorTest.class, org.alfresco.opencmis.AlfrescoCmisExceptionInterceptorTest.class,
org.alfresco.repo.admin.Log4JHierarchyInitTest.class, org.alfresco.repo.admin.Log4JHierarchyInitTest.class,
org.alfresco.repo.attributes.PropTablesCleanupJobTest.class, org.alfresco.repo.attributes.PropTablesCleanupJobTest.class,
org.alfresco.repo.cache.AbstractCacheFactoryTest.class, org.alfresco.repo.cache.AbstractCacheFactoryTest.class,
org.alfresco.repo.cache.DefaultCacheFactoryTest.class, org.alfresco.repo.cache.DefaultCacheFactoryTest.class,
org.alfresco.repo.cache.DefaultSimpleCacheTest.class, org.alfresco.repo.cache.DefaultSimpleCacheTest.class,
org.alfresco.repo.cache.InMemoryCacheStatisticsTest.class, org.alfresco.repo.cache.InMemoryCacheStatisticsTest.class,
org.alfresco.repo.cache.TransactionStatsTest.class, org.alfresco.repo.cache.TransactionStatsTest.class,
org.alfresco.repo.cache.lookup.EntityLookupCacheTest.class, org.alfresco.repo.cache.lookup.EntityLookupCacheTest.class,
org.alfresco.repo.calendar.CalendarHelpersTest.class, org.alfresco.repo.calendar.CalendarHelpersTest.class,
org.alfresco.repo.copy.CopyServiceImplUnitTest.class, org.alfresco.repo.copy.CopyServiceImplUnitTest.class,
org.alfresco.repo.dictionary.RepoDictionaryDAOTest.class, org.alfresco.repo.dictionary.RepoDictionaryDAOTest.class,
org.alfresco.repo.forms.processor.node.FieldProcessorTest.class, org.alfresco.repo.forms.processor.node.FieldProcessorTest.class,
org.alfresco.repo.forms.processor.workflow.TaskFormProcessorTest.class, org.alfresco.repo.forms.processor.workflow.TaskFormProcessorTest.class,
org.alfresco.repo.forms.processor.workflow.WorkflowFormProcessorTest.class, org.alfresco.repo.forms.processor.workflow.WorkflowFormProcessorTest.class,
org.alfresco.repo.invitation.site.InviteSenderTest.class, org.alfresco.repo.invitation.site.InviteSenderTest.class,
org.alfresco.repo.invitation.site.InviteModeratedSenderTest.class, org.alfresco.repo.invitation.site.InviteModeratedSenderTest.class,
org.alfresco.repo.jscript.ScriptSearchTest.class, org.alfresco.repo.jscript.ScriptSearchTest.class,
org.alfresco.repo.lock.LockUtilsTest.class, org.alfresco.repo.lock.LockUtilsTest.class,
org.alfresco.repo.lock.mem.LockStoreImplTest.class, org.alfresco.repo.lock.mem.LockStoreImplTest.class,
org.alfresco.repo.management.CheckRequiredClassesForLoggingConsoleUnitTest.class, org.alfresco.repo.management.CheckRequiredClassesForLoggingConsoleUnitTest.class,
org.alfresco.repo.management.subsystems.CryptodocSwitchableApplicationContextFactoryTest.class, org.alfresco.repo.management.subsystems.CryptodocSwitchableApplicationContextFactoryTest.class,
org.alfresco.repo.module.ModuleDetailsImplTest.class, org.alfresco.repo.module.ModuleDetailsImplTest.class,
org.alfresco.repo.module.ModuleVersionNumberTest.class, org.alfresco.repo.module.ModuleVersionNumberTest.class,
org.alfresco.repo.module.DeprecatedModulesValidatorTest.class, org.alfresco.repo.module.DeprecatedModulesValidatorTest.class,
org.alfresco.repo.node.integrity.IntegrityEventTest.class, org.alfresco.repo.node.integrity.IntegrityEventTest.class,
org.alfresco.repo.policy.MTPolicyComponentTest.class, org.alfresco.repo.policy.MTPolicyComponentTest.class,
org.alfresco.repo.policy.PolicyComponentTest.class, org.alfresco.repo.policy.PolicyComponentTest.class,
org.alfresco.repo.rendition.RenditionNodeManagerTest.class, org.alfresco.repo.rendition.RenditionNodeManagerTest.class,
org.alfresco.repo.rendition.RenditionServiceImplTest.class, org.alfresco.repo.rendition.RenditionServiceImplTest.class,
org.alfresco.repo.replication.ReplicationServiceImplTest.class, org.alfresco.repo.replication.ReplicationServiceImplTest.class,
org.alfresco.repo.rule.RuleServiceImplUnitTest.class, org.alfresco.repo.rule.RuleServiceImplUnitTest.class,
org.alfresco.repo.service.StoreRedirectorProxyFactoryTest.class, org.alfresco.repo.service.StoreRedirectorProxyFactoryTest.class,
org.alfresco.repo.site.RoleComparatorImplTest.class, org.alfresco.repo.site.RoleComparatorImplTest.class,
org.alfresco.repo.template.UnsafeMethodsTest.class, org.alfresco.repo.template.UnsafeMethodsTest.class,
org.alfresco.repo.tenant.MultiTAdminServiceImplTest.class, org.alfresco.repo.tenant.MultiTAdminServiceImplTest.class,
org.alfresco.repo.thumbnail.ThumbnailServiceImplParameterTest.class, org.alfresco.repo.thumbnail.ThumbnailServiceImplParameterTest.class,
org.alfresco.repo.transfer.ContentChunkerImplTest.class, org.alfresco.repo.transfer.ContentChunkerImplTest.class,
org.alfresco.repo.transfer.HttpClientTransmitterImplTest.class, org.alfresco.repo.transfer.HttpClientTransmitterImplTest.class,
org.alfresco.repo.transfer.manifest.TransferManifestTest.class, org.alfresco.repo.transfer.manifest.TransferManifestTest.class,
org.alfresco.repo.transfer.TransferVersionCheckerImplTest.class, org.alfresco.repo.transfer.TransferVersionCheckerImplTest.class,
org.alfresco.service.cmr.calendar.CalendarRecurrenceHelperTest.class, org.alfresco.service.cmr.calendar.CalendarRecurrenceHelperTest.class,
org.alfresco.service.cmr.calendar.CalendarTimezoneHelperTest.class, org.alfresco.service.cmr.calendar.CalendarTimezoneHelperTest.class,
org.alfresco.tools.RenameUserTest.class, org.alfresco.tools.RenameUserTest.class,
org.alfresco.util.VersionNumberTest.class, org.alfresco.util.VersionNumberTest.class,
org.alfresco.util.FileNameValidatorTest.class, org.alfresco.util.FileNameValidatorTest.class,
org.alfresco.util.HttpClientHelperTest.class, org.alfresco.util.HttpClientHelperTest.class,
org.alfresco.util.JSONtoFmModelTest.class, org.alfresco.util.JSONtoFmModelTest.class,
org.alfresco.util.ModelUtilTest.class, org.alfresco.util.ModelUtilTest.class,
org.alfresco.util.PropertyMapTest.class, org.alfresco.util.PropertyMapTest.class,
org.alfresco.util.ValueProtectingMapTest.class, org.alfresco.util.ValueProtectingMapTest.class,
org.alfresco.util.json.ExceptionJsonSerializerTest.class, org.alfresco.util.json.ExceptionJsonSerializerTest.class,
org.alfresco.util.collections.CollectionUtilsTest.class, org.alfresco.util.collections.CollectionUtilsTest.class,
org.alfresco.util.schemacomp.DbObjectXMLTransformerTest.class, org.alfresco.util.schemacomp.DbObjectXMLTransformerTest.class,
org.alfresco.util.schemacomp.DbPropertyTest.class, org.alfresco.util.schemacomp.DbPropertyTest.class,
org.alfresco.util.schemacomp.DefaultComparisonUtilsTest.class, org.alfresco.util.schemacomp.DefaultComparisonUtilsTest.class,
org.alfresco.util.schemacomp.DifferenceTest.class, org.alfresco.util.schemacomp.DifferenceTest.class,
org.alfresco.util.schemacomp.MultiFileDumperTest.class, org.alfresco.util.schemacomp.MultiFileDumperTest.class,
org.alfresco.util.schemacomp.RedundantDbObjectTest.class, org.alfresco.util.schemacomp.RedundantDbObjectTest.class,
org.alfresco.util.schemacomp.SchemaComparatorTest.class, org.alfresco.util.schemacomp.SchemaComparatorTest.class,
org.alfresco.util.schemacomp.SchemaToXMLTest.class, org.alfresco.util.schemacomp.SchemaToXMLTest.class,
org.alfresco.util.schemacomp.ValidatingVisitorTest.class, org.alfresco.util.schemacomp.ValidatingVisitorTest.class,
org.alfresco.util.schemacomp.ValidationResultTest.class, org.alfresco.util.schemacomp.ValidationResultTest.class,
org.alfresco.util.schemacomp.XMLToSchemaTest.class, org.alfresco.util.schemacomp.XMLToSchemaTest.class,
org.alfresco.util.schemacomp.model.ColumnTest.class, org.alfresco.util.schemacomp.model.ColumnTest.class,
org.alfresco.util.schemacomp.model.ForeignKeyTest.class, org.alfresco.util.schemacomp.model.ForeignKeyTest.class,
org.alfresco.util.schemacomp.model.IndexTest.class, org.alfresco.util.schemacomp.model.IndexTest.class,
org.alfresco.util.schemacomp.model.PrimaryKeyTest.class, org.alfresco.util.schemacomp.model.PrimaryKeyTest.class,
org.alfresco.util.schemacomp.model.SchemaTest.class, org.alfresco.util.schemacomp.model.SchemaTest.class,
org.alfresco.util.schemacomp.model.SequenceTest.class, org.alfresco.util.schemacomp.model.SequenceTest.class,
org.alfresco.util.schemacomp.model.TableTest.class, org.alfresco.util.schemacomp.model.TableTest.class,
org.alfresco.util.schemacomp.validator.IndexColumnsValidatorTest.class, org.alfresco.util.schemacomp.validator.IndexColumnsValidatorTest.class,
org.alfresco.util.schemacomp.validator.NameValidatorTest.class, org.alfresco.util.schemacomp.validator.NameValidatorTest.class,
org.alfresco.util.schemacomp.validator.SchemaVersionValidatorTest.class, org.alfresco.util.schemacomp.validator.SchemaVersionValidatorTest.class,
org.alfresco.util.schemacomp.validator.TypeNameOnlyValidatorTest.class, org.alfresco.util.schemacomp.validator.TypeNameOnlyValidatorTest.class,
org.alfresco.util.test.OmittedTestClassFinderUnitTest.class, org.alfresco.util.test.OmittedTestClassFinderUnitTest.class,
org.alfresco.util.test.junitrules.RetryAtMostRuleTest.class, org.alfresco.util.test.junitrules.RetryAtMostRuleTest.class,
org.alfresco.util.test.junitrules.TemporaryMockOverrideTest.class, org.alfresco.util.test.junitrules.TemporaryMockOverrideTest.class,
org.alfresco.repo.search.impl.solr.AbstractSolrQueryHTTPClientTest.class, org.alfresco.repo.search.impl.solr.AbstractSolrQueryHTTPClientTest.class,
org.alfresco.repo.search.impl.solr.SpellCheckDecisionManagerTest.class, org.alfresco.repo.search.impl.solr.SpellCheckDecisionManagerTest.class,
org.alfresco.repo.search.impl.solr.SolrStoreMappingWrapperTest.class, org.alfresco.repo.search.impl.solr.SolrStoreMappingWrapperTest.class,
org.alfresco.repo.search.impl.querymodel.impl.db.DBQueryEngineTest.class, org.alfresco.repo.search.impl.querymodel.impl.db.DBQueryEngineTest.class,
org.alfresco.repo.search.impl.querymodel.impl.db.NodePermissionAssessorLimitsTest.class, org.alfresco.repo.search.impl.querymodel.impl.db.NodePermissionAssessorLimitsTest.class,
org.alfresco.repo.search.impl.querymodel.impl.db.NodePermissionAssessorPermissionsTest.class, org.alfresco.repo.search.impl.querymodel.impl.db.NodePermissionAssessorPermissionsTest.class,
org.alfresco.repo.search.impl.solr.DbOrIndexSwitchingQueryLanguageTest.class, org.alfresco.repo.search.impl.solr.DbOrIndexSwitchingQueryLanguageTest.class,
org.alfresco.repo.search.impl.solr.SolrQueryHTTPClientTest.class, org.alfresco.repo.search.impl.solr.SolrQueryHTTPClientTest.class,
org.alfresco.repo.search.impl.solr.SolrSQLHttpClientTest.class, org.alfresco.repo.search.impl.solr.SolrSQLHttpClientTest.class,
org.alfresco.repo.search.impl.solr.SolrStatsResultTest.class, org.alfresco.repo.search.impl.solr.SolrStatsResultTest.class,
org.alfresco.repo.search.impl.solr.SolrJSONResultTest.class, org.alfresco.repo.search.impl.solr.SolrJSONResultTest.class,
org.alfresco.repo.search.impl.solr.SolrSQLJSONResultMetadataSetTest.class, org.alfresco.repo.search.impl.solr.SolrSQLJSONResultMetadataSetTest.class,
org.alfresco.repo.search.impl.solr.facet.SolrFacetComparatorTest.class, org.alfresco.repo.search.impl.solr.facet.SolrFacetComparatorTest.class,
org.alfresco.repo.search.impl.solr.facet.FacetQNameUtilsTest.class, org.alfresco.repo.search.impl.solr.facet.FacetQNameUtilsTest.class,
org.alfresco.util.BeanExtenderUnitTest.class, org.alfresco.util.BeanExtenderUnitTest.class,
org.alfresco.repo.solr.SOLRTrackingComponentUnitTest.class, org.alfresco.repo.solr.SOLRTrackingComponentUnitTest.class,
IdentityServiceFacadeFactoryBeanTest.class, IdentityServiceFacadeFactoryBeanTest.class,
LazyInstantiatingIdentityServiceFacadeUnitTest.class, LazyInstantiatingIdentityServiceFacadeUnitTest.class,
SpringBasedIdentityServiceFacadeUnitTest.class, SpringBasedIdentityServiceFacadeUnitTest.class,
IdentityServiceJITProvisioningHandlerUnitTest.class, IdentityServiceJITProvisioningHandlerUnitTest.class,
AdminConsoleAuthenticationCookiesServiceUnitTest.class, AccessTokenToDecodedTokenUserMapperUnitTest.class,
AdminConsoleHttpServletRequestWrapperUnitTest.class, TokenUserToOIDCUserMapperUnitTest.class,
IdentityServiceAdminConsoleAuthenticatorUnitTest.class, AdminConsoleAuthenticationCookiesServiceUnitTest.class,
ClientRegistrationProviderUnitTest.class, AdminConsoleHttpServletRequestWrapperUnitTest.class,
org.alfresco.repo.security.authentication.CompositePasswordEncoderTest.class, IdentityServiceAdminConsoleAuthenticatorUnitTest.class,
org.alfresco.repo.security.authentication.PasswordHashingTest.class, ClientRegistrationProviderUnitTest.class,
org.alfresco.repo.security.authority.script.ScriptAuthorityService_RegExTest.class, org.alfresco.repo.security.authentication.CompositePasswordEncoderTest.class,
org.alfresco.repo.security.permissions.PermissionCheckCollectionTest.class, org.alfresco.repo.security.authentication.PasswordHashingTest.class,
org.alfresco.repo.security.sync.LDAPUserRegistryTest.class, org.alfresco.repo.security.authority.script.ScriptAuthorityService_RegExTest.class,
org.alfresco.traitextender.TraitExtenderIntegrationTest.class, org.alfresco.repo.security.permissions.PermissionCheckCollectionTest.class,
org.alfresco.traitextender.AJExtensionsCompileTest.class, org.alfresco.repo.security.sync.LDAPUserRegistryTest.class,
org.alfresco.traitextender.TraitExtenderIntegrationTest.class,
org.alfresco.traitextender.AJExtensionsCompileTest.class,
org.alfresco.repo.virtual.page.PageCollatorTest.class, org.alfresco.repo.virtual.page.PageCollatorTest.class,
org.alfresco.repo.virtual.ref.GetChildByIdMethodTest.class, org.alfresco.repo.virtual.ref.GetChildByIdMethodTest.class,
org.alfresco.repo.virtual.ref.GetParentReferenceMethodTest.class, org.alfresco.repo.virtual.ref.GetParentReferenceMethodTest.class,
org.alfresco.repo.virtual.ref.NewVirtualReferenceMethodTest.class, org.alfresco.repo.virtual.ref.NewVirtualReferenceMethodTest.class,
org.alfresco.repo.virtual.ref.PlainReferenceParserTest.class, org.alfresco.repo.virtual.ref.PlainReferenceParserTest.class,
org.alfresco.repo.virtual.ref.PlainStringifierTest.class, org.alfresco.repo.virtual.ref.PlainStringifierTest.class,
org.alfresco.repo.virtual.ref.ProtocolTest.class, org.alfresco.repo.virtual.ref.ProtocolTest.class,
org.alfresco.repo.virtual.ref.ReferenceTest.class, org.alfresco.repo.virtual.ref.ReferenceTest.class,
org.alfresco.repo.virtual.ref.ResourceParameterTest.class, org.alfresco.repo.virtual.ref.ResourceParameterTest.class,
org.alfresco.repo.virtual.ref.StringParameterTest.class, org.alfresco.repo.virtual.ref.StringParameterTest.class,
org.alfresco.repo.virtual.ref.VirtualProtocolTest.class, org.alfresco.repo.virtual.ref.VirtualProtocolTest.class,
org.alfresco.repo.virtual.store.ReferenceComparatorTest.class, org.alfresco.repo.virtual.store.ReferenceComparatorTest.class,
org.alfresco.repo.virtual.ref.ZeroReferenceParserTest.class, org.alfresco.repo.virtual.ref.ZeroReferenceParserTest.class,
org.alfresco.repo.virtual.ref.ZeroStringifierTest.class, org.alfresco.repo.virtual.ref.ZeroStringifierTest.class,
org.alfresco.repo.virtual.ref.HashStringifierTest.class, org.alfresco.repo.virtual.ref.HashStringifierTest.class,
org.alfresco.repo.virtual.ref.NodeRefRadixHasherTest.class, org.alfresco.repo.virtual.ref.NodeRefRadixHasherTest.class,
org.alfresco.repo.virtual.ref.NumericPathHasherTest.class, org.alfresco.repo.virtual.ref.NumericPathHasherTest.class,
org.alfresco.repo.virtual.ref.StoredPathHasherTest.class, org.alfresco.repo.virtual.ref.StoredPathHasherTest.class,
org.alfresco.repo.virtual.template.VirtualQueryImplTest.class, org.alfresco.repo.virtual.template.VirtualQueryImplTest.class,
org.alfresco.repo.virtual.store.TypeVirtualizationMethodUnitTest.class, org.alfresco.repo.virtual.store.TypeVirtualizationMethodUnitTest.class,
org.alfresco.repo.security.authentication.AuthenticationServiceImplTest.class, org.alfresco.repo.security.authentication.AuthenticationServiceImplTest.class,
org.alfresco.util.EmailHelperTest.class, org.alfresco.util.EmailHelperTest.class,
org.alfresco.repo.action.ParameterDefinitionImplTest.class, org.alfresco.repo.action.ParameterDefinitionImplTest.class,
org.alfresco.repo.action.ActionDefinitionImplTest.class, org.alfresco.repo.action.ActionDefinitionImplTest.class,
org.alfresco.repo.action.ActionConditionDefinitionImplTest.class, org.alfresco.repo.action.ActionConditionDefinitionImplTest.class,
org.alfresco.repo.action.ActionImplTest.class, org.alfresco.repo.action.ActionImplTest.class,
org.alfresco.repo.action.ActionConditionImplTest.class, org.alfresco.repo.action.ActionConditionImplTest.class,
org.alfresco.repo.action.CompositeActionImplTest.class, org.alfresco.repo.action.CompositeActionImplTest.class,
org.alfresco.repo.action.CompositeActionConditionImplTest.class, org.alfresco.repo.action.CompositeActionConditionImplTest.class,
org.alfresco.repo.action.executer.TransformActionExecuterTest.class, org.alfresco.repo.action.executer.TransformActionExecuterTest.class,
org.alfresco.repo.action.executer.ImporterActionExecutorUnitTest.class, org.alfresco.repo.action.executer.ImporterActionExecutorUnitTest.class,
org.alfresco.repo.audit.AuditableAnnotationTest.class, org.alfresco.repo.audit.AuditableAnnotationTest.class,
org.alfresco.repo.audit.PropertyAuditFilterTest.class, org.alfresco.repo.audit.PropertyAuditFilterTest.class,
org.alfresco.repo.audit.access.NodeChangeTest.class, org.alfresco.repo.audit.access.NodeChangeTest.class,
org.alfresco.repo.content.ContentServiceImplUnitTest.class, org.alfresco.repo.content.ContentServiceImplUnitTest.class,
org.alfresco.repo.content.directurl.SystemWideDirectUrlConfigUnitTest.class, org.alfresco.repo.content.directurl.SystemWideDirectUrlConfigUnitTest.class,
org.alfresco.repo.content.directurl.ContentStoreDirectUrlConfigUnitTest.class, org.alfresco.repo.content.directurl.ContentStoreDirectUrlConfigUnitTest.class,
org.alfresco.repo.content.LimitedStreamCopierTest.class, org.alfresco.repo.content.LimitedStreamCopierTest.class,
org.alfresco.repo.content.filestore.FileIOTest.class, org.alfresco.repo.content.filestore.FileIOTest.class,
org.alfresco.repo.content.filestore.SpoofedTextContentReaderTest.class, org.alfresco.repo.content.filestore.SpoofedTextContentReaderTest.class,
org.alfresco.repo.content.ContentDataTest.class, org.alfresco.repo.content.ContentDataTest.class,
org.alfresco.repo.content.replication.AggregatingContentStoreUnitTest.class, org.alfresco.repo.content.replication.AggregatingContentStoreUnitTest.class,
org.alfresco.service.cmr.repository.TransformationOptionLimitsTest.class, org.alfresco.service.cmr.repository.TransformationOptionLimitsTest.class,
org.alfresco.service.cmr.repository.TransformationOptionPairTest.class, org.alfresco.service.cmr.repository.TransformationOptionPairTest.class,
org.alfresco.repo.content.transform.TransformerConfigTestSuite.class, org.alfresco.repo.content.transform.TransformerConfigTestSuite.class,
org.alfresco.repo.content.transform.TransformerDebugTest.class, org.alfresco.repo.content.transform.TransformerDebugTest.class,
org.alfresco.service.cmr.repository.TemporalSourceOptionsTest.class, org.alfresco.service.cmr.repository.TemporalSourceOptionsTest.class,
org.alfresco.repo.content.metadata.MetadataExtracterLimitsTest.class, org.alfresco.repo.content.metadata.MetadataExtracterLimitsTest.class,
org.alfresco.repo.content.caching.quota.StandardQuotaStrategyMockTest.class, org.alfresco.repo.content.caching.quota.StandardQuotaStrategyMockTest.class,
org.alfresco.repo.content.caching.quota.UnlimitedQuotaStrategyTest.class, org.alfresco.repo.content.caching.quota.UnlimitedQuotaStrategyTest.class,
org.alfresco.repo.content.caching.CachingContentStoreTest.class, org.alfresco.repo.content.caching.CachingContentStoreTest.class,
org.alfresco.repo.content.caching.ContentCacheImplTest.class, org.alfresco.repo.content.caching.ContentCacheImplTest.class,
org.alfresco.repo.domain.permissions.FixedAclUpdaterUnitTest.class, org.alfresco.repo.domain.permissions.FixedAclUpdaterUnitTest.class,
org.alfresco.repo.domain.propval.PropertyTypeConverterTest.class, org.alfresco.repo.domain.propval.PropertyTypeConverterTest.class,
org.alfresco.repo.domain.schema.script.ScriptBundleExecutorImplTest.class, org.alfresco.repo.domain.schema.script.ScriptBundleExecutorImplTest.class,
org.alfresco.repo.search.MLAnaysisModeExpansionTest.class, org.alfresco.repo.search.MLAnaysisModeExpansionTest.class,
org.alfresco.repo.search.DocumentNavigatorTest.class, org.alfresco.repo.search.DocumentNavigatorTest.class,
org.alfresco.util.NumericEncodingTest.class, org.alfresco.util.NumericEncodingTest.class,
org.alfresco.repo.search.impl.parsers.CMIS_FTSTest.class, org.alfresco.repo.search.impl.parsers.CMIS_FTSTest.class,
org.alfresco.repo.search.impl.parsers.CMISTest.class, org.alfresco.repo.search.impl.parsers.CMISTest.class,
org.alfresco.repo.search.impl.parsers.FTSTest.class, org.alfresco.repo.search.impl.parsers.FTSTest.class,
org.alfresco.repo.security.authentication.AlfrescoSSLSocketFactoryTest.class, org.alfresco.repo.security.authentication.AlfrescoSSLSocketFactoryTest.class,
org.alfresco.repo.security.authentication.AuthorizationTest.class, org.alfresco.repo.security.authentication.AuthorizationTest.class,
org.alfresco.repo.security.permissions.PermissionCheckedCollectionTest.class, org.alfresco.repo.security.permissions.PermissionCheckedCollectionTest.class,
org.alfresco.repo.security.permissions.impl.acegi.FilteringResultSetTest.class, org.alfresco.repo.security.permissions.impl.acegi.FilteringResultSetTest.class,
org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtilsTest.class, org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterUtilsTest.class,
org.alfresco.repo.security.authentication.ChainingAuthenticationServiceTest.class, org.alfresco.repo.security.authentication.ChainingAuthenticationServiceTest.class,
org.alfresco.repo.security.authentication.NameBasedUserNameGeneratorTest.class, org.alfresco.repo.security.authentication.NameBasedUserNameGeneratorTest.class,
org.alfresco.repo.version.common.VersionImplTest.class, org.alfresco.repo.version.common.VersionImplTest.class,
org.alfresco.repo.version.common.VersionHistoryImplTest.class, org.alfresco.repo.version.common.VersionHistoryImplTest.class,
org.alfresco.repo.version.common.versionlabel.SerialVersionLabelPolicyTest.class, org.alfresco.repo.version.common.versionlabel.SerialVersionLabelPolicyTest.class,
org.alfresco.repo.workflow.activiti.WorklfowObjectFactoryTest.class, org.alfresco.repo.workflow.activiti.WorklfowObjectFactoryTest.class,
org.alfresco.repo.workflow.activiti.properties.ActivitiPriorityPropertyHandlerTest.class, org.alfresco.repo.workflow.activiti.properties.ActivitiPriorityPropertyHandlerTest.class,
org.alfresco.repo.workflow.WorkflowSuiteContextShutdownTest.class, org.alfresco.repo.workflow.WorkflowSuiteContextShutdownTest.class,
org.alfresco.repo.search.LuceneUtilsTest.class, org.alfresco.repo.search.LuceneUtilsTest.class,
org.alfresco.heartbeat.HBDataCollectorServiceImplTest.class, org.alfresco.heartbeat.HBDataCollectorServiceImplTest.class,
org.alfresco.heartbeat.jobs.LockingJobTest.class, org.alfresco.heartbeat.jobs.LockingJobTest.class,
org.alfresco.heartbeat.jobs.QuartzJobSchedulerTest.class, org.alfresco.heartbeat.jobs.QuartzJobSchedulerTest.class,
org.alfresco.heartbeat.AuthoritiesDataCollectorTest.class, org.alfresco.heartbeat.AuthoritiesDataCollectorTest.class,
org.alfresco.heartbeat.ConfigurationDataCollectorTest.class, org.alfresco.heartbeat.ConfigurationDataCollectorTest.class,
org.alfresco.heartbeat.InfoDataCollectorTest.class, org.alfresco.heartbeat.InfoDataCollectorTest.class,
org.alfresco.heartbeat.ModelUsageDataCollectorTest.class, org.alfresco.heartbeat.ModelUsageDataCollectorTest.class,
org.alfresco.heartbeat.SessionsUsageDataCollectorTest.class, org.alfresco.heartbeat.SessionsUsageDataCollectorTest.class,
org.alfresco.heartbeat.SystemUsageDataCollectorTest.class, org.alfresco.heartbeat.SystemUsageDataCollectorTest.class,
org.alfresco.util.BeanExtenderUnitTest.class, org.alfresco.util.BeanExtenderUnitTest.class,
org.alfresco.util.bean.HierarchicalBeanLoaderTest.class, org.alfresco.util.bean.HierarchicalBeanLoaderTest.class,
org.alfresco.util.resource.HierarchicalResourceLoaderTest.class, org.alfresco.util.resource.HierarchicalResourceLoaderTest.class,
org.alfresco.repo.events.ClientUtilTest.class, org.alfresco.repo.events.ClientUtilTest.class,
org.alfresco.repo.rendition2.RenditionService2Test.class, org.alfresco.repo.rendition2.RenditionService2Test.class,
org.alfresco.repo.rendition2.TransformationOptionsConverterTest.class, org.alfresco.repo.rendition2.TransformationOptionsConverterTest.class,
org.alfresco.repo.event2.RepoEvent2UnitSuite.class, org.alfresco.repo.event2.RepoEvent2UnitSuite.class,
org.alfresco.util.schemacomp.SchemaDifferenceHelperUnitTest.class, org.alfresco.util.schemacomp.SchemaDifferenceHelperUnitTest.class,
org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class, org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class,
org.alfresco.repo.serviceaccount.ServiceAccountRegistryImplTest.class org.alfresco.repo.serviceaccount.ServiceAccountRegistryImplTest.class
}) })
public class AllUnitTestsSuite public class AllUnitTestsSuite
{ {}
}

83
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/ClientRegistrationProviderUnitTest.java
View File

@@ -38,8 +38,7 @@ import java.util.Set;
import com.nimbusds.oauth2.sdk.ParseException; import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope; import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import net.minidev.json.JSONObject;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean.ClientRegistrationProvider;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.ArgumentCaptor; import org.mockito.ArgumentCaptor;
@@ -51,12 +50,17 @@ import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean.ClientRegistrationProvider;
public class ClientRegistrationProviderUnitTest public class ClientRegistrationProviderUnitTest
{ {
private static final String CLIENT_ID = "alfresco"; private static final String CLIENT_ID = "alfresco";
private static final String OPENID_CONFIGURATION = "{\"token_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/token\",\"token_endpoint_auth_methods_supported\":[\"client_secret_post\",\"private_key_jwt\",\"client_secret_basic\"],\"jwks_uri\":\"https://login.serviceonline.alfresco/common/discovery/v2.0/keys\",\"response_modes_supported\":[\"query\",\"fragment\",\"form_post\"],\"subject_types_supported\":[\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"RS256\"],\"response_types_supported\":[\"code\",\"id_token\",\"code id_token\",\"id_token token\"],\"scopes_supported\":[\"openid\",\"profile\",\"email\",\"offline_access\"],\"issuer\":\"https://login.serviceonline.alfresco/alfresco/v2.0\",\"request_uri_parameter_supported\":false,\"userinfo_endpoint\":\"https://graph.service.alfresco/oidc/userinfo\",\"authorization_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/authorize\",\"device_authorization_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/devicecode\",\"http_logout_supported\":true,\"frontchannel_logout_supported\":true,\"end_session_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/logout\",\"claims_supported\":[\"sub\",\"iss\",\"cloud_instance_name\",\"cloud_instance_host_name\",\"cloud_graph_host_name\",\"msgraph_host\",\"aud\",\"exp\",\"iat\",\"auth_time\",\"acr\",\"nonce\",\"preferred_username\",\"name\",\"tid\",\"ver\",\"at_hash\",\"c_hash\",\"email\"],\"kerberos_endpoint\":\"https://login.serviceonline.alfresco/common/kerberos\",\"tenant_region_scope\":null,\"cloud_instance_name\":\"serviceonline.alfresco\",\"cloud_graph_host_name\":\"graph.oidc.net\",\"msgraph_host\":\"graph.service.alfresco\",\"rbac_url\":\"https://pas.oidc.alfresco\"}"; private static final String OPENID_CONFIGURATION = "{\"token_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/token\",\"token_endpoint_auth_methods_supported\":[\"client_secret_post\",\"private_key_jwt\",\"client_secret_basic\"],\"jwks_uri\":\"https://login.serviceonline.alfresco/common/discovery/v2.0/keys\",\"response_modes_supported\":[\"query\",\"fragment\",\"form_post\"],\"subject_types_supported\":[\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"RS256\"],\"response_types_supported\":[\"code\",\"id_token\",\"code id_token\",\"id_token token\"],\"scopes_supported\":[\"openid\",\"profile\",\"email\",\"offline_access\"],\"issuer\":\"https://login.serviceonline.alfresco/alfresco/v2.0\",\"request_uri_parameter_supported\":false,\"userinfo_endpoint\":\"https://graph.service.alfresco/oidc/userinfo\",\"authorization_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/authorize\",\"device_authorization_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/devicecode\",\"http_logout_supported\":true,\"frontchannel_logout_supported\":true,\"end_session_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/logout\",\"claims_supported\":[\"sub\",\"iss\",\"cloud_instance_name\",\"cloud_instance_host_name\",\"cloud_graph_host_name\",\"msgraph_host\",\"aud\",\"exp\",\"iat\",\"auth_time\",\"acr\",\"nonce\",\"preferred_username\",\"name\",\"tid\",\"ver\",\"at_hash\",\"c_hash\",\"email\"],\"kerberos_endpoint\":\"https://login.serviceonline.alfresco/common/kerberos\",\"tenant_region_scope\":null,\"cloud_instance_name\":\"serviceonline.alfresco\",\"cloud_graph_host_name\":\"graph.oidc.net\",\"msgraph_host\":\"graph.service.alfresco\",\"rbac_url\":\"https://pas.oidc.alfresco\"}";
private static final String DISCOVERY_PATH_SEGMENTS = "/.well-known/openid-configuration"; private static final String DISCOVERY_PATH_SEGMENTS = "/.well-known/openid-configuration";
private static final String AUTH_SERVER = "https://login.serviceonline.alfresco"; private static final String AUTH_SERVER = "https://login.serviceonline.alfresco";
private static final String ADMIN_CONSOLE_SCOPES = "openid,email,profile,offline_access";
private static final String PSSWD_GRANT_SCOPES = "openid,email,profile";
private static final String ISSUER_ATRR = "issuer";
private IdentityServiceConfig config; private IdentityServiceConfig config;
private RestTemplate restTemplate; private RestTemplate restTemplate;
@@ -70,6 +74,9 @@ public class ClientRegistrationProviderUnitTest
config = new IdentityServiceConfig(); config = new IdentityServiceConfig();
config.setAuthServerUrl(AUTH_SERVER); config.setAuthServerUrl(AUTH_SERVER);
config.setResource(CLIENT_ID); config.setResource(CLIENT_ID);
config.setAdminConsoleScopes(ADMIN_CONSOLE_SCOPES);
config.setPasswordGrantScopes(PSSWD_GRANT_SCOPES);
config.setIssuerAttribute(ISSUER_ATRR);
restTemplate = mock(RestTemplate.class); restTemplate = mock(RestTemplate.class);
ResponseEntity responseEntity = mock(ResponseEntity.class); ResponseEntity responseEntity = mock(ResponseEntity.class);
@@ -90,7 +97,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration( ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
restTemplate); restTemplate);
assertThat(clientRegistration).isNotNull(); assertThat(clientRegistration).isNotNull();
assertThat(clientRegistration.getClientId()).isNotNull(); assertThat(clientRegistration.getClientId()).isNotNull();
assertThat(clientRegistration.getProviderDetails().getAuthorizationUri()).isNotNull(); assertThat(clientRegistration.getProviderDetails().getAuthorizationUri()).isNotNull();
@@ -99,7 +106,7 @@ public class ClientRegistrationProviderUnitTest
assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint()).isNotNull(); assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint()).isNotNull();
assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isNotNull(); assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isNotNull();
assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo( assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo(
AUTH_SERVER + DISCOVERY_PATH_SEGMENTS); AUTH_SERVER + DISCOVERY_PATH_SEGMENTS);
} }
} }
@@ -112,7 +119,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration( ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
restTemplate); restTemplate);
assertThat(clientRegistration).isNotNull(); assertThat(clientRegistration).isNotNull();
assertThat(clientRegistration.getClientId()).isNotNull(); assertThat(clientRegistration.getClientId()).isNotNull();
assertThat(clientRegistration.getProviderDetails().getAuthorizationUri()).isNotNull(); assertThat(clientRegistration.getProviderDetails().getAuthorizationUri()).isNotNull();
@@ -121,7 +128,7 @@ public class ClientRegistrationProviderUnitTest
assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint()).isNotNull(); assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint()).isNotNull();
assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isNotNull(); assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isNotNull();
assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo( assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo(
AUTH_SERVER + DISCOVERY_PATH_SEGMENTS); AUTH_SERVER + DISCOVERY_PATH_SEGMENTS);
} }
} }
@@ -134,7 +141,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
assertThrows(IdentityServiceException.class, assertThrows(IdentityServiceException.class,
() -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate)); () -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate));
} }
} }
@@ -148,7 +155,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
assertThrows(IdentityServiceException.class, assertThrows(IdentityServiceException.class,
() -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate)); () -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate));
} }
} }
@@ -161,7 +168,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
assertThrows(IdentityServiceException.class, assertThrows(IdentityServiceException.class,
() -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate)); () -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate));
} }
} }
@@ -174,7 +181,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
assertThrows(IdentityServiceException.class, assertThrows(IdentityServiceException.class,
() -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate)); () -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate));
} }
} }
@@ -187,7 +194,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
assertThrows(IdentityServiceException.class, assertThrows(IdentityServiceException.class,
() -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate)); () -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate));
} }
} }
@@ -200,7 +207,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
assertThrows(IdentityServiceException.class, assertThrows(IdentityServiceException.class,
() -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate)); () -> new ClientRegistrationProvider(config).createClientRegistration(restTemplate));
} }
} }
@@ -215,7 +222,7 @@ public class ClientRegistrationProviderUnitTest
new ClientRegistrationProvider(config).createClientRegistration(restTemplate); new ClientRegistrationProvider(config).createClientRegistration(restTemplate);
assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo( assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo(
AUTH_SERVER + "/realms/alfresco" + DISCOVERY_PATH_SEGMENTS); AUTH_SERVER + "/realms/alfresco" + DISCOVERY_PATH_SEGMENTS);
} }
} }
@@ -227,10 +234,10 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration( ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
restTemplate); restTemplate);
assertThat( assertThat(
clientRegistration.getScopes().containsAll( clientRegistration.getScopes().containsAll(
Set.of("openid", "profile", "email"))).isTrue(); Set.of("openid", "profile", "email"))).isTrue();
} }
} }
@@ -243,7 +250,7 @@ public class ClientRegistrationProviderUnitTest
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse); providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration( ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
restTemplate); restTemplate);
assertThat(clientRegistration.getScopes().size()).isEqualTo(1); assertThat(clientRegistration.getScopes().size()).isEqualTo(1);
assertThat(clientRegistration.getScopes().stream().findFirst().get()).isEqualTo("openid"); assertThat(clientRegistration.getScopes().stream().findFirst().get()).isEqualTo("openid");
} }
@@ -260,7 +267,45 @@ public class ClientRegistrationProviderUnitTest
new ClientRegistrationProvider(config).createClientRegistration(restTemplate); new ClientRegistrationProvider(config).createClientRegistration(restTemplate);
assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo( assertThat(requestEntityCaptor.getValue().getUrl().toASCIIString()).isEqualTo(
"https://login.serviceonline.alfresco/alfresco/v2.0" + DISCOVERY_PATH_SEGMENTS); "https://login.serviceonline.alfresco/alfresco/v2.0" + DISCOVERY_PATH_SEGMENTS);
} }
} }
}
@Test
public void shouldUseDefaultIssuerAttribute()
{
config.setIssuerUrl(null);
try (MockedStatic<OIDCProviderMetadata> providerMetadata = Mockito.mockStatic(OIDCProviderMetadata.class))
{
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
restTemplate);
assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isEqualTo("https://login.serviceonline.alfresco/alfresco/v2.0");
}
}
@Test
public void shouldUseCustomIssuerAttribute()
{
try (MockedStatic<OIDCProviderMetadata> providerMetadata = Mockito.mockStatic(OIDCProviderMetadata.class))
{
config.setIssuerAttribute("access_token_issuer");
when(oidcResponse.getCustomParameters()).thenReturn(createJSONObject("access_token_issuer", "https://login.serviceonline.alfresco/alfresco/v2.0/at_trust"));
providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
restTemplate);
assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isEqualTo("https://login.serviceonline.alfresco/alfresco/v2.0/at_trust");
}
}
private static JSONObject createJSONObject(String fieldName, String fieldValue)
{
JSONObject jsonObject = new JSONObject();
jsonObject.appendField(fieldName, fieldValue);
return jsonObject;
}
}

345
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java
View File

@@ -1,172 +1,173 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2023 Alfresco Software Limited * Copyright (C) 2005 - 2025 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import static org.mockito.Mockito.doThrow; import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import java.net.ConnectException; import java.net.ConnectException;
import java.util.Optional; import java.util.Optional;
import org.alfresco.error.ExceptionStackUtil; import org.junit.After;
import org.alfresco.repo.security.authentication.AuthenticationContext; import org.junit.Before;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.junit.Test;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization; import org.springframework.beans.factory.annotation.Autowired;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant; import org.alfresco.error.ExceptionStackUtil;
import org.alfresco.repo.security.sync.UserRegistrySynchronizer; import org.alfresco.repo.security.authentication.AuthenticationContext;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.service.cmr.security.PersonService; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
import org.alfresco.service.transaction.TransactionService; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.alfresco.util.BaseSpringTest; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
import org.junit.After; import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
import org.junit.Before; import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
import org.junit.Test; import org.alfresco.service.cmr.repository.NodeService;
import org.springframework.beans.factory.annotation.Autowired; import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest import org.alfresco.util.BaseSpringTest;
{
private final IdentityServiceAuthenticationComponent authComponent = new IdentityServiceAuthenticationComponent(); public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
{
@Autowired private final IdentityServiceAuthenticationComponent authComponent = new IdentityServiceAuthenticationComponent();
private AuthenticationContext authenticationContext;
@Autowired
@Autowired private AuthenticationContext authenticationContext;
private TransactionService transactionService;
@Autowired
@Autowired private TransactionService transactionService;
private UserRegistrySynchronizer userRegistrySynchronizer;
@Autowired
@Autowired private UserRegistrySynchronizer userRegistrySynchronizer;
private NodeService nodeService;
@Autowired
@Autowired private NodeService nodeService;
private PersonService personService;
@Autowired
private PersonService personService;
private IdentityServiceJITProvisioningHandler jitProvisioning;
private IdentityServiceFacade mockIdentityServiceFacade; private IdentityServiceJITProvisioningHandler jitProvisioning;
private IdentityServiceFacade mockIdentityServiceFacade;
@Before
public void setUp() @Before
{ public void setUp()
authComponent.setAuthenticationContext(authenticationContext); {
authComponent.setTransactionService(transactionService); authComponent.setAuthenticationContext(authenticationContext);
authComponent.setUserRegistrySynchronizer(userRegistrySynchronizer); authComponent.setTransactionService(transactionService);
authComponent.setNodeService(nodeService); authComponent.setUserRegistrySynchronizer(userRegistrySynchronizer);
authComponent.setPersonService(personService); authComponent.setNodeService(nodeService);
authComponent.setPersonService(personService);
jitProvisioning = mock(IdentityServiceJITProvisioningHandler.class);
mockIdentityServiceFacade = mock(IdentityServiceFacade.class); jitProvisioning = mock(IdentityServiceJITProvisioningHandler.class);
authComponent.setJitProvisioningHandler(jitProvisioning); mockIdentityServiceFacade = mock(IdentityServiceFacade.class);
authComponent.setIdentityServiceFacade(mockIdentityServiceFacade); authComponent.setJitProvisioningHandler(jitProvisioning);
} authComponent.setIdentityServiceFacade(mockIdentityServiceFacade);
}
@After
public void tearDown() @After
{ public void tearDown()
authenticationContext.clearCurrentSecurityContext(); {
} authenticationContext.clearCurrentSecurityContext();
}
@Test (expected=AuthenticationException.class)
public void testAuthenticationFail() @Test(expected = AuthenticationException.class)
{ public void testAuthenticationFail()
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password"); {
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password");
doThrow(new AuthorizationException("Failed")).when(mockIdentityServiceFacade).authorize(grant);
doThrow(new AuthorizationException("Failed")).when(mockIdentityServiceFacade).authorize(grant);
authComponent.authenticateImpl("username", "password".toCharArray());
} authComponent.authenticateImpl("username", "password".toCharArray());
}
@Test(expected = AuthenticationException.class)
public void testAuthenticationFail_connectionException() @Test(expected = AuthenticationException.class)
{ public void testAuthenticationFail_connectionException()
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password"); {
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password");
doThrow(new AuthorizationException("Couldn't connect to server", new ConnectException("ConnectionRefused")))
.when(mockIdentityServiceFacade).authorize(grant); doThrow(new AuthorizationException("Couldn't connect to server", new ConnectException("ConnectionRefused")))
.when(mockIdentityServiceFacade).authorize(grant);
try
{ try
authComponent.authenticateImpl("username", "password".toCharArray()); {
} authComponent.authenticateImpl("username", "password".toCharArray());
catch (RuntimeException ex) }
{ catch (RuntimeException ex)
Throwable cause = ExceptionStackUtil.getCause(ex, ConnectException.class); {
assertNotNull(cause); Throwable cause = ExceptionStackUtil.getCause(ex, ConnectException.class);
throw ex; assertNotNull(cause);
} throw ex;
} }
}
@Test (expected=AuthenticationException.class)
public void testAuthenticationFail_otherException() @Test(expected = AuthenticationException.class)
{ public void testAuthenticationFail_otherException()
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password"); {
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password");
doThrow(new RuntimeException("Some other errors!"))
.when(mockIdentityServiceFacade) doThrow(new RuntimeException("Some other errors!"))
.authorize(grant); .when(mockIdentityServiceFacade)
.authorize(grant);
authComponent.authenticateImpl("username", "password".toCharArray());
} authComponent.authenticateImpl("username", "password".toCharArray());
}
@Test
public void testAuthenticationPass() @Test
{ public void testAuthenticationPass()
final AuthorizationGrant grant = AuthorizationGrant.password("username", "password"); {
AccessTokenAuthorization authorization = mock(AccessTokenAuthorization.class); final AuthorizationGrant grant = AuthorizationGrant.password("username", "password");
IdentityServiceFacade.AccessToken accessToken = mock(IdentityServiceFacade.AccessToken.class); AccessTokenAuthorization authorization = mock(AccessTokenAuthorization.class);
IdentityServiceFacade.AccessToken accessToken = mock(IdentityServiceFacade.AccessToken.class);
when(authorization.getAccessToken()).thenReturn(accessToken);
when(accessToken.getTokenValue()).thenReturn("JWT_TOKEN"); when(authorization.getAccessToken()).thenReturn(accessToken);
when(mockIdentityServiceFacade.authorize(grant)).thenReturn(authorization); when(accessToken.getTokenValue()).thenReturn("JWT_TOKEN");
when(jitProvisioning.extractUserInfoAndCreateUserIfNeeded("JWT_TOKEN")) when(mockIdentityServiceFacade.authorize(grant)).thenReturn(authorization);
.thenReturn(Optional.of(new OIDCUserInfo("username", "", "", ""))); when(jitProvisioning.extractUserInfoAndCreateUserIfNeeded("JWT_TOKEN"))
.thenReturn(Optional.of(new OIDCUserInfo("username", "", "", "")));
authComponent.authenticateImpl("username", "password".toCharArray());
authComponent.authenticateImpl("username", "password".toCharArray());
// Check that the authenticated user has been set
assertEquals("User has not been set as expected.","username", authenticationContext.getCurrentUserName()); // Check that the authenticated user has been set
} assertEquals("User has not been set as expected.", "username", authenticationContext.getCurrentUserName());
}
@Test (expected= AuthenticationException.class)
public void testFallthroughWhenIdentityServiceFacadeIsNull() @Test(expected = AuthenticationException.class)
{ public void testFallthroughWhenIdentityServiceFacadeIsNull()
authComponent.setIdentityServiceFacade(null); {
authComponent.authenticateImpl("username", "password".toCharArray()); authComponent.setIdentityServiceFacade(null);
} authComponent.authenticateImpl("username", "password".toCharArray());
}
@Test
public void testSettingAllowGuestUser() @Test
{ public void testSettingAllowGuestUser()
authComponent.setAllowGuestLogin(true); {
assertTrue(authComponent.guestUserAuthenticationAllowed()); authComponent.setAllowGuestLogin(true);
assertTrue(authComponent.guestUserAuthenticationAllowed());
authComponent.setAllowGuestLogin(false);
assertFalse(authComponent.guestUserAuthenticationAllowed()); authComponent.setAllowGuestLogin(false);
} assertFalse(authComponent.guestUserAuthenticationAllowed());
} }
}

65
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandlerTest.java
View File

@@ -25,29 +25,29 @@
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import static org.mockito.Mockito.atLeast; import static org.mockito.Mockito.*;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import java.util.Optional; import java.util.Optional;
import com.nimbusds.openid.connect.sdk.claims.PersonClaims; import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.alfresco.model.ContentModel; import org.alfresco.model.ContentModel;
import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory; import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager; import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback; import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.PersonService; import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService; import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.BaseSpringTest; import org.alfresco.util.BaseSpringTest;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@SuppressWarnings("PMD.AvoidAccessibilityAlteration") @SuppressWarnings("PMD.AvoidAccessibilityAlteration")
public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
@@ -61,12 +61,12 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
private IdentityServiceJITProvisioningHandler jitProvisioningHandler; private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
private final boolean isAuth0Enabled = Optional.ofNullable(System.getProperty("auth0.enabled")) private final boolean isAuth0Enabled = Optional.ofNullable(System.getProperty("auth0.enabled"))
.map(Boolean::valueOf) .map(Boolean::valueOf)
.orElse(false); .orElse(false);
private final String userPassword = Optional.ofNullable(System.getProperty("admin.password")) private final String userPassword = Optional.ofNullable(System.getProperty("admin.password"))
.filter(password -> isAuth0Enabled) .filter(password -> isAuth0Enabled)
.orElse("password"); .orElse("password");
@Before @Before
public void setup() public void setup()
@@ -75,16 +75,16 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
nodeService = (NodeService) applicationContext.getBean("nodeService"); nodeService = (NodeService) applicationContext.getBean("nodeService");
transactionService = (TransactionService) applicationContext.getBean("transactionService"); transactionService = (TransactionService) applicationContext.getBean("transactionService");
DefaultChildApplicationContextManager childApplicationContextManager = (DefaultChildApplicationContextManager) applicationContext DefaultChildApplicationContextManager childApplicationContextManager = (DefaultChildApplicationContextManager) applicationContext
.getBean("Authentication"); .getBean("Authentication");
ChildApplicationContextFactory childApplicationContextFactory = childApplicationContextManager.getChildApplicationContextFactory( ChildApplicationContextFactory childApplicationContextFactory = childApplicationContextManager.getChildApplicationContextFactory(
"identity-service1"); "identity-service1");
identityServiceFacade = (IdentityServiceFacade) childApplicationContextFactory.getApplicationContext() identityServiceFacade = (IdentityServiceFacade) childApplicationContextFactory.getApplicationContext()
.getBean("identityServiceFacade"); .getBean("identityServiceFacade");
jitProvisioningHandler = (IdentityServiceJITProvisioningHandler) childApplicationContextFactory.getApplicationContext() jitProvisioningHandler = (IdentityServiceJITProvisioningHandler) childApplicationContextFactory.getApplicationContext()
.getBean("jitProvisioningHandler"); .getBean("jitProvisioningHandler");
IdentityServiceConfig identityServiceConfig = (IdentityServiceConfig) childApplicationContextFactory.getApplicationContext() IdentityServiceConfig identityServiceConfig = (IdentityServiceConfig) childApplicationContextFactory.getApplicationContext()
.getBean("identityServiceConfig"); .getBean("identityServiceConfig");
identityServiceConfig.setAllowAnyHostname(true); identityServiceConfig.setAllowAnyHostname(true);
identityServiceConfig.setClientKeystore(null); identityServiceConfig.setClientKeystore(null);
identityServiceConfig.setDisableTrustManager(true); identityServiceConfig.setDisableTrustManager(true);
@@ -95,12 +95,11 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
{ {
assertFalse(personService.personExists(IDS_USERNAME)); assertFalse(personService.personExists(IDS_USERNAME));
IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
identityServiceFacade.authorize(
IdentityServiceFacade.AuthorizationGrant.password(IDS_USERNAME, userPassword)); IdentityServiceFacade.AuthorizationGrant.password(IDS_USERNAME, userPassword));
Optional<OIDCUserInfo> userInfoOptional = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> userInfoOptional = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
accessTokenAuthorization.getAccessToken().getTokenValue()); accessTokenAuthorization.getAccessToken().getTokenValue());
NodeRef person = personService.getPerson(IDS_USERNAME); NodeRef person = personService.getPerson(IDS_USERNAME);
@@ -125,23 +124,26 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
assertFalse(personService.personExists(IDS_USERNAME)); assertFalse(personService.personExists(IDS_USERNAME));
String principalAttribute = isAuth0Enabled ? PersonClaims.NICKNAME_CLAIM_NAME : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME; String principalAttribute = isAuth0Enabled ? PersonClaims.NICKNAME_CLAIM_NAME : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
identityServiceFacade.authorize(
IdentityServiceFacade.AuthorizationGrant.password(IDS_USERNAME, userPassword)); IdentityServiceFacade.AuthorizationGrant.password(IDS_USERNAME, userPassword));
UserInfoAttrMapping userInfoAttrMapping = new UserInfoAttrMapping(principalAttribute, "given_name", "family_name", "email");
String accessToken = accessTokenAuthorization.getAccessToken().getTokenValue(); String accessToken = accessTokenAuthorization.getAccessToken().getTokenValue();
ClientRegistration clientRegistration = mock(ClientRegistration.class, RETURNS_DEEP_STUBS);
when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(principalAttribute);
IdentityServiceFacade idsServiceFacadeMock = mock(IdentityServiceFacade.class); IdentityServiceFacade idsServiceFacadeMock = mock(IdentityServiceFacade.class);
when(idsServiceFacadeMock.decodeToken(accessToken)).thenReturn(null); when(idsServiceFacadeMock.decodeToken(accessToken)).thenReturn(null);
when(idsServiceFacadeMock.getUserInfo(accessToken, principalAttribute)).thenReturn(identityServiceFacade.getUserInfo(accessToken, principalAttribute)); when(idsServiceFacadeMock.getUserInfo(accessToken, userInfoAttrMapping)).thenReturn(identityServiceFacade.getUserInfo(accessToken, userInfoAttrMapping));
when(idsServiceFacadeMock.getClientRegistration()).thenReturn(clientRegistration);
// Replace the original facade with a mocked one to prevent user information from being extracted from the access token. // Replace the original facade with a mocked one to prevent user information from being extracted from the access token.
Field declaredField = jitProvisioningHandler.getClass() Field declaredField = jitProvisioningHandler.getClass()
.getDeclaredField("identityServiceFacade"); .getDeclaredField("identityServiceFacade");
declaredField.setAccessible(true); declaredField.setAccessible(true);
declaredField.set(jitProvisioningHandler, idsServiceFacadeMock); declaredField.set(jitProvisioningHandler, idsServiceFacadeMock);
Optional<OIDCUserInfo> userInfoOptional = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> userInfoOptional = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
accessToken); accessToken);
declaredField.set(jitProvisioningHandler, identityServiceFacade); declaredField.set(jitProvisioningHandler, identityServiceFacade);
@@ -153,7 +155,7 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
assertEquals("johndoe123@alfresco.com", userInfoOptional.get().email()); assertEquals("johndoe123@alfresco.com", userInfoOptional.get().email());
assertEquals("johndoe123@alfresco.com", nodeService.getProperty(person, ContentModel.PROP_EMAIL)); assertEquals("johndoe123@alfresco.com", nodeService.getProperty(person, ContentModel.PROP_EMAIL));
verify(idsServiceFacadeMock).decodeToken(accessToken); verify(idsServiceFacadeMock).decodeToken(accessToken);
verify(idsServiceFacadeMock, atLeast(1)).getUserInfo(accessToken, principalAttribute); verify(idsServiceFacadeMock, atLeast(1)).getUserInfo(accessToken, userInfoAttrMapping);
if (!isAuth0Enabled) if (!isAuth0Enabled)
{ {
assertEquals("John", userInfoOptional.get().firstName()); assertEquals("John", userInfoOptional.get().firstName());
@@ -166,18 +168,17 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
@After @After
public void tearDown() public void tearDown()
{ {
AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() {
{
@Override @Override
public Void doWork() throws Exception public Void doWork() throws Exception
{ {
transactionService.getRetryingTransactionHelper() transactionService.getRetryingTransactionHelper()
.doInTransaction((RetryingTransactionCallback<Void>) () -> { .doInTransaction((RetryingTransactionCallback<Void>) () -> {
personService.deletePerson(IDS_USERNAME); personService.deletePerson(IDS_USERNAME);
return null; return null;
}); });
return null; return null;
} }
}); });
} }
} }

157
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandlerUnitTest.java
View File

@@ -38,12 +38,17 @@ import static org.mockito.MockitoAnnotations.initMocks;
import java.util.Optional; import java.util.Optional;
import com.nimbusds.openid.connect.sdk.claims.PersonClaims; import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.Answers;
import org.mockito.Mock; import org.mockito.Mock;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
public class IdentityServiceJITProvisioningHandlerUnitTest public class IdentityServiceJITProvisioningHandlerUnitTest
{ {
@@ -51,6 +56,9 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
@Mock @Mock
private IdentityServiceFacade identityServiceFacade; private IdentityServiceFacade identityServiceFacade;
@Mock(answer = Answers.RETURNS_DEEP_STUBS)
private ClientRegistration clientRegistration;
@Mock @Mock
private PersonService personService; private PersonService personService;
@@ -64,11 +72,22 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
private IdentityServiceConfig identityServiceConfig; private IdentityServiceConfig identityServiceConfig;
@Mock @Mock
private OIDCUserInfo userInfo; private DecodedTokenUser decodedTokenUser;
private IdentityServiceJITProvisioningHandler jitProvisioningHandler; private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
private UserInfoAttrMapping expectedMapping;
private static final String JWT_TOKEN = "myToken"; private static final String JWT_TOKEN = "myToken";
private static final String USERNAME = "johny123";
private static final String FIRST_NAME = "John";
private static final String LAST_NAME = "Doe";
private static final String EMAIL = "johny123@email.com";
public static final String USERNAME_CLAIM = "nickname";
public static final String EMAIL_CLAIM = "email";
public static final String FIRST_NAME_CLAIM = "given_name";
public static final String LAST_NAME_CLAIM = "family_name";
@Before @Before
public void setup() public void setup()
@@ -78,149 +97,147 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
when(transactionService.isReadOnly()).thenReturn(false); when(transactionService.isReadOnly()).thenReturn(false);
when(identityServiceFacade.decodeToken(JWT_TOKEN)).thenReturn(decodedAccessToken); when(identityServiceFacade.decodeToken(JWT_TOKEN)).thenReturn(decodedAccessToken);
when(personService.createMissingPeople()).thenReturn(true); when(personService.createMissingPeople()).thenReturn(true);
jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, when(identityServiceFacade.getClientRegistration()).thenReturn(clientRegistration);
personService, transactionService, identityServiceConfig); when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(USERNAME_CLAIM);
when(identityServiceConfig.getEmailAttribute()).thenReturn(EMAIL_CLAIM);
when(identityServiceConfig.getFirstNameAttribute()).thenReturn(FIRST_NAME_CLAIM);
when(identityServiceConfig.getLastNameAttribute()).thenReturn(LAST_NAME_CLAIM);
expectedMapping = new UserInfoAttrMapping(USERNAME_CLAIM, FIRST_NAME_CLAIM, LAST_NAME_CLAIM, EMAIL_CLAIM);
jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, personService, transactionService, identityServiceConfig);
} }
@Test @Test
public void shouldExtractUserInfoForExistingUser() public void shouldExtractUserInfoForExistingUser()
{ {
when(personService.personExists("johny123")).thenReturn(true); when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("johny123"); when(personService.personExists(USERNAME)).thenReturn(true);
when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(USERNAME);
jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, personService, transactionService, identityServiceConfig);
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertTrue(result.isPresent()); assertTrue(result.isPresent());
assertEquals("johny123", result.get().username()); assertEquals(USERNAME, result.get().username());
assertFalse(result.get().allFieldsNotEmpty()); assertFalse(result.get().allFieldsNotEmpty());
verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
public void shouldExtractUserInfoForExistingUserWithProviderPrincipalAttribute() public void shouldExtractUserInfoForExistingUserWithProviderPrincipalAttribute()
{ {
when(identityServiceConfig.getPrincipalAttribute()).thenReturn("nickname"); when(identityServiceConfig.getPrincipalAttribute()).thenReturn(USERNAME_CLAIM);
when(personService.personExists("johny123")).thenReturn(true); when(personService.personExists(USERNAME)).thenReturn(true);
when(decodedAccessToken.getClaim("nickname")).thenReturn("johny123"); when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn(USERNAME);
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertTrue(result.isPresent()); assertTrue(result.isPresent());
assertEquals("johny123", result.get().username()); assertEquals(USERNAME, result.get().username());
assertFalse(result.get().allFieldsNotEmpty()); assertFalse(result.get().allFieldsNotEmpty());
verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, "nickname"); verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
public void shouldExtractUserInfoFromAccessTokenAndCreateUser() public void shouldExtractUserInfoFromAccessTokenAndCreateUser()
{ {
when(personService.personExists("johny123")).thenReturn(false); when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
when(personService.personExists(USERNAME)).thenReturn(false);
when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("johny123"); when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(USERNAME);
when(decodedAccessToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME)).thenReturn("John"); when(decodedAccessToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME)).thenReturn(FIRST_NAME);
when(decodedAccessToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME)).thenReturn("Doe"); when(decodedAccessToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME)).thenReturn(LAST_NAME);
when(decodedAccessToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME)).thenReturn("johny123@email.com"); when(decodedAccessToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME)).thenReturn(EMAIL);
jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, personService, transactionService, identityServiceConfig);
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertTrue(result.isPresent()); assertTrue(result.isPresent());
assertEquals("johny123", result.get().username()); assertEquals(USERNAME, result.get().username());
assertEquals("John", result.get().firstName()); assertEquals(FIRST_NAME, result.get().firstName());
assertEquals("Doe", result.get().lastName()); assertEquals(LAST_NAME, result.get().lastName());
assertEquals("johny123@email.com", result.get().email()); assertEquals(EMAIL, result.get().email());
assertTrue(result.get().allFieldsNotEmpty()); assertTrue(result.get().allFieldsNotEmpty());
verify(personService).createPerson(any()); verify(personService).createPerson(any());
verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
public void shouldExtractUserInfoFromUserInfoEndpointAndCreateUser() public void shouldExtractUserInfoFromUserInfoEndpointAndCreateUser()
{ {
when(userInfo.username()).thenReturn("johny123"); when(decodedTokenUser.username()).thenReturn(USERNAME);
when(userInfo.firstName()).thenReturn("John"); when(decodedTokenUser.firstName()).thenReturn(FIRST_NAME);
when(userInfo.lastName()).thenReturn("Doe"); when(decodedTokenUser.lastName()).thenReturn(LAST_NAME);
when(userInfo.email()).thenReturn("johny123@email.com"); when(decodedTokenUser.email()).thenReturn(EMAIL);
when(personService.personExists(USERNAME)).thenReturn(false);
when(personService.personExists("johny123")).thenReturn(false); when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(USERNAME);
when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(decodedTokenUser));
when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("johny123");
when(identityServiceFacade.getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(Optional.of(userInfo));
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertTrue(result.isPresent()); assertTrue(result.isPresent());
assertEquals("johny123", result.get().username()); assertEquals(USERNAME, result.get().username());
assertEquals("John", result.get().firstName()); assertEquals(FIRST_NAME, result.get().firstName());
assertEquals("Doe", result.get().lastName()); assertEquals(LAST_NAME, result.get().lastName());
assertEquals("johny123@email.com", result.get().email()); assertEquals(EMAIL, result.get().email());
assertTrue(result.get().allFieldsNotEmpty()); assertTrue(result.get().allFieldsNotEmpty());
verify(personService).createPerson(any()); verify(personService).createPerson(any());
verify(identityServiceFacade).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
public void shouldReturnEmptyOptionalIfUsernameNotExtracted() public void shouldReturnEmptyOptionalIfUsernameNotExtracted()
{ {
when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(decodedTokenUser));
when(identityServiceFacade.getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(Optional.of(userInfo));
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertFalse(result.isPresent()); assertFalse(result.isPresent());
verify(personService, never()).createPerson(any()); verify(personService, never()).createPerson(any());
verify(identityServiceFacade).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
public void shouldCallUserInfoEndpointToGetUsername() public void shouldCallUserInfoEndpointToGetUsername()
{ {
when(personService.personExists("johny123")).thenReturn(true); when(personService.personExists(USERNAME)).thenReturn(true);
when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(""); when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("");
when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(DecodedTokenUser.validateAndCreate(USERNAME, null, null, null)));
when(userInfo.username()).thenReturn("johny123");
when(identityServiceFacade.getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(Optional.of(userInfo));
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertTrue(result.isPresent()); assertTrue(result.isPresent());
assertEquals("johny123", result.get().username()); assertEquals(USERNAME, result.get().username());
assertEquals("", result.get().firstName()); assertEquals("", result.get().firstName());
assertEquals("", result.get().lastName()); assertEquals("", result.get().lastName());
assertEquals("", result.get().email()); assertEquals("", result.get().email());
assertFalse(result.get().allFieldsNotEmpty()); assertFalse(result.get().allFieldsNotEmpty());
verify(personService, never()).createPerson(any()); verify(personService, never()).createPerson(any());
verify(identityServiceFacade).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
public void shouldCallUserInfoEndpointToGetUsernameWithProvidedPrincipalAttribute() public void shouldCallUserInfoEndpointToGetUsernameWithProvidedPrincipalAttribute()
{ {
when(identityServiceConfig.getPrincipalAttribute()).thenReturn("nickname"); when(identityServiceConfig.getPrincipalAttribute()).thenReturn(USERNAME_CLAIM);
when(personService.personExists("johny123")).thenReturn(true); when(personService.personExists(USERNAME)).thenReturn(true);
when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn("");
when(decodedAccessToken.getClaim("nickname")).thenReturn(""); when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(DecodedTokenUser.validateAndCreate(USERNAME, null, null, null)));
when(userInfo.username()).thenReturn("johny123");
when(identityServiceFacade.getUserInfo(JWT_TOKEN, "nickname")).thenReturn(Optional.of(userInfo));
Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded( Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
JWT_TOKEN); JWT_TOKEN);
assertTrue(result.isPresent()); assertTrue(result.isPresent());
assertEquals("johny123", result.get().username()); assertEquals(USERNAME, result.get().username());
assertEquals("", result.get().firstName()); assertEquals("", result.get().firstName());
assertEquals("", result.get().lastName()); assertEquals("", result.get().lastName());
assertEquals("", result.get().email()); assertEquals("", result.get().email());
assertFalse(result.get().allFieldsNotEmpty()); assertFalse(result.get().allFieldsNotEmpty());
verify(personService, never()).createPerson(any()); verify(personService, never()).createPerson(any());
verify(identityServiceFacade).getUserInfo(JWT_TOKEN, "nickname"); verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
} }
@Test @Test
@@ -232,8 +249,8 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
verify(personService, never()).createPerson(any()); verify(personService, never()).createPerson(any());
verify(identityServiceFacade, never()).decodeToken(null); verify(identityServiceFacade, never()).decodeToken(null);
verify(identityServiceFacade, never()).decodeToken(""); verify(identityServiceFacade, never()).decodeToken("");
verify(identityServiceFacade, never()).getUserInfo(null, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade, never()).getUserInfo(null, expectedMapping);
verify(identityServiceFacade, never()).getUserInfo("", PersonClaims.PREFERRED_USERNAME_CLAIM_NAME); verify(identityServiceFacade, never()).getUserInfo(null, expectedMapping);
} }
} }

29
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapperTest.java
View File

@@ -34,17 +34,18 @@ import java.time.Instant;
import java.util.Map; import java.util.Map;
import java.util.Vector; import java.util.Vector;
import java.util.function.Supplier; import java.util.function.Supplier;
import jakarta.servlet.http.HttpServletRequest;
import com.nimbusds.openid.connect.sdk.claims.PersonClaims; import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
import jakarta.servlet.http.HttpServletRequest;
import junit.framework.TestCase; import junit.framework.TestCase;
import org.mockito.Mockito;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.DecodedAccessToken; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.DecodedAccessToken;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException;
import org.alfresco.service.cmr.security.PersonService; import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService; import org.alfresco.service.transaction.TransactionService;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
/** /**
* Tests the Identity Service based authentication subsystem. * Tests the Identity Service based authentication subsystem.
@@ -68,7 +69,9 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
public void testWrongTokenWithSilentValidation() public void testWrongTokenWithSilentValidation()
{ {
final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {throw new TokenDecodingException("Expected ");})); final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {
throw new TokenDecodingException("Expected ");
}));
mapper.setValidationFailureSilent(true); mapper.setValidationFailureSilent(true);
HttpServletRequest mockRequest = createMockTokenRequest("WrOnG-ToKeN"); HttpServletRequest mockRequest = createMockTokenRequest("WrOnG-ToKeN");
@@ -79,7 +82,9 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
public void testWrongTokenWithoutSilentValidation() public void testWrongTokenWithoutSilentValidation()
{ {
final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {throw new TokenDecodingException("Expected");})); final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {
throw new TokenDecodingException("Expected");
}));
mapper.setValidationFailureSilent(false); mapper.setValidationFailureSilent(false);
HttpServletRequest mockRequest = createMockTokenRequest("WrOnG-ToKeN"); HttpServletRequest mockRequest = createMockTokenRequest("WrOnG-ToKeN");
@@ -92,12 +97,14 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
private IdentityServiceRemoteUserMapper givenMapper(Map<String, Supplier<String>> tokenToUser) private IdentityServiceRemoteUserMapper givenMapper(Map<String, Supplier<String>> tokenToUser)
{ {
final TransactionService transactionService = mock(TransactionService.class); final TransactionService transactionService = mock(TransactionService.class);
final IdentityServiceFacade facade = mock(IdentityServiceFacade.class); final IdentityServiceFacade facade = mock(IdentityServiceFacade.class, Mockito.RETURNS_DEEP_STUBS);
final PersonService personService = mock(PersonService.class); final PersonService personService = mock(PersonService.class);
final IdentityServiceConfig identityServiceConfig = mock(IdentityServiceConfig.class); final IdentityServiceConfig identityServiceConfig = mock(IdentityServiceConfig.class);
when(transactionService.isReadOnly()).thenReturn(true); when(transactionService.isReadOnly()).thenReturn(true);
when(facade.decodeToken(anyString())) when(facade.decodeToken(anyString()))
.thenAnswer(i -> new TestDecodedToken(tokenToUser.get(i.getArgument(0, String.class)))); .thenAnswer(i -> new TestDecodedToken(tokenToUser.get(i.getArgument(0, String.class))));
when(facade.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName())
.thenReturn(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
when(personService.getUserIdentifier(anyString())).thenAnswer(i -> i.getArgument(0, String.class)); when(personService.getUserIdentifier(anyString())).thenAnswer(i -> i.getArgument(0, String.class));
@@ -108,21 +115,21 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
mapper.setActive(true); mapper.setActive(true);
mapper.setBearerTokenResolver(new DefaultBearerTokenResolver()); mapper.setBearerTokenResolver(new DefaultBearerTokenResolver());
return mapper; return mapper;
} }
/** /**
* Utility method for creating a mocked Servlet request with a token. * Utility method for creating a mocked Servlet request with a token.
* *
* @param token The token to add to the Authorization header * @param token
* The token to add to the Authorization header
* @return The mocked request object * @return The mocked request object
*/ */
private HttpServletRequest createMockTokenRequest(String token) private HttpServletRequest createMockTokenRequest(String token)
{ {
// Mock a request with the token in the Authorization header (if supplied) // Mock a request with the token in the Authorization header (if supplied)
HttpServletRequest mockRequest = mock(HttpServletRequest.class); HttpServletRequest mockRequest = mock(HttpServletRequest.class);
Vector<String> authHeaderValues = new Vector<>(1); Vector<String> authHeaderValues = new Vector<>(1);
if (token != null) if (token != null)
{ {
@@ -133,7 +140,7 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
.thenReturn(authHeaderValues.elements()); .thenReturn(authHeaderValues.elements());
when(mockRequest.getHeader(AUTHORIZATION_HEADER)) when(mockRequest.getHeader(AUTHORIZATION_HEADER))
.thenReturn(authHeaderValues.isEmpty() ? null : authHeaderValues.get(0)); .thenReturn(authHeaderValues.isEmpty() ? null : authHeaderValues.get(0));
return mockRequest; return mockRequest;
} }
@@ -166,4 +173,4 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
return PersonClaims.PREFERRED_USERNAME_CLAIM_NAME.equals(claim) ? usernameSupplier.get() : null; return PersonClaims.PREFERRED_USERNAME_CLAIM_NAME.equals(claim) ? usernameSupplier.get() : null;
} }
} }
} }

197
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacadeUnitTest.java
View File

@@ -1,98 +1,99 @@
/* /*
* #%L * #%L
* Alfresco Repository * Alfresco Repository
* %% * %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited * Copyright (C) 2005 - 2025 Alfresco Software Limited
* %% * %%
* This file is part of the Alfresco software. * This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of * If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is * the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms: * provided under the following open source license terms:
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L% * #L%
*/ */
package org.alfresco.repo.security.authentication.identityservice; package org.alfresco.repo.security.authentication.identityservice;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException; import org.junit.Test;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant; import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException; import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.junit.Test; import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.web.client.RestOperations;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.jwt.JwtDecoder; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.springframework.web.client.RestOperations; import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException;
public class SpringBasedIdentityServiceFacadeUnitTest import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
{
private static final String USER_NAME = "user"; public class SpringBasedIdentityServiceFacadeUnitTest
private static final String PASSWORD = "password"; {
private static final String TOKEN = "tEsT-tOkEn"; private static final String USER_NAME = "user";
private static final String PASSWORD = "password";
@Test private static final String TOKEN = "tEsT-tOkEn";
public void shouldThrowVerificationExceptionOnFailure() private static final UserInfoAttrMapping USER_INFO_ATTR_MAPPING = new UserInfoAttrMapping("preferred_username", "given_name", "family_name", "email");
{
final RestOperations restOperations = mock(RestOperations.class); @Test
final JwtDecoder jwtDecoder = mock(JwtDecoder.class); public void shouldThrowVerificationExceptionOnFailure()
when(restOperations.exchange(any(), any(Class.class))).thenThrow(new RuntimeException("Expected")); {
final RestOperations restOperations = mock(RestOperations.class);
final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder); final JwtDecoder jwtDecoder = mock(JwtDecoder.class);
when(restOperations.exchange(any(), any(Class.class))).thenThrow(new RuntimeException("Expected"));
assertThatExceptionOfType(AuthorizationException.class)
.isThrownBy(() -> facade.authorize(AuthorizationGrant.password(USER_NAME, PASSWORD))) final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder);
.havingCause().withNoCause().withMessage("Expected");
} assertThatExceptionOfType(AuthorizationException.class)
.isThrownBy(() -> facade.authorize(AuthorizationGrant.password(USER_NAME, PASSWORD)))
@Test .havingCause().withNoCause().withMessage("Expected");
public void shouldThrowTokenExceptionOnFailure() }
{
final RestOperations restOperations = mock(RestOperations.class); @Test
final JwtDecoder jwtDecoder = mock(JwtDecoder.class); public void shouldThrowTokenExceptionOnFailure()
when(jwtDecoder.decode(TOKEN)).thenThrow(new RuntimeException("Expected")); {
final RestOperations restOperations = mock(RestOperations.class);
final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder); final JwtDecoder jwtDecoder = mock(JwtDecoder.class);
when(jwtDecoder.decode(TOKEN)).thenThrow(new RuntimeException("Expected"));
assertThatExceptionOfType(TokenDecodingException.class)
.isThrownBy(() -> facade.decodeToken(TOKEN)) final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder);
.havingCause().withNoCause().withMessage("Expected");
} assertThatExceptionOfType(TokenDecodingException.class)
.isThrownBy(() -> facade.decodeToken(TOKEN))
.havingCause().withNoCause().withMessage("Expected");
@Test }
public void shouldReturnEmptyOptionalOnFailure()
{ @Test
final RestOperations restOperations = mock(RestOperations.class); public void shouldReturnEmptyOptionalOnFailure()
final JwtDecoder jwtDecoder = mock(JwtDecoder.class); {
final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder); final RestOperations restOperations = mock(RestOperations.class);
final JwtDecoder jwtDecoder = mock(JwtDecoder.class);
final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder);
assertThat(facade.getUserInfo(TOKEN, "preferred_username").isEmpty()).isTrue();
} assertThat(facade.getUserInfo(TOKEN, USER_INFO_ATTR_MAPPING).isEmpty()).isTrue();
}
private ClientRegistration testRegistration()
{ private ClientRegistration testRegistration()
return ClientRegistration.withRegistrationId("test") {
.tokenUri("http://localhost") return ClientRegistration.withRegistrationId("test")
.clientId("test") .tokenUri("http://localhost")
.userInfoUri("http://localhost/userinfo") .clientId("test")
.authorizationGrantType(AuthorizationGrantType.PASSWORD) .userInfoUri("http://localhost/userinfo")
.build(); .authorizationGrantType(AuthorizationGrantType.PASSWORD)
} .build();
} }
}

39
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticatorUnitTest.java
View File

@@ -38,18 +38,11 @@ import java.io.IOException;
import java.time.Instant; import java.time.Instant;
import java.util.Arrays; import java.util.Arrays;
import java.util.Map; import java.util.Map;
import java.util.Set;
import com.nimbusds.oauth2.sdk.Scope;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceConfig; import com.nimbusds.oauth2.sdk.Scope;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessToken;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.ArgumentCaptor; import org.mockito.ArgumentCaptor;
@@ -58,6 +51,14 @@ import org.mockito.Mock;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails; import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceConfig;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessToken;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
@SuppressWarnings("PMD.AvoidStringBufferField") @SuppressWarnings("PMD.AvoidStringBufferField")
public class IdentityServiceAdminConsoleAuthenticatorUnitTest public class IdentityServiceAdminConsoleAuthenticatorUnitTest
{ {
@@ -118,7 +119,7 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
{ {
when(cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, request)).thenReturn("JWT_TOKEN"); when(cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, request)).thenReturn("JWT_TOKEN");
when(cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, request)).thenReturn( when(cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, request)).thenReturn(
String.valueOf(Instant.now().plusSeconds(60).toEpochMilli())); String.valueOf(Instant.now().plusSeconds(60).toEpochMilli()));
when(remoteUserMapper.getRemoteUser(requestCaptor.capture())).thenReturn("admin"); when(remoteUserMapper.getRemoteUser(requestCaptor.capture())).thenReturn("admin");
String username = authenticator.getAdminConsoleUser(request, response); String username = authenticator.getAdminConsoleUser(request, response);
@@ -134,7 +135,7 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
when(cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, request)).thenReturn("EXPIRED_JWT_TOKEN"); when(cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, request)).thenReturn("EXPIRED_JWT_TOKEN");
when(cookiesService.getCookie(ALFRESCO_REFRESH_TOKEN, request)).thenReturn("REFRESH_TOKEN"); when(cookiesService.getCookie(ALFRESCO_REFRESH_TOKEN, request)).thenReturn("REFRESH_TOKEN");
when(cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, request)).thenReturn( when(cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, request)).thenReturn(
String.valueOf(Instant.now().minusSeconds(60).toEpochMilli())); String.valueOf(Instant.now().minusSeconds(60).toEpochMilli()));
when(accessToken.getTokenValue()).thenReturn("REFRESHED_JWT_TOKEN"); when(accessToken.getTokenValue()).thenReturn("REFRESHED_JWT_TOKEN");
when(accessToken.getExpiresAt()).thenReturn(Instant.now().plusSeconds(60)); when(accessToken.getExpiresAt()).thenReturn(Instant.now().plusSeconds(60));
when(accessTokenAuthorization.getAccessToken()).thenReturn(accessToken); when(accessTokenAuthorization.getAccessToken()).thenReturn(accessToken);
@@ -155,10 +156,11 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
{ {
String redirectPath = "/alfresco/s/admin/admin-communitysummary"; String redirectPath = "/alfresco/s/admin/admin-communitysummary";
when(identityServiceConfig.getAdminConsoleScopes()).thenReturn(Set.of("openid", "email", "profile", "offline_access"));
when(identityServiceConfig.getAdminConsoleRedirectPath()).thenReturn("/alfresco/s/admin/admin-communitysummary"); when(identityServiceConfig.getAdminConsoleRedirectPath()).thenReturn("/alfresco/s/admin/admin-communitysummary");
ArgumentCaptor<String> authenticationRequest = ArgumentCaptor.forClass(String.class); ArgumentCaptor<String> authenticationRequest = ArgumentCaptor.forClass(String.class);
String expectedUri = "http://localhost:8999/auth?client_id=alfresco&redirect_uri=%s%s&response_type=code&scope=" String expectedUri = "http://localhost:8999/auth?client_id=alfresco&redirect_uri=%s%s&response_type=code&scope="
.formatted("http://localhost:8080", redirectPath); .formatted("http://localhost:8080", redirectPath);
authenticator.requestAuthentication(request, response); authenticator.requestAuthentication(request, response);
@@ -178,9 +180,10 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
String redirectPath = "/alfresco/s/admin/admin-communitysummary"; String redirectPath = "/alfresco/s/admin/admin-communitysummary";
when(identityServiceConfig.getAudience()).thenReturn(audience); when(identityServiceConfig.getAudience()).thenReturn(audience);
when(identityServiceConfig.getAdminConsoleRedirectPath()).thenReturn(redirectPath); when(identityServiceConfig.getAdminConsoleRedirectPath()).thenReturn(redirectPath);
when(identityServiceConfig.getAdminConsoleScopes()).thenReturn(Set.of("openid", "email", "profile", "offline_access"));
ArgumentCaptor<String> authenticationRequest = ArgumentCaptor.forClass(String.class); ArgumentCaptor<String> authenticationRequest = ArgumentCaptor.forClass(String.class);
String expectedUri = "http://localhost:8999/auth?client_id=alfresco&redirect_uri=%s%s&response_type=code&scope=" String expectedUri = "http://localhost:8999/auth?client_id=alfresco&redirect_uri=%s%s&response_type=code&scope="
.formatted("http://localhost:8080", redirectPath); .formatted("http://localhost:8080", redirectPath);
authenticator.requestAuthentication(request, response); authenticator.requestAuthentication(request, response);
@@ -200,7 +203,7 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
when(cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, request)).thenReturn("EXPIRED_JWT_TOKEN"); when(cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, request)).thenReturn("EXPIRED_JWT_TOKEN");
when(cookiesService.getCookie(ALFRESCO_REFRESH_TOKEN, request)).thenReturn("REFRESH_TOKEN"); when(cookiesService.getCookie(ALFRESCO_REFRESH_TOKEN, request)).thenReturn("REFRESH_TOKEN");
when(cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, request)).thenReturn( when(cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, request)).thenReturn(
String.valueOf(Instant.now().minusSeconds(60).toEpochMilli())); String.valueOf(Instant.now().minusSeconds(60).toEpochMilli()));
when(identityServiceFacade.authorize(any(AuthorizationGrant.class))).thenThrow(AuthorizationException.class); when(identityServiceFacade.authorize(any(AuthorizationGrant.class))).thenThrow(AuthorizationException.class);
@@ -221,8 +224,8 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
when(accessTokenAuthorization.getAccessToken()).thenReturn(accessToken); when(accessTokenAuthorization.getAccessToken()).thenReturn(accessToken);
when(accessTokenAuthorization.getRefreshTokenValue()).thenReturn("REFRESH_TOKEN"); when(accessTokenAuthorization.getRefreshTokenValue()).thenReturn("REFRESH_TOKEN");
when(identityServiceFacade.authorize( when(identityServiceFacade.authorize(
AuthorizationGrant.authorizationCode("auth_code", adminConsoleURL.toString()))) AuthorizationGrant.authorizationCode("auth_code", adminConsoleURL.toString())))
.thenReturn(accessTokenAuthorization); .thenReturn(accessTokenAuthorization);
when(remoteUserMapper.getRemoteUser(requestCaptor.capture())).thenReturn("admin"); when(remoteUserMapper.getRemoteUser(requestCaptor.capture())).thenReturn("admin");
String username = authenticator.getAdminConsoleUser(request, response); String username = authenticator.getAdminConsoleUser(request, response);
@@ -242,4 +245,4 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
assertEquals("admin", username); assertEquals("admin", username);
} }
} }

109
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapperUnitTest.java Normal file
View File

@@ -0,0 +1,109 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.identityservice.user;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
import java.util.Optional;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mock;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
public class AccessTokenToDecodedTokenUserMapperUnitTest
{
@Mock
private IdentityServiceFacade.DecodedAccessToken decodedAccessToken;
private AccessTokenToDecodedTokenUserMapper tokenToDecodedTokenUserMapper;
public static final String USERNAME_CLAIM = "nickname";
public static final String EMAIL_CLAIM = "email";
public static final String FIRST_NAME_CLAIM = "given_name";
public static final String LAST_NAME_CLAIM = "family_name";
@Before
public void setup()
{
initMocks(this);
UserInfoAttrMapping userInfoAttrMapping = new UserInfoAttrMapping(USERNAME_CLAIM, FIRST_NAME_CLAIM, LAST_NAME_CLAIM, EMAIL_CLAIM);
tokenToDecodedTokenUserMapper = new AccessTokenToDecodedTokenUserMapper(userInfoAttrMapping);
}
@Test
public void shouldMapToDecodedTokenUserWithAllFieldsPopulated()
{
when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn("johny123");
when(decodedAccessToken.getClaim(FIRST_NAME_CLAIM)).thenReturn("John");
when(decodedAccessToken.getClaim(LAST_NAME_CLAIM)).thenReturn("Doe");
when(decodedAccessToken.getClaim(EMAIL_CLAIM)).thenReturn("johny123@email.com");
Optional<DecodedTokenUser> result = tokenToDecodedTokenUserMapper.toDecodedTokenUser(decodedAccessToken);
assertTrue(result.isPresent());
assertEquals("johny123", result.get().username());
assertEquals("John", result.get().firstName());
assertEquals("Doe", result.get().lastName());
assertEquals("johny123@email.com", result.get().email());
}
@Test
public void shouldMapToDecodedTokenUserWithSomeFieldsEmpty()
{
when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn("johny123");
when(decodedAccessToken.getClaim(FIRST_NAME_CLAIM)).thenReturn("");
when(decodedAccessToken.getClaim(LAST_NAME_CLAIM)).thenReturn("Doe");
when(decodedAccessToken.getClaim(EMAIL_CLAIM)).thenReturn("");
Optional<DecodedTokenUser> result = tokenToDecodedTokenUserMapper.toDecodedTokenUser(decodedAccessToken);
assertTrue(result.isPresent());
assertEquals("johny123", result.get().username());
assertEquals("", result.get().firstName());
assertEquals("Doe", result.get().lastName());
assertEquals("", result.get().email());
}
@Test
public void shouldReturnEmptyOptionalForNullUsername()
{
when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn(null);
when(decodedAccessToken.getClaim(FIRST_NAME_CLAIM)).thenReturn("John");
when(decodedAccessToken.getClaim(LAST_NAME_CLAIM)).thenReturn("Doe");
when(decodedAccessToken.getClaim(EMAIL_CLAIM)).thenReturn("johny123@email.com");
Optional<DecodedTokenUser> result = tokenToDecodedTokenUserMapper.toDecodedTokenUser(decodedAccessToken);
assertFalse(result.isPresent());
}
}

95
repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapperUnitTest.java Normal file
View File

@@ -0,0 +1,95 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2025 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.identityservice.user;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.alfresco.service.cmr.security.PersonService;
public class TokenUserToOIDCUserMapperUnitTest
{
@Mock
private PersonService personService;
@InjectMocks
private TokenUserToOIDCUserMapper tokenUserToOIDCUserMapper;
@Before
public void setup()
{
initMocks(this);
}
@Test
public void shouldMapToOIDCUserWithAllFieldsPopulated()
{
DecodedTokenUser decodedTokenUser = new DecodedTokenUser("JOHNY123", "John", "Doe", "johny123@email.com");
when(personService.getUserIdentifier("JOHNY123")).thenReturn("johny123");
OIDCUserInfo oidcUserInfo = tokenUserToOIDCUserMapper.toOIDCUser(decodedTokenUser);
assertEquals("johny123", oidcUserInfo.username());
assertEquals("John", oidcUserInfo.firstName());
assertEquals("Doe", oidcUserInfo.lastName());
assertEquals("johny123@email.com", oidcUserInfo.email());
}
@Test
public void shouldMapToOIDCUserWithSomeFieldsEmpty()
{
DecodedTokenUser decodedTokenUser = new DecodedTokenUser("johny123", "", "Doe", "");
when(personService.getUserIdentifier("johny123")).thenReturn("johny123");
OIDCUserInfo oidcUserInfo = tokenUserToOIDCUserMapper.toOIDCUser(decodedTokenUser);
assertEquals("johny123", oidcUserInfo.username());
assertEquals("", oidcUserInfo.firstName());
assertEquals("Doe", oidcUserInfo.lastName());
assertEquals("", oidcUserInfo.email());
}
@Test
public void shouldReturnNullForNullUsername()
{
DecodedTokenUser decodedTokenUser = new DecodedTokenUser(null, "John", "Doe", "johny123@email.com");
OIDCUserInfo oidcUserInfo = tokenUserToOIDCUserMapper.toOIDCUser(decodedTokenUser);
assertNull(oidcUserInfo.username());
assertEquals("John", oidcUserInfo.firstName());
assertEquals("Doe", oidcUserInfo.lastName());
assertEquals("johny123@email.com", oidcUserInfo.email());
}
}

3
repository/src/test/resources/alfresco-global.properties
View File

@@ -28,6 +28,9 @@ identity-service.register-node-at-startup=true
identity-service.register-node-period=50 identity-service.register-node-period=50
identity-service.token-store=SESSION identity-service.token-store=SESSION
identity-service.principal-attribute=preferred_username identity-service.principal-attribute=preferred_username
identity-service.first-name-attribute=given_name
identity-service.last-name-attribute=family_name
identity-service.email-attribute=email
identity-service.turn-off-change-session-id-on-login=true identity-service.turn-off-change-session-id-on-login=true
identity-service.token-minimum-time-to-live=10 identity-service.token-minimum-time-to-live=10
identity-service.min-time-between-jwks-requests=60 identity-service.min-time-between-jwks-requests=60