DDF-04481 Removed realm support from the Web Context Policy Manager (#715)

Author: blen-desta

catalog/nsili/catalog-nsili-endpoint/src/main/java/org/codice/alliance/nsili/endpoint/NsiliEndpoint.java

@@ -34,7 +34,6 @@
 import org.codice.alliance.nsili.orb.api.CorbaServiceListener;
 import org.codice.ddf.security.common.Security;
 import org.codice.ddf.security.handler.api.AuthenticationHandler;
-import org.codice.ddf.security.handler.api.BaseAuthenticationToken;
 import org.codice.ddf.security.handler.api.GuestAuthenticationToken;
 import org.omg.CORBA.ORB;
 import org.omg.CORBA.ORBPackage.InvalidName;
@@ -385,8 +384,7 @@ public static synchronized Subject getGuestSubject() throws SecurityServiceExcep
       }
 
       String guestTokenId = ip;
-      GuestAuthenticationToken guestToken =
-          new GuestAuthenticationToken(BaseAuthenticationToken.ALL_REALM, guestTokenId);
+      GuestAuthenticationToken guestToken = new GuestAuthenticationToken(guestTokenId);
       guestSubject = securityManager.getSubject(guestToken);
     }
 

catalog/video/video-mpegts-stream/src/main/java/org/codice/alliance/video/stream/mpegts/netty/RawUdpDataToMTSPacketDecoder.java

@@ -31,7 +31,6 @@
 import org.codice.alliance.libs.mpegts.Constants;
 import org.codice.alliance.video.security.token.videographer.VideographerAuthenticationToken;
 import org.codice.ddf.security.common.Security;
-import org.codice.ddf.security.handler.api.BaseAuthenticationToken;
 import org.osgi.framework.Bundle;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
@@ -96,8 +95,7 @@ public void channelActive(ChannelHandlerContext ctx) throws Exception {
 
   private Subject getSecuritySubject(String ipAddress) throws SecurityServiceException {
     Subject subject = null;
-    VideographerAuthenticationToken token =
-        new VideographerAuthenticationToken(BaseAuthenticationToken.DEFAULT_REALM, ipAddress);
+    VideographerAuthenticationToken token = new VideographerAuthenticationToken(ipAddress);
     LOGGER.debug(
         "Getting new videographer user token for ip address {}: token={}", ipAddress, token);
 

catalog/video/video-security/src/main/java/org/codice/alliance/video/security/token/videographer/VideographerAuthenticationToken.java

@@ -29,8 +29,8 @@ public class VideographerAuthenticationToken extends BSTAuthenticationToken {
           + BSTAuthenticationToken.TOKEN_VALUE_SEPARATOR
           + BST_VIDEOGRAPHER_LN;
 
-  public VideographerAuthenticationToken(String realm, String ip) {
-    super(new VideographerPrincipal(ip), VIDEOGRAPHER_CREDENTIALS, realm);
+  public VideographerAuthenticationToken(String ip) {
+    super(new VideographerPrincipal(ip), VIDEOGRAPHER_CREDENTIALS);
     setTokenValueType(BSTAuthenticationToken.BST_NS, BST_VIDEOGRAPHER_LN);
     setTokenId(BST_VIDEOGRAPHER_LN);
 
@@ -59,6 +59,6 @@ public String getIpAddress() {
 
   @Override
   public String toString() {
-    return "Videographer IP: " + getIpAddress() + "; realm: " + realm;
+    return "Videographer IP: " + getIpAddress();
   }
 }

catalog/video/video-security/src/main/java/org/codice/alliance/video/security/validator/videographer/VideographerValidator.java

@@ -13,7 +13,6 @@
  */
 package org.codice.alliance.video.security.validator.videographer;
 
-import java.util.List;
 import org.apache.commons.validator.routines.InetAddressValidator;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.token.validator.TokenValidator;
@@ -33,8 +32,6 @@ public class VideographerValidator implements TokenValidator {
 
   private static final String WILDCARD = "*";
 
-  private List<String> supportedRealms;
-
   private VideographerAuthenticationToken getVideographerTokenFromTarget(
       ReceivedToken validateTarget) {
 
@@ -48,7 +45,6 @@ private VideographerAuthenticationToken getVideographerTokenFromTarget(
       try {
         BaseAuthenticationToken base = VideographerAuthenticationToken.parse(credential, true);
         return new VideographerAuthenticationToken(
-            base.getRealm(),
             VideographerPrincipal.parseAddressFromName(base.getPrincipal().toString()));
       } catch (WSSecurityException e) {
         LOGGER.debug(
@@ -80,22 +76,12 @@ public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
     // based on the web context. So this just looks at the realm passed in the credentials.
     // This generic instance just looks for the default realms (DDF and Karaf)
     if (videographerToken != null) {
-      if (videographerToken.getRealm() == null) {
-        LOGGER.trace("No realm specified in request, canHandletoken = true");
-        return true;
-      } else {
-        if (supportedRealms.contains(videographerToken.getRealm())
-            || WILDCARD.equals(videographerToken.getRealm())) {
-          LOGGER.trace(
-              "Realm '{}' recognized - canHandleToken = true", videographerToken.getRealm());
-          return true;
-        } else {
-          LOGGER.trace(
-              "Realm '{}' unrecognized - canHandleToken = false", videographerToken.getRealm());
-        }
-      }
+      LOGGER.trace("canHandletoken = true");
+      return true;
+    } else {
+      LOGGER.trace("canHandleToken = false");
+      return false;
     }
-    return false;
   }
 
   @Override
@@ -112,17 +98,7 @@ public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParame
     if (videographerToken != null) {
       response.setPrincipal(new VideographerPrincipal(videographerToken.getIpAddress()));
 
-      if (videographerToken.getRealm() != null) {
-        if ((supportedRealms.contains(videographerToken.getRealm())
-                || WILDCARD.equals(videographerToken.getRealm()))
-            && videographerToken
-                .getCredentials()
-                .equals(VideographerAuthenticationToken.VIDEOGRAPHER_CREDENTIALS)
-            && validIpAddress(videographerToken.getIpAddress())) {
-          validateTarget.setState(ReceivedToken.STATE.VALID);
-          validateTarget.setPrincipal(new VideographerPrincipal(videographerToken.getIpAddress()));
-        }
-      } else if (videographerToken
+      if (videographerToken
               .getCredentials()
               .equals(VideographerAuthenticationToken.VIDEOGRAPHER_CREDENTIALS)
           && validIpAddress(videographerToken.getIpAddress())) {
@@ -132,14 +108,4 @@ && validIpAddress(videographerToken.getIpAddress())) {
     }
     return response;
   }
-
-  /**
-   * Set the realm that this validator supports. This can be used to differentiate between two
-   * instances of this validator where each contains a differnent token validator.
-   *
-   * @param supportedRealms string representing the realm supported by this validator
-   */
-  public void setSupportedRealms(List<String> supportedRealms) {
-    this.supportedRealms = supportedRealms;
-  }
 }

catalog/video/video-security/src/main/resources/OSGI-INF/blueprint/blueprint.xml

@@ -30,18 +30,7 @@
 
     <service ref="videographerClaimsHandler" interface="org.apache.cxf.sts.claims.ClaimsHandler"/>
 
-    <bean id="videographerValidator" class="org.codice.alliance.video.security.validator.videographer.VideographerValidator">
-
-       <cm:managed-properties persistent-id="org.codice.alliance.video.security.validator.videographer.VideographerValidator"
-                               update-strategy="container-managed"/>
-
-        <property name="supportedRealms">
-            <list>
-                <value>karaf</value>
-                <value>ldap</value>
-            </list>
-        </property>
-    </bean>
+    <bean id="videographerValidator" class="org.codice.alliance.video.security.validator.videographer.VideographerValidator"/>
 
     <service ref="videographerValidator" interface="org.apache.cxf.sts.token.validator.TokenValidator"/>
 

catalog/video/video-security/src/main/resources/OSGI-INF/metatype/metatype.xml

@@ -25,17 +25,6 @@
 
     </OCD>
 
-    <OCD description="Videographer Validator"
-         name="Videographer Validator"
-         id="org.codice.alliance.video.security.validator.videographer.VideographerValidator">
-
-        <AD description="Supported Realms"
-            name="Supported Realms" id="supportedRealms" required="true" type="String"
-            default="karaf,ldap"
-            cardinality="100"/>
-
-    </OCD>
-
     <Designate pid="org.codice.alliance.video.security.claims.videographer.VideographerClaimsHandler">
         <Object ocdref="org.codice.alliance.video.security.claims.videographer.VideographerClaimsHandler"/>
     </Designate>

catalog/video/video-security/src/test/java/org/codice/alliance/video/security/token/videographer/VideographerAuthenticationTokenTest.java

@@ -24,12 +24,10 @@ public class VideographerAuthenticationTokenTest {
 
   @Test
   public void testConstructor() {
-    final String realm = "someRealm";
-    VideographerAuthenticationToken token = new VideographerAuthenticationToken(realm, "127.0.0.1");
+    VideographerAuthenticationToken token = new VideographerAuthenticationToken("127.0.0.1");
     assertThat(token.getPrincipal(), is(instanceOf(VideographerPrincipal.class)));
     assertThat(
         token.getCredentials(), is(VideographerAuthenticationToken.VIDEOGRAPHER_CREDENTIALS));
-    assertThat(token.getRealm(), is(realm));
     assertThat(
         token.getTokenValueType(),
         is(VideographerAuthenticationToken.VIDEOGRAPHER_TOKEN_VALUE_TYPE));

catalog/video/video-security/src/test/java/org/codice/alliance/video/security/validator/videographer/VideographerValidatorTest.java

@@ -18,7 +18,6 @@
 import static org.hamcrest.core.IsInstanceOf.instanceOf;
 
 import java.util.Base64;
-import java.util.Collections;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.JAXBException;
 import javax.xml.namespace.QName;
@@ -59,21 +58,20 @@ public class VideographerValidatorTest {
   @Before
   public void setup() {
     validator = new VideographerValidator();
-    validator.setSupportedRealms(Collections.singletonList("DDF"));
     VideographerAuthenticationToken videographerAuthenticationToken =
-        new VideographerAuthenticationToken("DDF", "127.0.0.1");
+        new VideographerAuthenticationToken("127.0.0.1");
 
     VideographerAuthenticationToken videographerAuthenticationTokenAnyRealm =
-        new VideographerAuthenticationToken("*", "127.0.0.1");
+        new VideographerAuthenticationToken("127.0.0.1");
 
     VideographerAuthenticationToken videographerAuthenticationTokenIpv6 =
-        new VideographerAuthenticationToken("*", "0:0:0:0:0:0:0:1");
+        new VideographerAuthenticationToken("0:0:0:0:0:0:0:1");
 
     VideographerAuthenticationToken videographerAuthenticationTokenBadIp =
-        new VideographerAuthenticationToken("*", "123.abc.45.def");
+        new VideographerAuthenticationToken("123.abc.45.def");
 
     VideographerAuthenticationToken videographerAuthenticationTokenIpv6Reachability =
-        new VideographerAuthenticationToken("*", "0:0:0:0:0:0:0:1%4");
+        new VideographerAuthenticationToken("0:0:0:0:0:0:0:1%4");
 
     BinarySecurityTokenType binarySecurityTokenType = new BinarySecurityTokenType();
     binarySecurityTokenType.setValueType(

distribution/test/itests/test-itests-alliance/src/test/java/org/codice/alliance/test/itests/BannerMarkingsTest.java

@@ -57,6 +57,8 @@ public class BannerMarkingsTest extends AbstractAllianceIntegrationTest {
   public void beforeAllianceTest() throws Exception {
     try {
       waitForSystemReady();
+      getSecurityPolicy().configureRestForGuest();
+      waitForSystemReady();
 
     } catch (Exception e) {
       LOGGER.error("Failed in @BeforeExam: ", e);

distribution/test/itests/test-itests-alliance/src/test/java/org/codice/alliance/test/itests/ImagingTest.java

@@ -67,6 +67,8 @@ public class ImagingTest extends AbstractAllianceIntegrationTest {
   @BeforeExam
   public void beforeAllianceTest() throws Exception {
     try {
+      waitForSystemReady();
+      getSecurityPolicy().configureRestForGuest();
       waitForSystemReady();
       getServiceManager().startFeature(true, "nitf-render-plugin");
     } catch (Exception e) {

distribution/test/itests/test-itests-alliance/src/test/java/org/codice/alliance/test/itests/NsiliEndpointTest.java

@@ -81,7 +81,8 @@ public class NsiliEndpointTest extends AbstractAllianceIntegrationTest {
   public void beforeNsiliEndpointTest() throws Exception {
     try {
       waitForSystemReady();
-
+      getSecurityPolicy().configureRestForGuest();
+      waitForSystemReady();
       System.setProperty(CORBA_DEFAULT_PORT_PROPERTY, CORBA_DEFAULT_PORT.getPort());
 
       startHttpListener();

distribution/test/itests/test-itests-alliance/src/test/java/org/codice/alliance/test/itests/NsiliSourceTest.java

@@ -75,6 +75,8 @@ public class NsiliSourceTest extends AbstractAllianceIntegrationTest {
   public void beforeAllianceTest() throws Exception {
     try {
       waitForSystemReady();
+      getSecurityPolicy().configureRestForGuest();
+      waitForSystemReady();
 
       System.setProperty(CORBA_DEFAULT_PORT_PROPERTY, CORBA_DEFAULT_PORT.getPort());
 
@@ -103,20 +105,26 @@ public void beforeAllianceTest() throws Exception {
    */
   @Test
   public void testNsiliHttpSourceAvailable() throws Exception {
-    // @formatter:off
-    given()
-        .auth()
-        .basic("admin", "admin")
-        .header("X-Requested-With", "XMLHttpRequest")
-        .header("Origin", ADMIN_ALL_SOURCES_PATH.getUrl())
-        .when()
-        .get(ADMIN_ALL_SOURCES_PATH.getUrl())
-        .then()
-        .log()
-        .all()
-        .assertThat()
-        .body(containsString("\"id\":\"httpNsiliSource\""));
-    // @formatter:on
+    try {
+      getSecurityPolicy().configureRestForBasic();
+
+      // @formatter:off
+      given()
+          .auth()
+          .basic("admin", "admin")
+          .header("X-Requested-With", "XMLHttpRequest")
+          .header("Origin", ADMIN_ALL_SOURCES_PATH.getUrl())
+          .when()
+          .get(ADMIN_ALL_SOURCES_PATH.getUrl())
+          .then()
+          .log()
+          .all()
+          .assertThat()
+          .body(containsString("\"id\":\"httpNsiliSource\""));
+      // @formatter:on
+    } finally {
+      getSecurityPolicy().configureRestForGuest();
+    }
   }
 
   /**
@@ -126,20 +134,26 @@ public void testNsiliHttpSourceAvailable() throws Exception {
    */
   @Test
   public void testNsiliFtpSourceAvailable() throws Exception {
-    // @formatter:off
-    given()
-        .auth()
-        .basic("admin", "admin")
-        .header("X-Requested-With", "XMLHttpRequest")
-        .header("Origin", ADMIN_ALL_SOURCES_PATH.getUrl())
-        .when()
-        .get(ADMIN_ALL_SOURCES_PATH.getUrl())
-        .then()
-        .log()
-        .all()
-        .assertThat()
-        .body(containsString("\"id\":\"ftpNsiliSource\""));
-    // @formatter:on
+    try {
+      getSecurityPolicy().configureRestForBasic();
+
+      // @formatter:off
+      given()
+          .auth()
+          .basic("admin", "admin")
+          .header("X-Requested-With", "XMLHttpRequest")
+          .header("Origin", ADMIN_ALL_SOURCES_PATH.getUrl())
+          .when()
+          .get(ADMIN_ALL_SOURCES_PATH.getUrl())
+          .then()
+          .log()
+          .all()
+          .assertThat()
+          .body(containsString("\"id\":\"ftpNsiliSource\""));
+      // @formatter:on
+    } finally {
+      getSecurityPolicy().configureRestForGuest();
+    }
   }
 
   /**

distribution/test/itests/test-itests-alliance/src/test/java/org/codice/alliance/test/itests/VideoTest.java

@@ -74,6 +74,8 @@ public class VideoTest extends AbstractAllianceIntegrationTest {
 
   @BeforeExam
   public void beforeExam() throws Exception {
+    waitForSystemReady();
+    getSecurityPolicy().configureRestForBasic();
     waitForSystemReady();
     udpPort = new DynamicPort(6);
     udpPortNum = Integer.parseInt(udpPort.getPort());