
Package: KapuaSession

KapuaSession

name | instruction | branch | complexity | line | method
KapuaSession()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 2 C: 0
0%
M: 1 C: 0
0%
KapuaSession(AccessToken, KapuaId, KapuaId)
M: 12 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 5 C: 0
0%
M: 1 C: 0
0%
KapuaSession(AccessToken, KapuaId, KapuaId, String)
M: 15 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 6 C: 0
0%
M: 1 C: 0
0%
KapuaSession(KapuaId, KapuaId, boolean)
M: 12 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 5 C: 0
0%
M: 1 C: 0
0%
KapuaSession(KapuaPrincipal)
M: 11 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 4 C: 0
0%
M: 1 C: 0
0%
createFrom()
M: 24 C: 0
0%
M: 2 C: 0
0%
M: 2 C: 0
0%
M: 8 C: 0
0%
M: 1 C: 0
0%
createFrom(KapuaId, KapuaId)
M: 18 C: 0
0%
M: 2 C: 0
0%
M: 2 C: 0
0%
M: 5 C: 0
0%
M: 1 C: 0
0%
getAccessToken()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 1 C: 0
0%
M: 1 C: 0
0%
getOpenIDidToken()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 1 C: 0
0%
M: 1 C: 0
0%
getScopeId()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 1 C: 0
0%
M: 1 C: 0
0%
getUserId()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 1 C: 0
0%
M: 1 C: 0
0%
isCallerClassTrusted()
M: 32 C: 0
0%
M: 4 C: 0
0%
M: 3 C: 0
0%
M: 4 C: 0
0%
M: 1 C: 0
0%
isTrustedMode()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 1 C: 0
0%
M: 1 C: 0
0%
isUserInitiatedLogout()
M: 3 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 1 C: 0
0%
M: 1 C: 0
0%
setTrustedMode(boolean)
M: 4 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 2 C: 0
0%
M: 1 C: 0
0%
setUserInitiatedLogout(boolean)
M: 4 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 2 C: 0
0%
M: 1 C: 0
0%
static {...}
M: 21 C: 0
0%
M: 0 C: 0
100%
M: 1 C: 0
0%
M: 6 C: 0
0%
M: 1 C: 0
0%

Coverage

1: /*******************************************************************************
2: * Copyright (c) 2016, 2022 Eurotech and/or its affiliates and others
3: *
4: * This program and the accompanying materials are made
5: * available under the terms of the Eclipse Public License 2.0
6: * which is available at https://www.eclipse.org/legal/epl-2.0/
7: *
8: * SPDX-License-Identifier: EPL-2.0
9: *
10: * Contributors:
11: * Eurotech - initial API and implementation
12: *******************************************************************************/
13: package org.eclipse.kapua.commons.security;
14:
15: import org.eclipse.kapua.model.id.KapuaId;
16: import org.eclipse.kapua.service.authentication.KapuaPrincipal;
17: import org.eclipse.kapua.service.authentication.token.AccessToken;
18:
19: import java.io.Serializable;
20: import java.text.MessageFormat;
21: import java.util.ArrayList;
22: import java.util.List;
23:
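/**
 * Kapua session: carries the access token, scope id, user id and (optionally) the OpenID Connect
 * idToken of a logged-in session, plus the {@code trustedMode} and {@code userInitiatedLogout} flags.
 * <p>
 * Security notes for maintainers:
 * <ul>
 * <li>{@code trustedMode == true} means every rights check is skipped for this session. Inside this
 * class the flag is only set by the private three-argument constructor, by the two
 * {@code createFrom} factories (gated by {@link #isCallerClassTrusted()}) and by the package-private
 * {@link #setTrustedMode(boolean)}.</li>
 * <li>The class is {@link Serializable} and {@code trustedMode} is a regular (non-transient) field,
 * so the flag is part of the default serialized form and is restored as-is on deserialization,
 * without passing through the caller check. NOTE(review): confirm that serialized sessions are
 * only ever read back from stores and channels the platform itself controls.</li>
 * </ul>
 *
 * @since 1.0
 */
public class KapuaSession implements Serializable {

    private static final long serialVersionUID = -3831904230950408142L;

    public static final String KAPUA_SESSION_KEY = "KapuaSession";

    /**
     * Allow-list of callers, as "fully.qualified.ClassName.methodName" strings, that may obtain a
     * trusted session. Published as an unmodifiable list so the allow-list cannot be extended after
     * class initialization through this reference.
     */
    private static final List<String> TRUSTED_CLASSES;
    private static final String TRUST_CLASS_METHOD_PATTERN = "{0}.{1}";

    // TODO to be moved inside configuration service or something like that "fully.qualified.classname.methodname" (<init> for the constructor)
    static {
        List<String> trustedCallers = new ArrayList<>();
        trustedCallers.add("org.eclipse.kapua.broker.core.plugin.KapuaSecurityContext.<init>");
        trustedCallers.add("org.eclipse.kapua.commons.security.KapuaSecurityUtils.doPrivileged");
        trustedCallers.add("org.eclipse.kapua.commons.event.jms.JMSServiceEventBus.setSession");
        trustedCallers.add("org.eclipse.kapua.job.engine.app.core.filter.RebuildSessionFilter.onAccessDenied");
        // Fully qualified to avoid touching the file's import block.
        TRUSTED_CLASSES = java.util.Collections.unmodifiableList(trustedCallers);
    }

    /**
     * Access token that identifies the logged-in session.
     */
    private AccessToken accessToken;

    /**
     * User scope identifier.
     */
    private KapuaId scopeId;

    /**
     * User identifier.
     */
    private KapuaId userId;

    /**
     * Trusted mode.
     * If true every rights check is skipped; in other words the user is trusted and is allowed to
     * execute every operation defined in the system.
     */
    private boolean trustedMode;

    /**
     * OpenID Connect idToken obtained with an OpenID Connect login; contains user information and is
     * used for the OpenID Connect logout.
     */
    private String openIDidToken;

    /**
     * Set to true when the logout from the current session is triggered by the user.
     */
    private boolean userInitiatedLogout;

    /**
     * Default constructor. Leaves every field at its default value (trusted mode off).
     */
    public KapuaSession() {
        super();
    }

    /**
     * Internal constructor that also sets the trusted mode flag; no access token is assigned.
     *
     * @param scopeId     the scope identifier
     * @param userId      the user identifier
     * @param trustedMode the trusted mode flag to store
     */
    private KapuaSession(KapuaId scopeId, KapuaId userId, boolean trustedMode) {
        this.scopeId = scopeId;
        this.userId = userId;
        this.trustedMode = trustedMode;
    }

    /**
     * Creates a {@link KapuaSession} copy with trusted mode flag set to true (to be used only from
     * trusted classes).
     * <p>
     * The copy takes the access token, scope id and user id from the session returned by
     * {@code KapuaSecurityUtils.getSession()}; the OpenID Connect idToken and the
     * {@code userInitiatedLogout} flag are not carried over. The returned copy is not installed as
     * the current session by this method.
     * <p>
     * This method must call {@link #isCallerClassTrusted()} directly: the check inspects a fixed
     * stack frame index, so an intermediate helper call would make it examine the wrong frame.
     *
     * @return a trusted copy of the current session
     * @throws SecurityException    if the direct caller is not in the trusted caller list
     * @throws NullPointerException if {@code KapuaSecurityUtils.getSession()} returns {@code null}
     */
    public static KapuaSession createFrom() {
        if (!isCallerClassTrusted()) {
            // SecurityException is a RuntimeException, so callers catching RuntimeException still work.
            throw new SecurityException("Method not allowed for the caller class");
        }

        // NOTE(review): no null check here; a missing current session surfaces as a NullPointerException.
        KapuaSession currentSession = KapuaSecurityUtils.getSession();
        KapuaSession trustedCopy = new KapuaSession(currentSession.getAccessToken(),
                currentSession.getScopeId(),
                currentSession.getUserId());
        trustedCopy.trustedMode = true;
        return trustedCopy;
    }

    /**
     * Creates a new {@link KapuaSession} with trusted mode flag set to true (to be used only from
     * trusted classes) and installs it through {@code KapuaSecurityUtils.setSession(session)}.
     * <p>
     * The new session has no access token. As with {@link #createFrom()}, the call to
     * {@link #isCallerClassTrusted()} must stay a direct call from this method.
     *
     * @param scopeId the scope identifier of the new session
     * @param userId  the user identifier of the new session
     * @return the newly created trusted session
     * @throws SecurityException if the direct caller is not in the trusted caller list
     */
    public static KapuaSession createFrom(KapuaId scopeId, KapuaId userId) {
        if (!isCallerClassTrusted()) {
            // SecurityException is a RuntimeException, so callers catching RuntimeException still work.
            throw new SecurityException("Method not allowed for the caller class");
        }

        KapuaSession session = new KapuaSession(scopeId, userId, true);
        KapuaSecurityUtils.setSession(session);
        return session;
    }

    /**
     * Check if the caller is included in the caller list allowed to change the trusted mode flag.
     * <p>
     * The decision is made by formatting the class name and method name of stack frame 3 as
     * "className.methodName" and looking that string up in {@code TRUSTED_CLASSES}.
     * <p>
     * Limits of this check that reviewers should keep in mind:
     * <ul>
     * <li>It compares names only; no {@code Class} object or class loader is compared, so it cannot
     * tell apart two classes that share a fully qualified name. Treat it as a guard against
     * accidental misuse and verify before relying on it as an isolation boundary.</li>
     * <li>It depends on the exact frame layout documented below. Any change in call depth between the
     * outside caller and this method shifts the inspected frame.</li>
     * <li>The guard requires more than four frames although only index 3 is read, so a caller that is
     * the outermost frame of its thread is rejected (fails closed).</li>
     * </ul>
     *
     * @return {@code true} if frame 3 matches an entry of the trusted caller list, {@code false}
     * otherwise
     */
    private static boolean isCallerClassTrusted() {
        // the stack trace should be like
        // 0 ---> Thread
        // 1 ---> KapuaSession -> isCallerClassTrusted()
        // 2 ---> KapuaSession -> createFrom()
        // 3 ---> "outside" caller class that should be checked
        StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();
        if (stackTraceElements != null && stackTraceElements.length > 4) {
            return TRUSTED_CLASSES.contains(MessageFormat.format(TRUST_CLASS_METHOD_PATTERN, stackTraceElements[3].getClassName(), stackTraceElements[3].getMethodName()));
        }
        return false;
    }

    /**
     * Constructs a {@link KapuaSession} with given parameters. Trusted mode stays off.
     *
     * @param accessToken the access token identifying the session
     * @param scopeId     the scope identifier
     * @param userId      the user identifier
     */
    public KapuaSession(AccessToken accessToken,
            KapuaId scopeId,
            KapuaId userId) {
        this();
        this.accessToken = accessToken;
        this.scopeId = scopeId;
        this.userId = userId;
    }

    /**
     * Constructs a {@link KapuaSession} with given parameters. Trusted mode stays off.
     *
     * @param accessToken   the access token identifying the session
     * @param scopeId       the scope identifier
     * @param userId        the user identifier
     * @param openIDidToken the idToken obtained with an OpenID Connect login, contains user information, used for the logout
     */
    public KapuaSession(AccessToken accessToken, KapuaId scopeId, KapuaId userId, String openIDidToken) {
        this();
        this.accessToken = accessToken;
        this.scopeId = scopeId;
        this.userId = userId;
        this.openIDidToken = openIDidToken;
    }

    /**
     * Constructs a {@link KapuaSession} from a principal: the scope id is taken from
     * {@code principal.getAccountId()} and the user id from {@code principal.getUserId()}.
     * No access token is assigned and trusted mode stays off.
     *
     * @param principal the authenticated principal; must not be {@code null}
     */
    public KapuaSession(KapuaPrincipal principal) {
        scopeId = principal.getAccountId();
        userId = principal.getUserId();
    }

    /**
     * Get the access token.
     *
     * @return the access token, or {@code null} if none was assigned
     */
    public AccessToken getAccessToken() {
        return accessToken;
    }

    /**
     * Get the scope identifier.
     *
     * @return the scope identifier
     */
    public KapuaId getScopeId() {
        return scopeId;
    }

    /**
     * Get the user identifier.
     *
     * @return the user identifier
     */
    public KapuaId getUserId() {
        return userId;
    }

    /**
     * Get the OpenID Connect idToken.
     *
     * @return the idToken, or {@code null} if none was assigned
     */
    public String getOpenIDidToken() {
        return openIDidToken;
    }

    /**
     * Set the trusted mode status.
     * If true every rights check will be skipped; in other words the user is trusted and is allowed
     * to execute every operation defined in the system.
     * <p>
     * Package-private and not guarded by the trusted caller list: any class in this package can call it.
     *
     * @param trustedMode the trusted mode flag to store
     */
    final void setTrustedMode(boolean trustedMode) {
        this.trustedMode = trustedMode;
    }

    /**
     * Return the trusted mode status.
     * If true every rights check will be skipped; in other words the user is trusted and is allowed
     * to execute every operation defined in the system.
     *
     * @return {@code true} if the session is in trusted mode
     */
    public final boolean isTrustedMode() {
        return trustedMode;
    }

    /**
     * Get the `userInitiatedLogout` value.
     *
     * @return 'true' if user initiated logout, 'false' otherwise
     */
    public boolean isUserInitiatedLogout() {
        return userInitiatedLogout;
    }

    /**
     * Set the logout as 'user initiated'. This will allow to avoid logging out from an OpenID session by using the OpenIDLogoutListener.
     *
     * @param userInitiatedLogout 'true' if user initiated logout, 'false' otherwise
     */
    public void setUserInitiatedLogout(boolean userInitiatedLogout) {
        this.userInitiatedLogout = userInitiatedLogout;
    }
}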