From: scnakandala@apache.org To: commits@airavata.apache.org Date: Mon, 03 Apr 2017 17:50:22 -0000 Message-Id: <43cdab678ac34a128f8ebdb9e34e173e@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [1/3] airavata git commit: adding KeyCloak based security manager archived-at: Mon, 03 Apr 2017 17:50:25 -0000 Repository: airavata Updated Branches: refs/heads/develop 5100c07db -> 048a11bab adding KeyCloak based security manager Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/4ec28232 Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/4ec28232 Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/4ec28232 Branch: refs/heads/develop Commit: 4ec282320f267729c9c8b7138667c092d8f98035 Parents: 6bc536f Author: scnakandala Authored: Mon Apr 3 13:48:59 2017 -0400 Committer: scnakandala Committed: Mon Apr 3 13:48:59 2017 -0400 ---------------------------------------------------------------------- .../security/KeyCloakSecurityManager.java | 286 +++++++++++++++++++ .../apache/airavata/common/utils/Constants.java | 2 + .../airavata/common/utils/ServerSettings.java | 9 + .../main/resources/airavata-server.properties | 5 + .../src/main/resources/client_truststore.jks | Bin 2423 -> 3740 bytes 5 files changed, 302 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/4ec28232/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/KeyCloakSecurityManager.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/KeyCloakSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/KeyCloakSecurityManager.java new file mode 100644 index 0000000..bd1c90b --- /dev/null 
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/KeyCloakSecurityManager.java 
@@ -0,0 +1,286 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+*/
+package org.apache.airavata.api.server.security;
+
+import org.apache.airavata.api.server.security.authzcache.*;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.credential.store.client.CredentialStoreClientFactory;
+import org.apache.airavata.credential.store.cpi.CredentialStoreService;
+import org.apache.airavata.credential.store.exception.CredentialStoreException;
+import org.apache.airavata.model.appcatalog.gatewayprofile.GatewayResourceProfile;
+import org.apache.airavata.model.credential.store.PasswordCredential;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.registry.api.RegistryService;
+import org.apache.airavata.registry.api.client.RegistryServiceClientFactory;
+import org.apache.airavata.registry.api.exception.RegistryServiceException;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.airavata.security.util.TrustStoreManager;
+import org.apache.thrift.TException;
+import org.json.JSONArray;
+import org.json.JSONObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class KeyCloakSecurityManager implements AiravataSecurityManager {
+ private final static Logger logger = LoggerFactory.getLogger(KeyCloakSecurityManager.class);
+
+ private HashMap rolePermissionConfig = new HashMap<>();
+
+
+ public KeyCloakSecurityManager() throws AiravataSecurityException {
+ rolePermissionConfig.put("admin", "/airavata/.*");
+ rolePermissionConfig.put("gateway-provider", "/airavata/.*");
+ rolePermissionConfig.put("admin-read-only", "/airavata/getSSHPubKey|/airavata/getAllGatewaySSHPubKeys" +
+ "|/airavata/getAllGatewayPWDCredentials|/airavata/getApplicationModule|/airavata/getAllAppModules" +
+ "|/airavata/getApplicationDeployment|/airavata/getAllApplicationDeployments|/airavata/getAppModuleDeployedResources" +
+ "|/airavata/getStorageResource|/airavata/getAllStorageResourceNames|/airavata/getSCPDataMovement" +
+ "|/airavata/getUnicoreDataMovement|/airavata/getGridFTPDataMovement|/airavata/getResourceJobManager" +
+ "|/airavata/deleteResourceJobManager|/airavata/getGatewayResourceProfile|/airavata/getGatewayComputeResourcePreference" +
+ "|/airavata/getGatewayStoragePreference|/airavata/getAllGatewayComputeResourcePreferences" +
+ "|/airavata/getAllGatewayStoragePreferences|/airavata/getAllGatewayResourceProfiles|/airavata/getAPIVersion" +
+ "|/airavata/getNotification|/airavata/getAllNotifications|/airavata/createProject|/airavata/updateProject" +
+ "|/airavata/getProject|/airavata/deleteProject|/airavata/getUserProjects|/airavata/searchProjectsByProjectName" +
+ "|/airavata/searchProjectsByProjectDesc|/airavata/searchExperimentsByName|/airavata/searchExperimentsByDesc" +
+ "|/airavata/searchExperimentsByApplication|/airavata/searchExperimentsByStatus|/airavata/searchExperimentsByCreationTime" +
+ "|/airavata/searchExperiments|/airavata/getExperimentStatistics|/airavata/getExperimentsInProject" +
+ "|/airavata/getUserExperiments|/airavata/createExperiment|/airavata/deleteExperiment|/airavata/getExperiment" +
+ "|/airavata/getDetailedExperimentTree|/airavata/updateExperiment|/airavata/updateExperimentConfiguration" +
+ "|/airavata/updateResourceScheduleing|/airavata/validateExperiment|/airavata/launchExperiment" +
+ "|/airavata/getExperimentStatus|/airavata/getExperimentOutputs|/airavata/getIntermediateOutputs" +
+ "|/airavata/getJobStatuses|/airavata/getJobDetails|/airavata/cloneExperiment|/airavata/terminateExperiment" +
+ "|/airavata/getApplicationInterface|/airavata/getAllApplicationInterfaceNames|/airavata/getAllApplicationInterfaces" +
+ "|/airavata/getApplicationInputs|/airavata/getApplicationOutputs|/airavata/getAvailableAppInterfaceComputeResources" +
+ "|/airavata/getComputeResource|/airavata/getAllComputeResourceNames|/airavata/getWorkflow|/airavata/getWorkflowTemplateId" +
+ "|/airavata/isWorkflowExistWithName|/airavata/registerDataProduct|/airavata/getDataProduct|/airavata/registerReplicaLocation" +
+ "|/airavata/getParentDataProduct|/airavata/getChildDataProducts");
+ rolePermissionConfig.put("gateway-user", "/airavata/getAPIVersion|/airavata/getNotification|/airavata/getAllNotifications|" +
+ "/airavata/createProject|/airavata/updateProject|/airavata/getProject|/airavata/deleteProject|/airavata/getUserProjects|" +
+ "/airavata/searchProjectsByProjectName|/airavata/searchProjectsByProjectDesc|/airavata/searchExperimentsByName|" +
+ "/airavata/searchExperimentsByDesc|/airavata/searchExperimentsByApplication|/airavata/searchExperimentsByStatus|" +
+ "/airavata/searchExperimentsByCreationTime|/airavata/searchExperiments|/airavata/getExperimentStatistics|" +
+ "/airavata/getExperimentsInProject|/airavata/getUserExperiments|/airavata/createExperiment|/airavata/deleteExperiment|" +
+ "/airavata/getExperiment|/airavata/getDetailedExperimentTree|/airavata/updateExperiment|/airavata/updateExperimentConfiguration|" +
+ "/airavata/updateResourceScheduleing|/airavata/validateExperiment|/airavata/launchExperiment|/airavata/getExperimentStatus|" +
+ "/airavata/getExperimentOutputs|/airavata/getIntermediateOutputs|/airavata/getJobStatuses|/airavata/getJobDetails|" +
+ "/airavata/cloneExperiment|/airavata/terminateExperiment|/airavata/getApplicationInterface|/airavata/getAllApplicationInterfaceNames|" +
+ "/airavata/getAllApplicationInterfaces|/airavata/getApplicationInputs|/airavata/getApplicationOutputs|" +
+ "/airavata/getAvailableAppInterfaceComputeResources|/airavata/getComputeResource|/airavata/getAllComputeResourceNames|" +
+ "/airavata/getWorkflow|/airavata/getWorkflowTemplateId|/airavata/isWorkflowExistWithName|/airavata/registerDataProduct|" +
+ "/airavata/getDataProduct|/airavata/registerReplicaLocation|/airavata/getParentDataProduct|/airavata/getChildDataProducts");
+
+ initializeSecurityInfra();
+ }
+
+ /**
+ * Implement this method in your SecurityManager to perform necessary initializations at the server startup.
+ *
+ * @throws AiravataSecurityException
+ */
+ @Override
+ public void initializeSecurityInfra() throws AiravataSecurityException {
+ try {
+ //initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
+ TrustStoreManager trustStoreManager = new TrustStoreManager();
+ trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
+ ServerSettings.getTrustStorePassword());
+ } catch (Exception e) {
+ throw new AiravataSecurityException(e.getMessage(), e);
+ }
+
+ }
+
+ /**
+ * Implement this method with the user authentication/authorization logic in your SecurityManager.
+ *
+ * @param authzToken : this includes OAuth token and user's claims
+ * @param metaData : this includes other meta data needed for security enforcements.
+ * @return
+ * @throws AiravataSecurityException
+ */
+ @Override
+ public boolean isUserAuthorized(AuthzToken authzToken, Map metaData) throws AiravataSecurityException {
+ String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+ String accessToken = authzToken.getAccessToken();
+ String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+ String action = metaData.get(Constants.API_METHOD_NAME);
+ try {
+ if (!ServerSettings.isAPISecured()) {
+ return true;
+ }
+
+ if (ServerSettings.isAuthzCacheEnabled()) {
+ //obtain an instance of AuthzCacheManager implementation.
+ AuthzCacheManager authzCacheManager = AuthzCacheManagerFactory.getAuthzCacheManager();
+
+ //check in the cache
+ AuthzCachedStatus authzCachedStatus = authzCacheManager.getAuthzCachedStatus(
+ new AuthzCacheIndex(subject, gatewayId, accessToken, action));
+
+ if (AuthzCachedStatus.AUTHORIZED.equals(authzCachedStatus)) {
+ logger.debug("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is retrieved from cache.");
+ return true;
+ } else if (AuthzCachedStatus.NOT_AUTHORIZED.equals(authzCachedStatus)) {
+ logger.debug("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is retrieved from cache.");
+ return false;
+ } else if (AuthzCachedStatus.NOT_CACHED.equals(authzCachedStatus)) {
+ logger.debug("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is not in the cache. " +
+ "Obtaining it from the authorization server.");
+ String[] roles = getUserRolesFromOAuthToken(subject, accessToken, gatewayId);
+ boolean authorizationDecision = hasPermission(roles, action);
+ //cache the authorization decision
+ long currentTime = System.currentTimeMillis();
+ //TODO get the actual token expiration time
+ authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, gatewayId, accessToken, action),
+ new AuthzCacheEntry(authorizationDecision, currentTime + 1000 * 60 * 60, currentTime));
+ return authorizationDecision;
+ } else {
+ //undefined status returned from the authz cache manager
+ throw new AiravataSecurityException("Error in reading from the authorization cache.");
+ }
+ } else {
+ String[] roles = getUserRolesFromOAuthToken(subject, accessToken, gatewayId);
+ return hasPermission(roles, action);
+ }
+
+ } catch (ApplicationSettingsException e) {
+ e.printStackTrace();
+ throw new AiravataSecurityException(e.getMessage(), e);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new AiravataSecurityException(e.getMessage(), e);
+ }
+ }
+
+ private String[] getUserRolesFromOAuthToken(String username, String token, String gatewayId) throws Exception {
+ String openIdConnectUrl = ServerSettings.getRemoteOpenIdDiscoveryUrl();
+ JSONObject openIdConnectConfig = new JSONObject(getFromUrl(openIdConnectUrl, token));
+ String userInfoEndPoint = openIdConnectConfig.getString("userinfo_endpoint");
+ JSONObject userInfo = new JSONObject(getFromUrl(userInfoEndPoint, token));
+ if (!username.equals(userInfo.get("preferred_username"))) {
+ throw new AiravataSecurityException("Subject name and username for the token doesn't match");
+ }
+ String userId = userInfo.getString("sub");
+
+ GatewayResourceProfile gwrp = getRegistryServiceClient().getGatewayResourceProfile(gatewayId);
+ String identityServerRelam = gwrp.getIdentityServerTenant();
+ String userRoleMappingUrl = ServerSettings.getRemoteIDPServiceUrl() + "/admin/realms/" +
+ identityServerRelam + "/users/" +
+ userId + "/role-mappings/realm";
+ JSONArray roleMappings = new JSONArray(getFromUrl(userRoleMappingUrl, getAdminAccessToken(gatewayId)));
+ String[] roles = new String[roleMappings.length()];
+ for (int i = 0; i < roleMappings.length(); i++) {
+ roles[i] = (new JSONObject(roleMappings.get(i).toString())).get("name").toString();
+ }
+
+ return roles;
+ }
+
+ public String getFromUrl(String urlToRead, String token) throws Exception {
+ StringBuilder result = new StringBuilder();
+ URL url = new URL(urlToRead);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("GET");
+ String bearerAuth = "Bearer " + token;
+ conn.setRequestProperty("Authorization", bearerAuth);
+ BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
+ String line;
+ while ((line = rd.readLine()) != null) {
+ result.append(line);
+ }
+ rd.close();
+ return result.toString();
+ }
+
+ private String getAdminAccessToken(String gatewayId) throws TException, ApplicationSettingsException, IOException {
+ CredentialStoreService.Client csClient = getCredentialStoreServiceClient();
+ GatewayResourceProfile gwrp = getRegistryServiceClient().getGatewayResourceProfile(gatewayId);
+ PasswordCredential credential = csClient.getPasswordCredential(gwrp.getIdentityServerPwdCredToken(), gwrp.getGatewayID());
+ String username = credential.getLoginUserName();
+ String password = credential.getPassword();
+ String urlString = ServerSettings.getRemoteIDPServiceUrl() + "/realms/master/protocol/openid-connect/token";
+ StringBuilder result = new StringBuilder();
+ URL url = new URL(urlString);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("POST");
+ conn.setDoOutput(true);
+ String postFields = "client_id=admin-cli&username=" + username + "&password=" + password + "&grant_type=password";
+ conn.getOutputStream().write(postFields.getBytes());
+ BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
+ String line;
+ while ((line = rd.readLine()) != null) {
+ result.append(line);
+ }
+ rd.close();
+ JSONObject tokenInfo = new JSONObject(result.toString());
+ return tokenInfo.get("access_token").toString();
+ }
+
+
+ private boolean hasPermission(String[] roles, String apiMethod) {
+ for (int i = 0; i < roles.length; i++) {
+ String role = roles[i];
+ if (this.rolePermissionConfig.keySet().contains(role)) {
+ Pattern pattern = Pattern.compile(this.rolePermissionConfig.get(role));
+ Matcher matcher = pattern.matcher(apiMethod);
+ if (matcher.matches())
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private RegistryService.Client getRegistryServiceClient() throws TException, ApplicationSettingsException {
+ final int serverPort = Integer.parseInt(ServerSettings.getRegistryServerPort());
+ final String serverHost = ServerSettings.getRegistryServerHost();
+ try {
+ return RegistryServiceClientFactory.createRegistryClient(serverHost, serverPort);
+ } catch (RegistryServiceException e) {
+ throw new TException("Unable to create registry client...", e);
+ }
+ }
+
+ private CredentialStoreService.Client getCredentialStoreServiceClient() throws TException, ApplicationSettingsException {
+ final int serverPort = Integer.parseInt(ServerSettings.getCredentialStoreServerPort());
+ final String serverHost = ServerSettings.getCredentialStoreServerHost();
+ try {
+ return CredentialStoreClientFactory.createAiravataCSClient(serverHost, serverPort);
+ } catch (CredentialStoreException e) {
+ throw new TException("Unable to create credential store client...", e);
+ }
+ }
+
+ public static void main(String[] args) throws Exception {
+ KeyCloakSecurityManager keyCloakSecurityManager = new KeyCloakSecurityManager();
+ keyCloakSecurityManager.getUserRolesFromOAuthToken("supun.nakandala@gmail.com", 
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJKd1pob2pURlJHaVVCaGh3aFBWUFBVeHpUNmFmTmllZ0lnejZqbHhmR1BRIn0.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 IlN1cHVuIiwiZmFtaWx5X25hbWUiOiJOYWthbmRhbGEiLCJlbWFpbCI6InN1cHVuLm5ha2FuZGFsYUBnbWFpbC5jb20ifQ.I93re0YweCBhAAgOVFGbBPEsF7nRjeXQHut8NOdpXiVbeDe1BrcoS5Y86DOPZBWUQBg9GfUF7ZGt4xSatu3aHOOkiANRAAWucwZxuYD8-IXnnrF2ao8lUD94mpORszz_G4ZFcCP6cV6qG9SptdqhvHCYIdH8LvfMCBgjGTe7Um-7RHRrTavaN9b52Wsz-1CQeAcEQkwsGOoyVWUQ_3Cyo2aXpua34DLVJrkSsrSZxIQm5ojq8H3YJzKsssAhMuaIrh5oaDKRr7NjZvzV7aheMt-NwEgKc85Rqk-765tsICBbAjmw7r-cGxlvE32g7HI0-cNjuCVdNOEawoOeD3jH-Q", "airavata"); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/airavata/blob/4ec28232/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java ---------------------------------------------------------------------- diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java index b5fbd4b..59b2d96 100644 --- a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java +++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java 
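Review bot: The `main` method at the end of the hunk embeds a bearer JWT and a personal e-mail address as test input; a token committed to a public repository has to be treated as disclosed, so the method should be removed (or read its inputs from `args`) and the token revoked on the IdP. The three `logger.debug` calls in `isUserAuthorized` also write `accessToken` to the log in clear text — log `subject` and `action` only, or a digest of the token. In `getAdminAccessToken` the admin username and password are concatenated into the form body without URL-encoding and written with the platform default charset, and neither it nor `getFromUrl` checks `getResponseCode()` or closes the connection streams on an exception; the rewrite below (needs `java.net.URLEncoder`, `java.nio.charset.StandardCharsets` and `java.io.OutputStream`) covers the token request, and `getFromUrl` wants the same response-code check plus a try-with-resources around its reader. As a point of style, `hasPermission` recompiles the role regex on every call; compiling the map values once in the constructor avoids that.
```java
// … unchanged: credential lookup and urlString …
String postFields = "client_id=admin-cli"
        + "&username=" + URLEncoder.encode(username, StandardCharsets.UTF_8.name())
        + "&password=" + URLEncoder.encode(password, StandardCharsets.UTF_8.name())
        + "&grant_type=password";
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
try (OutputStream out = conn.getOutputStream()) {
    out.write(postFields.getBytes(StandardCharsets.UTF_8));
}
if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
    // fail closed: no admin token means no role lookup, so the request is denied
    throw new IOException("Token endpoint returned HTTP " + conn.getResponseCode());
}
// … unchanged: read the response body and extract access_token …
```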
@@ -35,6 +35,8 @@ public final class Constants {
 public static final String IS_API_SECURED = "api.secured";
 public static final String SECURITY_MANAGER_CLASS = "security.manager.class";
 public static final String REMOTE_OAUTH_SERVER_URL = "remote.oauth.authorization.server";
+ public static final String REMOTE_OPENID_DISCOVERY_URL = "remote.openid.connect.discovery.url";
+ public static final String REMOTE_IDP_SERVICE_URL = "remote.idp.service.url";
 public static final String IS_TLS_ENABLED = "TLS.enabled";
 public static final String TLS_SERVER_PORT = "TLS.api.server.port";
 public static final String KEYSTORE_PATH = "keystore.path";
http://git-wip-us.apache.org/repos/asf/airavata/blob/4ec28232/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
index 49fdc54..559d44d 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
@@ -329,6 +329,15 @@ public class ServerSettings extends ApplicationSettings {
 return getSetting(Constants.REMOTE_OAUTH_SERVER_URL);
 }
 
+ public static String getRemoteOpenIdDiscoveryUrl() throws ApplicationSettingsException {
+ return getSetting(Constants.REMOTE_OPENID_DISCOVERY_URL);
+ }
+
+ public static String getRemoteIDPServiceUrl() throws ApplicationSettingsException {
+ return getSetting(Constants.REMOTE_IDP_SERVICE_URL);
+ }
+
+
 public static String getAuthorizationPoliyName() throws ApplicationSettingsException {
 return getSetting(Constants.AUTHORIZATION_POLICY_NAME);
 }
http://git-wip-us.apache.org/repos/asf/airavata/blob/4ec28232/modules/configuration/server/src/main/resources/airavata-server.properties
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties
index fd1449f..5450fc4 100644
--- a/modules/configuration/server/src/main/resources/airavata-server.properties
+++ b/modules/configuration/server/src/main/resources/airavata-server.properties
@@ -325,6 +325,11 @@ authz.cache.enabled=true
 authz.cache.manager.class=org.apache.airavata.api.server.security.authzcache.DefaultAuthzCacheManager
 in.memory.cache.size=1000
+#### remote idp service url for KeyCloak based setup####
+remote.idp.service.url=https://iam.scigap.org/auth
+#### remote openid connect discovery url for KeyCloak based setup ####
+remote.openid.connect.discovery.url=https://iam.scigap.org/auth/realms/airavata/.well-known/openid-configuration
+
 # Kafka Logging related configuration
 isRunningOnAws=false
 kafka.broker.list=localhost:9092
http://git-wip-us.apache.org/repos/asf/airavata/blob/4ec28232/modules/configuration/server/src/main/resources/client_truststore.jks
----------------------------------------------------------------------
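Review bot: The two new defaults in the properties hunk point every fresh installation at one specific external realm (`iam.scigap.org`), so an operator who forgets to override them would have tokens validated against, and admin tokens requested from, an identity provider that is not theirs. Shipping the keys with an empty value and a comment such as `# base URL of your own KeyCloak instance, e.g. https://<idp-host>/auth` would make the missing setting surface as a configuration error on the first secured call rather than silently trusting a foreign realm. The two heading comments are also written inconsistently (`setup####` versus `setup ####`).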
diff --git a/modules/configuration/server/src/main/resources/client_truststore.jks b/modules/configuration/server/src/main/resources/client_truststore.jks index 21e4e62..f9805a3 100644 Binary files a/modules/configuration/server/src/main/resources/client_truststore.jks and b/modules/configuration/server/src/main/resources/client_truststore.jks differ