diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..ea631cb
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,114 @@
+#!/usr/bin/env groovy
+
+@Library('sd')_
+def kubeLabel = getKubeLabel()
+
+pipeline {
+
+ agent {
+ kubernetes {
+ label "${kubeLabel}"
+ cloud 'Kube mwdevel'
+ defaultContainer 'runner'
+ inheritFrom 'ci-template'
+ }
+ }
+
+ options {
+ timeout(time: 1, unit: 'HOURS')
+ buildDiscarder(logRotator(numToKeepStr: '5'))
+ }
+
+ stages {
+ stage('build') {
+ steps {
+ sh 'mvn -U -B clean compile'
+ }
+ }
+
+ stage('test') {
+ steps {
+ sh 'mvn -U -B clean test'
+ }
+
+ post {
+ always {
+ junit '**/target/surefire-reports/TEST-*.xml'
+ jacoco()
+ }
+ }
+ }
+
+ stage('PR analysis') {
+ when {
+ not {
+ environment name: 'CHANGE_URL', value: ''
+ }
+ }
+ steps {
+ script {
+ def tokens = "${env.CHANGE_URL}".tokenize('/')
+ def organization = tokens[tokens.size()-4]
+ def repo = tokens[tokens.size()-3]
+
+ withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) {
+ withSonarQubeEnv{
+ sh """
+ mvn -B -U clean compile sonar:sonar \\
+ -Dsonar.analysis.mode=preview \\
+ -Dsonar.github.pullRequest=${env.CHANGE_ID} \\
+ -Dsonar.github.repository=${organization}/${repo} \\
+ -Dsonar.github.oauth=${GITHUB_ACCESS_TOKEN} \\
+ -Dsonar.host.url=${SONAR_HOST_URL} \\
+ -Dsonar.login=${SONAR_AUTH_TOKEN}
+ """
+ }
+ }
+ }
+ }
+ }
+
+ stage('analysis') {
+ when{
+ anyOf { branch 'master'; branch 'develop' }
+ environment name: 'CHANGE_URL', value: ''
+ }
+ steps {
+ script{
+ def opts = '-Dmaven.test.failure.ignore -DfailIfNoTests=false'
+ def checkstyle_opts = 'checkstyle:check -Dcheckstyle.config.location=google_checks.xml'
+
+ withSonarQubeEnv{
+ sh "mvn clean compile -U ${opts} ${checkstyle_opts} ${SONAR_MAVEN_GOAL} -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.login=${SONAR_AUTH_TOKEN}"
+ }
+ }
+ }
+ }
+
+ stage('deploy') {
+ steps {
+ sh 'mvn -B -U clean deploy'
+ }
+ }
+
+ stage('result') {
+ steps {
+ script { currentBuild.result = 'SUCCESS' }
+ }
+ }
+ }
+
+ post {
+ failure {
+ slackSend color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)"
+ }
+
+ changed {
+ script {
+ if ('SUCCESS'.equals(currentBuild.result)) {
+ slackSend color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Back to normal (<${env.BUILD_URL}|Open>)"
+ }
+ }
+ }
+ }
+}
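Review bot: The `sh """…"""` at L62–L70 interpolates `${GITHUB_ACCESS_TOKEN}` and `${SONAR_AUTH_TOKEN}` with Groovy, so the secret values are substituted into the script text before it is written to the workspace and handed to the shell, rather than being expanded by the shell from the environment at run time; Jenkins' own guidance is to keep credential-bound variables out of Groovy string interpolation and reference them as `$VAR` inside a single-quoted script. The same pattern appears in the `analysis` stage at L88 (`${SONAR_AUTH_TOKEN}` in a double-quoted `sh` string). The only non-secret values that need Groovy interpolation here are `organization` and `repo`, which can be passed through `withEnv` (the `PR_ORGANIZATION`/`PR_REPO` names below are mine), while `CHANGE_ID`, `SONAR_HOST_URL` and `SONAR_AUTH_TOKEN` are already available as environment variables inside `withSonarQubeEnv`. Separately, the `deploy` stage at L94–L98 has no `when` condition, so it appears to run on pull-request builds as well as on `master`/`develop`; if that is not intended, guard it the same way the `analysis` stage is guarded.
```groovy
withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) {
    withSonarQubeEnv {
        withEnv(["PR_ORGANIZATION=${organization}", "PR_REPO=${repo}"]) {
            sh '''
                mvn -B -U clean compile sonar:sonar \\
                    -Dsonar.analysis.mode=preview \\
                    -Dsonar.github.pullRequest=$CHANGE_ID \\
                    -Dsonar.github.repository=$PR_ORGANIZATION/$PR_REPO \\
                    -Dsonar.github.oauth=$GITHUB_ACCESS_TOKEN \\
                    -Dsonar.host.url=$SONAR_HOST_URL \\
                    -Dsonar.login=$SONAR_AUTH_TOKEN
            '''
        }
    }
}
```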
diff --git a/pom.xml b/pom.xml
index efdd998..202fd24 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,13 +22,12 @@ limitations under the License.
org.glite.authz
argus-parent
- 1.7.0
+ 1.7.2-SNAPSHOT
Argus PEP client Java library
- org.glite.authz
pep-java
- 2.3.0
+ 2.4.0-SNAPSHOT
jar
Argus PEP client API for the Argus Authorization Service
diff --git a/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java b/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java
new file mode 100644
index 0000000..dc51a4b
--- /dev/null
+++ b/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) Members of the EGEE Collaboration. 2006-2010. See http://www.eu-egee.org/partners/
+ * for details on the copyright holders.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ * $Id$
+ */
+package org.glite.authz.common.profile;
+
+public class OidcProfileConstants {
+
+ protected static final char SEPARATOR = '/';
+
+ protected static final String NS_PREFIX = "http://glite.org/xacml";
+
+ public static final String NS_ATTRIBUTE = NS_PREFIX + SEPARATOR + "attribute";
+
+ public static final String NS_ACTION = NS_PREFIX + SEPARATOR + "action";
+
+ public static final String NS_PROFILE = NS_PREFIX + SEPARATOR + "profile";
+
+ public static final String NS_OBLIGATION = NS_PREFIX + SEPARATOR + "obligation";
+
+ public static final String ID_ATTRIBUTE_PROFILE_ID = NS_ATTRIBUTE + SEPARATOR + "profile-id";
+
+ public static final String ID_ATTRIBUTE_OIDC_ACCESS_TOKEN =
+ NS_ATTRIBUTE + SEPARATOR + "oidc-access-token";
+
+ public static final String ID_ATTRIBUTE_OIDC_ORGANISATION =
+ NS_ATTRIBUTE + SEPARATOR + "oidc-organisation";
+
+ public static final String ID_ATTRIBUTE_OIDC_ISSUER = NS_ATTRIBUTE + SEPARATOR + "oidc-issuer";
+
+ public static final String ID_ATTRIBUTE_OIDC_SUBJECT = NS_ATTRIBUTE + SEPARATOR + "oidc-subject";
+
+ public static final String ID_ATTRIBUTE_OIDC_GROUP = NS_ATTRIBUTE + SEPARATOR + "oidc-group";
+
+ public static final String ID_ATTRIBUTE_OIDC_SCOPE = NS_ATTRIBUTE + SEPARATOR + "oidc-scope";
+
+ public static final String ID_ATTRIBUTE_OIDC_USER_NAME =
+ NS_ATTRIBUTE + SEPARATOR + "oidc-user-name";
+
+ public static final String ID_ATTRIBUTE_OIDC_USER_ID = NS_ATTRIBUTE + SEPARATOR + "oidc-user-id";
+
+ public static final String ID_ATTRIBUTE_OIDC_CLIENTID =
+ NS_ATTRIBUTE + SEPARATOR + "oidc-client-id";
+
+ public static final String ID_ATTRIBUTE_SUBJECT_ID =
+ "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
+
+ public static final String ID_ATTRIBUTE_RESOURCE_ID =
+ "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
+
+ public static final String ID_ATTRIBUTE_ACTION_ID =
+ "urn:oasis:names:tc:xacml:1.0:action:action-id";
+
+ /** The datatype #anyURI: {@value} */
+ public static final String DATATYPE_ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI";
+
+ /** The datatype #string: {@value} */
+ public static final String DATATYPE_STRING = "http://www.w3.org/2001/XMLSchema#string";
+
+ /** Common XACML Authorization Profile version: {@value} */
+ public static final String OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION = "1.0";
+
+ /** Common XACML Authorization Profile identifier: {@value} */
+ public static final String OIDC_XACML_AUTHZ_V1_0_PROFILE_ID =
+ NS_PROFILE + SEPARATOR + "oidc-authz" + SEPARATOR + OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION;
+
+}
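Review bot: The Javadoc on `OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION` (L214) and `OIDC_XACML_AUTHZ_V1_0_PROFILE_ID` (L217) still reads "Common XACML Authorization Profile", which looks copied from the common-profile constants and does not match the `oidc-authz` identifier built at L219; change them to `/** OIDC XACML Authorization Profile version: {@value} */` and `/** OIDC XACML Authorization Profile identifier: {@value} */`. The class itself has no Javadoc, and the `ID_ATTRIBUTE_OIDC_*` constants are undocumented, so a reader cannot tell which of them the PEP client is expected to send versus which the PDP may return; a one-line class summary naming the profile and a `{@value}` Javadoc per attribute identifier would settle that. The class is a constants holder with no private constructor, so it can be instantiated; if the `protected` fields are not meant to support subclassing, `private OidcProfileConstants() {}` plus `final` on the class is the usual form, otherwise document the intended extension point.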
diff --git a/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java b/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java
new file mode 100644
index 0000000..66cb418
--- /dev/null
+++ b/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) Members of the EGEE Collaboration. 2006-2010. See http://www.eu-egee.org/partners/
+ * for details on the copyright holders.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ * $Id$
+ */
+
+package org.glite.authz.pep.profile;
+
+import org.glite.authz.common.model.Action;
+import org.glite.authz.common.model.Attribute;
+import org.glite.authz.common.model.Environment;
+import org.glite.authz.common.model.Request;
+import org.glite.authz.common.model.Resource;
+import org.glite.authz.common.model.Subject;
+import org.glite.authz.common.profile.OidcProfileConstants;
+
+public class OidcAuthorizationProfile extends AbstractAuthorizationProfile
+ implements AuthorizationProfile {
+
+ private static OidcAuthorizationProfile singleton = null;
+
+ public OidcAuthorizationProfile() {
+ super(OidcProfileConstants.OIDC_XACML_AUTHZ_V1_0_PROFILE_ID);
+ }
+
+ public static synchronized OidcAuthorizationProfile getInstance() {
+ if (singleton == null) {
+ singleton = new OidcAuthorizationProfile();
+ }
+ return singleton;
+ }
+
+ public Request createRequest(String accessToken, String resourceId, String actionId) {
+ Request request = new Request();
+ request.setEnvironment(createEnvironment());
+
+ Subject subj = new Subject();
+ subj.getAttributes().add(createOidcAccessTokenAttribute(accessToken));
+ request.getSubjects().add(subj);
+
+ Resource resource = new Resource();
+ resource.getAttributes()
+ .add(createAttribute(OidcProfileConstants.ID_ATTRIBUTE_RESOURCE_ID, resourceId));
+ request.getResources().add(resource);
+
+ Action action = new Action();
+ action.getAttributes()
+ .add(createAttribute(OidcProfileConstants.ID_ATTRIBUTE_ACTION_ID, actionId));
+ request.setAction(action);
+
+ return request;
+ }
+
+ protected Environment createEnvironment() {
+ Environment env = new Environment();
+ env.getAttributes().add(createOidcProfileAttribute());
+ return env;
+ }
+
+ protected Attribute createOidcAccessTokenAttribute(String accessToken) {
+ return createAttribute(OidcProfileConstants.ID_ATTRIBUTE_OIDC_ACCESS_TOKEN, accessToken);
+ }
+
+ protected Attribute createOidcProfileAttribute() {
+ return createAttribute(OidcProfileConstants.ID_ATTRIBUTE_PROFILE_ID, getProfileId());
+ }
+
+ @Override
+ protected String getSubjectKeyInfoAttributeDatatype() {
+ return null;
+ }
+
+ @Override
+ protected String getProfileIdAttributeIdentifer() {
+ return OidcProfileConstants.ID_ATTRIBUTE_PROFILE_ID;
+ }
+
+ @Override
+ protected String getMapUserToPOSIXEnvironmentObligationIdentifier() {
+ return null;
+ }
+
+ @Override
+ protected String getUserIdAttributeAssignmentIdentifier() {
+ return null;
+ }
+
+ @Override
+ protected String getGroupIdAttributeAssignmentIdentifier() {
+ return null;
+ }
+
+ @Override
+ protected String getPrimaryGroupIdAttributeAssignmentIdentifier() {
+ return null;
+ }
+
+ private Attribute createAttribute(String id, String value) {
+ Attribute attr = new Attribute(id);
+ attr.getValues().add(value);
+ return attr;
+ }
+
+}
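Review bot: `createRequest` (L271–L290) accepts `accessToken`, `resourceId` and `actionId` without validation, so a null access token is silently added as an attribute value and only surfaces, if at all, when the request is serialized or evaluated; add `Objects.requireNonNull(accessToken, "accessToken");` and the same for `resourceId` and `actionId` at the top of the method (this needs a `java.util.Objects` import). The access token placed into the subject attribute at L276 is a bearer credential, so a Javadoc on `createRequest` should state that the returned `Request` carries it and must not be logged or persisted as-is. The six `@Override` methods that return `null` (L306–L334) have no comment explaining that this profile defines no subject key-info datatype and no POSIX-mapping obligation; a short comment on each such as `// not defined by the OIDC profile` would prevent them from being read as unfinished stubs, and if `AbstractAuthorizationProfile` dereferences these values (not visible here) that should be confirmed. The class exposes both a public constructor and a synchronized `getInstance()` singleton; if callers are meant to use the singleton, the constructor should be `protected` or documented as such.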