From 2968ccd3a015595bf8dc1f4468a5e5af9b58d3bd Mon Sep 17 00:00:00 2001
From: Marco Caberletti
Date: Wed, 13 Dec 2017 16:29:37 +0100
Subject: [PATCH 1/3] Add OIDC profile
---
Jenkinsfile | 116 ++++++++++++++++++
pom.xml | 5 +-
.../common/profile/OidcProfileConstants.java | 79 ++++++++++++
.../pep/profile/OidcAuthorizationProfile.java | 115 +++++++++++++++++
src/main/resources/log4j.properties | 11 ++
5 files changed, 323 insertions(+), 3 deletions(-)
create mode 100644 Jenkinsfile
create mode 100644 src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java
create mode 100644 src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java
create mode 100644 src/main/resources/log4j.properties
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..a1e5f67
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,116 @@ +#!/usr/bin/env groovy + +pipeline { + + agent { label 'maven' } + + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '5')) + } + + stages { + stage('build') { + steps { + container('maven-runner'){ + sh 'mvn -U -B clean compile' + } + } + } + + stage('test') { + steps { + container('maven-runner'){ + sh 'mvn -U -B clean test' + } + } + + post { + always { + container('maven-runner'){ + junit '**/target/surefire-reports/TEST-*.xml' + jacoco() + } + } + } + } + + stage('PR analysis'){ + when{ + not { + environment name: 'CHANGE_URL', value: '' + } + } + steps { + container('maven-runner'){ + script{ + def tokens = "${env.CHANGE_URL}".tokenize('/') + def organization = tokens[tokens.size()-4] + def repo = tokens[tokens.size()-3] + + withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) { + withSonarQubeEnv{ + sh """ + mvn -B -U clean compile sonar:sonar \\ + -Dsonar.analysis.mode=preview \\ + -Dsonar.github.pullRequest=${env.CHANGE_ID} \\ + -Dsonar.github.repository=${organization}/${repo} \\ + -Dsonar.github.oauth=${GITHUB_ACCESS_TOKEN} \\ + -Dsonar.host.url=${SONAR_HOST_URL} \\ + -Dsonar.login=${SONAR_AUTH_TOKEN} + """ + } + } + } + } + } + } + + stage('analysis'){ + when{ + anyOf { branch 'master'; branch 'develop' } + environment name: 'CHANGE_URL', value: '' + } + steps { + container('maven-runner'){ + script{ + def opts = '-Dmaven.test.failure.ignore -DfailIfNoTests=false' + def checkstyle_opts = 'checkstyle:check -Dcheckstyle.config.location=google_checks.xml' + + withSonarQubeEnv{ + sh "mvn clean compile -U ${opts} ${checkstyle_opts} ${SONAR_MAVEN_GOAL} -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.login=${SONAR_AUTH_TOKEN}" + } + } + } + } + } + + stage('deploy'){ + steps{ + container('maven-runner'){ + sh 'mvn -B -U clean deploy' + } + } + } + + stage('result'){ + steps { + script { currentBuild.result = 'SUCCESS' } + } + } + } + + post { + 
failure { + slackSend color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)" + } + + changed { + script{ + if('SUCCESS'.equals(currentBuild.result)) { + slackSend color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Back to normal (<${env.BUILD_URL}|Open>)" + } + } + } + } +} diff --git a/pom.xml b/pom.xml index efdd998..202fd24 100644 --- a/pom.xml +++ b/pom.xml @@ -22,13 +22,12 @@ limitations under the License. org.glite.authz argus-parent - 1.7.0 + 1.7.2-SNAPSHOT Argus PEP client Java library - org.glite.authz pep-java - 2.3.0 + 2.4.0-SNAPSHOT jar Argus PEP client API for the Argus Authorization Service diff --git a/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java b/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java new file mode 100644 index 0000000..dc51a4b --- /dev/null +++ b/src/main/java/org/glite/authz/common/profile/OidcProfileConstants.java 
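Review bot: In the 'PR analysis' stage the `sh """ ... """` block interpolates `${GITHUB_ACCESS_TOKEN}` and `${SONAR_AUTH_TOKEN}` with Groovy before the shell ever runs, so the secret values become part of the command text (echoed with the command by the sh step, and interpreted by the shell if a token ever contains metacharacters); the `sh "mvn clean compile -U ... -Dsonar.login=${SONAR_AUTH_TOKEN}"` line in the 'analysis' stage has the same shape, as do both lines where patch 3 re-indents them. A single-quoted script lets the shell read the credentials from its environment instead, and the two non-secret Groovy values can be handed over with `withEnv`. Separately, the 'deploy' stage has no `when` guard, so if this job also runs for pull requests, as the 'PR analysis' stage suggests, `mvn -B -U clean deploy` publishes artifacts built from unreviewed PR code; a `when { anyOf { branch 'master'; branch 'develop' } }` like the one on 'analysis' would restrict it to the trusted branches.
```groovy
// … unchanged: stage('PR analysis') when/steps/container/script, tokens/organization/repo …
withEnv(["PR_ID=${env.CHANGE_ID}", "PR_REPO=${organization}/${repo}"]) {
  withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) {
    withSonarQubeEnv {
      // single-quoted: the shell reads the variables from its environment, Groovy never expands them
      sh '''
        mvn -B -U clean compile sonar:sonar \\
          -Dsonar.analysis.mode=preview \\
          -Dsonar.github.pullRequest="$PR_ID" \\
          -Dsonar.github.repository="$PR_REPO" \\
          -Dsonar.github.oauth="$GITHUB_ACCESS_TOKEN" \\
          -Dsonar.host.url="$SONAR_HOST_URL" \\
          -Dsonar.login="$SONAR_AUTH_TOKEN"
      '''
    }
  }
}
// … unchanged: stage('analysis') — its sh line takes the same single-quoted form …
```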
@@ -0,0 +1,79 @@ +/* + * Copyright (c) Members of the EGEE Collaboration. 2006-2010. See http://www.eu-egee.org/partners/ + * for details on the copyright holders. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + * + * $Id$ + */ +package org.glite.authz.common.profile; + +public class OidcProfileConstants { + + protected static final char SEPARATOR = '/'; + + protected static final String NS_PREFIX = "http://glite.org/xacml"; + + public static final String NS_ATTRIBUTE = NS_PREFIX + SEPARATOR + "attribute"; + + public static final String NS_ACTION = NS_PREFIX + SEPARATOR + "action"; + + public static final String NS_PROFILE = NS_PREFIX + SEPARATOR + "profile"; + + public static final String NS_OBLIGATION = NS_PREFIX + SEPARATOR + "obligation"; + + public static final String ID_ATTRIBUTE_PROFILE_ID = NS_ATTRIBUTE + SEPARATOR + "profile-id"; + + public static final String ID_ATTRIBUTE_OIDC_ACCESS_TOKEN = + NS_ATTRIBUTE + SEPARATOR + "oidc-access-token"; + + public static final String ID_ATTRIBUTE_OIDC_ORGANISATION = + NS_ATTRIBUTE + SEPARATOR + "oidc-organisation"; + + public static final String ID_ATTRIBUTE_OIDC_ISSUER = NS_ATTRIBUTE + SEPARATOR + "oidc-issuer"; + + public static final String ID_ATTRIBUTE_OIDC_SUBJECT = NS_ATTRIBUTE + SEPARATOR + "oidc-subject"; + + public static final String ID_ATTRIBUTE_OIDC_GROUP = NS_ATTRIBUTE + SEPARATOR + "oidc-group"; + + public static final String ID_ATTRIBUTE_OIDC_SCOPE = NS_ATTRIBUTE + SEPARATOR + "oidc-scope"; + + public 
static final String ID_ATTRIBUTE_OIDC_USER_NAME = + NS_ATTRIBUTE + SEPARATOR + "oidc-user-name"; + + public static final String ID_ATTRIBUTE_OIDC_USER_ID = NS_ATTRIBUTE + SEPARATOR + "oidc-user-id"; + + public static final String ID_ATTRIBUTE_OIDC_CLIENTID = + NS_ATTRIBUTE + SEPARATOR + "oidc-client-id"; + + public static final String ID_ATTRIBUTE_SUBJECT_ID = + "urn:oasis:names:tc:xacml:1.0:subject:subject-id"; + + public static final String ID_ATTRIBUTE_RESOURCE_ID = + "urn:oasis:names:tc:xacml:1.0:resource:resource-id"; + + public static final String ID_ATTRIBUTE_ACTION_ID = + "urn:oasis:names:tc:xacml:1.0:action:action-id"; + + /** The datatype #anyURI: {@value} */ + public static final String DATATYPE_ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"; + + /** The datatype #string: {@value} */ + public static final String DATATYPE_STRING = "http://www.w3.org/2001/XMLSchema#string"; + + /** Common XACML Authorization Profile version: {@value} */ + public static final String OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION = "1.0"; + + /** Common XACML Authorization Profile identifier: {@value} */ + public static final String OIDC_XACML_AUTHZ_V1_0_PROFILE_ID = + NS_PROFILE + SEPARATOR + "oidc-authz" + SEPARATOR + OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION; + +} diff --git a/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java b/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java new file mode 100644 index 0000000..66cb418 --- /dev/null +++ b/src/main/java/org/glite/authz/pep/profile/OidcAuthorizationProfile.java 
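Review bot: `OidcProfileConstants` is a pure constants holder but is left non-final with the implicit public constructor, and `SEPARATOR` and `NS_PREFIX` are `protected`, which invites subclassing a class that has no instance behaviour; `public final class OidcProfileConstants {` together with `private OidcProfileConstants() {}` closes that off. The Javadoc on `OIDC_XACML_AUTHZ_V1_0_PROFILE_VERSION` and `OIDC_XACML_AUTHZ_V1_0_PROFILE_ID` says "Common XACML Authorization Profile", which looks copied from the common profile's constants; `/** OIDC XACML Authorization Profile identifier: {@value} */` (and "version" for the other) would describe what these constants actually hold. Most of the remaining identifiers carry no Javadoc at all, and `ID_ATTRIBUTE_OIDC_CLIENTID` breaks the `_USER_ID`/`_PROFILE_ID` naming pattern used right next to it; since the file is new in this commit, `ID_ATTRIBUTE_OIDC_CLIENT_ID` can still be adopted without breaking anyone.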
@@ -0,0 +1,115 @@ +/* + * Copyright (c) Members of the EGEE Collaboration. 2006-2010. See http://www.eu-egee.org/partners/ + * for details on the copyright holders. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + * + * $Id$ + */ + +package org.glite.authz.pep.profile; + +import org.glite.authz.common.model.Action; +import org.glite.authz.common.model.Attribute; +import org.glite.authz.common.model.Environment; +import org.glite.authz.common.model.Request; +import org.glite.authz.common.model.Resource; +import org.glite.authz.common.model.Subject; +import org.glite.authz.common.profile.OidcProfileConstants; + +public class OidcAuthorizationProfile extends AbstractAuthorizationProfile + implements AuthorizationProfile { + + private static OidcAuthorizationProfile singleton = null; + + public OidcAuthorizationProfile() { + super(OidcProfileConstants.OIDC_XACML_AUTHZ_V1_0_PROFILE_ID); + } + + public static synchronized OidcAuthorizationProfile getInstance() { + if (singleton == null) { + singleton = new OidcAuthorizationProfile(); + } + return singleton; + } + + public Request createRequest(String accessToken, String resourceId, String actionId) { + Request request = new Request(); + request.setEnvironment(createEnvironment()); + + Subject subj = new Subject(); + subj.getAttributes().add(createOidcAccessTokenAttribute(accessToken)); + request.getSubjects().add(subj); + + Resource resource = new Resource(); + resource.getAttributes() + 
.add(createAttribute(OidcProfileConstants.ID_ATTRIBUTE_RESOURCE_ID, resourceId)); + request.getResources().add(resource); + + Action action = new Action(); + action.getAttributes() + .add(createAttribute(OidcProfileConstants.ID_ATTRIBUTE_ACTION_ID, actionId)); + request.setAction(action); + + return request; + } + + protected Environment createEnvironment() { + Environment env = new Environment(); + env.getAttributes().add(createOidcProfileAttribute()); + return env; + } + + protected Attribute createOidcAccessTokenAttribute(String accessToken) { + return createAttribute(OidcProfileConstants.ID_ATTRIBUTE_OIDC_ACCESS_TOKEN, accessToken); + } + + protected Attribute createOidcProfileAttribute() { + return createAttribute(OidcProfileConstants.ID_ATTRIBUTE_PROFILE_ID, getProfileId()); + } + + @Override + protected String getSubjectKeyInfoAttributeDatatype() { + return null; + } + + @Override + protected String getProfileIdAttributeIdentifer() { + return OidcProfileConstants.ID_ATTRIBUTE_PROFILE_ID; + } + + @Override + protected String getMapUserToPOSIXEnvironmentObligationIdentifier() { + return null; + } + + @Override + protected String getUserIdAttributeAssignmentIdentifier() { + return null; + } + + @Override + protected String getGroupIdAttributeAssignmentIdentifier() { + return null; + } + + @Override + protected String getPrimaryGroupIdAttributeAssignmentIdentifier() { + return null; + } + + private Attribute createAttribute(String id, String value) { + Attribute attr = new Attribute(id); + attr.getValues().add(value); + return attr; + } + +} diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties new file mode 100644 index 0000000..0fa23c4 --- /dev/null +++ b/src/main/resources/log4j.properties 
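Review bot: `createRequest` passes `accessToken`, `resourceId` and `actionId` straight into `createAttribute`, so a null argument silently yields an attribute with a null value instead of failing where the mistake is made; `Objects.requireNonNull(accessToken, "accessToken")` (and likewise for the other two) at the top of the method makes the contract explicit. `createAttribute` also never sets a data type on the `Attribute` it builds, even though the constants file added in this commit defines `DATATYPE_STRING`; if the model's `Attribute(String)` constructor leaves the data type unset, the request goes out without one, which is worth confirming against the PDP and, if needed, fixing by setting `OidcProfileConstants.DATATYPE_STRING` through the model's data-type setter. Neither the class nor `createRequest` has Javadoc; a summary stating that the returned `Request` carries the caller's access token verbatim as a subject attribute value, i.e. a bearer credential that must not end up in logs, would help API users handle it correctly. Finally, `getInstance()` lazily caches an instance while the constructor stays public, so the singleton is advisory only; either document that or narrow the constructor.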
@@ -0,0 +1,11 @@
+# Root logger option
+log4j.rootLogger=INFO, file
+
+# Direct log messages to a log file
+log4j.appender.file=org.apache.log4j.RollingFileAppender
+
+log4j.appender.file.File=/tmp/argus-pep-api-java.log
+log4j.appender.file.MaxFileSize=10MB
+log4j.appender.file.MaxBackupIndex=10
+log4j.appender.file.layout=org.apache.log4j.PatternLayout
+log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
\ No newline at end of file
From 4b8f8278e757183bcceb65a807f400d5512e4bff Mon Sep 17 00:00:00 2001
From: Marco Caberletti
Date: Tue, 16 Jan 2018 15:59:48 +0100
Subject: [PATCH 2/3] Removed properties file
---
src/main/resources/log4j.properties | 11 -----------
1 file changed, 11 deletions(-)
delete mode 100644 src/main/resources/log4j.properties
diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties
deleted file mode 100644
index 0fa23c4..0000000
--- a/src/main/resources/log4j.properties
+++ /dev/null
@@ -1,11 +0,0 @@
-# Root logger option
-log4j.rootLogger=INFO, file
-
-# Direct log messages to a log file
-log4j.appender.file=org.apache.log4j.RollingFileAppender
-
-log4j.appender.file.File=/tmp/argus-pep-api-java.log
-log4j.appender.file.MaxFileSize=10MB
-log4j.appender.file.MaxBackupIndex=10
-log4j.appender.file.layout=org.apache.log4j.PatternLayout
-log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
\ No newline at end of file
From cbcebe71ae090e55717c3234f0391e808be95b6f Mon Sep 17 00:00:00 2001
From: enricovianello
Date: Thu, 27 Jun 2019 16:54:03 +0200
Subject: [PATCH 3/3] Adapt Jenkinsfile to ci changes
---
Jenkinsfile | 94 ++++++++++++++++++++++++++---------------------------
1 file changed, 46 insertions(+), 48 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index a1e5f67..ea631cb 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,9 +1,19 @@ #!/usr/bin/env groovy +@Library('sd')_ +def kubeLabel = getKubeLabel() + pipeline { - - agent { label 'maven' } - + + agent { + kubernetes { + label "${kubeLabel}" + cloud 'Kube mwdevel' + defaultContainer 'runner' + inheritFrom 'ci-template' + } + } + options { timeout(time: 1, unit: 'HOURS') buildDiscarder(logRotator(numToKeepStr: '5')) 
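Review bot: `@Library('sd')_` loads the shared library without a version, so the pipeline silently follows whatever that library's default branch holds at build time, and `getKubeLabel()` plus the `ci-template` pod come from it; pinning it, `@Library('sd@<tag-or-commit>') _` with a real reference in place of the placeholder, makes the build's dependencies reproducible and reviewable, provided the library setup allows explicit versions. On the same hunk, `label "${kubeLabel}"` wraps a plain Groovy variable in a GString; unless `getKubeLabel()` returns something other than a String, `label kubeLabel` expresses the same thing without the interpolation.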
@@ -12,88 +22,76 @@ pipeline { stages { stage('build') { steps { - container('maven-runner'){ - sh 'mvn -U -B clean compile' - } + sh 'mvn -U -B clean compile' } } stage('test') { steps { - container('maven-runner'){ - sh 'mvn -U -B clean test' - } + sh 'mvn -U -B clean test' } post { always { - container('maven-runner'){ - junit '**/target/surefire-reports/TEST-*.xml' - jacoco() - } + junit '**/target/surefire-reports/TEST-*.xml' + jacoco() } } } - stage('PR analysis'){ - when{ + stage('PR analysis') { + when { not { environment name: 'CHANGE_URL', value: '' } } steps { - container('maven-runner'){ - script{ - def tokens = "${env.CHANGE_URL}".tokenize('/') - def organization = tokens[tokens.size()-4] - def repo = tokens[tokens.size()-3] + script { + def tokens = "${env.CHANGE_URL}".tokenize('/') + def organization = tokens[tokens.size()-4] + def repo = tokens[tokens.size()-3] - withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) { - withSonarQubeEnv{ - sh """ - mvn -B -U clean compile sonar:sonar \\ - -Dsonar.analysis.mode=preview \\ - -Dsonar.github.pullRequest=${env.CHANGE_ID} \\ - -Dsonar.github.repository=${organization}/${repo} \\ - -Dsonar.github.oauth=${GITHUB_ACCESS_TOKEN} \\ - -Dsonar.host.url=${SONAR_HOST_URL} \\ - -Dsonar.login=${SONAR_AUTH_TOKEN} - """ - } + withCredentials([string(credentialsId: '630f8e6c-0d31-4f96-8d82-a1ef536ef059', variable: 'GITHUB_ACCESS_TOKEN')]) { + withSonarQubeEnv{ + sh """ + mvn -B -U clean compile sonar:sonar \\ + -Dsonar.analysis.mode=preview \\ + -Dsonar.github.pullRequest=${env.CHANGE_ID} \\ + -Dsonar.github.repository=${organization}/${repo} \\ + -Dsonar.github.oauth=${GITHUB_ACCESS_TOKEN} \\ + -Dsonar.host.url=${SONAR_HOST_URL} \\ + -Dsonar.login=${SONAR_AUTH_TOKEN} + """ } } } } } - stage('analysis'){ + stage('analysis') { when{ anyOf { branch 'master'; branch 'develop' } environment name: 'CHANGE_URL', value: '' } steps { - container('maven-runner'){ - 
script{ - def opts = '-Dmaven.test.failure.ignore -DfailIfNoTests=false' - def checkstyle_opts = 'checkstyle:check -Dcheckstyle.config.location=google_checks.xml' + script{ + def opts = '-Dmaven.test.failure.ignore -DfailIfNoTests=false' + def checkstyle_opts = 'checkstyle:check -Dcheckstyle.config.location=google_checks.xml' - withSonarQubeEnv{ - sh "mvn clean compile -U ${opts} ${checkstyle_opts} ${SONAR_MAVEN_GOAL} -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.login=${SONAR_AUTH_TOKEN}" - } + withSonarQubeEnv{ + sh "mvn clean compile -U ${opts} ${checkstyle_opts} ${SONAR_MAVEN_GOAL} -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.login=${SONAR_AUTH_TOKEN}" } } } } - stage('deploy'){ - steps{ - container('maven-runner'){ - sh 'mvn -B -U clean deploy' - } + stage('deploy') { + steps { + sh 'mvn -B -U clean deploy' } } - stage('result'){ + stage('result') { steps { script { currentBuild.result = 'SUCCESS' } } @@ -106,8 +104,8 @@ pipeline { } changed { - script{ - if('SUCCESS'.equals(currentBuild.result)) { + script { + if ('SUCCESS'.equals(currentBuild.result)) { slackSend color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Back to normal (<${env.BUILD_URL}|Open>)" } }