QRunIO/qqq
2
0
Fork 0
mirror of https://github.com/Kingsrook/qqq.git synced 2025-07-17 20:50:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add table-based authentication module; update javalin to support Authentication: Basic header; Move authentication classes

Browse Source
This commit is contained in:
darin.kelkhoff
2022-12-28 16:52:04 -06:00
parent 428f48602b
commit 7fae3e2329
28 changed files with 1872 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
qqq-middleware-javalin/src/main/java/com/kingsrook/qqq/backend/javalin/QJavalinImplementation.java
View File

@ -88,7 +88,6 @@ import com.kingsrook.qqq.backend.core.model.metadata.QInstance;
import com.kingsrook.qqq.backend.core.model.metadata.fields.QFieldMetaData;
import com.kingsrook.qqq.backend.core.model.metadata.tables.QTableMetaData;
import com.kingsrook.qqq.backend.core.model.session.QSession;
import com.kingsrook.qqq.backend.core.modules.authentication.Auth0AuthenticationModule;
import com.kingsrook.qqq.backend.core.modules.authentication.QAuthenticationModuleDispatcher;
import com.kingsrook.qqq.backend.core.modules.authentication.QAuthenticationModuleInterface;
import com.kingsrook.qqq.backend.core.utils.CollectionUtils;
@ -122,6 +121,7 @@ public class QJavalinImplementation
private static final int SESSION_COOKIE_AGE = 60 * 60 * 24;
private static final String SESSION_ID_COOKIE_NAME = "sessionId";
private static final String BASIC_AUTH_NAME = "basicAuthString";
static QInstance qInstance;
static QJavalinMetaData javalinMetaData = new QJavalinMetaData();
@ -326,35 +326,55 @@ public class QJavalinImplementation
/*******************************************************************************
**
*******************************************************************************/
static void setupSession(Context context, AbstractActionInput input) throws QModuleDispatchException
static void setupSession(Context context, AbstractActionInput input) throws QModuleDispatchException, QAuthenticationException
{
QAuthenticationModuleDispatcher qAuthenticationModuleDispatcher = new QAuthenticationModuleDispatcher();
QAuthenticationModuleInterface authenticationModule = qAuthenticationModuleDispatcher.getQModule(input.getAuthenticationMetaData());
boolean needToSetSessionIdCookie = false;
try
{
Map<String, String> authenticationContext = new HashMap<>();
/////////////////////////////////////////////////////////////////////////////////
// look for a token in either the sessionId cookie, or an Authorization header //
/////////////////////////////////////////////////////////////////////////////////
String sessionIdCookieValue = context.cookie(SESSION_ID_COOKIE_NAME);
String sessionIdCookieValue = context.cookie(SESSION_ID_COOKIE_NAME);
String authorizationHeaderValue = context.header("Authorization");
if(StringUtils.hasContent(sessionIdCookieValue))
{
////////////////////////////////////////
// first, look for a sessionId cookie //
////////////////////////////////////////
authenticationContext.put(SESSION_ID_COOKIE_NAME, sessionIdCookieValue);
needToSetSessionIdCookie = true;
}
else if(authorizationHeaderValue != null)
{
/////////////////////////////////////////////////////////////////////////////////////////////////
// second, look for the authorization header: //
// either with a "Basic " prefix (for a username:password pair) //
// or with a "Bearer " prefix (for a token that can be handled the same as a sessionId cookie) //
/////////////////////////////////////////////////////////////////////////////////////////////////
String basicPrefix = "Basic ";
String bearerPrefix = "Bearer ";
if(authorizationHeaderValue.startsWith(basicPrefix))
{
authorizationHeaderValue = authorizationHeaderValue.replaceFirst(basicPrefix, "");
authenticationContext.put(BASIC_AUTH_NAME, authorizationHeaderValue);
needToSetSessionIdCookie = true;
}
else if(authorizationHeaderValue.startsWith(bearerPrefix))
{
authorizationHeaderValue = authorizationHeaderValue.replaceFirst(bearerPrefix, "");
authenticationContext.put(SESSION_ID_COOKIE_NAME, authorizationHeaderValue);
}
else
{
LOG.debug("Authorization header value did not have Basic or Bearer prefix. [" + authorizationHeaderValue + "]");
}
}
else
{
String authorizationHeaderValue = context.header("Authorization");
if(authorizationHeaderValue != null)
{
String bearerPrefix = "Bearer ";
if(authorizationHeaderValue.startsWith(bearerPrefix))
{
authorizationHeaderValue = authorizationHeaderValue.replaceFirst(bearerPrefix, "");
}
authenticationContext.put(SESSION_ID_COOKIE_NAME, authorizationHeaderValue);
}
LOG.debug("Neither [" + SESSION_ID_COOKIE_NAME + "] cookie nor [Authorization] header was present in request.");
}
QSession session = authenticationModule.createSession(qInstance, authenticationContext);
@ -363,7 +383,7 @@ public class QJavalinImplementation
/////////////////////////////////////////////////////////////////////////////////
// if we got a session id cookie in, then send it back with updated cookie age //
/////////////////////////////////////////////////////////////////////////////////
if(StringUtils.hasContent(sessionIdCookieValue))
if(needToSetSessionIdCookie)
{
context.cookie(SESSION_ID_COOKIE_NAME, session.getIdReference(), SESSION_COOKIE_AGE);
}
@ -375,10 +395,12 @@ public class QJavalinImplementation
////////////////////////////////////////////////////////////////////////////////
// if exception caught, clear out the cookie so the frontend will reauthorize //
////////////////////////////////////////////////////////////////////////////////
if(authenticationModule instanceof Auth0AuthenticationModule)
if(needToSetSessionIdCookie)
{
context.removeCookie(SESSION_ID_COOKIE_NAME);
}
throw (qae);
}
}

224
qqq-middleware-javalin/src/test/java/com/kingsrook/qqq/backend/javalin/QJavalinImplementationAuthenticationTest.java Normal file
View File

@ -0,0 +1,224 @@
/*
* QQQ - Low-code Application Framework for Engineers.
* Copyright (C) 2021-2022. Kingsrook, LLC
* 651 N Broad St Ste 205 # 6917 | Middletown DE 19709 | United States
* contact@kingsrook.com
* https://github.com/Kingsrook/
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package com.kingsrook.qqq.backend.javalin;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.List;
import java.util.concurrent.TimeUnit;
import com.kingsrook.qqq.backend.core.exceptions.QInstanceValidationException;
import com.kingsrook.qqq.backend.core.model.data.QRecord;
import com.kingsrook.qqq.backend.core.model.metadata.QInstance;
import com.kingsrook.qqq.backend.core.model.metadata.authentication.TableBasedAuthenticationMetaData;
import com.kingsrook.qqq.backend.core.modules.authentication.implementations.TableBasedAuthenticationModule;
import com.kingsrook.qqq.backend.core.utils.JsonUtils;
import com.kingsrook.qqq.backend.core.utils.SleepUtils;
import kong.unirest.Cookie;
import kong.unirest.Cookies;
import kong.unirest.HttpResponse;
import kong.unirest.Unirest;
import org.json.JSONObject;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.fail;
/*******************************************************************************
** Tests of QJavalinImplementation, but specifically, of the authentication
** code - which uses a different qInstance, and hence javalin server instance
** than the other tests in this package - hence its own before/after, etc.
*******************************************************************************/
public class QJavalinImplementationAuthenticationTest extends QJavalinTestBase
{
/*******************************************************************************
**
*******************************************************************************/
@BeforeEach
public void beforeEach() throws QInstanceValidationException
{
Unirest.config().reset().enableCookieManagement(false);
setupTableBasedAuthenticationInstance();
}
/*******************************************************************************
**
*******************************************************************************/
@AfterAll
public static void afterAll()
{
if(qJavalinImplementation != null)
{
qJavalinImplementation.stopJavalinServer();
}
Unirest.config().reset();
}
/*******************************************************************************
**
*******************************************************************************/
@Test
void testAuthentication_noCredentialsProvided()
{
HttpResponse<String> response = Unirest.get(BASE_URL + "/metaData").asString();
assertEquals(401, response.getStatus());
JSONObject jsonObject = JsonUtils.toJSONObject(response.getBody());
assertNotNull(jsonObject);
assertEquals("Session ID was not provided", jsonObject.getString("error"));
}
/*******************************************************************************
**
*******************************************************************************/
@Test
void testAuthentication_basicAuthSuccess()
{
HttpResponse<String> response = Unirest.get(BASE_URL + "/metaData")
.header("Authorization", "Basic " + encodeBasicAuth("juser", "987zyx"))
.asString();
assertEquals(200, response.getStatus());
}
/*******************************************************************************
**
*******************************************************************************/
@Test
void testAuthentication_basicAuthBadCredentials()
{
HttpResponse<String> response = Unirest.get(BASE_URL + "/metaData")
.header("Authorization", "Basic " + encodeBasicAuth("not-juser", "987zyx"))
.asString();
assertEquals(401, response.getStatus());
}
/*******************************************************************************
**
*******************************************************************************/
@Test
void testAuthentication_authorizationNotBasic()
{
HttpResponse<String> response = Unirest.get(BASE_URL + "/metaData")
.header("Authorization", "not-Basic " + encodeBasicAuth("juser", "987zyx"))
.asString();
assertEquals(401, response.getStatus());
}
/*******************************************************************************
**
*******************************************************************************/
@Test
void testAuthentication_basicAuthSuccessThenSessionIdFromCookie()
{
HttpResponse<String> response = Unirest.get(BASE_URL + "/metaData")
.header("Authorization", "Basic " + encodeBasicAuth("juser", "987zyx"))
.asString();
assertEquals(200, response.getStatus());
Cookies cookies = response.getCookies();
String sessionId = cookies.getNamed("sessionId").getValue();
ZonedDateTime originalExpiration = cookies.getNamed("sessionId").getExpiration();
assertNotNull(sessionId);
SleepUtils.sleep(1, TimeUnit.SECONDS);
response = Unirest.get(BASE_URL + "/metaData")
.cookie(new Cookie("sessionId", sessionId))
.asString();
assertEquals(200, response.getStatus());
assertEquals(sessionId, response.getCookies().getNamed("sessionId").getValue());
assertNotEquals(originalExpiration, response.getCookies().getNamed("sessionId").getExpiration());
}
/*******************************************************************************
**
*******************************************************************************/
@Test
void testAuthentication_badSessionIdCookie()
{
HttpResponse<String> response = Unirest.get(BASE_URL + "/metaData")
.cookie(new Cookie("sessionId", "not-a-sessionId"))
.asString();
assertEquals(401, response.getStatus());
JSONObject jsonObject = JsonUtils.toJSONObject(response.getBody());
assertEquals("Session not found.", jsonObject.getString("error"));
}
/*******************************************************************************
**
*******************************************************************************/
static void setupTableBasedAuthenticationInstance() throws QInstanceValidationException
{
QInstance qInstance = TestUtils.defineInstance();
TableBasedAuthenticationMetaData tableBasedAuthenticationMetaData = new TableBasedAuthenticationMetaData();
qInstance.addTable(tableBasedAuthenticationMetaData.defineStandardUserTable(TestUtils.BACKEND_NAME_MEMORY));
qInstance.addTable(tableBasedAuthenticationMetaData.defineStandardSessionTable(TestUtils.BACKEND_NAME_MEMORY));
try
{
TestUtils.insertRecords(qInstance, qInstance.getTable("user"), List.of(new QRecord()
.withValue("username", "juser")
.withValue("fullName", "Johnny User")
.withValue("passwordHash", TableBasedAuthenticationModule.PasswordHasher.createHashedPassword("987zyx"))));
}
catch(Exception e)
{
fail("Error inserting test user.");
}
qInstance.setAuthentication(tableBasedAuthenticationMetaData);
restartServerWithInstance(qInstance);
}
/*******************************************************************************
**
*******************************************************************************/
private String encodeBasicAuth(String username, String password)
{
Base64.Encoder encoder = Base64.getEncoder();
String originalString = username + ":" + password;
return (encoder.encodeToString(originalString.getBytes()));
}
}

33
qqq-middleware-javalin/src/test/java/com/kingsrook/qqq/backend/javalin/QJavalinTestBase.java
View File

@ -23,7 +23,10 @@ package com.kingsrook.qqq.backend.javalin;
import com.kingsrook.qqq.backend.core.exceptions.QInstanceValidationException;
import com.kingsrook.qqq.backend.core.model.metadata.QInstance;
import com.kingsrook.qqq.backend.core.modules.backend.implementations.memory.MemoryRecordStore;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
@ -36,7 +39,19 @@ public class QJavalinTestBase
private static final int PORT = 6262;
protected static final String BASE_URL = "http://localhost:" + PORT;
private static QJavalinImplementation qJavalinImplementation;
protected static QJavalinImplementation qJavalinImplementation;
/*******************************************************************************
**
*******************************************************************************/
@BeforeEach
@AfterEach
void beforeAndAfterEach()
{
MemoryRecordStore.fullReset();
}
@ -76,4 +91,20 @@ public class QJavalinTestBase
TestUtils.primeTestDatabase();
}
/*******************************************************************************
**
*******************************************************************************/
static protected void restartServerWithInstance(QInstance qInstance) throws QInstanceValidationException
{
if(qJavalinImplementation != null)
{
qJavalinImplementation.stopJavalinServer();
}
qJavalinImplementation = new QJavalinImplementation(qInstance);
QJavalinProcessHandler.setAsyncStepTimeoutMillis(250);
qJavalinImplementation.startJavalinServer(PORT);
}
}

24
qqq-middleware-javalin/src/test/java/com/kingsrook/qqq/backend/javalin/TestUtils.java
View File

@ -26,16 +26,20 @@ import java.io.InputStream;
import java.sql.Connection;
import java.util.List;
import com.kingsrook.qqq.backend.core.actions.processes.BackendStep;
import com.kingsrook.qqq.backend.core.actions.tables.InsertAction;
import com.kingsrook.qqq.backend.core.exceptions.QException;
import com.kingsrook.qqq.backend.core.exceptions.QValueException;
import com.kingsrook.qqq.backend.core.model.actions.processes.RunBackendStepInput;
import com.kingsrook.qqq.backend.core.model.actions.processes.RunBackendStepOutput;
import com.kingsrook.qqq.backend.core.model.actions.tables.insert.InsertInput;
import com.kingsrook.qqq.backend.core.model.actions.tables.query.QCriteriaOperator;
import com.kingsrook.qqq.backend.core.model.actions.tables.query.QFilterCriteria;
import com.kingsrook.qqq.backend.core.model.actions.tables.query.QQueryFilter;
import com.kingsrook.qqq.backend.core.model.data.QRecord;
import com.kingsrook.qqq.backend.core.model.metadata.QAuthenticationType;
import com.kingsrook.qqq.backend.core.model.metadata.QBackendMetaData;
import com.kingsrook.qqq.backend.core.model.metadata.QInstance;
import com.kingsrook.qqq.backend.core.model.metadata.authentication.QAuthenticationMetaData;
import com.kingsrook.qqq.backend.core.model.metadata.code.QCodeReference;
import com.kingsrook.qqq.backend.core.model.metadata.code.QCodeType;
import com.kingsrook.qqq.backend.core.model.metadata.code.QCodeUsage;
@ -59,7 +63,7 @@ import com.kingsrook.qqq.backend.core.model.metadata.reporting.ReportType;
import com.kingsrook.qqq.backend.core.model.metadata.tables.AssociatedScript;
import com.kingsrook.qqq.backend.core.model.metadata.tables.QTableMetaData;
import com.kingsrook.qqq.backend.core.model.scripts.ScriptsMetaDataProvider;
import com.kingsrook.qqq.backend.core.modules.authentication.metadata.QAuthenticationMetaData;
import com.kingsrook.qqq.backend.core.model.session.QSession;
import com.kingsrook.qqq.backend.core.processes.implementations.mock.MockBackendStep;
import com.kingsrook.qqq.backend.module.rdbms.jdbc.ConnectionManager;
import com.kingsrook.qqq.backend.module.rdbms.jdbc.QueryManager;
@ -74,6 +78,8 @@ import static org.junit.jupiter.api.Assertions.assertNotNull;
*******************************************************************************/
public class TestUtils
{
public static final String BACKEND_NAME_MEMORY = "memory";
public static final String TABLE_NAME_PERSON = "person";
public static final String PROCESS_NAME_GREET_PEOPLE_INTERACTIVE = "greetInteractive";
@ -209,7 +215,7 @@ public class TestUtils
{
return new QBackendMetaData()
.withBackendType("memory")
.withName("memory");
.withName(BACKEND_NAME_MEMORY);
}
@ -504,4 +510,18 @@ public class TestUtils
);
}
/*******************************************************************************
**
*******************************************************************************/
public static void insertRecords(QInstance qInstance, QTableMetaData table, List<QRecord> records) throws QException
{
InsertInput insertInput = new InsertInput(qInstance);
insertInput.setSession(new QSession());
insertInput.setTableName(table.getName());
insertInput.setRecords(records);
new InsertAction().execute(insertInput);
}
}