Merge pull request #59 from karelmaxa/fix-security-authenticationid

Resolve principal name from request context map

Author: pavelhoral

auth-filters/forgerock-authn-filter/forgerock-jaspi-runtime/src/main/java/org/forgerock/caf/authentication/framework/AuthenticationFramework.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2013-2016 ForgeRock AS.
+ * Portions Copyright 2025 Wren Security.
  */
 
 package org.forgerock.caf.authentication.framework;
@@ -29,12 +30,14 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Objects;
 import javax.security.auth.Subject;
 import javax.security.auth.message.AuthStatus;
 
 import org.forgerock.caf.authentication.api.AsyncServerAuthContext;
 import org.forgerock.caf.authentication.api.AuthenticationException;
 import org.forgerock.caf.authentication.api.MessageContext;
+import org.forgerock.caf.authentication.api.MessageInfoContext;
 import org.forgerock.http.Handler;
 import org.forgerock.http.protocol.Request;
 import org.forgerock.http.protocol.Response;
@@ -86,7 +89,6 @@ public final class AuthenticationFramework {
      */
     public static final String ATTRIBUTE_REQUEST_ID = "org.forgerock.authentication.request.id";
 
-    @SuppressWarnings("unchecked")
     static final Collection<Class<?>> REQUIRED_MESSAGE_TYPES_SUPPORT =
             new HashSet<Class<?>>(Arrays.asList(Request.class, Response.class));
 
@@ -161,13 +163,7 @@ public Promise<AuthStatus, AuthenticationException> apply(AuthStatus authStatus)
                     AuthenticationException exception = new AuthenticationFailedException();
                     return Promises.newExceptionPromise(exception);
                 } else if (isSuccess(authStatus)) {
-                    String principalName = null;
-                    for (Principal principal : clientSubject.getPrincipals()) {
-                        if (principal.getName() != null) {
-                            principalName = principal.getName();
-                            break;
-                        }
-                    }
+                    String principalName = resolvePrincipalName(context, clientSubject);
                     Map<String, Object> contextMap =
                             getMap(context.getRequestContextMap(), AuthenticationFramework.ATTRIBUTE_AUTH_CONTEXT);
                     logger.debug("Setting principal name, {}, and {} context values on to the request.",
@@ -252,6 +248,26 @@ private Map<String, Object> getMap(Map<String, Object> containingMap, String key
         return map;
     }
 
+    /**
+     * Resolve the principal name of the user. The principal name is resolved from the context map
+     * of the {@link MessageInfoContext}. When no value is specified in the context map, the principal name
+     * is resolved from the client subject principal.
+     * @param context Request context.
+     * @param clientSubject Client subject.
+     * @return Resolved principal name or null if no value could be resolved.
+     */
+    private String resolvePrincipalName(final MessageContext context, final Subject clientSubject) {
+        String principal = (String) context.getRequestContextMap().get(ATTRIBUTE_AUTH_PRINCIPAL);
+        if (principal != null) {
+            return principal;
+        }
+        return clientSubject.getPrincipals().stream()
+                .map(Principal::getName)
+                .filter(Objects::nonNull)
+                .findFirst()
+                .orElse(null);
+    }
+
     @Override
     public String toString() {
         return "AuthContext: " + authContext.toString() + ", Response Handlers: " + responseHandler.toString();

auth-filters/forgerock-authn-filter/forgerock-jaspi-runtime/src/test/java/org/forgerock/caf/authentication/framework/AuthenticationFrameworkTest.java

@@ -12,7 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2013-2016 ForgeRock AS.
- * Portions Copyright 2018 Wren Security.
+ * Portions Copyright 2018-2025 Wren Security.
  */
 
 package org.forgerock.caf.authentication.framework;
@@ -24,7 +24,9 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
+import static org.testng.Assert.assertEquals;
 
+import java.security.Principal;
 import javax.security.auth.Subject;
 import javax.security.auth.message.AuthStatus;
 
@@ -44,6 +46,8 @@
 import org.forgerock.util.promise.NeverThrowsException;
 import org.forgerock.util.promise.Promise;
 import org.forgerock.util.promise.Promises;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
 import org.slf4j.Logger;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.DataProvider;
@@ -349,4 +353,59 @@ public void whenResourceReturnsResponseExceptionItShouldBeSecuredAndReturned() t
         verify(authContext).secureResponse(any(MessageContext.class), eq(serviceSubject));
         verify(authContext).cleanSubject(any(MessageContext.class), any(Subject.class));
     }
+
+    @Test
+    public void whenProcessingResultShouldSetPrincipalFromMessageContext() {
+        String principal = "john.doe";
+        Context context = mockContext();
+        Request request = new Request();
+        Handler next = mockHandler(request, Promises.<Response, NeverThrowsException>newResultPromise(successfulResponse));
+        mockAuthContext(Promises.<AuthStatus, AuthenticationException>newResultPromise(AuthStatus.SUCCESS),
+                Promises.<AuthStatus, AuthenticationException>newResultPromise(AuthStatus.SEND_SUCCESS));
+        given(authContext.validateRequest(any(MessageContext.class), any(Subject.class), eq(serviceSubject))).willAnswer(new Answer<Object>() {
+            @Override
+            public Object answer(InvocationOnMock invocation) throws Throwable {
+                MessageContext context = (MessageContext) invocation.getArgument(0);
+                context.getRequestContextMap().put(AuthenticationFramework.ATTRIBUTE_AUTH_PRINCIPAL, principal);
+                return Promises.<AuthStatus, AuthenticationException>newResultPromise(AuthStatus.SUCCESS);
+            }
+        });
+
+        Promise<Response, NeverThrowsException> promise = runtime.processMessage(context, request, next);
+
+        assertThat(promise).succeeded();
+        AttributesContext attributesContext = context.asContext(AttributesContext.class);
+        assertEquals(attributesContext.getAttributes().get(AuthenticationFramework.ATTRIBUTE_AUTH_PRINCIPAL), principal);
+    }
+
+    @Test
+    public void whenProcessingResultShouldSetPrincipalFromClientSubject() {
+        String principal = "john.doe";
+        Context context = mockContext();
+        Request request = new Request();
+        Handler next = mockHandler(request, Promises.<Response, NeverThrowsException>newResultPromise(successfulResponse));
+        mockAuthContext(Promises.<AuthStatus, AuthenticationException>newResultPromise(AuthStatus.SUCCESS),
+                Promises.<AuthStatus, AuthenticationException>newResultPromise(AuthStatus.SEND_SUCCESS));
+        given(authContext.validateRequest(any(MessageContext.class), any(Subject.class), eq(serviceSubject))).willAnswer(new Answer<Object>() {
+            @Override
+            public Object answer(InvocationOnMock invocation) throws Throwable {
+                Subject subject = (Subject) invocation.getArgument(1);
+                subject.getPrincipals().add(new Principal() {
+                    @Override
+                    public String getName() {
+                        return principal;
+                    }
+
+                });
+                return Promises.<AuthStatus, AuthenticationException>newResultPromise(AuthStatus.SUCCESS);
+            }
+        });
+
+        Promise<Response, NeverThrowsException> promise = runtime.processMessage(context, request, next);
+
+        assertThat(promise).succeeded();
+        AttributesContext attributesContext = context.asContext(AttributesContext.class);
+        assertEquals(attributesContext.getAttributes().get(AuthenticationFramework.ATTRIBUTE_AUTH_PRINCIPAL), principal);
+    }
+
 }