remove all the token of a user when a infra context is passed

This commit is contained in:
lucio 2020-01-17 16:56:46 +01:00
parent f71693619e
commit ea4c7c6d67
10 changed files with 111 additions and 52 deletions

pom.xml

@ -34,6 +34,7 @@
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.gcube.common</groupId> <groupId>org.gcube.common</groupId>
<artifactId>common-authorization</artifactId> <artifactId>common-authorization</artifactId>
@ -71,15 +72,6 @@
<groupId>javax.ws.rs</groupId> <groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId> <artifactId>javax.ws.rs-api</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.containers.glassfish</groupId>
<artifactId>jersey-gf-cdi</artifactId>
<version>2.13</version>
</dependency>
<dependency> <dependency>
<groupId>javax.transaction</groupId> <groupId>javax.transaction</groupId>
@ -100,24 +92,45 @@
<scope>runtime</scope> <scope>runtime</scope>
</dependency> </dependency>
<!-- weld -->
<dependency> <dependency>
<groupId>javax.enterprise</groupId> <groupId>org.glassfish.jersey.containers</groupId>
<artifactId>cdi-api</artifactId> <artifactId>jersey-container-servlet</artifactId>
<version>1.1</version> <scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet-core</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.hk2.external</groupId>
<artifactId>javax.inject</artifactId>
<version>2.4.0</version>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-server</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.ext.cdi</groupId>
<artifactId>jersey-cdi1x</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.ext.cdi</groupId>
<artifactId>jersey-cdi1x-servlet</artifactId>
<scope>compile</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.jboss.weld.servlet</groupId> <groupId>org.jboss.weld.servlet</groupId>
<artifactId>weld-servlet</artifactId> <artifactId>weld-servlet</artifactId>
<version>2.2.4.Final</version> <version>2.4.8.Final</version>
</dependency>
<dependency>
<groupId>org.jboss</groupId>
<artifactId>jandex</artifactId>
<version>1.2.2.Final</version>
</dependency> </dependency>
<!-- lombok --> <!-- lombok -->
<dependency> <dependency>
<groupId>org.projectlombok</groupId> <groupId>org.projectlombok</groupId>
@ -140,7 +153,6 @@
<dependency> <dependency>
<groupId>org.glassfish.jersey.test-framework.providers</groupId> <groupId>org.glassfish.jersey.test-framework.providers</groupId>
<artifactId>jersey-test-framework-provider-simple</artifactId> <artifactId>jersey-test-framework-provider-simple</artifactId>
<version>2.17</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>


@ -2,6 +2,7 @@ package org.gcube.common.authorizationservice;
import java.util.UUID; import java.util.UUID;
import javax.annotation.ManagedBean;
import javax.inject.Inject; import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
@ -28,6 +29,7 @@ import org.gcube.common.authorizationservice.util.TokenPersistence;
@Path("apikey") @Path("apikey")
@Slf4j @Slf4j
@ManagedBean
public class ApiKeyManager { public class ApiKeyManager {
@Inject @Inject


@ -1,18 +1,30 @@
package org.gcube.common.authorizationservice; package org.gcube.common.authorizationservice;
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.ApplicationPath; import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.gcube.common.authorizationservice.configuration.AuthorizationConfiguration; import org.gcube.common.authorizationservice.configuration.AuthorizationConfiguration;
import org.glassfish.jersey.server.ResourceConfig; import org.glassfish.jersey.server.ResourceConfig;
@ApplicationPath("/gcube/service/") @ApplicationPath("/gcube/service/*")
public class AuthorizationService extends ResourceConfig { public class AuthorizationService extends Application {
public static AuthorizationConfiguration configuration; public static AuthorizationConfiguration configuration;
public AuthorizationService(){
packages("org.gcube.common.authorizationservice");
@Override
public Set<Class<?>> getClasses() {
final Set<Class<?>> classes = new HashSet<>();
classes.add(TokenManager.class);
classes.add(KeyRetriever.class);
classes.add(PolicyManager.class);
classes.add(TokenManager.class);
return classes;
} }
} }
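Review bot: getClasses() registers TokenManager twice (the first and the fourth add call) and never registers ApiKeyManager, so now that package scanning has been replaced by this explicit set the `apikey` resource — which this same commit annotates with @ManagedBean — is no longer exposed; the duplicate is presumably meant to be `classes.add(ApiKeyManager.class);`. Because this set is now the only registration point, a comment such as `// every JAX-RS resource class must be listed here; package scanning is no longer used` would stop the next resource from being dropped silently. The duplicate itself is harmless in a Set, which is why the omission does not fail at startup.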


@ -5,6 +5,7 @@ import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import javax.annotation.ManagedBean;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET; import javax.ws.rs.GET;
import javax.ws.rs.Path; import javax.ws.rs.Path;
@ -26,6 +27,7 @@ import org.gcube.common.scope.impl.ScopeBean.Type;
@Path("symmKey") @Path("symmKey")
@Slf4j @Slf4j
@ManagedBean
public class KeyRetriever { public class KeyRetriever {
@GET @GET


@ -1,5 +1,6 @@
package org.gcube.common.authorizationservice; package org.gcube.common.authorizationservice;
import javax.annotation.ManagedBean;
import javax.inject.Inject; import javax.inject.Inject;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import javax.validation.constraints.Null; import javax.validation.constraints.Null;
@ -21,6 +22,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@Path("policyManager") @Path("policyManager")
@ManagedBean
public class PolicyManager { public class PolicyManager {
private static Logger log = LoggerFactory.getLogger(PolicyManager.class); private static Logger log = LoggerFactory.getLogger(PolicyManager.class);


@ -4,6 +4,7 @@ import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.UUID; import java.util.UUID;
import javax.annotation.ManagedBean;
import javax.inject.Inject; import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
@ -29,7 +30,6 @@ import org.gcube.common.authorization.library.provider.ServiceInfo;
import org.gcube.common.authorization.library.provider.UserInfo; import org.gcube.common.authorization.library.provider.UserInfo;
import org.gcube.common.authorization.library.utils.AuthorizationEntryList; import org.gcube.common.authorization.library.utils.AuthorizationEntryList;
import org.gcube.common.authorization.library.utils.ListMapper; import org.gcube.common.authorization.library.utils.ListMapper;
import org.gcube.common.authorization.library.utils.MapAdapter;
import org.gcube.common.authorization.library.utils.MultiServiceTokenRequest; import org.gcube.common.authorization.library.utils.MultiServiceTokenRequest;
import org.gcube.common.authorizationservice.filters.AuthorizedCallFilter; import org.gcube.common.authorizationservice.filters.AuthorizedCallFilter;
import org.gcube.common.authorizationservice.util.Constants; import org.gcube.common.authorizationservice.util.Constants;
@ -39,6 +39,7 @@ import lombok.extern.slf4j.Slf4j;
@Path("token") @Path("token")
@Slf4j @Slf4j
@ManagedBean
public class TokenManager { public class TokenManager {
@Inject @Inject
@ -56,7 +57,7 @@ public class TokenManager {
@Path("{token}") @Path("{token}")
@Produces(MediaType.APPLICATION_XML) @Produces(MediaType.APPLICATION_XML)
public AuthorizationEntry retrieveToken(@NotNull @PathParam("token") String token ) { public AuthorizationEntry retrieveToken(@NotNull @PathParam("token") String token ) {
CalledMethodProvider.instance.set("retieve"); CalledMethodProvider.instance.set("retrieve");
log.info("token retreiver called with token {}",token); log.info("token retreiver called with token {}",token);
AuthorizationEntry info = persistence.getAuthorizationEntry(token); AuthorizationEntry info = persistence.getAuthorizationEntry(token);
@ -99,12 +100,14 @@ public class TokenManager {
@Produces(MediaType.APPLICATION_XML) @Produces(MediaType.APPLICATION_XML)
public AuthorizationEntryList retrieveTokenBunch(@NotNull @QueryParam("token") List<String> tokens ) { public AuthorizationEntryList retrieveTokenBunch(@NotNull @QueryParam("token") List<String> tokens ) {
CalledMethodProvider.instance.set("retrieve"); CalledMethodProvider.instance.set("retrieve");
log.info("token retreiver called with token {}",tokens); log.info("token retreiver called with tokens {}",tokens);
List<AuthorizationEntry> toReturn = new ArrayList<AuthorizationEntry>(); List<AuthorizationEntry> toReturn = new ArrayList<AuthorizationEntry>();
for (String token : tokens ) { for (String token : tokens ) {
try {
AuthorizationEntry info = persistence.getAuthorizationEntry(token); AuthorizationEntry info = persistence.getAuthorizationEntry(token);
if (token!=null) toReturn.add(info); toReturn.add(info);
}catch(Exception e) {}
} }
log.info("info retrieved {}",toReturn); log.info("info retrieved {}",toReturn);
@ -284,19 +287,20 @@ public class TokenManager {
/** /**
* *
* Generates a token for a service if it doesn't exist yet. * Generates a list of tokens for a service if it doesn't exist yet.
* *
* @param userName * @param userName
* @param roles * @param MultiServiceTokenRequest entity
* @return the generated token or the token related to the user (if it was already created) * @return a list generated token or the token related to the user (if it was already created)
*/ */
@Path("service/bunch") @Path("service/bunch")
@PUT @PUT
@Consumes(MediaType.APPLICATION_XML) @Consumes(MediaType.APPLICATION_XML)
@Produces(MediaType.APPLICATION_XML)
public ListMapper generateServiceTokenBunch(MultiServiceTokenRequest entity, public ListMapper generateServiceTokenBunch(MultiServiceTokenRequest entity,
@Context HttpServletRequest req) { @Context HttpServletRequest req) {
CalledMethodProvider.instance.set("generate"); CalledMethodProvider.instance.set("generate");
log.info("calling generate service token bunch");
try{ try{
AuthorizationEntry callerInfo = (AuthorizationEntry)req.getAttribute(AuthorizedCallFilter.AUTH_ATTRIBUTE); AuthorizationEntry callerInfo = (AuthorizationEntry)req.getAttribute(AuthorizedCallFilter.AUTH_ATTRIBUTE);
@ -306,6 +310,8 @@ public class TokenManager {
for (String token: entity.getContainerTokens()) { for (String token: entity.getContainerTokens()) {
AuthorizationEntry authInfo = this.retrieveToken(token); AuthorizationEntry authInfo = this.retrieveToken(token);
if (authInfo==null) continue;
if (!authInfo.getClientInfo().getId().equals(callerInfo.getClientInfo().getId())) if (!authInfo.getClientInfo().getId().equals(callerInfo.getClientInfo().getId()))
log.warn("a token with a different ContainerInfo of the caller used, skipping it"); log.warn("a token with a different ContainerInfo of the caller used, skipping it");
else { else {
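Review bot: In retrieveTokenBunch the rewritten loop drops the null guard and wraps the lookup in an empty catch, so a null result from persistence.getAuthorizationEntry is now added to the response and any persistence failure is hidden; the `if (authInfo==null) continue;` this commit adds after retrieveToken in generateServiceTokenBunch shows that a null entry is an expected outcome. Suggested lines: `if (info != null) toReturn.add(info);` inside the try, and `log.warn("could not retrieve the entry for one of the requested tokens", e);` in place of the empty catch body. The original guard tested `token` rather than `info`, which is probably what the rewrite meant to correct. The adjusted log statement still writes the raw token values at INFO level; logging `tokens.size()` instead would keep bearer credentials out of the log.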


@ -57,6 +57,11 @@ public class AuthorizedCallFilter implements Filter {
long startTime = System.currentTimeMillis(); long startTime = System.currentTimeMillis();
String callerIp = ((HttpServletRequest)request).getHeader("x-forwarded-for");
if(callerIp==null)
callerIp=request.getRemoteHost();
log.info("caller ip {}", callerIp);
AuthorizationEntry info = null; AuthorizationEntry info = null;
if (token!=null){ if (token!=null){
info = persistence.getAuthorizationEntry(token); info = persistence.getAuthorizationEntry(token);
@ -65,13 +70,22 @@ public class AuthorizedCallFilter implements Filter {
request.setAttribute(AUTH_ATTRIBUTE, info); request.setAttribute(AUTH_ATTRIBUTE, info);
String pathInfo = ((HttpServletRequest) request).getPathInfo(); String pathInfo = ((HttpServletRequest) request).getPathInfo();
log.info("called path {}", pathInfo); String servletPath = ((HttpServletRequest) request).getServletPath();
if (pathInfo==null || pathInfo.isEmpty()){ if (pathInfo==null || pathInfo.isEmpty()){
log.info("call rejected from filters: invalid path info");
pathInfo = servletPath.replace("/gcube/service", "");
log.info("called path info {} ", pathInfo);
if (pathInfo==null || pathInfo.isEmpty()){
log.info("call rejected from filters: invalid path");
return; return;
} }
}
if (requiresToken(pathInfo) && token==null ){ if (requiresToken(pathInfo) && token==null ){
@ -80,10 +94,7 @@ public class AuthorizedCallFilter implements Filter {
return; return;
} }
String callerIp = ((HttpServletRequest)request).getHeader("x-forwarded-for");
if(callerIp==null)
callerIp=request.getRemoteHost();
log.info("caller ip {}", callerIp);
/*X509Certificate certs[] = /*X509Certificate certs[] =
(X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate"); (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
@ -102,7 +113,7 @@ public class AuthorizedCallFilter implements Filter {
chain.doFilter(request, response); chain.doFilter(request, response);
generateAccounting("Unknown", "Unknown", callerIp, true, startTime, request.getLocalName()); //generateAccounting("Unknown", "Unknown", callerIp, true, startTime, request.getLocalName());
} }
private boolean requiresToken(String pathInfo) { private boolean requiresToken(String pathInfo) {
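Review bot: callerIp is taken from the `x-forwarded-for` header before any check that the request arrived through a trusted proxy, so the value logged — and accounted, if generateAccounting is re-enabled — is whatever the client chose to send, and the header may carry a comma-separated chain of which only the first element is the client. A comment at the assignment such as `// x-forwarded-for is client-supplied unless a trusted reverse proxy overwrites it; treat as claimed, not verified` would make the trust assumption explicit, or the `getRemoteHost()` fallback could be preferred when no proxy is configured. The commented-out generateAccounting call on the success path is dead code now; deleting it or stating why accounting was disabled would be clearer than leaving it in place. doFilter's body starts and ends outside the hunks shown here.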


@ -40,6 +40,8 @@ import org.gcube.common.authorizationservice.persistence.entities.ServicePolicyE
import org.gcube.common.authorizationservice.persistence.entities.UserAuthorizationEntity; import org.gcube.common.authorizationservice.persistence.entities.UserAuthorizationEntity;
import org.gcube.common.authorizationservice.persistence.entities.UserPolicyEntity; import org.gcube.common.authorizationservice.persistence.entities.UserPolicyEntity;
import org.gcube.common.authorizationservice.util.TokenPersistence; import org.gcube.common.authorizationservice.util.TokenPersistence;
import org.gcube.common.scope.impl.ScopeBean;
import org.gcube.common.scope.impl.ScopeBean.Type;
@Singleton @Singleton
@Slf4j @Slf4j
@ -391,9 +393,15 @@ public class RelationDBPersistence implements TokenPersistence{
EntityManager em = emFactory.createEntityManager(); EntityManager em = emFactory.createEntityManager();
try{ try{
em.getTransaction().begin(); em.getTransaction().begin();
TypedQuery<AuthorizationEntity> queryS = em.createNamedQuery("Authz.getGeneratedTokenByClientId", AuthorizationEntity.class); TypedQuery<AuthorizationEntity> queryS;
queryS.setParameter("clientid", clientId); if (new ScopeBean(context).is(Type.INFRASTRUCTURE)) {
queryS = em.createNamedQuery("Authz.getAllGeneratedTokenByClientId", AuthorizationEntity.class);
} else {
queryS = em.createNamedQuery("Authz.getGeneratedTokenByClientId", AuthorizationEntity.class);
queryS.setParameter("context", context); queryS.setParameter("context", context);
}
queryS.setParameter("clientid", clientId);
List<AuthorizationEntity> authEntries = queryS.getResultList(); List<AuthorizationEntity> authEntries = queryS.getResultList();
for (AuthorizationEntity entry:authEntries) for (AuthorizationEntity entry:authEntries)
em.remove(entry); em.remove(entry);
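Review bot: The new branch removes every token of the client in all contexts whenever the supplied context string parses as an INFRASTRUCTURE scope, and nothing in the hunk ties that context to the authenticated caller; if `context` can originate from the request rather than from the caller's validated token, a client permitted to call this method could widen a single-context removal into a full wipe. The enclosing method's signature and its callers lie outside the hunk, so this may already be enforced upstream — a comment such as `// INFRASTRUCTURE context removes the client's tokens in every context; context must be the caller's validated scope, never a request-supplied value` would document the expectation, and a log line naming clientId and the branch taken would make such removals auditable. `new ScopeBean(context)` is also evaluated inside the transaction; if it rejects a malformed context the exception propagates through whatever cleanup the method's tail (outside the hunk) performs, which is worth confirming still closes the EntityManager.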


@ -48,7 +48,9 @@ import org.slf4j.LoggerFactory;
@NamedQuery(name="Authz.getByToken", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE " @NamedQuery(name="Authz.getByToken", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
+ " info.token=:token"), + " info.token=:token"),
@NamedQuery(name="Authz.getGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE " @NamedQuery(name="Authz.getGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid) AND info.id.context=:context") + " (info.id.clientId=:clientid OR info.generatedBy=:clientid) AND info.id.context=:context"),
@NamedQuery(name="Authz.getAllGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid)")
}) })
public abstract class AuthorizationEntity { public abstract class AuthorizationEntity {


@ -1,4 +1,6 @@
<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee" <beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee"> xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
bean-discovery-mode="all">
</beans> </beans>