remove all the token of a user when a infra context is passed

This commit is contained in:
lucio 2020-01-17 16:56:46 +01:00
parent f71693619e
commit ea4c7c6d67
10 changed files with 111 additions and 52 deletions

52
pom.xml
View File

@ -34,6 +34,7 @@
<dependencies>
<dependency>
<groupId>org.gcube.common</groupId>
<artifactId>common-authorization</artifactId>
@ -71,15 +72,6 @@
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.containers.glassfish</groupId>
<artifactId>jersey-gf-cdi</artifactId>
<version>2.13</version>
</dependency>
<dependency>
<groupId>javax.transaction</groupId>
@ -100,24 +92,45 @@
<scope>runtime</scope>
</dependency>
<!-- weld -->
<dependency>
<groupId>javax.enterprise</groupId>
<artifactId>cdi-api</artifactId>
<version>1.1</version>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet-core</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.hk2.external</groupId>
<artifactId>javax.inject</artifactId>
<version>2.4.0</version>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-server</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.ext.cdi</groupId>
<artifactId>jersey-cdi1x</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.ext.cdi</groupId>
<artifactId>jersey-cdi1x-servlet</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.jboss.weld.servlet</groupId>
<artifactId>weld-servlet</artifactId>
<version>2.2.4.Final</version>
</dependency>
<dependency>
<groupId>org.jboss</groupId>
<artifactId>jandex</artifactId>
<version>1.2.2.Final</version>
<version>2.4.8.Final</version>
</dependency>
<!-- lombok -->
<dependency>
<groupId>org.projectlombok</groupId>
@ -140,7 +153,6 @@
<dependency>
<groupId>org.glassfish.jersey.test-framework.providers</groupId>
<artifactId>jersey-test-framework-provider-simple</artifactId>
<version>2.17</version>
<scope>test</scope>
</dependency>

View File

@ -2,6 +2,7 @@ package org.gcube.common.authorizationservice;
import java.util.UUID;
import javax.annotation.ManagedBean;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
@ -28,6 +29,7 @@ import org.gcube.common.authorizationservice.util.TokenPersistence;
@Path("apikey")
@Slf4j
@ManagedBean
public class ApiKeyManager {
@Inject

View File

@ -1,18 +1,30 @@
package org.gcube.common.authorizationservice;
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.gcube.common.authorizationservice.configuration.AuthorizationConfiguration;
import org.glassfish.jersey.server.ResourceConfig;
@ApplicationPath("/gcube/service/")
public class AuthorizationService extends ResourceConfig {
@ApplicationPath("/gcube/service/*")
public class AuthorizationService extends Application {
public static AuthorizationConfiguration configuration;
public AuthorizationService(){
packages("org.gcube.common.authorizationservice");
@Override
public Set<Class<?>> getClasses() {
final Set<Class<?>> classes = new HashSet<>();
classes.add(TokenManager.class);
classes.add(KeyRetriever.class);
classes.add(PolicyManager.class);
classes.add(TokenManager.class);
return classes;
}
}

View File

@ -5,6 +5,7 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import javax.annotation.ManagedBean;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
@ -26,6 +27,7 @@ import org.gcube.common.scope.impl.ScopeBean.Type;
@Path("symmKey")
@Slf4j
@ManagedBean
public class KeyRetriever {
@GET

View File

@ -1,5 +1,6 @@
package org.gcube.common.authorizationservice;
import javax.annotation.ManagedBean;
import javax.inject.Inject;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Null;
@ -21,6 +22,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@Path("policyManager")
@ManagedBean
public class PolicyManager {
private static Logger log = LoggerFactory.getLogger(PolicyManager.class);

View File

@ -4,6 +4,7 @@ import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import javax.annotation.ManagedBean;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.validation.constraints.NotNull;
@ -29,7 +30,6 @@ import org.gcube.common.authorization.library.provider.ServiceInfo;
import org.gcube.common.authorization.library.provider.UserInfo;
import org.gcube.common.authorization.library.utils.AuthorizationEntryList;
import org.gcube.common.authorization.library.utils.ListMapper;
import org.gcube.common.authorization.library.utils.MapAdapter;
import org.gcube.common.authorization.library.utils.MultiServiceTokenRequest;
import org.gcube.common.authorizationservice.filters.AuthorizedCallFilter;
import org.gcube.common.authorizationservice.util.Constants;
@ -39,6 +39,7 @@ import lombok.extern.slf4j.Slf4j;
@Path("token")
@Slf4j
@ManagedBean
public class TokenManager {
@Inject
@ -56,7 +57,7 @@ public class TokenManager {
@Path("{token}")
@Produces(MediaType.APPLICATION_XML)
public AuthorizationEntry retrieveToken(@NotNull @PathParam("token") String token ) {
CalledMethodProvider.instance.set("retieve");
CalledMethodProvider.instance.set("retrieve");
log.info("token retreiver called with token {}",token);
AuthorizationEntry info = persistence.getAuthorizationEntry(token);
@ -99,12 +100,14 @@ public class TokenManager {
@Produces(MediaType.APPLICATION_XML)
public AuthorizationEntryList retrieveTokenBunch(@NotNull @QueryParam("token") List<String> tokens ) {
CalledMethodProvider.instance.set("retrieve");
log.info("token retreiver called with token {}",tokens);
log.info("token retreiver called with tokens {}",tokens);
List<AuthorizationEntry> toReturn = new ArrayList<AuthorizationEntry>();
for (String token : tokens ) {
try {
AuthorizationEntry info = persistence.getAuthorizationEntry(token);
if (token!=null) toReturn.add(info);
toReturn.add(info);
}catch(Exception e) {}
}
log.info("info retrieved {}",toReturn);
@ -284,19 +287,20 @@ public class TokenManager {
/**
*
* Generates a token for a service if it doesn't exist yet.
* Generates a list of tokens for a service if it doesn't exist yet.
*
* @param userName
* @param roles
* @return the generated token or the token related to the user (if it was already created)
* @param MultiServiceTokenRequest entity
* @return a list generated token or the token related to the user (if it was already created)
*/
@Path("service/bunch")
@PUT
@Consumes(MediaType.APPLICATION_XML)
@Produces(MediaType.APPLICATION_XML)
public ListMapper generateServiceTokenBunch(MultiServiceTokenRequest entity,
@Context HttpServletRequest req) {
CalledMethodProvider.instance.set("generate");
log.info("calling generate service token bunch");
try{
AuthorizationEntry callerInfo = (AuthorizationEntry)req.getAttribute(AuthorizedCallFilter.AUTH_ATTRIBUTE);
@ -306,6 +310,8 @@ public class TokenManager {
for (String token: entity.getContainerTokens()) {
AuthorizationEntry authInfo = this.retrieveToken(token);
if (authInfo==null) continue;
if (!authInfo.getClientInfo().getId().equals(callerInfo.getClientInfo().getId()))
log.warn("a token with a different ContainerInfo of the caller used, skipping it");
else {

View File

@ -57,6 +57,11 @@ public class AuthorizedCallFilter implements Filter {
long startTime = System.currentTimeMillis();
String callerIp = ((HttpServletRequest)request).getHeader("x-forwarded-for");
if(callerIp==null)
callerIp=request.getRemoteHost();
log.info("caller ip {}", callerIp);
AuthorizationEntry info = null;
if (token!=null){
info = persistence.getAuthorizationEntry(token);
@ -65,13 +70,22 @@ public class AuthorizedCallFilter implements Filter {
request.setAttribute(AUTH_ATTRIBUTE, info);
String pathInfo = ((HttpServletRequest) request).getPathInfo();
log.info("called path {}", pathInfo);
String servletPath = ((HttpServletRequest) request).getServletPath();
if (pathInfo==null || pathInfo.isEmpty()){
log.info("call rejected from filters: invalid path info");
pathInfo = servletPath.replace("/gcube/service", "");
log.info("called path info {} ", pathInfo);
if (pathInfo==null || pathInfo.isEmpty()){
log.info("call rejected from filters: invalid path");
return;
}
}
if (requiresToken(pathInfo) && token==null ){
@ -80,10 +94,7 @@ public class AuthorizedCallFilter implements Filter {
return;
}
String callerIp = ((HttpServletRequest)request).getHeader("x-forwarded-for");
if(callerIp==null)
callerIp=request.getRemoteHost();
log.info("caller ip {}", callerIp);
/*X509Certificate certs[] =
(X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
@ -102,7 +113,7 @@ public class AuthorizedCallFilter implements Filter {
chain.doFilter(request, response);
generateAccounting("Unknown", "Unknown", callerIp, true, startTime, request.getLocalName());
//generateAccounting("Unknown", "Unknown", callerIp, true, startTime, request.getLocalName());
}
private boolean requiresToken(String pathInfo) {

View File

@ -40,6 +40,8 @@ import org.gcube.common.authorizationservice.persistence.entities.ServicePolicyE
import org.gcube.common.authorizationservice.persistence.entities.UserAuthorizationEntity;
import org.gcube.common.authorizationservice.persistence.entities.UserPolicyEntity;
import org.gcube.common.authorizationservice.util.TokenPersistence;
import org.gcube.common.scope.impl.ScopeBean;
import org.gcube.common.scope.impl.ScopeBean.Type;
@Singleton
@Slf4j
@ -391,9 +393,15 @@ public class RelationDBPersistence implements TokenPersistence{
EntityManager em = emFactory.createEntityManager();
try{
em.getTransaction().begin();
TypedQuery<AuthorizationEntity> queryS = em.createNamedQuery("Authz.getGeneratedTokenByClientId", AuthorizationEntity.class);
queryS.setParameter("clientid", clientId);
TypedQuery<AuthorizationEntity> queryS;
if (new ScopeBean(context).is(Type.INFRASTRUCTURE)) {
queryS = em.createNamedQuery("Authz.getAllGeneratedTokenByClientId", AuthorizationEntity.class);
} else {
queryS = em.createNamedQuery("Authz.getGeneratedTokenByClientId", AuthorizationEntity.class);
queryS.setParameter("context", context);
}
queryS.setParameter("clientid", clientId);
List<AuthorizationEntity> authEntries = queryS.getResultList();
for (AuthorizationEntity entry:authEntries)
em.remove(entry);

View File

@ -48,7 +48,9 @@ import org.slf4j.LoggerFactory;
@NamedQuery(name="Authz.getByToken", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
+ " info.token=:token"),
@NamedQuery(name="Authz.getGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid) AND info.id.context=:context")
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid) AND info.id.context=:context"),
@NamedQuery(name="Authz.getAllGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid)")
})
public abstract class AuthorizationEntity {

View File

@ -1,4 +1,6 @@
<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee">
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
bean-discovery-mode="all">
</beans>