remove all the token of a user when a infra context is passed
parent
f71693619e
commit
ea4c7c6d67
52
pom.xml
52
pom.xml
|
@ -34,6 +34,7 @@
|
|||
|
||||
<dependencies>
|
||||
|
||||
|
||||
<dependency>
|
||||
<groupId>org.gcube.common</groupId>
|
||||
<artifactId>common-authorization</artifactId>
|
||||
|
@ -71,15 +72,6 @@
|
|||
<groupId>javax.ws.rs</groupId>
|
||||
<artifactId>javax.ws.rs-api</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.containers</groupId>
|
||||
<artifactId>jersey-container-servlet</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.containers.glassfish</groupId>
|
||||
<artifactId>jersey-gf-cdi</artifactId>
|
||||
<version>2.13</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>javax.transaction</groupId>
|
||||
|
@ -100,24 +92,45 @@
|
|||
<scope>runtime</scope>
|
||||
</dependency>
|
||||
|
||||
<!-- weld -->
|
||||
<dependency>
|
||||
<groupId>javax.enterprise</groupId>
|
||||
<artifactId>cdi-api</artifactId>
|
||||
<version>1.1</version>
|
||||
<groupId>org.glassfish.jersey.containers</groupId>
|
||||
<artifactId>jersey-container-servlet</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.containers</groupId>
|
||||
<artifactId>jersey-container-servlet-core</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.hk2.external</groupId>
|
||||
<artifactId>javax.inject</artifactId>
|
||||
<version>2.4.0</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.core</groupId>
|
||||
<artifactId>jersey-server</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.ext.cdi</groupId>
|
||||
<artifactId>jersey-cdi1x</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish.jersey.ext.cdi</groupId>
|
||||
<artifactId>jersey-cdi1x-servlet</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jboss.weld.servlet</groupId>
|
||||
<artifactId>weld-servlet</artifactId>
|
||||
<version>2.2.4.Final</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jboss</groupId>
|
||||
<artifactId>jandex</artifactId>
|
||||
<version>1.2.2.Final</version>
|
||||
<version>2.4.8.Final</version>
|
||||
</dependency>
|
||||
|
||||
|
||||
|
||||
<!-- lombok -->
|
||||
<dependency>
|
||||
<groupId>org.projectlombok</groupId>
|
||||
|
@ -140,7 +153,6 @@
|
|||
<dependency>
|
||||
<groupId>org.glassfish.jersey.test-framework.providers</groupId>
|
||||
<artifactId>jersey-test-framework-provider-simple</artifactId>
|
||||
<version>2.17</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
|
||||
|
|
|
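Review bot: The jandex version moves from `1.2.2.Final` to `2.4.8.Final` while the Weld dependency shown in the same hunk is `weld-servlet` `2.2.4.Final`; as far as I recall the Weld 2.2.x line was built against the jandex 1.x API, so whether this combination still resolves and scans correctly at runtime should be confirmed (it may simply work if Weld falls back to reflection when the index is unusable). The Jersey artifacts are mixed between managed versions (`jersey-container-servlet`, `jersey-server`, `jersey-cdi1x`) and explicit pins (`javax.inject` 2.4.0, the test provider 2.17); a comment naming the Jersey version they are expected to align with would save the next person from guessing. The hunk headers show the surrounding dependency blocks continue outside what is shown.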
@ -2,6 +2,7 @@ package org.gcube.common.authorizationservice;
|
|||
|
||||
import java.util.UUID;
|
||||
|
||||
import javax.annotation.ManagedBean;
|
||||
import javax.inject.Inject;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.ws.rs.Consumes;
|
||||
|
@ -28,6 +29,7 @@ import org.gcube.common.authorizationservice.util.TokenPersistence;
|
|||
|
||||
@Path("apikey")
|
||||
@Slf4j
|
||||
@ManagedBean
|
||||
public class ApiKeyManager {
|
||||
|
||||
@Inject
|
||||
|
|
|
@ -1,18 +1,30 @@
|
|||
package org.gcube.common.authorizationservice;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.ws.rs.ApplicationPath;
|
||||
import javax.ws.rs.core.Application;
|
||||
|
||||
import org.gcube.common.authorizationservice.configuration.AuthorizationConfiguration;
|
||||
import org.glassfish.jersey.server.ResourceConfig;
|
||||
|
||||
@ApplicationPath("/gcube/service/")
|
||||
public class AuthorizationService extends ResourceConfig {
|
||||
@ApplicationPath("/gcube/service/*")
|
||||
public class AuthorizationService extends Application {
|
||||
|
||||
public static AuthorizationConfiguration configuration;
|
||||
|
||||
public AuthorizationService(){
|
||||
packages("org.gcube.common.authorizationservice");
|
||||
|
||||
@Override
|
||||
public Set<Class<?>> getClasses() {
|
||||
final Set<Class<?>> classes = new HashSet<>();
|
||||
classes.add(TokenManager.class);
|
||||
classes.add(KeyRetriever.class);
|
||||
classes.add(PolicyManager.class);
|
||||
classes.add(TokenManager.class);
|
||||
return classes;
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
|
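Review bot: `classes.add(TokenManager.class);` appears twice in the new `getClasses()` (the `HashSet` dedupes it, so it is only noise), while `ApiKeyManager` — which this commit also marks `@ManagedBean` — is not registered at all; with explicit registration replacing `packages("org.gcube.common.authorizationservice")` scanning, the apikey resource would presumably no longer be exposed, and the second line likely should read `classes.add(ApiKeyManager.class);`. A one-line comment on the method, such as `// explicit registration replaces package scanning: every JAX-RS resource must be listed here`, would make such omissions visible to the next maintainer. The new `@ApplicationPath("/gcube/service/*")` is also worth confirming against the deployed URL, since JAX-RS derives the servlet mapping by appending `/*` to the application path itself, so the literal `*` may not behave like the previous `"/gcube/service/"`. Whether other resources in the package were reachable under scanning cannot be seen from here.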
@ -5,6 +5,7 @@ import java.io.InputStream;
|
|||
import java.io.OutputStream;
|
||||
import java.security.InvalidKeyException;
|
||||
|
||||
import javax.annotation.ManagedBean;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.ws.rs.GET;
|
||||
import javax.ws.rs.Path;
|
||||
|
@ -26,6 +27,7 @@ import org.gcube.common.scope.impl.ScopeBean.Type;
|
|||
|
||||
@Path("symmKey")
|
||||
@Slf4j
|
||||
@ManagedBean
|
||||
public class KeyRetriever {
|
||||
|
||||
@GET
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
package org.gcube.common.authorizationservice;
|
||||
|
||||
import javax.annotation.ManagedBean;
|
||||
import javax.inject.Inject;
|
||||
import javax.validation.constraints.NotNull;
|
||||
import javax.validation.constraints.Null;
|
||||
|
@ -21,6 +22,7 @@ import org.slf4j.Logger;
|
|||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@Path("policyManager")
|
||||
@ManagedBean
|
||||
public class PolicyManager {
|
||||
|
||||
private static Logger log = LoggerFactory.getLogger(PolicyManager.class);
|
||||
|
|
|
@ -4,6 +4,7 @@ import java.util.ArrayList;
|
|||
import java.util.List;
|
||||
import java.util.UUID;
|
||||
|
||||
import javax.annotation.ManagedBean;
|
||||
import javax.inject.Inject;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.validation.constraints.NotNull;
|
||||
|
@ -29,7 +30,6 @@ import org.gcube.common.authorization.library.provider.ServiceInfo;
|
|||
import org.gcube.common.authorization.library.provider.UserInfo;
|
||||
import org.gcube.common.authorization.library.utils.AuthorizationEntryList;
|
||||
import org.gcube.common.authorization.library.utils.ListMapper;
|
||||
import org.gcube.common.authorization.library.utils.MapAdapter;
|
||||
import org.gcube.common.authorization.library.utils.MultiServiceTokenRequest;
|
||||
import org.gcube.common.authorizationservice.filters.AuthorizedCallFilter;
|
||||
import org.gcube.common.authorizationservice.util.Constants;
|
||||
|
@ -39,6 +39,7 @@ import lombok.extern.slf4j.Slf4j;
|
|||
|
||||
@Path("token")
|
||||
@Slf4j
|
||||
@ManagedBean
|
||||
public class TokenManager {
|
||||
|
||||
@Inject
|
||||
|
@ -56,7 +57,7 @@ public class TokenManager {
|
|||
@Path("{token}")
|
||||
@Produces(MediaType.APPLICATION_XML)
|
||||
public AuthorizationEntry retrieveToken(@NotNull @PathParam("token") String token ) {
|
||||
CalledMethodProvider.instance.set("retieve");
|
||||
CalledMethodProvider.instance.set("retrieve");
|
||||
log.info("token retreiver called with token {}",token);
|
||||
|
||||
AuthorizationEntry info = persistence.getAuthorizationEntry(token);
|
||||
|
@ -99,12 +100,14 @@ public class TokenManager {
|
|||
@Produces(MediaType.APPLICATION_XML)
|
||||
public AuthorizationEntryList retrieveTokenBunch(@NotNull @QueryParam("token") List<String> tokens ) {
|
||||
CalledMethodProvider.instance.set("retrieve");
|
||||
log.info("token retreiver called with token {}",tokens);
|
||||
log.info("token retreiver called with tokens {}",tokens);
|
||||
|
||||
List<AuthorizationEntry> toReturn = new ArrayList<AuthorizationEntry>();
|
||||
for (String token : tokens ) {
|
||||
try {
|
||||
AuthorizationEntry info = persistence.getAuthorizationEntry(token);
|
||||
if (token!=null) toReturn.add(info);
|
||||
toReturn.add(info);
|
||||
}catch(Exception e) {}
|
||||
}
|
||||
log.info("info retrieved {}",toReturn);
|
||||
|
||||
|
@ -284,19 +287,20 @@ public class TokenManager {
|
|||
|
||||
/**
|
||||
*
|
||||
* Generates a token for a service if it doesn't exist yet.
|
||||
* Generates a list of tokens for a service if it doesn't exist yet.
|
||||
*
|
||||
* @param userName
|
||||
* @param roles
|
||||
* @return the generated token or the token related to the user (if it was already created)
|
||||
* @param MultiServiceTokenRequest entity
|
||||
* @return a list generated token or the token related to the user (if it was already created)
|
||||
*/
|
||||
@Path("service/bunch")
|
||||
@PUT
|
||||
@Consumes(MediaType.APPLICATION_XML)
|
||||
@Produces(MediaType.APPLICATION_XML)
|
||||
public ListMapper generateServiceTokenBunch(MultiServiceTokenRequest entity,
|
||||
@Context HttpServletRequest req) {
|
||||
CalledMethodProvider.instance.set("generate");
|
||||
|
||||
log.info("calling generate service token bunch");
|
||||
try{
|
||||
|
||||
AuthorizationEntry callerInfo = (AuthorizationEntry)req.getAttribute(AuthorizedCallFilter.AUTH_ATTRIBUTE);
|
||||
|
@ -306,6 +310,8 @@ public class TokenManager {
|
|||
for (String token: entity.getContainerTokens()) {
|
||||
AuthorizationEntry authInfo = this.retrieveToken(token);
|
||||
|
||||
if (authInfo==null) continue;
|
||||
|
||||
if (!authInfo.getClientInfo().getId().equals(callerInfo.getClientInfo().getId()))
|
||||
log.warn("a token with a different ContainerInfo of the caller used, skipping it");
|
||||
else {
|
||||
|
|
|
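Review bot: In `retrieveTokenBunch`, the unconditional `toReturn.add(info);` that replaces `if (token!=null) toReturn.add(info);` lets a null `info` into the returned list whenever `persistence.getAuthorizationEntry` yields nothing for a token (the `authInfo==null` check in `generateServiceTokenBunch` suggests it can); the original test was on the wrong variable and the intended line is `if (info != null) toReturn.add(info);`. The new `log.info("token retreiver called with tokens {}",tokens);` writes the full bearer tokens to the log at INFO, as the single-token variant already does; logging how many tokens were requested rather than their values keeps the trace without turning the log into a token store. The adjacent `catch(Exception e) {}` still swallows lookup errors silently; `log.warn("token lookup failed", e)` would keep them visible without changing the best-effort behaviour. Both `retrieveTokenBunch` and `generateServiceTokenBunch` continue outside their hunks.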
@ -57,6 +57,11 @@ public class AuthorizedCallFilter implements Filter {
|
|||
|
||||
long startTime = System.currentTimeMillis();
|
||||
|
||||
String callerIp = ((HttpServletRequest)request).getHeader("x-forwarded-for");
|
||||
if(callerIp==null)
|
||||
callerIp=request.getRemoteHost();
|
||||
log.info("caller ip {}", callerIp);
|
||||
|
||||
AuthorizationEntry info = null;
|
||||
if (token!=null){
|
||||
info = persistence.getAuthorizationEntry(token);
|
||||
|
@ -65,13 +70,22 @@ public class AuthorizedCallFilter implements Filter {
|
|||
|
||||
request.setAttribute(AUTH_ATTRIBUTE, info);
|
||||
|
||||
|
||||
|
||||
String pathInfo = ((HttpServletRequest) request).getPathInfo();
|
||||
log.info("called path {}", pathInfo);
|
||||
String servletPath = ((HttpServletRequest) request).getServletPath();
|
||||
|
||||
|
||||
|
||||
if (pathInfo==null || pathInfo.isEmpty()){
|
||||
log.info("call rejected from filters: invalid path info");
|
||||
|
||||
pathInfo = servletPath.replace("/gcube/service", "");
|
||||
log.info("called path info {} ", pathInfo);
|
||||
if (pathInfo==null || pathInfo.isEmpty()){
|
||||
log.info("call rejected from filters: invalid path");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (requiresToken(pathInfo) && token==null ){
|
||||
|
@ -80,10 +94,7 @@ public class AuthorizedCallFilter implements Filter {
|
|||
return;
|
||||
}
|
||||
|
||||
String callerIp = ((HttpServletRequest)request).getHeader("x-forwarded-for");
|
||||
if(callerIp==null)
|
||||
callerIp=request.getRemoteHost();
|
||||
log.info("caller ip {}", callerIp);
|
||||
|
||||
|
||||
/*X509Certificate certs[] =
|
||||
(X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
|
||||
|
@ -102,7 +113,7 @@ public class AuthorizedCallFilter implements Filter {
|
|||
|
||||
chain.doFilter(request, response);
|
||||
|
||||
generateAccounting("Unknown", "Unknown", callerIp, true, startTime, request.getLocalName());
|
||||
//generateAccounting("Unknown", "Unknown", callerIp, true, startTime, request.getLocalName());
|
||||
}
|
||||
|
||||
private boolean requiresToken(String pathInfo) {
|
||||
|
|
|
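Review bot: The fallback `pathInfo = servletPath.replace("/gcube/service", "");` removes every occurrence of the prefix anywhere in the servlet path rather than stripping it once at the front, so the value fed to `requiresToken(pathInfo)` can differ from the path the container actually dispatches; a prefix strip such as `pathInfo = servletPath.startsWith("/gcube/service") ? servletPath.substring("/gcube/service".length()) : servletPath;` keeps the authorization check aligned with routing (the mapping itself depends on the `@ApplicationPath` in AuthorizationService). The rejection branch still only `return`s without setting a status, so the caller receives an empty, success-looking response rather than a 4xx; `((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);` before `return;` would make the rejection explicit (confirm `HttpServletResponse` is imported in this file). Commenting out `generateAccounting("Unknown", "Unknown", callerIp, ...)` removes the only accounting record for token-less calls, leaving `log.info("caller ip {}", callerIp)` as the sole trace; if that is intentional, a comment saying why would help. `callerIp` is taken from `x-forwarded-for` exactly as sent, which any client can set, so it should be treated as informational unless the header is known to be overwritten by a trusted proxy in front of this service. `doFilter` starts and ends outside these hunks.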
@ -40,6 +40,8 @@ import org.gcube.common.authorizationservice.persistence.entities.ServicePolicyE
|
|||
import org.gcube.common.authorizationservice.persistence.entities.UserAuthorizationEntity;
|
||||
import org.gcube.common.authorizationservice.persistence.entities.UserPolicyEntity;
|
||||
import org.gcube.common.authorizationservice.util.TokenPersistence;
|
||||
import org.gcube.common.scope.impl.ScopeBean;
|
||||
import org.gcube.common.scope.impl.ScopeBean.Type;
|
||||
|
||||
@Singleton
|
||||
@Slf4j
|
||||
|
@ -391,9 +393,15 @@ public class RelationDBPersistence implements TokenPersistence{
|
|||
EntityManager em = emFactory.createEntityManager();
|
||||
try{
|
||||
em.getTransaction().begin();
|
||||
TypedQuery<AuthorizationEntity> queryS = em.createNamedQuery("Authz.getGeneratedTokenByClientId", AuthorizationEntity.class);
|
||||
queryS.setParameter("clientid", clientId);
|
||||
TypedQuery<AuthorizationEntity> queryS;
|
||||
if (new ScopeBean(context).is(Type.INFRASTRUCTURE)) {
|
||||
queryS = em.createNamedQuery("Authz.getAllGeneratedTokenByClientId", AuthorizationEntity.class);
|
||||
} else {
|
||||
queryS = em.createNamedQuery("Authz.getGeneratedTokenByClientId", AuthorizationEntity.class);
|
||||
queryS.setParameter("context", context);
|
||||
}
|
||||
queryS.setParameter("clientid", clientId);
|
||||
|
||||
List<AuthorizationEntity> authEntries = queryS.getResultList();
|
||||
for (AuthorizationEntity entry:authEntries)
|
||||
em.remove(entry);
|
||||
|
|
|
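Review bot: The decision to delete the client's tokens in every context is taken here from the `context` string alone (`new ScopeBean(context).is(Type.INFRASTRUCTURE)`), so the persistence layer cannot tell whether the caller is actually entitled to act at infrastructure level; it should be confirmed that `context` is derived from the caller's own authenticated entry rather than from a request parameter, and a comment such as `// infrastructure context: remove this client's tokens across all contexts; caller entitlement is checked by the resource/filter` would document that contract. `new ScopeBean(context)` is also new parsing on a path that previously only bound the value to a query; if `context` can be null or malformed it will presumably throw inside the open transaction, so a guard with an explicit `IllegalArgumentException` would give a clearer failure. Since the wider branch can remove many entries at once, logging the clientId and the number of removed entries at INFO (`log` is available through `@Slf4j`) would give the audit trail such a destructive operation warrants. The enclosing method starts and ends outside the hunk.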
@ -48,7 +48,9 @@ import org.slf4j.LoggerFactory;
|
|||
@NamedQuery(name="Authz.getByToken", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
|
||||
+ " info.token=:token"),
|
||||
@NamedQuery(name="Authz.getGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
|
||||
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid) AND info.id.context=:context")
|
||||
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid) AND info.id.context=:context"),
|
||||
@NamedQuery(name="Authz.getAllGeneratedTokenByClientId", query="SELECT DISTINCT info FROM AuthorizationEntity info WHERE "
|
||||
+ " (info.id.clientId=:clientid OR info.generatedBy=:clientid)")
|
||||
})
|
||||
public abstract class AuthorizationEntity {
|
||||
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee">
|
||||
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
|
||||
bean-discovery-mode="all">
|
||||
|
||||
</beans>
|