From b67996b6a811a26596f3e75637d72957d35b4c27 Mon Sep 17 00:00:00 2001 From: lucio Date: Mon, 23 May 2022 16:39:48 +0200 Subject: [PATCH] first commit --- .classpath | 38 +++ .gitignore | 1 + .project | 23 ++ .settings/org.eclipse.core.resources.prefs | 6 + .settings/org.eclipse.jdt.core.prefs | 8 + .settings/org.eclipse.m2e.core.prefs | 4 + CHANGELOG.md | 8 + LICENSE.md | 312 ++++++++++++++++++ README.md | 73 ++++ pom.xml | 38 +++ .../org/gcube/common/security/Caller.java | 92 ++++++ .../gcube/common/security/GCubeJWTObject.java | 111 +++++++ .../common/security/secrets/GCubeSecret.java | 80 +++++ .../common/security/secrets/JWTSecret.java | 165 +++++++++ .../gcube/common/security/secrets/Secret.java | 22 ++ .../security/secrets/SecretUtility.java | 22 ++ src/main/java/providers/ClientIDManager.java | 48 +++ src/main/java/providers/RenewalProvider.java | 11 + .../java/providers/SecretManagerProvider.java | 37 +++ 19 files changed, 1099 insertions(+) create mode 100644 .classpath create mode 100644 .gitignore create mode 100644 .project create mode 100644 .settings/org.eclipse.core.resources.prefs create mode 100644 .settings/org.eclipse.jdt.core.prefs create mode 100644 .settings/org.eclipse.m2e.core.prefs create mode 100644 CHANGELOG.md create mode 100644 LICENSE.md create mode 100644 README.md create mode 100644 pom.xml create mode 100644 src/main/java/org/gcube/common/security/Caller.java create mode 100644 src/main/java/org/gcube/common/security/GCubeJWTObject.java create mode 100644 src/main/java/org/gcube/common/security/secrets/GCubeSecret.java create mode 100644 src/main/java/org/gcube/common/security/secrets/JWTSecret.java create mode 100644 src/main/java/org/gcube/common/security/secrets/Secret.java create mode 100644 src/main/java/org/gcube/common/security/secrets/SecretUtility.java create mode 100644 src/main/java/providers/ClientIDManager.java create mode 100644 src/main/java/providers/RenewalProvider.java create mode 100644 src/main/java/providers/SecretManagerProvider.java diff --git a/.classpath b/.classpath new file mode 100644 index 0000000..002ad57 --- /dev/null +++ b/.classpath @@ -0,0 +1,38 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b83d222 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/target/ diff --git a/.project b/.project new file mode 100644 index 0000000..6192bdd --- /dev/null +++ b/.project @@ -0,0 +1,23 @@ + + + gcube-security + + + + + + org.eclipse.jdt.core.javabuilder + + + + + org.eclipse.m2e.core.maven2Builder + + + + + + org.eclipse.jdt.core.javanature + org.eclipse.m2e.core.maven2Nature + + diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs new file mode 100644 index 0000000..29abf99 --- /dev/null +++ b/.settings/org.eclipse.core.resources.prefs @@ -0,0 +1,6 @@ +eclipse.preferences.version=1 +encoding//src/main/java=UTF-8 +encoding//src/main/resources=UTF-8 +encoding//src/test/java=UTF-8 +encoding//src/test/resources=UTF-8 +encoding/=UTF-8 diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs new file mode 100644 index 0000000..2f5cc74 --- /dev/null +++ b/.settings/org.eclipse.jdt.core.prefs @@ -0,0 +1,8 @@ +eclipse.preferences.version=1 +org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8 +org.eclipse.jdt.core.compiler.compliance=1.8 +org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled +org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning +org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore +org.eclipse.jdt.core.compiler.release=disabled +org.eclipse.jdt.core.compiler.source=1.8 diff --git a/.settings/org.eclipse.m2e.core.prefs b/.settings/org.eclipse.m2e.core.prefs new file mode 100644 index 0000000..f897a7f --- /dev/null +++ b/.settings/org.eclipse.m2e.core.prefs @@ -0,0 +1,4 @@ +activeProfiles= +eclipse.preferences.version=1 +resolveWorkspaceProjects=true +version=1 diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..3c9e16b --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,8 @@ +This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +# Changelog for Common Smartgears + +## [v.1.0.0] - 2013-10-24 + +- First Release + diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..3af0507 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,312 @@ +# European Union Public Licence V. 1.1 + + +EUPL © the European Community 2007 + + +This European Union Public Licence (the “EUPL”) applies to the Work or Software +(as defined below) which is provided under the terms of this Licence. Any use of +the Work, other than as authorised under this Licence is prohibited (to the +extent such use is covered by a right of the copyright holder of the Work). + +The Original Work is provided under the terms of this Licence when the Licensor +(as defined below) has placed the following notice immediately following the +copyright notice for the Original Work: + +Licensed under the EUPL V.1.1 + +or has expressed by any other mean his willingness to license under the EUPL. + + + +## 1. Definitions + +In this Licence, the following terms have the following meaning: + +- The Licence: this Licence. + +- The Original Work or the Software: the software distributed and/or + communicated by the Licensor under this Licence, available as Source Code and + also as Executable Code as the case may be. + +- Derivative Works: the works or software that could be created by the Licensee, + based upon the Original Work or modifications thereof. This Licence does not + define the extent of modification or dependence on the Original Work required + in order to classify a work as a Derivative Work; this extent is determined by + copyright law applicable in the country mentioned in Article 15. + +- The Work: the Original Work and/or its Derivative Works. + +- The Source Code: the human-readable form of the Work which is the most + convenient for people to study and modify. + +- The Executable Code: any code which has generally been compiled and which is + meant to be interpreted by a computer as a program. + +- The Licensor: the natural or legal person that distributes and/or communicates + the Work under the Licence. + +- Contributor(s): any natural or legal person who modifies the Work under the + Licence, or otherwise contributes to the creation of a Derivative Work. + +- The Licensee or “You”: any natural or legal person who makes any usage of the + Software under the terms of the Licence. + +- Distribution and/or Communication: any act of selling, giving, lending, + renting, distributing, communicating, transmitting, or otherwise making + available, on-line or off-line, copies of the Work or providing access to its + essential functionalities at the disposal of any other natural or legal + person. + + + +## 2. Scope of the rights granted by the Licence + +The Licensor hereby grants You a world-wide, royalty-free, non-exclusive, +sub-licensable licence to do the following, for the duration of copyright vested +in the Original Work: + +- use the Work in any circumstance and for all usage, reproduce the Work, modify +- the Original Work, and make Derivative Works based upon the Work, communicate +- to the public, including the right to make available or display the Work or +- copies thereof to the public and perform publicly, as the case may be, the +- Work, distribute the Work or copies thereof, lend and rent the Work or copies +- thereof, sub-license rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports and formats, whether now +known or later invented, as far as the applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to +exercise his moral right to the extent allowed by law in order to make effective +the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non exclusive usage rights to +any patents held by the Licensor, to the extent necessary to make use of the +rights granted on the Work under this Licence. + + + +## 3. Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form, or as +Executable Code. If the Work is provided as Executable Code, the Licensor +provides in addition a machine-readable copy of the Source Code of the Work +along with each copy of the Work that the Licensor distributes or indicates, in +a notice following the copyright notice attached to the Work, a repository where +the Source Code is easily and freely accessible for as long as the Licensor +continues to distribute and/or communicate the Work. + + + +## 4. Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from +any exception or limitation to the exclusive rights of the rights owners in the +Original Work or Software, of the exhaustion of those rights or of other +applicable limitations thereto. + + + +## 5. Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and +obligations imposed on the Licensee. Those obligations are the following: + +Attribution right: the Licensee shall keep intact all copyright, patent or +trademarks notices and all notices that refer to the Licence and to the +disclaimer of warranties. The Licensee must include a copy of such notices and a +copy of the Licence with every copy of the Work he/she distributes and/or +communicates. The Licensee must cause any Derivative Work to carry prominent +notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes and/or communicates copies of the +Original Works or Derivative Works based upon the Original Work, this +Distribution and/or Communication will be done under the terms of this Licence +or of a later version of this Licence unless the Original Work is expressly +distributed only under this version of the Licence. The Licensee (becoming +Licensor) cannot offer or impose any additional terms or conditions on the Work +or Derivative Work that alter or restrict the terms of the Licence. + +Compatibility clause: If the Licensee Distributes and/or Communicates Derivative +Works or copies thereof based upon both the Original Work and another work +licensed under a Compatible Licence, this Distribution and/or Communication can +be done under the terms of this Compatible Licence. For the sake of this clause, +“Compatible Licence” refers to the licences listed in the appendix attached to +this Licence. Should the Licensee’s obligations under the Compatible Licence +conflict with his/her obligations under this Licence, the obligations of the +Compatible Licence shall prevail. + +Provision of Source Code: When distributing and/or communicating copies of the +Work, the Licensee will provide a machine-readable copy of the Source Code or +indicate a repository where this Source will be easily and freely available for +as long as the Licensee continues to distribute and/or communicate the Work. + +Legal Protection: This Licence does not grant permission to use the trade names, +trademarks, service marks, or names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + + + +## 6. Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted +hereunder is owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings +to the Work are owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent +Contributors grant You a licence to their contributions to the Work, under the +terms of this Licence. + + + +## 7. Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous +contributors. It is not a finished work and may therefore contain defects or +“bugs” inherent to this type of software development. + +For the above reason, the Work is provided under the Licence on an “as is” basis +and without warranties of any kind concerning the Work, including without +limitation merchantability, fitness for a particular purpose, absence of defects +or errors, accuracy, non-infringement of intellectual property rights other than +copyright as stated in Article 6 of this Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition +for the grant of any rights to the Work. + + + +## 8. Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural +persons, the Licensor will in no event be liable for any direct or indirect, +material or moral, damages of any kind, arising out of the Licence or of the use +of the Work, including without limitation, damages for loss of goodwill, work +stoppage, computer failure or malfunction, loss of data or any commercial +damage, even if the Licensor has been advised of the possibility of such +damage. However, the Licensor will be liable under statutory product liability +laws as far such laws apply to the Work. + + + +## 9. Additional agreements + +While distributing the Original Work or Derivative Works, You may choose to +conclude an additional agreement to offer, and charge a fee for, acceptance of +support, warranty, indemnity, or other liability obligations and/or services +consistent with this Licence. However, in accepting such obligations, You may +act only on your own behalf and on your sole responsibility, not on behalf of +the original Licensor or any other Contributor, and only if You agree to +indemnify, defend, and hold each Contributor harmless for any liability incurred +by, or claims asserted against such Contributor by the fact You have accepted +any such warranty or additional liability. + + + +## 10. Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon “I agree” +placed under the bottom of a window displaying the text of this Licence or by +affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable +acceptance of this Licence and all of its terms and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and +conditions by exercising any rights granted to You by Article 2 of this Licence, +such as the use of the Work, the creation by You of a Derivative Work or the +Distribution and/or Communication by You of the Work or copies thereof. + + + +## 11. Information to the public + +In case of any Distribution and/or Communication of the Work by means of +electronic communication by You (for example, by offering to download the Work +from a remote location) the distribution channel or media (for example, a +website) must at least provide to the public the information requested by the +applicable law regarding the Licensor, the Licence and the way it may be +accessible, concluded, stored and reproduced by the Licensee. + + + +## 12. Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon +any breach by the Licensee of the terms of the Licence. + +Such a termination will not terminate the licences of any person who has +received the Work from the Licensee under the Licence, provided such persons +remain in full compliance with the Licence. + + + +## 13. Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete +agreement between the Parties as to the Work licensed hereunder. + +If any provision of the Licence is invalid or unenforceable under applicable +law, this will not affect the validity or enforceability of the Licence as a +whole. Such provision will be construed and/or reformed so as necessary to make +it valid and enforceable. + +The European Commission may publish other linguistic versions and/or new +versions of this Licence, so far this is required and reasonable, without +reducing the scope of the rights granted by the Licence. New versions of the +Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, +have identical value. Parties can take advantage of the linguistic version of +their choice. + + + +## 14. Jurisdiction + +Any litigation resulting from the interpretation of this License, arising +between the European Commission, as a Licensor, and any Licensee, will be +subject to the jurisdiction of the Court of Justice of the European Communities, +as laid down in article 238 of the Treaty establishing the European Community. + +Any litigation arising between Parties, other than the European Commission, and +resulting from the interpretation of this License, will be subject to the +exclusive jurisdiction of the competent court where the Licensor resides or +conducts its primary business. + + + +## 15. Applicable Law + +This Licence shall be governed by the law of the European Union country where +the Licensor resides or has his registered office. + +This licence shall be governed by the Belgian law if: + +- a litigation arises between the European Commission, as a Licensor, and any +- Licensee; the Licensor, other than the European Commission, has no residence +- or registered office inside a European Union country. + + + +## Appendix + + + +“Compatible Licences” according to article 5 EUPL are: + + +- GNU General Public License (GNU GPL) v. 2 + +- Open Software License (OSL) v. 2.1, v. 3.0 + +- Common Public License v. 1.0 + +- Eclipse Public License v. 1.0 + +- Cecill v. 2.0 + diff --git a/README.md b/README.md new file mode 100644 index 0000000..292b036 --- /dev/null +++ b/README.md @@ -0,0 +1,73 @@ +# GCube Security + +A core gCube library which empower authorization + +## Built With + +* [OpenJDK](https://openjdk.java.net/) - The JDK used +* [Maven](https://maven.apache.org/) - Dependency Management + +## Documentation + +[SmartGears](https://wiki.gcube-system.org/gcube/gCubeSecurity) + +## Change log + +See [Releases](https://code-repo.d4science.org/gCubeSystem/gcube-security/releases). + +## Authors + +* **Luca Frosini** ([ORCID](https://orcid.org/0000-0003-3183-2291)) - [ISTI-CNR Infrascience Group](http://nemis.isti.cnr.it/groups/infrascience) +* **Lucio Lelii** - [ISTI-CNR Infrascience Group](http://nemis.isti.cnr.it/groups/infrascience) + + +## How to Cite this Software + +Tell people how to cite this software. +* Cite an associated paper? +* Use a specific BibTeX entry for the software? + + + @Manual{, + title = {Common Smartgears}, + author = {{Frosini, Luca}, {Lelii, Lucio}}, + organization = {{ISTI - CNR}, {FAO}}, + address = {{Pisa, Italy}, {Roma, Italy}}, + year = 2022, + url = {http://www.gcube-system.org/} + } + +## License + +This project is licensed under the EUPL V.1.1 License - see the [LICENSE.md](LICENSE.md) file for details. + + +## About the gCube Framework +This software is part of the [gCubeFramework](https://www.gcube-system.org/ "gCubeFramework"): an +open-source software toolkit used for building and operating Hybrid Data +Infrastructures enabling the dynamic deployment of Virtual Research Environments +by favouring the realisation of reuse oriented policies. + +The projects leading to this software have received funding from a series of European Union programmes including: + +- the Sixth Framework Programme for Research and Technological Development + - DILIGENT (grant no. 004260). +- the Seventh Framework Programme for research, technological development and demonstration + - D4Science (grant no. 212488); + - D4Science-II (grant no.239019); + - ENVRI (grant no. 283465); + - iMarine(grant no. 283644); + - EUBrazilOpenBio (grant no. 288754). +- the H2020 research and innovation programme + - SoBigData (grant no. 654024); + - PARTHENOS (grant no. 654119); + - EGIEngage (grant no. 654142); + - ENVRIplus (grant no. 654182); + - BlueBRIDGE (grant no. 675680); + - PerformFish (grant no. 727610); + - AGINFRAplus (grant no. 731001); + - DESIRA (grant no. 818194); + - ARIADNEplus (grant no. 823914); + - RISIS2 (grant no. 824091); + + diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000..4e3917e --- /dev/null +++ b/pom.xml @@ -0,0 +1,38 @@ + + 4.0.0 + org.gcube.common + common-security + 1.0.0-SNAPSHOT + gcube security + + + maven-parent + org.gcube.tools + 1.1.0 + + + + + + org.gcube.distribution + gcube-bom + 3.0.0-SNAPSHOT + pom + import + + + + + + + org.slf4j + slf4j-api + + + org.gcube.common + keycloak-client + + + \ No newline at end of file diff --git a/src/main/java/org/gcube/common/security/Caller.java b/src/main/java/org/gcube/common/security/Caller.java new file mode 100644 index 0000000..f8b1b30 --- /dev/null +++ b/src/main/java/org/gcube/common/security/Caller.java @@ -0,0 +1,92 @@ +package org.gcube.common.security; + +import java.util.ArrayList; +import java.util.List; + +public class Caller { + + private String clientId; + private List roles = new ArrayList(); + + boolean externalClient; + + private String email; + private String firstName; + private String lastName; + + //"name", as the client pretty name, e.g. Catalogue for gcat, Workspace for storage-hub + private String clientName; + + //username of the user who requested such client + private String contactPerson; + + //the name of the organisation / community using such client. D4Science will be used for internal clients. + private String contactOrganisation; + + + public Caller(String clientId, List roles, boolean external) { + super(); + this.clientId = clientId; + this.roles = roles; + this.externalClient = external; + } + + public Caller(String clientId, List roles, String email, String firstName, String lastName,boolean external) { + super(); + this.clientId = clientId; + this.roles = roles; + this.email = email; + this.firstName = firstName; + this.lastName = lastName; + this.externalClient = external; + } + + public String getId() { + return clientId; + } + + public List getRoles() { + return roles; + } + + public String getEmail() { + return email; + } + + public String getFirstName() { + return firstName; + } + + public String getLastName() { + return lastName; + } + + public boolean isExternalClient() { + return externalClient; + } + + public String getClientName() { + return clientName; + } + + public void setClientName(String clientName) { + this.clientName = clientName; + } + + public String getContactPerson() { + return contactPerson; + } + + public void setContactPerson(String contactPerson) { + this.contactPerson = contactPerson; + } + + public String getContactOrganisation() { + return contactOrganisation; + } + + public void setContactOrganisation(String contactOrganisation) { + this.contactOrganisation = contactOrganisation; + } + +} diff --git a/src/main/java/org/gcube/common/security/GCubeJWTObject.java b/src/main/java/org/gcube/common/security/GCubeJWTObject.java new file mode 100644 index 0000000..8f38386 --- /dev/null +++ b/src/main/java/org/gcube/common/security/GCubeJWTObject.java @@ -0,0 +1,111 @@ +package org.gcube.common.security; + + +import java.io.UnsupportedEncodingException; +import java.net.URLDecoder; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import org.gcube.com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import org.gcube.com.fasterxml.jackson.annotation.JsonProperty; + +@JsonIgnoreProperties(ignoreUnknown = true) +public class GCubeJWTObject { + + protected final static List MINIMAL_ROLES = Arrays.asList("Member"); + + @JsonProperty("aud") + private String context; + + @JsonProperty("resource_access") + private Map contextAccess = new HashMap<>(); + + @JsonProperty("preferred_username") + private String username; + + @JsonProperty("given_name") + private String firstName; + + @JsonProperty("family_name") + private String lastName; + + @JsonProperty("clientId") + private String clientId; + + //"name", as the client pretty name, e.g. Catalogue for gcat, Workspace for storage-hub + @JsonProperty("name") + private String clientName; + + //username of the user who requested such client + @JsonProperty("contact_person") + private String contactPerson; + + //the name of the organisation / community using such client. D4Science will be used for internal clients. + @JsonProperty("contact_organisation") + private String contactOrganisation; + + private static final String INTERNAL_CLIENT_ORGANISATION_NAME = "D4Science"; + + @JsonProperty("email") + private String email; + public List getRoles(){ + return contextAccess.get(this.context) == null ? MINIMAL_ROLES : contextAccess.get(this.context).roles; + } + + public String getContext() { + try { + return URLDecoder.decode(context, StandardCharsets.UTF_8.toString()); + }catch (UnsupportedEncodingException e) { + return context; + } + } + + public String getUsername() { + return username; + } + public boolean isExternalService() { + return contactOrganisation != null && contactOrganisation.equals(INTERNAL_CLIENT_ORGANISATION_NAME); + } + + public String getFirstName() { + return firstName; + } + public String getLastName() { + return lastName; + } + public String getEmail() { + return email; + } + @Override + public String toString() { + return "GcubeJwt [context=" + getContext() + ", roles=" + getRoles() + ", username=" + username + + ", firstName=" + firstName + ", lastName=" + lastName + ", email=" + email + "]"; + } + + + public String getClientName() { + return clientName; + } + + public String getContactPerson() { + return contactPerson; + } + + public String getContactOrganisation() { + return contactOrganisation; + } + + + + public static class Roles { + + @JsonProperty("roles") + List roles = new ArrayList<>(); + + } + +} + diff --git a/src/main/java/org/gcube/common/security/secrets/GCubeSecret.java b/src/main/java/org/gcube/common/security/secrets/GCubeSecret.java new file mode 100644 index 0000000..ca74f44 --- /dev/null +++ b/src/main/java/org/gcube/common/security/secrets/GCubeSecret.java @@ -0,0 +1,80 @@ +package org.gcube.common.security.secrets; + +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; +import java.util.regex.Pattern; + +import org.gcube.common.authorization.client.Constants; +import org.gcube.common.authorization.library.AuthorizationEntry; +import org.gcube.common.authorization.library.ClientType; +import org.gcube.common.security.Caller; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public class GCubeSecret extends Secret { + + public static final String GCUBE_TOKEN_REGEX = "^([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}-[a-fA-F0-9]{8,9}){1}$"; + + private String gcubeToken; + private Caller caller; + private String context; + + public GCubeSecret(String gcubeToken) { + Objects.requireNonNull(gcubeToken); + if(!Pattern.matches(GCubeSecret.GCUBE_TOKEN_REGEX, gcubeToken)) + throw new RuntimeException("The GUCBE token must comply with the regex " + GCUBE_TOKEN_REGEX); + this.gcubeToken = gcubeToken; + } + + private void init() throws Exception{ + AuthorizationEntry authorizationEntry = Constants.authorizationService().get(gcubeToken); + this.caller = new Caller(authorizationEntry.getClientInfo().getId(), + authorizationEntry.getClientInfo().getRoles(), authorizationEntry.getClientInfo().getType()!=ClientType.USER); + this.context = authorizationEntry.getContext(); + } + + + @Override + public Caller getCaller() { + if (Objects.isNull(caller)) + try { + init(); + } catch (Exception e) { + throw new RuntimeException("error retrieving context",e); + } + + return caller; + } + + @Override + public String getContext() { + if (Objects.isNull(context)) + try { + init(); + } catch (Exception e) { + throw new RuntimeException("error retrieving context",e); + } + + return context; + } + + @Override + public Map getHTTPAuthorizationHeaders() { + Map authorizationHeaders = new HashMap<>(); + authorizationHeaders.put(org.gcube.common.authorization.client.Constants.TOKEN_HEADER_ENTRY, gcubeToken); + return authorizationHeaders; + } + + @Override + public boolean isExpired() { + return false; + } + + @Override + public boolean isRefreshable() { + return false; + } + +} diff --git a/src/main/java/org/gcube/common/security/secrets/JWTSecret.java b/src/main/java/org/gcube/common/security/secrets/JWTSecret.java new file mode 100644 index 0000000..2a2622c --- /dev/null +++ b/src/main/java/org/gcube/common/security/secrets/JWTSecret.java @@ -0,0 +1,165 @@ +package org.gcube.common.security.secrets; + +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.TimeUnit; + +import org.gcube.com.fasterxml.jackson.databind.ObjectMapper; +import org.gcube.common.keycloak.KeycloakClientFactory; +import org.gcube.common.keycloak.model.AccessToken; +import org.gcube.common.keycloak.model.ModelUtils; +import org.gcube.common.keycloak.model.RefreshToken; +import org.gcube.common.keycloak.model.TokenResponse; +import org.gcube.common.keycloak.model.util.Time; +import org.gcube.common.security.Caller; +import org.gcube.common.security.GCubeJWTObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import providers.RenewalProvider; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public class JWTSecret extends Secret { + + private static final Logger logger = LoggerFactory.getLogger(JWTSecret.class); + + /** + * The interval of time expressed in milliseconds used as guard to refresh the token before that it expires . + * TimeUnit has been used to in place of just + * using the number to have a clearer code + */ + public static final long TOLERANCE = TimeUnit.MILLISECONDS.toMillis(200); + + protected String jwtToken; + + protected AccessToken accessToken; + protected TokenResponse tokenResponse; + protected RenewalProvider renewalProvider; + protected Caller caller; + protected String context; + + protected boolean initialised = false; + + public JWTSecret(String jwtToken) { + this.jwtToken = jwtToken; + } + + private String getTokenString() { + try { + boolean expired = false; + getAccessToken(); + + if(Time.currentTimeMillis()>=(accessToken.getExp()-TOLERANCE)) { + expired = true; + if(tokenResponse!=null) { + try { + KeycloakClientFactory.newInstance().refreshToken(this.getCaller().getId(), tokenResponse); + expired = false; + }catch (Exception e) { + logger.warn("Unable to refresh the token with RefreshToken. Going to try to renew it if possible.", e); + } + } + } + + if(expired && renewalProvider!=null) { + try { + JWTSecret renewed = (JWTSecret) renewalProvider.renew(); + this.jwtToken = renewed.jwtToken; + this.accessToken = getAccessToken(); + }catch (Exception e) { + logger.warn("Unable to renew the token with the RenewalProvider. I'll continue using the old token.", e); + } + } + }catch (Exception e) { + logger.error("Unexpected error in the procedure to evaluate/refresh the current token. I'll continue using the old token.", e); + } + return jwtToken; + } + + + protected AccessToken getAccessToken() { + if(accessToken==null) { + String realUmaTokenEncoded = jwtToken.split("\\.")[1]; + String realUmaToken = new String(Base64.getDecoder().decode(realUmaTokenEncoded.getBytes())); + ObjectMapper mapper = new ObjectMapper(); + try { + accessToken = mapper.readValue(realUmaToken, AccessToken.class); + }catch(Exception e){ + logger.error("Error parsing JWT token",e); + throw new RuntimeException("Error parsing JWT token", e); + } + } + return accessToken; + } + + private synchronized void init() { + if (!initialised) + try { + ObjectMapper objectMapper = new ObjectMapper(); + String accessTokenString = objectMapper.writeValueAsString(getAccessToken()); + GCubeJWTObject obj = objectMapper.readValue(accessTokenString, GCubeJWTObject.class); + Caller caller = new Caller(obj.getUsername(), obj.getRoles(), obj.getEmail(), obj.getFirstName(), obj.getLastName(), obj.isExternalService()); + caller.setClientName(obj.getClientName()); + caller.setContactOrganisation(obj.getContactOrganisation()); + caller.setClientName(obj.getClientName()); + context = obj.getContext(); + initialised = true; + } catch (Exception e) { + throw new RuntimeException(); + } + + } + + @Override + public Caller getCaller() { + init(); + return this.caller; + } + + @Override + public String getContext() { + init(); + return context; + } + + @Override + public Map getHTTPAuthorizationHeaders() { + Map authorizationHeaders = new HashMap<>(); + authorizationHeaders.put("Authorization", "Bearer " + getTokenString()); + return authorizationHeaders; + } + + public void setRenewalProvider(RenewalProvider renewalProvider) { + this.renewalProvider = renewalProvider; + } + + public void setTokenResponse(TokenResponse tokenResponse) { + this.tokenResponse = tokenResponse; + } + + protected boolean isExpired(AccessToken accessToken) { + return Time.currentTimeMillis()>accessToken.getExp(); + } + + @Override + public boolean isExpired() { + return isExpired(getAccessToken()); + } + + @Override + public boolean isRefreshable() { + if(tokenResponse!=null) { + try { + RefreshToken refreshToken = ModelUtils.getRefreshTokenFrom(tokenResponse); + return isExpired(refreshToken); + } catch (Exception e) { + return false; + } + } + return false; + } + +} \ No newline at end of file diff --git a/src/main/java/org/gcube/common/security/secrets/Secret.java b/src/main/java/org/gcube/common/security/secrets/Secret.java new file mode 100644 index 0000000..917d573 --- /dev/null +++ b/src/main/java/org/gcube/common/security/secrets/Secret.java @@ -0,0 +1,22 @@ +package org.gcube.common.security.secrets; + +import java.util.Map; + +import org.gcube.common.security.Caller; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public abstract class Secret { + + public abstract Caller getCaller(); + + public abstract String getContext(); + + public abstract Map getHTTPAuthorizationHeaders(); + + public abstract boolean isExpired(); + + public abstract boolean isRefreshable(); + +} diff --git a/src/main/java/org/gcube/common/security/secrets/SecretUtility.java b/src/main/java/org/gcube/common/security/secrets/SecretUtility.java new file mode 100644 index 0000000..f991fe9 --- /dev/null +++ b/src/main/java/org/gcube/common/security/secrets/SecretUtility.java @@ -0,0 +1,22 @@ +package org.gcube.common.security.secrets; + +import java.util.regex.Pattern; + +import org.gcube.common.security.secrets.Secret; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public class SecretUtility { + + public static final String UUID_REGEX = "^([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}-[a-fA-F0-9]{8,9}){1}$"; + + public static Secret getSecretByTokenString(String token) { + if(Pattern.matches(UUID_REGEX, token)) { + return new GCubeSecret(token); + }else { + return new JWTSecret(token); + } + } + +} diff --git a/src/main/java/providers/ClientIDManager.java b/src/main/java/providers/ClientIDManager.java new file mode 100644 index 0000000..12bacfc --- /dev/null +++ b/src/main/java/providers/ClientIDManager.java @@ -0,0 +1,48 @@ +package providers; + +import org.gcube.common.keycloak.KeycloakClientFactory; +import org.gcube.common.keycloak.model.TokenResponse; +import org.gcube.common.security.secrets.JWTSecret; +import org.gcube.common.security.secrets.Secret; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public class ClientIDManager implements RenewalProvider { + + protected final String clientID; + protected final String clientSecret; + + public ClientIDManager(String clientID, String clientSecret) { + this.clientID = clientID; + this.clientSecret = clientSecret; + } + + public Secret getSecret() throws Exception { + TokenResponse tokenResponse = KeycloakClientFactory.newInstance().queryUMAToken(clientID, clientSecret, null); + + JWTSecret jwtSecret = new JWTSecret(tokenResponse.getAccessToken()); + jwtSecret.setRenewalProvider(this); + + jwtSecret.setTokenResponse(tokenResponse); + + return jwtSecret; + } + + public Secret getSecret(String context) throws Exception { + TokenResponse tokenResponse = KeycloakClientFactory.newInstance().queryUMAToken(clientID, clientSecret, context, null); + + JWTSecret jwtSecret = new JWTSecret(tokenResponse.getAccessToken()); + jwtSecret.setRenewalProvider(this); + + jwtSecret.setTokenResponse(tokenResponse); + + return jwtSecret; + } + + @Override + public Secret renew() throws Exception { + return getSecret(); + } + +} diff --git a/src/main/java/providers/RenewalProvider.java b/src/main/java/providers/RenewalProvider.java new file mode 100644 index 0000000..63ab8a3 --- /dev/null +++ b/src/main/java/providers/RenewalProvider.java @@ -0,0 +1,11 @@ +package providers; + +import org.gcube.common.security.secrets.Secret; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public interface RenewalProvider { + + public Secret renew() throws Exception; +} diff --git a/src/main/java/providers/SecretManagerProvider.java b/src/main/java/providers/SecretManagerProvider.java new file mode 100644 index 0000000..2864c68 --- /dev/null +++ b/src/main/java/providers/SecretManagerProvider.java @@ -0,0 +1,37 @@ +package providers; + +import org.gcube.common.security.secrets.Secret; + +/** + * @author Luca Frosini (ISTI - CNR) + */ +public class SecretManagerProvider { + + public static SecretManagerProvider instance = new SecretManagerProvider(); + + // Thread local variable containing each thread's ID + private static final InheritableThreadLocal thread = new InheritableThreadLocal() { + + @Override + protected Secret initialValue() { + return null; + } + + }; + + private SecretManagerProvider(){} + + public Secret get(){ + Secret secret = thread.get(); + return secret; + } + + public void set(Secret secret){ + thread.set(secret); + } + + public void reset(){ + thread.remove(); + } + +}