adde validation on acess token
This commit is contained in:
parent
b73a2963e5
commit
c92f119a0c
@ -7,6 +7,9 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.inv
import java.util.Set;
import org.gcube.common.keycloak.KeycloakClient;
import org.gcube.common.keycloak.KeycloakClientException;
import org.gcube.common.keycloak.KeycloakClientFactory;
import org.gcube.common.security.ContextBean;
import org.gcube.common.security.ContextBean.Type;
import org.gcube.common.security.providers.SecretManagerProvider;
@ -20,6 +23,7 @@ import org.gcube.smartgears.context.application.ApplicationContext;
import org.gcube.smartgears.handlers.application.RequestEvent;
import org.gcube.smartgears.handlers.application.RequestHandler;
import org.gcube.smartgears.handlers.application.ResponseEvent;
import org.gcube.smartgears.security.SimpleCredentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -42,9 +46,9 @@ public class RequestValidator extends RequestHandler {
log.trace("executing request validator ON REQUEST");
appContext = call.context();
SecretManagerProvider.instance.set(getSecret(call));
validateAgainstLifecycle(call);
rejectUnauthorizedCalls(call);
@ -116,7 +120,7 @@ public class RequestValidator extends RequestHandler {
}
private void validatePolicy(RequestEvent call){
//TODO: must be rethought
//TODO: must be re-thought
}
private Secret getSecret(RequestEvent call){
@ -126,16 +130,26 @@ public class RequestValidator extends RequestHandler {
log.trace("authorization header is {}",authHeader);
log.trace("token header is {}", token);
log.info("d4s-user set to {} ", call.request().getHeader("d4s-user"));
String accessToken = null;
if (authHeader!=null && !authHeader.isEmpty())
if (authHeader.startsWith(BEARER_AUTH_PREFIX))
accessToken = authHeader.substring(BEARER_AUTH_PREFIX.length()).trim();
Secret secret = null;
if (accessToken!=null)
if (accessToken!=null) {
secret = new AccessTokenSecret(accessToken);
else if (token!=null)
secret = new GCubeSecret(token);
SimpleCredentials credentials = (SimpleCredentials)appContext.container().configuration().authorizationProvider().getCredentials();
KeycloakClient client = KeycloakClientFactory.newInstance();
try {
if(!client.isAccessTokenVerified(secret.getContext(), credentials.getClientID(), credentials.getSecret(), accessToken))
invalid_request_error.fire("access token verification error");
}catch (KeycloakClientException e) {
RequestError.internal_server_error.fire("error contacting keycloak client", e);
}
} else if (token!=null)
secret = new GCubeSecret(token);
return secret;
}
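Review bot: The downcast on the `SimpleCredentials credentials = (SimpleCredentials) ... getCredentials();` line is unchecked, and the AuthorizationProvider interface extended in this same commit declares the method as returning `Credentials`, so a provider that returns a different implementation or null ends in a ClassCastException or NullPointerException at `credentials.getClientID()` rather than a controlled request error. A second concern is ordering: `secret` is already assigned `new AccessTokenSecret(accessToken)` before Keycloak is consulted and `secret.getContext()` presumably comes from the claims of that still-unverified token, so if `invalid_request_error.fire(...)` returns normally instead of throwing (not visible from this hunk) the unverified secret is returned and installed by `SecretManagerProvider.instance.set(getSecret(call))` in the onRequest hunk above. The `token` header branch (`GCubeSecret`) receives no verification here; if that is deliberate because it is checked elsewhere, a comment saying so would prevent the next reader from assuming both paths are equivalent. The `getSecret` method starts before this hunk. The restructuring below guards the credentials lookup, keeps the candidate secret in a local until verification succeeds, and returns explicitly after each `fire(...)` so the outcome does not depend on whether `fire` throws.
```java
Secret secret = null;
if (accessToken != null) {
    // The context is read from a token that has not been verified yet; Keycloak confirms it below.
    AccessTokenSecret candidate = new AccessTokenSecret(accessToken);
    Object creds = appContext.container().configuration().authorizationProvider().getCredentials();
    if (!(creds instanceof SimpleCredentials)) {
        RequestError.internal_server_error.fire("no client credentials available for access token verification");
        return null;
    }
    SimpleCredentials credentials = (SimpleCredentials) creds;
    KeycloakClient client = KeycloakClientFactory.newInstance();
    try {
        if (!client.isAccessTokenVerified(candidate.getContext(), credentials.getClientID(), credentials.getSecret(), accessToken)) {
            invalid_request_error.fire("access token verification error");
            return null;
        }
    } catch (KeycloakClientException e) {
        RequestError.internal_server_error.fire("error contacting keycloak client", e);
        return null;
    }
    secret = candidate;
} else if (token != null) {
    // NOTE(review): the legacy token header is not verified here — confirm it is validated elsewhere.
    secret = new GCubeSecret(token);
}
return secret;
```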
@ -2,6 +2,7 @@ package org.gcube.smartgears.security;
import java.util.Set;
import org.gcube.common.security.credentials.Credentials;
import org.gcube.common.security.secrets.Secret;
public interface AuthorizationProvider {
@ -9,4 +10,6 @@ public interface AuthorizationProvider {
Set<String> getContexts();
Secret getSecretForContext(String context);
Credentials getCredentials();
}
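Review bot: The new `Credentials getCredentials();` declaration has no Javadoc, and the only caller visible in this commit (the `getSecret` hunk in RequestValidator) immediately casts the result to `SimpleCredentials` to read a client id and secret, which makes the abstract return type misleading. Either narrow the declaration to the type callers actually need, or document the contract, e.g. `/** Credentials this node uses to authenticate itself to the identity provider when verifying access tokens. */`, and state explicitly whether the method may return null, since that caller dereferences the result without a check. The untouched `getContexts()` and `getSecretForContext(String)` declarations in this interface would benefit from the same treatment.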
@ -70,8 +70,6 @@ public class DefaultAuthorizationProvider implements AuthorizationProvider {
}
@Deprecated
//TODO: remove when whnManager will be removed
public SimpleCredentials getCredentials() {
return credentials;
}