adde validation on acess token

2022-09-22 11:27:40 +02:00 · 2022-09-22 11:27:40 +02:00 · c92f119a0c
parent b73a2963e5
commit c92f119a0c
3 changed files with 23 additions and 8 deletions
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@ -7,6 +7,9 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.inv

 import java.util.Set;

+import org.gcube.common.keycloak.KeycloakClient;
+import org.gcube.common.keycloak.KeycloakClientException;
+import org.gcube.common.keycloak.KeycloakClientFactory;
 import org.gcube.common.security.ContextBean;
 import org.gcube.common.security.ContextBean.Type;
 import org.gcube.common.security.providers.SecretManagerProvider;
@ -20,6 +23,7 @@ import org.gcube.smartgears.context.application.ApplicationContext;
 import org.gcube.smartgears.handlers.application.RequestEvent;
 import org.gcube.smartgears.handlers.application.RequestHandler;
 import org.gcube.smartgears.handlers.application.ResponseEvent;
+import org.gcube.smartgears.security.SimpleCredentials;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@ -42,9 +46,9 @@ public class RequestValidator extends RequestHandler {
 		log.trace("executing request validator ON REQUEST");

 		appContext = call.context();
-		
+
 		SecretManagerProvider.instance.set(getSecret(call));
-		
+
 		validateAgainstLifecycle(call);

 		rejectUnauthorizedCalls(call);
@ -116,7 +120,7 @@ public class RequestValidator extends RequestHandler {
 	}

 	private void validatePolicy(RequestEvent call){
-		//TODO: must be rethought
+		//TODO: must be re-thought
 	}

 	private Secret getSecret(RequestEvent call){
@ -126,16 +130,26 @@ public class RequestValidator extends RequestHandler {
 		log.trace("authorization header is {}",authHeader);
 		log.trace("token header is {}", token);

+		log.info("d4s-user set to {} ", call.request().getHeader("d4s-user"));
+
 		String accessToken = null;
 		if (authHeader!=null && !authHeader.isEmpty()) 
 			if (authHeader.startsWith(BEARER_AUTH_PREFIX))
 				accessToken = authHeader.substring(BEARER_AUTH_PREFIX.length()).trim();

 		Secret secret = null;
-		if (accessToken!=null) 
+		if (accessToken!=null) {
 			secret = new AccessTokenSecret(accessToken);
-		else if (token!=null) 
-				secret = new GCubeSecret(token);
+			SimpleCredentials credentials = (SimpleCredentials)appContext.container().configuration().authorizationProvider().getCredentials();
+			KeycloakClient client = KeycloakClientFactory.newInstance();
+			try {
+				if(!client.isAccessTokenVerified(secret.getContext(), credentials.getClientID(), credentials.getSecret(), accessToken))
+					invalid_request_error.fire("access token verification error"); 
+			}catch (KeycloakClientException e) {
+				RequestError.internal_server_error.fire("error contacting keycloak client", e);
+			}
+		} else if (token!=null) 
+			secret = new GCubeSecret(token);
 		return secret;
 	}

--- a/src/main/java/org/gcube/smartgears/security/AuthorizationProvider.java
+++ b/src/main/java/org/gcube/smartgears/security/AuthorizationProvider.java
@ -2,6 +2,7 @@ package org.gcube.smartgears.security;

 import java.util.Set;

+import org.gcube.common.security.credentials.Credentials;
 import org.gcube.common.security.secrets.Secret;

 public interface AuthorizationProvider {
@ -9,4 +10,6 @@ public interface AuthorizationProvider {
 	Set<String> getContexts();
 	
 	Secret getSecretForContext(String context);
+	
+	Credentials getCredentials();
 }
--- a/src/main/java/org/gcube/smartgears/security/defaults/DefaultAuthorizationProvider.java
+++ b/src/main/java/org/gcube/smartgears/security/defaults/DefaultAuthorizationProvider.java
@ -70,8 +70,6 @@ public class DefaultAuthorizationProvider implements AuthorizationProvider {
 		
 	}
 	
-	@Deprecated
-	//TODO: remove when whnManager will be removed
 	public SimpleCredentials getCredentials() {
 		return credentials;
 	}