diff --git a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
index e8df27a..f2a8267 100644
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@@ -7,6 +7,9 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.inv
 import java.util.Set;
+import org.gcube.common.keycloak.KeycloakClient;
+import org.gcube.common.keycloak.KeycloakClientException;
+import org.gcube.common.keycloak.KeycloakClientFactory;
 import org.gcube.common.security.ContextBean;
 import org.gcube.common.security.ContextBean.Type;
 import org.gcube.common.security.providers.SecretManagerProvider;
@@ -20,6 +23,7 @@ import org.gcube.smartgears.context.application.ApplicationContext;
 import org.gcube.smartgears.handlers.application.RequestEvent;
 import org.gcube.smartgears.handlers.application.RequestHandler;
 import org.gcube.smartgears.handlers.application.ResponseEvent;
+import org.gcube.smartgears.security.SimpleCredentials;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -42,9 +46,9 @@ public class RequestValidator extends RequestHandler {
 log.trace("executing request validator ON REQUEST");
 appContext = call.context();
-
+
 SecretManagerProvider.instance.set(getSecret(call));
-
+
 validateAgainstLifecycle(call);
 rejectUnauthorizedCalls(call);
@@ -116,7 +120,7 @@ public class RequestValidator extends RequestHandler {
 }
 private void validatePolicy(RequestEvent call){
- //TODO: must be rethought
+ //TODO: must be re-thought
 }
 private Secret getSecret(RequestEvent call){
@@ -126,16 +130,26 @@ public class RequestValidator extends RequestHandler {
 log.trace("authorization header is {}",authHeader);
 log.trace("token header is {}", token);
+ log.info("d4s-user set to {} ", call.request().getHeader("d4s-user"));
+
 String accessToken = null;
 if (authHeader!=null && !authHeader.isEmpty())
 if (authHeader.startsWith(BEARER_AUTH_PREFIX))
 accessToken = authHeader.substring(BEARER_AUTH_PREFIX.length()).trim();
 Secret secret = null;
- if (accessToken!=null)
+ if (accessToken!=null) {
 secret = new AccessTokenSecret(accessToken);
- else if (token!=null)
- secret = new GCubeSecret(token);
+ SimpleCredentials credentials = (SimpleCredentials)appContext.container().configuration().authorizationProvider().getCredentials();
+ KeycloakClient client = KeycloakClientFactory.newInstance();
+ try {
+ if(!client.isAccessTokenVerified(secret.getContext(), credentials.getClientID(), credentials.getSecret(), accessToken))
+ invalid_request_error.fire("access token verification error");
+ }catch (KeycloakClientException e) {
+ RequestError.internal_server_error.fire("error contacting keycloak client", e);
+ }
+ } else if (token!=null)
+ secret = new GCubeSecret(token);
 return secret;
 }
diff --git a/src/main/java/org/gcube/smartgears/security/AuthorizationProvider.java b/src/main/java/org/gcube/smartgears/security/AuthorizationProvider.java
index 2393a5f..d18e436 100644
--- a/src/main/java/org/gcube/smartgears/security/AuthorizationProvider.java
+++ b/src/main/java/org/gcube/smartgears/security/AuthorizationProvider.java
@@ -2,6 +2,7 @@ package org.gcube.smartgears.security;
 import java.util.Set;
+import org.gcube.common.security.credentials.Credentials;
 import org.gcube.common.security.secrets.Secret;
 public interface AuthorizationProvider {
@@ -9,4 +10,6 @@ public interface AuthorizationProvider {
 Set getContexts();
 Secret getSecretForContext(String context);
+
+ Credentials getCredentials();
 }
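Review bot: The context passed to `isAccessTokenVerified`, `secret.getContext()`, comes from the `AccessTokenSecret` built a line earlier from the still-unverified bearer token; if `getContext()` reads it out of the token's own claims, the caller chooses the context the introspection runs against, so the context should instead come from the node's configuration (or be checked against the provider's `getContexts()` after verification). The `(SimpleCredentials)` cast on `authorizationProvider().getCredentials()` assumes the default provider; the interface only promises `Credentials`, so any other implementation dies here with a `ClassCastException` rather than an explicit `RequestError.internal_server_error.fire("client credentials not configured for token verification")`. `log.info("d4s-user set to {} ", ...)` writes an attacker-supplied request header at INFO on every call while the neighbouring header logs are at TRACE; I'd make it `log.trace` and treat the value as untrusted. Note that the legacy `GCubeSecret(token)` branch still gets no verification in this method (presumably left to `rejectUnauthorizedCalls` — worth confirming), and the whole check relies on `fire(...)` throwing; if it merely records the error, the unverified secret is still returned and installed in `SecretManagerProvider`. The enclosing `getSecret` method starts in the previous hunk.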
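Review bot: The new `Credentials getCredentials();` on `AuthorizationProvider` is undocumented and, as a plain abstract method, becomes a compile-time requirement for every implementation of the interface, including any outside this tree. I'd add Javadoc stating what it returns and how it is used, e.g. `/** Returns this node's own client credentials, used to verify incoming access tokens against the identity provider; the returned object carries a secret and must not be logged. */`. If source compatibility matters, a `default` method throwing `UnsupportedOperationException` keeps existing implementors compiling while still failing loudly when `RequestValidator` needs it. The interface declaration itself starts outside this hunk.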
diff --git a/src/main/java/org/gcube/smartgears/security/defaults/DefaultAuthorizationProvider.java b/src/main/java/org/gcube/smartgears/security/defaults/DefaultAuthorizationProvider.java
index 65363d5..8e9f221 100644
--- a/src/main/java/org/gcube/smartgears/security/defaults/DefaultAuthorizationProvider.java
+++ b/src/main/java/org/gcube/smartgears/security/defaults/DefaultAuthorizationProvider.java
@@ -70,8 +70,6 @@ public class DefaultAuthorizationProvider implements AuthorizationProvider {
 }
- @Deprecated
- //TODO: remove when whnManager will be removed
 public SimpleCredentials getCredentials() {
 return credentials;
 }