adde validation on acess token
This commit is contained in:
parent
b73a2963e5
commit
c92f119a0c
|
@ -7,6 +7,9 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.inv
|
||||||
|
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
import org.gcube.common.keycloak.KeycloakClient;
|
||||||
|
import org.gcube.common.keycloak.KeycloakClientException;
|
||||||
|
import org.gcube.common.keycloak.KeycloakClientFactory;
|
||||||
import org.gcube.common.security.ContextBean;
|
import org.gcube.common.security.ContextBean;
|
||||||
import org.gcube.common.security.ContextBean.Type;
|
import org.gcube.common.security.ContextBean.Type;
|
||||||
import org.gcube.common.security.providers.SecretManagerProvider;
|
import org.gcube.common.security.providers.SecretManagerProvider;
|
||||||
|
@ -20,6 +23,7 @@ import org.gcube.smartgears.context.application.ApplicationContext;
|
||||||
import org.gcube.smartgears.handlers.application.RequestEvent;
|
import org.gcube.smartgears.handlers.application.RequestEvent;
|
||||||
import org.gcube.smartgears.handlers.application.RequestHandler;
|
import org.gcube.smartgears.handlers.application.RequestHandler;
|
||||||
import org.gcube.smartgears.handlers.application.ResponseEvent;
|
import org.gcube.smartgears.handlers.application.ResponseEvent;
|
||||||
|
import org.gcube.smartgears.security.SimpleCredentials;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
@ -42,9 +46,9 @@ public class RequestValidator extends RequestHandler {
|
||||||
log.trace("executing request validator ON REQUEST");
|
log.trace("executing request validator ON REQUEST");
|
||||||
|
|
||||||
appContext = call.context();
|
appContext = call.context();
|
||||||
|
|
||||||
SecretManagerProvider.instance.set(getSecret(call));
|
SecretManagerProvider.instance.set(getSecret(call));
|
||||||
|
|
||||||
validateAgainstLifecycle(call);
|
validateAgainstLifecycle(call);
|
||||||
|
|
||||||
rejectUnauthorizedCalls(call);
|
rejectUnauthorizedCalls(call);
|
||||||
|
@ -116,7 +120,7 @@ public class RequestValidator extends RequestHandler {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void validatePolicy(RequestEvent call){
|
private void validatePolicy(RequestEvent call){
|
||||||
//TODO: must be rethought
|
//TODO: must be re-thought
|
||||||
}
|
}
|
||||||
|
|
||||||
private Secret getSecret(RequestEvent call){
|
private Secret getSecret(RequestEvent call){
|
||||||
|
@ -126,16 +130,26 @@ public class RequestValidator extends RequestHandler {
|
||||||
log.trace("authorization header is {}",authHeader);
|
log.trace("authorization header is {}",authHeader);
|
||||||
log.trace("token header is {}", token);
|
log.trace("token header is {}", token);
|
||||||
|
|
||||||
|
log.info("d4s-user set to {} ", call.request().getHeader("d4s-user"));
|
||||||
|
|
||||||
String accessToken = null;
|
String accessToken = null;
|
||||||
if (authHeader!=null && !authHeader.isEmpty())
|
if (authHeader!=null && !authHeader.isEmpty())
|
||||||
if (authHeader.startsWith(BEARER_AUTH_PREFIX))
|
if (authHeader.startsWith(BEARER_AUTH_PREFIX))
|
||||||
accessToken = authHeader.substring(BEARER_AUTH_PREFIX.length()).trim();
|
accessToken = authHeader.substring(BEARER_AUTH_PREFIX.length()).trim();
|
||||||
|
|
||||||
Secret secret = null;
|
Secret secret = null;
|
||||||
if (accessToken!=null)
|
if (accessToken!=null) {
|
||||||
secret = new AccessTokenSecret(accessToken);
|
secret = new AccessTokenSecret(accessToken);
|
||||||
else if (token!=null)
|
SimpleCredentials credentials = (SimpleCredentials)appContext.container().configuration().authorizationProvider().getCredentials();
|
||||||
secret = new GCubeSecret(token);
|
KeycloakClient client = KeycloakClientFactory.newInstance();
|
||||||
|
try {
|
||||||
|
if(!client.isAccessTokenVerified(secret.getContext(), credentials.getClientID(), credentials.getSecret(), accessToken))
|
||||||
|
invalid_request_error.fire("access token verification error");
|
||||||
|
}catch (KeycloakClientException e) {
|
||||||
|
RequestError.internal_server_error.fire("error contacting keycloak client", e);
|
||||||
|
}
|
||||||
|
} else if (token!=null)
|
||||||
|
secret = new GCubeSecret(token);
|
||||||
return secret;
|
return secret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
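Review bot: The guard `if (accessToken!=null) {` still admits an empty token, because a header of just `Bearer ` yields `""` after `trim()`, which then builds an `AccessTokenSecret` and is sent to Keycloak; tighten it to `if (accessToken!=null && !accessToken.isEmpty()) {`. The context handed to `isAccessTokenVerified` comes from `secret.getContext()`, i.e. from the token that has not yet been verified, so that value is client-asserted until the call returns true and deserves a comment saying so (presumably the client validates the token against that realm; worth confirming). The `(SimpleCredentials)` cast of `authorizationProvider().getCredentials()`, which this commit declares on the interface as `Credentials`, plus the unchecked `credentials.getClientID()`, turns a provider that returns another implementation or `null` into a `ClassCastException`/`NullPointerException` rather than the `internal_server_error` path used for `KeycloakClientException`. The new `log.info("d4s-user set to {} ", ...)` records a client-supplied header at INFO on every request where the neighbouring header logs use trace; note that getSecret's signature lies above this hunk.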
@ -2,6 +2,7 @@ package org.gcube.smartgears.security;
|
||||||
|
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
import org.gcube.common.security.credentials.Credentials;
|
||||||
import org.gcube.common.security.secrets.Secret;
|
import org.gcube.common.security.secrets.Secret;
|
||||||
|
|
||||||
public interface AuthorizationProvider {
|
public interface AuthorizationProvider {
|
||||||
|
@ -9,4 +10,6 @@ public interface AuthorizationProvider {
|
||||||
Set<String> getContexts();
|
Set<String> getContexts();
|
||||||
|
|
||||||
Secret getSecretForContext(String context);
|
Secret getSecretForContext(String context);
|
||||||
|
|
||||||
|
Credentials getCredentials();
|
||||||
}
|
}
|
||||||
|
|
|
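Review bot: `Credentials getCredentials();` is added to the interface without Javadoc, so implementors cannot tell what the credentials are for or whether null is permitted, while the RequestValidator in this commit casts the result to `SimpleCredentials` and reads its client id and secret unchecked. Add something like `/** Returns the client credentials used to verify incoming access tokens; implementations must not return null. */` above the method. If other implementors of AuthorizationProvider exist outside this diff, adding the method as abstract breaks their compilation, which is fine if intended but should be stated in the commit message.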
@ -70,8 +70,6 @@ public class DefaultAuthorizationProvider implements AuthorizationProvider {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Deprecated
|
|
||||||
//TODO: remove when whnManager will be removed
|
|
||||||
public SimpleCredentials getCredentials() {
|
public SimpleCredentials getCredentials() {
|
||||||
return credentials;
|
return credentials;
|
||||||
}
|
}
|
||||||
|
|