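package org.gcube.common.iam;

import java.net.URL;
import java.util.List;
import java.util.Objects;

import org.gcube.common.keycloak.KeycloakClient;
import org.gcube.common.keycloak.KeycloakClientException;
import org.gcube.common.keycloak.KeycloakClientFactory;

/**
 * Helper class that acts as IAM client providing authentication and authorization using the IAM,
 * hiding the underlying (Keycloak) implementation.
 * <p>
 * An instance only carries the {@link KeycloakClient} and the token endpoint URL it was created
 * with; both fields are set once in the constructor and never changed. The credentials passed to
 * {@link #authenticate} and {@link #authorize} are not stored here: they are handed, together with
 * this client, to the {@link D4ScienceIAMClientAuthn} / {@link D4ScienceIAMClientAuthz} objects
 * returned to the caller.
 * <p>
 * Security notes: the {@code clientSecret} argument is forwarded as-is, so callers must not log it
 * and should not keep it longer than needed. The token endpoint URL is where the credentials end
 * up being presented; when it is supplied directly through {@link #newInstance(URL)} this class
 * performs no validation of it, so the caller is responsible for it being the trusted IAM
 * endpoint (an {@code https} URL obtained from configuration, not from untrusted input).
 *
 * @author Mauro Mugnaini
 */
public class D4ScienceIAMClient {

    /** Underlying Keycloak client used to resolve endpoints; never {@code null}. */
    private final KeycloakClient keycloakClient;

    /** Token endpoint the authn/authz requests are addressed to; never {@code null}. */
    private final URL tokenEndpointURL;

    /**
     * Creates a new client for the specific context, in the default IAM realm.
     * <p>
     * The token endpoint URL is resolved through the {@link KeycloakClient} from the realm base
     * URL of the given context.
     *
     * @param context the context to be used to obtain the endpoint URL
     * @return the client to be used for authn and authz requests
     * @throws D4ScienceIAMClientException if an error occurs obtaining the base URL or the token
     *             endpoint URL
     * @throws NullPointerException if the resolved token endpoint URL is {@code null}
     */
    public static D4ScienceIAMClient newInstance(String context) throws D4ScienceIAMClientException {
        KeycloakClient keycloakClient = KeycloakClientFactory.newInstance();
        try {
            URL realmBaseURL = keycloakClient.getRealmBaseURL(context);
            URL tokenEndpointURL = keycloakClient.getTokenEndpointURL(realmBaseURL);
            return new D4ScienceIAMClient(keycloakClient, tokenEndpointURL);
        } catch (KeycloakClientException e) {
            // Keep the original exception as cause so the Keycloak-level failure stays diagnosable.
            throw new D4ScienceIAMClientException(e);
        }
    }

    /**
     * Creates a new client for the specific context, in the given IAM realm.
     * <p>
     * The token endpoint URL is resolved through the {@link KeycloakClient} from the realm base
     * URL of the given context and realm.
     *
     * @param context the context to be used to obtain the endpoint URL
     * @param realm the IAM realm
     * @return the client to be used for authn and authz requests
     * @throws D4ScienceIAMClientException if an error occurs obtaining the base URL or the token
     *             endpoint URL
     * @throws NullPointerException if the resolved token endpoint URL is {@code null}
     */
    public static D4ScienceIAMClient newInstance(String context, String realm)
            throws D4ScienceIAMClientException {
        KeycloakClient keycloakClient = KeycloakClientFactory.newInstance();
        try {
            URL realmBaseURL = keycloakClient.getRealmBaseURL(context, realm);
            URL tokenEndpointURL = keycloakClient.getTokenEndpointURL(realmBaseURL);
            return new D4ScienceIAMClient(keycloakClient, tokenEndpointURL);
        } catch (KeycloakClientException e) {
            // Keep the original exception as cause so the Keycloak-level failure stays diagnosable.
            throw new D4ScienceIAMClientException(e);
        }
    }

    /**
     * Creates a new client with the provided token endpoint URL.
     * <p>
     * No validation is performed on the URL: the client credentials later given to
     * {@link #authenticate} and {@link #authorize} will be presented to whatever endpoint is
     * passed here, so it must come from a trusted source (typically configuration) and should be
     * an {@code https} URL.
     *
     * @param tokenEndpointURL the token endpoint URL, must not be {@code null}
     * @return the client to be used for authn and authz requests
     * @throws NullPointerException if {@code tokenEndpointURL} is {@code null}
     */
    public static D4ScienceIAMClient newInstance(URL tokenEndpointURL) {
        return new D4ScienceIAMClient(KeycloakClientFactory.newInstance(), tokenEndpointURL);
    }

    /**
     * Builds the client. Both arguments are required; failing here is preferable to a
     * {@code NullPointerException} surfacing later inside an authn/authz request.
     *
     * @param keycloakClient the underlying Keycloak client
     * @param tokenEndpointURL the token endpoint URL
     * @throws NullPointerException if either argument is {@code null}
     */
    private D4ScienceIAMClient(KeycloakClient keycloakClient, URL tokenEndpointURL) {
        this.keycloakClient = Objects.requireNonNull(keycloakClient, "keycloakClient");
        this.tokenEndpointURL = Objects.requireNonNull(tokenEndpointURL, "tokenEndpointURL");
    }

    /**
     * Returns the underlying Keycloak client, for use by subclasses and by the authn/authz
     * helper objects.
     *
     * @return the Keycloak client, never {@code null}
     */
    protected KeycloakClient getKeycloakClient() {
        return this.keycloakClient;
    }

    /**
     * Returns the token endpoint URL this client was created with.
     *
     * @return the token endpoint URL, never {@code null}
     */
    public URL getTokenEndpointURL() {
        return this.tokenEndpointURL;
    }

    /**
     * Authenticates the client with the provided id and secret, without requesting a specific
     * audience (equivalent to {@link #authenticate(String, String, String)} with a {@code null}
     * audience).
     *
     * @param clientId the client id
     * @param clientSecret the client secret; forwarded as-is, never log it
     * @return the authn object
     * @throws D4ScienceIAMClientException if an error occurs during authn process
     */
    public D4ScienceIAMClientAuthn authenticate(String clientId, String clientSecret)
            throws D4ScienceIAMClientException {
        return authenticate(clientId, clientSecret, null);
    }

    /**
     * Authenticates the client with the provided credentials, reducing the token audience to the
     * requested one.
     * <p>
     * The credentials are not retained by this class; they are handed to the returned
     * {@link D4ScienceIAMClientAuthn} together with this client.
     *
     * @param clientId the client id
     * @param clientSecret the client secret; forwarded as-is, never log it
     * @param audience the requested audience (e.g. a specific context), may be {@code null}
     * @return the authn object
     * @throws D4ScienceIAMClientException if an error occurs during authn process
     */
    public D4ScienceIAMClientAuthn authenticate(String clientId, String clientSecret, String audience)
            throws D4ScienceIAMClientException {
        return new D4ScienceIAMClientAuthn(this, clientId, clientSecret, audience);
    }

    /**
     * Directly authorizes the client by using the provided credentials, for the specific audience
     * and with optional permissions.
     * <p>
     * The credentials are not retained by this class; they are handed to the returned
     * {@link D4ScienceIAMClientAuthz} together with this client.
     *
     * @param clientId the client id
     * @param clientSecret the client secret; forwarded as-is, never log it
     * @param audience the requested audience (e.g. a specific context)
     * @param permissions the optional permissions; the element type and the meaning of
     *            {@code null} are defined by {@link D4ScienceIAMClientAuthz}
     * @return the authz object
     * @throws D4ScienceIAMClientException if an error occurs during authz process
     */
    public D4ScienceIAMClientAuthz authorize(String clientId, String clientSecret, String audience,
            List permissions) throws D4ScienceIAMClientException {
        // Raw List kept on purpose: the element type is dictated by D4ScienceIAMClientAuthz's
        // constructor, which is not visible here; narrowing it would risk breaking that call.
        return new D4ScienceIAMClientAuthz(this, clientId, clientSecret, audience, permissions);
    }
}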