d4science-iam-client/src/main/java/org/gcube/common/iam/D4ScienceIAMClient.java


package org.gcube.common.iam;
import java.net.URL;
import java.util.List;
import java.util.Objects;

import org.gcube.common.keycloak.KeycloakClient;
import org.gcube.common.keycloak.KeycloakClientException;
import org.gcube.common.keycloak.KeycloakClientFactory;
/**
* Helper class acting as an IAM client: it provides authentication and authorization against the IAM while hiding the underlying (Keycloak) implementation from callers.
*
* @author Mauro Mugnaini
*/
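public class D4ScienceIAMClient {

    /** Underlying Keycloak client that performs the actual IAM calls; never {@code null}. */
    private final KeycloakClient keycloakClient;

    /** Token endpoint the client credentials are sent to; never {@code null}. */
    private final URL tokenEndpointURL;

    /**
     * Creates a new client for the specific context, in the default IAM realm.
     * The token endpoint URL is resolved through the Keycloak client from the realm base URL of the context.
     *
     * @param context the context to be used to obtain the endpoint URL
     * @return the client to be used for authn and authz requests
     * @throws D4ScienceIAMClientException if an error occurs obtaining the base URL or the token endpoint URL
     */
    public static D4ScienceIAMClient newInstance(String context) throws D4ScienceIAMClientException {
        KeycloakClient keycloakClient = KeycloakClientFactory.newInstance();
        try {
            URL realmBaseURL = keycloakClient.getRealmBaseURL(context);
            return new D4ScienceIAMClient(keycloakClient, keycloakClient.getTokenEndpointURL(realmBaseURL));
        } catch (KeycloakClientException e) {
            // Wrap rather than leak the Keycloak-specific exception type to callers.
            throw new D4ScienceIAMClientException(e);
        }
    }

    /**
     * Creates a new client for the specific context, in the given IAM realm.
     * The token endpoint URL is resolved through the Keycloak client from the realm base URL of the context and realm.
     *
     * @param context the context to be used to obtain the endpoint URL
     * @param realm the IAM realm
     * @return the client to be used for authn and authz requests
     * @throws D4ScienceIAMClientException if an error occurs obtaining the base URL or the token endpoint URL
     */
    public static D4ScienceIAMClient newInstance(String context, String realm) throws D4ScienceIAMClientException {
        KeycloakClient keycloakClient = KeycloakClientFactory.newInstance();
        try {
            URL realmBaseURL = keycloakClient.getRealmBaseURL(context, realm);
            return new D4ScienceIAMClient(keycloakClient, keycloakClient.getTokenEndpointURL(realmBaseURL));
        } catch (KeycloakClientException e) {
            // Wrap rather than leak the Keycloak-specific exception type to callers.
            throw new D4ScienceIAMClientException(e);
        }
    }

    /**
     * Creates a new client with the provided token endpoint URL.
     * <p>
     * The URL is used as-is: no scheme, host or path check is performed. Since the client credentials passed to
     * {@link #authenticate(String, String, String)} and {@link #authorize(String, String, String, List)} are handed
     * to helpers built around this client, the URL should only come from trusted configuration and should use HTTPS;
     * the client does not enforce this.
     *
     * @param tokenEndpointURL the token endpoint URL, must not be {@code null}
     * @return the client to be used for authn and authz requests
     * @throws NullPointerException if {@code tokenEndpointURL} is {@code null}
     */
    public static D4ScienceIAMClient newInstance(URL tokenEndpointURL) {
        return new D4ScienceIAMClient(KeycloakClientFactory.newInstance(), tokenEndpointURL);
    }

    /**
     * Builds the client around an already-created Keycloak client and a resolved token endpoint.
     * Both arguments are validated here so that a misconfigured client fails at construction time
     * instead of at the first authn/authz request.
     *
     * @param keycloakClient the underlying Keycloak client, must not be {@code null}
     * @param tokenEndpointURL the token endpoint URL, must not be {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    private D4ScienceIAMClient(KeycloakClient keycloakClient, URL tokenEndpointURL) {
        this.keycloakClient = Objects.requireNonNull(keycloakClient, "keycloakClient must not be null");
        this.tokenEndpointURL = Objects.requireNonNull(tokenEndpointURL, "tokenEndpointURL must not be null");
    }

    /**
     * Returns the underlying Keycloak client. Exposed to subclasses and to the authn/authz helper objects only.
     *
     * @return the Keycloak client, never {@code null}
     */
    protected KeycloakClient getKeycloakClient() {
        return this.keycloakClient;
    }

    /**
     * Returns the token endpoint URL this client was created with.
     *
     * @return the token endpoint URL, never {@code null}
     */
    public URL getTokenEndpointURL() {
        return this.tokenEndpointURL;
    }

    /**
     * Authenticates the client with the provided id and secret, without restricting the token audience.
     * Equivalent to {@code authenticate(clientId, clientSecret, null)}.
     *
     * @param clientId the client id
     * @param clientSecret the client secret; treat as sensitive and never log it
     * @return the authn object
     * @throws D4ScienceIAMClientException if an error occurs during the authn process
     */
    public D4ScienceIAMClientAuthn authenticate(String clientId, String clientSecret)
            throws D4ScienceIAMClientException {
        return authenticate(clientId, clientSecret, null);
    }

    /**
     * Authenticates the client with the provided credentials, reducing the token audience to the requested one.
     *
     * @param clientId the client id
     * @param clientSecret the client secret; treat as sensitive and never log it
     * @param audience the requested audience (e.g. a specific context), or {@code null} for no audience restriction
     * @return the authn object
     * @throws D4ScienceIAMClientException if an error occurs during the authn process
     */
    public D4ScienceIAMClientAuthn authenticate(String clientId, String clientSecret, String audience)
            throws D4ScienceIAMClientException {
        return new D4ScienceIAMClientAuthn(this, clientId, clientSecret, audience);
    }

    /**
     * Directly authorizes the client by using the provided credentials, for the specific audience and with
     * optional permissions.
     *
     * @param clientId the client id
     * @param clientSecret the client secret; treat as sensitive and never log it
     * @param audience the requested audience (e.g. a specific context)
     * @param permissions the optional permissions
     * @return the authz object
     * @throws D4ScienceIAMClientException if an error occurs during the authz process
     */
    public D4ScienceIAMClientAuthz authorize(String clientId, String clientSecret, String audience,
            List<String> permissions) throws D4ScienceIAMClientException {
        return new D4ScienceIAMClientAuthz(this, clientId, clientSecret, audience, permissions);
    }
}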