added isValid to secrets

This commit is contained in:
lucio 2024-04-30 16:55:51 +02:00
parent 85637986d6
commit 683699aaa3
6 changed files with 51 additions and 17 deletions


@ -47,6 +47,13 @@
<groupId>org.gcube.common</groupId> <groupId>org.gcube.common</groupId>
<artifactId>keycloak-client</artifactId> <artifactId>keycloak-client</artifactId>
</dependency> </dependency>
<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>4.4.0</version>
</dependency>
<dependency> <dependency>
<groupId>org.gcube.common</groupId> <groupId>org.gcube.common</groupId>
<artifactId>common-security</artifactId> <artifactId>common-security</artifactId>
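Review bot: The new `com.auth0:java-jwt:4.4.0` dependency is not referenced by any code change in this commit — `UmaTokenSecret.isValid()` verifies the token through `ModelUtils.isValid` from keycloak-client — so it looks unused unless something outside the shown files consumes it. An unused library still ships on the classpath and widens the supply-chain and vulnerability-tracking surface for no benefit. Either drop it or document the consumer above the `<dependency>`, e.g. `<!-- used by [CLASS_NAME] for [PURPOSE] -->`, so the next maintainer can tell whether it is still needed.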


@ -76,9 +76,10 @@ public class AccessTokenSecret extends Secret {
} }
@Override @Override
public boolean isExpired() { public boolean isValid() {
return false; if (this.umaTokenSecret.isExpired())
refreshAccessToken();
return this.umaTokenSecret.isValid();
} }
} }
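Review bot: `isValid()` now has a side effect — it calls `refreshAccessToken()` whenever the wrapped UMA token is expired — which a caller reading the method name will not expect, and nothing shown says whether a failed refresh leaves `umaTokenSecret` pointing at the old expired token (so the final `isValid()` reports on stale state) or throws out of what callers treat as a pure check. Document this on the method, e.g. `/** Refreshes the access token if the underlying UMA token is expired, then verifies it against Keycloak; may perform network I/O and propagate exceptions from the refresh. */`, or move the refresh into an explicit step so that `isValid()` stays read-only. `refreshAccessToken()` is defined outside the hunk, so whether it replaces `umaTokenSecret` cannot be confirmed here.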


@ -58,7 +58,7 @@ public class CredentialSecret extends Secret {
} }
@Override @Override
public boolean isExpired() { public boolean isValid() {
return false; return this.accessTokenSecret.isValid();
} }
} }


@ -52,6 +52,10 @@ public class GCubeJWTObject {
@JsonProperty("email") @JsonProperty("email")
private String email; private String email;
@JsonProperty("exp")
private long expirationTime;
public List<String> getRoles(){ public List<String> getRoles(){
return contextAccess.get(this.context) == null ? MINIMAL_ROLES : contextAccess.get(this.context).roles; return contextAccess.get(this.context) == null ? MINIMAL_ROLES : contextAccess.get(this.context).roles;
} }
@ -84,6 +88,11 @@ public class GCubeJWTObject {
public String getEmail() { public String getEmail() {
return email; return email;
} }
public long getExpirationTime() {
return expirationTime;
}
@Override @Override
public String toString() { public String toString() {
return "GcubeJwt [context=" + getContext() + ", roles=" + getRoles() + ", username=" + username return "GcubeJwt [context=" + getContext() + ", roles=" + getRoles() + ", username=" + username
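Review bot: The new `expirationTime` field maps the JWT `exp` claim, but neither the field nor `getExpirationTime()` states its unit, and as a primitive `long` it silently reads 0 when the claim is absent, which a caller comparing against the current time will interpret as "expired in 1970" rather than "unknown". Add a Javadoc on the getter, e.g. `/** Value of the "exp" claim: seconds since the Unix epoch (RFC 7519); 0 when the claim was not present in the token. */`, and make any expiry comparison treat 0 as missing. That `exp` is in seconds is the standard JWT convention but is not verified on this page; confirm it against the issuer.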


@ -22,10 +22,6 @@ public class GCubeSecret extends Secret {
private String context; private String context;
public GCubeSecret(String gcubeToken) { public GCubeSecret(String gcubeToken) {
if( gcubeToken == null || gcubeToken.isEmpty())
throw new IllegalArgumentException("Invalid token: is null or empty");
if(!Pattern.matches(GCUBE_TOKEN_REGEX, gcubeToken))
throw new IllegalArgumentException("Invalid token: the gCube token must comply with the regex " + GCUBE_TOKEN_REGEX);
this.gcubeToken = gcubeToken; this.gcubeToken = gcubeToken;
} }
@ -38,6 +34,8 @@ public class GCubeSecret extends Secret {
} }
@Override @Override
public Owner getOwner() { public Owner getOwner() {
if (Objects.isNull(owner)) if (Objects.isNull(owner))
@ -70,8 +68,8 @@ public class GCubeSecret extends Secret {
} }
@Override @Override
public boolean isExpired() { public boolean isValid() {
return false; return gcubeToken != null && !gcubeToken.isEmpty() && Pattern.matches(GCUBE_TOKEN_REGEX, gcubeToken);
} }
} }
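Review bot: Moving the null/empty and regex checks out of the constructor into `isValid()` removes the fail-fast guarantee: a `GCubeSecret` wrapping `null` or a malformed string can now be constructed and passed around, so any path that reads `gcubeToken` before someone calls `isValid()` — `getOwner()`, header building — will NPE or forward an unvalidated token downstream. Keep at least `Objects.requireNonNull(gcubeToken, "gcubeToken");` in the constructor (`Objects` is already used in `getOwner()`), or state the contract in a class Javadoc such as `/** The constructor performs no validation; callers must check isValid() before using the token. */`. Since the check now runs on every call, precompile the regex once as `private static final Pattern GCUBE_TOKEN_PATTERN = Pattern.compile(GCUBE_TOKEN_REGEX);` and use `GCUBE_TOKEN_PATTERN.matcher(gcubeToken).matches()` instead of `Pattern.matches`. Note also that this `isValid()` is purely syntactic, unlike `UmaTokenSecret.isValid()` which verifies a signature, so callers should not read a true result as proof that the token is live or authorised.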


@ -5,11 +5,19 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.gcube.com.fasterxml.jackson.databind.ObjectMapper; import org.gcube.com.fasterxml.jackson.databind.ObjectMapper;
import org.gcube.common.keycloak.KeycloakClient;
import org.gcube.common.keycloak.KeycloakClientFactory;
import org.gcube.common.keycloak.model.AccessToken; import org.gcube.common.keycloak.model.AccessToken;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.PublishedRealmRepresentation;
import org.gcube.common.security.Owner; import org.gcube.common.security.Owner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class UmaTokenSecret extends Secret { public class UmaTokenSecret extends Secret {
private static final Logger log = LoggerFactory.getLogger(UmaTokenSecret.class);
private static final String AUTH_HEADER = "Authorization"; private static final String AUTH_HEADER = "Authorization";
private static final String USER_HEADER = "d4s-user"; private static final String USER_HEADER = "d4s-user";
@ -52,8 +60,6 @@ public class UmaTokenSecret extends Secret {
return encodedUmaToken; return encodedUmaToken;
} }
@Override
public boolean isExpired() { public boolean isExpired() {
init(); init();
return accessToken.isExpired(); return accessToken.isExpired();
@ -71,14 +77,13 @@ public class UmaTokenSecret extends Secret {
this.accessToken = objectMapper.readValue(decodedAccessPart, AccessToken.class); this.accessToken = objectMapper.readValue(decodedAccessPart, AccessToken.class);
GCubeJWTObject obj = objectMapper.readValue(decodedAccessPart, GCubeJWTObject.class); GCubeJWTObject obj = objectMapper.readValue(decodedAccessPart, GCubeJWTObject.class);
owner = new Owner(obj.getUsername(), obj.getRoles(), obj.getEmail(), obj.getFirstName(), obj.getLastName(), obj.isExternalService(), obj.isApplication()); owner = new Owner(obj.getUsername(), obj.getRoles(), obj.getEmail(), obj.getFirstName(),
obj.getLastName(), obj.isExternalService(), obj.isApplication());
owner.setClientName(obj.getClientName()); owner.setClientName(obj.getClientName());
owner.setContactOrganisation(obj.getContactOrganisation()); owner.setContactOrganisation(obj.getContactOrganisation());
owner.setClientName(obj.getClientName()); owner.setClientName(obj.getClientName());
context = obj.getContext(); context = obj.getContext();
initialised = true; initialised = true;
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
@ -86,4 +91,18 @@ public class UmaTokenSecret extends Secret {
} }
@Override
public boolean isValid() {
init();
try {
KeycloakClient client = KeycloakClientFactory.newInstance();
PublishedRealmRepresentation realmInfo = client.getRealmInfo(client.getRealmBaseURL(context));
return ModelUtils.isValid(encodedUmaToken, realmInfo.getPublicKey());
}catch (Exception e) {
log.error("Error contacting keycloak, is not possible to check token validity",e);
return false;
}
}
} }
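Review bot: In `isValid()` the realm whose public key verifies the token is chosen via `client.getRealmBaseURL(context)`, and `context` is assigned in `init()` from the token's own decoded claims before any signature check, so the unverified token selects the key used to verify it; this is safe only if every realm reachable through `KeycloakClientFactory.newInstance()` is equally trusted, which the page does not show. Consider pinning the expected realm or issuer from configuration and rejecting a token whose context does not match before fetching the key. Separately, every call performs a network round-trip for `getRealmInfo` — the realm public key is a natural candidate for caching with a TTL — and `log.error` on each transient Keycloak failure per validation call can flood logs, where `log.warn` with the realm in the message is usually enough. Also confirm whether `ModelUtils.isValid` checks `exp` in addition to the signature; if it does not, the method should also return false when `isExpired()` is true.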