Chnaged to authenticate identity by using Bearer token or cookie and better handling of unauthorized calls

2020-08-21 11:12:17 +02:00 · 2020-08-21 11:12:17 +02:00 · 1c1f8ea18e
parent e9061b5fee
commit 1c1f8ea18e
2 changed files with 18 additions and 19 deletions
--- a/avatar-realm-resource/src/main/java/org/gcube/keycloak/avatar/AbstractAvatarResource.java
+++ b/avatar-realm-resource/src/main/java/org/gcube/keycloak/avatar/AbstractAvatarResource.java
@ -2,7 +2,6 @@ package org.gcube.keycloak.avatar;

 import java.io.InputStream;

-import javax.ws.rs.core.Response;
 import javax.ws.rs.core.StreamingOutput;

 import org.apache.commons.io.IOUtils;
@ -46,14 +45,6 @@ public abstract class AbstractAvatarResource {
        return keycloakSession.getProvider(AvatarStorageProvider.class);
    }

-    protected Response unauthorized() {
-        return Response.status(Response.Status.UNAUTHORIZED).build();
-    }
-
-    protected Response invalidState() {
-        return Response.status(Response.Status.FORBIDDEN).build();
-    }
-
    protected void saveUserImage(RealmModel realm, UserModel user, InputStream imageInputStream) {
        getAvatarStorageProvider().saveAvatarImage(realm, user, imageInputStream);
    }
--- a/avatar-realm-resource/src/main/java/org/gcube/keycloak/avatar/AvatarResource.java
+++ b/avatar-realm-resource/src/main/java/org/gcube/keycloak/avatar/AvatarResource.java
@ -4,7 +4,9 @@ import java.io.InputStream;
 import java.util.Objects;

 import javax.ws.rs.Consumes;
+import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@ -17,9 +19,9 @@ import org.jboss.resteasy.annotations.cache.NoCache;
 import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataInput;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.RealmModel;
 import org.keycloak.services.managers.AppAuthManager;
 import org.keycloak.services.managers.AuthenticationManager;
+import org.keycloak.services.managers.AuthenticationManager.AuthResult;
 import org.keycloak.services.resources.RealmsResource;

 public class AvatarResource extends AbstractAvatarResource {
@ -31,14 +33,17 @@ public class AvatarResource extends AbstractAvatarResource {

    public AvatarResource(KeycloakSession session) {
        super(session);
-        this.auth = resolveAuthentication(session);
+        auth = authenticate(session);
    }

-    private AuthenticationManager.AuthResult resolveAuthentication(KeycloakSession keycloakSession) {
-        AppAuthManager appAuthManager = new AppAuthManager();
-        RealmModel realm = keycloakSession.getContext().getRealm();
-
-        return appAuthManager.authenticateIdentityCookie(keycloakSession, realm);
+    private AuthResult authenticate(KeycloakSession session) {
+        logger.debug("Authenticating with bearer token");
+        AuthResult auth = new AppAuthManager().authenticateBearerToken(session, session.getContext().getRealm());
+        if (auth == null) {
+            logger.debug("Authenticating with identity cookie");
+            auth = new AppAuthManager().authenticateIdentityCookie(session, session.getContext().getRealm());
+        }
+        return auth;
    }

    @Path("/admin")
@ -53,8 +58,10 @@ public class AvatarResource extends AbstractAvatarResource {
    @Produces({ "image/png", "image/jpeg", "image/gif" })
    public Response downloadCurrentUserAvatarImage() {
        if (auth == null) {
-            return unauthorized();
+            logger.debug("Unhautorized call to get avatar");
+            throw new NotAuthorizedException("Bearer");
        }
+        logger.debugf("Getting avatar for user %s in realm %s", auth.getUser(), auth.getSession().getRealm());
        return Response.ok(fetchUserImage(auth.getSession().getRealm(), auth.getUser())).build();
    }

@ -63,13 +70,14 @@ public class AvatarResource extends AbstractAvatarResource {
    @Consumes(MediaType.MULTIPART_FORM_DATA)
    public Response uploadCurrentUserAvatarImage(MultipartFormDataInput input, @Context UriInfo uriInfo) {
        if (auth == null) {
-            return unauthorized();
+            throw new NotAuthorizedException("Bearer");
        }

        if (!isValidStateChecker(input)) {
-            return invalidState();
+            throw new ForbiddenException("State");
        }

+        logger.debugf("Uploading new avatar for user %s in realm %s", auth.getUser(), auth.getSession().getRealm());
        try {
            InputStream imageInputStream = input.getFormDataPart(AVATAR_IMAGE_PARAMETER, InputStream.class, null);