gCubeSystem
/
oidc-library-portal
18
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

New methods exposed to issue a temporary UMA/RPT token to the OIDC server and some exceptions classes related to inreresting cases

This commit is contained in:
Mauro Mugnaini 2021-03-30 19:50:57 +02:00
parent b09f9509d5
commit bef2410aa4
7 changed files with 307 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/main/java/org/gcube/portal/oidc/lr62/InvalidTokenException.java Normal file
View File

@ -0,0 +1,22 @@
package org.gcube.portal.oidc.lr62;
public class InvalidTokenException extends OIDCException {
private static final long serialVersionUID = 6104023137356404839L;
public InvalidTokenException() {
}
public InvalidTokenException(String message) {
super(message);
}
public InvalidTokenException(Throwable cause) {
super(cause);
}
public InvalidTokenException(String message, Throwable cause) {
super(message, cause);
}
}

22
src/main/java/org/gcube/portal/oidc/lr62/MissingTokenException.java Normal file
View File

@ -0,0 +1,22 @@
package org.gcube.portal.oidc.lr62;
public class MissingTokenException extends OIDCException {
private static final long serialVersionUID = -3156396867055045014L;
public MissingTokenException() {
}
public MissingTokenException(String message) {
super(message);
}
public MissingTokenException(Throwable cause) {
super(cause);
}
public MissingTokenException(String message, Throwable cause) {
super(message, cause);
}
}

22
src/main/java/org/gcube/portal/oidc/lr62/NotAuthorizedException.java Normal file
View File

@ -0,0 +1,22 @@
package org.gcube.portal.oidc.lr62;
public class NotAuthorizedException extends OIDCException {
private static final long serialVersionUID = 67891107946900764L;
public NotAuthorizedException() {
}
public NotAuthorizedException(String message) {
super(message);
}
public NotAuthorizedException(Throwable cause) {
super(cause);
}
public NotAuthorizedException(String message, Throwable cause) {
super(message, cause);
}
}

31
src/main/java/org/gcube/portal/oidc/lr62/OIDCException.java Normal file
View File

@ -0,0 +1,31 @@
package org.gcube.portal.oidc.lr62;
public class OIDCException extends Exception {
private static final long serialVersionUID = -882800971125567037L;
public OIDCException() {
// TODO Auto-generated constructor stub
}
public OIDCException(String message) {
super(message);
// TODO Auto-generated constructor stub
}
public OIDCException(Throwable cause) {
super(cause);
// TODO Auto-generated constructor stub
}
public OIDCException(String message, Throwable cause) {
super(message, cause);
// TODO Auto-generated constructor stub
}
public OIDCException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
super(message, cause, enableSuppression, writableStackTrace);
// TODO Auto-generated constructor stub
}
}

214
src/main/java/org/gcube/portal/oidc/lr62/OIDCUmaUtil.java
View File

@ -17,7 +17,11 @@ import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.model.User;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;
public class OIDCUmaUtil {
@ -25,7 +29,7 @@ public class OIDCUmaUtil {
private static final boolean REFRESH_UMA_TOKEN = false;
private static final String LOGOUT_URI = "/c/portal/logout";
private static final boolean FORCE_LOGOUT_ON_INVALID_OIDC = true;
private static final boolean FORCE_LOGOUT_ON_INVALID_TOKEN = true;
private static final boolean FORCE_LOGOUT_ON_MISSING_OIDC = true;
private static final boolean FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR = true;
private static final int MAX_AUTHORIZATION_RETRY_ATTEMPTS = 4;
@ -76,19 +80,109 @@ public class OIDCUmaUtil {
}
}
/**
* Used to request a temporary UMA/RPT token to the OIDC server in a specific context for an user.
*
* The OIDC access token in the {@link JWTCacheProxy} for the user in the current <code>session</code> will be used.
*
* @param request the current HTTP request
* @param screenName the user's user id
* @param scope the scope to issue the token for (e.g. "/gcube")
* @return the temporary token in the requested context for the user
* @throws UMAException if a generic error related to the UMA/RPT token issue occurs
* @throws InvalidTokenException if the OIDC access token is become invalid for the user
* @throws MissingTokenException if the OIDC token is missing for the user in the cache proxy
* @throws RefreshException if an error occurs refreshing the OIDC token that is expired
* @throws NotAuthorizedException if the user is not authorized to access the requested context
*/
public static JWTToken getUMAToken(HttpServletRequest request, Long userId, String scope)
throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
NotAuthorizedException {
public static void checkUMATicketAndProvideInThreadLocal(HttpServletRequest request, HttpServletResponse response,
User user, HttpSession session, String scope) {
return getUMAToken(request, userId, scope, true);
}
private static JWTToken getUMAToken(HttpServletRequest request, Long userId, String scope, boolean temporary)
throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
NotAuthorizedException {
try {
return getUMAToken(request, UserLocalServiceUtil.getUser(userId), scope, temporary);
} catch (PortalException | SystemException e) {
throw new UMAException("Cannot get liferay user from userId", e);
}
}
/**
* Used to request a temporary UMA/RPT token to the OIDC server in a specific context for an user.
*
* The OIDC access token in the {@link JWTCacheProxy} for the user in the current <code>session</code> will be used.
*
* @param request the current HTTP request
* @param screenName the user's screen name
* @param scope the scope to issue the token for (e.g. "/gcube")
* @return the temporary token in the requested context for the user
* @throws UMAException if a generic error related to the UMA/RPT token issue occurs
* @throws InvalidTokenException if the OIDC access token is become invalid for the user
* @throws MissingTokenException if the OIDC token is missing for the user in the cache proxy
* @throws RefreshException if an error occurs refreshing the OIDC token that is expired
* @throws NotAuthorizedException if the user is not authorized to access the requested context
*/
public static JWTToken getUMAToken(HttpServletRequest request, String screenName, String scope)
throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
NotAuthorizedException {
return getUMAToken(request, screenName, scope, true);
}
private static JWTToken getUMAToken(HttpServletRequest request, String screenName, String scope, boolean temporary)
throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
NotAuthorizedException {
try {
return getUMAToken(request,
UserLocalServiceUtil.getUserByScreenName(PortalUtil.getCompanyId(request), screenName), scope, temporary);
} catch (PortalException | SystemException e) {
throw new UMAException("Cannot get liferay user from companyId and screenName", e);
}
}
public static JWTToken getUMAToken(HttpServletRequest request, User user, String scope)
throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
UMAException {
return getUMAToken(request, user, scope, true);
}
private static JWTToken getUMAToken(HttpServletRequest request, User user, String scope, boolean temporary)
throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
UMAException {
return getUMAToken(request, user, request.getSession(false), scope, temporary);
}
// public static JWTToken getUMAToken(HttpServletRequest request, User user, HttpSession session, String scope)
// throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
// UMAException {
//
// return getUMAToken(request, user, session, scope, true);
// }
private static JWTToken getUMAToken(HttpServletRequest request, User user, HttpSession session, String scope,
boolean temporary)
throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
UMAException {
if (user == null) {
log.error("Current user not found, cannot continue");
return;
log.error("User is null, cannot continue");
return null;
}
log.debug("Current user is: {} [{}]", user.getScreenName(), user.getEmailAddress());
if (session == null) {
log.debug("Session is null, cannot continue");
return;
throw new UMAException("Session is null");
}
String sessionId = session.getId();
log.debug("Current session ID is {}", sessionId);
@ -99,14 +193,15 @@ public class OIDCUmaUtil {
} catch (UnsupportedEncodingException e) {
// Almost impossible
log.error("Cannot URL encode scope", e);
return;
return null;
}
log.debug("URL encoded scope is: {}", urlEncodedScope);
JWTToken umaToken = null;
synchronized (JWTCacheProxy.getInstance().getMutexFor(user)) {
JWTCacheProxy jwtCacheProxy = JWTCacheProxy.getInstance();
synchronized (jwtCacheProxy.getMutexFor(user)) {
log.trace("Getting UMA token for user {}, and session {}", user.getScreenName(), sessionId);
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, sessionId);
umaToken = jwtCacheProxy.getUMAToken(user, sessionId);
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
log.trace("Current UMA token is OK {}", umaToken.getTokenEssentials());
} else {
@ -124,17 +219,13 @@ public class OIDCUmaUtil {
log.debug("Setting the refreshed UMA token in cache proxy for user {}, and session]",
user.getScreenName(), sessionId);
JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
// This is independent from "temporary" setting since is a refresh of an expired token
// issued for the same context
jwtCacheProxy.setUMAToken(user, sessionId, umaToken);
} catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
if (FORCE_LOGOUT_ON_INVALID_OIDC) {
log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(response);
} else {
log.warn("OIDC token is become invalid, cannot continue");
}
return;
throw new InvalidTokenException("UMA token become invalid", e);
} else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
log.info("UMA token is no more active, get new one");
} else {
@ -148,7 +239,7 @@ public class OIDCUmaUtil {
"Removing inactive UMA token from cache proxy if present for user {} and session {}",
user.getScreenName(), sessionId);
JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
jwtCacheProxy.removeUMAToken(user, sessionId);
}
} else {
log.debug("Suitable UMA token found but it is expired."
@ -159,7 +250,7 @@ public class OIDCUmaUtil {
log.debug("Removing inactive UMA token from cache proxy if present for user {} and session {}",
user.getScreenName(), sessionId);
JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
jwtCacheProxy.removeUMAToken(user, sessionId);
}
}
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
@ -174,15 +265,9 @@ public class OIDCUmaUtil {
log.debug("Getting OIDC token from cache proxy for user {} and session {}", user.getScreenName(),
sessionId);
JWTToken authToken = JWTCacheProxy.getInstance().getOIDCToken(user, sessionId);
JWTToken authToken = jwtCacheProxy.getOIDCToken(user, sessionId);
if (authToken == null) {
if (FORCE_LOGOUT_ON_MISSING_OIDC) {
log.debug("OIDC token is null in cache proxy, force redirecting to logut URI");
forceLogout(response);
} else {
log.debug("OIDC token is null in cache proxy, cannot continue!");
}
return;
throw new MissingTokenException("Token is null in proxy");
} else {
log.debug("OIDC token is {}", authToken.getTokenEssentials());
}
@ -214,16 +299,10 @@ public class OIDCUmaUtil {
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(),
authToken);
} catch (OpenIdConnectRESTHelperException e) {
if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
log.warn("Error refreshing OIDC token, force redirecting to logut URI");
forceLogout(response);
} else {
log.error("Refreshing OIDC token on server", e);
}
return;
throw new RefreshException("Refreshing OIDC token", e);
}
log.debug("Setting refreshed OIDC token in cache proxy");
JWTCacheProxy.getInstance().setOIDCToken(user, sessionId, authToken);
jwtCacheProxy.setOIDCToken(user, sessionId, authToken);
}
log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
@ -233,13 +312,7 @@ public class OIDCUmaUtil {
} catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
if (FORCE_LOGOUT_ON_INVALID_OIDC) {
log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(response);
} else {
log.error("OIDC token is become invalid, cannot continue");
}
return;
throw new InvalidTokenException("OIDC token is become invalid", e);
} else if (OpenIdConnectRESTHelper
.isAccessDeniedNotAuthorizedError(e.getResponseString())) {
@ -257,29 +330,66 @@ public class OIDCUmaUtil {
ie.printStackTrace();
}
} else {
log.warn("OIDC token refresh attempts exhausted");
return;
throw new NotAuthorizedException("OIDC token refresh attempts exhausted");
}
}
} else {
log.error("Getting UMA token from server", e);
return;
throw new UMAException(e);
}
}
} while (isNotAuthorized);
}
log.debug("Setting UMA token in cache proxy for user {} and session {}", user.getScreenName(),
sessionId);
if (!temporary) {
log.debug("Setting UMA token in cache proxy for user {} and session {}", user.getScreenName(),
sessionId);
JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
jwtCacheProxy.setUMAToken(user, sessionId, umaToken);
}
}
}
return umaToken;
}
log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
public static void checkUMATicketAndProvideInThreadLocal(HttpServletRequest request, HttpServletResponse response,
User user, HttpSession session, String scope) {
try {
JWTToken umaToken = getUMAToken(request, user, scope, false);
log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
log.debug("Setting UMA token with jti {} in UMA JWT provider", umaToken.getJti());
UmaJWTProvider.instance.set(umaToken.getRaw());
} catch (MissingTokenException e) {
if (FORCE_LOGOUT_ON_MISSING_OIDC) {
log.debug("OIDC token is null in cache proxy, force redirecting to logut URI");
forceLogout(response);
} else {
log.debug("OIDC token is null in cache proxy, cannot continue");
}
return;
} catch (RefreshException e) {
if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
log.warn("Error refreshing OIDC token, force redirecting to logut URI");
forceLogout(response);
} else {
log.error("Refreshing OIDC token on server", e);
}
return;
} catch (InvalidTokenException e) {
if (FORCE_LOGOUT_ON_INVALID_TOKEN) {
log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(response);
} else {
log.error("OIDC token is become invalid, cannot continue");
}
return;
} catch (NotAuthorizedException e) {
log.error("", e);
} catch (UMAException e) {
log.error("Getting UMA token from server", e);
}
log.debug("Setting UMA token with jti {} in UMA JWT provider", umaToken.getJti());
UmaJWTProvider.instance.set(umaToken.getRaw());
}
protected static void forceLogout(HttpServletResponse response) {

22
src/main/java/org/gcube/portal/oidc/lr62/RefreshException.java Normal file
View File

@ -0,0 +1,22 @@
package org.gcube.portal.oidc.lr62;
public class RefreshException extends OIDCException {
private static final long serialVersionUID = -8657006296380516704L;
public RefreshException() {
}
public RefreshException(String message) {
super(message);
}
public RefreshException(Throwable cause) {
super(cause);
}
public RefreshException(String message, Throwable cause) {
super(message, cause);
}
}

26
src/main/java/org/gcube/portal/oidc/lr62/UMAException.java Normal file
View File

@ -0,0 +1,26 @@
package org.gcube.portal.oidc.lr62;
public class UMAException extends Exception {
private static final long serialVersionUID = 9158301486748240970L;
public UMAException() {
}
public UMAException(String message) {
super(message);
}
public UMAException(Throwable cause) {
super(cause);
}
public UMAException(String message, Throwable cause) {
super(message, cause);
}
public UMAException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
super(message, cause, enableSuppression, writableStackTrace);
}
}