gCubeSystem
/
threadlocal-vars-cleaner
14
1
Fork 1
Code Issues Pull Requests Releases Wiki Activity

Porting to master repo of the changes that seems to resolves issues related to ticket #20445 #6

Merged
massimiliano.assante merged 4 commits from mauro.mugnaini/threadlocal-vars-cleaner:master into master 2021-01-20 12:35:52 +01:00
Conversation 0 Commits 4 Files Changed 1 +87 -85
1 changed files with 87 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
View File

@ -28,7 +28,6 @@ import org.gcube.oidc.rest.OpenIdConnectConfiguration;
import org.gcube.oidc.rest.OpenIdConnectRESTHelper; import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
import org.gcube.oidc.rest.OpenIdConnectRESTHelperException; import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
import org.gcube.portal.oidc.lr62.JWTCacheProxy; import org.gcube.portal.oidc.lr62.JWTCacheProxy;
import org.gcube.portal.oidc.lr62.JWTTokenUtil;
import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration; import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -96,77 +95,72 @@ public class SmartGearsPortalValve extends ValveBase {
_log.debug("Getting current user"); _log.debug("Getting current user");
User user = getCurrentUser(request); User user = getCurrentUser(request);
if (user == null) { if (user == null) {
// Almost impossible
_log.error("Current user not found, cannot continue"); _log.error("Current user not found, cannot continue");
return; return;
} }
_log.debug("Current user is: {} [{}]", user.getScreenName(), user.getEmailAddress());
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
if (session == null) { if (session == null) {
_log.debug("Session is null, cannot continue"); _log.debug("Session is null, cannot continue");
return; return;
} }
synchronized (session) { String sessionId = session.getId();
String urlEncodedScope = null; _log.debug("Current session ID is {}", sessionId);
try { String urlEncodedScope = null;
urlEncodedScope = URLEncoder.encode(scope, "UTF-8"); try {
} catch (UnsupportedEncodingException e) { urlEncodedScope = URLEncoder.encode(scope, "UTF-8");
// Almost impossible } catch (UnsupportedEncodingException e) {
_log.error("Cannot URL encode scope", e); // Almost impossible
return; _log.error("Cannot URL encode scope", e);
} return;
_log.debug("URL encoded scope is: {}", urlEncodedScope); }
_log.debug("URL encoded scope is: {}", urlEncodedScope);
_log.trace("Getting UMA token from session: {}", session); JWTToken umaToken = null;
JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session); synchronized (JWTCacheProxy.getInstance().getMutexFor(user)) {
if (umaToken == null) { _log.trace("Getting UMA token for user {}, and session {}", user.getScreenName(), sessionId);
_log.debug("UMA token not found in session. Trying to get it from cache proxy"); umaToken = JWTCacheProxy.getInstance().getUMAToken(user, sessionId);
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
}
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) { if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
_log.trace("Current UMA token is OK"); _log.trace("Current UMA token is OK {}", umaToken.getTokenEssentials());
if (JWTTokenUtil.getUMAFromSession(session) == null) {
_log.debug("Setting UMA token also in current session");
JWTTokenUtil.putUMAInSession(umaToken, session);
}
} else if (JWTCacheProxy.getInstance().getUMAToken(user, session) != null
&& !JWTCacheProxy.getInstance().getUMAToken(user, session).isExpired()
&& JWTCacheProxy.getInstance().getUMAToken(user, session).getAud().contains(urlEncodedScope)) {
_log.debug("Cache proxy already contains the suitable UMA token. Putting it also in session and using it");
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
JWTTokenUtil.putUMAInSession(umaToken, session);
} else { } else {
if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) { if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) {
_log.debug("UMA token is expired, trying to refresh it"); _log.debug("Suitable UMA token found but is expired, trying to refresh it {}",
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); umaToken.getTokenEssentials());
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
.getConfiguration(request);
try { try {
umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
_log.debug("Setting refreshed UMA token in cache proxy"); _log.debug("Got a refreshed UMA token {}", umaToken.getTokenEssentials());
JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken);
_log.debug("Setting refreshed UMA token in session"); _log.debug("Setting the refreshed UMA token in cache proxy for user {}, and session]",
JWTTokenUtil.putUMAInSession(umaToken, session); user.getScreenName(), sessionId);
JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
} catch (OpenIdConnectRESTHelperException e) { } catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) { if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
if (FORCE_LOGOUT_ON_INVALID_OIDC) { if (FORCE_LOGOUT_ON_INVALID_OIDC) {
_log.warn("OIDC token is become invalid, forcing redirect to logout URI"); _log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.warn("OIDC token is become invalid, cannot continue"); _log.warn("OIDC token is become invalid, cannot continue");
} }
return; return;
} else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) { } else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
_log.info("UMA token is no more active, get new one"); _log.info("UMA token is no more active, get new one");
} else {
_log.error("Other UMA token refresh error", e);
} }
} else { } else {
_log.error("Refreshing UMA token on server", e); _log.error("Refreshing UMA token on server " + umaToken.getTokenEssentials(), e);
} }
umaToken = null; umaToken = null;
_log.info("Removing probably inactive OIDC token from session"); _log.debug("Removing inactive UMA token from cache proxy if present for user {} and session {}",
JWTTokenUtil.removeOIDCFromSession(session); user.getScreenName(), sessionId);
_log.info("Removing all inactive UMA token from session and from cache proxy if present");
JWTTokenUtil.removeUMAFromSession(session); JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
JWTCacheProxy.getInstance().removeUMAToken(user, session);
} }
} }
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
@ -175,34 +169,30 @@ public class SmartGearsPortalValve extends ValveBase {
_log.debug("Getting new UMA token for scope {}", urlEncodedScope); _log.debug("Getting new UMA token for scope {}", urlEncodedScope);
} else if (!umaToken.getAud().contains(urlEncodedScope)) { } else if (!umaToken.getAud().contains(urlEncodedScope)) {
scopeIsChanged = true; scopeIsChanged = true;
_log.info("UMA token has been issued for another scope ({}). Getting new one for scope: {}", _log.info("Getting new UMA token for scope {} since it has been issued for another scope {}",
umaToken.getAud(), urlEncodedScope); urlEncodedScope, umaToken.getTokenEssentials());
} }
_log.debug("Getting OIDC token from session"); _log.debug("Getting OIDC token from cache proxy for user {} and session {}", user.getScreenName(),
JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); sessionId);
JWTToken authToken = JWTCacheProxy.getInstance().getOIDCToken(user, sessionId);
if (authToken == null) { if (authToken == null) {
_log.debug("OIDC token not found in session. Trying to get it from cache proxy"); if (FORCE_LOGOUT_ON_MISSING_OIDC) {
authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session); _log.warn("OIDC token is null in cache proxy, force redirecting to logut URI");
if (authToken == null) { forceLogout(response);
_log.info("OIDC token is null also in cache proxy");
if (FORCE_LOGOUT_ON_MISSING_OIDC) {
_log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI");
forceLogout(session, response);
return;
} else {
_log.error("OIDC token is null also in cache proxy, cannot continue!");
return;
}
} else { } else {
_log.debug("Setting OIDC token took from cache proxy in session"); _log.error("OIDC token is null in cache proxy, cannot continue!");
JWTTokenUtil.putOIDCInSession(authToken, session);
} }
return;
} else {
_log.debug("OIDC token is {}", authToken.getTokenEssentials());
} }
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
boolean OK = false; .getConfiguration(request);
boolean isNotAuthorized = false; boolean isNotAuthorized = false;
int authorizationAttempts = 0; int authorizationAttempts = 0;
while (!OK) { do {
try { try {
if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) { if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) {
if (isNotAuthorized) { if (isNotAuthorized) {
@ -211,10 +201,15 @@ public class SmartGearsPortalValve extends ValveBase {
+ "refreshing it to be sure that new grants are present. " + "refreshing it to be sure that new grants are present. "
+ "[attempts: {}]", + "[attempts: {}]",
authorizationAttempts); authorizationAttempts);
// Resetting the flag to be sure to have correct log message each loop
isNotAuthorized = false;
} else if (scopeIsChanged) { } else if (scopeIsChanged) {
_log.info("Scope is changed, refreshing token to be sure that new grants are present"); _log.info(
"Scope is changed, refreshing token to be sure that new grants are present");
} else if (authToken.isExpired()) { } else if (authToken.isExpired()) {
_log.debug("OIDC token is expired, trying to refresh it"); _log.debug("OIDC token is expired, trying to refresh it {}",
authToken.getTokenEssentials());
} }
try { try {
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(),
@ -222,41 +217,41 @@ public class SmartGearsPortalValve extends ValveBase {
} catch (OpenIdConnectRESTHelperException e) { } catch (OpenIdConnectRESTHelperException e) {
if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) { if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
_log.warn("Error refreshing OIDC token, force redirecting to logut URI"); _log.warn("Error refreshing OIDC token, force redirecting to logut URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.error("Refreshing OIDC token on server", e); _log.error("Refreshing OIDC token on server", e);
} }
return; return;
} }
_log.debug("Setting refreshed OIDC token in cache proxy and session"); _log.debug("Setting refreshed OIDC token in cache proxy");
JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); JWTCacheProxy.getInstance().setOIDCToken(user, sessionId, authToken);
JWTTokenUtil.putOIDCInSession(authToken, session);
} }
_log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
authToken.getAccessTokenAsBearer(), urlEncodedScope, null); authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
OK = true; _log.debug("Got new UMA token {}", umaToken.getTokenEssentials());
} catch (OpenIdConnectRESTHelperException e) { } catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) { if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
if (FORCE_LOGOUT_ON_INVALID_OIDC) { if (FORCE_LOGOUT_ON_INVALID_OIDC) {
_log.warn("OIDC token is become invalid, forcing redirect to logout URI"); _log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.error("OIDC token is become invalid, cannot continue"); _log.error("OIDC token is become invalid, cannot continue");
} }
return; return;
} else if (OpenIdConnectRESTHelper } else if (OpenIdConnectRESTHelper
.isAccessDeniedNotAuthorizedError(e.getResponseString())) { .isAccessDeniedNotAuthorizedError(e.getResponseString())) {
_log.info("UMA token is" + (isNotAuthorized ? " still" : "") _log.info("UMA token is" + (isNotAuthorized ? " still" : "")
+ " not authorized with actual OIDC token"); + " not authorized with actual OIDC token");
isNotAuthorized = true; isNotAuthorized = true;
authorizationAttempts += 1; authorizationAttempts += 1;
if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) { if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) {
_log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY _log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY
+ " ms and refreshing the OIDC"); + " ms and looping refreshing the OIDC");
try { try {
Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY); Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY);
} catch (InterruptedException ie) { } catch (InterruptedException ie) {
@ -272,22 +267,29 @@ public class SmartGearsPortalValve extends ValveBase {
return; return;
} }
} }
} } while (isNotAuthorized);
} }
_log.debug("Setting UMA token in cache proxy and in session");
JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken);
JWTTokenUtil.putUMAInSession(umaToken, session);
}
_log.trace("Current UMA token audience is: {}", umaToken.getAud());
_log.debug("Setting UMA token in UMA JWT provider"); _log.debug("Setting UMA token in cache proxy for user {} and session {}", user.getScreenName(),
UmaJWTProvider.instance.set(umaToken.getRaw()); sessionId);
JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
}
} }
_log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
_log.debug("Setting UMA token with jti {} in UMA JWT provider", umaToken.getJti());
UmaJWTProvider.instance.set(umaToken.getRaw());
} }
protected void forceLogout(HttpSession session, HttpServletResponse response) { protected void forceLogout(HttpServletResponse response) {
try { try {
response.sendRedirect(LOGOUT_URI); if (!response.isCommitted()) {
response.sendRedirect(LOGOUT_URI);
} else {
_log.warn("Cannot redirect to logout URI since the response is already commited");
}
} catch (IOException e) { } catch (IOException e) {
_log.error("Cannot redirect to logout URI: " + LOGOUT_URI, e); _log.error("Cannot redirect to logout URI: " + LOGOUT_URI, e);
} }