package org.gcube.portal.threadlocalexec; import static org.gcube.common.authorization.client.Constants.authorizationService; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; import java.util.ArrayList; import java.util.List; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.valves.ValveBase; import org.gcube.common.authorization.client.exceptions.ObjectNotFound; import org.gcube.common.authorization.library.provider.AuthorizationProvider; import org.gcube.common.authorization.library.provider.SecurityTokenProvider; import org.gcube.common.authorization.library.provider.UmaJWTProvider; import org.gcube.common.authorization.library.provider.UserInfo; import org.gcube.common.portal.PortalContext; import org.gcube.common.scope.api.ScopeProvider; import org.gcube.oidc.rest.JWTToken; import org.gcube.oidc.rest.OpenIdConnectConfiguration; import org.gcube.oidc.rest.OpenIdConnectRESTHelper; import org.gcube.oidc.rest.OpenIdConnectRESTHelperException; import org.gcube.portal.oidc.lr62.JWTCacheProxy; import org.gcube.portal.oidc.lr62.JWTTokenUtil; import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.liferay.portal.model.User; import com.liferay.portal.service.UserLocalServiceUtil; /** * * @author Massimiliano Assante, CNR ISTI * @author Lucio Lelii, CNR ISTI * @author Mauro Mugnaini, Nubisware S.r.l. * */ public class SmartGearsPortalValve extends ValveBase { private static final Logger _log = LoggerFactory.getLogger(SmartGearsPortalValve.class); private final static String DEFAULT_ROLE = "OrganizationMember"; private final static String LIFERAY_POLLER_CONTEXT = "poller/receive"; private static String LOGOUT_URI = "/c/portal/logout"; private static boolean FORCE_LOGOUT_ON_INVALID_OIDC = true; private static boolean FORCE_LOGOUT_ON_MISSING_OIDC = true; private static boolean FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR = true; private static final int MAX_AUTHORIZATION_RETRY_ATTEMPTS = 4; private static final int AUTHORIZATION_RETRY_ATTEMPTS_DELAY = 4000; @Override public void invoke(Request req, Response resp) throws IOException, ServletException { SecurityTokenProvider.instance.reset(); ScopeProvider.instance.reset(); AuthorizationProvider.instance.reset(); UmaJWTProvider.instance.reset(); //_log.trace("SmartGearsPortalValve SecurityTokenProvider and AuthorizationProvider reset OK"); if (req instanceof HttpServletRequest) { HttpServletRequest request = (HttpServletRequest) req; if (!req.getRequestURL().toString().endsWith(LIFERAY_POLLER_CONTEXT)) { //avoid calling gCube auth service for liferay internal poller PortalContext context = PortalContext.getConfiguration(); String scope = context.getCurrentScope(request); String username = getCurrentUsername(request); if (scope != null && username != null && validateContext(scope)) { String userToken = null; try { ScopeProvider.instance.set(scope); userToken = authorizationService().resolveTokenByUserAndContext(username, scope); SecurityTokenProvider.instance.set(userToken); } catch (ObjectNotFound ex) { userToken = generateAuthorizationToken(username, scope); SecurityTokenProvider.instance.set(userToken); _log.debug("generateAuthorizationToken OK for " + username + " in scope " + scope); } catch (Exception e) { _log.error("Something went wrong in generating token for " + username + " in scope " + scope); e.printStackTrace(); } checkUMATicket(request, (HttpServletResponse) resp, scope); //_log.trace("Security token set OK for " + username + " in scope " + scope); } } } getNext().invoke(req, resp); } private void checkUMATicket(HttpServletRequest request, HttpServletResponse response, String scope) { _log.debug("Getting current user"); User user = getCurrentUser(request); if (user == null) { // Almost impossible _log.error("Current user not found, cannot continue"); return; } HttpSession session = request.getSession(false); if (session == null) { _log.debug("Session is null, cannot continue"); return; } synchronized (session) { String urlEncodedScope = null; try { urlEncodedScope = URLEncoder.encode(scope, "UTF-8"); } catch (UnsupportedEncodingException e) { // Almost impossible _log.error("Cannot URL encode scope", e); return; } _log.debug("URL encoded scope is: {}", urlEncodedScope); _log.trace("Getting UMA token from session: {}", session); JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session); if (umaToken == null) { _log.debug("UMA token not found in session. Trying to get it from cache proxy"); umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session); } if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) { _log.trace("Current UMA token is OK"); if (JWTTokenUtil.getUMAFromSession(session) == null) { _log.debug("Setting UMA token also in current session"); JWTTokenUtil.putUMAInSession(umaToken, session); } } else if (JWTCacheProxy.getInstance().getUMAToken(user, session) != null && !JWTCacheProxy.getInstance().getUMAToken(user, session).isExpired() && JWTCacheProxy.getInstance().getUMAToken(user, session).getAud().contains(urlEncodedScope)) { _log.debug("Cache proxy already contains the suitable UMA token. Putting it also in session and using it"); umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session); JWTTokenUtil.putUMAInSession(umaToken, session); } else { if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) { _log.debug("UMA token is expired, trying to refresh it"); OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); try { umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); _log.debug("Setting refreshed UMA token in cache proxy"); JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken); _log.debug("Setting refreshed UMA token in session"); JWTTokenUtil.putUMAInSession(umaToken, session); } catch (OpenIdConnectRESTHelperException e) { if (e.hasJSONPayload()) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (FORCE_LOGOUT_ON_INVALID_OIDC) { _log.warn("OIDC token is become invalid, forcing redirect to logout URI"); forceLogout(session, response); } else { _log.warn("OIDC token is become invalid, cannot continue"); } return; } else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) { _log.info("UMA token is no more active, get new one"); } } else { _log.error("Refreshing UMA token on server", e); } umaToken = null; _log.info("Removing probably inactive OIDC token from session"); JWTTokenUtil.removeOIDCFromSession(session); _log.info("Removing all inactive UMA token from session and from cache proxy if present"); JWTTokenUtil.removeUMAFromSession(session); JWTCacheProxy.getInstance().removeUMAToken(user, session); } } if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { boolean scopeIsChanged = false; if (umaToken == null) { _log.debug("Getting new UMA token for scope {}", urlEncodedScope); } else if (!umaToken.getAud().contains(urlEncodedScope)) { scopeIsChanged = true; _log.info("UMA token has been issued for another scope ({}). Getting new one for scope: {}", umaToken.getAud(), urlEncodedScope); } _log.debug("Getting OIDC token from session"); JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); if (authToken == null) { _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session); if (authToken == null) { _log.info("OIDC token is null also in cache proxy"); if (FORCE_LOGOUT_ON_MISSING_OIDC) { _log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI"); forceLogout(session, response); return; } else { _log.error("OIDC token is null also in cache proxy, cannot continue!"); return; } } else { _log.debug("Setting OIDC token took from cache proxy in session"); JWTTokenUtil.putOIDCInSession(authToken, session); } } OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); boolean OK = false; boolean isNotAuthorized = false; int authorizationAttempts = 0; while (!OK) { try { if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) { if (isNotAuthorized) { _log.info( "UMA token is not authorized with current OIDC token, " + "refreshing it to be sure that new grants are present. " + "[attempts: {}]", authorizationAttempts); } else if (scopeIsChanged) { _log.info("Scope is changed, refreshing token to be sure that new grants are present"); } else if (authToken.isExpired()) { _log.debug("OIDC token is expired, trying to refresh it"); } try { authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken); } catch (OpenIdConnectRESTHelperException e) { if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) { _log.warn("Error refreshing OIDC token, force redirecting to logut URI"); forceLogout(session, response); } else { _log.error("Refreshing OIDC token on server", e); } return; } _log.debug("Setting refreshed OIDC token in cache proxy and session"); JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); JWTTokenUtil.putOIDCInSession(authToken, session); } _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), authToken.getAccessTokenAsBearer(), urlEncodedScope, null); OK = true; } catch (OpenIdConnectRESTHelperException e) { if (e.hasJSONPayload()) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (FORCE_LOGOUT_ON_INVALID_OIDC) { _log.warn("OIDC token is become invalid, forcing redirect to logout URI"); forceLogout(session, response); } else { _log.error("OIDC token is become invalid, cannot continue"); } return; } else if (OpenIdConnectRESTHelper .isAccessDeniedNotAuthorizedError(e.getResponseString())) { _log.info("UMA token is" + (isNotAuthorized ? " still" : "") + " not authorized with actual OIDC token"); isNotAuthorized = true; authorizationAttempts += 1; if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) { _log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY + " ms and refreshing the OIDC"); try { Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY); } catch (InterruptedException ie) { ie.printStackTrace(); } } else { _log.warn("OIDC token refresh attempts exhausted"); return; } } } else { _log.error("Getting UMA token from server", e); return; } } } } _log.debug("Setting UMA token in cache proxy and in session"); JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken); JWTTokenUtil.putUMAInSession(umaToken, session); } _log.trace("Current UMA token audience is: {}", umaToken.getAud()); _log.debug("Setting UMA token in UMA JWT provider"); UmaJWTProvider.instance.set(umaToken.getRaw()); } } protected void forceLogout(HttpSession session, HttpServletResponse response) { try { response.sendRedirect(LOGOUT_URI); } catch (IOException e) { _log.error("Cannot redirect to logout URI: " + LOGOUT_URI, e); } } /** * * @param context * @return true if is the context is syntactically valid */ private static boolean validateContext(String context) { String separator = "/"; if (!context.matches("\\S+")) return false; String[] components = context.split(separator); if (components.length < 2 || components.length > 4) return false; return true; } /** * * @param username * @param scope * @throws Exception */ private static String generateAuthorizationToken(String username, String scope) { List userRoles = new ArrayList<>(); userRoles.add(DEFAULT_ROLE); String token; try { token = authorizationService().generateUserToken(new UserInfo(username, userRoles), scope); } catch (Exception e) { e.printStackTrace(); return null; } return token; } /** * * @param httpServletRequest the httpServletRequest object * @return the instance of the user * @see GCubeUser */ public static String getCurrentUsername(HttpServletRequest httpServletRequest) { User user = getCurrentUser(httpServletRequest); return user != null ? user.getScreenName() : null; } public static User getCurrentUser(HttpServletRequest httpServletRequest) { String userIdNo = httpServletRequest.getHeader(PortalContext.USER_ID_ATTR_NAME); if (userIdNo != null && userIdNo.compareTo("undefined") != 0) { long userId = -1; try { userId = Long.parseLong(userIdNo); return UserLocalServiceUtil.getUser(userId); } catch (NumberFormatException e) { _log.error("The userId is not a number -> " + userIdNo); return null; } catch (Exception e) { _log.error("The userId does not belong to any user -> " + userIdNo); return null; } } return null; } }