From 081e3dd257b40531012a462660e2754332bdf521 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Wed, 1 Jul 2020 19:40:32 +0200 Subject: [PATCH 1/6] Specific version required. Range removed --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 064a5d9..2aa7a6c 100644 --- a/pom.xml +++ b/pom.xml @@ -64,7 +64,7 @@ org.gcube.portal oidc-library-portal - [0.1.0,) + 0.2-SNAPSHOT provided From 3f965a914317d7dc6864eab6297e1d1342218e26 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Wed, 1 Jul 2020 19:42:10 +0200 Subject: [PATCH 2/6] Implemented the token refresh on expired access-token validity --- .../SmartGearsPortalValve.java | 43 ++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java index 25250be..a7c78c8 100644 --- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java +++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java @@ -152,7 +152,27 @@ public class SmartGearsPortalValve extends ValveBase { _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); try { - // TODO: handle the token expired case and renew it with refresh token. + if (authToken.isExpired()) { + if (_log.isDebugEnabled()) { + _log.debug("OIDC token is expired, refreshing it"); + try { + authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), + authToken); + + } catch (Exception e) { + _log.error("Refreshing OIDC token on server", e); + return; + } + if (_log.isDebugEnabled()) { + _log.debug("Setting refreshed OIDC token in cache proxy"); + } + OIDCTokenCacheProxy.getInstance().setOIDCToken(user, session, umaToken); + if (_log.isDebugEnabled()) { + _log.debug("Setting refreshed OIDC token in session"); + } + JWTTokenUtil.putOIDCInSession(authToken, session); + } + } umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), authToken.getAsBearer(), urlEncodedScope, null); @@ -169,6 +189,27 @@ public class SmartGearsPortalValve extends ValveBase { } JWTTokenUtil.putUMAInSession(umaToken, session); } + } else { + if (umaToken.isExpired()) { + if (_log.isDebugEnabled()) { + _log.debug("UMA token is expired, refreshing it"); + } + OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); + try { + umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); + } catch (Exception e) { + _log.error("Refreshing UMA token on server", e); + return; + } + if (_log.isDebugEnabled()) { + _log.debug("Setting refreshed UMA token in cache proxy"); + } + OIDCTokenCacheProxy.getInstance().setRPTToken(getCurrentUser(request), session, umaToken); + if (_log.isDebugEnabled()) { + _log.debug("Setting refreshed UMA token in session"); + } + JWTTokenUtil.putUMAInSession(umaToken, session); + } } if (_log.isDebugEnabled()) { _log.debug("Setting UMA token in UMA JWT provider"); From be0860d9281768ce4c62ba3cb5344e4eda44396b Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Fri, 3 Jul 2020 18:38:58 +0200 Subject: [PATCH 3/6] Fixed wrong token put in cache after refresh. Rationalized logs. --- .../SmartGearsPortalValve.java | 171 +++++++----------- 1 file changed, 66 insertions(+), 105 deletions(-) diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java index a7c78c8..9ab758f 100644 --- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java +++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java @@ -86,14 +86,9 @@ public class SmartGearsPortalValve extends ValveBase { private void checkUMATicket(HttpServletRequest request, String scope) { HttpSession session = request.getSession(false); if (session == null) { - if (_log.isDebugEnabled()) { - _log.debug("Session is null"); - } + _log.debug("Session is null"); return; } - if (_log.isTraceEnabled()) { - _log.trace("Session details: id=" + session.getId() + ", instance=" + session); - } String urlEncodedScope = null; try { urlEncodedScope = URLEncoder.encode(scope, "UTF-8"); @@ -101,99 +96,78 @@ public class SmartGearsPortalValve extends ValveBase { _log.error("Cannot URL encode scope", e); return; } - if (_log.isDebugEnabled()) { - _log.debug("URL encoded scope is: " + urlEncodedScope); - _log.debug("Getting UMA token from session"); - } + _log.debug("URL encoded scope is: {}", urlEncodedScope); + _log.debug("Getting UMA token from session"); JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session); if (umaToken == null) { - if (_log.isDebugEnabled()) { - _log.debug("UMA token not found in session"); - } - if (_log.isDebugEnabled()) { - _log.debug("Getting current user"); - } + _log.debug("UMA token not found in session"); + + _log.debug("Getting current user"); User user = getCurrentUser(request); if (user == null) { + // Almost impossible _log.error("Current user not found, cannot continue"); return; } - if (_log.isDebugEnabled()) { - _log.debug("Trying to get UMA token from cache proxy"); - } + _log.debug("Trying to get UMA token from cache proxy"); umaToken = OIDCTokenCacheProxy.getInstance().getUMAToken(user, session); - if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { - if (umaToken == null) { - if (_log.isDebugEnabled()) { - _log.debug("UMA token is null. Getting new one..."); - } - } else { - _log.info("UMA token for another scope (" + umaToken.getAud() + "). Getting new one for scope: " - + urlEncodedScope); - } - if (_log.isDebugEnabled()) { - _log.debug("Getting OIDC token from session"); - } - JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); + } + if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { + if (umaToken == null) { + _log.debug("UMA token is null. Getting new one..."); + } else { + _log.info("UMA token has been issued for another scope (" + umaToken.getAud() + + "). Getting new one for scope: " + urlEncodedScope); + } + _log.debug("Getting current user"); + User user = getCurrentUser(request); + if (user == null) { + // Almost impossible + _log.error("Current user not found, cannot continue"); + return; + } + _log.debug("Getting OIDC token from session"); + JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); + if (authToken == null) { + _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); + authToken = OIDCTokenCacheProxy.getInstance().getOIDCToken(user, session); if (authToken == null) { - if (_log.isDebugEnabled()) { - _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); - } - authToken = getOIDCTokeFromProxyAndSetInSession(user, request, session); - if (authToken == null) { - _log.error("OIDC token is null, cannot continue"); + _log.warn("OIDC token is null also in cache proxy, cannot continue!"); + return; + } else { + _log.debug("Setting OIDC token took from cache proxy in session"); + JWTTokenUtil.putOIDCInSession(authToken, session); + } + } + OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); + try { + if (authToken.isExpired()) { + _log.debug("OIDC token is expired, refreshing it"); + try { + authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken); + } catch (Exception e) { + _log.error("Refreshing OIDC token on server", e); return; - } else { - if (_log.isDebugEnabled()) { - _log.debug("OIDC token found in cache proxy"); - } } + _log.debug("Setting refreshed OIDC token in cache proxy"); + OIDCTokenCacheProxy.getInstance().setOIDCToken(user, session, authToken); + _log.debug("Setting refreshed OIDC token in session"); + JWTTokenUtil.putOIDCInSession(authToken, session); } _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); - OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); - try { - if (authToken.isExpired()) { - if (_log.isDebugEnabled()) { - _log.debug("OIDC token is expired, refreshing it"); - try { - authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), - authToken); - - } catch (Exception e) { - _log.error("Refreshing OIDC token on server", e); - return; - } - if (_log.isDebugEnabled()) { - _log.debug("Setting refreshed OIDC token in cache proxy"); - } - OIDCTokenCacheProxy.getInstance().setOIDCToken(user, session, umaToken); - if (_log.isDebugEnabled()) { - _log.debug("Setting refreshed OIDC token in session"); - } - JWTTokenUtil.putOIDCInSession(authToken, session); - } - } - umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), - authToken.getAsBearer(), - urlEncodedScope, null); - } catch (Exception e) { - _log.error("Getting UMA token from server", e); - return; - } - if (_log.isDebugEnabled()) { - _log.debug("Setting UMA token in cache proxy"); - } - OIDCTokenCacheProxy.getInstance().setRPTToken(user, session, umaToken); - if (_log.isDebugEnabled()) { - _log.debug("Setting UMA token in session"); - } - JWTTokenUtil.putUMAInSession(umaToken, session); + umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), authToken.getAsBearer(), + urlEncodedScope, null); + } catch (Exception e) { + _log.error("Getting UMA token from server", e); + return; } + _log.debug("Setting UMA token in cache proxy"); + OIDCTokenCacheProxy.getInstance().setRPTToken(user, session, umaToken); + _log.debug("Setting UMA token in session"); + JWTTokenUtil.putUMAInSession(umaToken, session); } else { if (umaToken.isExpired()) { - if (_log.isDebugEnabled()) { - _log.debug("UMA token is expired, refreshing it"); - } + _log.debug("UMA token is expired, refreshing it"); OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); try { umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); @@ -201,33 +175,20 @@ public class SmartGearsPortalValve extends ValveBase { _log.error("Refreshing UMA token on server", e); return; } - if (_log.isDebugEnabled()) { - _log.debug("Setting refreshed UMA token in cache proxy"); - } + _log.debug("Setting refreshed UMA token in cache proxy"); OIDCTokenCacheProxy.getInstance().setRPTToken(getCurrentUser(request), session, umaToken); - if (_log.isDebugEnabled()) { - _log.debug("Setting refreshed UMA token in session"); - } + _log.debug("Setting refreshed UMA token in session"); + JWTTokenUtil.putUMAInSession(umaToken, session); + } else if (JWTTokenUtil.getUMAFromSession(session) == null) { + _log.debug("Setting UMA token in session"); JWTTokenUtil.putUMAInSession(umaToken, session); } } - if (_log.isDebugEnabled()) { - _log.debug("Setting UMA token in UMA JWT provider"); - } - UmaJWTProvider.instance.set(umaToken.getRaw()); - } - private JWTToken getOIDCTokeFromProxyAndSetInSession(User user, HttpServletRequest request, HttpSession session) { - JWTToken token = OIDCTokenCacheProxy.getInstance().getOIDCToken(user, session); - if (token == null) { - _log.warn("OIDC token is null also in cache proxy!"); - } else { - if (_log.isDebugEnabled()) { - _log.debug("Setting OIDC token took from cache proxy in session"); - } - JWTTokenUtil.putOIDCInSession(token, session); - } - return token; + _log.debug("Current UMA token audience is: {}", umaToken.getAud()); + + _log.debug("Setting UMA token in UMA JWT provider"); + UmaJWTProvider.instance.set(umaToken.getRaw()); } /** From 6b86a0700bd7866a9510b6c06d79afcbced1652b Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Fri, 3 Jul 2020 18:45:41 +0200 Subject: [PATCH 4/6] Changed according to renamed classes method names --- pom.xml | 4 ++-- .../threadlocalexec/SmartGearsPortalValve.java | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pom.xml b/pom.xml index 2aa7a6c..b122a68 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ org.gcube.portal threadlocal-vars-cleaner - 2.2.0-SNAPSHOT + 2.2.1-SNAPSHOT jar threadlocal-vars-cleaner This component clean the Smartgears ThreadLocal variables each time a new Thread is assigned to a request from tomcat thread pool @@ -64,7 +64,7 @@ org.gcube.portal oidc-library-portal - 0.2-SNAPSHOT + 0.2.1-SNAPSHOT provided diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java index 9ab758f..5d7974c 100644 --- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java +++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java @@ -25,9 +25,9 @@ import org.gcube.common.scope.api.ScopeProvider; import org.gcube.oidc.rest.JWTToken; import org.gcube.oidc.rest.OpenIdConnectConfiguration; import org.gcube.oidc.rest.OpenIdConnectRESTHelper; +import org.gcube.portal.oidc.lr62.JWTCacheProxy; import org.gcube.portal.oidc.lr62.JWTTokenUtil; import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration; -import org.gcube.portal.oidc.lr62.OIDCTokenCacheProxy; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -110,7 +110,7 @@ public class SmartGearsPortalValve extends ValveBase { return; } _log.debug("Trying to get UMA token from cache proxy"); - umaToken = OIDCTokenCacheProxy.getInstance().getUMAToken(user, session); + umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session); } if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { if (umaToken == null) { @@ -130,7 +130,7 @@ public class SmartGearsPortalValve extends ValveBase { JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); if (authToken == null) { _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); - authToken = OIDCTokenCacheProxy.getInstance().getOIDCToken(user, session); + authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session); if (authToken == null) { _log.warn("OIDC token is null also in cache proxy, cannot continue!"); return; @@ -150,7 +150,7 @@ public class SmartGearsPortalValve extends ValveBase { return; } _log.debug("Setting refreshed OIDC token in cache proxy"); - OIDCTokenCacheProxy.getInstance().setOIDCToken(user, session, authToken); + JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); _log.debug("Setting refreshed OIDC token in session"); JWTTokenUtil.putOIDCInSession(authToken, session); } @@ -162,7 +162,7 @@ public class SmartGearsPortalValve extends ValveBase { return; } _log.debug("Setting UMA token in cache proxy"); - OIDCTokenCacheProxy.getInstance().setRPTToken(user, session, umaToken); + JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken); _log.debug("Setting UMA token in session"); JWTTokenUtil.putUMAInSession(umaToken, session); } else { @@ -176,7 +176,7 @@ public class SmartGearsPortalValve extends ValveBase { return; } _log.debug("Setting refreshed UMA token in cache proxy"); - OIDCTokenCacheProxy.getInstance().setRPTToken(getCurrentUser(request), session, umaToken); + JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken); _log.debug("Setting refreshed UMA token in session"); JWTTokenUtil.putUMAInSession(umaToken, session); } else if (JWTTokenUtil.getUMAFromSession(session) == null) { From de67ba9d22cc3f2620bbea49d959dfb9bfbafcb3 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Tue, 7 Jul 2020 10:51:33 +0200 Subject: [PATCH 5/6] Added range dependency according to CI rules --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index b122a68..7964de4 100644 --- a/pom.xml +++ b/pom.xml @@ -64,7 +64,7 @@ org.gcube.portal oidc-library-portal - 0.2.1-SNAPSHOT + [1.0.0, 2.0.0-SNAPSHOT) provided From 3a4fee1fd4eefa29e673997b6384449bb3340179 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Tue, 7 Jul 2020 12:01:19 +0200 Subject: [PATCH 6/6] Added range dependency according to CI rules for DEV --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7964de4..ce575f2 100644 --- a/pom.xml +++ b/pom.xml @@ -64,7 +64,7 @@ org.gcube.portal oidc-library-portal - [1.0.0, 2.0.0-SNAPSHOT) + [1.0.0-SNAPSHOT, 2.0.0-SNAPSHOT) provided