From 07c8a1219e9c29a6e4ae3bdc3ae0cae1f87da3b5 Mon Sep 17 00:00:00 2001
From: Mauro Mugnaini
Date: Fri, 22 Jan 2021 14:59:19 +0100
Subject: [PATCH] The UMA refresh token flow is skipped by the specific setting (constant in the class) and a new token is requested if the old is expired.
---
 .../SmartGearsPortalValve.java | 60 ++++++++++++-------
 1 file changed, 37 insertions(+), 23 deletions(-)
diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
index c4679a4..155af15 100644
--- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
+++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
@@ -48,6 +48,7 @@ public class SmartGearsPortalValve extends ValveBase {
 private final static String DEFAULT_ROLE = "OrganizationMember";
 private final static String LIFERAY_POLLER_CONTEXT = "poller/receive";
+ private static boolean REFRESH_UMA_TOKEN = false;
 private static String LOGOUT_URI = "/c/portal/logout";
 private static boolean FORCE_LOGOUT_ON_INVALID_OIDC = true;
 private static boolean FORCE_LOGOUT_ON_MISSING_OIDC = true;
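Review bot: `REFRESH_UMA_TOKEN` is added as a mutable `private static boolean` although the commit message describes it as a constant in the class; declaring it `private static final boolean REFRESH_UMA_TOKEN = false;` lets the compiler guarantee that the refresh path can only be re-enabled by editing the source, not by an assignment somewhere else in the class. The neighbouring `FORCE_LOGOUT_*` flags share the same non-final shape, so the style is consistent with the file, but this new switch decides whether an expired UMA token is refreshed or discarded and deserves a short comment at the declaration, e.g. `// false: an expired UMA token is dropped and a new one requested; true: try the refresh-token flow first`. If the intent is to toggle this per deployment, the hard-coded value is presumably a placeholder for a configuration setting, which would be worth stating in the commit description.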
@@ -125,37 +126,50 @@ public class SmartGearsPortalValve extends ValveBase {
 _log.trace("Current UMA token is OK {}", umaToken.getTokenEssentials());
 } else {
 if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) {
- _log.debug("Suitable UMA token found but is expired, trying to refresh it {}",
- umaToken.getTokenEssentials());
+ if (REFRESH_UMA_TOKEN) {
+ _log.debug("Suitable UMA token found but is expired, trying to refresh it {}",
+ umaToken.getTokenEssentials());
- OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
- .getConfiguration(request);
- try {
- umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
- _log.debug("Got a refreshed UMA token {}", umaToken.getTokenEssentials());
+ OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
+ .getConfiguration(request);
+ try {
+ umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
+ _log.debug("Got a refreshed UMA token {}", umaToken.getTokenEssentials());
- _log.debug("Setting the refreshed UMA token in cache proxy for user {}, and session]",
- user.getScreenName(), sessionId);
+ _log.debug("Setting the refreshed UMA token in cache proxy for user {}, and session]",
+ user.getScreenName(), sessionId);
- JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
- } catch (OpenIdConnectRESTHelperException e) {
- if (e.hasJSONPayload()) {
- if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
- if (FORCE_LOGOUT_ON_INVALID_OIDC) {
- _log.warn("OIDC token is become invalid, forcing redirect to logout URI");
- forceLogout(response);
+ JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
+ } catch (OpenIdConnectRESTHelperException e) {
+ if (e.hasJSONPayload()) {
+ if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
+ if (FORCE_LOGOUT_ON_INVALID_OIDC) {
+ _log.warn("OIDC token is become invalid, forcing redirect to logout URI");
+ forceLogout(response);
+ } else {
+ _log.warn("OIDC token is become invalid, cannot continue");
+ }
+ return;
+ } else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
+ _log.info("UMA token is no more active, get new one");
 } else {
- _log.warn("OIDC token is become invalid, cannot continue");
+ _log.error("Other UMA token refresh error", e);
 }
- return;
- } else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
- _log.info("UMA token is no more active, get new one");
 } else {
- _log.error("Other UMA token refresh error", e);
+ _log.error("Refreshing UMA token on server " + umaToken.getTokenEssentials(), e);
 }
- } else {
- _log.error("Refreshing UMA token on server " + umaToken.getTokenEssentials(), e);
+ umaToken = null;
+ _log.debug(
+ "Removing inactive UMA token from cache proxy if present for user {} and session {}",
+ user.getScreenName(), sessionId);
+
+ JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
 }
+ } else {
+ _log.debug("Suitable UMA token found but it is expired." + "It will be replaced with new one according to settings {}",
+ umaToken.getTokenEssentials());
+
+ umaToken = null;
 _log.debug("Removing inactive UMA token from cache proxy if present for user {} and session {}",
 user.getScreenName(), sessionId);