Beta version

.classpath

@@ -1,27 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
-	<classpathentry kind="src" output="target/classes" path="src/main/java">
+	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
 		<attributes>
-			<attribute name="optional" value="true"/>
 			<attribute name="maven.pomderived" value="true"/>
 		</attributes>
 	</classpathentry>
-	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8">
 		<attributes>
-			<attribute name="optional" value="true"/>
 			<attribute name="maven.pomderived" value="true"/>
 		</attributes>
 	</classpathentry>
-	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
+	<classpathentry kind="con" path="org.eclipse.jdt.junit.JUNIT_CONTAINER/4"/>
+	<classpathentry kind="src" output="target/classes" path="src/main/java">
 		<attributes>
+			<attribute name="optional" value="true"/>
 			<attribute name="maven.pomderived" value="true"/>
 		</attributes>
 	</classpathentry>
-	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER">
+	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
 		<attributes>
+			<attribute name="optional" value="true"/>
 			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="test" value="true"/>
 		</attributes>
 	</classpathentry>
-	<classpathentry kind="con" path="org.eclipse.jdt.junit.JUNIT_CONTAINER/4"/>
 	<classpathentry kind="output" path="target/classes"/>
 </classpath>

.settings/org.eclipse.jdt.core.prefs

@@ -1,5 +1,8 @@
 eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8
-org.eclipse.jdt.core.compiler.compliance=1.7
+org.eclipse.jdt.core.compiler.compliance=1.8
+org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
 org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
-org.eclipse.jdt.core.compiler.source=1.7
+org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
+org.eclipse.jdt.core.compiler.release=disabled
+org.eclipse.jdt.core.compiler.source=1.8

.settings/org.eclipse.m2e.core.prefs

@@ -1,4 +1,4 @@
-activeProfiles=
+activeProfiles=gcube-developer
 eclipse.preferences.version=1
 resolveWorkspaceProjects=true
 version=1

pom.xml

@@ -11,7 +11,7 @@
 
 	<groupId>org.gcube.portal</groupId>
 	<artifactId>threadlocal-vars-cleaner</artifactId>
-	<version>2.1.1</version>
+	<version>2.2.0</version>
 	<packaging>jar</packaging>
 	<name>threadlocal-vars-cleaner</name>
 	<description>This component clean the Smartgears ThreadLocal variables each time a new Thread is assigned to a request from tomcat thread pool</description>
@@ -61,11 +61,22 @@
 			<artifactId>portal-manager</artifactId>
 			<scope>provided</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.gcube.portal</groupId>
+			<artifactId>oidc-library-portal</artifactId>
+			<version>[0.1.0,)</version>
+			<scope>provided</scope>
+		</dependency>
 		<dependency>
 			<groupId>com.liferay.portal</groupId>
 			<artifactId>portal-service</artifactId>
 			<scope>provided</scope>
 		</dependency>
+		<dependency>
+			<groupId>javax.portlet</groupId>
+			<artifactId>portlet-api</artifactId>
+			<scope>provided</scope>
+		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
@@ -81,21 +92,21 @@
 	<build>
 		<finalName>threadlocal-vars-cleaner-${project.version}</finalName>
 		<plugins>
-			<plugin>
+<!-- 			<plugin> -->
-				<groupId>org.apache.maven.plugins</groupId>
+<!-- 				<groupId>org.apache.maven.plugins</groupId> -->
-				<artifactId>maven-war-plugin</artifactId>
+<!-- 				<artifactId>maven-war-plugin</artifactId> -->
-				<executions>
+<!-- 				<executions> -->
-					<execution>
+<!-- 					<execution> -->
-						<phase>compile</phase>
+<!-- 						<phase>compile</phase> -->
-						<goals>
+<!-- 						<goals> -->
-							<goal>exploded</goal>
+<!-- 							<goal>exploded</goal> -->
-						</goals>
+<!-- 						</goals> -->
-					</execution>
+<!-- 					</execution> -->
-				</executions>
+<!-- 				</executions> -->
-				<configuration>
+<!-- 				<configuration> -->
-					<webappDirectory>${webappDirectory}</webappDirectory>
+<!-- 					<webappDirectory>${webappDirectory}</webappDirectory> -->
-				</configuration>
+<!-- 				</configuration> -->
-			</plugin>
+<!-- 			</plugin> -->
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>

src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java

@@ -3,11 +3,14 @@ package org.gcube.portal.threadlocalexec;
 import static org.gcube.common.authorization.client.Constants.authorizationService;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.List;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
@@ -15,117 +18,237 @@ import org.apache.catalina.valves.ValveBase;
 import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
 import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
+import org.gcube.common.authorization.library.provider.UmaJWTProvider;
 import org.gcube.common.authorization.library.provider.UserInfo;
 import org.gcube.common.portal.PortalContext;
 import org.gcube.common.scope.api.ScopeProvider;
-import org.gcube.common.scope.impl.ScopeBean;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.liferay.portal.model.User;
 import com.liferay.portal.service.UserLocalServiceUtil;
+import com.nubisware.oidc.lr62.JWTTokenUtil;
+import com.nubisware.oidc.lr62.LiferayOpenIdConnectConfiguration;
+import com.nubisware.oidc.lr62.OIDCTokenProxy;
+import com.nubisware.oidc.rest.JWTToken;
+import com.nubisware.oidc.rest.OpenIdConnectConfiguration;
+import com.nubisware.oidc.rest.OpenIdConnectRESTHelper;
+
 /**
  * 
  * @author Massimiliano Assante, CNR ISTI
  * @author Lucio Lelii, CNR ISTI
+ * @author Mauro Mugnaini, Nubisware S.r.l.
  *
  */
-public class SmartGearsPortalValve extends ValveBase  {
+public class SmartGearsPortalValve extends ValveBase {
-	private static final Logger _log = LoggerFactory.getLogger(SmartGearsPortalValve.class);
-	private final static String DEFAULT_ROLE = "OrganizationMember";
-	private final static String LIFERAY_POLLER_CONTEXT = "poller/receive";
 
+    private static final Logger _log = LoggerFactory.getLogger(SmartGearsPortalValve.class);
+    private final static String DEFAULT_ROLE = "OrganizationMember";
+    private final static String LIFERAY_POLLER_CONTEXT = "poller/receive";
 
-	@Override
+    @Override
-	public void invoke(Request req, Response resp) throws IOException,	ServletException {
+    public void invoke(Request req, Response resp) throws IOException, ServletException {
-		SecurityTokenProvider.instance.reset();
+        SecurityTokenProvider.instance.reset();
-		ScopeProvider.instance.reset();
+        ScopeProvider.instance.reset();
-		AuthorizationProvider.instance.reset();
+        AuthorizationProvider.instance.reset();
-		//_log.trace("SmartGearsPortalValve SecurityTokenProvider and AuthorizationProvider reset OK");
+        UmaJWTProvider.instance.reset();
-		if (req instanceof HttpServletRequest) {
+        //_log.trace("SmartGearsPortalValve SecurityTokenProvider and AuthorizationProvider reset OK");
-			HttpServletRequest request =  (HttpServletRequest) req;
+        if (req instanceof HttpServletRequest) {
-			if (!req.getRequestURL().toString().endsWith(LIFERAY_POLLER_CONTEXT)) { //avoid calling gCube auth service for liferay internal poller
+            HttpServletRequest request = (HttpServletRequest) req;
-				PortalContext context = PortalContext.getConfiguration();
+            if (!req.getRequestURL().toString().endsWith(LIFERAY_POLLER_CONTEXT)) { //avoid calling gCube auth service for liferay internal poller
-				String scope = context.getCurrentScope(request);
+                PortalContext context = PortalContext.getConfiguration();
-				String username = getCurrentUsername(request);
+                String scope = context.getCurrentScope(request);
-				if (scope != null && username != null && validateContext(scope)) {
+                String username = getCurrentUsername(request);
-					String userToken = null;
+                if (scope != null && username != null && validateContext(scope)) {
-					try {
+                    String userToken = null;
-						ScopeProvider.instance.set(scope);
+                    try {
-						userToken = authorizationService().resolveTokenByUserAndContext(username, scope);
+                        ScopeProvider.instance.set(scope);
-						SecurityTokenProvider.instance.set(userToken);
+                        userToken = authorizationService().resolveTokenByUserAndContext(username, scope);
-					} 
+                        SecurityTokenProvider.instance.set(userToken);
-					catch (ObjectNotFound ex) {
+                    } catch (ObjectNotFound ex) {
-						userToken = generateAuthorizationToken(username, scope);
+                        userToken = generateAuthorizationToken(username, scope);
-						SecurityTokenProvider.instance.set(userToken);
+                        SecurityTokenProvider.instance.set(userToken);
-						_log.debug("generateAuthorizationToken OK for " + username + " in scope " + scope);
+                        _log.debug("generateAuthorizationToken OK for " + username + " in scope " + scope);
-					}			
+                    } catch (Exception e) {
-					catch (Exception e) {
+                        _log.error("Something went wrong in generating token for " + username + " in scope " + scope);
-						_log.error("Something went wrong in generating token for " + username + " in scope " + scope);
+                        e.printStackTrace();
-						e.printStackTrace();
+                    }
-					}
+                    checkUMATicket(request, scope);
-					//_log.trace("Security token set OK for " + username + " in scope " + scope);
-				}
-			}
-		}
-		getNext().invoke(req, resp);
-	}
-	
-	/**
-	 * 
-	 * @param context
-	 * @return true if is the context is syntactically valid
-	 */
-	private static boolean validateContext(String context) {
-		String separator = "/";			
-		if (!context.matches("\\S+"))
-			return false;
-		String[] components=context.split(separator);
-		if (components.length<2 || components.length>4) 
-			return false;
-		return true;
-	}
 
-	/**
+                    //_log.trace("Security token set OK for " + username + " in scope " + scope);
-	 * 
+                }
-	 * @param username
+            }
-	 * @param scope
+        }
-	 * @throws Exception
+        getNext().invoke(req, resp);
-	 */
+    }
-	private static String generateAuthorizationToken(String username, String scope)  {
-		List<String> userRoles = new ArrayList<>();
-		userRoles.add(DEFAULT_ROLE);
-		String token;
-		try {
-			token = authorizationService().generateUserToken(new UserInfo(username, userRoles), scope);
-		} catch (Exception e) {
-			e.printStackTrace();
-			return null;
-		}
-		return token;
-	}
 
-	/**
+    private void checkUMATicket(HttpServletRequest request, String scope) {
-	 * 
+        HttpSession session = request.getSession(false);
-	 * @param httpServletRequest the httpServletRequest object
+        if (session == null) {
-	 * @return the instance of the user 
+            if (_log.isDebugEnabled()) {
-	 * @see GCubeUser
+                _log.debug("Session is null");
-	 */
+            }
-	public static String getCurrentUsername(HttpServletRequest httpServletRequest) {
+            return;
-		String userIdNo = httpServletRequest.getHeader(PortalContext.USER_ID_ATTR_NAME);
+        }
-		if (userIdNo != null && userIdNo.compareTo("undefined") != 0) {
+        if (_log.isTraceEnabled()) {
-			long userId = -1;
+            _log.trace("Session details: id=" + session.getId() + ", instance=" + session);
-			try {
+        }
-				userId = Long.parseLong(userIdNo);
+        String urlEncodedScope = null;
-				return UserLocalServiceUtil.getUser(userId).getScreenName();
+        try {
-			} catch (NumberFormatException e) {
+            urlEncodedScope = URLEncoder.encode(scope, "UTF-8");
-				_log.error("The userId is not a number -> " + userIdNo);
+        } catch (UnsupportedEncodingException e) {
-				return null;
+            _log.error("Cannot URL encode scope", e);
-			} catch (Exception e) {
+            return;
-				_log.error("The userId does not belong to any user -> " + userIdNo);
+        }
-				return null;
+        if (_log.isDebugEnabled()) {
-			}
+            _log.debug("URL encoded scope is: " + urlEncodedScope);
-		} 
+            _log.debug("Getting UMA token from session");
-		return null;
+        }
-	}
+        JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session);
-}
+        if (umaToken == null) {
+            if (_log.isDebugEnabled()) {
+                _log.debug("UMA token not found in session");
+            }
+            if (_log.isDebugEnabled()) {
+                _log.debug("Getting current user");
+            }
+            User user = getCurrentUser(request);
+            if (user == null) {
+                _log.error("Current user not found, cannot continue");
+                return;
+            }
+            if (_log.isDebugEnabled()) {
+                _log.debug("Trying to get UMA token from cache proxy");
+            }
+            umaToken = OIDCTokenProxy.getInstance().getUMAToken(user, session);
+            if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
+                if (umaToken == null) {
+                    if (_log.isDebugEnabled()) {
+                        _log.debug("UMA token is null. Getting new one...");
+                    }
+                } else {
+                    _log.info("UMA token for another scope (" + umaToken.getAud() + "). Getting new one for scope: "
+                            + urlEncodedScope);
+                }
+                if (_log.isDebugEnabled()) {
+                    _log.debug("Getting OIDC token from session");
+                }
+                JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session);
+                if (authToken == null) {
+                    if (_log.isDebugEnabled()) {
+                        _log.debug("OIDC token not found in session. Trying to get it from cache proxy");
+                    }
+                    authToken = getOIDCTokeFromProxyAndSetInSession(user, request, session);
+                    if (authToken == null) {
+                        _log.error("OIDC token is null, cannot continue");
+                        return;
+                    } else {
+                        if (_log.isDebugEnabled()) {
+                            _log.debug("OIDC token found in cache proxy");
+                        }
+                    }
+                }
+                _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
+                OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
+                try {
+                    // TODO: handle the token expired case and renew it with refresh token.
+                    umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenUrl(),
+                            authToken.getAsBearer(),
+                            urlEncodedScope, null);
+                } catch (Exception e) {
+                    _log.error("Getting UMA token from server", e);
+                    return;
+                }
+                if (_log.isDebugEnabled()) {
+                    _log.debug("Setting UMA token in cache proxy");
+                }
+                OIDCTokenProxy.getInstance().setRPTToken(user, session, umaToken);
+                if (_log.isDebugEnabled()) {
+                    _log.debug("Setting UMA token in session");
+                }
+                JWTTokenUtil.putUMAInSession(umaToken, session);
+            }
+        }
+        if (_log.isDebugEnabled()) {
+            _log.debug("Setting UMA token in UMA JWT provider");
+        }
+        UmaJWTProvider.instance.set(umaToken.getRaw());
+    }
+
+    private JWTToken getOIDCTokeFromProxyAndSetInSession(User user, HttpServletRequest request, HttpSession session) {
+        JWTToken token = OIDCTokenProxy.getInstance().getOIDCToken(user, session);
+        if (token == null) {
+            _log.warn("OIDC token is null also in cache proxy!");
+        } else {
+            if (_log.isDebugEnabled()) {
+                _log.debug("Setting OIDC token took from cache proxy in session");
+            }
+            JWTTokenUtil.putOIDCInSession(token, session);
+        }
+        return token;
+    }
+
+    /**
+     * 
+     * @param context
+     * @return true if is the context is syntactically valid
+     */
+    private static boolean validateContext(String context) {
+        String separator = "/";
+        if (!context.matches("\\S+"))
+            return false;
+        String[] components = context.split(separator);
+        if (components.length < 2 || components.length > 4)
+            return false;
+        return true;
+    }
 
+    /**
+     * 
+     * @param username
+     * @param scope
+     * @throws Exception
+     */
+    private static String generateAuthorizationToken(String username, String scope) {
+        List<String> userRoles = new ArrayList<>();
+        userRoles.add(DEFAULT_ROLE);
+        String token;
+        try {
+            token = authorizationService().generateUserToken(new UserInfo(username, userRoles), scope);
+        } catch (Exception e) {
+            e.printStackTrace();
+            return null;
+        }
+        return token;
+    }
+
+    /**
+     * 
+     * @param httpServletRequest the httpServletRequest object
+     * @return the instance of the user 
+     * @see GCubeUser
+     */
+    public static String getCurrentUsername(HttpServletRequest httpServletRequest) {
+        User user = getCurrentUser(httpServletRequest);
+        return user != null ? user.getScreenName() : null;
+    }
+
+    public static User getCurrentUser(HttpServletRequest httpServletRequest) {
+        String userIdNo = httpServletRequest.getHeader(PortalContext.USER_ID_ATTR_NAME);
+        if (userIdNo != null && userIdNo.compareTo("undefined") != 0) {
+            long userId = -1;
+            try {
+                userId = Long.parseLong(userIdNo);
+                return UserLocalServiceUtil.getUser(userId);
+            } catch (NumberFormatException e) {
+                _log.error("The userId is not a number -> " + userIdNo);
+                return null;
+            } catch (Exception e) {
+                _log.error("The userId does not belong to any user -> " + userIdNo);
+                return null;
+            }
+        }
+        return null;
+    }
+}