library/src/main/java/io/mifos/anubis/security/IsisAuthenticatedAuthenticationProvider.java - fineract-cn-anubis - Git at Google

 /*
  * Copyright 2017 The Mifos Initiative.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package io.mifos.anubis.security;

 import io.jsonwebtoken.*;
 import io.mifos.anubis.api.v1.TokenConstants;
 import io.mifos.anubis.provider.InvalidKeyVersionException;
 import io.mifos.anubis.provider.SystemRsaKeyProvider;
 import io.mifos.anubis.provider.TenantRsaKeyProvider;
 import io.mifos.anubis.token.TokenType;

 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.stereotype.Component;
 import org.springframework.util.Assert;

 import javax.annotation.Nonnull;
 import java.security.Key;
 import java.util.Optional;


 /**
  * @author Myrle Krantz
  */
 @Component
 public class IsisAuthenticatedAuthenticationProvider implements AuthenticationProvider {
   private final SystemRsaKeyProvider systemRsaKeyProvider;
   private final TenantRsaKeyProvider tenantRsaKeyProvider;
   private final SystemAuthenticator systemAuthenticator;
   private final TenantAuthenticator tenantAuthenticator;
   private final GuestAuthenticator guestAuthenticator;

   @Autowired
   public IsisAuthenticatedAuthenticationProvider(
       final SystemRsaKeyProvider systemRsaKeyProvider,
       final TenantRsaKeyProvider tenantRsaKeyProvider,
       final SystemAuthenticator systemAuthenticator,
       final TenantAuthenticator tenantAuthenticator,
       final GuestAuthenticator guestAuthenticator) {
     this.systemRsaKeyProvider = systemRsaKeyProvider;
     this.tenantRsaKeyProvider = tenantRsaKeyProvider;
     this.systemAuthenticator = systemAuthenticator;
     this.tenantAuthenticator = tenantAuthenticator;
     this.guestAuthenticator = guestAuthenticator;
   }

   @Override public boolean supports(final Class<?> clazz) {
     return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(clazz);
   }

   @Override public Authentication authenticate(Authentication authentication)
       throws AuthenticationException {
     if (!PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication.getClass()))
     {
       throw AmitAuthenticationException.internalError(
           "authentication called with unexpected authentication object.");
     }

     final PreAuthenticatedAuthenticationToken preAuthentication = (PreAuthenticatedAuthenticationToken) authentication;

     final String user = (String) preAuthentication.getPrincipal();
     Assert.hasText(user, "user cannot be empty.  This should have been assured in preauthentication");

     return convert(user, (String)preAuthentication.getCredentials());
   }

   private Authentication convert(final @Nonnull String user, final String authenticationHeader) {
     final Optional<String> token = getJwtTokenString(authenticationHeader);
     return token.map(x -> {
       final TokenInfo tokenInfo = getTokenInfo(x);

       switch (tokenInfo.getType()) {
         case TENANT:
           return tenantAuthenticator.authenticate(user, x, tokenInfo.getVersion());
         case SYSTEM:
           return systemAuthenticator.authenticate(user, x, tokenInfo.getVersion());
         default:
           throw AmitAuthenticationException.invalidTokenIssuer(tokenInfo.getType().getIssuer());
       }
     }).orElseGet(() -> guestAuthenticator.authenticate(user));
   }

   private Optional<String> getJwtTokenString(final String authenticationHeader) {
     if ((authenticationHeader == null) || authenticationHeader.equals(
         TokenConstants.NO_AUTHENTICATION)){
       return Optional.empty();
     }

     if (!authenticationHeader.startsWith(TokenConstants.PREFIX)) {
       throw AmitAuthenticationException.invalidHeader();
     }
     return Optional.of(authenticationHeader.substring(TokenConstants.PREFIX.length()).trim());
   }

   @Nonnull private TokenInfo getTokenInfo(final String token)
   {
     try {
       @SuppressWarnings("unchecked")
       final Jwt<Header, Claims> jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolver() {
         @Override public Key resolveSigningKey(final JwsHeader header, final Claims claims) {
           final TokenType tokenType = getTokenTypeFromClaims(claims);
           final String version = getVersionFromClaims(claims);

           try {
             switch (tokenType) {
               case TENANT:
                 return tenantRsaKeyProvider.getPublicKey(version);
               case SYSTEM:
                 return systemRsaKeyProvider.getPublicKey(version);
               default:
                 throw AmitAuthenticationException.invalidTokenIssuer(tokenType.getIssuer());
             }
           }
           catch (final IllegalArgumentException e)
           {
             throw AmitAuthenticationException.missingTenant();
           }
           catch (final InvalidKeyVersionException e)
           {
             throw AmitAuthenticationException.invalidTokenVersion(tokenType.getIssuer(), version);
           }
         }

         @Override public Key resolveSigningKey(final JwsHeader header, final String plaintext) {
           return null;
         }
       }).parse(token);

       final String alg = jwt.getHeader().get("alg").toString();
       final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.forName(alg);
       if (!signatureAlgorithm.isRsa()) {
         throw AmitAuthenticationException.invalidTokenAlgorithm(alg);
       }

       final String version = getVersionFromClaims(jwt.getBody());
       final TokenType tokenType = getTokenTypeFromClaims(jwt.getBody());

       return new TokenInfo(tokenType, version);
     }
     catch (final JwtException e)
     {
       throw AmitAuthenticationException.invalidToken();
     }
   }

   private @Nonnull String getVersionFromClaims(final Claims claims) {
     final String version = claims.get(TokenConstants.JWT_VERSION_CLAIM, String.class);
     if (version == null)
     {
       return "1";
     }
     return version;
   }

   private @Nonnull TokenType getTokenTypeFromClaims(final Claims claims) {
     final String issuer = claims.getIssuer();
     final Optional<TokenType> tokenType = TokenType.valueOfIssuer(issuer);
     if (!tokenType.isPresent())
       throw AmitAuthenticationException.invalidTokenIssuer(issuer);
     return tokenType.get();
   }
 }
	/*
	* Copyright 2017 The Mifos Initiative.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package io.mifos.anubis.security;

	import io.jsonwebtoken.*;
	import io.mifos.anubis.api.v1.TokenConstants;
	import io.mifos.anubis.provider.InvalidKeyVersionException;
	import io.mifos.anubis.provider.SystemRsaKeyProvider;
	import io.mifos.anubis.provider.TenantRsaKeyProvider;
	import io.mifos.anubis.token.TokenType;

	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.security.authentication.AuthenticationProvider;
	import org.springframework.security.core.Authentication;
	import org.springframework.security.core.AuthenticationException;
	import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
	import org.springframework.stereotype.Component;
	import org.springframework.util.Assert;

	import javax.annotation.Nonnull;
	import java.security.Key;
	import java.util.Optional;


	/**
	* @author Myrle Krantz
	*/
	@Component
	public class IsisAuthenticatedAuthenticationProvider implements AuthenticationProvider {
	private final SystemRsaKeyProvider systemRsaKeyProvider;
	private final TenantRsaKeyProvider tenantRsaKeyProvider;
	private final SystemAuthenticator systemAuthenticator;
	private final TenantAuthenticator tenantAuthenticator;
	private final GuestAuthenticator guestAuthenticator;

	@Autowired
	public IsisAuthenticatedAuthenticationProvider(
	final SystemRsaKeyProvider systemRsaKeyProvider,
	final TenantRsaKeyProvider tenantRsaKeyProvider,
	final SystemAuthenticator systemAuthenticator,
	final TenantAuthenticator tenantAuthenticator,
	final GuestAuthenticator guestAuthenticator) {
	this.systemRsaKeyProvider = systemRsaKeyProvider;
	this.tenantRsaKeyProvider = tenantRsaKeyProvider;
	this.systemAuthenticator = systemAuthenticator;
	this.tenantAuthenticator = tenantAuthenticator;
	this.guestAuthenticator = guestAuthenticator;
	}

	@Override public boolean supports(final Class<?> clazz) {
	return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(clazz);
	}

	@Override public Authentication authenticate(Authentication authentication)
	throws AuthenticationException {
	if (!PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication.getClass()))
	{
	throw AmitAuthenticationException.internalError(
	"authentication called with unexpected authentication object.");
	}

	final PreAuthenticatedAuthenticationToken preAuthentication = (PreAuthenticatedAuthenticationToken) authentication;

	final String user = (String) preAuthentication.getPrincipal();
	Assert.hasText(user, "user cannot be empty. This should have been assured in preauthentication");

	return convert(user, (String)preAuthentication.getCredentials());
	}

	private Authentication convert(final @Nonnull String user, final String authenticationHeader) {
	final Optional<String> token = getJwtTokenString(authenticationHeader);
	return token.map(x -> {
	final TokenInfo tokenInfo = getTokenInfo(x);

	switch (tokenInfo.getType()) {
	case TENANT:
	return tenantAuthenticator.authenticate(user, x, tokenInfo.getVersion());
	case SYSTEM:
	return systemAuthenticator.authenticate(user, x, tokenInfo.getVersion());
	default:
	throw AmitAuthenticationException.invalidTokenIssuer(tokenInfo.getType().getIssuer());
	}
	}).orElseGet(() -> guestAuthenticator.authenticate(user));
	}

	private Optional<String> getJwtTokenString(final String authenticationHeader) {
	if ((authenticationHeader == null) \|\| authenticationHeader.equals(
	TokenConstants.NO_AUTHENTICATION)){
	return Optional.empty();
	}

	if (!authenticationHeader.startsWith(TokenConstants.PREFIX)) {
	throw AmitAuthenticationException.invalidHeader();
	}
	return Optional.of(authenticationHeader.substring(TokenConstants.PREFIX.length()).trim());
	}

	@Nonnull private TokenInfo getTokenInfo(final String token)
	{
	try {
	@SuppressWarnings("unchecked")
	final Jwt<Header, Claims> jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolver() {
	@Override public Key resolveSigningKey(final JwsHeader header, final Claims claims) {
	final TokenType tokenType = getTokenTypeFromClaims(claims);
	final String version = getVersionFromClaims(claims);

	try {
	switch (tokenType) {
	case TENANT:
	return tenantRsaKeyProvider.getPublicKey(version);
	case SYSTEM:
	return systemRsaKeyProvider.getPublicKey(version);
	default:
	throw AmitAuthenticationException.invalidTokenIssuer(tokenType.getIssuer());
	}
	}
	catch (final IllegalArgumentException e)
	{
	throw AmitAuthenticationException.missingTenant();
	}
	catch (final InvalidKeyVersionException e)
	{
	throw AmitAuthenticationException.invalidTokenVersion(tokenType.getIssuer(), version);
	}
	}

	@Override public Key resolveSigningKey(final JwsHeader header, final String plaintext) {
	return null;
	}
	}).parse(token);

	final String alg = jwt.getHeader().get("alg").toString();
	final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.forName(alg);
	if (!signatureAlgorithm.isRsa()) {
	throw AmitAuthenticationException.invalidTokenAlgorithm(alg);
	}

	final String version = getVersionFromClaims(jwt.getBody());
	final TokenType tokenType = getTokenTypeFromClaims(jwt.getBody());

	return new TokenInfo(tokenType, version);
	}
	catch (final JwtException e)
	{
	throw AmitAuthenticationException.invalidToken();
	}
	}

	private @Nonnull String getVersionFromClaims(final Claims claims) {
	final String version = claims.get(TokenConstants.JWT_VERSION_CLAIM, String.class);
	if (version == null)
	{
	return "1";
	}
	return version;
	}

	private @Nonnull TokenType getTokenTypeFromClaims(final Claims claims) {
	final String issuer = claims.getIssuer();
	final Optional<TokenType> tokenType = TokenType.valueOfIssuer(issuer);
	if (!tokenType.isPresent())
	throw AmitAuthenticationException.invalidTokenIssuer(issuer);
	return tokenType.get();
	}
	}