| /**************************************************************** |
| * Licensed to the Apache Software Foundation (ASF) under one * |
| * or more contributor license agreements. See the NOTICE file * |
| * distributed with this work for additional information * |
| * regarding copyright ownership. The ASF licenses this file * |
| * to you under the Apache License, Version 2.0 (the * |
| * "License"); you may not use this file except in compliance * |
| * with the License. You may obtain a copy of the License at * |
| * * |
| * http://www.apache.org/licenses/LICENSE-2.0 * |
| * * |
| * Unless required by applicable law or agreed to in writing, * |
| * software distributed under the License is distributed on an * |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * |
| * KIND, either express or implied. See the License for the * |
| * specific language governing permissions and limitations * |
| * under the License. * |
| ****************************************************************/ |
| package org.apache.james.jmap.jwt; |
| |
| import javax.inject.Inject; |
| import javax.inject.Named; |
| |
| import org.apache.james.core.Username; |
| import org.apache.james.jmap.exceptions.UnauthorizedException; |
| import org.apache.james.jmap.http.AuthenticationChallenge; |
| import org.apache.james.jmap.http.AuthenticationScheme; |
| import org.apache.james.jmap.http.AuthenticationStrategy; |
| import org.apache.james.jwt.JwtTokenVerifier; |
| import org.apache.james.mailbox.MailboxManager; |
| import org.apache.james.mailbox.MailboxSession; |
| import org.apache.james.user.api.UsersRepository; |
| import org.apache.james.user.api.UsersRepositoryException; |
| |
| import com.google.common.annotations.VisibleForTesting; |
| import com.google.common.collect.ImmutableMap; |
| |
| import reactor.core.publisher.Mono; |
| import reactor.core.scheduler.Schedulers; |
| import reactor.netty.http.server.HttpServerRequest; |
| |
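/**
 * JMAP authentication strategy backed by a bearer JWT.
 *
 * <p>The request's authorization header is obtained through {@code authHeaders(...)}
 * (inherited, not visible in this file). Only headers starting with the exact,
 * case-sensitive {@link #AUTHORIZATION_HEADER_PREFIX} are handled here; any other
 * header yields an empty {@link Mono}, which presumably lets the next strategy in
 * the chain run. The token is then verified by the injected {@link JwtTokenVerifier},
 * its login claim is turned into a {@link Username}, the {@link UsersRepository} is
 * asked to validate it, and finally a system session is opened for that user.
 *
 * <p>Every authentication failure surfaces as an {@link UnauthorizedException}
 * propagated as a {@link Mono} error; the messages deliberately do not echo the
 * presented token.
 */
public class JWTAuthenticationStrategy implements AuthenticationStrategy {

    /** Authorization scheme prefix (with its trailing space) this strategy responds to. */
    @VisibleForTesting
    public static final String AUTHORIZATION_HEADER_PREFIX = "Bearer ";
    private final JwtTokenVerifier tokenManager;
    private final MailboxManager mailboxManager;
    private final UsersRepository usersRepository;

    /**
     * @param tokenManager    verifier for the JMAP JWT (the {@code "jmap"}-named binding)
     * @param mailboxManager  used to open a system session once the user is authenticated
     * @param usersRepository used to confirm the login carried by the token is a valid user
     */
    @Inject
    @VisibleForTesting
    public JWTAuthenticationStrategy(@Named("jmap") JwtTokenVerifier tokenManager,
                                     MailboxManager mailboxManager,
                                     UsersRepository usersRepository) {
        this.tokenManager = tokenManager;
        this.mailboxManager = mailboxManager;
        this.usersRepository = usersRepository;
    }

    /**
     * Authenticates the request from its bearer token and opens a mailbox session.
     *
     * @param httpRequest the incoming request
     * @return a {@link Mono} emitting the session for the token's user; empty when the
     *         authorization header does not use the {@code Bearer} scheme; erroring with
     *         {@link UnauthorizedException} when the token does not verify, carries no
     *         login, or names a user the repository rejects
     */
    @Override
    public Mono<MailboxSession> createMailboxSession(HttpServerRequest httpRequest) {
        return Mono.fromCallable(() -> authHeaders(httpRequest))
            // Exact prefix match: a differently-cased scheme is treated as "not ours",
            // not as a failure.
            .filter(header -> header.startsWith(AUTHORIZATION_HEADER_PREFIX))
            .map(header -> header.substring(AUTHORIZATION_HEADER_PREFIX.length()))
            .flatMap(userJWTToken -> Mono.fromCallable(() -> {
                // Signature/validity check first; nothing from the token is trusted before this.
                if (!tokenManager.verify(userJWTToken)) {
                    throw new UnauthorizedException("Failed Jwt verification");
                }

                // A token that verifies but carries no usable login must still be refused
                // as unauthorized rather than reaching Username.of with null/empty input
                // (how Username.of reacts to that is not visible here, so guard explicitly).
                String login = tokenManager.extractLogin(userJWTToken);
                if (login == null || login.isEmpty()) {
                    throw new UnauthorizedException("Jwt carries no login");
                }

                Username username = Username.of(login);
                try {
                    usersRepository.assertValid(username);
                } catch (UsersRepositoryException e) {
                    throw new UnauthorizedException("Invalid username", e);
                }

                return username;
                // Verification and the repository call may block; keep them off the
                // event loop. NOTE(review): Schedulers.elastic() is deprecated in
                // Reactor 3.4+ in favour of boundedElastic(); the Reactor version in
                // use is not visible here, so it is left unchanged.
            }).subscribeOn(Schedulers.elastic()))
            // No password is involved: the verified token alone grants a system session.
            .map(mailboxManager::createSystemSession);
    }

    /**
     * Challenge advertised when authentication is required:
     * {@code WWW-Authenticate: Bearer realm="JWT"}.
     */
    @Override
    public AuthenticationChallenge correspondingChallenge() {
        return AuthenticationChallenge.of(
            AuthenticationScheme.of("Bearer"),
            ImmutableMap.of("realm", "JWT"));
    }
}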