src/main/java/io/streamnative/pulsar/manager/service/impl/JwtServiceImpl.java

/**
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.streamnative.pulsar.manager.service.impl;

import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import io.streamnative.pulsar.manager.service.JwtService;

import lombok.extern.slf4j.Slf4j;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.common.util.RelativeTimeUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

import java.io.IOException;
import java.security.Key;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

@Slf4j
@Service
public class JwtServiceImpl implements JwtService {

    private int sessionTime;

    @Value("${jwt.broker.token.mode}")
    private String jwtBrokerTokenMode;

    @Value("${jwt.broker.secret.key}")
    private String jwtBrokerSecretKey;

    @Value("${jwt.broker.private.key}")
    private String jwtBrokerPrivateKey;

    @Value("${jwt.broker.public.key}")
    private String jwtBrokerPublicKey;

    private final Map<String, String> tokens = new ConcurrentHashMap<>();

    private final Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    @Autowired
    public JwtServiceImpl(@Value("${jwt.sessionTime}") int sessionTime) {
        this.sessionTime = sessionTime;
    }

    @Override
    public String toToken(String id) {
        return Jwts.builder()
                .setSubject(id)
                .setExpiration(expireTimeFromNow())
                .signWith(key)
                .compact();
    }

    @Override
    public Optional<String> getSubFromToken(String token) {
        try {
            Jws<Claims> claimsJws = Jwts.parser().setSigningKey(key).parseClaimsJws(token);
            return Optional.ofNullable(claimsJws.getBody().getSubject());
        } catch (Exception e) {
            return Optional.empty();
        }
    }

    private Date expireTimeFromNow() {
        return new Date(System.currentTimeMillis() + sessionTime * 1000);
    }

    @Override
    public void setToken(String key, String value) {
        synchronized (this.tokens) {
            this.tokens.put(key, value);
        }
    }

    @Override
    public String getToken(String key) {
        return this.tokens.get(key);
    }

    @Override
    public void removeToken(String key) {
        synchronized (this.tokens) {
            this.tokens.remove(key);
        }
    }

    private Key decodeBySecretKey() {
        try {
            byte[] encodedKey = AuthTokenUtils.readKeyFromUrl(jwtBrokerSecretKey);
            Key signingKey = AuthTokenUtils.decodeSecretKey(encodedKey);
            return signingKey;
        } catch (IOException e) {
            log.error("Decode failed by secrete key, error: {}", e.getMessage());
            return null;
        }
    }

    public String createBrokerToken(String role, String expiryTime) {
        Key signingKey;
        if (jwtBrokerTokenMode.equals("SECRET")) {
            signingKey = decodeBySecretKey();
        } else if (jwtBrokerTokenMode.equals("PRIVATE")){
            signingKey = decodeByPrivateKey();
        } else {
            log.info("Default disable JWT auth, please set jwt.broker.token.mode.");
            return null;
        }
        if (signingKey == null) {
            log.error("JWT Auth failed, signingKey is not empty");
            return null;
        }
        Optional<Date> optExpiryTime = Optional.empty();
        if (expiryTime != null) {
            long relativeTimeMillis = TimeUnit.SECONDS
                    .toMillis(RelativeTimeUtil.parseRelativeTimeInSeconds(expiryTime));
            optExpiryTime = Optional.of(new Date(System.currentTimeMillis() + relativeTimeMillis));
        }
        String token = AuthTokenUtils.createToken(signingKey, role, optExpiryTime);
        return token;
    }

    private Key decodeByPrivateKey() {
        try {
            byte[] encodedKey = AuthTokenUtils.readKeyFromUrl(jwtBrokerPrivateKey);
            SignatureAlgorithm algorithm = SignatureAlgorithm.RS256;
            Key signingKey = AuthTokenUtils.decodePrivateKey(encodedKey, algorithm);
            return signingKey;
        } catch (IOException e) {
            log.error("Decode failed by private key, error: {}", e.getMessage());
            return null;
        }
    }

    public Claims validateBrokerToken(String token) {
        Key validationKey;
        if (jwtBrokerTokenMode.equals("SECRET")) {
            validationKey = decodeBySecretKey();
        } else if (jwtBrokerTokenMode.equals("PRIVATE")){
            validationKey = decodeByPrivateKey();
        } else {
            log.info("Default disable JWT auth, please set jwt.broker.token.mode.");
            return null;
        }
        Jwt<?, Claims> jwt = Jwts.parser()
                .setSigningKey(validationKey)
                .parse(token);
        return jwt.getBody();
    }
}