Google Git
Sign in
apache / usergrid / 5095891dd3882adb33a5b50eeab1748c6e3d9df1 / . / stack / services / src / main / java / org / apache / usergrid / security / sso / ApigeeSSO2Provider.java
blob: 8ee8e031be3bfd6575513af4724d1468d5270017 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.usergrid.security.sso;
import io.jsonwebtoken.*;
import org.apache.usergrid.corepersistence.util.CpNamingUtils;
import org.apache.usergrid.management.ManagementService;
import org.apache.usergrid.management.UserInfo;
import org.apache.usergrid.management.exceptions.ExternalSSOProviderAdminUserNotFoundException;
import org.apache.usergrid.security.AuthPrincipalInfo;
import org.apache.usergrid.security.AuthPrincipalType;
import org.apache.usergrid.security.tokens.TokenInfo;
import org.apache.usergrid.security.tokens.exceptions.BadTokenException;
import org.apache.usergrid.security.tokens.exceptions.ExpiredTokenException;
import org.apache.usergrid.utils.JsonUtils;
import org.apache.usergrid.utils.UUIDUtils;
import org.glassfish.jersey.client.ClientConfig;
import org.glassfish.jersey.jackson.JacksonFeature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import static org.apache.commons.codec.binary.Base64.decodeBase64;
/**
* Created by ayeshadastagiri on 6/22/16.
*/
public class ApigeeSSO2Provider implements ExternalSSOProvider {
private static final Logger logger = LoggerFactory.getLogger(ApigeeSSO2Provider.class);
private static final String RESPONSE_PUBLICKEY_VALUE = "value";
protected Properties properties;
protected ManagementService management;
protected Client client;
protected PublicKey publicKey;
public static final String USERGRID_EXTERNAL_PUBLICKEY_URL = "usergrid.external.sso.url";
public ApigeeSSO2Provider() {
ClientConfig clientConfig = new ClientConfig();
clientConfig.register(new JacksonFeature());
client = ClientBuilder.newClient(clientConfig);
}
public PublicKey getPublicKey(String keyUrl) {
if(keyUrl != null && !keyUrl.isEmpty()) {
try {
Map<String, Object> publicKey = client.target(keyUrl).request().get(Map.class);
String ssoPublicKey = publicKey.get(RESPONSE_PUBLICKEY_VALUE).toString().split("----\n")[1].split("\n---")[0];
byte[] publicBytes = decodeBase64(ssoPublicKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey pubKey = keyFactory.generatePublic(keySpec);
return pubKey;
}
catch(Exception e){
throw new IllegalArgumentException("error getting public key");
}
}
return null;
}
@Override
public TokenInfo validateAndReturnTokenInfo(String token, long ttl) throws Exception {
UserInfo userInfo = validateAndReturnUserInfo(token, ttl);
if(userInfo == null){
throw new ExternalSSOProviderAdminUserNotFoundException("Unable to load user from token: "+token);
}
return new TokenInfo(UUIDUtils.newTimeUUID(), "access", 1, 1, 1, ttl,
new AuthPrincipalInfo(AuthPrincipalType.ADMIN_USER, userInfo.getUuid(),
CpNamingUtils.MANAGEMENT_APPLICATION_ID), null);
}
@Override
public UserInfo validateAndReturnUserInfo(String token, long ttl) throws Exception {
Jws<Claims> payload = getClaims(token);
// this step super important to ensure the token is a valid token
validateClaims(payload);
UserInfo userInfo = management.getAdminUserByEmail(payload.getBody().get("email").toString());
return userInfo;
}
@Override
public Map<String, String> getDecodedTokenDetails(String token) throws Exception {
Jws<Claims> jws = getClaims(token);
Claims claims = jws.getBody();
Map<String, String> tokenDetails = new HashMap<>();
tokenDetails.put("username", (String)claims.get("user_name"));
tokenDetails.put("email", (String)claims.get("email"));
tokenDetails.put("expiry", claims.get("exp").toString());
tokenDetails.put("user_id", claims.get("user_id").toString());
return tokenDetails;
}
@Override
public Map<String, Object> getAllTokenDetails(String token, String keyUrl) throws Exception {
Jws<Claims> claims = getClaimsForKeyUrl(token,getPublicKey(keyUrl));
return JsonUtils.toJsonMap(claims.getBody());
}
@Override
public String getExternalSSOUrl() {
return properties.getProperty(USERGRID_EXTERNAL_PUBLICKEY_URL);
}
public Jws<Claims> getClaimsForKeyUrl(String token, PublicKey ssoPublicKey) throws NoSuchAlgorithmException, InvalidKeySpecException, BadTokenException, ExpiredTokenException {
Jws<Claims> claims = null;
if(ssoPublicKey == null){
throw new IllegalArgumentException("Public key must be provided with Apigee " +
"token in order to verify signature.");
}
try {
claims = Jwts.parser().setSigningKey(ssoPublicKey).parseClaimsJws(token);
} catch (SignatureException se) {
if(logger.isDebugEnabled()) {
logger.debug("Signature was invalid for Apigee JWT: {} and key: {}", token, ssoPublicKey);
}
throw new BadTokenException("Invalid Apigee SSO token signature");
} catch (MalformedJwtException me){
if(logger.isDebugEnabled()) {
logger.debug("Beginning JSON object section of Apigee JWT invalid for token: {}", token);
}
throw new BadTokenException("Malformed Apigee JWT");
} catch (ArrayIndexOutOfBoundsException aio){
if(logger.isDebugEnabled()) {
logger.debug("Signature section of Apigee JWT invalid for token: {}", token);
}
throw new BadTokenException("Malformed Apigee JWT");
} catch ( ExpiredJwtException e ){
final long expiry = Long.valueOf(e.getClaims().get("exp").toString());
final long expirationDelta = ((System.currentTimeMillis()/1000) - expiry)*1000;
throw new ExpiredTokenException(String.format("Token expired %d milliseconds ago.", expirationDelta ));
}
return claims;
}
public Jws<Claims> getClaims(String token) throws Exception{
return getClaimsForKeyUrl(token,publicKey);
}
private void validateClaims (final Jws<Claims> claims) throws ExpiredTokenException {
final Claims body = claims.getBody();
final long expiry = Long.valueOf(body.get("exp").toString());
if(expiry - (System.currentTimeMillis()/1000) < 0 ){
final long expirationDelta = ((System.currentTimeMillis()/1000) - expiry)*1000;
throw new ExpiredTokenException(String.format("Token expired %d milliseconds ago.", expirationDelta ));
}
}
public void setPublicKey( PublicKey publicKeyArg){
this.publicKey = publicKeyArg;
}
@Autowired
public void setManagement(ManagementService management) {
this.management = management;
}
@Autowired
public void setProperties(Properties properties) {
this.properties = properties;
this.publicKey = getPublicKey(getExternalSSOUrl());
}
}