aboutsummaryrefslogtreecommitdiffstats
path: root/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java
diff options
context:
space:
mode:
Diffstat (limited to 'sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java')
-rw-r--r--sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java202
1 files changed, 202 insertions, 0 deletions
diff --git a/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java b/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java
new file mode 100644
index 000000000..d8720e823
--- /dev/null
+++ b/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java
@@ -0,0 +1,202 @@
+/*
+ * ============LICENSE_START=======================================================
+ * ONAP : ccsdk features
+ * ================================================================================
+ * Copyright (C) 2021 highstreet technologies GmbH Intellectual Property.
+ * All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ */
+package org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.JWTVerifier;
+import java.io.IOException;
+import java.security.Security;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.Optional;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet;
+import org.apache.shiro.authc.BearerToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class TokenCreator {
+
+ private static final Logger LOG = LoggerFactory.getLogger(AuthHttpServlet.class.getName());
+ private final String issuer;
+ private static TokenCreator _instance;
+ private final long tokenLifetimeSeconds;
+ private final Algorithm algorithm;
+
+ private static final String ROLES_CLAIM = "roles";
+ private static final String FAMILYNAME_CLAIM = "family_name";
+ private static final String NAME_CLAIM = "name";
+ private static final String PROVIDERID_CLAIM = "provider_id";
+ private static final String COOKIE_NAME_AUTH = "token";
+
+ static {
+ Security.addProvider(
+ new BouncyCastleProvider()
+ );
+ }
+ public static TokenCreator getInstance(Config config) throws IllegalArgumentException, IOException {
+ if (_instance == null) {
+ _instance = new TokenCreator(config);
+ }
+ return _instance;
+ }
+
+ public static TokenCreator getInstance(String alg, String secret, String issuer, long tokenLifetime)
+ throws IllegalArgumentException, IOException {
+ return getInstance(alg, secret, null, issuer, tokenLifetime);
+ }
+
+ public static TokenCreator getInstance(String alg, String secret, String pubkey, String issuer, long tokenLifetime)
+ throws IllegalArgumentException, IOException {
+ if (_instance == null) {
+ _instance = new TokenCreator(alg, secret, pubkey, issuer, tokenLifetime);
+ }
+ return _instance;
+ }
+
+ private TokenCreator(Config config) throws IllegalArgumentException, IOException {
+ this(config.getAlgorithm(), config.getTokenSecret(), config.getPublicKey(), config.getTokenIssuer(),
+ config.getTokenLifetime());
+ }
+
+ private TokenCreator(String alg, String secret, String pubkey, String issuer, long tokenLifetime)
+ throws IllegalArgumentException, IOException {
+ this.issuer = issuer;
+ this.tokenLifetimeSeconds = tokenLifetime;
+ this.algorithm = this.createAlgorithm(alg, secret, pubkey);
+ }
+
+ private Algorithm createAlgorithm(String alg, String secret, String pubkey)
+ throws IllegalArgumentException, IOException {
+ if (alg == null) {
+ alg = Config.TOKENALG_HS256;
+ }
+ switch (alg) {
+ case Config.TOKENALG_HS256:
+ return Algorithm.HMAC256(secret);
+ case Config.TOKENALG_RS256:
+ return Algorithm.RSA256(RSAKeyReader.getPublicKey(pubkey), RSAKeyReader.getPrivateKey(secret));
+ case Config.TOKENALG_RS512:
+ return Algorithm.RSA512(RSAKeyReader.getPublicKey(pubkey), RSAKeyReader.getPrivateKey(secret));
+ case Config.TOKENALG_CLIENT_RS256:
+ return Algorithm.RSA256(RSAKeyReader.getPublicKey(pubkey), null);
+ case Config.TOKENALG_CLIENT_RS512:
+ return Algorithm.RSA512(RSAKeyReader.getPublicKey(pubkey), null);
+ }
+ throw new IllegalArgumentException(String.format("unable to find algorithm for %s", alg));
+
+ }
+
+ public BearerToken createNewJWT(UserTokenPayload data) {
+ final String token = JWT.create().withIssuer(issuer).withExpiresAt(new Date(data.getExp()))
+ .withIssuedAt(new Date(data.getIat())).withSubject(data.getPreferredUsername())
+ .withClaim(NAME_CLAIM, data.getGivenName()).withClaim(FAMILYNAME_CLAIM, data.getFamilyName())
+ .withClaim(PROVIDERID_CLAIM, data.getProviderId())
+ .withArrayClaim(ROLES_CLAIM, data.getRoles().toArray(new String[data.getRoles().size()]))
+ .sign(this.algorithm);
+ LOG.trace("token created: {}", token);
+ return new BearerToken(token);
+ }
+
+ public DecodedJWT verify(String token) {
+ DecodedJWT jwt = null;
+ LOG.debug("try to verify token {}", token);
+ try {
+ JWTVerifier verifier = JWT.require(this.algorithm).withIssuer(issuer).build();
+ jwt = verifier.verify(token);
+
+ } catch (JWTVerificationException e) {
+ LOG.warn("unable to verify token {}:", token, e);
+ }
+ return jwt;
+ }
+
+ public long getDefaultExp() {
+ return new Date().getTime() + (this.tokenLifetimeSeconds * 1000);
+ }
+
+ public long getDefaultExp(long expIn) {
+ return new Date().getTime() + expIn;
+ }
+
+ public long getDefaultIat() {
+ return new Date().getTime();
+ }
+
+ public String getBearerToken(HttpServletRequest req) {
+ return this.getBearerToken(req, false);
+ }
+
+ public String getBearerToken(HttpServletRequest req, boolean checkCookie) {
+ final String authHeader = req.getHeader("Authorization");
+ if ((authHeader == null || !authHeader.startsWith("Bearer")) && checkCookie) {
+ Cookie[] cookies = req.getCookies();
+ Optional<Cookie> ocookie = Optional.empty();
+ if (cookies != null) {
+ ocookie = Arrays.stream(cookies).filter(c -> c != null && COOKIE_NAME_AUTH.equals(c.getName()))
+ .findFirst();
+ }
+ if (ocookie.isEmpty()) {
+ return null;
+ }
+ return ocookie.get().getValue();
+ }
+ return authHeader.substring(7);
+ }
+
+ public UserTokenPayload decode(HttpServletRequest req) throws JWTDecodeException {
+ final String token = this.getBearerToken(req);
+ return token != null ? this.decode(token) : null;
+ }
+
+ public UserTokenPayload decode(String token) {
+ if (token == null) {
+ return null;
+ }
+ DecodedJWT jwt = JWT.decode(token);
+ UserTokenPayload data = new UserTokenPayload();
+ data.setRoles(Arrays.asList(jwt.getClaim(ROLES_CLAIM).asArray(String.class)));
+ data.setExp(jwt.getExpiresAt().getTime());
+ data.setFamilyName(jwt.getClaim(FAMILYNAME_CLAIM).asString());
+ data.setGivenName(jwt.getClaim(NAME_CLAIM).asString());
+ data.setPreferredUsername(jwt.getClaim(NAME_CLAIM).asString());
+ data.setProviderId(jwt.getClaim(PROVIDERID_CLAIM).asString());
+ return data;
+ }
+
+ public Cookie createAuthCookie(BearerToken data) {
+ Cookie cookie = new Cookie(COOKIE_NAME_AUTH, data.getToken());
+ cookie.setMaxAge((int) this.tokenLifetimeSeconds);
+ cookie.setPath("/");
+ cookie.setHttpOnly(true);
+ cookie.setSecure(true);
+ return cookie;
+ }
+}