Use of com.yahoo.athenz.auth.impl.CertificateIdentityException in project athenz by yahoo.
Class OAuthCertBoundJwtAccessTokenAuthority, method authenticate.
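/**
 * Authenticates an HTTP request that carries a certificate-bound OAuth JWT access token.
 * The request is skipped (returns {@code null} without reporting an error) when no bearer
 * token can be extracted from the request; every other failure is reported through
 * {@code errMsg} and also yields {@code null}.
 * Checks performed, in order: the client certificate must parse (i.e. the request is mTLS),
 * the JWT must parse and validate, the JWT client id must match the certificate principal
 * and, when {@code shouldVerifyCertThumbprint} is set, the token must be bound to the
 * thumbprint of the presented certificate.
 * @param request http servlet request
 * @param errMsg will contain the error message if authentication fails; a fresh buffer is used when {@code null}
 * @return the Principal for the certificate-bound token, or null in case of failure or when no token is present.
 */
@Override
public Principal authenticate(HttpServletRequest request, StringBuilder errMsg) {
    errMsg = errMsg == null ? new StringBuilder(512) : errMsg;

    // extract credentials from request
    String jwsString = OAuthAuthorityUtils.extractHeaderToken(request);
    // skip when no credentials provided: this is not an error, another authority may apply
    if (jwsString == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("OAuthCertBoundJwtAccessTokenAuthority:authenticate: no credentials, skip...");
        }
        return null;
    }

    // parse certificate: a missing or unparsable client certificate means the request is not mTLS
    CertificateIdentity certificateIdentity;
    try {
        certificateIdentity = this.certificateIdentityParser.parse(request);
    } catch (CertificateIdentityException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid certificate: " + e.getMessage(), errMsg);
        return null;
    }
    X509Certificate clientCert = certificateIdentity.getX509Certificate();
    String clientCertPrincipal = certificateIdentity.getPrincipalName();

    // parse JWT
    OAuthJwtAccessToken at;
    try {
        at = this.parser.parse(jwsString);
    } catch (OAuthJwtAccessTokenException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), errMsg);
        return null;
    }

    // validate JWT: generic claims, client id against the certificate principal and, optionally,
    // the certificate binding so the token cannot be presented together with a different certificate
    try {
        this.validator.validate(at);
        this.validator.validateClientId(at, clientCertPrincipal);
        if (this.shouldVerifyCertThumbprint) {
            String clientCertThumbprint = this.validator.getX509CertificateThumbprint(clientCert);
            this.validator.validateCertificateBinding(at, clientCertThumbprint);
        }
    } catch (CertificateEncodingException | CryptoException | OAuthJwtAccessTokenException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), errMsg);
        return null;
    }

    // create principal from the token subject, which must split into domain and service
    String[] ds = AthenzUtils.splitPrincipalName(at.getSubject());
    if (ds == null) {
        // report through reportError for consistency with the other failure paths
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: sub is not a valid service identity: got=" + at.getSubject(), errMsg);
        return null;
    }
    String domain = ds[0];
    String service = ds[1];
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domain, service, jwsString, at.getIssuedAt(), this);
    principal.setUnsignedCreds(at.toString());
    principal.setX509Certificate(clientCert);
    // token scopes are not mapped to principal roles here
    principal.setApplicationId(clientCertPrincipal);
    principal.setAuthorizedService(this.authorizedServices.getOrDefault(clientCertPrincipal, clientCertPrincipal));

    if (LOG.isDebugEnabled()) {
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: client certificate name={}", clientCertPrincipal);
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: valid user={}", principal.toString());
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: unsignedCredentials={}", principal.getUnsignedCredentials());
        // the signed credentials are the bearer token itself (jwsString); it is deliberately not
        // written to the log, since a logged token is a replayable secret
    }
    return principal;
}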