Search in sources :

Example 1 with CertificateIdentityException

use of com.yahoo.athenz.auth.impl.CertificateIdentityException in project athenz by yahoo.

the class OAuthCertBoundJwtAccessTokenAuthority method authenticate.

/**
 * Process the authenticate request based on http request object.
 * Skip if access token not exists or cannot be extracted.
 * Fail if it is not mTLS.
 * @param request http servlet request
 * @param errMsg will contain error message if authenticate fails
 * @return the Principal for the certificate, or null in case of failure.
 */
@Override
public Principal authenticate(HttpServletRequest request, StringBuilder errMsg) {
    errMsg = errMsg == null ? new StringBuilder(512) : errMsg;
    // extract credentials from request
    String jwsString = OAuthAuthorityUtils.extractHeaderToken(request);
    // skip when no credentials provided
    if (jwsString == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("OAuthCertBoundJwtAccessTokenAuthority:authenticate: no credentials, skip...");
        }
        return null;
    }
    // parse certificate
    CertificateIdentity certificateIdentity = null;
    try {
        certificateIdentity = this.certificateIdentityParser.parse(request);
    } catch (CertificateIdentityException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid certificate: " + e.getMessage(), errMsg);
        return null;
    }
    X509Certificate clientCert = certificateIdentity.getX509Certificate();
    String clientCertPrincipal = certificateIdentity.getPrincipalName();
    // parse JWT
    OAuthJwtAccessToken at = null;
    try {
        at = this.parser.parse(jwsString);
    } catch (OAuthJwtAccessTokenException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), errMsg);
        return null;
    }
    // validate JWT
    try {
        this.validator.validate(at);
        this.validator.validateClientId(at, clientCertPrincipal);
        if (this.shouldVerifyCertThumbprint) {
            String clientCertThumbprint = this.validator.getX509CertificateThumbprint(clientCert);
            this.validator.validateCertificateBinding(at, clientCertThumbprint);
        }
    } catch (CertificateEncodingException | CryptoException | OAuthJwtAccessTokenException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), errMsg);
        return null;
    }
    // create principal
    String[] ds = AthenzUtils.splitPrincipalName(at.getSubject());
    if (ds == null) {
        errMsg.append("OAuthCertBoundJwtAccessTokenAuthority:authenticate: sub is not a valid service identity: got=").append(at.getSubject());
        return null;
    }
    String domain = ds[0];
    String service = ds[1];
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domain, service, jwsString, at.getIssuedAt(), this);
    principal.setUnsignedCreds(at.toString());
    principal.setX509Certificate(clientCert);
    // principal.setRoles(at.getScopes());
    principal.setApplicationId(clientCertPrincipal);
    principal.setAuthorizedService(this.authorizedServices.getOrDefault(clientCertPrincipal, clientCertPrincipal));
    if (LOG.isDebugEnabled()) {
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: client certificate name={}", clientCertPrincipal);
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: valid user={}", principal.toString());
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: unsignedCredentials={}", principal.getUnsignedCredentials());
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: credentials={}", principal.getCredentials());
    }
    return principal;
}
Also used : OAuthJwtAccessToken(com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessToken) CertificateIdentity(com.yahoo.athenz.auth.impl.CertificateIdentity) OAuthJwtAccessTokenException(com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException) CertificateEncodingException(java.security.cert.CertificateEncodingException) CryptoException(com.yahoo.athenz.auth.util.CryptoException) CertificateIdentityException(com.yahoo.athenz.auth.impl.CertificateIdentityException) X509Certificate(java.security.cert.X509Certificate) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal)

Aggregations

CertificateIdentity (com.yahoo.athenz.auth.impl.CertificateIdentity)1 CertificateIdentityException (com.yahoo.athenz.auth.impl.CertificateIdentityException)1 SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)1 OAuthJwtAccessToken (com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessToken)1 OAuthJwtAccessTokenException (com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException)1 CryptoException (com.yahoo.athenz.auth.util.CryptoException)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1 X509Certificate (java.security.cert.X509Certificate)1