Examples with PowerAuthApiAuthentication io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthApiAuthentication used on opensource projects

Example 1 with PowerAuthApiAuthentication

use of io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthApiAuthentication in project powerauth-restful-integration by lime-company.

the class PowerAuthAuthenticationProvider method validateRequestSignatureWithActivationDetails.

@Override
@Nonnull
public PowerAuthApiAuthentication validateRequestSignatureWithActivationDetails(@Nonnull String httpMethod, @Nullable byte[] httpBody, @Nonnull String requestUriIdentifier, @Nonnull String httpAuthorizationHeader, @Nonnull List<PowerAuthSignatureTypes> allowedSignatureTypes, @Nullable Integer forcedSignatureVersion) throws PowerAuthAuthenticationException {
    // Check for HTTP PowerAuth signature header
    if (httpAuthorizationHeader.equals("undefined")) {
        logger.warn("Signature HTTP header is missing");
        throw new PowerAuthHeaderMissingException();
    }
    // Parse HTTP header
    final PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(httpAuthorizationHeader);
    // Validate the header
    try {
        PowerAuthSignatureHttpHeaderValidator.validate(header);
    } catch (InvalidPowerAuthHttpHeaderException ex) {
        logger.warn("Signature HTTP header validation failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthSignatureInvalidException();
    }
    // Check if the signature type is allowed
    final PowerAuthSignatureTypes expectedSignatureType = PowerAuthSignatureTypes.getEnumFromString(header.getSignatureType());
    if (expectedSignatureType == null || !allowedSignatureTypes.contains(expectedSignatureType)) {
        logger.warn("Invalid signature type: {}", expectedSignatureType);
        throw new PowerAuthSignatureTypeInvalidException();
    }
    // Configure PowerAuth authentication object
    final PowerAuthSignatureAuthenticationImpl powerAuthAuthentication = new PowerAuthSignatureAuthenticationImpl();
    powerAuthAuthentication.setActivationId(header.getActivationId());
    powerAuthAuthentication.setApplicationKey(header.getApplicationKey());
    powerAuthAuthentication.setNonce(BaseEncoding.base64().decode(header.getNonce()));
    powerAuthAuthentication.setSignatureType(header.getSignatureType());
    powerAuthAuthentication.setSignature(header.getSignature());
    powerAuthAuthentication.setHttpMethod(httpMethod);
    powerAuthAuthentication.setRequestUri(requestUriIdentifier);
    powerAuthAuthentication.setData(httpBody);
    powerAuthAuthentication.setVersion(header.getVersion());
    powerAuthAuthentication.setHttpHeader(header);
    powerAuthAuthentication.setForcedSignatureVersion(forcedSignatureVersion);
    // Call the authentication based on signature authentication object
    final PowerAuthApiAuthentication auth = (PowerAuthApiAuthentication) this.authenticate(powerAuthAuthentication);
    // In case authentication is null, throw PowerAuth exception
    if (auth == null) {
        logger.debug("Signature validation failed");
        throw new PowerAuthSignatureInvalidException();
    }
    return auth;
}

Example 2 with PowerAuthApiAuthentication

use of io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthApiAuthentication in project powerauth-restful-integration by lime-company.

the class UpgradeService method upgradeCommit.

/**
 * Commit upgrade of activation to version 3.
 * @param signatureHeader PowerAuth signature HTTP header.
 * @param httpServletRequest HTTP servlet request.
 * @return Commit upgrade response.
 * @throws PowerAuthAuthenticationException in case authentication fails.
 * @throws PowerAuthUpgradeException In case upgrade commit fails.
 */
public Response upgradeCommit(String signatureHeader, HttpServletRequest httpServletRequest) throws PowerAuthAuthenticationException, PowerAuthUpgradeException {
    try {
        // Extract request body
        final byte[] requestBodyBytes = authenticationProvider.extractRequestBodyBytes(httpServletRequest);
        if (requestBodyBytes == null || requestBodyBytes.length == 0) {
            // Expected request body is {}, do not accept empty body
            logger.warn("Empty request body");
            throw new PowerAuthInvalidRequestException();
        }
        // Verify signature, force signature version during upgrade to version 3
        final List<PowerAuthSignatureTypes> allowedSignatureTypes = Collections.singletonList(PowerAuthSignatureTypes.POSSESSION);
        final PowerAuthApiAuthentication authentication = authenticationProvider.validateRequestSignatureWithActivationDetails("POST", requestBodyBytes, "/pa/upgrade/commit", signatureHeader, allowedSignatureTypes, 3);
        // In case signature verification fails, upgrade fails, too
        if (!authentication.getAuthenticationContext().isValid() || authentication.getActivationContext().getActivationId() == null) {
            logger.debug("Signature validation failed");
            throw new PowerAuthSignatureInvalidException();
        }
        // Get signature HTTP headers
        final String activationId = authentication.getActivationContext().getActivationId();
        final PowerAuthSignatureHttpHeader httpHeader = (PowerAuthSignatureHttpHeader) authentication.getHttpHeader();
        final String applicationKey = httpHeader.getApplicationKey();
        // Commit upgrade on PowerAuth server
        final CommitUpgradeResponse upgradeResponse = powerAuthClient.commitUpgrade(activationId, applicationKey);
        if (upgradeResponse.isCommitted()) {
            return new Response();
        } else {
            logger.debug("Upgrade commit failed");
            throw new PowerAuthUpgradeException();
        }
    } catch (PowerAuthAuthenticationException ex) {
        throw ex;
    } catch (Exception ex) {
        logger.warn("PowerAuth upgrade commit failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthUpgradeException();
    }
}

Example 3 with PowerAuthApiAuthentication

use of io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthApiAuthentication in project powerauth-restful-integration by lime-company.

the class PowerAuthAnnotationInterceptor method preHandle.

@Override
public boolean preHandle(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull Object handler) {
    // requests before the actual requests.
    if (handler instanceof HandlerMethod) {
        final HandlerMethod handlerMethod = (HandlerMethod) handler;
        // Obtain annotations
        PowerAuth powerAuthSignatureAnnotation = handlerMethod.getMethodAnnotation(PowerAuth.class);
        PowerAuthToken powerAuthTokenAnnotation = handlerMethod.getMethodAnnotation(PowerAuthToken.class);
        PowerAuthEncryption powerAuthEncryptionAnnotation = handlerMethod.getMethodAnnotation(PowerAuthEncryption.class);
        // Check that either signature or token annotation is active
        if (powerAuthSignatureAnnotation != null && powerAuthTokenAnnotation != null) {
            logger.warn("You cannot use both @PowerAuth and @PowerAuthToken on same handler method. We are removing both.");
            powerAuthSignatureAnnotation = null;
            powerAuthTokenAnnotation = null;
        }
        // sign-then-encrypt sequence in case both authorization and encryption are used.
        if (powerAuthEncryptionAnnotation != null) {
            final Type requestType = resolveGenericParameterTypeForEcies(handlerMethod);
            try {
                encryptionProvider.decryptRequest(request, requestType, powerAuthEncryptionAnnotation.scope());
            // Encryption object is saved in HTTP servlet request by encryption provider, so that it is available for Spring
            } catch (PowerAuthEncryptionException ex) {
                logger.warn("Decryption failed, error: {}", ex.getMessage());
                logger.debug("Error details", ex);
            }
        }
        // Resolve @PowerAuth annotation
        if (powerAuthSignatureAnnotation != null) {
            try {
                final String resourceId = expandResourceId(powerAuthSignatureAnnotation.resourceId(), request, handlerMethod);
                final String header = request.getHeader(PowerAuthSignatureHttpHeader.HEADER_NAME);
                final List<PowerAuthSignatureTypes> signatureTypes = Arrays.asList(powerAuthSignatureAnnotation.signatureType());
                final PowerAuthApiAuthentication authentication = authenticationProvider.validateRequestSignatureWithActivationDetails(request, resourceId, header, signatureTypes);
                request.setAttribute(PowerAuthRequestObjects.AUTHENTICATION_OBJECT, authentication);
            } catch (PowerAuthAuthenticationException ex) {
                logger.warn("Invalid request signature, authentication object was removed");
                request.setAttribute(PowerAuthRequestObjects.AUTHENTICATION_OBJECT, null);
            }
        }
        // Resolve @PowerAuthToken annotation
        if (powerAuthTokenAnnotation != null) {
            try {
                final String header = request.getHeader(PowerAuthTokenHttpHeader.HEADER_NAME);
                final List<PowerAuthSignatureTypes> signatureTypes = Arrays.asList(powerAuthTokenAnnotation.signatureType());
                final PowerAuthApiAuthentication authentication = authenticationProvider.validateTokenWithActivationDetails(header, signatureTypes);
                request.setAttribute(PowerAuthRequestObjects.AUTHENTICATION_OBJECT, authentication);
            } catch (PowerAuthAuthenticationException ex) {
                logger.warn("Invalid token, authentication object was removed");
                request.setAttribute(PowerAuthRequestObjects.AUTHENTICATION_OBJECT, null);
            }
        }
    }
    return true;
}

Example 4 with PowerAuthApiAuthentication

use of io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthApiAuthentication in project powerauth-restful-integration by lime-company.

the class PowerAuthWebArgumentResolver method resolveArgument.

@Override
public Object resolveArgument(@NonNull MethodParameter parameter, ModelAndViewContainer mavContainer, @NonNull NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
    if (parameter.getParameterType().isAssignableFrom(PowerAuthApiAuthentication.class)) {
        HttpServletRequest request = (HttpServletRequest) webRequest.getNativeRequest();
        PowerAuthApiAuthentication apiAuthentication = (PowerAuthApiAuthentication) request.getAttribute(PowerAuthRequestObjects.AUTHENTICATION_OBJECT);
        if (apiAuthentication == null) {
            return null;
        }
        if (apiAuthentication.getAuthenticationContext().isValid()) {
            // Return PowerAuthApiAuthentication instance only for successful authentication due to compatibility reasons
            return apiAuthentication;
        }
    }
    if (parameter.getParameterType().isAssignableFrom(PowerAuthActivation.class)) {
        HttpServletRequest request = (HttpServletRequest) webRequest.getNativeRequest();
        PowerAuthApiAuthentication apiAuthentication = (PowerAuthApiAuthentication) request.getAttribute(PowerAuthRequestObjects.AUTHENTICATION_OBJECT);
        if (apiAuthentication == null) {
            return null;
        }
        // Activation context is returned for both successful and failed authentication
        return apiAuthentication.getActivationContext();
    }
    return null;
}

Example 5 with PowerAuthApiAuthentication

use of io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthApiAuthentication in project powerauth-restful-integration by lime-company.

the class PowerAuthAuthenticationProvider method validateTokenWithActivationDetails.

@Nonnull
@Override
public PowerAuthApiAuthentication validateTokenWithActivationDetails(@Nonnull String tokenHeader, @Nonnull List<PowerAuthSignatureTypes> allowedSignatureTypes) throws PowerAuthAuthenticationException {
    // Check for HTTP PowerAuth signature header
    if (tokenHeader.equals("undefined")) {
        logger.warn("Token HTTP header is missing");
        throw new PowerAuthHeaderMissingException();
    }
    // Parse HTTP header
    final PowerAuthTokenHttpHeader header = new PowerAuthTokenHttpHeader().fromValue(tokenHeader);
    // Validate the header
    try {
        PowerAuthTokenHttpHeaderValidator.validate(header);
    } catch (InvalidPowerAuthHttpHeaderException ex) {
        logger.warn("Token validation failed, error: {}", ex.getMessage());
        logger.debug(ex.getMessage(), ex);
        throw new PowerAuthTokenInvalidException();
    }
    // Prepare authentication object
    final PowerAuthTokenAuthenticationImpl powerAuthTokenAuthentication = new PowerAuthTokenAuthenticationImpl();
    powerAuthTokenAuthentication.setTokenId(header.getTokenId());
    powerAuthTokenAuthentication.setTokenDigest(header.getTokenDigest());
    powerAuthTokenAuthentication.setNonce(header.getNonce());
    powerAuthTokenAuthentication.setTimestamp(header.getTimestamp());
    powerAuthTokenAuthentication.setVersion(header.getVersion());
    powerAuthTokenAuthentication.setHttpHeader(header);
    // Call the authentication based on token authentication object
    final PowerAuthApiAuthentication auth = (PowerAuthApiAuthentication) this.authenticate(powerAuthTokenAuthentication);
    // In case authentication is null, throw PowerAuth exception
    if (auth == null) {
        logger.debug("Invalid token value");
        throw new PowerAuthTokenInvalidException();
    }
    // Check if the signature type is allowed
    final PowerAuthSignatureTypes expectedSignatureType = auth.getAuthenticationContext().getSignatureType();
    if (expectedSignatureType == null || !allowedSignatureTypes.contains(expectedSignatureType)) {
        logger.warn("Invalid signature type in token validation: {}", expectedSignatureType);
        throw new PowerAuthSignatureTypeInvalidException();
    }
    return auth;
}