use of io.hops.hopsworks.jwt.JsonWebToken in project hopsworks by logicalclocks.
the class AuthService method serviceLogin.
@POST
@Path("/service")
@Produces(MediaType.APPLICATION_JSON)
@JWTNotRequired
public Response serviceLogin(@FormParam("email") String email, @FormParam("password") String password, @Context HttpServletRequest request) throws UserException, GeneralSecurityException, SigningKeyNotFoundException, DuplicateSigningKeyException, HopsSecurityException {
if (Strings.isNullOrEmpty(email)) {
throw new IllegalArgumentException("Email cannot be null or empty");
}
if (Strings.isNullOrEmpty(password)) {
throw new IllegalArgumentException("Password cannot be null or empty");
}
Users user = userFacade.findByEmail(email);
if (user == null) {
throw new LoginException("Could not find registered user with email " + email);
}
if (!needLogin(request, user)) {
return Response.ok().build();
}
if (!userController.isUserInRole(user, "AGENT")) {
throw new HopsSecurityException(RESTCodes.SecurityErrorCode.REST_ACCESS_CONTROL, Level.FINE, "Users are not allowed to access this endpoint, use auth/login instead", "User " + user.getUsername() + " tried to login but they don't have AGENT role");
}
request.getSession();
Collection roles = user.getBbcGroupCollection();
if (roles == null || roles.isEmpty()) {
throw new UserException(RESTCodes.UserErrorCode.NO_ROLE_FOUND, Level.FINE);
}
statusValidator.checkStatus(user.getStatus());
String saltedPassword = authController.preCustomRealmLoginCheck(user, password, null);
try {
request.login(user.getEmail(), saltedPassword);
} catch (ServletException ex) {
authController.registerAuthenticationFailure(user);
throw new UserException(RESTCodes.UserErrorCode.AUTHENTICATION_FAILURE, Level.FINE, null, ex.getMessage(), ex);
}
// First generate the one-time tokens for renewal of master token
String renewalKeyName = jwtController.getServiceOneTimeJWTSigningKeyname(user.getUsername(), request.getRemoteHost());
LocalDateTime masterExpiration = DateUtils.getNow().plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
LocalDateTime notBefore = jwtController.computeNotBefore4ServiceRenewalTokens(masterExpiration);
LocalDateTime expiresAt = notBefore.plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
List<String> userRoles = userController.getUserRoles(user);
JsonWebToken renewalJWTSpec = new JsonWebToken();
renewalJWTSpec.setSubject(user.getUsername());
renewalJWTSpec.setIssuer(settings.getJWTIssuer());
renewalJWTSpec.setAudience(JWTHelper.SERVICE_RENEW_JWT_AUDIENCE);
renewalJWTSpec.setKeyId(renewalKeyName);
renewalJWTSpec.setNotBefore(DateUtils.localDateTime2Date(notBefore));
renewalJWTSpec.setExpiresAt(DateUtils.localDateTime2Date(expiresAt));
Map<String, Object> claims = new HashMap<>(4);
claims.put(Constants.RENEWABLE, false);
claims.put(Constants.EXPIRY_LEEWAY, 3600);
claims.put(Constants.ROLES, userRoles.toArray(new String[1]));
String[] oneTimeRenewalTokens = jwtController.generateOneTimeTokens4ServiceJWTRenewal(renewalJWTSpec, claims, settings.getJWTSigningKeyName());
// Then generate the master service token
try {
String signingKeyID = jwtController.getSignKeyID(oneTimeRenewalTokens[0]);
claims.clear();
// The rest of JWT claims will be added by JWTHelper
claims.put(Constants.RENEWABLE, false);
claims.put(Constants.SERVICE_JWT_RENEWAL_KEY_ID, signingKeyID);
String token = jWTHelper.createToken(user, settings.getJWTIssuer(), claims);
ServiceJWTDTO renewTokensResponse = new ServiceJWTDTO();
renewTokensResponse.setRenewTokens(oneTimeRenewalTokens);
return Response.ok().header(AUTHORIZATION, Constants.BEARER + token).entity(renewTokensResponse).build();
} catch (Exception ex) {
jwtController.deleteSigningKey(renewalKeyName);
throw ex;
}
}
Aggregations