Search in sources :

Example 1 with JsonWebToken

use of io.hops.hopsworks.jwt.JsonWebToken in project hopsworks by logicalclocks.

the class AuthService method serviceLogin.

@POST
@Path("/service")
@Produces(MediaType.APPLICATION_JSON)
@JWTNotRequired
public Response serviceLogin(@FormParam("email") String email, @FormParam("password") String password, @Context HttpServletRequest request) throws UserException, GeneralSecurityException, SigningKeyNotFoundException, DuplicateSigningKeyException, HopsSecurityException {
    if (Strings.isNullOrEmpty(email)) {
        throw new IllegalArgumentException("Email cannot be null or empty");
    }
    if (Strings.isNullOrEmpty(password)) {
        throw new IllegalArgumentException("Password cannot be null or empty");
    }
    Users user = userFacade.findByEmail(email);
    if (user == null) {
        throw new LoginException("Could not find registered user with email " + email);
    }
    if (!needLogin(request, user)) {
        return Response.ok().build();
    }
    if (!userController.isUserInRole(user, "AGENT")) {
        throw new HopsSecurityException(RESTCodes.SecurityErrorCode.REST_ACCESS_CONTROL, Level.FINE, "Users are not allowed to access this endpoint, use auth/login instead", "User " + user.getUsername() + " tried to login but they don't have AGENT role");
    }
    request.getSession();
    Collection roles = user.getBbcGroupCollection();
    if (roles == null || roles.isEmpty()) {
        throw new UserException(RESTCodes.UserErrorCode.NO_ROLE_FOUND, Level.FINE);
    }
    statusValidator.checkStatus(user.getStatus());
    String saltedPassword = authController.preCustomRealmLoginCheck(user, password, null);
    try {
        request.login(user.getEmail(), saltedPassword);
    } catch (ServletException ex) {
        authController.registerAuthenticationFailure(user);
        throw new UserException(RESTCodes.UserErrorCode.AUTHENTICATION_FAILURE, Level.FINE, null, ex.getMessage(), ex);
    }
    // First generate the one-time tokens for renewal of master token
    String renewalKeyName = jwtController.getServiceOneTimeJWTSigningKeyname(user.getUsername(), request.getRemoteHost());
    LocalDateTime masterExpiration = DateUtils.getNow().plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
    LocalDateTime notBefore = jwtController.computeNotBefore4ServiceRenewalTokens(masterExpiration);
    LocalDateTime expiresAt = notBefore.plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
    List<String> userRoles = userController.getUserRoles(user);
    JsonWebToken renewalJWTSpec = new JsonWebToken();
    renewalJWTSpec.setSubject(user.getUsername());
    renewalJWTSpec.setIssuer(settings.getJWTIssuer());
    renewalJWTSpec.setAudience(JWTHelper.SERVICE_RENEW_JWT_AUDIENCE);
    renewalJWTSpec.setKeyId(renewalKeyName);
    renewalJWTSpec.setNotBefore(DateUtils.localDateTime2Date(notBefore));
    renewalJWTSpec.setExpiresAt(DateUtils.localDateTime2Date(expiresAt));
    Map<String, Object> claims = new HashMap<>(4);
    claims.put(Constants.RENEWABLE, false);
    claims.put(Constants.EXPIRY_LEEWAY, 3600);
    claims.put(Constants.ROLES, userRoles.toArray(new String[1]));
    String[] oneTimeRenewalTokens = jwtController.generateOneTimeTokens4ServiceJWTRenewal(renewalJWTSpec, claims, settings.getJWTSigningKeyName());
    // Then generate the master service token
    try {
        String signingKeyID = jwtController.getSignKeyID(oneTimeRenewalTokens[0]);
        claims.clear();
        // The rest of JWT claims will be added by JWTHelper
        claims.put(Constants.RENEWABLE, false);
        claims.put(Constants.SERVICE_JWT_RENEWAL_KEY_ID, signingKeyID);
        String token = jWTHelper.createToken(user, settings.getJWTIssuer(), claims);
        ServiceJWTDTO renewTokensResponse = new ServiceJWTDTO();
        renewTokensResponse.setRenewTokens(oneTimeRenewalTokens);
        return Response.ok().header(AUTHORIZATION, Constants.BEARER + token).entity(renewTokensResponse).build();
    } catch (Exception ex) {
        jwtController.deleteSigningKey(renewalKeyName);
        throw ex;
    }
}
Also used : LocalDateTime(java.time.LocalDateTime) HashMap(java.util.HashMap) Users(io.hops.hopsworks.persistence.entity.user.Users) JsonWebToken(io.hops.hopsworks.jwt.JsonWebToken) LoginException(javax.security.auth.login.LoginException) ServletException(javax.servlet.ServletException) MessagingException(javax.mail.MessagingException) GeneralSecurityException(java.security.GeneralSecurityException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) DuplicateSigningKeyException(io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException) SigningKeyNotFoundException(io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException) UserException(io.hops.hopsworks.exceptions.UserException) InvalidationException(io.hops.hopsworks.jwt.exception.InvalidationException) HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException) ServletException(javax.servlet.ServletException) LoginException(javax.security.auth.login.LoginException) Collection(java.util.Collection) UserException(io.hops.hopsworks.exceptions.UserException) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces) JWTNotRequired(io.hops.hopsworks.api.filter.JWTNotRequired)

Aggregations

JWTNotRequired (io.hops.hopsworks.api.filter.JWTNotRequired)1 HopsSecurityException (io.hops.hopsworks.exceptions.HopsSecurityException)1 UserException (io.hops.hopsworks.exceptions.UserException)1 JsonWebToken (io.hops.hopsworks.jwt.JsonWebToken)1 DuplicateSigningKeyException (io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException)1 InvalidationException (io.hops.hopsworks.jwt.exception.InvalidationException)1 SigningKeyNotFoundException (io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException)1 Users (io.hops.hopsworks.persistence.entity.user.Users)1 GeneralSecurityException (java.security.GeneralSecurityException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 LocalDateTime (java.time.LocalDateTime)1 Collection (java.util.Collection)1 HashMap (java.util.HashMap)1 MessagingException (javax.mail.MessagingException)1 LoginException (javax.security.auth.login.LoginException)1 ServletException (javax.servlet.ServletException)1 POST (javax.ws.rs.POST)1 Path (javax.ws.rs.Path)1 Produces (javax.ws.rs.Produces)1