
Example 1 with VerificationException

use of io.hops.hopsworks.jwt.exception.VerificationException in project hopsworks by logicalclocks.

the class JWTController method verifyToken.

/**
 * Verifies a token, then applies the invalidation, role and audience checks.
 *
 * <p>The issuer, expiry leeway and signing algorithm are read from the token as decoded
 * <em>before</em> verification. The delegated four-argument {@code verifyToken} call then does
 * the actual verification.
 *
 * <p>NOTE(review): when {@code issuer} is null or empty, the expected issuer is copied from the
 * token itself, so the issuer comparison cannot reject anything. Trust then rests on the key
 * chosen by {@code algorithmFactory} (not shown here). Callers that need to pin an issuer
 * should pass it explicitly.
 *
 * <p>NOTE(review): {@code JWT.decode} runs outside any try/catch, so a malformed token
 * presumably surfaces as the library's own unchecked decode exception rather than as a
 * {@link VerificationException} — confirm that callers handle both.
 *
 * @param token serialized JWT to verify
 * @param issuer expected issuer; null or empty means "use the issuer claimed by the token"
 * @param audiences accepted audiences; null or empty skips the audience check
 * @param roles accepted roles; null or empty skips the role check
 * @return the token as returned by the verifier
 * @throws SigningKeyNotFoundException declared here; presumably raised while resolving the
 *                                     signing algorithm — confirm against algorithmFactory
 * @throws VerificationException if verification fails or the token has been invalidated
 * @throws AccessLocalException (unchecked, not in the throws clause) if the role or audience
 *                              check rejects the token
 */
public DecodedJWT verifyToken(String token, String issuer, Set<String> audiences, Set<String> roles) throws SigningKeyNotFoundException, VerificationException {
    // Pre-verification view of the token. Its roles and audiences are only consulted after the
    // verification call below has accepted the same token string.
    JsonWebToken claims = new JsonWebToken(JWT.decode(token));
    if (issuer == null || issuer.isEmpty()) {
        issuer = claims.getIssuer();
    }

    DecodedJWT verified = verifyToken(token, issuer, claims.getExpLeeway(), algorithmFactory.getAlgorithm(claims));
    if (isTokenInvalidated(verified)) {
        throw new VerificationException("Invalidated token.");
    }

    // Role restriction applies only when the caller supplied a non-empty set.
    Set<String> tokenRoles = new HashSet<>(claims.getRole());
    boolean rolesRequired = roles != null && !roles.isEmpty();
    if (rolesRequired && !intersect(roles, tokenRoles)) {
        throw new AccessLocalException("Client not authorized for this invocation.");
    }

    // Audience restriction follows the same opt-in rule as roles.
    Set<String> tokenAudiences = new HashSet<>(claims.getAudience());
    boolean audiencesRequired = audiences != null && !audiences.isEmpty();
    if (audiencesRequired && !intersect(audiences, tokenAudiences)) {
        throw new AccessLocalException("Token not issued for this recipient.");
    }

    return verified;
}
Also used : VerificationException(io.hops.hopsworks.jwt.exception.VerificationException) AccessLocalException(javax.ejb.AccessLocalException) DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT) HashSet(java.util.HashSet)

Example 2 with VerificationException

use of io.hops.hopsworks.jwt.exception.VerificationException in project hopsworks by logicalclocks.

the class JWTController method verifyToken.

/**
 * Builds a verifier for the given algorithm, issuer and expiry leeway and runs it on the token.
 *
 * <p>NOTE(review): every exception from the verifier is caught and re-thrown carrying only its
 * message, so the original exception type and stack trace are lost. If
 * {@code VerificationException} has a constructor that takes a cause, passing {@code e} would
 * keep that detail for server-side logs — confirm against the exception class.
 *
 * <p>NOTE(review): {@code issuer} may be null here when neither the caller nor the token
 * supplied one. How {@code withIssuer} treats a null value depends on the library version —
 * confirm that the issuer check is not silently dropped.
 *
 * @param token serialized JWT to verify
 * @param issuer issuer the verifier is configured to require
 * @param expLeeway leeway handed to {@code acceptExpiresAt}
 * @param algorithm algorithm the verifier is built with
 * @return the token as returned by the verifier
 * @throws VerificationException if building the verifier or verifying the token throws
 */
private DecodedJWT verifyToken(String token, String issuer, int expLeeway, Algorithm algorithm) throws VerificationException {
    try {
        return JWT.require(algorithm)
            .withIssuer(issuer)
            .acceptExpiresAt(expLeeway)
            .build()
            .verify(token);
    } catch (Exception e) {
        throw new VerificationException(e.getMessage());
    }
}
Also used : VerificationException(io.hops.hopsworks.jwt.exception.VerificationException) DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT) JWTVerifier(com.auth0.jwt.JWTVerifier) NotRenewableException(io.hops.hopsworks.jwt.exception.NotRenewableException) DuplicateSigningKeyException(io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException) AccessLocalException(javax.ejb.AccessLocalException) SigningKeyNotFoundException(io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException) JWTException(io.hops.hopsworks.jwt.exception.JWTException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) VerificationException(io.hops.hopsworks.jwt.exception.VerificationException) InvalidationException(io.hops.hopsworks.jwt.exception.InvalidationException)

Example 3 with VerificationException

use of io.hops.hopsworks.jwt.exception.VerificationException in project hopsworks by logicalclocks.

the class JWTController method verifyToken.

/**
 * Verifies a token and rejects it if it has been invalidated.
 *
 * <p>The issuer fallback, expiry leeway and signing algorithm are read from the token as
 * decoded before verification. The delegated four-argument {@code verifyToken} call does the
 * actual verification. No role or audience check is made in this overload.
 *
 * <p>NOTE(review): with a null or empty {@code issuer}, the expected issuer is the one the
 * token claims for itself, so the issuer comparison cannot reject anything. Pass an explicit
 * issuer where it must be pinned.
 *
 * <p>NOTE(review): {@code JWT.decode} runs outside any try/catch, so a malformed token
 * presumably surfaces as the library's own unchecked decode exception rather than as a
 * {@link VerificationException} — confirm that callers handle both.
 *
 * @param token serialized JWT to verify
 * @param issuer expected issuer; null or empty means "use the issuer claimed by the token"
 * @return the token as returned by the verifier
 * @throws SigningKeyNotFoundException declared here; presumably raised while resolving the
 *                                     signing algorithm — confirm against algorithmFactory
 * @throws VerificationException if verification fails or the token has been invalidated
 */
public DecodedJWT verifyToken(String token, String issuer) throws SigningKeyNotFoundException, VerificationException {
    // Decoded but not yet verified: used only to derive the verification parameters.
    DecodedJWT unverified = JWT.decode(token);
    if (issuer == null || issuer.isEmpty()) {
        issuer = unverified.getIssuer();
    }
    int leeway = getExpLeewayClaim(unverified);

    DecodedJWT verified = verifyToken(token, issuer, leeway, algorithmFactory.getAlgorithm(unverified));
    if (isTokenInvalidated(verified)) {
        throw new VerificationException("Invalidated token.");
    }
    return verified;
}
Also used : VerificationException(io.hops.hopsworks.jwt.exception.VerificationException) DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT)

Example 4 with VerificationException

use of io.hops.hopsworks.jwt.exception.VerificationException in project hopsworks by logicalclocks.

the class JWTHelper method renewServiceToken.

/**
 * Renews a master service JWT using a one-time renewal token and returns the renewed token
 * together with the fresh one-time tokens produced by the controller.
 *
 * <p>This method only rejects a missing renewal token and a missing user. The renewal itself,
 * including any validation of the one-time token, is delegated to
 * {@code jwtController.renewServiceToken} (not shown here).
 *
 * @param token2renew Service JWT to renew. Its expiry and not-before values are reused when
 *                    present. Otherwise expiry is now plus the configured service JWT lifetime
 *                    and not-before is now.
 * @param oneTimeRenewalToken One-time token associated with the master token to be renewed;
 *                            must not be null or empty
 * @param user Logged in user; must not be null
 * @param remoteHostname Hostname of the machine the service runs on
 * @return Renewed master service JWT and the one-time tokens used to renew it next time
 * @throws JWTException declared here; the two argument checks throw it as
 *                      {@code VerificationException}
 * @throws NoSuchAlgorithmException declared here; presumably propagated from the controller
 */
public ServiceJWTDTO renewServiceToken(JsonWebTokenDTO token2renew, String oneTimeRenewalToken, Users user, String remoteHostname) throws JWTException, NoSuchAlgorithmException {
    if (Strings.isNullOrEmpty(oneTimeRenewalToken)) {
        throw new VerificationException("Service renewal token cannot be null or empty");
    }
    if (user == null) {
        // The renewal token is decoded only so that its ID can be reported in the error.
        // NOTE(review): whether decodeToken verifies the token is not visible here. Treat the
        // ID in this message as unauthenticated.
        String tokenId = jwtController.decodeToken(oneTimeRenewalToken).getId();
        throw new VerificationException("Could not find user associated with JWT with ID: " + tokenId);
    }

    LocalDateTime now = DateUtils.getNow();

    // Keep the validity window requested in the DTO and fall back to defaults otherwise.
    Date expiresAt;
    if (token2renew.getExpiresAt() != null) {
        expiresAt = token2renew.getExpiresAt();
    } else {
        expiresAt = DateUtils.localDateTime2Date(now.plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS));
    }
    Date notBefore;
    if (token2renew.getNbf() != null) {
        notBefore = token2renew.getNbf();
    } else {
        notBefore = DateUtils.localDateTime2Date(now);
    }

    List<String> userRoles = userController.getUserRoles(user);
    Pair<String, String[]> renewedTokens = jwtController.renewServiceToken(
        oneTimeRenewalToken,
        token2renew.getToken(),
        expiresAt,
        notBefore,
        settings.getServiceJWTLifetimeMS(),
        user.getUsername(),
        userRoles,
        SERVICE_RENEW_JWT_AUDIENCE,
        remoteHostname,
        settings.getJWTIssuer(),
        settings.getJWTSigningKeyName(),
        false);

    // Left element: the renewed master token; right element: the new one-time tokens.
    String renewedMasterToken = renewedTokens.getLeft();
    int expLeeway = jwtController.getExpLeewayClaim(jwtController.decodeToken(renewedMasterToken));
    JWTResponseDTO renewedServiceToken = new JWTResponseDTO(renewedMasterToken, expiresAt, notBefore, expLeeway);
    return new ServiceJWTDTO(renewedServiceToken, renewedTokens.getRight());
}
Also used : LocalDateTime(java.time.LocalDateTime) VerificationException(io.hops.hopsworks.jwt.exception.VerificationException) ServiceJWTDTO(io.hops.hopsworks.api.user.ServiceJWTDTO) DecodedJWT(com.auth0.jwt.interfaces.DecodedJWT) Date(java.util.Date)

Aggregations

DecodedJWT (com.auth0.jwt.interfaces.DecodedJWT)4 VerificationException (io.hops.hopsworks.jwt.exception.VerificationException)4 AccessLocalException (javax.ejb.AccessLocalException)2 JWTVerifier (com.auth0.jwt.JWTVerifier)1 ServiceJWTDTO (io.hops.hopsworks.api.user.ServiceJWTDTO)1 DuplicateSigningKeyException (io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException)1 InvalidationException (io.hops.hopsworks.jwt.exception.InvalidationException)1 JWTException (io.hops.hopsworks.jwt.exception.JWTException)1 NotRenewableException (io.hops.hopsworks.jwt.exception.NotRenewableException)1 SigningKeyNotFoundException (io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 LocalDateTime (java.time.LocalDateTime)1 Date (java.util.Date)1 HashSet (java.util.HashSet)1