Examples with UserSubject org.apache.cxf.rs.security.oauth2.common.UserSubject used on opensource projects

Example 26 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project meecrowave by apache.

the class OAuth2Configurer method preCompute.

// TODO: still some missing configuration for jwt etc to add/wire from OAuth2Options
@PostConstruct
private void preCompute() {
    configuration = builder.getExtension(OAuth2Options.class);
    AbstractOAuthDataProvider provider;
    switch(configuration.getProvider().toLowerCase(ENGLISH)) {
        case "jpa":
            {
                if (!configuration.isAuthorizationCodeSupport()) {
                    // else use code impl
                    final JPAOAuthDataProvider jpaProvider = new JPAOAuthDataProvider();
                    jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
                    provider = jpaProvider;
                    break;
                }
            }
        case "jpa-code":
            {
                final JPACodeDataProvider jpaProvider = new JPACodeDataProvider();
                jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
                provider = jpaProvider;
                break;
            }
        case "jcache":
            if (!configuration.isAuthorizationCodeSupport()) {
                // else use code impl
                jCacheConfigurer.doSetup(configuration);
                try {
                    provider = new JCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus, configuration.isJcacheStoreJwtKeyOnly());
                } catch (final Exception e) {
                    throw new IllegalStateException(e);
                }
                break;
            }
        case "jcache-code":
            jCacheConfigurer.doSetup(configuration);
            try {
                provider = new JCacheCodeDataProvider(configuration, bus);
            } catch (final Exception e) {
                throw new IllegalStateException(e);
            }
            break;
        case // not sure it makes sense since we have jcache but this one is cheap to support
        "ehcache":
            provider = new DefaultEHCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus);
            break;
        case "encrypted":
            if (!configuration.isAuthorizationCodeSupport()) {
                // else use code impl
                provider = new DefaultEncryptingOAuthDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo()));
                break;
            }
        case "encrypted-code":
            provider = new DefaultEncryptingCodeDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo()));
            break;
        default:
            throw new IllegalArgumentException("Unsupported oauth2 provider: " + configuration.getProvider());
    }
    final RefreshTokenGrantHandler refreshTokenGrantHandler = new RefreshTokenGrantHandler();
    refreshTokenGrantHandler.setDataProvider(provider);
    refreshTokenGrantHandler.setUseAllClientScopes(configuration.isUseAllClientScopes());
    refreshTokenGrantHandler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
    final ResourceOwnerLoginHandler loginHandler = configuration.isJaas() ? new JAASResourceOwnerLoginHandler() : (client, name, password) -> {
        try {
            request.login(name, password);
            try {
                final Principal pcp = request.getUserPrincipal();
                final List<String> roles = GenericPrincipal.class.isInstance(pcp) ? new ArrayList<>(asList(GenericPrincipal.class.cast(pcp).getRoles())) : Collections.<String>emptyList();
                final UserSubject userSubject = new UserSubject(name, roles);
                userSubject.setAuthenticationMethod(PASSWORD);
                return userSubject;
            } finally {
                request.logout();
            }
        } catch (final ServletException e) {
            throw new AuthenticationException(e.getMessage());
        }
    };
    final List<AccessTokenGrantHandler> handlers = new ArrayList<>();
    handlers.add(refreshTokenGrantHandler);
    handlers.add(new ClientCredentialsGrantHandler());
    handlers.add(new ResourceOwnerGrantHandler() {

        {
            setLoginHandler(loginHandler);
        }
    });
    handlers.add(new AuthorizationCodeGrantHandler());
    handlers.add(new JwtBearerGrantHandler());
    provider.setUseJwtFormatForAccessTokens(configuration.isUseJwtFormatForAccessTokens());
    provider.setAccessTokenLifetime(configuration.getAccessTokenLifetime());
    provider.setRefreshTokenLifetime(configuration.getRefreshTokenLifetime());
    provider.setRecycleRefreshTokens(configuration.isRecycleRefreshTokens());
    provider.setSupportPreauthorizedTokens(configuration.isSupportPreauthorizedTokens());
    ofNullable(configuration.getRequiredScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setRequiredScopes);
    ofNullable(configuration.getDefaultScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setDefaultScopes);
    ofNullable(configuration.getInvisibleToClientScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setInvisibleToClientScopes);
    ofNullable(configuration.getJwtAccessTokenClaimMap()).map(s -> new Properties() {

        {
            try {
                load(new StringReader(s));
            } catch (IOException e) {
                throw new IllegalArgumentException("Bad claim map configuration, use properties syntax");
            }
        }
    }).ifPresent(m -> provider.setJwtAccessTokenClaimMap(new HashMap<>(Map.class.cast(m))));
    final OAuthDataProvider dataProvider;
    if (configuration.isRefreshToken()) {
        dataProvider = new RefreshTokenEnabledProvider(provider);
        if (provider.getInvisibleToClientScopes() == null) {
            provider.setInvisibleToClientScopes(new ArrayList<>());
        }
        provider.getInvisibleToClientScopes().add(OAuthConstants.REFRESH_TOKEN_SCOPE);
    } else {
        dataProvider = provider;
    }
    handlers.stream().filter(AbstractGrantHandler.class::isInstance).forEach(h -> {
        final AbstractGrantHandler handler = AbstractGrantHandler.class.cast(h);
        handler.setDataProvider(dataProvider);
        handler.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
        handler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
    });
    abstractTokenServiceConsumer = s -> {
        // this is used @RequestScoped so ensure it is not slow for no reason
        s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
        s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
        s.setWriteCustomErrors(configuration.isWriteCustomErrors());
        s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
        s.setDataProvider(dataProvider);
    };
    tokenServiceConsumer = s -> {
        // this is used @RequestScoped so ensure it is not slow for no reason
        abstractTokenServiceConsumer.accept(s);
        s.setGrantHandlers(handlers);
    };
    final List<String> noConsentScopes = ofNullable(configuration.getScopesRequiringNoConsent()).map(s -> asList(s.split(","))).orElse(null);
    // we prefix them oauth2.cxf. but otherwise it is the plain cxf config
    final Map<String, String> contextualProperties = ofNullable(builder.getProperties()).map(Properties::stringPropertyNames).orElse(emptySet()).stream().filter(s -> s.startsWith("oauth2.cxf.rs.security.")).collect(toMap(s -> s.substring("oauth2.cxf.".length()), s -> builder.getProperties().getProperty(s)));
    final JoseSessionTokenProvider sessionAuthenticityTokenProvider = new JoseSessionTokenProvider() {

        private int maxDefaultSessionInterval;

        private boolean jweRequired;

        private JweEncryptionProvider jweEncryptor;

        // workaround a NPE of 3.2.0 - https://issues.apache.org/jira/browse/CXF-7504
        @Override
        public String createSessionToken(final MessageContext mc, final MultivaluedMap<String, String> params, final UserSubject subject, final OAuthRedirectionState secData) {
            String stateString = convertStateToString(secData);
            final JwsSignatureProvider jws = getInitializedSigProvider();
            final JweEncryptionProvider jwe = jweEncryptor == null ? JweUtils.loadEncryptionProvider(new JweHeaders(), jweRequired) : jweEncryptor;
            if (jws == null && jwe == null) {
                throw new OAuthServiceException("Session token can not be created");
            }
            if (jws != null) {
                stateString = JwsUtils.sign(jws, stateString, null);
            }
            if (jwe != null) {
                stateString = jwe.encrypt(StringUtils.toBytesUTF8(stateString), null);
            }
            return OAuthUtils.setSessionToken(mc, stateString, maxDefaultSessionInterval);
        }

        public void setJweEncryptor(final JweEncryptionProvider jweEncryptor) {
            super.setJweEncryptor(jweEncryptor);
            this.jweEncryptor = jweEncryptor;
        }

        @Override
        public void setJweRequired(final boolean jweRequired) {
            super.setJweRequired(jweRequired);
            this.jweRequired = jweRequired;
        }

        @Override
        public void setMaxDefaultSessionInterval(final int maxDefaultSessionInterval) {
            super.setMaxDefaultSessionInterval(maxDefaultSessionInterval);
            this.maxDefaultSessionInterval = maxDefaultSessionInterval;
        }
    };
    sessionAuthenticityTokenProvider.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
    // TODO: other configs
    redirectionBasedGrantServiceConsumer = s -> {
        s.setDataProvider(dataProvider);
        s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
        s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
        s.setUseAllClientScopes(configuration.isUseAllClientScopes());
        s.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
        s.setUseRegisteredRedirectUriIfPossible(configuration.isUseRegisteredRedirectUriIfPossible());
        s.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
        s.setMatchRedirectUriWithApplicationUri(configuration.isMatchRedirectUriWithApplicationUri());
        s.setScopesRequiringNoConsent(noConsentScopes);
        s.setSessionAuthenticityTokenProvider(sessionAuthenticityTokenProvider);
        // TODO: make it even more contextual, client based?
        final Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        contextualProperties.forEach(currentMessage::put);
    };
}

Example 27 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class Saml2BearerGrantHandler method createAccessToken.

public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
    String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
    if (assertion == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    try {
        InputStream tokenStream = decodeAssertion(assertion);
        Element token = readToken(tokenStream);
        SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(token);
        Message message = PhaseInterceptorChain.getCurrentMessage();
        validateToken(message, assertionWrapper);
        UserSubject grantSubject = getGrantSubject(message, assertionWrapper);
        return doCreateAccessToken(client, grantSubject, Constants.SAML2_BEARER_GRANT, OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
    } catch (OAuthServiceException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}

Example 28 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class Saml2BearerGrantHandler method getGrantSubject.

protected UserSubject getGrantSubject(Message message, SamlAssertionWrapper wrapper) {
    SecurityContext sc = scProvider.getSecurityContext(message, wrapper);
    if (sc instanceof SAMLSecurityContext) {
        SAMLSecurityContext jaxrsSc = (SAMLSecurityContext) sc;
        Set<Principal> rolesP = jaxrsSc.getUserRoles();
        List<String> roles = new ArrayList<>();
        if (roles != null) {
            for (Principal p : rolesP) {
                roles.add(p.getName());
            }
        }
        return new SamlUserSubject(jaxrsSc.getUserPrincipal().getName(), roles, jaxrsSc.getClaims());
    }
    return new UserSubject(sc.getUserPrincipal().getName());
}

Example 29 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class JwtAccessTokenValidator method convertClaimsToValidation.

private AccessTokenValidation convertClaimsToValidation(JwtClaims claims) {
    AccessTokenValidation atv = new AccessTokenValidation();
    atv.setInitialValidationSuccessful(true);
    String clientId = claims.getStringProperty(OAuthConstants.CLIENT_ID);
    if (clientId != null) {
        atv.setClientId(clientId);
    }
    if (claims.getIssuedAt() != null) {
        atv.setTokenIssuedAt(claims.getIssuedAt());
    } else {
        Instant now = Instant.now();
        atv.setTokenIssuedAt(now.toEpochMilli());
    }
    if (claims.getExpiryTime() != null) {
        atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt());
    }
    List<String> audiences = claims.getAudiences();
    if (audiences != null && !audiences.isEmpty()) {
        atv.setAudiences(claims.getAudiences());
    }
    if (claims.getIssuer() != null) {
        atv.setTokenIssuer(claims.getIssuer());
    }
    Object scope = claims.getClaim(OAuthConstants.SCOPE);
    if (scope != null) {
        String[] scopes = scope instanceof String ? scope.toString().split(" ") : CastUtils.cast((List<?>) scope).toArray(new String[] {});
        List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
        for (String s : scopes) {
            if (!StringUtils.isEmpty(s)) {
                perms.add(new OAuthPermission(s.trim()));
            }
        }
        atv.setTokenScopes(perms);
    }
    String usernameClaimName = JwtTokenUtils.getClaimName(USERNAME_PROP, USERNAME_PROP, jwtAccessTokenClaimMap);
    String username = claims.getStringProperty(usernameClaimName);
    if (username != null) {
        UserSubject userSubject = new UserSubject(username);
        if (claims.getSubject() != null) {
            userSubject.setId(claims.getSubject());
        }
        atv.setTokenSubject(userSubject);
    } else if (claims.getSubject() != null) {
        atv.setTokenSubject(new UserSubject(claims.getSubject()));
    }
    Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>) claims.getClaim("extra_properties"));
    if (extraProperties != null) {
        atv.getExtraProps().putAll(extraProperties);
    }
    Map<String, Object> cnfClaim = CastUtils.cast((Map<?, ?>) claims.getClaim(JwtConstants.CLAIM_CONFIRMATION));
    if (cnfClaim != null) {
        Object certCnf = cnfClaim.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
        if (certCnf != null) {
            atv.getExtraProps().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf.toString());
        }
    }
    return atv;
}

Example 30 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class JCacheOAuthDataProviderTest method testAddGetDeleteClients.

@Test
public void testAddGetDeleteClients() {
    Client c = addClient("12345", "alice");
    Client c2 = addClient("56789", "alice");
    Client c3 = addClient("09876", "bob");
    List<Client> aliceClients = provider.getClients(new UserSubject("alice"));
    assertNotNull(aliceClients);
    assertEquals(2, aliceClients.size());
    compareClients(c, aliceClients.get(0).getClientId().equals("12345") ? aliceClients.get(0) : aliceClients.get(1));
    compareClients(c2, aliceClients.get(0).getClientId().equals("56789") ? aliceClients.get(0) : aliceClients.get(1));
    List<Client> bobClients = provider.getClients(new UserSubject("bob"));
    assertNotNull(bobClients);
    assertEquals(1, bobClients.size());
    Client bobClient = bobClients.get(0);
    compareClients(c3, bobClient);
    List<Client> allClients = provider.getClients(null);
    assertNotNull(allClients);
    assertEquals(3, allClients.size());
    provider.removeClient(c.getClientId());
    provider.removeClient(c2.getClientId());
    provider.removeClient(c3.getClientId());
    allClients = provider.getClients(null);
    assertNotNull(allClients);
    assertEquals(0, allClients.size());
}