BearerAuthenticationHandler.java 25.5 KB

Edit Raw Blame History Permalink

/*
 * Decompiled with CFR 0_118.
 *
 * Could not load the following classes:
 *  com.adobe.granite.crypto.CryptoSupport
 *  com.adobe.granite.security.user.UserProperties
 *  com.adobe.granite.security.user.UserPropertiesManager
 *  javax.jcr.Session
 *  javax.servlet.http.HttpServletRequest
 *  javax.servlet.http.HttpServletResponse
 *  org.apache.commons.io.IOUtils
 *  org.apache.felix.scr.annotations.Activate
 *  org.apache.felix.scr.annotations.Component
 *  org.apache.felix.scr.annotations.ConfigurationPolicy
 *  org.apache.felix.scr.annotations.Deactivate
 *  org.apache.felix.scr.annotations.Properties
 *  org.apache.felix.scr.annotations.Property
 *  org.apache.felix.scr.annotations.PropertyUnbounded
 *  org.apache.felix.scr.annotations.Reference
 *  org.apache.felix.scr.annotations.ReferenceCardinality
 *  org.apache.felix.scr.annotations.ReferencePolicy
 *  org.apache.felix.scr.annotations.Service
 *  org.apache.http.HttpEntity
 *  org.apache.http.HttpResponse
 *  org.apache.http.StatusLine
 *  org.apache.http.client.ClientProtocolException
 *  org.apache.http.client.HttpClient
 *  org.apache.http.client.methods.HttpGet
 *  org.apache.http.client.methods.HttpUriRequest
 *  org.apache.http.client.utils.HttpClientUtils
 *  org.apache.http.conn.HttpClientConnectionManager
 *  org.apache.http.impl.client.CloseableHttpClient
 *  org.apache.http.impl.client.HttpClientBuilder
 *  org.apache.http.impl.client.HttpClients
 *  org.apache.http.impl.conn.PoolingHttpClientConnectionManager
 *  org.apache.jackrabbit.api.JackrabbitSession
 *  org.apache.jackrabbit.api.security.user.Authorizable
 *  org.apache.jackrabbit.api.security.user.User
 *  org.apache.jackrabbit.api.security.user.UserManager
 *  org.apache.sling.api.resource.ResourceResolver
 *  org.apache.sling.api.resource.ResourceResolverFactory
 *  org.apache.sling.auth.core.spi.AuthenticationHandler
 *  org.apache.sling.auth.core.spi.AuthenticationInfo
 *  org.apache.sling.commons.osgi.OsgiUtil
 *  org.apache.sling.jcr.api.SlingRepository
 *  org.apache.sling.settings.SlingSettingsService
 *  org.osgi.framework.BundleContext
 *  org.scribe.model.Token
 *  org.slf4j.Logger
 *  org.slf4j.LoggerFactory
 */
package com.adobe.granite.auth.oauth.impl;

import com.adobe.granite.auth.oauth.HandlerRedirect;
import com.adobe.granite.auth.oauth.OAuthManager;
import com.adobe.granite.auth.oauth.Provider;
import com.adobe.granite.auth.oauth.impl.helper.OAuthHelper;
import com.adobe.granite.auth.oauth.impl.helper.OAuthUser;
import com.adobe.granite.auth.oauth.impl.helper.ProviderConfig;
import com.adobe.granite.auth.oauth.impl.helper.ProviderConfigManager;
import com.adobe.granite.auth.oauth.impl.helper.RequestHelper;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.security.user.UserProperties;
import com.adobe.granite.security.user.UserPropertiesManager;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.utils.HttpClientUtils;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.framework.BundleContext;
import org.scribe.model.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/*
 * This class specifies class file version 49.0 but uses Java 6 signatures.  Assumed Java 6.
 */
@Component(metatype=1, policy=ConfigurationPolicy.REQUIRE, label="%auth.bearer.name", description="%auth.bearer.description")
@Service
@Properties(value={@Property(name="service.ranking", intValue={100000}), @Property(name="path", value={"/"}), @Property(name="oauth.clientIds.allowed", unbounded=PropertyUnbounded.ARRAY)})
public class BearerAuthenticationHandler
implements AuthenticationHandler {
    private final Logger log;
    protected static final String ALLOWED_CLIENT_IDS = "oauth.clientIds.allowed";
    private static final String TOKEN_REQUEST_PARAMETER_NAME = "auth.tokenRequestParameter";
    private static final String REDIRECT_KEY = "redirect";
    private static final boolean DEFAULT_SYNC_USER_PROFILE_WITH_IMS = true;
    @Property(boolValue={1})
    private static final String SYNC_USER_PROFILE_WITH_IMS = "auth.bearer.sync.ims";
    private static final String ACCESS_TOKEN_TYPE = "access_token";
    @Property(name="auth.tokenRequestParameter")
    private static final String TOKEN_REQUEST_PARAMETER_DEFAULT = "";
    @Property(value={"configid"})
    protected static final String CONFIGID_PARAMETER_NAME = "oauth.bearer.configid";
    private static final boolean DEFAULT_JWT_SUPPORT = false;
    @Property(boolValue={0})
    private static final String JWT_SUPPORT = "oauth.jwt.support";
    private static final int MAX_HTTP_CONNECTIONS = 100;
    @Reference
    private SlingRepository repository;
    @Reference
    private SlingSettingsService settings;
    @Reference
    private ProviderConfigManager providerConfigManager;
    @Reference
    private OAuthManager oauthManager;
    @Reference
    private ResourceResolverFactory resolverFactory;
    @Reference
    private CryptoSupport cryptoSupport;
    @Reference(policy=ReferencePolicy.DYNAMIC, cardinality=ReferenceCardinality.OPTIONAL_UNARY)
    private volatile HandlerRedirect handlerRedirect;
    private String repositoryId;
    private String requestParameterName;
    private String[] allowedClientIds;
    private PoolingHttpClientConnectionManager connectionManager;
    private HttpClient httpClient;
    private boolean syncWithIms;
    private boolean jwtSupport;
    private String configIdParameterName;
    private Set<String> allowedClients;
    private ExecutorService executorService;

    public BearerAuthenticationHandler() {
        this.log = LoggerFactory.getLogger(this.getClass());
    }

    /*
     * Exception decompiling
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        // This method has failed to decompile.  When submitting a bug report, please provide this stack trace, and (if you hold appropriate legal rights) the relevant class file.
        // org.benf.cfr.reader.util.ConfusedCFRException: Tried to end blocks [0[TRYBLOCK]], but top level block is 13[CATCHBLOCK]
        // org.benf.cfr.reader.bytecode.analysis.opgraph.Op04StructuredStatement.processEndingBlocks(Op04StructuredStatement.java:397)
        // org.benf.cfr.reader.bytecode.analysis.opgraph.Op04StructuredStatement.buildNestedBlocks(Op04StructuredStatement.java:449)
        // org.benf.cfr.reader.bytecode.analysis.opgraph.Op03SimpleStatement.createInitialStructuredBlock(Op03SimpleStatement.java:2877)
        // org.benf.cfr.reader.bytecode.CodeAnalyser.getAnalysisInner(CodeAnalyser.java:825)
        // org.benf.cfr.reader.bytecode.CodeAnalyser.getAnalysisOrWrapFail(CodeAnalyser.java:217)
        // org.benf.cfr.reader.bytecode.CodeAnalyser.getAnalysis(CodeAnalyser.java:162)
        // org.benf.cfr.reader.entities.attributes.AttributeCode.analyse(AttributeCode.java:95)
        // org.benf.cfr.reader.entities.Method.analyse(Method.java:355)
        // org.benf.cfr.reader.entities.ClassFile.analyseMid(ClassFile.java:768)
        // org.benf.cfr.reader.entities.ClassFile.analyseTop(ClassFile.java:700)
        // org.benf.cfr.reader.Main.doJar(Main.java:134)
        // org.benf.cfr.reader.Main.main(Main.java:189)
        throw new IllegalStateException("Decompilation failed");
    }

    private String[] validateTokenAndGetUserId(HttpServletRequest request, String accessToken, OAuthHelper oauthHelper, Provider provider) {
        if (provider != null && oauthHelper != null) {
            String[] clientIds;
            if (this.jwtSupport) {
                this.log.debug("validateTokenAndGetUserId: Use JWT (JSON Web Token) standard for validation (if available)");
                String clientId = oauthHelper.getClientIdFromAccessToken(accessToken);
                if (clientId != null) {
                    if (!this.allowedClients.contains(clientId)) {
                        this.log.debug("validateTokenAndGetUserId:  the client id contained in the claims set is not white listed");
                        return null;
                    }
                    clientIds = new String[]{clientId};
                } else {
                    this.log.debug("validateTokenAndGetUserId: fall back to the configured allowed clientIds list");
                    clientIds = this.allowedClientIds;
                }
            } else {
                this.log.debug("validateTokenAndGetUserId: Dooes not use JWT (JSON Web Token) standard for validation");
                clientIds = this.allowedClientIds;
            }
            for (String clientId : clientIds) {
                String validateTokenUrl = provider.getValidateTokenUrl(clientId, accessToken);
                this.log.debug("createCredentials: obtained validate token url {}", (Object)validateTokenUrl);
                if (validateTokenUrl != null && !"".equals(validateTokenUrl)) {
                    String userId = this.validateTokenAndGetUserId(provider, validateTokenUrl, clientId);
                    if (userId != null) {
                        return new String[]{userId, clientId};
                    }
                    this.log.debug("createCredentials: invalid token, no valid user found");
                    continue;
                }
                this.log.error("createCredentials: validate token url for provider {} is null", (Object)provider);
            }
        } else {
            this.log.error("createCredentials: invalid config: helper is {} provider is {} ", (Object)oauthHelper, (Object)provider);
        }
        return null;
    }

    /*
     * WARNING - Removed try catching itself - possible behaviour change.
     */
    private String validateTokenAndGetUserId(Provider provider, String validateTokenUrl, String clientId) {
        String userId;
        block10 : {
            userId = null;
            HttpGet getMethod = new HttpGet(validateTokenUrl);
            InputStream is = null;
            HttpResponse response = null;
            try {
                response = this.httpClient.execute((HttpUriRequest)getMethod);
                int responseStatus = response.getStatusLine().getStatusCode();
                is = response.getEntity().getContent();
                String responseBody = IOUtils.toString((InputStream)is);
                if (responseStatus == 200) {
                    boolean validToken = provider.isValidToken(responseBody, clientId, "access_token");
                    if (validToken) {
                        userId = provider.getUserIdFromValidateTokenResponseBody(responseBody);
                    } else {
                        this.log.debug("validateTokenAndGetUserId: the provided token is invalid");
                    }
                    break block10;
                }
                this.log.debug("validateTokenAndGetUserId: bad request to validation url, failed with error {}", (Object)provider.getErrorDescriptionFromValidateTokenResponseBody(responseBody));
            }
            catch (ClientProtocolException e) {
                this.log.error("validateTokenAndGetUserId: Failed to connect to validate token url", (Throwable)e);
            }
            catch (IOException e) {
                this.log.error("validateTokenAndGetUserId: Failed to connect to validate token url", (Throwable)e);
            }
            finally {
                HttpClientUtils.closeQuietly((HttpResponse)response);
                getMethod.releaseConnection();
                IOUtils.closeQuietly((InputStream)is);
            }
        }
        return userId;
    }

    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        return false;
    }

    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
    }

    @Activate
    private void activate(BundleContext context, Map<String, Object> config) {
        this.repositoryId = RequestHelper.getRepositoryId(this.repository, this.settings);
        this.log.info("activate: Supporting tokens bound to Repository (Cluster) {}", (Object)this.repositoryId);
        this.requestParameterName = OsgiUtil.toString((Object)config.get("auth.tokenRequestParameter"), (String)"");
        this.allowedClientIds = OsgiUtil.toStringArray((Object)config.get("oauth.clientIds.allowed"), (String[])new String[0]);
        this.syncWithIms = OsgiUtil.toBoolean((Object)config.get("auth.bearer.sync.ims"), (boolean)true);
        this.jwtSupport = OsgiUtil.toBoolean((Object)config.get("oauth.jwt.support"), (boolean)false);
        this.configIdParameterName = OsgiUtil.toString((Object)config.get("oauth.bearer.configid"), (String)"configid");
        this.connectionManager = new PoolingHttpClientConnectionManager();
        this.connectionManager.setDefaultMaxPerRoute(100);
        this.connectionManager.setMaxTotal(100);
        HttpClientBuilder builder = HttpClients.custom();
        builder.setConnectionManager((HttpClientConnectionManager)this.connectionManager);
        this.httpClient = builder.build();
        this.executorService = Executors.newCachedThreadPool();
        this.allowedClients = new HashSet<String>(Arrays.asList(this.allowedClientIds));
    }

    @Deactivate
    private void deactivate() {
        if (this.executorService != null) {
            this.executorService.shutdown();
            this.executorService = null;
        }
        HttpClientUtils.closeQuietly((HttpClient)this.httpClient);
        if (this.connectionManager != null) {
            try {
                this.connectionManager.close();
            }
            catch (Exception e) {
                // empty catch block
            }
            this.connectionManager = null;
        }
    }

    private String getBearerAccessToken(HttpServletRequest request) {
        String token;
        String auth = request.getHeader("Authorization");
        if (auth != null) {
            if (auth.trim().startsWith("Bearer")) {
                String[] parts = auth.split("\\s");
                if (parts.length == 2 && "Bearer".equals(parts[0])) {
                    this.log.debug("getAccessToken: Found access token");
                    return parts[1];
                }
                this.log.debug("getAccessToken: Wrong Authorization header format; ignoring");
            } else {
                this.log.debug("getAccessToken: Authorization scheme is not bearer; ignoring");
            }
        }
        if (!"POST".equals(request.getMethod())) {
            this.log.debug("getAccessToken: the request parameter is limited to POST operation; ignoring");
            return null;
        }
        String string = token = this.requestParameterName.length() > 0 ? request.getParameter(this.requestParameterName) : null;
        if (token != null) {
            this.log.debug("getAccessToken: Found access token");
            return token;
        }
        this.log.debug("getAccessToken: No Authorization header in the request and no request parameter specified; ignoring");
        return null;
    }

    private void setupAuthenticationFailure(HttpServletRequest request, HttpServletResponse response) {
        this.dropCredentials(request, response);
        request.setAttribute("j_reason", (Object)"Authentication Failed");
    }

    /*
     * WARNING - Removed try catching itself - possible behaviour change.
     */
    private OAuthUser getUserDetails(Session serviceSession, OAuthHelper oauthHelper, Provider provider, String oauthUserId) {
        OAuthUser oauthUser;
        User user = null;
        ResourceResolver serviceResolver = null;
        oauthUser = null;
        try {
            HashMap<String, Object> props;
            UserManager um = ((JackrabbitSession)serviceSession).getUserManager();
            serviceResolver = this.resolverFactory.getServiceResourceResolver(null);
            UserPropertiesManager upm = (UserPropertiesManager)serviceResolver.adaptTo(UserPropertiesManager.class);
            if (oauthHelper.getProviderConfig().getForceStrictUsernameMatching()) {
                props = new HashMap<String, Object>();
                Iterator<Authorizable> auths = oauthHelper.getCRXUsersByOAuthId(um, provider, new OAuthUser(oauthUserId, Collections.<String, Object>emptyMap()));
                while (auths.hasNext() && user == null) {
                    Authorizable auth = auths.next();
                    if (auth.isGroup()) continue;
                    user = (User)auth;
                    UserProperties properties = upm.getUserProperties(user.getID(), "profile");
                    for (String property : properties.getPropertyNames()) {
                        String value = properties.getProperty(property);
                        if (value == null) continue;
                        props.put("profile/" + property, value);
                    }
                }
                user = oauthHelper.getCRXUserByMappedId(um, provider, new OAuthUser(oauthUserId, props));
            } else {
                user = oauthHelper.getCRXUserByOAuthId(um, provider, new OAuthUser(oauthUserId, Collections.<String, Object>emptyMap()));
            }
            if (user != null) {
                props = new HashMap();
                UserProperties properties = upm.getUserProperties(user.getID(), "profile");
                for (String property : properties.getPropertyNames()) {
                    String value = properties.getProperty(property);
                    if (value == null) continue;
                    props.put("profile/" + property, value);
                }
                oauthUser = new OAuthUser(oauthUserId, props);
            }
        }
        catch (Exception e) {
            this.log.error("Failed to fetch the user properties from the crx user: {}", (Object)oauthUserId, (Object)e);
        }
        finally {
            if (serviceResolver != null && serviceResolver.isLive()) {
                serviceResolver.close();
            }
        }
        return oauthUser;
    }

    private OAuthUser getUserDetails(Provider provider, OAuthHelper oauthHelper, Token accessToken) throws IOException, InterruptedException {
        ArrayList<DataFutureWithUrl> futures = new ArrayList<DataFutureWithUrl>();
        futures.add(this.createDataFuture(provider, oauthHelper, accessToken, provider.getDetailsURL()));
        String scope = oauthHelper.getProviderConfig().getScope();
        String[] extendedDetailsURLs = provider.getExtendedDetailsURLs(scope);
        if (extendedDetailsURLs != null) {
            for (String extendedDetailsURL : extendedDetailsURLs) {
                futures.add(this.createDataFuture(provider, oauthHelper, accessToken, extendedDetailsURL));
            }
        }
        DataFutureWithUrl profileFuture = (DataFutureWithUrl)futures.get(0);
        Map<String, String> profileData = this.getFutureData(profileFuture);
        String clientId = oauthHelper.getProviderConfig().getClientId();
        Map<String, Object> properties = provider.mapProperties(profileFuture.url, clientId, Collections.<String, Object>emptyMap(), profileData);
        String userId = profileData.get(provider.getUserIdProperty());
        if (userId == null) {
            this.log.error("retrieveBasicData: could not retrieve user id from {}", (Object)provider.getDetailsURL());
            return null;
        }
        String[] dynamicExtendedDetailsURLs = provider.getExtendedDetailsURLs(scope, userId, properties);
        if (dynamicExtendedDetailsURLs != null) {
            for (String dynamicExtendedDetailsUrl : dynamicExtendedDetailsURLs) {
                futures.add(this.createDataFuture(provider, oauthHelper, accessToken, dynamicExtendedDetailsUrl));
            }
        }
        for (int i = 1; i < futures.size(); ++i) {
            DataFutureWithUrl extendedProfileFuture = (DataFutureWithUrl)futures.get(i);
            Map<String, String> extendedProfileData = this.getFutureData(extendedProfileFuture);
            properties = provider.mapProperties(extendedProfileFuture.url, clientId, properties, extendedProfileData);
        }
        OAuthUser oauthUser = new OAuthUser(userId, properties);
        return oauthUser;
    }

    private Map<String, String> getFutureData(DataFutureWithUrl profileFuture) throws InterruptedException, IOException {
        try {
            return profileFuture.future.get();
        }
        catch (ExecutionException e) {
            throw new IOException("Error while fetching data from " + profileFuture.url + ": " + e.getCause());
        }
    }

    private DataFutureWithUrl createDataFuture(final Provider provider, final OAuthHelper oauthHelper, final Token accessToken, final String url) {
        Future<Map<String, String>> future = this.executorService.submit(new Callable<Map<String, String>>(){

            @Override
            public Map<String, String> call() throws Exception {
                return oauthHelper.fetchProfileData(provider, url, accessToken);
            }
        });
        return new DataFutureWithUrl(url, future);
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindSettings(SlingSettingsService slingSettingsService) {
        this.settings = slingSettingsService;
    }

    protected void unbindSettings(SlingSettingsService slingSettingsService) {
        if (this.settings == slingSettingsService) {
            this.settings = null;
        }
    }

    protected void bindProviderConfigManager(ProviderConfigManager providerConfigManager) {
        this.providerConfigManager = providerConfigManager;
    }

    protected void unbindProviderConfigManager(ProviderConfigManager providerConfigManager) {
        if (this.providerConfigManager == providerConfigManager) {
            this.providerConfigManager = null;
        }
    }

    protected void bindOauthManager(OAuthManager oAuthManager) {
        this.oauthManager = oAuthManager;
    }

    protected void unbindOauthManager(OAuthManager oAuthManager) {
        if (this.oauthManager == oAuthManager) {
            this.oauthManager = null;
        }
    }

    protected void bindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resolverFactory = resourceResolverFactory;
    }

    protected void unbindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resolverFactory == resourceResolverFactory) {
            this.resolverFactory = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindHandlerRedirect(HandlerRedirect handlerRedirect) {
        this.handlerRedirect = handlerRedirect;
    }

    protected void unbindHandlerRedirect(HandlerRedirect handlerRedirect) {
        if (this.handlerRedirect == handlerRedirect) {
            this.handlerRedirect = null;
        }
    }

    /*
     * This class specifies class file version 49.0 but uses Java 6 signatures.  Assumed Java 6.
     */
    private static class DataFutureWithUrl {
        String url;
        Future<Map<String, String>> future;

        DataFutureWithUrl(String url, Future<Map<String, String>> future) {
            this.url = url;
            this.future = future;
        }
    }

}