start implementation of jwt based authentication

scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java

@@ -0,0 +1,154 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.common.annotations.VisibleForTesting;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
+import org.apache.shiro.realm.AuthenticatingRealm;
+
+import sonia.scm.group.GroupDAO;
+import sonia.scm.plugin.Extension;
+import sonia.scm.user.UserDAO;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
+/**
+ * Realm for authentication with {@link BearerAuthenticationToken}.
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@Singleton
+@Extension
+public class BearerRealm extends AuthenticatingRealm
+{
+
+  /** realm name */
+  @VisibleForTesting
+  static final String REALM = "BearerRealm";
+
+  //~--- constructors ---------------------------------------------------------
+
+  /**
+   * Constructs ...
+   *
+   *
+   * @param resolver key resolver
+   * @param userDAO user dao
+   * @param groupDAO group dao
+   */
+  @Inject
+  public BearerRealm(SecureKeyResolver resolver, UserDAO userDAO,
+    GroupDAO groupDAO)
+  {
+    this.resolver = resolver;
+    this.helper = new DAORealmHelper(REALM, userDAO, groupDAO);
+    setCredentialsMatcher(new AllowAllCredentialsMatcher());
+    setAuthenticationTokenClass(BearerAuthenticationToken.class);
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Validates the given jwt token and retrieves authentication data from
+   * {@link UserDAO} and {@link GroupDAO}.
+   *
+   *
+   * @param token jwt token
+   *
+   * @return authentication data from user and group dao
+   */
+  @Override
+  protected AuthenticationInfo doGetAuthenticationInfo(
+    AuthenticationToken token)
+  {
+    checkArgument(token instanceof BearerAuthenticationToken, "%s is required",
+      BearerAuthenticationToken.class);
+
+    BearerAuthenticationToken bt = (BearerAuthenticationToken) token;
+    Claims c = checkToken(bt);
+
+    return helper.getAuthenticationInfo(c.getSubject(), bt.getCredentials());
+  }
+
+  /**
+   * Validates the jwt token.
+   *
+   *
+   * @param token jwt token
+   *
+   * @return claim
+   */
+  private Claims checkToken(BearerAuthenticationToken token)
+  {
+    Claims claims;
+
+    try
+    {
+      //J-
+      claims = Jwts.parser()
+        .setSigningKeyResolver(resolver)
+        .parseClaimsJws(token.getCredentials())
+        .getBody();
+      //J+
+    }
+    catch (JwtException ex)
+    {
+      throw new AuthenticationException("signature is invalid", ex);
+    }
+
+    return claims;
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** dao realm helper */
+  private final DAORealmHelper helper;
+
+  /** secure key resolver */
+  private final SecureKeyResolver resolver;
+}

scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java

@@ -0,0 +1,105 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
+import sonia.scm.user.User;
+
+import static com.google.common.base.Preconditions.*;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.inject.Inject;
+
+/**
+ * Creates bearer token for a given user.
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+public final class BearerTokenGenerator
+{
+
+  /**
+   * Constructs a new token generator.
+   *
+   *
+   * @param keyGenerator key generator
+   * @param keyResolver secure key resolver
+   */
+  @Inject
+  public BearerTokenGenerator(KeyGenerator keyGenerator,
+    SecureKeyResolver keyResolver)
+  {
+    this.keyGenerator = keyGenerator;
+    this.keyResolver = keyResolver;
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Creates a new bearer token for the given user.
+   *
+   *
+   * @param user user
+   *
+   * @return bearer token
+   */
+  public String createBearerToken(User user)
+  {
+    checkNotNull(user, "user is required");
+
+    SecureKey key = keyResolver.getSecureKey(user.getName());
+
+    // TODO add expiration date
+    
+    //J-
+    return Jwts.builder()
+      .setSubject(user.getName())
+      .setId(keyGenerator.createKey())
+      .signWith(SignatureAlgorithm.HS256, key.getBytes())
+      .compact();
+    //J+
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** key generator */
+  private final KeyGenerator keyGenerator;
+
+  /** secure key resolver */
+  private final SecureKeyResolver keyResolver;
+}

scm-webapp/src/main/java/sonia/scm/security/SecureKey.java

@@ -0,0 +1,139 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.common.base.Objects;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * Secure key can be used for singing messages and tokens.
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@XmlRootElement(name = "secure-key")
+@XmlAccessorType(XmlAccessType.FIELD)
+public final class SecureKey
+{
+
+  /**
+   * Constructs a new secure key.
+   * This constructor should only be used by jaxb.
+   *
+   */
+  SecureKey() {}
+
+  /**
+   * Constructs a new secure key.
+   *
+   *
+   * @param bytes bytes of key
+   * @param creationDate creation date
+   */
+  public SecureKey(byte[] bytes, long creationDate)
+  {
+    this.bytes = bytes;
+    this.creationDate = creationDate;
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public boolean equals(Object obj)
+  {
+    if (obj == null)
+    {
+      return false;
+    }
+
+    if (getClass() != obj.getClass())
+    {
+      return false;
+    }
+
+    final SecureKey other = (SecureKey) obj;
+
+    return Objects.equal(bytes, other.bytes)
+      && Objects.equal(creationDate, other.creationDate);
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public int hashCode()
+  {
+    return Objects.hashCode(bytes, creationDate);
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Returns the bytes of the key.
+   *
+   *
+   * @return bytes of key
+   */
+  public byte[] getBytes()
+  {
+    return bytes;
+  }
+
+  /**
+   * Returns the creation date of the key.
+   *
+   *
+   * @return key creation date
+   */
+  public long getCreationDate()
+  {
+    return creationDate;
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** bytes of key */
+  private byte[] bytes;
+
+  /** creation date */
+  private long creationDate;
+}

scm-webapp/src/main/java/sonia/scm/security/SecureKeyResolver.java

@@ -0,0 +1,164 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Strings;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import sonia.scm.store.ConfigurationEntryStore;
+import sonia.scm.store.ConfigurationEntryStoreFactory;
+
+import static com.google.common.base.Preconditions.*;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import java.security.SecureRandom;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
+/**
+ * Resolve secure keys which can be used for signing token and messages.
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@Singleton
+public class SecureKeyResolver extends SigningKeyResolverAdapter
+{
+
+  /** key length */
+  private static final int KEY_LENGTH = 64;
+
+  /** name of the configuration store */
+  @VisibleForTesting
+  static final String STORE_NAME = "keys";
+
+  /**
+   * the logger for SecureKeyResolver
+   */
+  private static final Logger logger =
+    LoggerFactory.getLogger(SecureKeyResolver.class);
+
+  //~--- constructors ---------------------------------------------------------
+
+  /**
+   * Constructs a new SecureKeyResolver
+   *
+   *
+   * @param storeFactory store factory
+   */
+  @Inject
+  public SecureKeyResolver(ConfigurationEntryStoreFactory storeFactory)
+  {
+    this.store = storeFactory.getStore(SecureKey.class, STORE_NAME);
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims)
+  {
+    checkNotNull(claims, "claims is required");
+    
+    String subject = claims.getSubject();
+
+    checkArgument(!Strings.isNullOrEmpty(subject), "subject is required");
+
+    SecureKey key = store.get(subject);
+
+    checkState(key != null, "could not resolve key for subject %s", subject);
+
+    return key.getBytes();
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Returns the secure key for the given subject, if there is no key for the
+   * subject a new key is generated.
+   *
+   * @param subject subject
+   *
+   * @return secure key
+   */
+  public SecureKey getSecureKey(String subject)
+  {
+    SecureKey key = store.get(subject);
+
+    if (key == null)
+    {
+      logger.trace("create new key for subject");
+      key = createNewKey();
+      store.put(subject, key);
+    }
+
+    return key;
+  }
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Creates a new secure key.
+   *
+   *
+   * @return new secure key
+   */
+  private SecureKey createNewKey()
+  {
+    byte[] bytes = new byte[KEY_LENGTH];
+
+    random.nextBytes(bytes);
+
+    return new SecureKey(bytes, System.currentTimeMillis());
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** secure randon */
+  private final SecureRandom random = new SecureRandom();
+
+  /** configuration entry store */
+  private final ConfigurationEntryStore<SecureKey> store;
+}