introduce TokenClaimsEnricher and TokenClaimsValidator api

2025-11-14 17:26:22 +01:00 · 2017-01-12 22:04:19 +01:00
parent 0a22bc9919
commit 46d8b58810
6 changed files with 201 additions and 10 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java
@@ -50,11 +50,14 @@ import sonia.scm.plugin.Extension;
 import sonia.scm.user.UserDAO;

 import static com.google.common.base.Preconditions.checkArgument;
+import java.util.Set;

 //~--- JDK imports ------------------------------------------------------------

 import javax.inject.Inject;
 import javax.inject.Singleton;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 /**
 * Realm for authentication with {@link BearerAuthenticationToken}.
@@ -67,6 +70,11 @@ import javax.inject.Singleton;
 public class BearerRealm extends AuthenticatingRealm
 {

+  /**
+   * the logger for BearerRealm
+   */
+  private static final Logger LOG = LoggerFactory.getLogger(BearerRealm.class);
+  
  /** realm name */
  @VisibleForTesting
  static final String REALM = "BearerRealm";
@@ -80,13 +88,16 @@ public class BearerRealm extends AuthenticatingRealm
   * @param resolver key resolver
   * @param userDAO user dao
   * @param groupDAO group dao
+   * @param validators token claims validators
   */
  @Inject
  public BearerRealm(SecureKeyResolver resolver, UserDAO userDAO,
-    GroupDAO groupDAO)
+    GroupDAO groupDAO, Set<TokenClaimsValidator> validators)
  {
    this.resolver = resolver;
    this.helper = new DAORealmHelper(REALM, userDAO, groupDAO);
+    this.validators = validators;
+    
    setCredentialsMatcher(new AllowAllCredentialsMatcher());
    setAuthenticationTokenClass(BearerAuthenticationToken.class);
  }
@@ -135,6 +146,14 @@ public class BearerRealm extends AuthenticatingRealm
        .parseClaimsJws(token.getCredentials())
        .getBody();
      //J+
+      
+      // check all registered claims validators
+      validators.forEach((validator) -> {
+        if (!validator.validate(claims)) {
+          LOG.warn("token claims is invalid, marked by validator {}", validator.getClass());
+          throw new AuthenticationException("token claims is invalid");
+        }
+      });
    }
    catch (JwtException ex)
    {
@@ -146,6 +165,9 @@ public class BearerRealm extends AuthenticatingRealm

  //~--- fields ---------------------------------------------------------------

+  /** token claims validators **/
+  private final Set<TokenClaimsValidator> validators;
+  
  /** dao realm helper */
  private final DAORealmHelper helper;

--- a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
@@ -43,9 +43,13 @@ import sonia.scm.user.User;

 import static com.google.common.base.Preconditions.*;

+import com.google.common.collect.Maps;
+
 //~--- JDK imports ------------------------------------------------------------

 import java.util.Date;
+import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;

 import javax.inject.Inject;
@@ -58,7 +62,7 @@ import javax.inject.Inject;
 */
 public final class BearerTokenGenerator
 {
-
+  
  /**
   * the logger for BearerTokenGenerator
   */
@@ -73,13 +77,15 @@ public final class BearerTokenGenerator
   *
   * @param keyGenerator key generator
   * @param keyResolver secure key resolver
+   * @param enrichers token claims modifier
   */
  @Inject
-  public BearerTokenGenerator(KeyGenerator keyGenerator,
-    SecureKeyResolver keyResolver)
-  {
+  public BearerTokenGenerator(
+    KeyGenerator keyGenerator, SecureKeyResolver keyResolver, Set<TokenClaimsEnricher> enrichers
+  ) {
    this.keyGenerator = keyGenerator;
    this.keyResolver = keyResolver;
+    this.enrichers = enrichers;
  }

  //~--- methods --------------------------------------------------------------
@@ -92,8 +98,7 @@ public final class BearerTokenGenerator
   *
   * @return bearer token
   */
-  public String createBearerToken(User user)
-  {
+  public String createBearerToken(User user) {
    checkNotNull(user, "user is required");

    String username = user.getName();
@@ -109,8 +114,16 @@ public final class BearerTokenGenerator
    // TODO: should be configurable
    long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS);

+    Map<String,Object> claim = Maps.newHashMap();
+    
+    // enrich claims with registered enrichers
+    enrichers.forEach((enricher) -> {
+      enricher.enrich(claim);
+    });
+    
    //J-
    return Jwts.builder()
+      .setClaims(claim)
      .setSubject(username)
      .setId(id)
      .signWith(SignatureAlgorithm.HS256, key.getBytes())
@@ -122,6 +135,9 @@ public final class BearerTokenGenerator

  //~--- fields ---------------------------------------------------------------

+  /** token claims modifier **/
+  private final Set<TokenClaimsEnricher> enrichers;
+  
  /** key generator */
  private final KeyGenerator keyGenerator;