mirror of
https://github.com/scm-manager/scm-manager.git
synced 2025-11-09 06:55:47 +01:00
Merged in feature/changes-for-cas-plugin (pull request #146)
Feature/changes for cas plugin
This commit is contained in:
Philipp Czora
@@ -31,35 +31,20 @@
|
||||
|
||||
package sonia.scm.security;
|
||||
|
||||
//~--- non-JDK imports --------------------------------------------------------
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
|
||||
import io.jsonwebtoken.Claims;
|
||||
import io.jsonwebtoken.JwtException;
|
||||
import io.jsonwebtoken.Jwts;
|
||||
|
||||
import org.apache.shiro.authc.AuthenticationException;
|
||||
import org.apache.shiro.authc.AuthenticationInfo;
|
||||
import org.apache.shiro.authc.AuthenticationToken;
|
||||
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
|
||||
import org.apache.shiro.realm.AuthenticatingRealm;
|
||||
|
||||
import sonia.scm.group.GroupDAO;
|
||||
import sonia.scm.plugin.Extension;
|
||||
import sonia.scm.user.UserDAO;
|
||||
|
||||
import static com.google.common.base.Preconditions.checkArgument;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
//~--- JDK imports ------------------------------------------------------------
|
||||
|
||||
import javax.inject.Inject;
|
||||
import javax.inject.Singleton;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import static com.google.common.base.Preconditions.checkArgument;
|
||||
|
||||
|
||||
/**
|
||||
* Realm for authentication with {@link BearerToken}.
|
||||
@@ -71,34 +56,29 @@ import org.slf4j.LoggerFactory;
|
||||
@Extension
|
||||
public class BearerRealm extends AuthenticatingRealm
|
||||
{
|
||||
|
||||
/**
|
||||
* the logger for BearerRealm
|
||||
*/
|
||||
private static final Logger LOG = LoggerFactory.getLogger(BearerRealm.class);
|
||||
|
||||
/** realm name */
|
||||
@VisibleForTesting
|
||||
static final String REALM = "BearerRealm";
|
||||
|
||||
//~--- constructors ---------------------------------------------------------
|
||||
|
||||
/** dao realm helper */
|
||||
private final DAORealmHelper helper;
|
||||
|
||||
/** access token resolver **/
|
||||
private final AccessTokenResolver tokenResolver;
|
||||
|
||||
/**
|
||||
* Constructs ...
|
||||
*
|
||||
* @param helperFactory dao realm helper factory
|
||||
* @param resolver key resolver
|
||||
* @param validators token claims validators
|
||||
* @param tokenResolver resolve access token from bearer
|
||||
*/
|
||||
@Inject
|
||||
public BearerRealm(
|
||||
DAORealmHelperFactory helperFactory, SecureKeyResolver resolver, Set<TokenClaimsValidator> validators
|
||||
)
|
||||
{
|
||||
public BearerRealm(DAORealmHelperFactory helperFactory, AccessTokenResolver tokenResolver) {
|
||||
this.helper = helperFactory.create(REALM);
|
||||
this.resolver = resolver;
|
||||
this.validators = validators;
|
||||
|
||||
this.tokenResolver = tokenResolver;
|
||||
|
||||
setCredentialsMatcher(new AllowAllCredentialsMatcher());
|
||||
setAuthenticationTokenClass(BearerToken.class);
|
||||
}
|
||||
@@ -106,71 +86,26 @@ public class BearerRealm extends AuthenticatingRealm
|
||||
//~--- methods --------------------------------------------------------------
|
||||
|
||||
/**
|
||||
* Validates the given jwt token and retrieves authentication data from
|
||||
* Validates the given bearer token and retrieves authentication data from
|
||||
* {@link UserDAO} and {@link GroupDAO}.
|
||||
*
|
||||
*
|
||||
* @param token jwt token
|
||||
* @param token bearer token
|
||||
*
|
||||
* @return authentication data from user and group dao
|
||||
*/
|
||||
@Override
|
||||
protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken token)
|
||||
{
|
||||
checkArgument(token instanceof BearerToken, "%s is required",
|
||||
BearerToken.class);
|
||||
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
|
||||
checkArgument(token instanceof BearerToken, "%s is required", BearerToken.class);
|
||||
|
||||
BearerToken bt = (BearerToken) token;
|
||||
Claims c = checkToken(bt);
|
||||
AccessToken accessToken = tokenResolver.resolve(bt);
|
||||
|
||||
return helper.getAuthenticationInfo(c.getSubject(), bt.getCredentials(), Scopes.fromClaims(c));
|
||||
return helper.getAuthenticationInfo(
|
||||
accessToken.getSubject(),
|
||||
bt.getCredentials(),
|
||||
Scopes.fromClaims(accessToken.getClaims())
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates the jwt token.
|
||||
*
|
||||
*
|
||||
* @param token jwt token
|
||||
*
|
||||
* @return claim
|
||||
*/
|
||||
private Claims checkToken(BearerToken token)
|
||||
{
|
||||
Claims claims;
|
||||
|
||||
try
|
||||
{
|
||||
//J-
|
||||
claims = Jwts.parser()
|
||||
.setSigningKeyResolver(resolver)
|
||||
.parseClaimsJws(token.getCredentials())
|
||||
.getBody();
|
||||
//J+
|
||||
|
||||
// check all registered claims validators
|
||||
validators.forEach((validator) -> {
|
||||
if (!validator.validate(claims)) {
|
||||
LOG.warn("token claims is invalid, marked by validator {}", validator.getClass());
|
||||
throw new AuthenticationException("token claims is invalid");
|
||||
}
|
||||
});
|
||||
}
|
||||
catch (JwtException ex)
|
||||
{
|
||||
throw new AuthenticationException("signature is invalid", ex);
|
||||
}
|
||||
|
||||
return claims;
|
||||
}
|
||||
|
||||
//~--- fields ---------------------------------------------------------------
|
||||
|
||||
/** token claims validators **/
|
||||
private final Set<TokenClaimsValidator> validators;
|
||||
|
||||
/** dao realm helper */
|
||||
private final DAORealmHelper helper;
|
||||
|
||||
/** secure key resolver */
|
||||
private final SecureKeyResolver resolver;
|
||||
}
|
||||
|
||||
@@ -55,37 +55,48 @@ public final class JwtAccessTokenResolver implements AccessTokenResolver {
|
||||
private static final Logger LOG = LoggerFactory.getLogger(JwtAccessTokenResolver.class);
|
||||
|
||||
private final SecureKeyResolver keyResolver;
|
||||
private final Set<TokenClaimsValidator> validators;
|
||||
private final Set<AccessTokenValidator> validators;
|
||||
|
||||
@Inject
|
||||
public JwtAccessTokenResolver(SecureKeyResolver keyResolver, Set<TokenClaimsValidator> validators) {
|
||||
public JwtAccessTokenResolver(SecureKeyResolver keyResolver, Set<AccessTokenValidator> validators) {
|
||||
this.keyResolver = keyResolver;
|
||||
this.validators = validators;
|
||||
}
|
||||
|
||||
@Override
|
||||
public JwtAccessToken resolve(BearerToken bearerToken) {
|
||||
Claims claims;
|
||||
|
||||
try {
|
||||
// parse and validate
|
||||
claims = Jwts.parser()
|
||||
String compact = bearerToken.getCredentials();
|
||||
|
||||
Claims claims = Jwts.parser()
|
||||
.setSigningKeyResolver(keyResolver)
|
||||
.parseClaimsJws(bearerToken.getCredentials())
|
||||
.parseClaimsJws(compact)
|
||||
.getBody();
|
||||
|
||||
// check all registered claims validators
|
||||
validators.forEach((validator) -> {
|
||||
if (!validator.validate(claims)) {
|
||||
LOG.warn("token claims is invalid, marked by validator {}", validator.getClass());
|
||||
throw new AuthenticationException("token claims is invalid");
|
||||
}
|
||||
});
|
||||
|
||||
JwtAccessToken token = new JwtAccessToken(claims, compact);
|
||||
validate(token);
|
||||
|
||||
return token;
|
||||
} catch (JwtException ex) {
|
||||
throw new AuthenticationException("signature is invalid", ex);
|
||||
}
|
||||
|
||||
return new JwtAccessToken(claims, bearerToken.getCredentials());
|
||||
}
|
||||
|
||||
|
||||
private void validate(AccessToken accessToken) {
|
||||
validators.forEach(validator -> validate(validator, accessToken));
|
||||
}
|
||||
|
||||
private void validate(AccessTokenValidator validator, AccessToken accessToken) {
|
||||
if (!validator.validate(accessToken)) {
|
||||
String msg = createValidationFailedMessage(validator, accessToken);
|
||||
LOG.debug(msg);
|
||||
throw new AuthenticationException(msg);
|
||||
}
|
||||
}
|
||||
|
||||
private String createValidationFailedMessage(AccessTokenValidator validator, AccessToken accessToken) {
|
||||
return String.format("token %s is invalid, marked by validator %s", accessToken.getId(), validator.getClass());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -47,7 +47,7 @@ import org.apache.shiro.authz.SimpleAuthorizationInfo;
|
||||
import org.apache.shiro.authz.permission.PermissionResolver;
|
||||
|
||||
/**
|
||||
* Utile methods for {@link Scope}.
|
||||
* Util methods for {@link Scope}.
|
||||
*
|
||||
* @author Sebastian Sdorra
|
||||
* @since 2.0.0
|
||||
|
||||
@@ -44,7 +44,7 @@ import sonia.scm.util.HttpUtil;
|
||||
/**
|
||||
* Xsrf access token enricher will add an xsrf custom field to the access token. The enricher will only
|
||||
* add the xsrf field, if the authentication request is issued from the web interface and xsrf protection is
|
||||
* enabled. The xsrf field will be validated on every request by the {@link XsrfTokenClaimsValidator}. Xsrf protection
|
||||
* enabled. The xsrf field will be validated on every request by the {@link XsrfAccessTokenValidator}. Xsrf protection
|
||||
* can be disabled with {@link ScmConfiguration#setEnabledXsrfProtection(boolean)}.
|
||||
*
|
||||
* @see <a href="https://goo.gl/s67xO3">Issue 793</a>
|
||||
|
||||
@@ -30,30 +30,23 @@
|
||||
*/
|
||||
package sonia.scm.security;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import java.util.Map;
|
||||
import sonia.scm.plugin.Extension;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import javax.inject.Provider;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import sonia.scm.plugin.Extension;
|
||||
import java.util.Optional;
|
||||
|
||||
/**
|
||||
* Validates xsrf protected token claims. The validator check if the current request contains an xsrf key which is
|
||||
* equal to the token in the claims. If the claims does not contain a xsrf key, the check is passed by. The xsrf keys
|
||||
* are added by the {@link XsrfTokenClaimsEnricher}.
|
||||
* Validates xsrf protected access tokens. The validator check if the current request contains an xsrf key which is
|
||||
* equal to the one in the access token. If the token does not contain a xsrf key, the check is passed by. The xsrf keys
|
||||
* are added by the {@link XsrfAccessTokenEnricher}.
|
||||
*
|
||||
* @author Sebastian Sdorra
|
||||
* @since 2.0.0
|
||||
*/
|
||||
@Extension
|
||||
public class XsrfTokenClaimsValidator implements TokenClaimsValidator {
|
||||
|
||||
/**
|
||||
* the logger for XsrfTokenClaimsEnricher
|
||||
*/
|
||||
private static final Logger LOG = LoggerFactory.getLogger(XsrfTokenClaimsValidator.class);
|
||||
public class XsrfAccessTokenValidator implements AccessTokenValidator {
|
||||
|
||||
private final Provider<HttpServletRequest> requestProvider;
|
||||
|
||||
@@ -64,16 +57,16 @@ public class XsrfTokenClaimsValidator implements TokenClaimsValidator {
|
||||
* @param requestProvider http request provider
|
||||
*/
|
||||
@Inject
|
||||
public XsrfTokenClaimsValidator(Provider<HttpServletRequest> requestProvider) {
|
||||
public XsrfAccessTokenValidator(Provider<HttpServletRequest> requestProvider) {
|
||||
this.requestProvider = requestProvider;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean validate(Map<String, Object> claims) {
|
||||
String xsrfClaimValue = (String) claims.get(Xsrf.TOKEN_KEY);
|
||||
if (!Strings.isNullOrEmpty(xsrfClaimValue)) {
|
||||
public boolean validate(AccessToken accessToken) {
|
||||
Optional<String> xsrfClaim = accessToken.getCustom(Xsrf.TOKEN_KEY);
|
||||
if (xsrfClaim.isPresent()) {
|
||||
String xsrfHeaderValue = requestProvider.get().getHeader(Xsrf.HEADER_KEY);
|
||||
return xsrfClaimValue.equals(xsrfHeaderValue);
|
||||
return xsrfClaim.get().equals(xsrfHeaderValue);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
Reference in New Issue
Block a user