OAuth filter customization per request

This commit is contained in:
Ignasi Barrera 2017-11-24 17:08:22 +01:00
parent a03e047da6
commit 3bdc25c373
5 changed files with 122 additions and 57 deletions

View File

@ -0,0 +1,79 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jclouds.oauth.v2.config;
import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
import java.util.List;
import javax.inject.Named;
import org.jclouds.http.HttpRequest;
import org.jclouds.javax.annotation.Nullable;
import com.google.auto.value.AutoValue;
import com.google.common.annotations.Beta;
import com.google.inject.ImplementedBy;
import com.google.inject.Inject;
/**
* Provides all OAuth configuration. Implementations are api-specific.
*/
@Beta
@ImplementedBy(OAuthConfigFactory.OAuthConfigFromProperties.class)
public interface OAuthConfigFactory {
@AutoValue
public abstract static class OAuthConfig {
public abstract List<String> scopes();
@Nullable public abstract String audience();
@Nullable public abstract String resource();
public static OAuthConfig create(List<String> scopes, String audience, String resource) {
return new AutoValue_OAuthConfigFactory_OAuthConfig(scopes, audience, resource);
}
}
/**
* Returns the OAuth configuration to be used to authenticate the gicen
* request.
*/
OAuthConfig forRequest(HttpRequest input);
public static class OAuthConfigFromProperties implements OAuthConfigFactory {
private final OAuthScopes scopes;
@Inject(optional = true)
@Named(AUDIENCE)
private String audience;
@Inject(optional = true)
@Named(RESOURCE)
private String resource;
@Inject
OAuthConfigFromProperties(OAuthScopes scopes) {
this.scopes = scopes;
}
@Override
public OAuthConfig forRequest(HttpRequest input) {
return OAuthConfig.create(scopes.forRequest(input), audience, resource);
}
}
}

View File

@ -18,20 +18,19 @@ package org.jclouds.oauth.v2.filters;
import static java.util.concurrent.TimeUnit.SECONDS;
import static org.jclouds.Constants.PROPERTY_SESSION_INTERVAL;
import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
import java.util.UUID;
import javax.inject.Inject;
import javax.inject.Named;
import java.util.List;
import java.util.UUID;
import org.jclouds.domain.Credentials;
import org.jclouds.http.HttpException;
import org.jclouds.http.HttpRequest;
import org.jclouds.location.Provider;
import org.jclouds.oauth.v2.AuthorizationApi;
import org.jclouds.oauth.v2.config.OAuthScopes;
import org.jclouds.oauth.v2.config.OAuthConfigFactory;
import org.jclouds.oauth.v2.config.OAuthConfigFactory.OAuthConfig;
import org.jclouds.oauth.v2.domain.ClientCredentialsAuthArgs;
import org.jclouds.oauth.v2.domain.ClientCredentialsClaims;
import org.jclouds.oauth.v2.domain.Token;
@ -54,22 +53,16 @@ import com.google.common.cache.LoadingCache;
public class ClientCredentialsJWTBearerTokenFlow implements OAuthFilter {
private static final Joiner ON_SPACE = Joiner.on(" ");
private final String resource;
private final String audience;
private final Supplier<Credentials> credentialsSupplier;
private final OAuthScopes scopes;
private final OAuthConfigFactory oauthConfigFactory;
private final LoadingCache<ClientCredentialsAuthArgs, Token> tokenCache;
@Inject
ClientCredentialsJWTBearerTokenFlow(AuthorizeToken loader, @Named(PROPERTY_SESSION_INTERVAL) long tokenDuration,
@Provider Supplier<Credentials> credentialsSupplier,
OAuthScopes scopes,
@Named(AUDIENCE) String audience,
@Named(RESOURCE) String resource) {
OAuthConfigFactory oauthConfigFactory) {
this.credentialsSupplier = credentialsSupplier;
this.scopes = scopes;
this.audience = audience;
this.resource = resource;
this.oauthConfigFactory = oauthConfigFactory;
// since the session interval is also the token expiration time requested to the server make the token expire a
// bit before the deadline to make sure there aren't session expiration exceptions
long cacheExpirationSeconds = tokenDuration > 30 ? tokenDuration - 30 : tokenDuration;
@ -104,11 +97,11 @@ public class ClientCredentialsJWTBearerTokenFlow implements OAuthFilter {
}
@Override public HttpRequest filter(HttpRequest request) throws HttpException {
List<String> configuredScopes = scopes.forRequest(request);
OAuthConfig oauthConfig = oauthConfigFactory.forRequest(request);
ClientCredentialsClaims claims = ClientCredentialsClaims.create( //
credentialsSupplier.get().identity, // iss
credentialsSupplier.get().identity, // sub
audience, // aud
oauthConfig.audience(), // aud
-1, // placeholder exp for the cache
-1, // placeholder nbf for the cache
null // placeholder jti for the cache
@ -116,8 +109,8 @@ public class ClientCredentialsJWTBearerTokenFlow implements OAuthFilter {
ClientCredentialsAuthArgs authArgs = ClientCredentialsAuthArgs.create(
credentialsSupplier.get().identity,
claims,
resource == null ? "" : resource,
configuredScopes.isEmpty() ? null : ON_SPACE.join(configuredScopes)
oauthConfig.resource(),
oauthConfig.scopes().isEmpty() ? null : ON_SPACE.join(oauthConfig.scopes())
);
Token token = tokenCache.getUnchecked(authArgs);

View File

@ -16,31 +16,28 @@
*/
package org.jclouds.oauth.v2.filters;
import java.util.List;
import static java.util.concurrent.TimeUnit.SECONDS;
import static org.jclouds.Constants.PROPERTY_SESSION_INTERVAL;
import javax.inject.Named;
import org.jclouds.domain.Credentials;
import org.jclouds.http.HttpException;
import org.jclouds.http.HttpRequest;
import org.jclouds.location.Provider;
import org.jclouds.oauth.v2.AuthorizationApi;
import org.jclouds.oauth.v2.config.OAuthConfigFactory;
import org.jclouds.oauth.v2.config.OAuthConfigFactory.OAuthConfig;
import org.jclouds.oauth.v2.domain.ClientSecret;
import org.jclouds.oauth.v2.domain.Token;
import com.google.common.base.Joiner;
import com.google.common.base.Supplier;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import org.jclouds.oauth.v2.AuthorizationApi;
import org.jclouds.oauth.v2.domain.ClientSecret;
import org.jclouds.oauth.v2.config.OAuthScopes;
import org.jclouds.oauth.v2.domain.Token;
import org.jclouds.domain.Credentials;
import org.jclouds.http.HttpException;
import org.jclouds.http.HttpRequest;
import org.jclouds.location.Provider;
import javax.inject.Named;
import com.google.inject.Inject;
import static java.util.concurrent.TimeUnit.SECONDS;
import static org.jclouds.Constants.PROPERTY_SESSION_INTERVAL;
import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
/**
* Authorizes new Bearer Tokens at runtime by sending up for the http request.
*
@ -56,16 +53,14 @@ public class ClientCredentialsSecretFlow implements OAuthFilter {
private final Supplier<Credentials> credentialsSupplier;
private final LoadingCache<ClientSecret, Token> tokenCache;
private final String resource;
private final OAuthScopes scopes;
private final OAuthConfigFactory oauthConfigFactory;
@Inject
ClientCredentialsSecretFlow(AuthorizeToken loader, @Named(PROPERTY_SESSION_INTERVAL) long tokenDuration,
@Provider Supplier<Credentials> credentialsSupplier, OAuthScopes scopes,
@Named(RESOURCE) String resource) {
@Provider Supplier<Credentials> credentialsSupplier,
OAuthConfigFactory oauthConfigFactory) {
this.credentialsSupplier = credentialsSupplier;
this.scopes = scopes;
this.resource = resource;
this.oauthConfigFactory = oauthConfigFactory;
// since the session interval is also the token expiration time requested to the server make the token expire a
// bit before the deadline to make sure there aren't session expiration exceptions
long cacheExpirationSeconds = tokenDuration > 30 ? tokenDuration - 30 : tokenDuration;
@ -85,12 +80,12 @@ public class ClientCredentialsSecretFlow implements OAuthFilter {
}
@Override public HttpRequest filter(HttpRequest request) throws HttpException {
List<String> configuredScopes = scopes.forRequest(request);
OAuthConfig oauthConfig = oauthConfigFactory.forRequest(request);
ClientSecret client = ClientSecret.create(
credentialsSupplier.get().identity,
credentialsSupplier.get().credential,
resource == null ? "" : resource,
configuredScopes.isEmpty() ? null : ON_SPACE.join(configuredScopes)
oauthConfig.resource(),
oauthConfig.scopes().isEmpty() ? null : ON_SPACE.join(oauthConfig.scopes())
);
Token token = tokenCache.getUnchecked(client);
String authorization = String.format("%s %s", token.tokenType(), token.accessToken());

View File

@ -18,7 +18,6 @@ package org.jclouds.oauth.v2.filters;
import static java.util.concurrent.TimeUnit.SECONDS;
import static org.jclouds.Constants.PROPERTY_SESSION_INTERVAL;
import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
import javax.inject.Inject;
import javax.inject.Named;
@ -28,7 +27,8 @@ import org.jclouds.http.HttpException;
import org.jclouds.http.HttpRequest;
import org.jclouds.location.Provider;
import org.jclouds.oauth.v2.AuthorizationApi;
import org.jclouds.oauth.v2.config.OAuthScopes;
import org.jclouds.oauth.v2.config.OAuthConfigFactory;
import org.jclouds.oauth.v2.config.OAuthConfigFactory.OAuthConfig;
import org.jclouds.oauth.v2.domain.Claims;
import org.jclouds.oauth.v2.domain.Token;
@ -51,16 +51,14 @@ import com.google.common.cache.LoadingCache;
public class JWTBearerTokenFlow implements OAuthFilter {
private static final Joiner ON_COMMA = Joiner.on(",");
private final String audience;
private final Supplier<Credentials> credentialsSupplier;
private final OAuthScopes scopes;
private final OAuthConfigFactory oauthConfigFactory;
private final LoadingCache<TokenCacheKey, Token> tokenCache;
@Inject JWTBearerTokenFlow(AuthorizeToken loader, @Named(PROPERTY_SESSION_INTERVAL) long tokenDuration,
@Provider Supplier<Credentials> credentialsSupplier, OAuthScopes scopes, @Named(AUDIENCE) String audience) {
@Provider Supplier<Credentials> credentialsSupplier, OAuthConfigFactory oauthConfigFactory) {
this.credentialsSupplier = credentialsSupplier;
this.scopes = scopes;
this.audience = audience;
this.oauthConfigFactory = oauthConfigFactory;
// since the session interval is also the token expiration time requested to the server make the token expire a
// bit before the deadline to make sure there aren't session expiration exceptions
long cacheExpirationSeconds = tokenDuration > 30 ? tokenDuration - 30 : tokenDuration;
@ -89,10 +87,11 @@ public class JWTBearerTokenFlow implements OAuthFilter {
@Override public HttpRequest filter(HttpRequest request) throws HttpException {
long now = currentTimeSeconds();
OAuthConfig oauthConfig = oauthConfigFactory.forRequest(request);
Claims claims = Claims.create( //
credentialsSupplier.get().identity, // iss
ON_COMMA.join(scopes.forRequest(request)), // scope
audience, // aud
ON_COMMA.join(oauthConfig.scopes()), // scope
oauthConfig.audience(), // aud
-1, // placeholder exp for the cache
-1 // placeholder iat for the cache
);

View File

@ -17,22 +17,21 @@
package org.jclouds.oauth.v2.filters;
import static org.jclouds.Constants.PROPERTY_SESSION_INTERVAL;
import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
import javax.inject.Inject;
import javax.inject.Named;
import org.jclouds.domain.Credentials;
import org.jclouds.location.Provider;
import org.jclouds.oauth.v2.config.OAuthScopes;
import org.jclouds.oauth.v2.config.OAuthConfigFactory;
import com.google.common.base.Supplier;
public class TestJWTBearerTokenFlow extends JWTBearerTokenFlow {
@Inject TestJWTBearerTokenFlow(AuthorizeToken loader, @Named(PROPERTY_SESSION_INTERVAL) long tokenDuration,
@Provider Supplier<Credentials> credentialsSupplier, OAuthScopes scopes, @Named(AUDIENCE) String audience) {
super(loader, tokenDuration, credentialsSupplier, scopes, audience);
@Provider Supplier<Credentials> credentialsSupplier, OAuthConfigFactory oauthConfigFactory) {
super(loader, tokenDuration, credentialsSupplier, oauthConfigFactory);
}
/** Constant time for testing. */