Java tutorial
/* * ***************************************************************************** * Cloud Foundry * Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved. * This product is licensed to you under the Apache License, Version 2.0 (the "License"). * You may not use this product except in compliance with the License. * * This product includes a number of subcomponents with * separate copyright notices and license terms. Your use of these * subcomponents is subject to the terms and conditions of the * subcomponent's license, as noted in the LICENSE file. * ***************************************************************************** */ package org.cloudfoundry.identity.client; import org.apache.http.HttpRequest; import org.apache.http.HttpResponse; import org.apache.http.ProtocolException; import org.apache.http.client.RedirectStrategy; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.conn.ssl.SSLContextBuilder; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.DefaultRedirectStrategy; import org.apache.http.impl.client.HttpClients; import org.apache.http.protocol.HttpContext; import org.cloudfoundry.identity.client.token.TokenRequest; import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken; import org.springframework.http.HttpEntity; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; import org.springframework.http.client.ClientHttpRequestFactory; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; import org.springframework.security.crypto.codec.Base64; import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext; import org.springframework.security.oauth2.client.OAuth2RestTemplate; import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails; import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; import org.springframework.security.oauth2.client.token.AccessTokenProvider; import org.springframework.security.oauth2.client.token.AccessTokenProviderChain; import org.springframework.security.oauth2.client.token.AccessTokenRequest; import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport; import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider; import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails; import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider; import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails; import org.springframework.security.oauth2.client.token.grant.implicit.ImplicitAccessTokenProvider; import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider; import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException; import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; import org.springframework.web.client.HttpMessageConverterExtractor; import org.springframework.web.client.ResponseExtractor; import org.springframework.web.client.RestTemplate; import org.springframework.web.util.UriComponentsBuilder; import javax.net.ssl.SSLContext; import java.io.UnsupportedEncodingException; import java.net.URI; import java.security.KeyManagementException; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Objects; import static java.lang.String.format; import static org.cloudfoundry.identity.client.token.GrantType.AUTHORIZATION_CODE; import static org.cloudfoundry.identity.client.token.GrantType.PASSWORD_WITH_PASSCODE; import static org.springframework.security.oauth2.common.AuthenticationScheme.header; public class UaaContextFactory { /** * UAA Base URI */ private final URI uaaURI; /** * Instantiates a context factory to authenticate against the UAA * @param uaaURI the UAA base URI */ private UaaContextFactory(URI uaaURI) { this.uaaURI = uaaURI; } private String tokenPath = "/oauth/token"; private String authorizePath = "/oauth/authorize"; /** * Instantiates a context factory to authenticate against the UAA * The default token path, /oauth/token, and authorize path, /oauth/authorize are set. * @param uaaURI the UAA base URI */ public static UaaContextFactory factory(URI uaaURI) { return new UaaContextFactory(uaaURI); } /** * Sets the token endpoint path. If not invoked, the default is /oauth/token * @param path the path for the token endpoint. * @return this mutable object */ public UaaContextFactory tokenPath(String path) { this.tokenPath = path; return this; } /** * Sets the authorize endpoint path. If not invoked, the default is /oauth/authorize * @param path the path for the authorize endpoint. * @return this mutable object */ public UaaContextFactory authorizePath(String path) { this.authorizePath = path; return this; } /** * Returns the authorize URI * @return the UAA authorization URI */ public URI getAuthorizeUri() { UriComponentsBuilder authorizationURI = UriComponentsBuilder.newInstance(); authorizationURI.uri(uaaURI); authorizationURI.path(authorizePath); return authorizationURI.build().toUri(); } /** * Returns the URI * @return */ public URI getTokenUri() { UriComponentsBuilder tokenURI = UriComponentsBuilder.newInstance(); tokenURI.uri(uaaURI); tokenURI.path(tokenPath); return tokenURI.build().toUri(); } /** * Creates a new {@link TokenRequest} object. * The object will have the token an authorize endpoints already configured. * @return the new token request that can be used for an access token request. */ public TokenRequest tokenRequest() { return new TokenRequest(getTokenUri(), getAuthorizeUri()); } /** * Authenticates the client and optionally the user and retrieves an access token * Token request must be valid, see {@link TokenRequest#isValid()} * @param request - a fully configured token request * @return an authenticated UAA context with * @throws NullPointerException if the request object is null * @throws IllegalArgumentException if the token request is invalid */ public UaaContext authenticate(TokenRequest request) { if (request == null) { throw new NullPointerException(TokenRequest.class.getName() + " cannot be null."); } if (!request.isValid()) { throw new IllegalArgumentException("Invalid token request."); } switch (request.getGrantType()) { case CLIENT_CREDENTIALS: return authenticateClientCredentials(request); case PASSWORD: case PASSWORD_WITH_PASSCODE: return authenticatePassword(request); case AUTHORIZATION_CODE: return authenticateAuthCode(request); case AUTHORIZATION_CODE_WITH_TOKEN: return authenticateAuthCodeWithToken(request); case FETCH_TOKEN_FROM_CODE: return fetchTokenFromCode(request); case SAML2_BEARER: return authenticateSaml2BearerAssertion(request); default: throw new UnsupportedGrantTypeException("Not implemented:" + request.getGrantType()); } } protected UaaContext fetchTokenFromCode(final TokenRequest request) { String clientBasicAuth = getClientBasicAuthHeader(request); RestTemplate template = new RestTemplate(); if (request.isSkipSslValidation()) { template.setRequestFactory(getNoValidatingClientHttpRequestFactory()); } HttpHeaders headers = new HttpHeaders(); headers.add(HttpHeaders.AUTHORIZATION, clientBasicAuth); headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON)); headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED); MultiValueMap<String, String> form = new LinkedMultiValueMap<>(); form.add(OAuth2Utils.GRANT_TYPE, "authorization_code"); form.add(OAuth2Utils.REDIRECT_URI, request.getRedirectUri().toString()); String responseType = "token"; if (request.wantsIdToken()) { responseType += " id_token"; } form.add(OAuth2Utils.RESPONSE_TYPE, responseType); form.add("code", request.getAuthorizationCode()); ResponseEntity<CompositeAccessToken> token = template.exchange(request.getTokenEndpoint(), HttpMethod.POST, new HttpEntity<>(form, headers), CompositeAccessToken.class); return new UaaContextImpl(request, null, token.getBody()); } /** * Not yet implemented * @param tokenRequest - a configured TokenRequest * @return an authenticated {@link UaaContext} */ protected UaaContext authenticateAuthCode(final TokenRequest tokenRequest) { AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails(); details.setPreEstablishedRedirectUri(tokenRequest.getRedirectUri().toString()); details.setUserAuthorizationUri(tokenRequest.getAuthorizationEndpoint().toString()); configureResourceDetails(tokenRequest, details); setClientCredentials(tokenRequest, details); setRequestScopes(tokenRequest, details); //begin - work around for not having UI for now DefaultOAuth2ClientContext oAuth2ClientContext = new DefaultOAuth2ClientContext(); oAuth2ClientContext.getAccessTokenRequest().setStateKey(tokenRequest.getState()); oAuth2ClientContext.setPreservedState(tokenRequest.getState(), details.getPreEstablishedRedirectUri()); oAuth2ClientContext.getAccessTokenRequest().setCurrentUri(details.getPreEstablishedRedirectUri()); //end - work around for not having UI for now OAuth2RestTemplate template = new OAuth2RestTemplate(details, oAuth2ClientContext); skipSslValidation(tokenRequest, template, null); template.getAccessToken(); throw new UnsupportedOperationException(AUTHORIZATION_CODE + " is not yet implemented"); } /** * Performs and authorization_code grant, but uses a token to assert the user's identity. * @param tokenRequest - a configured TokenRequest * @return an authenticated {@link UaaContext} */ protected UaaContext authenticateAuthCodeWithToken(final TokenRequest tokenRequest) { List<OAuth2AccessTokenSupport> providers = Collections .singletonList(new AuthorizationCodeAccessTokenProvider() { @Override protected ResponseExtractor<OAuth2AccessToken> getResponseExtractor() { getRestTemplate(); // force initialization MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter(); return new HttpMessageConverterExtractor<OAuth2AccessToken>(CompositeAccessToken.class, Arrays.asList(converter)); } }); enhanceRequestParameters(tokenRequest, providers.get(0)); AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails(); details.setPreEstablishedRedirectUri(tokenRequest.getRedirectUri().toString()); configureResourceDetails(tokenRequest, details); setClientCredentials(tokenRequest, details); setRequestScopes(tokenRequest, details); details.setUserAuthorizationUri(tokenRequest.getAuthorizationEndpoint().toString()); DefaultOAuth2ClientContext oAuth2ClientContext = new DefaultOAuth2ClientContext(); oAuth2ClientContext.getAccessTokenRequest().setStateKey(tokenRequest.getState()); oAuth2ClientContext.setPreservedState(tokenRequest.getState(), details.getPreEstablishedRedirectUri()); oAuth2ClientContext.getAccessTokenRequest().setCurrentUri(details.getPreEstablishedRedirectUri()); Map<String, List<String>> headers = (Map<String, List<String>>) oAuth2ClientContext.getAccessTokenRequest() .getHeaders(); headers.put("Authorization", Arrays.asList("bearer " + tokenRequest.getAuthCodeAPIToken())); OAuth2RestTemplate template = new OAuth2RestTemplate(details, oAuth2ClientContext); skipSslValidation(tokenRequest, template, providers); OAuth2AccessToken token = template.getAccessToken(); return new UaaContextImpl(tokenRequest, template, (CompositeAccessToken) token); } protected UaaContext authenticateSaml2BearerAssertion(final TokenRequest request) { RestTemplate template = new RestTemplate(); if (request.isSkipSslValidation()) { template.setRequestFactory(getNoValidatingClientHttpRequestFactory()); } HttpHeaders headers = new HttpHeaders(); headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON)); headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED); MultiValueMap<String, String> form = new LinkedMultiValueMap<>(); form.add(OAuth2Utils.CLIENT_ID, request.getClientId()); form.add("client_secret", request.getClientSecret()); form.add(OAuth2Utils.GRANT_TYPE, "urn:ietf:params:oauth:grant-type:saml2-bearer"); form.add("assertion", request.getAuthCodeAPIToken()); ResponseEntity<CompositeAccessToken> token = template.exchange(request.getTokenEndpoint(), HttpMethod.POST, new HttpEntity<>(form, headers), CompositeAccessToken.class); return new UaaContextImpl(request, null, token.getBody()); } protected String getClientBasicAuthHeader(TokenRequest request) { try { byte[] autbytes = Base64 .encode(format("%s:%s", request.getClientId(), request.getClientSecret()).getBytes("UTF-8")); String base64 = new String(autbytes); return format("Basic %s", base64); } catch (UnsupportedEncodingException e) { throw new IllegalArgumentException(e); } } /** * Performs a {@link org.cloudfoundry.identity.client.token.GrantType#PASSWORD authentication} * @param tokenRequest - a configured TokenRequest * @return an authenticated {@link UaaContext} */ protected UaaContext authenticatePassword(final TokenRequest tokenRequest) { List<OAuth2AccessTokenSupport> providers = Collections .singletonList(new ResourceOwnerPasswordAccessTokenProvider() { @Override protected ResponseExtractor<OAuth2AccessToken> getResponseExtractor() { getRestTemplate(); // force initialization MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter(); return new HttpMessageConverterExtractor<OAuth2AccessToken>(CompositeAccessToken.class, Arrays.asList(converter)); } }); enhanceRequestParameters(tokenRequest, providers.get(0)); ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails(); configureResourceDetails(tokenRequest, details); setUserCredentials(tokenRequest, details); setClientCredentials(tokenRequest, details); setRequestScopes(tokenRequest, details); OAuth2RestTemplate template = new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext()); skipSslValidation(tokenRequest, template, providers); OAuth2AccessToken token = template.getAccessToken(); return new UaaContextImpl(tokenRequest, template, (CompositeAccessToken) token); } /** * Adds a request enhancer to the provider. * Currently only two request parameters are being enhanced * 1. If the {@link TokenRequest} wants an id_token the <code>id_token token</code> values are added as a response_type parameter * 2. If the {@link TokenRequest} is a {@link org.cloudfoundry.identity.client.token.GrantType#PASSWORD_WITH_PASSCODE} * the <code>passcode</code> parameter will be added to the request * @param tokenRequest the token request, expected to be a password grant * @param provider the provider to enhance */ protected void enhanceRequestParameters(TokenRequest tokenRequest, OAuth2AccessTokenSupport provider) { provider.setTokenRequestEnhancer( //add id_token to the response type if requested. (AccessTokenRequest request, OAuth2ProtectedResourceDetails resource, MultiValueMap<String, String> form, HttpHeaders headers) -> { if (tokenRequest.wantsIdToken()) { form.put(OAuth2Utils.RESPONSE_TYPE, Arrays.asList("id_token token")); } if (tokenRequest.getGrantType() == PASSWORD_WITH_PASSCODE) { form.put("passcode", Arrays.asList(tokenRequest.getPasscode())); } }); } /** * Performs a {@link org.cloudfoundry.identity.client.token.GrantType#CLIENT_CREDENTIALS authentication} * @param request - a configured TokenRequest * @return an authenticated {@link UaaContext} */ protected UaaContext authenticateClientCredentials(TokenRequest request) { ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails(); configureResourceDetails(request, details); setClientCredentials(request, details); setRequestScopes(request, details); OAuth2RestTemplate template = new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext()); skipSslValidation(request, template, null); OAuth2AccessToken token = template.getAccessToken(); CompositeAccessToken result = new CompositeAccessToken(token); return new UaaContextImpl(request, template, result); } /** * Sets the token endpoint on the resource details * Sets the authentication scheme to be {@link org.springframework.security.oauth2.common.AuthenticationScheme#header} * @param tokenRequest the token request containing the token endpoint * @param details the details object that will be configured */ protected void configureResourceDetails(TokenRequest tokenRequest, BaseOAuth2ProtectedResourceDetails details) { details.setAuthenticationScheme(header); details.setAccessTokenUri(tokenRequest.getTokenEndpoint().toString()); } /** * Sets the requested scopes on the resource details, if and only if the requested scopes are not null * @param tokenRequest the token request containing the requested scopes, if any * @param details the details object that will be configured */ protected void setRequestScopes(TokenRequest tokenRequest, BaseOAuth2ProtectedResourceDetails details) { if (!Objects.isNull(tokenRequest.getScopes())) { details.setScope(new LinkedList(tokenRequest.getScopes())); } } /** * Sets the client_id and client_secret on the resource details object * @param tokenRequest the token request containing the client_id and client_secret * @param details the details object that. will be configured */ protected void setClientCredentials(TokenRequest tokenRequest, BaseOAuth2ProtectedResourceDetails details) { details.setClientId(tokenRequest.getClientId()); details.setClientSecret(tokenRequest.getClientSecret()); } /** * Sets the username and password on the resource details object * @param tokenRequest the token request containing the client_id and client_secret * @param details the details object that. will be configured */ protected void setUserCredentials(TokenRequest tokenRequest, ResourceOwnerPasswordResourceDetails details) { details.setUsername(tokenRequest.getUsername()); details.setPassword(tokenRequest.getPassword()); } /** * If the {@link TokenRequest#isSkipSslValidation()} returns true, the rest template * will be configured * @param tokenRequest * @param template */ protected void skipSslValidation(TokenRequest tokenRequest, OAuth2RestTemplate template, List<OAuth2AccessTokenSupport> existingProviders) { ClientHttpRequestFactory requestFactory = null; if (tokenRequest.isSkipSslValidation()) { requestFactory = getNoValidatingClientHttpRequestFactory(); } List<OAuth2AccessTokenSupport> accessTokenProviders = existingProviders != null ? existingProviders : Arrays.<OAuth2AccessTokenSupport>asList(new AuthorizationCodeAccessTokenProvider(), new ImplicitAccessTokenProvider(), new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider()); List<AccessTokenProvider> providers = new ArrayList<>(); for (OAuth2AccessTokenSupport provider : accessTokenProviders) { if (requestFactory != null) { provider.setRequestFactory(requestFactory); } providers.add((AccessTokenProvider) provider); } AccessTokenProviderChain chain = new AccessTokenProviderChain(providers); template.setAccessTokenProvider(chain); } public static ClientHttpRequestFactory getNoValidatingClientHttpRequestFactory() { return getNoValidatingClientHttpRequestFactory(true); } public static ClientHttpRequestFactory getNoValidatingClientHttpRequestFactory(boolean followRedirects) { ClientHttpRequestFactory requestFactory; SSLContext sslContext; try { sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build(); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); } catch (KeyManagementException e) { throw new RuntimeException(e); } catch (KeyStoreException e) { throw new RuntimeException(e); } // CloseableHttpClient httpClient = HttpClients.custom().setSslcontext(sslContext) .setRedirectStrategy(followRedirects ? new DefaultRedirectStrategy() : new RedirectStrategy() { @Override public boolean isRedirected(HttpRequest request, HttpResponse response, HttpContext context) throws ProtocolException { return false; } @Override public HttpUriRequest getRedirect(HttpRequest request, HttpResponse response, HttpContext context) throws ProtocolException { return null; } }).build(); requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient); return requestFactory; } }