• Home
• com.hcl.domino
• domino-jnx-jna
• 1.36.0
• source code
• JNAOIDCTokenHandler.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.hcl.domino.jna.security.JNAOIDCTokenHandler Maven / Gradle / Ivy

package com.hcl.domino.jna.security;

import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.NameNotFoundException;
import com.hcl.domino.DominoClient;
import com.hcl.domino.DominoClientBuilder;
import com.hcl.domino.DominoException;
import com.hcl.domino.commons.util.NotesErrorUtils;
import com.hcl.domino.jna.internal.DisposableMemory;
import com.hcl.domino.jna.internal.NotesStringUtils;
import com.hcl.domino.jna.internal.capi.INotesCAPI1400;
import com.hcl.domino.jna.internal.capi.NotesCAPI1400;
import com.hcl.domino.jna.internal.structs.JwtValidateOptionalParamsStruct;
import com.hcl.domino.misc.DominoEnumUtil;
import com.hcl.domino.misc.NotesConstants;
import com.hcl.domino.security.CredentialValidationTokenHandler;
import com.hcl.domino.security.DominoOIDCTokenValidation;
import com.sun.jna.Memory;
import com.sun.jna.ptr.LongByReference;

/**
 * Implementation of {@link CredentialValidationTokenHandler} that uses
 * {@link INotesCAPI1400#SECValidateAccessToken} to validate a String
 * beginning with {@code "Bearer "} against the server's token
 * settings.
 * 
 * 
This implementation will attempt to map the email address returned
 * by the underlying method to a DN using the directory API, returning
 * the original email address when not found.
 * 
 * @since 1.29.0
 */
public class JNAOIDCTokenHandler implements CredentialValidationTokenHandler {
  private static final Logger log = Logger.getLogger(JNAOIDCTokenHandler.class.getName());
  
  @Override
  public boolean canProcess(Object token) {
    return token instanceof DominoOIDCTokenValidation;
  }

  @Override
  public Optional getUserDn(DominoOIDCTokenValidation token, String serverName, DominoClient contextDominoClient)
      throws NameNotFoundException, AuthenticationException, AuthenticationNotSupportedException {
    Objects.requireNonNull(token, "token cannot be null");
    
    INotesCAPI1400 api = NotesCAPI1400.get();
    
    Memory memJwt = NotesStringUtils.toLMBCS(token.getToken(), true);
    Memory memProvider = NotesStringUtils.toLMBCS(token.getProviderUrl(), true);
    Memory memScope = NotesStringUtils.toLMBCS(token.getRequiredScope(), true);
    Memory memAud = NotesStringUtils.toLMBCS(token.getAud(), true);
    int dwFlags = DominoEnumUtil.toBitField(DominoOIDCTokenValidation.Flag.class, token.getFlags());
    
    // Check optional parameters to adjust flags and fill in a structure
    JwtValidateOptionalParamsStruct params = JwtValidateOptionalParamsStruct.newInstance();
    String customClaim = token.getCustomClaimName();
    if(customClaim != null && !customClaim.isEmpty()) {
      dwFlags |= NotesConstants.fJWT_validate_UseCustomEmailClaim;
      params.pszCustomClaimName = NotesStringUtils.toLMBCS(customClaim, true);
    }
    Predicate resourceValidator = token.getResourceValidator();
    if(resourceValidator != null) {
      dwFlags |= NotesConstants.fJWT_validate_AllowAlternateAud;
      params.allowedResource = pszAudience -> resourceValidator.test(NotesStringUtils.fromLMBCS(pszAudience, -1));
    }
    Predicate clientIdValidator = token.getClientIdValidator();
    if(clientIdValidator != null) {
      dwFlags |= NotesConstants.fJWT_validate_EnforceAllowedClients;
      params.allowedClientID = pAzp -> clientIdValidator.test(NotesStringUtils.fromLMBCS(pAzp, -1));
    }
    params.write();
    
    try(DisposableMemory memEmail = new DisposableMemory(NotesConstants.MAXUSERNAME)) {
      LongByReference duration = new LongByReference();
      
      Optional e = NotesErrorUtils.toNotesError(api.SECValidateAccessToken(
          memJwt,
          memProvider,
          memScope,
          memAud,
          dwFlags,
          params.getPointer(),
          NotesConstants.MAXUSERNAME,
          memEmail,
          duration
      ));
      if(e.isPresent()) {
        if(log.isLoggable(Level.INFO)) {
          log.log(Level.INFO, "Encountered exception validating OIDC token", e.get());
        }
        
        return Optional.empty();
      } else {
        String email = NotesStringUtils.fromLMBCS(memEmail, -1);
        // Map to the DN if available
        try(DominoClient client = DominoClientBuilder.newDominoClient().asIDUser().build()) {
          Optional>> fullName = client.openUserDirectory(null)
              .lookupUserValue(email, NotesConstants.MAIL_FULLNAME_ITEM);
          String dn = fullName.map(m -> m.get(NotesConstants.MAIL_FULLNAME_ITEM))
              .flatMap(l ->
                l.stream()
                  .map(String::valueOf)
                  .filter(s -> s != null && !s.isEmpty())
                  .findFirst()
               )
              .orElse(email);
          return Optional.of(dn);
        }
      }
    }
  }

}