All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.networknt.graphql.security.JwtVerifyHandler Maven / Gradle / Ivy

There is a newer version: 2.1.37
Show newest version
/*
 * Copyright (c) 2016 Network New Technologies Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * You may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.networknt.graphql.security;

import com.networknt.config.Config;
import com.networknt.graphql.common.GraphqlUtil;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.security.IJwtVerifyHandler;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.security.JwtVerifier;
import com.networknt.security.SecurityConfig;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * This is the JWT token verifier for GraphQL. Given there is no OpenAPI spec available for
 * scopes, we have to verify the scope just based on query and mutation which is read and write.
 *
 * Regarding to the authorization, GraphQL spec doesn't have anything built-in and it is
 * recommended to handle at the business logic layer. As we are trying to address the cross-cutting
 * concerns at middleware level within the framework, we don't want to inject anything extra into
 * the schema for authorization.
 *
 * @author Steve Hu
 *
 */
public class JwtVerifyHandler implements MiddlewareHandler, IJwtVerifyHandler {
    private static final Logger logger = LoggerFactory.getLogger(JwtVerifyHandler.class);

    private static final String GRAPHQL_SECURITY_CONFIG = "graphql-security";
    private static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    private static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    private static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    private static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    private static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    private static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    private static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";

    static SecurityConfig config;
    static JwtVerifier jwtVerifier;

    private volatile HttpHandler next;

    public JwtVerifyHandler() {
        config = SecurityConfig.load(GRAPHQL_SECURITY_CONFIG);
        jwtVerifier = new JwtVerifier(config);
        if(logger.isDebugEnabled()) logger.debug("JwtVerifyHandler is constructed");
    }

    @Override
    public void handleRequest(final HttpServerExchange exchange) throws Exception {
        String reqPath = exchange.getRequestPath();
        if(logger.isTraceEnabled()) logger.debug("handleRequest with request path {}", reqPath);
        // if request path is in the skipPathPrefixes in the config, call the next handler directly to skip the security check.
        if (config.getSkipPathPrefixes() != null && config.getSkipPathPrefixes().stream().anyMatch(reqPath::startsWith)) {
            if(logger.isTraceEnabled())
                logger.trace("Skip request path base on skipPathPrefixes for " + reqPath);
            Handler.next(exchange, next);
            if (logger.isDebugEnabled())
                logger.debug("JwtVerifyHandler.handleRequest ends.");
            return;
        }

        HeaderMap headerMap = exchange.getRequestHeaders();
        String authorization = headerMap.getFirst(Headers.AUTHORIZATION);
        String jwt = jwtVerifier.getTokenFromAuthorization(authorization);
        if(jwt != null) {
            try {
                JwtClaims claims = jwtVerifier.verifyJwt(jwt, false, true, null, reqPath, null);
                Map auditInfo = new HashMap<>();
                auditInfo.put(Constants.ENDPOINT_STRING, GraphqlUtil.config.getPath());
                String clientId = claims.getStringClaimValue(Constants.CLIENT_ID_STRING);
                // try to get the cid as some OAuth tokens name it as cid like Okta.
                if(clientId == null) clientId = claims.getStringClaimValue(Constants.CID_STRING);
                auditInfo.put(Constants.CLIENT_ID_STRING, clientId);
                String userId = claims.getStringClaimValue(Constants.USER_ID_STRING);
                // try to get the uid as some OAuth tokens name it as uid like Okta.
                if(userId == null) userId = claims.getStringClaimValue(Constants.UID_STRING);
                auditInfo.put(Constants.USER_ID_STRING, userId);
                auditInfo.put(Constants.SUBJECT_CLAIMS, claims);
                String callerId = headerMap.getFirst(HttpStringConstants.CALLER_ID);
                if(callerId != null) auditInfo.put(Constants.CALLER_ID_STRING, callerId);
                exchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
                if(config != null && config.isEnableVerifyScope()) {
                    // need a way to figure out this is query or mutation, is it possible to have multiple queries
                    // and mutations? If yes, then each one will have a scope with operation_name.r or operation_name.w


                    // is there a scope token
                    String scopeHeader = headerMap.getFirst(HttpStringConstants.SCOPE_TOKEN);
                    String scopeJwt = jwtVerifier.getTokenFromAuthorization(scopeHeader);
                    List secondaryScopes = null;
                    if(scopeJwt != null) {
                        try {
                            JwtClaims scopeClaims = jwtVerifier.verifyJwt(scopeJwt, false,  true, null, reqPath, null);
                            Object scopeClaim = scopeClaims.getClaimValue(Constants.SCOPE_STRING);
                            if(scopeClaim instanceof String) {
                                secondaryScopes = Arrays.asList(scopeClaims.getStringClaimValue(Constants.SCOPE_STRING).split(" "));
                            } else if(scopeClaim instanceof List) {
                                secondaryScopes = scopeClaims.getStringListClaimValue(Constants.SCOPE_STRING);
                            }
                            if(secondaryScopes == null || secondaryScopes.isEmpty()) {
                                // some IDPs like Okta and Microsoft call scope claim "scp" instead of "scope"
                                Object scpClaim = scopeClaims.getClaimValue(Constants.SCP_STRING);
                                if(scpClaim instanceof String) {
                                    secondaryScopes = Arrays.asList(scopeClaims.getStringClaimValue(Constants.SCP_STRING).split(" "));
                                } else if(scpClaim instanceof List) {
                                    secondaryScopes = scopeClaims.getStringListClaimValue(Constants.SCP_STRING);
                                }
                            }
                            auditInfo.put(Constants.SCOPE_CLIENT_ID_STRING, scopeClaims.getStringClaimValue(Constants.CLIENT_ID_STRING));
                            auditInfo.put(Constants.ACCESS_CLAIMS, scopeClaims);
                        } catch (InvalidJwtException | MalformedClaimException e) {
                            logger.error("InvalidJwtException", e);
                            setExchangeStatus(exchange, STATUS_INVALID_SCOPE_TOKEN);
                            return;
                        } catch (ExpiredTokenException e) {
                            logger.error("ExpiredTokenException", e);
                            setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_EXPIRED);
                            return;
                        }
                    }

                    // TODO find out which operation is accessed and what is the scope based one the convention.
                    List specScopes = null;

                    // validate scope
                    if (scopeHeader != null) {
                        if (secondaryScopes == null || !matchedScopes(secondaryScopes, specScopes)) {
                            setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, secondaryScopes, specScopes);
                            return;
                        }
                    } else {
                        // no scope token, verify scope from auth token.
                        List primaryScopes = null;
                        try {
                            Object scopeClaim = claims.getClaimValue(Constants.SCOPE_STRING);
                            if(scopeClaim instanceof String) {
                                primaryScopes = Arrays.asList(claims.getStringClaimValue(Constants.SCOPE_STRING).split(" "));
                            } else if(scopeClaim instanceof List) {
                                primaryScopes = claims.getStringListClaimValue(Constants.SCOPE_STRING);
                            }
                            if(primaryScopes == null || primaryScopes.isEmpty()) {
                                // some IDPs like Okta and Microsoft call scope claim "scp" instead of "scope"
                                Object scpClaim = claims.getClaimValue(Constants.SCP_STRING);
                                if(scpClaim instanceof String) {
                                    primaryScopes = Arrays.asList(claims.getStringClaimValue(Constants.SCP_STRING).split(" "));
                                } else if(scpClaim instanceof List) {
                                    primaryScopes = claims.getStringListClaimValue(Constants.SCP_STRING);
                                }
                            }
                        } catch (MalformedClaimException e) {
                            logger.error("MalformedClaimException", e);
                            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
                            return;
                        }
                        if (!matchedScopes(primaryScopes, specScopes)) {
                            setExchangeStatus(exchange, STATUS_AUTH_TOKEN_SCOPE_MISMATCH, primaryScopes, specScopes);
                            return;
                        }
                    }
                }
                Handler.next(exchange, next);
            } catch (InvalidJwtException e) {
                // only log it and unauthorized is returned.
                logger.error("InvalidJwtException: ", e);
                setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
            } catch (ExpiredTokenException e) {
                logger.error("ExpiredTokenException", e);
                setExchangeStatus(exchange, STATUS_AUTH_TOKEN_EXPIRED);
            }
        } else {
            setExchangeStatus(exchange, STATUS_MISSING_AUTH_TOKEN);
        }
    }

    protected boolean matchedScopes(List jwtScopes, List specScopes) {
        boolean matched = false;
        if(specScopes != null && specScopes.size() > 0) {
            if(jwtScopes != null && jwtScopes.size() > 0) {
                for(String scope: specScopes) {
                    if(jwtScopes.contains(scope)) {
                        matched = true;
                        break;
                    }
                }
            }
        } else {
            matched = true;
        }
        return matched;
    }

    @Override
    public HttpHandler getNext() {
        return next;
    }

    @Override
    public MiddlewareHandler setNext(final HttpHandler next) {
        Handlers.handlerNotNull(next);
        this.next = next;
        return this;
    }

    @Override
    public boolean isEnabled() {
        return config.isEnableVerifyJwt();
    }

    @Override
    public void register() {
        ModuleRegistry.registerModule(GRAPHQL_SECURITY_CONFIG, JwtVerifyHandler.class.getName(), Config.getNoneDecryptedInstance().getJsonMapConfigNoCache(GRAPHQL_SECURITY_CONFIG), null);
    }

    @Override
    public void reload() {
        config.reload(GRAPHQL_SECURITY_CONFIG);
        ModuleRegistry.registerModule(GRAPHQL_SECURITY_CONFIG, JwtVerifyHandler.class.getName(), Config.getNoneDecryptedInstance().getJsonMapConfigNoCache(GRAPHQL_SECURITY_CONFIG), null);
    }

    @Override
    public JwtVerifier getJwtVerifier() {
        return jwtVerifier;
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy