
io.vertx.serviceproxy.impl.AuthorizationInterceptorImpl Maven / Gradle / Ivy

/*
 * Copyright 2021 Red Hat, Inc.
 *
 *  All rights reserved. This program and the accompanying materials
 *  are made available under the terms of the Eclipse Public License v1.0
 *  and Apache License v2.0 which accompanies this distribution.
 *
 *  The Eclipse Public License is available at
 *  http://www.eclipse.org/legal/epl-v10.html
 *
 *  The Apache License v2.0 is available at
 *  http://www.opensource.org/licenses/apache2.0.php
 *
 *  You may elect to redistribute this code under either of these licenses.
 */
package io.vertx.serviceproxy.impl;

import io.vertx.core.Future;
import io.vertx.core.Vertx;
import io.vertx.core.eventbus.Message;
import io.vertx.core.eventbus.ReplyException;
import io.vertx.core.eventbus.ReplyFailure;
import io.vertx.core.impl.ContextInternal;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authorization.Authorization;
import io.vertx.ext.auth.authorization.AuthorizationContext;
import io.vertx.ext.auth.authorization.AuthorizationProvider;
import io.vertx.serviceproxy.AuthorizationInterceptor;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;

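/**
 * Event bus service interceptor that checks a set of required {@link Authorization}s against the
 * {@link User} stored under the {@code "user"} key of the interceptor context.
 *
 * <p>Security note: the check is enforced only when a {@code "user"} entry is present and at least
 * one authorization has been configured. In every other case the message is passed on unchanged,
 * so this interceptor fails open on its own. It has to run after something that puts the
 * authenticated user into the context and rejects unauthenticated messages.
 *
 * <p>The authorization set is a plain mutable field with no synchronization, and it is iterated
 * while a message is processed. NOTE(review): configure it before the interceptor starts
 * handling messages; confirm whether callers ever change it afterwards.
 */
public class AuthorizationInterceptorImpl implements AuthorizationInterceptor {
  private final AuthorizationProvider authorizationProvider;

  // Required authorizations; null until setAuthorizations/addAuthorization is called.
  private Set<Authorization> authorizations;

  /**
   * Creates an interceptor that uses the given provider to load a user's authorizations.
   *
   * @param authorizationProvider provider queried for each user before matching
   */
  public AuthorizationInterceptorImpl(AuthorizationProvider authorizationProvider) {
    this.authorizationProvider = authorizationProvider;
  }

  /**
   * Set the authorities required by the service. Every one of them must match the user, otherwise
   * the message is rejected with failure code 403.
   *
   * <p>The set is stored by reference, not copied, so later changes made by the caller are visible
   * here. Passing {@code null} or an empty set disables the check entirely.
   *
   * @param authorizations set of authorities
   * @return self
   */
  @Override
  public AuthorizationInterceptorImpl setAuthorizations(Set<Authorization> authorizations) {
    this.authorizations = authorizations;
    return this;
  }

  /**
   * Add a single authority to the authorities set, creating the set on first use.
   *
   * @param authorization authority
   * @return self
   */
  @Override
  public AuthorizationInterceptorImpl addAuthorization(Authorization authorization) {
    if (authorizations == null) {
      authorizations = new HashSet<>();
    }
    authorizations.add(authorization);
    return this;
  }

  /**
   * Checks the configured authorizations against the user in the interceptor context.
   *
   * @param vertx              Vert.x instance used to obtain the context the futures are created on
   * @param interceptorContext shared interceptor state; the user is read from the {@code "user"} key
   * @param body               the intercepted message
   * @return a future completed with {@code body} when the check passes or is skipped, or failed
   *         with a {@link ReplyException} carrying code 403 (an authorization did not match) or
   *         500 (the provider failed)
   */
  @Override
  public Future<Message<JsonObject>> intercept(Vertx vertx, Map<String, Object> interceptorContext,
                                               Message<JsonObject> body) {
    final ContextInternal vertxContext = (ContextInternal) vertx.getOrCreateContext();
    // No user in the context: nothing upstream attached one, so the message passes unchecked.
    // NOTE(review): fail-open. Confirm that an authentication interceptor is always registered
    // ahead of this one and rejects messages that carry no valid user.
    if (!interceptorContext.containsKey("user")) {
      return vertxContext.succeededFuture(body);
    }
    // No required authorizations configured: every message with a user is accepted.
    if (authorizations == null || authorizations.isEmpty()) {
      return vertxContext.succeededFuture(body);
    }
    // NOTE(review): the cast throws synchronously if the entry is not a User, and a null value
    // passes containsKey() and reaches the provider as null.
    User user = (User) interceptorContext.get("user");
    // The provider's result is discarded; presumably the call loads the authorizations onto the
    // user object so that the match below can see them (verify against the provider).
    return authorizationProvider.getAuthorizations(user)
      // NOTE(review): the provider's error message is returned to the caller in the 500 reply;
      // check that it cannot expose internal details.
      .recover(err -> vertxContext.failedFuture(
        new ReplyException(ReplyFailure.RECIPIENT_FAILURE, 500, err.getMessage())))
      .compose(voidResult -> {
        AuthorizationContext userAuthorizationContext = AuthorizationContext.create(user);
        for (Authorization authorization : authorizations) {
          // A single required authorization that does not match rejects the message.
          if (!authorization.match(userAuthorizationContext)) {
            return vertxContext.failedFuture(new ReplyException(ReplyFailure.RECIPIENT_FAILURE, 403, "Forbidden"));
          }
        }
        // all authorities have passed
        return vertxContext.succeededFuture(body);
      });
  }
}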



