org.smallmind.web.oauth.v1.OAuthResource Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of web-oauth Show documentation
OAuth Client/Server
There is a newer version: 3.3.24
/*
 * Copyright (c) 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 David Berkman
 * 
 * This file is part of the SmallMind Code Project.
 * 
 * The SmallMind Code Project is free software, you can redistribute
 * it and/or modify it under either, at your discretion...
 * 
 * 1) The terms of GNU Affero General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or (at
 * your option) any later version.
 * 
 * ...or...
 * 
 * 2) The terms of the Apache License, Version 2.0.
 * 
 * The SmallMind Code Project is distributed in the hope that it will
 * be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License or Apache License for more details.
 * 
 * You should have received a copy of the GNU Affero General Public License
 * and the Apache License along with the SmallMind Code Project. If not, see
 *  or .
 * 
 * Additional permission under the GNU Affero GPL version 3 section 7
 * ------------------------------------------------------------------
 * If you modify this Program, or any covered work, by linking or
 * combining it with other code, such other code is not for that reason
 * alone subject to any of the requirements of the GNU Affero GPL
 * version 3.
 */
package org.smallmind.web.oauth.v1;

import java.net.URI;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import org.smallmind.nutsnbolts.http.HexCodec;
import org.smallmind.nutsnbolts.time.Duration;
import org.smallmind.scribe.pen.LoggerManager;
import org.smallmind.web.oauth.GrantType;
import org.smallmind.web.oauth.OAuthProtocolException;
import org.smallmind.web.oauth.ResponseType;
import org.smallmind.web.oauth.ServerAccessTokenRequest;
import org.smallmind.web.oauth.ServerAccessTokenResponse;
import org.smallmind.web.oauth.ServerAuthorizationRedirectResponse;
import org.smallmind.web.oauth.ServerAuthorizationRequest;
import org.smallmind.web.oauth.ServerErrorJsonResponse;
import org.smallmind.web.oauth.ServerErrorRedirectResponse;
import org.smallmind.web.oauth.ServerLoginRedirectRequest;
import org.smallmind.web.oauth.TokenType;

@Path("/v1/oauth")
public class OAuthResource {

  private OAuthConfiguration oauthConfiguration;

  @Context
  private HttpServletRequest request;

  public void setOauthConfiguration (OAuthConfiguration oauthConfiguration) {

    this.oauthConfiguration = oauthConfiguration;
  }

  private Response.ResponseBuilder crossSiteAnoint (Response.ResponseBuilder responseBuilder) {

    return responseBuilder.header("Access-Control-Allow-Origin", "*").header("Access-Control-Allow-Headers", "Origin, Content-Type, X-Requested-With");
  }

  @Path("/authorization")
  @GET
  @Produces(MediaType.APPLICATION_FORM_URLENCODED)
  public Response authorization () {

    ServerAuthorizationRequest serverAuthorizationRequest = null;

    try {

      serverAuthorizationRequest = new ServerAuthorizationRequest(request);
      OAuthRegistration oauthRegistration;

      if (!ResponseType.CODE.getParameter().equals(serverAuthorizationRequest.getResponseType())) {
        return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("unsupported_response_type").setErrorDescription("only 'code' response types are supported").setState(serverAuthorizationRequest.getState()).build())).build();
      } else if ((oauthRegistration = oauthConfiguration.getRegistrationMap().get(serverAuthorizationRequest.getClientId())) == null) {
        return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("unauthorized_client").setErrorDescription("unregistered client id").setState(serverAuthorizationRequest.getState()).build())).build();
      } else if ((!oauthRegistration.isUnsafeRedirection()) && (!oauthRegistration.getRedirectUri().equals(serverAuthorizationRequest.getRedirectUri()))) {
        return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("unauthorized_client").setErrorDescription("mismatching redirect uri").setState(serverAuthorizationRequest.getState()).build())).build();
      }

      JWTToken jwtToken = null;
      SSOAuthData ssoAuthData = null;
      String cookieValue = null;
      String userName = null;

      if ((serverAuthorizationRequest.getAuthData() != null) && (!serverAuthorizationRequest.getAuthData().isEmpty())) {
        try {
          ssoAuthData = MungedCodec.decrypt(SSOAuthData.class, cookieValue = serverAuthorizationRequest.getAuthData());
        } catch (Exception exception) {
          LoggerManager.getLogger(OAuthResource.class).error(exception);

          return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("server_error").setErrorDescription(exception.getMessage()).setState(serverAuthorizationRequest.getState()).build())).build();
        }
      } else {

        Cookie[] cookies;

        if (((cookies = request.getCookies()) != null) && (cookies.length > 0)) {
          for (Cookie cookie : request.getCookies()) {
            if (cookie.getName().equals(oauthConfiguration.getSsoCookieName())) {
              try {
                ssoAuthData = MungedCodec.decrypt(SSOAuthData.class, cookieValue = HexCodec.hexDecode(cookie.getValue()));
              } catch (Exception exception) {
                LoggerManager.getLogger(OAuthResource.class).error(exception);

                return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("server_error").setErrorDescription(exception.getMessage()).setState(serverAuthorizationRequest.getState()).build())).build();
              }
              break;
            }
          }
        }
      }

      if (ssoAuthData != null) {
        if (System.currentTimeMillis() - ssoAuthData.getCreated() <= oauthConfiguration.getOauthProtocolLeaseDuration().toMilliseconds()) {
          try {
            jwtToken = oauthConfiguration.getSecretService().validate(userName = ssoAuthData.getUser(), ssoAuthData.getPassword());
          } catch (Exception exception) {
            LoggerManager.getLogger(OAuthResource.class).error(exception);

            return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("server_error").setErrorDescription(exception.getMessage()).setState(serverAuthorizationRequest.getState()).build())).build();
          }
        }
      }

      if (jwtToken == null) {

        String loginUri;

        return Response.status(Response.Status.FOUND).location(URI.create(ServerLoginRedirectRequest.loginUri(((loginUri = serverAuthorizationRequest.getLoginUri()) != null) ? loginUri : oauthRegistration.getLoginUri()).setAuthorizationUri(oauthRegistration.getOauthUri()).setUserName(userName).setResponseType(serverAuthorizationRequest.getResponseType()).setClientId(serverAuthorizationRequest.getClientId()).setRedirectUri(serverAuthorizationRequest.getRedirectUri()).setState(serverAuthorizationRequest.getState()).build())).build();
      } else {

        String code;

        jwtToken.setSub(serverAuthorizationRequest.getClientId());
        jwtToken.setExp(System.currentTimeMillis() / 1000);

        try {
          code = JWTCodec.encode(jwtToken, oauthRegistration.getSecret());
        } catch (Exception exception) {
          LoggerManager.getLogger(OAuthResource.class).error(exception);

          return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("server_error").setErrorDescription(exception.getMessage()).setState(serverAuthorizationRequest.getState()).build())).build();
        }

        return Response.status(Response.Status.FOUND).cookie(new NewCookie(oauthConfiguration.getSsoCookieName(), HexCodec.hexEncode(cookieValue))).location(URI.create(ServerAuthorizationRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setCode(code).setState(serverAuthorizationRequest.getState()).build())).build();
      }
    } catch (OAuthProtocolException oauthProtocolException) {
      LoggerManager.getLogger(OAuthResource.class).error(oauthProtocolException);

      if (serverAuthorizationRequest != null) {

        return Response.status(Response.Status.FOUND).location(URI.create(ServerErrorRedirectResponse.redirectUri(serverAuthorizationRequest.getRedirectUri()).setError("server_error").setErrorDescription(oauthProtocolException.getMessage()).setState(serverAuthorizationRequest.getState()).build())).build();
      }

      return null;
    }
  }

  @Path("/token")
  @OPTIONS
  public Response options () {

    return crossSiteAnoint(Response.status(Response.Status.OK)).build();
  }

  @Path("/token")
  @POST
  @Produces(MediaType.APPLICATION_JSON)
  public Response token () {

    ServerAccessTokenRequest serverAccessTokenRequest;

    try {
      serverAccessTokenRequest = new ServerAccessTokenRequest(request);
      OAuthRegistration oauthRegistration;

      if ((oauthRegistration = oauthConfiguration.getRegistrationMap().get(serverAccessTokenRequest.getClientId())) == null) {
        return crossSiteAnoint(Response.status(Response.Status.BAD_REQUEST)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("unregistered client id").build()).type(MediaType.APPLICATION_JSON).build();
      } else if ((!oauthRegistration.isUnsafeRedirection()) && (!oauthRegistration.getRedirectUri().equals(serverAccessTokenRequest.getRedirectUri()))) {
        return crossSiteAnoint(Response.status(Response.Status.UNAUTHORIZED)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("mismatching redirect uri").build()).type(MediaType.APPLICATION_JSON).build();
      }

      if (oauthRegistration.getSecret() != null) {
        try {
          if (!oauthRegistration.getSecret().equals(MungedCodec.decrypt(String.class, serverAccessTokenRequest.getClientSecret()))) {
            return crossSiteAnoint(Response.status(Response.Status.UNAUTHORIZED)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("failed client application authentication").build()).type(MediaType.APPLICATION_JSON).build();
          }
        } catch (Exception exception) {
          LoggerManager.getLogger(OAuthResource.class).error(exception);

          return crossSiteAnoint(Response.status(Response.Status.BAD_REQUEST)).entity(ServerErrorJsonResponse.instance().setError("server_error").setErrorDescription(exception.getMessage()).build()).type(MediaType.APPLICATION_JSON).build();
        }
      }

      if (GrantType.AUTHORIZATION_CODE.getParameter().equals(serverAccessTokenRequest.getGrantType())) {

        JWTToken jwtToken;

        try {
          jwtToken = (JWTToken)JWTCodec.decode(serverAccessTokenRequest.getCode(), serverAccessTokenRequest.getClientSecret(), oauthConfiguration.getSecretService().getSecretClass());
        } catch (Exception exception) {
          LoggerManager.getLogger(OAuthResource.class).error(exception);

          return crossSiteAnoint(Response.status(Response.Status.UNAUTHORIZED)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("could not parse code").build()).type(MediaType.APPLICATION_JSON).build();
        }

        if (!jwtToken.getSub().equals(serverAccessTokenRequest.getClientId())) {

          return crossSiteAnoint(Response.status(Response.Status.UNAUTHORIZED)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("code does not belong to this client").build()).type(MediaType.APPLICATION_JSON).build();
        }
        if (System.currentTimeMillis() - (jwtToken.getExp() * 1000) > oauthConfiguration.getOauthTokenGrantDuration().toMilliseconds()) {

          return crossSiteAnoint(Response.status(Response.Status.UNAUTHORIZED)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("stale code").build()).type(MediaType.APPLICATION_JSON).build();
        }

        return emitAccessToken(jwtToken, oauthConfiguration.getOauthTokenGrantDuration(), serverAccessTokenRequest.getClientSecret());
      } else if (GrantType.REFRESH_TOKEN.getParameter().equals(serverAccessTokenRequest.getGrantType())) {

        JWTToken jwtToken;

        try {
          jwtToken = (JWTToken)JWTCodec.decode(serverAccessTokenRequest.getRefreshToken(), serverAccessTokenRequest.getClientSecret(), oauthConfiguration.getSecretService().getSecretClass());
        } catch (Exception exception) {
          LoggerManager.getLogger(OAuthResource.class).error(exception);

          return crossSiteAnoint(Response.status(Response.Status.UNAUTHORIZED)).entity(ServerErrorJsonResponse.instance().setError("invalid_client").setErrorDescription("could not parse refresh token").build()).type(MediaType.APPLICATION_JSON).build();
        }

        return emitAccessToken(jwtToken, oauthConfiguration.getOauthTokenGrantDuration(), serverAccessTokenRequest.getClientSecret());
      } else {

        return crossSiteAnoint(Response.status(Response.Status.BAD_REQUEST)).entity(ServerErrorJsonResponse.instance().setError("unsupported_grant_type").setErrorDescription("only 'authorization_code' and 'refresh_token' grant types are supported").build()).type(MediaType.APPLICATION_JSON).build();
      }
    } catch (OAuthProtocolException oauthProtocolException) {
      LoggerManager.getLogger(OAuthResource.class).error(oauthProtocolException);

      return crossSiteAnoint(Response.status(Response.Status.BAD_REQUEST)).entity(ServerErrorJsonResponse.instance().setError("server_error").setErrorDescription(oauthProtocolException.getMessage()).build()).type(MediaType.APPLICATION_JSON).build();
    }
  }

  private Response emitAccessToken (JWTToken jwtToken, Duration grantDuration, String key)
    throws OAuthProtocolException {

    String accessToken;
    String refreshToken;
    long now = System.currentTimeMillis();

    try {
      jwtToken.setExp((now + grantDuration.toMilliseconds()) / 1000);
      accessToken = JWTCodec.encode(jwtToken, key);
      jwtToken.setExp(now / 1000);
      refreshToken = JWTCodec.encode(jwtToken, key);
    } catch (Exception exception) {
      LoggerManager.getLogger(OAuthResource.class).error(exception);

      return crossSiteAnoint(Response.status(Response.Status.BAD_REQUEST)).entity(ServerErrorJsonResponse.instance().setError("server_error").setErrorDescription(exception.getMessage()).build()).type(MediaType.APPLICATION_JSON).build();
    }

    return crossSiteAnoint(Response.ok(ServerAccessTokenResponse.instance().setTokenType(TokenType.BEARER.getParameter()).setAccessToken(accessToken).setRefreshToken(refreshToken).setExpiresIn(String.valueOf(oauthConfiguration.getOauthTokenGrantDuration().getTimeUnit().toSeconds(oauthConfiguration.getOauthTokenGrantDuration().getTime()))).build(), MediaType.APPLICATION_JSON)).build();
  }
}