Enforce scope claim as authorization bitmask

pom.xml

@@ -52,7 +52,7 @@
 
     <nukleus.plugin.version>0.33</nukleus.plugin.version>
 
-    <nukleus.oauth.spec.version>0.21</nukleus.oauth.spec.version>
+    <nukleus.oauth.spec.version>0.22</nukleus.oauth.spec.version>
     <reaktor.version>0.92</reaktor.version>
   </properties>
 

src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthElektron.java

@@ -23,6 +23,7 @@
 import java.util.function.ToLongFunction;
 
 import org.jose4j.jwk.JsonWebKey;
+import org.jose4j.jws.JsonWebSignature;
 import org.reaktivity.nukleus.Elektron;
 import org.reaktivity.nukleus.oauth.internal.stream.OAuthProxyFactoryBuilder;
 import org.reaktivity.nukleus.route.RouteKind;
@@ -34,7 +35,7 @@ final class OAuthElektron implements Elektron
 
     OAuthElektron(
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm)
+        ToLongFunction<JsonWebSignature> resolveRealm)
     {
         this.streamFactoryBuilders = singletonMap(PROXY, new OAuthProxyFactoryBuilder(supplyKey, resolveRealm));
     }

src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthNukleus.java

@@ -16,13 +16,17 @@
 package org.reaktivity.nukleus.oauth.internal;
 
 import java.nio.file.Path;
+import java.util.LinkedList;
+import java.util.List;
 
 import org.agrona.DirectBuffer;
 import org.agrona.MutableDirectBuffer;
 import org.agrona.collections.Int2ObjectHashMap;
 import org.reaktivity.nukleus.Nukleus;
 import org.reaktivity.nukleus.function.CommandHandler;
 import org.reaktivity.nukleus.function.MessageConsumer;
+import org.reaktivity.nukleus.oauth.internal.types.ListFW;
+import org.reaktivity.nukleus.oauth.internal.types.StringFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.ErrorFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.auth.ResolveFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.auth.ResolvedFW;
@@ -33,6 +37,8 @@ final class OAuthNukleus implements Nukleus
 {
     static final String NAME = "oauth";
 
+    private static final String[] EMPTY_STRING_ARRAY = new String[0];
+
     private final ResolveFW resolveRO = new ResolveFW();
     private final ResolvedFW.Builder resolvedRW = new ResolvedFW.Builder();
     private final UnresolveFW unresolveRO = new UnresolveFW();
@@ -81,7 +87,7 @@ public CommandHandler commandHandler(
     @Override
     public OAuthElektron supplyElektron()
     {
-        return new OAuthElektron(realms::supplyKey, realms::resolve);
+        return new OAuthElektron(realms::supplyKey, realms::lookup);
     }
 
     private void onResolve(
@@ -95,7 +101,11 @@ private void onResolve(
         final long correlationId = resolve.correlationId();
         final String realm = resolve.realm().asString();
 
-        long authorization = realms.resolve(realm);
+        final ListFW<StringFW> roles = resolve.roles();
+        final List<String> collectedRoles = new LinkedList<>();
+        roles.forEach(r -> collectedRoles.add(r.asString()));
+        final long authorization = realms.resolve(realm, collectedRoles.toArray(EMPTY_STRING_ARRAY));
+
         if (authorization != 0L)
         {
             final ResolvedFW resolved = resolvedRW.wrap(replyBuffer, 0, replyBuffer.capacity())

src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthRealms.java

@@ -28,21 +28,26 @@
 
 import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.JsonWebKeySet;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.lang.JoseException;
 import org.reaktivity.nukleus.internal.CopyOnWriteHashMap;
 
 public class OAuthRealms
 {
+    private static final String[] EMPTY_STRING_ARRAY = new String[0];
+    private static final String SCOPE_CLAIM = "scope";
     private static final Long NO_AUTHORIZATION = 0L;
 
-    // To optimize authorization checks we use a single distinct bit per realm
+    // To optimize authorization checks we use a single distinct bit per realm and per scope
     private static final int MAX_REALMS = Short.SIZE;
 
-    private static final long SCOPE_MASK = 0xFFFF_000000000000L;
+    private static final long REALM_MASK = 0xFFFF_000000000000L;
 
-    private final Map<String, Long> realmsIdsByName = new CopyOnWriteHashMap<>();
+    private final Map<String, OAuthRealm> realmsIdsByName = new CopyOnWriteHashMap<>();
 
-    private int nextRealmBitShift = 48;
+    private int nextRealmBit = 0;
 
     private final Map<String, JsonWebKey> keysByKid;
 
@@ -66,40 +71,56 @@ public OAuthRealms(
     private OAuthRealms(
         Map<String, JsonWebKey> keysByKid)
     {
-        keysByKid.forEach((k, v) -> add(v.getKeyId()));
         this.keysByKid = keysByKid;
     }
 
-    public void add(
-        String realm)
+    public long resolve(
+        String realmName,
+        String[] scopeNames)
     {
-        if (realmsIdsByName.size() == MAX_REALMS)
+        long authorization = NO_AUTHORIZATION;
+        if(nextRealmBit < MAX_REALMS)
         {
-            throw new IllegalStateException("Too many realms");
+            final OAuthRealm realm = realmsIdsByName.computeIfAbsent(realmName, OAuthRealm::new);
+            authorization = realm.resolve(scopeNames);
         }
-        realmsIdsByName.put(realm, 1L << nextRealmBitShift++);
+        return authorization;
     }
-
     public long resolve(
-        String realm)
+        String realmName)
     {
-        return realmsIdsByName.getOrDefault(realm, NO_AUTHORIZATION);
+        return resolve(realmName, EMPTY_STRING_ARRAY);
     }
 
-    public boolean unresolve(
-        long authorization)
+    public long lookup(
+        JsonWebSignature verified)
     {
-        long scope = authorization & SCOPE_MASK;
-        boolean result;
-        if (Long.bitCount(scope) > 1)
-        {
-            result = false;
-        }
-        else
+        final OAuthRealm realm = realmsIdsByName.get(verified.getKeyIdHeaderValue());
+        long authorization = NO_AUTHORIZATION;
+        if(realm != null)
         {
-            result = realmsIdsByName.entrySet().removeIf(e -> (e.getValue() == scope));
+            try
+            {
+                final JwtClaims claims = JwtClaims.parse(verified.getPayload());
+                final Object scopeClaim = claims.getClaimValue(SCOPE_CLAIM);
+                final String[] scopeNames = scopeClaim != null ?
+                        scopeClaim.toString().split("\\s+")
+                        : EMPTY_STRING_ARRAY;
+                authorization = realm.lookup(scopeNames);
+            }
+            catch (JoseException | InvalidJwtException e)
+            {
+                // TODO: diagnostics?
+            }
         }
-        return result;
+        return authorization;
+    }
+
+    public boolean unresolve(
+        long authorization)
+    {
+        final long realmId = authorization & REALM_MASK;
+        return Long.bitCount(realmId) <= 1 && realmsIdsByName.entrySet().removeIf(e -> e.getValue().realmId == realmId);
     }
 
     public JsonWebKey supplyKey(
@@ -167,4 +188,63 @@ private static Map<String, JsonWebKey> toKeyMap(
 
         return keysByKid;
     }
+
+    private final class OAuthRealm
+    {
+        private static final int MAX_SCOPES = 48;
+
+        private final Map<String, Long> scopeBitsByName = new CopyOnWriteHashMap<>();
+
+        private final long realmId;
+        private final String realmName;
+
+        private long nextScopeBit;
+
+        private OAuthRealm(
+            String realmName)
+        {
+            assert nextRealmBit < MAX_REALMS;
+            this.realmName = realmName;
+            this.realmId = 1L << nextRealmBit++ << MAX_SCOPES;
+        }
+
+        private long resolve(
+            String[] scopeNames)
+        {
+            long authorization = NO_AUTHORIZATION;
+            if(nextScopeBit + scopeNames.length < MAX_SCOPES)
+            {
+                authorization = realmId;
+                for (int i = 0; i < scopeNames.length; i++)
+                {
+                    authorization |= scopeBitsByName.computeIfAbsent(scopeNames[i], this::assignScopeBit);
+                }
+            }
+            return authorization;
+        }
+
+        private long lookup(
+            String[] scopeNames)
+        {
+            long authorization = realmId;
+            for (int i = 0; i < scopeNames.length; i++)
+            {
+                authorization |= scopeBitsByName.getOrDefault(scopeNames[i], 0L);
+            }
+            return authorization;
+        }
+
+        private long assignScopeBit(
+            String scopeName)
+        {
+            assert nextScopeBit < MAX_SCOPES;
+            return 1L << nextScopeBit++;
+        }
+
+        @Override
+        public String toString()
+        {
+            return String.format("Realm name: %s\n\tRealm id: %s\n\tScope bits: %s", realmName, realmId, scopeBitsByName);
+        }
+    }
 }

src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory.java

@@ -90,7 +90,7 @@ public class OAuthProxyFactory implements StreamFactory
     private final LongSupplier supplyTrace;
     private final LongUnaryOperator supplyReplyId;
     private final Function<String, JsonWebKey> supplyKey;
-    private final ToLongFunction<String> resolveRealm;
+    private final ToLongFunction<JsonWebSignature> resolveRealm;
     private final SignalingExecutor executor;
 
     private final Long2ObjectHashMap<OAuthProxy> correlations;
@@ -106,7 +106,7 @@ public OAuthProxyFactory(
         LongUnaryOperator supplyReplyId,
         Long2ObjectHashMap<OAuthProxy> correlations,
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm,
+        ToLongFunction<JsonWebSignature> resolveRealm,
         SignalingExecutor executor)
     {
         this.router = requireNonNull(router);
@@ -155,14 +155,12 @@ private MessageConsumer newInitialStream(
         long connectAuthorization = acceptAuthorization;
         if (verified != null)
         {
-            final String kid = verified.getKeyIdHeaderValue();
-            connectAuthorization = resolveRealm.applyAsLong(kid);
+            connectAuthorization = resolveRealm.applyAsLong(verified);
         }
 
         final long acceptRouteId = begin.routeId();
         final MessagePredicate filter = (t, b, o, l) -> true;
         final RouteFW route = router.resolve(acceptRouteId, connectAuthorization, filter, this::wrapRoute);
-
         MessageConsumer newStream = null;
 
         if (route != null)

src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactoryBuilder.java

@@ -26,6 +26,7 @@
 import org.agrona.MutableDirectBuffer;
 import org.agrona.collections.Long2ObjectHashMap;
 import org.jose4j.jwk.JsonWebKey;
+import org.jose4j.jws.JsonWebSignature;
 import org.reaktivity.nukleus.buffer.BufferPool;
 import org.reaktivity.nukleus.concurrent.SignalingExecutor;
 import org.reaktivity.nukleus.oauth.internal.stream.OAuthProxyFactory.OAuthProxy;
@@ -36,7 +37,7 @@
 public class OAuthProxyFactoryBuilder implements StreamFactoryBuilder
 {
     private final Function<String, JsonWebKey> supplyKey;
-    private final ToLongFunction<String> resolveRealm;
+    private final ToLongFunction<JsonWebSignature> resolveRealm;
     private final Long2ObjectHashMap<OAuthProxy> correlations;
 
     private RouteManager router;
@@ -48,7 +49,7 @@ public class OAuthProxyFactoryBuilder implements StreamFactoryBuilder
 
     public OAuthProxyFactoryBuilder(
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm)
+        ToLongFunction<JsonWebSignature> resolveRealm)
     {
         this.supplyKey = supplyKey;
         this.resolveRealm = resolveRealm;