Enforce scope claim as authorization bitmask

pom.xml

@@ -52,7 +52,7 @@
 
     <nukleus.plugin.version>0.33</nukleus.plugin.version>
 
-    <nukleus.oauth.spec.version>0.21</nukleus.oauth.spec.version>
+    <nukleus.oauth.spec.version>develop-SNAPSHOT</nukleus.oauth.spec.version>
     <reaktor.version>0.92</reaktor.version>
   </properties>
 

src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthElektron.java

@@ -23,6 +23,7 @@
 import java.util.function.ToLongFunction;
 
 import org.jose4j.jwk.JsonWebKey;
+import org.jose4j.jws.JsonWebSignature;
 import org.reaktivity.nukleus.Elektron;
 import org.reaktivity.nukleus.oauth.internal.stream.OAuthProxyFactoryBuilder;
 import org.reaktivity.nukleus.route.RouteKind;
@@ -34,7 +35,7 @@ final class OAuthElektron implements Elektron
 
     OAuthElektron(
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm)
+        ToLongFunction<JsonWebSignature> resolveRealm)
     {
         this.streamFactoryBuilders = singletonMap(PROXY, new OAuthProxyFactoryBuilder(supplyKey, resolveRealm));
     }

src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthNukleus.java

@@ -16,13 +16,17 @@
 package org.reaktivity.nukleus.oauth.internal;
 
 import java.nio.file.Path;
+import java.util.LinkedList;
+import java.util.List;
 
 import org.agrona.DirectBuffer;
 import org.agrona.MutableDirectBuffer;
 import org.agrona.collections.Int2ObjectHashMap;
 import org.reaktivity.nukleus.Nukleus;
 import org.reaktivity.nukleus.function.CommandHandler;
 import org.reaktivity.nukleus.function.MessageConsumer;
+import org.reaktivity.nukleus.oauth.internal.types.ListFW;
+import org.reaktivity.nukleus.oauth.internal.types.StringFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.ErrorFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.auth.ResolveFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.auth.ResolvedFW;
@@ -33,6 +37,8 @@ final class OAuthNukleus implements Nukleus
 {
     static final String NAME = "oauth";
 
+    public static final String[] EMPTY_STRING_ARRAY = new String[0];
+
     private final ResolveFW resolveRO = new ResolveFW();
     private final ResolvedFW.Builder resolvedRW = new ResolvedFW.Builder();
     private final UnresolveFW unresolveRO = new UnresolveFW();
@@ -81,7 +87,7 @@ public CommandHandler commandHandler(
     @Override
     public OAuthElektron supplyElektron()
     {
-        return new OAuthElektron(realms::supplyKey, realms::resolve);
+        return new OAuthElektron(realms::supplyKey, realms::lookup);
     }
 
     private void onResolve(
@@ -95,7 +101,11 @@ private void onResolve(
         final long correlationId = resolve.correlationId();
         final String realm = resolve.realm().asString();
 
-        long authorization = realms.resolve(realm);
+        final ListFW<StringFW> roles = resolve.roles();
+        final List<String> collectedRoles = new LinkedList<>();
+        roles.forEach(r -> collectedRoles.add(r.asString()));
+        final long authorization = realms.resolve(realm, collectedRoles.toArray(EMPTY_STRING_ARRAY));
+
         if (authorization != 0L)
         {
             final ResolvedFW resolved = resolvedRW.wrap(replyBuffer, 0, replyBuffer.capacity())

src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthRealms.java

@@ -28,19 +28,25 @@
 
 import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.JsonWebKeySet;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.lang.JoseException;
 import org.reaktivity.nukleus.internal.CopyOnWriteHashMap;
 
 public class OAuthRealms
 {
+    public static final String[] EMPTY_STRING_ARRAY = new String[0];
+
+    private static final String SCOPES_CLAIM = "scopes";
     private static final Long NO_AUTHORIZATION = 0L;
 
     // To optimize authorization checks we use a single distinct bit per realm
     private static final int MAX_REALMS = Short.SIZE;
 
     private static final long SCOPE_MASK = 0xFFFF_000000000000L;
 
-    private final Map<String, Long> realmsIdsByName = new CopyOnWriteHashMap<>();
+    private final Map<String, OAuthRealm> realmsIdsByName = new CopyOnWriteHashMap<>();
 
     private int nextRealmBitShift = 48;
 
@@ -66,7 +72,8 @@ public OAuthRealms(
     private OAuthRealms(
         Map<String, JsonWebKey> keysByKid)
     {
-        keysByKid.forEach((k, v) -> add(v.getKeyId()));
+        // Moved realm assignment from startup to the first RESOLVE call
+//        keysByKid.forEach((k, v) -> add(v.getKeyId()));
         this.keysByKid = keysByKid;
     }
 
@@ -77,13 +84,70 @@ public void add(
         {
             throw new IllegalStateException("Too many realms");
         }
-        realmsIdsByName.put(realm, 1L << nextRealmBitShift++);
+        realmsIdsByName.put(realm, new OAuthRealm(1L << nextRealmBitShift++));
     }
 
     public long resolve(
-        String realm)
+        String realm,
+        String[] scopes)
     {
-        return realmsIdsByName.getOrDefault(realm, NO_AUTHORIZATION);
+        // If realm doesn't exist, add it to realms
+        if(!realmsIdsByName.containsKey(realm))
+        {
+            add(realm);
+        }
+        final OAuthRealm realmObject = realmsIdsByName.get(realm);
+        if(realmObject == null)
+        {
+            return NO_AUTHORIZATION;
+        }
+        long realmBit = realmObject.realmBit;
+        // if not already there, add the scope to the map, assign each scope a bit
+        // which determines which low bit will be flipped if that scope is present
+        for (int i = 0; i < scopes.length; i++)
+        {
+            final String scope = scopes[i];
+            // check if scope's bit has been set and if scope can be added
+            if(!realmObject.scopeBitAssigned(scope) && !realmObject.supplyScopeBit(scope))
+            {
+                throw new IllegalStateException("Too many scopes");
+            }
+            final long bit = realmObject.getScopeBit(scope);
+            realmBit |= bit;
+        }
+        return realmBit;
+    }
+
+    public long lookup(
+        JsonWebSignature verified)
+    {
+        final String realmName = verified.getKeyIdHeaderValue();
+        try
+        {
+            final JwtClaims claims = JwtClaims.parse(verified.getPayload());
+            final Object scopeClaim = claims.getClaimValue(SCOPES_CLAIM);
+            final String[] roleNames = scopeClaim != null ?
+                    splitScopes(scopeClaim.toString())
+                    : EMPTY_STRING_ARRAY;
+            final OAuthRealm realm = realmsIdsByName.get(realmName);
+            if(realm == null)
+            {
+                return NO_AUTHORIZATION;
+            }
+            long authorizationBits = realm.realmBit;
+            for (int i = 0; i < roleNames.length; i++)
+            {
+                final String scope = roleNames[i];
+                final long bit = realm.getScopeBit(scope);
+                authorizationBits |= bit;
+            }
+            return authorizationBits;
+        }
+        catch (JoseException | InvalidJwtException e)
+        {
+            // TODO: diagnostics?
+            return NO_AUTHORIZATION;
+        }
     }
 
     public boolean unresolve(
@@ -97,7 +161,7 @@ public boolean unresolve(
         }
         else
         {
-            result = realmsIdsByName.entrySet().removeIf(e -> (e.getValue() == scope));
+            result = realmsIdsByName.entrySet().removeIf(e -> (e.getValue().realmBit == scope));
         }
         return result;
     }
@@ -108,6 +172,12 @@ public JsonWebKey supplyKey(
         return keysByKid.get(kid);
     }
 
+    private String[] splitScopes(
+            String scopes)
+    {
+        return scopes.split("\\s+");
+    }
+
     private static Map<String, JsonWebKey> parseKeyMap(
         Path keyFile)
     {
@@ -167,4 +237,40 @@ private static Map<String, JsonWebKey> toKeyMap(
 
         return keysByKid;
     }
+
+    private final class OAuthRealm
+    {
+        private static final int MAX_SCOPES = 48;
+
+        private final Map<String, Long> scopeBitsByName = new CopyOnWriteHashMap<>();
+
+        private long realmBit;
+        private long nextScopeBitShift;
+
+        private OAuthRealm(
+            long realmBit)
+        {
+            this.realmBit = realmBit;
+        }
+
+        private boolean scopeBitAssigned(
+            String scope)
+        {
+            return scopeBitsByName.containsKey(scope);
+        }
+
+        private boolean supplyScopeBit(
+            String scope)
+        {
+            // return true if not reach scope cap and scope bit >= 0
+            return scopeBitsByName.size() < MAX_SCOPES &&
+                   scopeBitsByName.computeIfAbsent(scope, s -> 1L << nextScopeBitShift++) >= 0;
+        }
+
+        private long getScopeBit(
+            String scope)
+        {
+            return scopeBitsByName.getOrDefault(scope, 0L);
+        }
+    }
 }

src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory.java

@@ -90,7 +90,7 @@ public class OAuthProxyFactory implements StreamFactory
     private final LongSupplier supplyTrace;
     private final LongUnaryOperator supplyReplyId;
     private final Function<String, JsonWebKey> supplyKey;
-    private final ToLongFunction<String> resolveRealm;
+    private final ToLongFunction<JsonWebSignature> resolveRealm;
     private final SignalingExecutor executor;
 
     private final Long2ObjectHashMap<OAuthProxy> correlations;
@@ -106,7 +106,7 @@ public OAuthProxyFactory(
         LongUnaryOperator supplyReplyId,
         Long2ObjectHashMap<OAuthProxy> correlations,
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm,
+        ToLongFunction<JsonWebSignature> resolveRealm,
         SignalingExecutor executor)
     {
         this.router = requireNonNull(router);
@@ -155,14 +155,12 @@ private MessageConsumer newInitialStream(
         long connectAuthorization = acceptAuthorization;
         if (verified != null)
         {
-            final String kid = verified.getKeyIdHeaderValue();
-            connectAuthorization = resolveRealm.applyAsLong(kid);
+            connectAuthorization = resolveRealm.applyAsLong(verified);
         }
 
         final long acceptRouteId = begin.routeId();
         final MessagePredicate filter = (t, b, o, l) -> true;
         final RouteFW route = router.resolve(acceptRouteId, connectAuthorization, filter, this::wrapRoute);
-
         MessageConsumer newStream = null;
 
         if (route != null)

src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactoryBuilder.java

@@ -15,28 +15,31 @@
  */
 package org.reaktivity.nukleus.oauth.internal.stream;
 
-import java.util.function.Function;
-import java.util.function.IntUnaryOperator;
-import java.util.function.LongFunction;
-import java.util.function.LongSupplier;
-import java.util.function.LongUnaryOperator;
-import java.util.function.Supplier;
-import java.util.function.ToLongFunction;
 
 import org.agrona.MutableDirectBuffer;
 import org.agrona.collections.Long2ObjectHashMap;
 import org.jose4j.jwk.JsonWebKey;
+import org.jose4j.jws.JsonWebSignature;
 import org.reaktivity.nukleus.buffer.BufferPool;
 import org.reaktivity.nukleus.concurrent.SignalingExecutor;
 import org.reaktivity.nukleus.oauth.internal.stream.OAuthProxyFactory.OAuthProxy;
 import org.reaktivity.nukleus.route.RouteManager;
 import org.reaktivity.nukleus.stream.StreamFactory;
 import org.reaktivity.nukleus.stream.StreamFactoryBuilder;
 
+import java.util.function.Function;
+import java.util.function.IntUnaryOperator;
+import java.util.function.LongFunction;
+import java.util.function.LongSupplier;
+import java.util.function.LongUnaryOperator;
+import java.util.function.Supplier;
+import java.util.function.ToLongFunction;
+
 public class OAuthProxyFactoryBuilder implements StreamFactoryBuilder
 {
     private final Function<String, JsonWebKey> supplyKey;
-    private final ToLongFunction<String> resolveRealm;
+    private final ToLongFunction<JsonWebSignature> resolveRealm;
+//    private final ToLongBiFunction<String, String[]> resolveRealm;
     private final Long2ObjectHashMap<OAuthProxy> correlations;
 
     private RouteManager router;
@@ -48,7 +51,8 @@ public class OAuthProxyFactoryBuilder implements StreamFactoryBuilder
 
     public OAuthProxyFactoryBuilder(
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm)
+        ToLongFunction<JsonWebSignature> resolveRealm)
+//        ToLongBiFunction<String, String[]> resolveRealm)
     {
         this.supplyKey = supplyKey;
         this.resolveRealm = resolveRealm;