reaktivity · jfallows · Jun 11, 2019 · May 25, 2019 · May 28, 2019 · May 29, 2019
diff --git a/pom.xml b/pom.xml
@@ -52,7 +52,7 @@
 
     <nukleus.plugin.version>0.33</nukleus.plugin.version>
 
-    <nukleus.oauth.spec.version>0.21</nukleus.oauth.spec.version>
+    <nukleus.oauth.spec.version>develop-SNAPSHOT</nukleus.oauth.spec.version>
     <reaktor.version>0.92</reaktor.version>
   </properties>
 

diff --git a/src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthElektron.java b/src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthElektron.java
@@ -20,7 +20,7 @@
 
 import java.util.Map;
 import java.util.function.Function;
-import java.util.function.ToLongFunction;
+import java.util.function.ToLongBiFunction;
 
 import org.jose4j.jwk.JsonWebKey;
 import org.reaktivity.nukleus.Elektron;
@@ -34,7 +34,7 @@ final class OAuthElektron implements Elektron
 
     OAuthElektron(
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm)
+        ToLongBiFunction<String, String[]> resolveRealm)
     {
         this.streamFactoryBuilders = singletonMap(PROXY, new OAuthProxyFactoryBuilder(supplyKey, resolveRealm));
     }

diff --git a/src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthNukleus.java b/src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthNukleus.java
@@ -23,6 +23,8 @@
 import org.reaktivity.nukleus.Nukleus;
 import org.reaktivity.nukleus.function.CommandHandler;
 import org.reaktivity.nukleus.function.MessageConsumer;
+import org.reaktivity.nukleus.oauth.internal.types.ListFW;
+import org.reaktivity.nukleus.oauth.internal.types.StringFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.ErrorFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.auth.ResolveFW;
 import org.reaktivity.nukleus.oauth.internal.types.control.auth.ResolvedFW;
@@ -95,7 +97,19 @@ private void onResolve(
         final long correlationId = resolve.correlationId();
         final String realm = resolve.realm().asString();
 
-        long authorization = realms.resolve(realm);
+        final ListFW<StringFW> rolesRO = resolve.roles();
+        final long authorization;
+        if(rolesRO.isEmpty())
+        {
+            authorization = realms.resolveAndPutIfAbsent(realm, null);
+        }
+        else
+        {
+            final StringBuilder rolesBuilder = new StringBuilder();
+            rolesRO.forEach(role -> rolesBuilder.append(role.asString()).append(" "));
+            authorization = realms.resolveAndPutIfAbsent(realm, rolesBuilder.toString().split("\\s+"));
+        }
+
         if (authorization != 0L)
         {
             final ResolvedFW resolved = resolvedRW.wrap(replyBuffer, 0, replyBuffer.capacity())

diff --git a/src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthRealms.java b/src/main/java/org/reaktivity/nukleus/oauth/internal/OAuthRealms.java
@@ -22,9 +22,7 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.Collections;
-import java.util.LinkedHashMap;
-import java.util.Map;
+import java.util.*;
 
 import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.JsonWebKeySet;
@@ -40,7 +38,7 @@ public class OAuthRealms
 
     private static final long SCOPE_MASK = 0xFFFF_000000000000L;
 
-    private final Map<String, Long> realmsIdsByName = new CopyOnWriteHashMap<>();
+    private final Map<String, OAuthRealmObject> realmsIdsByName = new CopyOnWriteHashMap<>();
 
     private int nextRealmBitShift = 48;
 
@@ -77,13 +75,66 @@ public void add(
         {
             throw new IllegalStateException("Too many realms");
         }
-        realmsIdsByName.put(realm, 1L << nextRealmBitShift++);
+        realmsIdsByName.put(realm, new OAuthRealmObject(1L << nextRealmBitShift++));
+    }
+
+    public long resolveAndPutIfAbsent(
+        String realm,
+        String[] scopes)
+    {
+        final OAuthRealmObject realmObject = realmsIdsByName.get(realm);
+        if(realmObject == null)
+        {
+            return NO_AUTHORIZATION;
+        }
+        long realmBit = realmObject.realmBit;
+        if(scopes == null || scopes.length <= 0)
+        {
+            return realmBit;
+        }
+        // if not already there, add the scope to the map, assign each scope a bit
+        // which determines which low bit will be flipped if that scope is present
+        for (int i = 0; i < scopes.length; i++)
+        {
+            final String scope = scopes[i];
+            // check if scope's bit has been set and if scope can be added
+            if(!realmObject.scopeBitAssigned(scope) && !realmObject.addScopeBit(scope))
+            {
+                throw new IllegalStateException("Too many scopes");
+            }
+            final long bit = realmObject.getScopeBit(scope);
+            if(bit >= 0)
+            {
+                realmBit |= bit;
+            }
+        }
+        return realmBit;
     }
 
     public long resolve(
-        String realm)
+        String realm,
+        String[] scopes)
     {
-        return realmsIdsByName.getOrDefault(realm, NO_AUTHORIZATION);
+        final OAuthRealmObject realmObject = realmsIdsByName.get(realm);
+        if(realmObject == null)
+        {
+             return NO_AUTHORIZATION;
+        }
+        long authorizationBits = realmObject.realmBit;
+        if(scopes == null || scopes.length <= 0)
+        {
+            return authorizationBits;
+        }
+        for (int i = 0; i < scopes.length; i++)
+        {
+            final String scope = scopes[i];
+            final long bit = realmObject.getScopeBit(scope);
+            if(bit >= 0)
+            {
+                authorizationBits |= bit;
+            }
+        }
+        return authorizationBits;
     }
 
     public boolean unresolve(
@@ -97,7 +148,7 @@ public boolean unresolve(
         }
         else
         {
-            result = realmsIdsByName.entrySet().removeIf(e -> (e.getValue() == scope));
+            result = realmsIdsByName.entrySet().removeIf(e -> (e.getValue().realmBit == scope));
         }
         return result;
     }
@@ -167,4 +218,43 @@ private static Map<String, JsonWebKey> toKeyMap(
 
         return keysByKid;
     }
+
+    private final class OAuthRealmObject
+    {
+        private static final int MAX_SCOPES = 48;
+
+        private final Map<String, Long> scopeBitsByName = new CopyOnWriteHashMap<>();
+
+        private long realmBit;
+        private long nextScopeBitShift;
+
+        private OAuthRealmObject(long realmBit)
+        {
+            this.realmBit = realmBit;
+        }
+
+        private boolean scopeBitAssigned(
+            String scope)
+        {
+            return scopeBitsByName.containsKey(scope);
+        }
+
+        private boolean addScopeBit(
+            String scope)
+        {
+            final long nextScopeBit = scopeBitsByName.size() < MAX_SCOPES ? (1L << nextScopeBitShift++) : -1;
+            if(nextScopeBit < 0)
+            {
+                return false;
+            }
+            scopeBitsByName.put(scope, nextScopeBit);
+            return true;
+        }
+
+        private long getScopeBit(
+            String scope)
+        {
+            return scopeBitsByName.getOrDefault(scope, -1L);
+        }
+    }
 }
diff --git a/src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory.java b/src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory.java
@@ -21,10 +21,7 @@
 import static org.reaktivity.nukleus.oauth.internal.util.BufferUtil.indexOfBytes;
 
 import java.util.concurrent.Future;
-import java.util.function.Function;
-import java.util.function.LongSupplier;
-import java.util.function.LongUnaryOperator;
-import java.util.function.ToLongFunction;
+import java.util.function.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -59,6 +56,8 @@
 
 public class OAuthProxyFactory implements StreamFactory
 {
+    private static final String SCOPES_CLAIM = "scopes";
+
     private static final long EXPIRES_NEVER = Long.MAX_VALUE;
     private static final long EXPIRES_IMMEDIATELY = 0L;
 
@@ -90,7 +89,7 @@ public class OAuthProxyFactory implements StreamFactory
     private final LongSupplier supplyTrace;
     private final LongUnaryOperator supplyReplyId;
     private final Function<String, JsonWebKey> supplyKey;
-    private final ToLongFunction<String> resolveRealm;
+    private final ToLongBiFunction<String, String[]> resolveRealm;
     private final SignalingExecutor executor;
 
     private final Long2ObjectHashMap<OAuthProxy> correlations;
@@ -106,7 +105,7 @@ public OAuthProxyFactory(
         LongUnaryOperator supplyReplyId,
         Long2ObjectHashMap<OAuthProxy> correlations,
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm,
+        ToLongBiFunction<String, String[]> resolveRealm,
         SignalingExecutor executor)
     {
         this.router = requireNonNull(router);
@@ -145,6 +144,12 @@ public MessageConsumer newStream(
         return newStream;
     }
 
+    private String[] splitScopes(
+            String scopes)
+    {
+        return scopes.split("\\s+");
+    }
+
     private MessageConsumer newInitialStream(
         final BeginFW begin,
         final MessageConsumer acceptReply)
@@ -155,8 +160,20 @@ private MessageConsumer newInitialStream(
         long connectAuthorization = acceptAuthorization;
         if (verified != null)
         {
-            final String kid = verified.getKeyIdHeaderValue();
-            connectAuthorization = resolveRealm.applyAsLong(kid);
+            // Try to parse the scopes claim if it exists.
+            try
+            {
+                final String kid = verified.getKeyIdHeaderValue();
+                final JwtClaims claims = JwtClaims.parse(signature.getPayload());
+                final Object scopeClaim = claims.getClaimValue(SCOPES_CLAIM);
+                connectAuthorization = scopeClaim != null ?
+                                resolveRealm.applyAsLong(kid, splitScopes(scopeClaim.toString()))
+                                : resolveRealm.applyAsLong(kid, null);
+            }
+            catch (JoseException | InvalidJwtException ex)
+            {
+                // TODO: diagnostics?
+            }
         }
 
         final long acceptRouteId = begin.routeId();
@@ -480,6 +497,7 @@ private JsonWebSignature verifiedSignature(
                     final JwtClaims claims = JwtClaims.parse(signature.getPayload());
                     final NumericDate expirationTime = claims.getExpirationTime();
                     final NumericDate notBefore = claims.getNotBefore();
+//                    System.out.println("verifying signature - scopes: "+claims.getClaimValue(SCOPES_CLAIM));
 
                     final long now = System.currentTimeMillis();
                     if ((expirationTime == null || now <= expirationTime.getValueInMillis()) &&

diff --git a/src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactoryBuilder.java b/src/main/java/org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactoryBuilder.java
@@ -15,13 +15,7 @@
  */
 package org.reaktivity.nukleus.oauth.internal.stream;
 
-import java.util.function.Function;
-import java.util.function.IntUnaryOperator;
-import java.util.function.LongFunction;
-import java.util.function.LongSupplier;
-import java.util.function.LongUnaryOperator;
-import java.util.function.Supplier;
-import java.util.function.ToLongFunction;
+import java.util.function.*;
 
 import org.agrona.MutableDirectBuffer;
 import org.agrona.collections.Long2ObjectHashMap;
@@ -36,7 +30,7 @@
 public class OAuthProxyFactoryBuilder implements StreamFactoryBuilder
 {
     private final Function<String, JsonWebKey> supplyKey;
-    private final ToLongFunction<String> resolveRealm;
+    private final ToLongBiFunction<String, String[]> resolveRealm;
     private final Long2ObjectHashMap<OAuthProxy> correlations;
 
     private RouteManager router;
@@ -48,7 +42,7 @@ public class OAuthProxyFactoryBuilder implements StreamFactoryBuilder
 
     public OAuthProxyFactoryBuilder(
         Function<String, JsonWebKey> supplyKey,
-        ToLongFunction<String> resolveRealm)
+        ToLongBiFunction<String, String[]> resolveRealm)
     {
         this.supplyKey = supplyKey;
         this.resolveRealm = resolveRealm;

diff --git a/src/test/java/org/reaktivity/nukleus/oauth/internal/OAuthRealmsTest.java b/src/test/java/org/reaktivity/nukleus/oauth/internal/OAuthRealmsTest.java
@@ -51,15 +51,15 @@ public void shouldResolveKnownRealms() throws Exception
         OAuthRealms realms = new OAuthRealms();
         realms.add("realm one");
         realms.add("realm two");
-        assertEquals(0x0001_000000000000L, realms.resolve("realm one"));
-        assertEquals(0x0002_000000000000L, realms.resolve("realm two"));
+        assertEquals(0x0001_000000000000L, realms.resolve("realm one", null));
+        assertEquals(0x0002_000000000000L, realms.resolve("realm two", null));
     }
 
     @Test
     public void shouldNotResolveUnknownRealm() throws Exception
     {
         OAuthRealms realms = new OAuthRealms();
-        assertEquals(0L, realms.resolve("realm one"));
+        assertEquals(0L, realms.resolve("realm one", null));
     }
 
     @Test
@@ -72,7 +72,7 @@ public void shouldUnresolveAllKnownRealms() throws Exception
         }
         for (int i=0; i < Short.SIZE; i++)
         {
-            assertTrue(realms.unresolve(realms.resolve("realm" + i)));
+            assertTrue(realms.unresolve(realms.resolve("realm" + i, null)));
 
         }
     }

diff --git a/src/test/java/org/reaktivity/nukleus/oauth/internal/control/ControllerIT.java b/src/test/java/org/reaktivity/nukleus/oauth/internal/control/ControllerIT.java
@@ -133,9 +133,10 @@ public void shouldResolveWithRoles() throws Exception
         k3po.start();
 
         long authorization = reaktor.controller(OAuthController.class)
-            .resolve("RS256", "role1", "role2")
+            .resolve("RS256", "scope1", "scope2", "scope3")
             .get();
-        assertEquals(0x0001_00000000000cL, authorization);
+//        System.out.println("authorization: " + authorization);
+        assertEquals(0x0001_000000000007L, authorization);
 
         k3po.finish();
     }
@@ -256,9 +257,9 @@ public void shouldUnresolveWithRoles() throws Exception
         k3po.start();
 
         long authorization = reaktor.controller(OAuthController.class)
-                .resolve("RS256", "role1", "role2")
+                .resolve("RS256", "scope1", "scope2", "scope3")
                 .get();
-        assertEquals(0x0001_00000000000cL, authorization);
+        assertEquals(0x0001_000000000015L, authorization);
 
         reaktor.controller(OAuthController.class)
            .unresolve(authorization)