#2379 implemented JWT token auth features in IdentityManager class

subutai-io · Apr 4, 2018 · 4bc68d7 · 4bc68d7
1 parent a6cc6be
commit 4bc68d7
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 14 deletions.
diff --git a/...ager/identity-manager-api/src/main/java/io/subutai/core/identity/api/IdentityManager.java b/...ager/identity-manager-api/src/main/java/io/subutai/core/identity/api/IdentityManager.java
@@ -12,6 +12,8 @@
 import io.subutai.common.security.objects.PermissionOperation;
 import io.subutai.common.security.objects.PermissionScope;
 import io.subutai.core.identity.api.dao.IdentityDataService;
+import io.subutai.core.identity.api.exception.TokenCreateException;
+import io.subutai.core.identity.api.exception.TokenParseException;
 import io.subutai.core.identity.api.exception.UserExistsException;
 import io.subutai.core.identity.api.model.Permission;
 import io.subutai.core.identity.api.model.Role;
@@ -26,16 +28,33 @@
  */
 public interface IdentityManager
 {
+    int JWT_TOKEN_EXPIRATION_TIME = 3600;
+    String TOKEN_ISSUER = "Subutai Peer OS";
     String SYSTEM_USERNAME = "internal";
     String ADMIN_USERNAME = "admin";
     String TOKEN_ID = "token";
+
+
     String ADMIN_DEFAULT_PWD = "secret";
 
     String ENV_MANAGER_ROLE = "Environment-Manager";
     String TEMPLATE_MANAGER_ROLE = "Template-Manager";
     //    String ENV_OWNER_ROLE = "Environment-Owner";
 
 
+    void init();
+
+    void destroy();
+
+    /**
+     * Bearer token login
+     *
+     * @param bearerToken bearer token
+     *
+     * @return Session @see Session
+     */
+    Session login( String bearerToken );
+
     /* *************************************************
      */
     void removeRolePermission( long roleId, Permission permission );
@@ -92,7 +111,7 @@ public interface IdentityManager
     String updateUserAuthId( User user, String authId ) throws SystemSecurityException;
 
     /* *************************************************
-         */
+     */
     String getEncryptedUserAuthId( User user ) throws SystemSecurityException;
 
 
@@ -167,7 +186,7 @@ public interface IdentityManager
 
 
     /* *************************************************
-      */
+     */
     User getUser( long userId );
 
 
@@ -211,7 +230,7 @@ public interface IdentityManager
 
 
     /* *************************************************
-    */
+     */
     User createUser( String userName, String password, String fullName, String email, int type, int trustLevel,
                      boolean generateKeyPair, boolean createUserDelegate )
             throws SystemSecurityException, UserExistsException;
@@ -245,7 +264,7 @@ boolean changeUserPassword( String userName, String oldPassword, String newPassw
             throws SystemSecurityException;
 
     /* *************************************************
-         */
+     */
     boolean changeUserPassword( long userId, String oldPassword, String newPassword ) throws SystemSecurityException;
 
 
@@ -265,7 +284,7 @@ boolean changeUserPassword( String userName, String oldPassword, String newPassw
     String getSignToken();
 
     /* *************************************************
-         */
+     */
     void updateUser( User user );
 
     /*
@@ -312,6 +331,10 @@ boolean isUserPermitted( User user, PermissionObject permObj, PermissionScope pe
     Session loginSystemUser();
 
 
+    String issueJWTToken( String environmentId, String containerId ) throws TokenCreateException;
+
+    boolean verifyJWTToken( String token ) throws TokenParseException;
+
     /* *************************************************
      *
      */
@@ -372,7 +395,7 @@ boolean isUserPermitted( User user, PermissionObject permObj, PermissionScope pe
 
 
     /* *************************************************
-    */
+     */
     UserToken createUserToken( User user, String token, String secret, String issuer, int tokenType, Date validDate );
 
 

diff --git a/...dentity-manager-impl/src/main/java/io/subutai/core/identity/impl/IdentityManagerImpl.java b/...dentity-manager-impl/src/main/java/io/subutai/core/identity/impl/IdentityManagerImpl.java
@@ -20,7 +20,6 @@
 
 import javax.annotation.security.PermitAll;
 import javax.annotation.security.RolesAllowed;
-import javax.persistence.EntityExistsException;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -32,6 +31,7 @@
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.joda.time.DateTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -69,6 +69,8 @@
 import io.subutai.core.identity.api.SecurityController;
 import io.subutai.core.identity.api.SessionManager;
 import io.subutai.core.identity.api.dao.IdentityDataService;
+import io.subutai.core.identity.api.exception.TokenCreateException;
+import io.subutai.core.identity.api.exception.TokenParseException;
 import io.subutai.core.identity.api.exception.UserExistsException;
 import io.subutai.core.identity.api.model.Permission;
 import io.subutai.core.identity.api.model.Role;
@@ -84,6 +86,7 @@
 import io.subutai.core.identity.impl.model.UserEntity;
 import io.subutai.core.identity.impl.model.UserTokenEntity;
 import io.subutai.core.identity.impl.utils.SecurityUtil;
+import io.subutai.core.identity.impl.utils.TokenHelper;
 import io.subutai.core.security.api.SecurityManager;
 import io.subutai.core.security.api.crypto.EncryptionTool;
 import io.subutai.core.security.api.crypto.KeyManager;
@@ -117,6 +120,7 @@ public class IdentityManagerImpl implements IdentityManager
 
     private Cache<String, Boolean> signTokensCache =
             CacheBuilder.newBuilder().expireAfterWrite( SIGN_TOKEN_TTL_SEC, TimeUnit.SECONDS ).build();
+    private Cache<String, String> jwtTokenCache;
 
 
     /* *************************************************
@@ -128,12 +132,16 @@ public IdentityManagerImpl()
 
 
     //*****************************************
+    @Override
     public void init()
     {
         identityDataService = new IdentityDataServiceImpl( daoManager );
         sessionManager = new SessionManagerImpl( identityDataService );
         securityController = new SecurityControllerImpl();
         sessionManager.startSessionController();
+        jwtTokenCache =
+                CacheBuilder.newBuilder().expireAfterWrite( JWT_TOKEN_EXPIRATION_TIME, TimeUnit.SECONDS ).build();
+
 
         try
         {
@@ -147,8 +155,10 @@ public void init()
 
 
     //*****************************************
+    @Override
     public void destroy()
     {
+        jwtTokenCache.invalidateAll();
         sessionManager.stopSessionController();
     }
 
@@ -287,21 +297,55 @@ else if ( callback instanceof PasswordCallback )
     @Override
     public Session loginSystemUser()
     {
-        String sptoken = getSystemUserToken();
-        Session session = login( TOKEN_ID, sptoken );
+        return login( TOKEN_ID, getSystemUserToken() );
+    }
 
-        if ( session != null )
+
+    @PermitAll
+    @Override
+    public Session login( String bearerToken )
+    {
+        try
         {
-            return session;
+            return verifyJWTToken( bearerToken ) ? loginSystemUser() : null;
         }
-
-        else
+        catch ( TokenParseException e )
         {
             return null;
         }
     }
 
 
+    @Override
+    public String issueJWTToken( String environmentId, String containerId ) throws TokenCreateException
+
+    {
+        final String secret = UUID.randomUUID().toString();
+        DateTime issueDate = DateTime.now();
+        DateTime expireDate = issueDate.plusSeconds( JWT_TOKEN_EXPIRATION_TIME );
+        String token =
+                new TokenHelper( TOKEN_ISSUER, environmentId, containerId, issueDate.toDate(), expireDate.toDate(),
+                        secret ).getToken();
+
+        this.jwtTokenCache.put( containerId, secret );
+        return token;
+    }
+
+
+    @Override
+    public boolean verifyJWTToken( String token ) throws TokenParseException
+
+    {
+        final TokenHelper signedToken = new TokenHelper( token );
+        if ( signedToken.getExpirationTime().before( new Date() ) )
+        {
+            return false;
+        }
+        String secret = this.jwtTokenCache.getIfPresent( signedToken.getSubject() );
+        return secret != null && signedToken.verify( secret );
+    }
+
+
     /* *************************************************
      */
     @PermitAll
@@ -1701,7 +1745,7 @@ public boolean isAdmin()
 
 
     /* *************************************************
-             */
+     */
     @PermitAll
     @Override
     public boolean isUserPermitted( User user, PermissionObject permObj, PermissionScope permScope,