/* * The contents of this file are subject to the terms of the Common Development and * Distribution License (the License). You may not use this file except in compliance with the * License. * * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the * specific language governing permission and limitations under the License. * * When distributing Covered Software, include this CDDL Header Notice in each file and include * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL * Header, with the fields enclosed by brackets [] replaced by your own identifying * information: "Portions Copyright [year] [name of copyright owner]". * * Copyright 2016 ForgeRock AS. */ package org.forgerock.opendj.rest2ldap.authz; import static org.forgerock.opendj.rest2ldap.Rest2ldapMessages.*; import static java.util.concurrent.TimeUnit.SECONDS; import static org.forgerock.opendj.rest2ldap.authz.Utils.newAccessTokenException; import static org.forgerock.util.Reject.checkNotNull; import java.io.IOException; import java.net.URI; import java.util.Arrays; import java.util.HashSet; import java.util.Set; import org.forgerock.http.Handler; import org.forgerock.http.oauth2.AccessTokenException; import org.forgerock.http.oauth2.AccessTokenInfo; import org.forgerock.http.oauth2.AccessTokenResolver; import org.forgerock.http.protocol.Responses; import org.forgerock.http.protocol.Entity; import org.forgerock.http.protocol.Form; import org.forgerock.http.protocol.Headers; import org.forgerock.http.protocol.Request; import org.forgerock.http.protocol.Response; import org.forgerock.http.protocol.Status; import org.forgerock.json.JsonValue; import org.forgerock.json.JsonValueException; import org.forgerock.services.context.Context; import org.forgerock.util.Function; import org.forgerock.util.encode.Base64; import org.forgerock.util.promise.Promise; /** * An {@link AccessTokenResolver} which is RFC 7662 compliant. *

* @see RFC-7662 */ final class Rfc7662AccessTokenResolver implements AccessTokenResolver { /** RFC 7662 defined fields for token introspection request. */ private static final String RFC_7662_FORM_TOKEN_FIELD = "token"; private static final String RFC_7662_FORM_TOKEN_TYPE_HINT_FIELD = "token_type_hint"; private static final String RFC_7662_FORM_TOKEN_TYPE_HINT_ACCESS_TOKEN = "access_token"; /** RFC 7662 defined fields for token introspection response. */ private static final String RFC_7662_RESPONSE_SCOPE_FIELD = "scope"; private static final String RFC_7662_RESPONSE_EXPIRE_TIME_FIELD = "exp"; /** Rest2Ldap fields name for the RFC 7662 access token resolver. */ private static final String RFC_7662_RESPONSE_ACTIVE_FIELD = "active"; private final Handler httpClient; private final URI introspectionEndPointURI; private final String clientAppId; private final String clientAppSecret; Rfc7662AccessTokenResolver(final Handler httpClient, final URI introspectionEndPointURI, final String clientAppId, final String clientAppSecret) { this.httpClient = checkNotNull(httpClient); this.introspectionEndPointURI = checkNotNull(introspectionEndPointURI); this.clientAppId = checkNotNull(clientAppId); this.clientAppSecret = checkNotNull(clientAppSecret); } @Override public Promise resolve(final Context context, final String token) { final Request request = new Request().setUri(introspectionEndPointURI); final Headers headers = request.getHeaders(); headers.put("Accept", "application/json"); headers.put("Authorization", "Basic " + Base64.encode((clientAppId + ":" + clientAppSecret).getBytes())); final Form form = new Form(); form.add(RFC_7662_FORM_TOKEN_FIELD, token); form.add(RFC_7662_FORM_TOKEN_TYPE_HINT_FIELD, RFC_7662_FORM_TOKEN_TYPE_HINT_ACCESS_TOKEN); form.toRequestEntity(request); return httpClient.handle(context, request) .then(buildAccessToken(token), Responses. noopExceptionFunction()); } private Function buildAccessToken(final String tokenSent) { return new Function() { @Override public AccessTokenInfo apply(final Response response) throws AccessTokenException { final Status status = response.getStatus(); if (!Status.OK.equals(status)) { throw newAccessTokenException( ERR_OAUTH2_RFC7662_RETURNED_ERROR.get(status), response.getCause()); } try (final Entity entity = response.getEntity()) { final JsonValue jsonResponse = asJson(entity); if (!jsonResponse.get(RFC_7662_RESPONSE_ACTIVE_FIELD).defaultTo(Boolean.FALSE).asBoolean()) { throw newAccessTokenException(ERR_OAUTH2_RFC7662_TOKEN_NOT_ACTIVE.get()); } return buildAccessTokenFromJson(jsonResponse, tokenSent); } catch (final JsonValueException e) { throw newAccessTokenException(ERR_OAUTH2_RFC7662_INVALID_JSON_TOKEN.get(e.getMessage()), e); } } }; } private AccessTokenInfo buildAccessTokenFromJson(final JsonValue jsonToken, final String token) { final Set tokenScopes = new HashSet<>(Arrays.asList( jsonToken.get(RFC_7662_RESPONSE_SCOPE_FIELD).required().asString().trim().split(" +"))); final Long expiresAt = jsonToken.get(RFC_7662_RESPONSE_EXPIRE_TIME_FIELD).required().asLong(); return new AccessTokenInfo(jsonToken, token, tokenScopes, SECONDS.toMillis(expiresAt)); } private JsonValue asJson(final Entity entity) throws AccessTokenException { try { return new JsonValue(entity.getJson()); } catch (final IOException e) { // Do not use Entity.toString(), we probably don't want to fully output the content here throw newAccessTokenException(ERR_OAUTH2_RFC7662_CANNOT_READ_RESPONSE.get(), e); } } }