From 59cd06df0f4d8bf630ea0f33b00708adfe091d48 Mon Sep 17 00:00:00 2001 From: Gimhan-minion Date: Tue, 12 Mar 2024 01:41:28 +0530 Subject: [PATCH 1/2] Handle default authdata in oauth2token handler --- .../DefaultOauth2TokenHandler.java | 144 +++++++++++------- .../interceptor/util/HandlerConstants.java | 1 + .../request/interceptor/util/HandlerUtil.java | 54 +++++-- 3 files changed, 129 insertions(+), 70 deletions(-) diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultOauth2TokenHandler.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultOauth2TokenHandler.java index 343a9c620d..dac8f541ee 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultOauth2TokenHandler.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultOauth2TokenHandler.java @@ -22,6 +22,8 @@ import com.google.gson.Gson; import com.google.gson.JsonElement; import com.google.gson.JsonObject; import com.google.gson.JsonParser; +import io.entgra.device.mgt.core.device.mgt.core.config.DeviceConfigurationManager; +import io.entgra.device.mgt.core.device.mgt.core.config.DeviceManagementConfig; import io.entgra.device.mgt.core.ui.request.interceptor.beans.AuthData; import io.entgra.device.mgt.core.ui.request.interceptor.util.HandlerConstants; import io.entgra.device.mgt.core.ui.request.interceptor.util.HandlerUtil; @@ -31,9 +33,11 @@ import org.apache.commons.logging.LogFactory; import org.apache.http.HttpHeaders; import org.apache.http.HttpStatus; import org.apache.http.client.methods.HttpGet; +import org.apache.http.client.methods.HttpPost; import org.apache.http.client.utils.URIBuilder; import org.apache.http.entity.ContentType; import io.entgra.device.mgt.core.ui.request.interceptor.beans.ProxyResponse; +import org.apache.http.entity.StringEntity; import javax.servlet.annotation.MultipartConfig; import javax.servlet.annotation.WebServlet; @@ -42,85 +46,53 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import java.io.IOException; +import java.util.Base64; @MultipartConfig @WebServlet("/default-oauth2-credentials") public class DefaultOauth2TokenHandler extends HttpServlet { private static final Log log = LogFactory.getLog(DefaultTokenHandler.class); - @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) { try { HttpSession httpSession = req.getSession(false); - if (httpSession != null) { AuthData authData = (AuthData) httpSession.getAttribute(HandlerConstants.SESSION_AUTH_DATA_KEY); if (authData == null) { HandlerUtil.sendUnAuthorizeResponse(resp); return; } - AuthData defaultAuthData = (AuthData) httpSession .getAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY); if (defaultAuthData != null) { - HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(defaultAuthData.getAccessToken())); - return; - } - - String clientId = authData.getClientId(); - String clientSecret = authData.getClientSecret(); - - String queryString = req.getQueryString(); - String scopeString = ""; - if (StringUtils.isNotEmpty(queryString)) { - scopeString = req.getParameter("scopes"); - if (scopeString != null) { - scopeString = "?scopes=" + scopeString; + String accessToken = defaultAuthData.getAccessToken(); + String accessTokenWithoutPrefix = accessToken.substring(accessToken.indexOf("_") + 1); + + HttpPost tokenEndpoint = new HttpPost(HandlerUtil.getKeyManagerUrl(req.getScheme()) + HandlerConstants.INTROSPECT_ENDPOINT); + tokenEndpoint.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString()); + DeviceManagementConfig dmc = DeviceConfigurationManager.getInstance().getDeviceManagementConfig(); + String adminUsername = dmc.getKeyManagerConfigurations().getAdminUsername(); + String adminPassword = dmc.getKeyManagerConfigurations().getAdminPassword(); + tokenEndpoint.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BASIC + Base64.getEncoder() + .encodeToString((adminUsername + HandlerConstants.COLON + adminPassword).getBytes())); + StringEntity tokenEPPayload = new StringEntity("token=" + accessTokenWithoutPrefix, + ContentType.APPLICATION_FORM_URLENCODED); + tokenEndpoint.setEntity(tokenEPPayload); + ProxyResponse tokenStatus = HandlerUtil.execute(tokenEndpoint); + + if (HandlerConstants.DEFAULT_TOKEN_IS_EXPIRED.equals(tokenStatus.getData())) { + tokenStatus = HandlerUtil.retryRequestWithRefreshedToken(req, tokenEndpoint, HandlerUtil.getKeyManagerUrl(req.getScheme()), true); + if (!HandlerUtil.isResponseSuccessful(tokenStatus)) { + HandlerUtil.handleError(resp, tokenStatus); + return; + } + } else { + HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(defaultAuthData.getAccessToken())); + return; } } - - String iotsCoreUrl = req.getScheme() + HandlerConstants.SCHEME_SEPARATOR - + System.getProperty(HandlerConstants.IOT_GW_HOST_ENV_VAR) - + HandlerConstants.COLON + HandlerUtil.getGatewayPort(req.getScheme()); - String tokenUrl = iotsCoreUrl + "/api/device-mgt/v1.0/devices/" + clientId - + "/" + clientSecret + "/default-token" + scopeString; - - HttpGet defaultTokenRequest = new HttpGet(tokenUrl); - defaultTokenRequest - .setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BEARER + authData.getAccessToken()); - defaultTokenRequest - .setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString()); - ProxyResponse tokenResultResponse = HandlerUtil.execute(defaultTokenRequest); - - if (tokenResultResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { - log.error("Error occurred while invoking the API to get default token data."); - HandlerUtil.handleError(resp, tokenResultResponse); - return; - } - String tokenResult = tokenResultResponse.getData(); - if (tokenResult == null) { - log.error("Invalid default token response is received."); - HandlerUtil.handleError(resp, tokenResultResponse); - return; - } - - JsonParser jsonParser = new JsonParser(); - JsonElement jTokenResult = jsonParser.parse(tokenResult); - if (jTokenResult.isJsonObject()) { - JsonObject jTokenResultAsJsonObject = jTokenResult.getAsJsonObject(); - AuthData newDefaultAuthData = new AuthData(); - newDefaultAuthData.setClientId(clientId); - newDefaultAuthData.setClientSecret(clientSecret); - - String defaultToken = jTokenResultAsJsonObject.get("accessToken").getAsString(); - newDefaultAuthData.setAccessToken(defaultToken); - newDefaultAuthData.setRefreshToken(jTokenResultAsJsonObject.get("refreshToken").getAsString()); - newDefaultAuthData.setScope(jTokenResultAsJsonObject.get("scopes").getAsString()); - httpSession.setAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY, newDefaultAuthData); - - HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(defaultToken)); - } + processDefaultTokenRequest(httpSession, authData, req, resp); } else { HandlerUtil.sendUnAuthorizeResponse(resp); } @@ -129,6 +101,62 @@ public class DefaultOauth2TokenHandler extends HttpServlet { } } + private void processDefaultTokenRequest(HttpSession httpSession, AuthData authData, HttpServletRequest req, HttpServletResponse resp) throws IOException { + String clientId = authData.getClientId(); + String clientSecret = authData.getClientSecret(); + + String queryString = req.getQueryString(); + String scopeString = ""; + if (StringUtils.isNotEmpty(queryString)) { + scopeString = req.getParameter("scopes"); + if (scopeString != null) { + scopeString = "?scopes=" + scopeString; + } + } + + String iotsCoreUrl = req.getScheme() + HandlerConstants.SCHEME_SEPARATOR + + System.getProperty(HandlerConstants.IOT_GW_HOST_ENV_VAR) + + HandlerConstants.COLON + HandlerUtil.getGatewayPort(req.getScheme()); + String tokenUrl = iotsCoreUrl + "/api/device-mgt/v1.0/devices/" + clientId + + "/" + clientSecret + "/default-token" + scopeString; + + HttpGet defaultTokenRequest = new HttpGet(tokenUrl); + defaultTokenRequest + .setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BEARER + authData.getAccessToken()); + defaultTokenRequest + .setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString()); + ProxyResponse tokenResultResponse = HandlerUtil.execute(defaultTokenRequest); + + if (tokenResultResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { + log.error("Error occurred while invoking the API to get default token data."); + HandlerUtil.handleError(resp, tokenResultResponse); + return; + } + String tokenResult = tokenResultResponse.getData(); + if (tokenResult == null) { + log.error("Invalid default token response is received."); + HandlerUtil.handleError(resp, tokenResultResponse); + return; + } + + JsonParser jsonParser = new JsonParser(); + JsonElement jTokenResult = jsonParser.parse(tokenResult); + if (jTokenResult.isJsonObject()) { + JsonObject jTokenResultAsJsonObject = jTokenResult.getAsJsonObject(); + AuthData newDefaultAuthData = new AuthData(); + newDefaultAuthData.setClientId(clientId); + newDefaultAuthData.setClientSecret(clientSecret); + + String defaultToken = jTokenResultAsJsonObject.get("accessToken").getAsString(); + newDefaultAuthData.setAccessToken(defaultToken); + newDefaultAuthData.setRefreshToken(jTokenResultAsJsonObject.get("refreshToken").getAsString()); + newDefaultAuthData.setScope(jTokenResultAsJsonObject.get("scopes").getAsString()); + httpSession.setAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY, newDefaultAuthData); + + HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(defaultToken)); + } + } + /** * Get Success Proxy Response * @param defaultAccessToken Access token which has default scope diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java index 44aedaafe5..d38b9942d3 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java @@ -52,6 +52,7 @@ public class HandlerConstants { public static final String API_COMMON_CONTEXT = "/api"; public static final String EXECUTOR_EXCEPTION_PREFIX = "ExecutorException-"; public static final String TOKEN_IS_EXPIRED = "ACCESS_TOKEN_IS_EXPIRED"; + public static final String DEFAULT_TOKEN_IS_EXPIRED = "{\"active\":false}"; public static final String REPORTS = "Reports"; public static final String APP_NAME = "App-Name"; public static final String[] SSO_LOGOUT_COOKIE_PATHS = new String[]{"/", "/entgra-ui-request-handler", diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java index 0fca3811c0..2dfd63a79d 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java @@ -73,6 +73,7 @@ import java.io.PrintWriter; import java.io.StringWriter; import java.math.BigInteger; import java.security.SecureRandom; +import java.util.Base64; import java.util.Enumeration; import java.util.List; @@ -613,26 +614,32 @@ public class HandlerUtil { * @throws IOException If an error occurs when try to retry the request. */ public static ProxyResponse retryRequestWithRefreshedToken(HttpServletRequest req, HttpRequestBase httpRequest, - String apiEndpoint) throws IOException { - ProxyResponse retryResponse = refreshToken(req, apiEndpoint); + String apiEndpoint, boolean isDefaultAuthToken) throws IOException { + ProxyResponse retryResponse = refreshToken(req, apiEndpoint, isDefaultAuthToken); if (isResponseSuccessful(retryResponse)) { HttpSession session = req.getSession(false); if (session == null) { log.error("Unauthorized, You are not logged in. Please log in to the portal"); return constructProxyResponseByErrorCode(HttpStatus.SC_UNAUTHORIZED); } - httpRequest.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BEARER + authData.getAccessToken()); - ProxyResponse proxyResponse = HandlerUtil.execute(httpRequest); - if (proxyResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { - log.error("Error occurred while invoking the API after refreshing the token."); + if(!isDefaultAuthToken){ + httpRequest.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BEARER + authData.getAccessToken()); + ProxyResponse proxyResponse = HandlerUtil.execute(httpRequest); + if (proxyResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { + log.error("Error occurred while invoking the API after refreshing the token."); + return proxyResponse; + } return proxyResponse; } - return proxyResponse; - } return retryResponse; } + public static ProxyResponse retryRequestWithRefreshedToken(HttpServletRequest req, HttpRequestBase httpRequest, + String apiEndpoint) throws IOException { + return retryRequestWithRefreshedToken(req, httpRequest, apiEndpoint, false); + } + /*** * This method is responsible to get the refresh token * @@ -640,7 +647,7 @@ public class HandlerUtil { * @return If successfully renew tokens, returns TRUE otherwise return FALSE * @throws IOException If an error occurs while witting error response to client side or invoke token renewal API */ - private static ProxyResponse refreshToken(HttpServletRequest req, String keymanagerUrl) + private static ProxyResponse refreshToken(HttpServletRequest req, String keymanagerUrl, boolean isDefaultAuthToken) throws IOException { if (log.isDebugEnabled()) { log.debug("refreshing the token"); @@ -653,8 +660,11 @@ public class HandlerUtil { // handleError(resp, HttpStatus.SC_UNAUTHORIZED); return tokenResultResponse; } - - authData = (AuthData) session.getAttribute(HandlerConstants.SESSION_AUTH_DATA_KEY); + if(isDefaultAuthToken){ + authData = (AuthData) session.getAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY); + } else { + authData = (AuthData) session.getAttribute(HandlerConstants.SESSION_AUTH_DATA_KEY); + } tokenResultResponse = getTokenResult(authData, keymanagerUrl); if (tokenResultResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { log.error("Error occurred while refreshing access token."); @@ -666,7 +676,11 @@ public class HandlerUtil { JsonElement jTokenResult = jsonParser.parse(tokenResultResponse.getData()); if (jTokenResult.isJsonObject()) { - setNewAuthData(constructAuthDataFromTokenResult(jTokenResult, authData), session); + if(isDefaultAuthToken){ + setNewDefaultAuthData(constructAuthDataFromTokenResult(jTokenResult, authData), session); + } else { + setNewAuthData(constructAuthDataFromTokenResult(jTokenResult, authData), session); + } return tokenResultResponse; } @@ -675,6 +689,11 @@ public class HandlerUtil { // handleError(resp, HttpStatus.SC_INTERNAL_SERVER_ERROR); return tokenResultResponse; } + + private static ProxyResponse refreshToken(HttpServletRequest req, String keymanagerUrl) throws IOException { + return refreshToken(req, keymanagerUrl, false); + } + public static ProxyResponse getTokenResult(AuthData authData, String keymanagerUrl) throws IOException { HttpPost tokenEndpoint = new HttpPost(keymanagerUrl + HandlerConstants.OAUTH2_TOKEN_ENDPOINT); StringEntity tokenEndpointPayload = new StringEntity( @@ -683,6 +702,12 @@ public class HandlerUtil { tokenEndpoint.setEntity(tokenEndpointPayload); String encodedClientApp = authData.getEncodedClientApp(); + if(encodedClientApp == null){ + String clientId = authData.getClientId(); + String clientSecret = authData.getClientSecret(); + String toEncode = clientId + ":" + clientSecret; + encodedClientApp = Base64.getEncoder().encodeToString(toEncode.getBytes()); + } tokenEndpoint.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BASIC + encodedClientApp); tokenEndpoint.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString()); @@ -694,6 +719,11 @@ public class HandlerUtil { session.setAttribute(HandlerConstants.SESSION_AUTH_DATA_KEY, newAuthData); } + public static void setNewDefaultAuthData(AuthData newAuthData, HttpSession session) { + authData = newAuthData; + session.setAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY, newAuthData); + } + public static AuthData constructAuthDataFromTokenResult(JsonElement tokenResult, AuthData authData) { JsonObject jTokenResultAsJsonObject = tokenResult.getAsJsonObject(); AuthData newAuthData = new AuthData(); -- 2.36.3 From 291249f80fb979a21526fc58755dbe70d5a2b6f2 Mon Sep 17 00:00:00 2001 From: Gimhan-minion Date: Wed, 13 Mar 2024 14:46:02 +0530 Subject: [PATCH 2/2] Fix formatting issues --- .../mgt/core/ui/request/interceptor/util/HandlerUtil.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java index 2dfd63a79d..0d991c8693 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java @@ -622,7 +622,7 @@ public class HandlerUtil { log.error("Unauthorized, You are not logged in. Please log in to the portal"); return constructProxyResponseByErrorCode(HttpStatus.SC_UNAUTHORIZED); } - if(!isDefaultAuthToken){ + if (!isDefaultAuthToken) { httpRequest.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BEARER + authData.getAccessToken()); ProxyResponse proxyResponse = HandlerUtil.execute(httpRequest); if (proxyResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { @@ -660,7 +660,7 @@ public class HandlerUtil { // handleError(resp, HttpStatus.SC_UNAUTHORIZED); return tokenResultResponse; } - if(isDefaultAuthToken){ + if (isDefaultAuthToken) { authData = (AuthData) session.getAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY); } else { authData = (AuthData) session.getAttribute(HandlerConstants.SESSION_AUTH_DATA_KEY); @@ -676,7 +676,7 @@ public class HandlerUtil { JsonElement jTokenResult = jsonParser.parse(tokenResultResponse.getData()); if (jTokenResult.isJsonObject()) { - if(isDefaultAuthToken){ + if (isDefaultAuthToken) { setNewDefaultAuthData(constructAuthDataFromTokenResult(jTokenResult, authData), session); } else { setNewAuthData(constructAuthDataFromTokenResult(jTokenResult, authData), session); @@ -702,7 +702,7 @@ public class HandlerUtil { tokenEndpoint.setEntity(tokenEndpointPayload); String encodedClientApp = authData.getEncodedClientApp(); - if(encodedClientApp == null){ + if (encodedClientApp == null) { String clientId = authData.getClientId(); String clientSecret = authData.getClientSecret(); String toEncode = clientId + ":" + clientSecret; -- 2.36.3