From 160c463672034ff3978795234fecd9f695391879 Mon Sep 17 00:00:00 2001 From: inoshperera Date: Sun, 26 Jul 2020 23:05:01 +0530 Subject: [PATCH] Add token validation with one time token This is to validate one time tokens in the APIM handlers and in the valve --- .../handlers/AuthenticationHandler.java | 9 ++ .../apimgt/handlers/utils/AuthConstants.java | 1 + .../authenticator/framework/Constants.java | 1 + .../OneTimeTokenAuthenticator.java | 93 +++++++++++++++++++ .../AuthenticatorFrameworkDataHolder.java | 11 +++ ...uthenticatorFrameworkServiceComponent.java | 23 +++++ 6 files changed, 138 insertions(+) create mode 100644 components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java index c9873629b7..415ec06304 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/AuthenticationHandler.java @@ -182,6 +182,15 @@ public class AuthenticationHandler extends AbstractHandler { if (log.isDebugEnabled()) { log.debug("Verify response:" + response.getContent()); } + } else if (headers.containsKey(AuthConstants.ONE_TIME_TOKEN_HEADER)) { + String token = headers.get(AuthConstants.ONE_TIME_TOKEN_HEADER); + //TODO: validate token service. Since this is getting validated in the valve, + // this may not even be necessery +// if (log.isDebugEnabled()) { +// log.debug("One time time :" + token + ", status : " + ); +// } + return true; + } else { log.warn("Unauthorized request for api: " + ctxPath); return false; diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java index f2a9f7a42b..d9a9ef8a7b 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.handlers/src/main/java/org/wso2/carbon/apimgt/handlers/utils/AuthConstants.java @@ -24,6 +24,7 @@ public class AuthConstants { public static final String MDM_SIGNATURE = "mdm-signature"; public static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header"; public static final String MUTUAL_AUTH_HEADER = "mutual-auth-header"; + public static final String ONE_TIME_TOKEN_HEADER = "one-time-token"; public static final String ENCODED_PEM = "encoded-pem"; public static final String CALLBACK_URL = ""; public static final String CLIENT_NAME = "IOT-API-MANAGER"; diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Constants.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Constants.java index 2694ea069a..6426c53f47 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Constants.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/Constants.java @@ -31,6 +31,7 @@ public final class Constants { public static final String HEADER_HTTP_ACCEPT = "Accept"; public static final String HEADER_HTTP_AUTHORIZATION = "Authorization"; + public static final String ONE_TIME_TOKEN_HEADER = "one-time-token"; } public static final class ContentTypes { diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java new file mode 100644 index 0000000000..7b207aa034 --- /dev/null +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java @@ -0,0 +1,93 @@ +/* + * Copyright (c) 2020, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved. + * + * Entgra (Pvt) Ltd. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.wso2.carbon.webapp.authenticator.framework.authenticator; + +import org.apache.catalina.connector.Response; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.tomcat.util.buf.ByteChunk; +import org.apache.tomcat.util.buf.MessageBytes; +import org.wso2.carbon.device.mgt.common.general.OneTimeTokenDetails; +import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException; +import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo; +import org.wso2.carbon.webapp.authenticator.framework.Constants; +import org.wso2.carbon.webapp.authenticator.framework.Utils.Utils; +import org.wso2.carbon.webapp.authenticator.framework.authenticator.oauth.OAuth2TokenValidator; +import org.wso2.carbon.webapp.authenticator.framework.authenticator.oauth.OAuthTokenValidationException; +import org.wso2.carbon.webapp.authenticator.framework.authenticator.oauth.OAuthValidationResponse; + +import java.util.Properties; +import java.util.StringTokenizer; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +public class OneTimeTokenAuthenticator implements WebappAuthenticator { + private static final Log log = LogFactory.getLog(OneTimeTokenAuthenticator.class); + + + @Override + public void init() { + + } + + public boolean canHandle(org.apache.catalina.connector.Request request) { + return request.getHeader(Constants.HTTPHeaders.ONE_TIME_TOKEN_HEADER) != null; + } + + public AuthenticationInfo authenticate(org.apache.catalina.connector.Request request, Response response) { + + String token = request.getHeader(Constants.HTTPHeaders.ONE_TIME_TOKEN_HEADER); +// DeviceMgtAPIUtils.getDeviceManagementService();//TODO: call token validate service in core + OneTimeTokenDetails tokenDetails = new OneTimeTokenDetails();//TODO: use token details + + AuthenticationInfo authenticationInfo = new AuthenticationInfo(); + + try { + authenticationInfo.setTenantDomain(tokenDetails.getDomain()); + authenticationInfo.setStatus(Status.CONTINUE); + //authenticationInfo.setUsername(tokenDetails.get); //TODO: set username + //authenticationInfo.setTenantId();//TODO: set tenant Id + } catch (Exception e) { // TODO: remove this if not needed + authenticationInfo.setStatus(Status.FAILURE); + authenticationInfo.setMessage("Could not identify tenant domain."); + } + + return null; + } + + public String getName() { + return "One-Time-Token"; + } + + @Override + public void setProperties(Properties properties) { + + } + + @Override + public Properties getProperties() { + return null; + } + + @Override + public String getProperty(String name) { + return null; + } + + +} diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/AuthenticatorFrameworkDataHolder.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/AuthenticatorFrameworkDataHolder.java index 8607d02239..0bfbcc8f43 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/AuthenticatorFrameworkDataHolder.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/AuthenticatorFrameworkDataHolder.java @@ -20,6 +20,7 @@ package org.wso2.carbon.webapp.authenticator.framework.internal; import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; +import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService; import org.wso2.carbon.registry.core.service.TenantRegistryLoader; import org.wso2.carbon.registry.indexing.service.TenantIndexingLoader; @@ -35,6 +36,7 @@ public class AuthenticatorFrameworkDataHolder { private OAuth2TokenValidationService oAuth2TokenValidationService; private TenantIndexingLoader tenantIndexingLoader; private TenantRegistryLoader tenantRegistryLoader; + private DeviceManagementProviderService deviceManagementService; private static AuthenticatorFrameworkDataHolder thisInstance = new AuthenticatorFrameworkDataHolder(); @@ -114,4 +116,13 @@ public class AuthenticatorFrameworkDataHolder { public TenantRegistryLoader getTenantRegistryLoader() { return tenantRegistryLoader; } + + + public DeviceManagementProviderService getDeviceManagementService() { + return deviceManagementService; + } + + public void setDeviceManagementService(DeviceManagementProviderService deviceManagementService) { + this.deviceManagementService = deviceManagementService; + } } diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java index 36dd1c09c6..1fc7ba2bb9 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java @@ -25,6 +25,7 @@ import org.osgi.framework.BundleContext; import org.osgi.service.component.ComponentContext; import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager; import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService; +import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService; import org.wso2.carbon.registry.core.service.TenantRegistryLoader; import org.wso2.carbon.registry.indexing.service.TenantIndexingLoader; @@ -80,6 +81,12 @@ import java.util.Properties; * cardinality="1..1" policy="dynamic" * bind="setTenantRegistryLoader" * unbind="unsetTenantRegistryLoader" + * @scr.reference name="org.wso2.carbon.device.manager" + * interface="org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService" + * cardinality="1..1" + * policy="dynamic" + * bind="setDeviceManagementService" + * unbind="unsetDeviceManagementService" */ public class WebappAuthenticatorFrameworkServiceComponent { private static final Log log = LogFactory.getLog(WebappAuthenticatorFrameworkServiceComponent.class); @@ -211,4 +218,20 @@ public class WebappAuthenticatorFrameworkServiceComponent { protected void unsetTenantRegistryLoader(TenantRegistryLoader tenantRegistryLoader) { AuthenticatorFrameworkDataHolder.getInstance().setTenantRegistryLoader(null); } + + @SuppressWarnings("unused") + protected void setDeviceManagementService(DeviceManagementProviderService deviceManagementProviderService) { + if (log.isDebugEnabled()) { + log.debug("Setting ApplicationDTO Management OSGI Manager"); + } + AuthenticatorFrameworkDataHolder.getInstance().setDeviceManagementService(deviceManagementProviderService); + } + + @SuppressWarnings("unused") + protected void unsetDeviceManagementService(DeviceManagementProviderService deviceManagementProviderService) { + if (log.isDebugEnabled()) { + log.debug("Removing ApplicationDTO Management OSGI Manager"); + } + AuthenticatorFrameworkDataHolder.getInstance().setDeviceManagementService(null); + } }