This repository has been archived by the owner on Jun 23, 2022. It is now read-only.
/
GoogleAuthnAdaptor.java
381 lines (351 loc) · 13.9 KB
/
GoogleAuthnAdaptor.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
// Copyright 2013 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.enterprise.adaptor.googleauthn;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.google.enterprise.adaptor.AbstractAdaptor;
import com.google.enterprise.adaptor.AdaptorContext;
import com.google.enterprise.adaptor.AuthnAuthority;
import com.google.enterprise.adaptor.AuthnIdentity;
import com.google.enterprise.adaptor.Config;
import com.google.enterprise.adaptor.DocIdPusher;
import com.google.enterprise.adaptor.GroupPrincipal;
import com.google.enterprise.adaptor.UserPrincipal;
import com.google.enterprise.adaptor.HttpExchanges;
import com.google.enterprise.adaptor.Request;
import com.google.enterprise.adaptor.Response;
import com.google.enterprise.adaptor.Session;
import com.google.gdata.client.authn.oauth.GoogleOAuthParameters;
import com.google.gdata.client.authn.oauth.OAuthException;
import com.google.gdata.client.authn.oauth.OAuthHmacSha1Signer;
import com.google.gdata.client.authn.oauth.OAuthParameters;
import com.google.gdata.client.authn.oauth.OAuthSigner;
import com.google.gdata.data.Link;
import com.google.gdata.util.AuthenticationException;
import com.google.gdata.util.ServiceException;
import com.google.gdata.client.appsforyourdomain.AppsGroupsService;
import com.google.gdata.data.appsforyourdomain.generic.GenericEntry;
import com.google.gdata.data.appsforyourdomain.generic.GenericFeed;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryException;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.Message;
import org.openid4java.message.MessageException;
import org.openid4java.message.ParameterList;
import org.openid4java.message.ax.AxMessage;
import org.openid4java.message.ax.FetchRequest;
import org.openid4java.message.ax.FetchResponse;
import java.io.IOException;
import java.io.OutputStream;
import java.net.*;
import java.nio.charset.Charset;
import java.util.*;
import java.util.logging.Level;
import java.util.logging.Logger;
/** Adaptor that authenticates users with Google. */
public class GoogleAuthnAdaptor extends AbstractAdaptor
implements AuthnAuthority {
private static final String PROGRAM_NAME = "GoogleAuthnAdaptor/v0.1";
private static final String SESSION_DATA = "authndata";
private static final Logger log
= Logger.getLogger(GoogleAuthnAdaptor.class.getName());
private AdaptorContext context;
private HttpContext responseContext;
private List<DiscoveryInformation> discoveries;
private String consumerKey;
private String consumerSecret;
private String domain;
@Override
public void initConfig(Config config) {
config.addKey("google-authn.consumerKey", null);
config.addKey("google-authn.consumerSecret", null);
config.addKey("google-authn.domain", null);
}
@Override
public void init(AdaptorContext context) throws IOException {
this.context = context;
context.setAuthnAuthority(this);
Config config = context.getConfig();
consumerKey = config.getValue("google-authn.consumerKey");
consumerSecret = context.getSensitiveValueDecoder().decodeValue(
config.getValue("google-authn.consumerSecret"));
domain = config.getValue("google-authn.domain");
log.log(Level.CONFIG, "google-authn.consumerKey: {0}", consumerKey);
log.log(Level.CONFIG, "google-authn.domain: {0}", domain);
try {
@SuppressWarnings("unchecked")
List<DiscoveryInformation> discoveries = new ConsumerManager()
.discover("https://www.google.com/accounts/o8/id");
this.discoveries = discoveries;
} catch (DiscoveryException ex) {
throw new IOException(ex);
}
if (discoveries.isEmpty()) {
throw new RuntimeException("Could not discover openid endpoint");
}
responseContext = context.createHttpContext(
"/google-response", new ResponseHandler());
}
@Override
public void destroy() {
discoveries = null;
responseContext.getServer().removeContext(responseContext);
responseContext = null;
}
@Override
public void authenticateUser(HttpExchange ex, Callback callback)
throws IOException {
ConsumerManager manager = new ConsumerManager();
DiscoveryInformation discovered = manager.associate(discoveries);
URI requestUri = HttpExchanges.getRequestUri(ex);
URI returnUri = requestUri.resolve(responseContext.getPath());
AuthRequest request;
try {
request = manager.authenticate(discovered, returnUri.toASCIIString());
} catch (OpenIDException e) {
log.log(Level.WARNING, "Authn failed: OpenIDException", e);
callback.userAuthenticated(ex, null);
return;
}
FetchRequest fetch = FetchRequest.createFetchRequest();
try {
fetch.addAttribute("email", "http://axschema.org/contact/email", true);
request.addExtension(fetch);
} catch (MessageException e) {
log.log(Level.WARNING, "Authn failed: MessageException", e);
callback.userAuthenticated(ex, null);
return;
}
Session session = context.getUserSession(ex, true);
session.setAttribute(SESSION_DATA,
new SessionData(manager, discovered, callback));
HttpExchanges.sendRedirect(ex, URI.create(request.getDestinationUrl(true)));
}
@Override
public void getDocIds(DocIdPusher pusher) {}
@Override
public void getDocContent(Request request, Response response)
throws IOException {
response.respondNotFound();
}
public static void main(String[] args) throws Exception {
AbstractAdaptor.main(new GoogleAuthnAdaptor(), args);
}
private static Map<String, String[]> convertParameterListsToArrays(
Map<String, List<String>> params) {
Map<String, String[]> newMap = new HashMap<String, String[]>();
String[] zeroArray = new String[0];
for (Map.Entry<String, List<String>> me : params.entrySet()) {
newMap.put(me.getKey(), me.getValue().toArray(zeroArray));
}
return newMap;
}
private List<String> getAllGroups(String username) throws IOException {
// Username known to be valid and trusted.
String userDomain = username.split("@", 2)[1];
AppsGroupsService groupService;
try {
groupService = new AppsGroupsService(userDomain, PROGRAM_NAME);
} catch (AuthenticationException ex) {
throw new IOException("Failed to create groups service", ex);
}
GoogleOAuthParameters oauthParameters = getOAuthParameters();
try {
groupService.setOAuthCredentials(oauthParameters, getOAuthSigner());
} catch (OAuthException e) {
throw new IOException("Failed to set provisioning credentials", e);
}
try {
log.log(Level.FINE, "Getting group entries for {0}", username);
ArrayList<String> groups = new ArrayList<String>();
GenericFeed groupsFeed = groupService.retrieveGroups(username, false);
while (groupsFeed != null) {
for (GenericEntry entry : groupsFeed.getEntries()) {
// Normalize to always lower case (even though we haven't seen
// anything other than lower case).
groups.add(entry.getProperty("groupId").toLowerCase(Locale.ENGLISH));
}
Link nextPage = groupsFeed.getNextLink();
if (nextPage == null) {
groupsFeed = null;
} else {
groupsFeed = groupService.getFeed(
new URL(nextPage.getHref()), GenericFeed.class);
}
}
log.log(Level.FINE, "group count: {0}", groups.size());
log.log(Level.FINER, "all groups: {0}", groups);
return groups;
} catch (ServiceException se) {
throw new IOException("failed to get groups", se);
}
}
private GoogleOAuthParameters getOAuthParameters() {
GoogleOAuthParameters oauthParameters = new GoogleOAuthParameters();
oauthParameters.setOAuthConsumerKey(consumerKey);
oauthParameters.setOAuthConsumerSecret(consumerSecret);
oauthParameters.setOAuthType(OAuthParameters.OAuthType.TWO_LEGGED_OAUTH);
return oauthParameters;
}
private static OAuthSigner getOAuthSigner() {
return new OAuthHmacSha1Signer();
}
private static void respond(HttpExchange ex, int code, String textResponse)
throws IOException {
ex.getResponseHeaders().set("Content-Type", "text/plain");
byte[] bytes = textResponse.getBytes(Charset.forName("UTF-8"));
ex.sendResponseHeaders(code, bytes.length);
OutputStream os = ex.getResponseBody();
os.write(bytes);
os.flush();
os.close();
ex.close();
}
private static class SessionData {
private final ConsumerManager manager;
private final DiscoveryInformation discovered;
private final Callback callback;
public SessionData(ConsumerManager manager, DiscoveryInformation discovered,
Callback callback) {
this.manager = manager;
this.discovered = discovered;
this.callback = callback;
}
}
private class ResponseHandler implements HttpHandler {
@Override
public void handle(HttpExchange ex) throws IOException {
Session session = context.getUserSession(ex, false);
if (session == null) {
log.log(Level.WARNING, "Authn failed: Could not find user's session");
// TODO(ejona): Translate.
respond(ex, HttpURLConnection.HTTP_INTERNAL_ERROR,
"Could not find user's session");
return;
}
SessionData sessionData
= (SessionData) session.removeAttribute(SESSION_DATA);
if (sessionData == null) {
log.log(Level.WARNING, "Authn failed: Could not find session data");
// TODO(ejona): Translate.
respond(ex, HttpURLConnection.HTTP_INTERNAL_ERROR,
"Could not find session data");
return;
}
ConsumerManager manager = sessionData.manager;
DiscoveryInformation discovered = sessionData.discovered;
Callback callback = sessionData.callback;
URI requestUri = HttpExchanges.getRequestUri(ex);
@SuppressWarnings("unchecked")
Map<String, List<String>> params
= manager.extractQueryParams(requestUri.toURL());
ParameterList openidResp = new ParameterList(
convertParameterListsToArrays(params));
// TODO(ejona): compute requestUri directly from the exchange
VerificationResult verification;
try {
verification = manager.verify(
requestUri.toASCIIString(), openidResp, discovered);
} catch (OpenIDException e) {
log.log(Level.WARNING, "Authn failed: OpenIDException", e);
callback.userAuthenticated(ex, null);
return;
}
if (verification.getVerifiedId() == null) {
if (Message.OPENID2_NS.equals(verification.getAuthResponse()
.getParameterValue("openid.ns"))
&& Message.MODE_CANCEL.equals(verification.getAuthResponse()
.getParameterValue("openid.mode"))) {
log.log(Level.WARNING, "Authn failed: user canceled");
} else {
log.log(Level.WARNING, "Authn failed: verification failed");
}
callback.userAuthenticated(ex, null);
return;
}
Message response = verification.getAuthResponse();
FetchResponse ax;
try {
ax = (FetchResponse) response.getExtension(AxMessage.OPENID_NS_AX);
} catch (MessageException e) {
log.log(Level.WARNING, "Authn failed: MessageException", e);
callback.userAuthenticated(ex, null);
return;
}
if (ax == null) {
log.log(Level.WARNING, "Authn failed: No ax extension");
callback.userAuthenticated(ex, null);
return;
}
final String email = ax.getAttributeValue("email");
if (email == null) {
log.log(Level.WARNING, "Authn failed: No email attribute");
callback.userAuthenticated(ex, null);
return;
}
log.log(Level.FINE, "User {0} authenticated", email);
String[] parts = email.split("@", 2);
if (parts.length != 2) {
log.log(Level.WARNING,
"Authn failed: Could not determine user's domain: {0}", email);
callback.userAuthenticated(ex, null);
return;
}
if (!domain.equals(parts[1])) {
log.log(Level.WARNING,
"Authn failed: User {0} has domain {1} which is not the expected "
+ "domain {2}", new Object[] {email, parts[1], domain});
callback.userAuthenticated(ex, null);
return;
}
List<String> stringGroups;
try {
stringGroups = getAllGroups(email);
} catch (IOException e) {
log.log(Level.WARNING, "Authn failed: Error getting groups", e);
callback.userAuthenticated(ex, null);
return;
}
final UserPrincipal user = new UserPrincipal(email);
final Set<GroupPrincipal> groups;
{
Set<GroupPrincipal> tmpGroups
= new HashSet<GroupPrincipal>(stringGroups.size() * 2);
for (String group : stringGroups) {
tmpGroups.add(new GroupPrincipal(group));
}
groups = Collections.unmodifiableSet(tmpGroups);
}
AuthnIdentity identity = new AuthnIdentity() {
@Override
public UserPrincipal getUser() {
return user;
}
@Override
public String getPassword() {
return null;
}
@Override
public Set<GroupPrincipal> getGroups() {
return groups;
}
};
callback.userAuthenticated(ex, identity);
}
}
}