Token updates

cnf/releaserepo/index.xml.sha

@@ -1 +1 @@
-ed2e0236c3ccaf84928b95d66048dee2706bad47fcd9af4681292b3ed7c3db61
+ddb43344d88d2a8f2e84bc741897f6fea91e5883c414bbea102c2b3e124c8de9

pnnl.goss.core/core-api.bnd

@@ -1,4 +1,4 @@
 Export-Package: \
 	com.northconcepts.exception,\
 	pnnl.goss.core
-Bundle-Version: 10.0.3.${tstamp}
+Bundle-Version: 10.0.7.${tstamp}

pnnl.goss.core/goss-client.bnd

@@ -1,3 +1,3 @@
 Private-Package:  \
 	pnnl.goss.core.client
-Bundle-Version: 2.0.172.${tstamp}
+Bundle-Version: 2.0.176.${tstamp}

pnnl.goss.core/goss-core-commands.bnd

@@ -1,3 +1,3 @@
 Private-Package:  \
 	pnnl.goss.core.commands
-Bundle-Version: 2.0.113.${tstamp}
+Bundle-Version: 2.0.117.${tstamp}

pnnl.goss.core/goss-core-security.bnd

@@ -4,4 +4,4 @@ Private-Package:  \
 Bundle-Activator: pnnl.goss.core.security.impl.Activator
 Export-Package:  \
 	pnnl.goss.core.security
-Bundle-Version: 6.0.3.${tstamp}
+Bundle-Version: 9.0.1.${tstamp}

pnnl.goss.core/goss-core-server-api.bnd

@@ -1,3 +1,3 @@
 Export-Package:  \
 	pnnl.goss.core.server
-Bundle-Version: 3.0.131.${tstamp}
+Bundle-Version: 3.0.135.${tstamp}

pnnl.goss.core/goss-core-server-registry.bnd

@@ -1,4 +1,4 @@
-Bundle-Version: 1.0.178.${tstamp}
+Bundle-Version: 1.0.182.${tstamp}
 Private-Package:  \
 	pnnl.goss.server.registry
 DynamicImport-Package: *

pnnl.goss.core/goss-core-server.bnd

@@ -3,4 +3,4 @@ Private-Package:  \
 DynamicImport-Package: *
 #Include-Resource: \
 #	OSGI-INF/blueprint/blueprint.xml=config/blueprint.xml
-Bundle-Version: 2.0.196.${tstamp}
+Bundle-Version: 2.0.200.${tstamp}

pnnl.goss.core/security-jwt.bnd

@@ -1,2 +1,2 @@
 Private-Package: pnnl.goss.core.security.jwt
-Bundle-Version: 1.0.143.${tstamp}
+Bundle-Version: 1.0.147.${tstamp}

pnnl.goss.core/security-ldap.bnd

@@ -1,3 +1,3 @@
 Private-Package:  \
 	pnnl.goss.core.security.ldap
-Bundle-Version: 1.0.128.${tstamp}
+Bundle-Version: 1.0.132.${tstamp}

pnnl.goss.core/security-propertyfile.bnd

@@ -1,3 +1,3 @@
 Private-Package:  \
 	pnnl.goss.core.security.propertyfile
-Bundle-Version: 2.0.139.${tstamp}
+Bundle-Version: 2.0.143.${tstamp}

pnnl.goss.core/security-system.bnd

@@ -1,2 +1,2 @@
 Private-Package: pnnl.goss.core.security.system
-Bundle-Version: 2.0.138.${tstamp}
+Bundle-Version: 2.0.142.${tstamp}

pnnl.goss.core/src/pnnl/goss/core/client/GossClient.java

@@ -48,6 +48,7 @@
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Base64;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.UUID;
@@ -88,9 +89,9 @@
 import pnnl.goss.core.GossResponseEvent;
 import pnnl.goss.core.Request.RESPONSE_FORMAT;
 import pnnl.goss.core.security.GossSecurityManager;
+import pnnl.goss.core.security.JWTAuthenticationToken;
 import pnnl.goss.core.security.SecurityConstants;
 import pnnl.goss.core.security.impl.SecurityManagerImpl;
-import pnnl.goss.core.security.jwt.JWTAuthenticationToken;
 import pnnl.goss.core.Response;
 import pnnl.goss.core.ResponseError;
 
@@ -634,7 +635,8 @@ protected String getToken(Credentials credentials) throws JMSException{
 		pwConnection.start();
 
 		Session pwSession = pwConnection.createSession(false, Session.CLIENT_ACKNOWLEDGE);
-		Destination replyDestination = pwSession.createQueue("temp.token_resp."+credentials.getUserPrincipal().getName());
+		String dt = ""+new Date().getTime();
+		Destination replyDestination = pwSession.createQueue("temp.token_resp."+credentials.getUserPrincipal().getName()+"-"+dt);
 		Destination destination = getDestination(GossCoreContants.PROP_TOKEN_QUEUE, pwConnection, pwSession);
 		ClientPublishser pwClientPublisher = new DefaultClientPublisher(credentials
 				.getUserPrincipal().getName(), pwSession);

pnnl.goss.core/src/pnnl/goss/core/security/jwt/JWTAuthenticationToken.java → pnnl.goss.core/src/pnnl/goss/core/security/JWTAuthenticationToken.java

@@ -1,4 +1,4 @@
-package pnnl.goss.core.security.jwt;
+package pnnl.goss.core.security;
 
 import java.util.List;
 

pnnl.goss.core/src/pnnl/goss/core/security/SecurityConfig.java

@@ -1,8 +1,12 @@
 package pnnl.goss.core.security;
 
+import java.util.Set;
+
 public interface SecurityConfig {
 	public String getManagerUser();
 	public String getManagerPassword();
 	public boolean getUseToken();
-	public byte[] getTokenSecret();
+	public boolean validateToken(String token);
+	public JWTAuthenticationToken parseToken(String token);
+	public String createToken(Object userId,  Set<String> roles);
 }

pnnl.goss.core/src/pnnl/goss/core/security/jwt/MACVerifierExtended.java → pnnl.goss.core/src/pnnl/goss/core/security/impl/MACVerifierExtended.java

@@ -1,4 +1,4 @@
-package pnnl.goss.core.security.jwt;
+package pnnl.goss.core.security.impl;
 
 import java.util.Date;
 

pnnl.goss.core/src/pnnl/goss/core/security/impl/SecurityConfigImpl.java

@@ -1,14 +1,30 @@
 package pnnl.goss.core.security.impl;
 
 import java.security.SecureRandom;
+import java.text.ParseException;
+import java.util.ArrayList;
+import java.util.Date;
 import java.util.Dictionary;
+import java.util.Set;
+import java.util.UUID;
 
 import org.apache.felix.dm.annotation.api.Component;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
 import com.northconcepts.exception.SystemException;
 
+import pnnl.goss.core.security.JWTAuthenticationToken;
 import pnnl.goss.core.security.SecurityConfig;
 import pnnl.goss.core.security.SecurityConstants;
 
@@ -19,16 +35,25 @@ public class SecurityConfigImpl implements SecurityConfig {
 	private String managerUser;
 	private String managerPassword;
 	private boolean useToken = false;
-	private byte[] tokenSecret = generateSharedKey();
-	
+	private byte[] sharedKey = generateSharedKey();
+
 	private Dictionary<String, Object> properties;
 	private static final Logger log = LoggerFactory.getLogger(SecurityConfigImpl.class);
+	private static final String ISSUED_BY = "GridOPTICS Software System";
 
 
+
+
 	public SecurityConfigImpl(){
 	}
 
 
+	protected long getExpirationDate() {
+        return 1000 * 60 * 60 * 24 * 5;
+    }
+
+    protected String getIssuer(){return ISSUED_BY;}
+
 
 	void updated(Dictionary<String, Object> properties) {
         if (properties != null) {
@@ -42,7 +67,7 @@ void updated(Dictionary<String, Object> properties) {
 
 			String secret = getProperty(SecurityConstants.PROP_SYSTEM_TOKEN_SECRET, null);
 			if(secret!=null && secret.trim().length()>0){
-				this.tokenSecret = secret.getBytes();
+				this.sharedKey = secret.getBytes();
 			}
 
 			String useTokenString = getProperty(SecurityConstants.PROP_SYSTEM_USE_TOKEN
@@ -100,18 +125,83 @@ public boolean getUseToken() {
 	}
 
 
-
-	@Override
-	public byte[] getTokenSecret() {
-		return tokenSecret;
-	}
-
 
     private byte[] generateSharedKey() {
         SecureRandom random = new SecureRandom();
         byte[] sharedKey = new byte[32];
         random.nextBytes(sharedKey);
         return sharedKey;
     }
+
+    private byte[] getSharedKey(){
+    	if (sharedKey==null )
+    		sharedKey = generateSharedKey();
+		return sharedKey;
+	}
+
+    public boolean validateToken(String token) {
+    	log.debug("Validate token "+token);
+        try {
+            SignedJWT signed = SignedJWT.parse(token);
+            JWSVerifier verifier = new MACVerifierExtended(getSharedKey(), signed.getJWTClaimsSet());
+            boolean verified = signed.verify(verifier);
+            log.debug("Verified: "+verified);
+            return verified;
+        } catch (ParseException ex) {
+            return false;
+        } catch (JOSEException ex) {
+            return false;
+        }
 
+    }
+
+    public String createToken(Object userId,  Set<String> roles) {
+    	log.info("Creating token for user "+userId);
+        try {
+        	//TODO, should also include roles(permissions)
+
+            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
+            builder.issuer(getIssuer());
+            builder.subject(userId.toString());
+            builder.issueTime(new Date());
+            builder.notBeforeTime(new Date());
+            builder.expirationTime(new Date(new Date().getTime() + getExpirationDate()));
+            builder.jwtID(UUID.randomUUID().toString());
+
+            JWTAuthenticationToken tokenObj = new JWTAuthenticationToken();
+            tokenObj.setIss(getIssuer());
+            tokenObj.setSub(userId.toString());
+            tokenObj.setIat(new Date().getTime());
+            tokenObj.setNbf(new Date().getTime());
+            tokenObj.setExp(new Date(new Date().getTime() + getExpirationDate()).getTime());
+            tokenObj.setJti(UUID.randomUUID().toString());
+            tokenObj.setRoles(new ArrayList<String>(roles));
+            Payload payload = new Payload(tokenObj.toString());
+
+//            JWTClaimsSet claimsSet = builder.build();
+            JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);
+            JWSObject jwsObject = new JWSObject(header, payload);
+
+            JWSSigner signer = new MACSigner(getSharedKey());
+            jwsObject.sign(signer);
+            return jwsObject.serialize();
+        } catch (JOSEException ex) {
+            return null;
+        }
+    }
+
+    public JWTAuthenticationToken parseToken(String token){
+    	try{
+	    	SignedJWT signed = SignedJWT.parse(token);
+			Payload payload = signed.getPayload();
+			String jsonToken = payload.toJSONObject().toJSONString();
+			log.info("Json token: "+jsonToken);
+			// look up permissions based on roles and add them
+			JWTAuthenticationToken tokenObj = JWTAuthenticationToken.parse(jsonToken);
+			return tokenObj;
+    	}catch (ParseException e) {
+			// TODO: handle exception
+    		return null;
+		}
+    }
 }

pnnl.goss.core/src/pnnl/goss/core/security/jwt/UnauthTokenBasedRealm.java

@@ -1,12 +1,8 @@
 package pnnl.goss.core.security.jwt;
 
 import java.text.ParseException;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Dictionary;
-import java.util.Enumeration;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -24,18 +20,15 @@
 import org.apache.shiro.authz.permission.PermissionResolver;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
-import org.apache.shiro.util.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.nimbusds.jose.JWSVerifier;
-import com.nimbusds.jose.Payload;
-import com.nimbusds.jwt.SignedJWT;
 import com.northconcepts.exception.SystemException;
 
 import pnnl.goss.core.GossCoreContants;
 import pnnl.goss.core.security.GossPermissionResolver;
 import pnnl.goss.core.security.GossRealm;
+import pnnl.goss.core.security.JWTAuthenticationToken;
 import pnnl.goss.core.security.RoleManager;
 import pnnl.goss.core.security.SecurityConfig;
 
@@ -70,9 +63,6 @@ public class UnauthTokenBasedRealm extends AuthorizingRealm implements GossRealm
 	@ServiceDependency
     private volatile SecurityConfig securityConfig;
 
-	@ServiceDependency 
-	private volatile UserRepository userRepository;
-
 	@ServiceDependency
 	private volatile RoleManager roleManager;
 
@@ -119,7 +109,7 @@ protected AuthorizationInfo doGetAuthorizationInfo(
         String username = (String) getAvailablePrincipal(principals);
         AuthorizationInfo accnt = tokenMap.get(username);
         if(accnt==null){
-        	log.debug("No authrorization info found for "+username);
+        	log.debug("No authorization info found for "+username);
         }
         return accnt;
 	}
@@ -139,20 +129,15 @@ protected AuthenticationInfo doGetAuthenticationInfo(
         //If it receives a token
         if (username!=null && username.length()>250 && pw.length==0) {
         	//Validate token
-        	boolean verified = userRepository.validateToken(username);
+        	boolean verified = securityConfig.validateToken(username);
         	log.info("Recieved token: "+username+"  verified: "+verified);
         	if(verified){
         	//TODO get username from token, get permissions for username
 
-        		SignedJWT signed;
 				try {
-					signed = SignedJWT.parse(username);
-					Payload payload = signed.getPayload();
-					String jsonToken = payload.toJSONObject().toJSONString();
-					log.info("Json token: "+jsonToken);
 					// look up permissions based on roles and add them
 					Set<String> permissions = new HashSet<String>();
-					JWTAuthenticationToken tokenObj = JWTAuthenticationToken.parse(jsonToken);
+					JWTAuthenticationToken tokenObj = securityConfig.parseToken(username);
 		        	log.info("Has token roles: "+tokenObj.getRoles());
 
 					if(roleManager!=null){
@@ -192,9 +177,11 @@ protected AuthenticationInfo doGetAuthenticationInfo(
         	acnt.addStringPermission("topic:ActiveMQ.Advisory.Connection:create");
         	acnt.addStringPermission("topic:ActiveMQ.Advisory.Queue:create");
         	acnt.addStringPermission("topic:ActiveMQ.Advisory.Consumer.Queue.temp.token_resp."+userName);
+        	acnt.addStringPermission("topic:ActiveMQ.Advisory.Consumer.Queue.temp.token_resp."+userName+"-*");
         	acnt.addStringPermission("topic:"+GossCoreContants.PROP_TOKEN_QUEUE+":write");
         	acnt.addStringPermission("topic:"+GossCoreContants.PROP_TOKEN_QUEUE+":create");
         	acnt.addStringPermission("queue:temp.token_resp."+userName);
+        	acnt.addStringPermission("queue:temp.token_resp."+userName+"-*");
 
 
         	tokenMap.put(username, acnt);

pnnl.goss.core/src/pnnl/goss/core/security/jwt/UserRepository.java

@@ -8,14 +8,14 @@ public interface UserRepository {
 
 //    public byte[] generateSharedKey();
 
-    public long getExpirationDate() ;
-
-    public String getIssuer();
+//    public long getExpirationDate() ;
+//
+//    public String getIssuer();
 
 
 //    public TokenResponse createToken(UserDefault user) ;
 
-    public String createToken(Object userId) ;
+//    public String createToken(Object userId) ;
 
-    public boolean validateToken(String token);
+//    public boolean validateToken(String token);
 }