/
OpaMessageConsumer.java
259 lines (203 loc) · 8.39 KB
/
OpaMessageConsumer.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
package io.jans.lock.service.consumer.message.opa;
import static java.time.format.DateTimeFormatter.ISO_INSTANT;
import java.io.IOException;
import java.time.Duration;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.slf4j.Logger;
import com.fasterxml.jackson.core.JacksonException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.jans.lock.model.config.AppConfiguration;
import io.jans.lock.model.config.OpaConfiguration;
import io.jans.lock.service.TokenService;
import io.jans.lock.service.external.ExternalLockService;
import io.jans.lock.service.external.context.ExternalLockContext;
import io.jans.model.token.TokenEntity;
import io.jans.service.EncryptionService;
import io.jans.service.cdi.async.Asynchronous;
import io.jans.service.cdi.qualifier.Implementation;
import io.jans.service.message.consumer.MessageConsumer;
import io.jans.service.net.BaseHttpService;
import io.jans.util.StringHelper;
import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import net.jodah.expiringmap.ExpirationListener;
import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;
/**
* OPA message consumer
*
* @author Yuriy Movchan Date: 12/25/2023
*/
@Implementation
@ApplicationScoped
public class OpaMessageConsumer extends MessageConsumer {
public static String MESSAGE_CONSUMER_TYPE = "OPA";
@Inject
private Logger log;
@Inject
private AppConfiguration appConfiguration;
@Inject
private ExternalLockService externalLockService;
@Inject
private BaseHttpService httpService;
@Inject
private TokenService tokenService;
@Inject
private EncryptionService encryptionService;
private ObjectMapper objectMapper;
private ExpiringMap<String, String> loadedTokens;
private OpaExpirationListener expirationListener;
@PostConstruct
public void init() {
this.objectMapper = new ObjectMapper();
this.expirationListener = new OpaExpirationListener();
this.loadedTokens = ExpiringMap.builder().expirationPolicy(ExpirationPolicy.CREATED).variableExpiration().expirationListener(expirationListener).build();
}
/*
* Message: {"tknTyp" : "access_token", "tknId": "UUID"}
*/
@Override
@Asynchronous
public void onMessage(String channel, String message) {
log.info("onMessage {} : {}", channel, message);
try {
JsonNode messageNode = objectMapper.readTree(message);
if (!(messageNode.hasNonNull("tknTyp") && messageNode.hasNonNull("tknId") && messageNode.hasNonNull("tknOp"))) {
log.error("Message has missing tknOp or tknTyp, or tknTyp: '{}'", message);
return;
}
String tknOp = messageNode.get("tknOp").asText();
if (StringHelper.equalsIgnoreCase(tknOp, "add")) {
putData(message, messageNode);
} else if (StringHelper.equalsIgnoreCase(tknOp, "del")) {
removeData(messageNode);
} else {
log.error("Message has unsupported operation: '{}'", message);
}
} catch (JacksonException ex) {
log.error("Failed to parse messge: '{}'", message, ex);
}
}
@Override
public void onSubscribe(String channel, int subscribedChannels) {
log.debug("onSubscribe {} : {}", channel, subscribedChannels);
}
@Override
public void onUnsubscribe(String channel, int subscribedChannels) {
log.debug("onUnsubscribe {} : {}", channel, subscribedChannels);
}
@Override
public String getMessageConsumerType() {
return MESSAGE_CONSUMER_TYPE;
}
@Override
public boolean putData(String message, JsonNode messageNode) {
ExternalLockContext lockContext = new ExternalLockContext();
String tknTyp = messageNode.get("tknTyp").asText();
String tknId = messageNode.get("tknId").asText();
TokenEntity tokenEntity = tokenService.findToken(tknId);
log.debug("Token {} loaded successfully", tokenEntity);
lockContext.setTokenEntity(tokenEntity);
ObjectNode dataNode = objectMapper.createObjectNode();
buildBaseTokenObject(tokenEntity, dataNode);
externalLockService.beforeDataPut(messageNode, dataNode, lockContext);
if (lockContext.isCancelPdpOperation()) {
log.debug("DataPut was canceled by script");
return true;
}
// Send rest request to OPA
OpaConfiguration opaConfiguration = appConfiguration.getOpaConfiguration();
String baseUrl = opaConfiguration.getBaseUrl();
HttpPut request = new HttpPut(String.format("%s/data/%s/%s", baseUrl, tknTyp, tknId));
addAccessTokenHeader(request, opaConfiguration);
request.addHeader("Content-Type", ContentType.APPLICATION_JSON.getMimeType());
request.addHeader("If-None-Match", "*");
StringEntity stringEntity = new StringEntity(dataNode.toString(), ContentType.APPLICATION_JSON);
request.setEntity(stringEntity);
boolean result = false;
try {
CloseableHttpClient httpClient = httpService.getHttpsClient();
HttpResponse httpResponse = httpClient.execute(request);
int statusCode = httpResponse.getStatusLine().getStatusCode();
log.debug("Get OPA add data for token '{}' response with status code '{}'", tknId, statusCode);
result = (statusCode == HttpStatus.SC_NO_CONTENT) || (statusCode == HttpStatus.SC_NOT_MODIFIED);
} catch (IOException ex) {
log.error("Failed to execute put data request", ex);
}
if (result) {
loadedTokens.put(tknId, message, ExpirationPolicy.CREATED, getExpirationInSeconds(tokenEntity), TimeUnit.SECONDS);
}
return result;
}
public void buildBaseTokenObject(TokenEntity tokenEntity, ObjectNode dataNode) {
dataNode.put("scope", tokenEntity.getScope());
dataNode.put("creationDate", ISO_INSTANT.format(tokenEntity.getCreationDate().toInstant()));
dataNode.put("expirationDate", ISO_INSTANT.format(tokenEntity.getExpirationDate().toInstant()));
dataNode.put("userId", tokenEntity.getUserId());
dataNode.put("clientId", tokenEntity.getClientId());
}
protected boolean removeData(JsonNode messageNode) {
ExternalLockContext lockContext = new ExternalLockContext();
externalLockService.beforeDataRemoval(messageNode, lockContext);
if (lockContext.isCancelPdpOperation()) {
log.debug("DataRemoval was canceled by script");
return true;
}
// Send rest request to OPA
String tknTyp = messageNode.get("tknTyp").asText();
String tknId = messageNode.get("tknId").asText();
OpaConfiguration opaConfiguration = appConfiguration.getOpaConfiguration();
String baseUrl = opaConfiguration.getBaseUrl();
HttpDelete request = new HttpDelete(String.format("%s/data/%s/%s", baseUrl, tknTyp, tknId));
addAccessTokenHeader(request, opaConfiguration);
boolean result = false;
try {
CloseableHttpClient httpClient = httpService.getHttpsClient();
HttpResponse httpResponse = httpClient.execute(request);
int statusCode = httpResponse.getStatusLine().getStatusCode();
log.debug("Get OPA remove data for token '{}' response with status code '{}'", tknId, statusCode);
result = statusCode == HttpStatus.SC_NO_CONTENT;
} catch (IOException ex) {
log.error("Failed to execute delete data request", ex);
}
return result;
}
protected long getExpirationInSeconds(TokenEntity tokenEntity) {
final Long duration = Duration.between(new Date().toInstant(), tokenEntity.getExpirationDate().toInstant()).getSeconds();
return duration;
}
private void addAccessTokenHeader(HttpRequestBase request, OpaConfiguration opaConfiguration) {
String accessToken = encryptionService.decrypt(opaConfiguration.getAccessToken(), true);
if (StringHelper.isNotEmpty(accessToken)) {
request.setHeader("Authorization", "Bearer " + accessToken);
}
}
protected class OpaExpirationListener implements ExpirationListener<String, String> {
public void expired(String key, String message) {
log.debug("Deleting expired token {}", key);
JsonNode messageNode;
try {
messageNode = objectMapper.readTree(message);
removeData(messageNode);
} catch (JacksonException ex) {
log.error("Failed to parse messge: '{}'", message, ex);
}
}
}
@Override
public void destroy() {
log.debug("Destory Messages");
}
}