/*
* Copyright (c) 2017 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.ditto.gateway.service.security.authentication.jwt;
import static org.eclipse.ditto.base.model.common.ConditionChecker.checkNotNull;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import org.eclipse.ditto.base.model.auth.AuthorizationSubject;
import org.eclipse.ditto.gateway.api.GatewayJwtIssuerNotSupportedException;
import org.eclipse.ditto.gateway.service.util.config.DittoGatewayConfig;
import org.eclipse.ditto.gateway.service.util.config.security.OAuthConfig;
import org.eclipse.ditto.internal.utils.config.DefaultScopedConfig;
import org.eclipse.ditto.jwt.model.JsonWebToken;
import org.eclipse.ditto.placeholders.ExpressionResolver;
import org.eclipse.ditto.placeholders.PipelineElement;
import org.eclipse.ditto.placeholders.PlaceholderFactory;
import org.eclipse.ditto.policies.model.SubjectId;
import akka.actor.ActorSystem;
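/**
 * Default {@link JwtAuthorizationSubjectsProvider} of the Ditto gateway.
 * <p>
 * The provider is not tied to one identity provider: the {@code iss} claim of the presented token selects a
 * {@link JwtSubjectIssuerConfig} from the configured {@link JwtSubjectIssuersConfig}, and the authorization
 * subject templates of that entry are resolved against the token's claims. A token whose issuer has no
 * configuration entry is rejected with a {@link GatewayJwtIssuerNotSupportedException}.
 * <p>
 * Instances are immutable and may be shared between threads.
 */
@Immutable
public final class DittoJwtAuthorizationSubjectsProvider implements JwtAuthorizationSubjectsProvider {

    /** Per-issuer configuration (subject issuer and subject templates); never {@code null}. */
    private final JwtSubjectIssuersConfig jwtSubjectIssuersConfig;

    /**
     * Creates a provider from the gateway OAuth configuration found in the actor system's settings.
     *
     * @param actorSystem the actor system whose configuration holds the gateway's OAuth settings.
     */
    @SuppressWarnings("unused") // Loaded via reflection by AkkaExtension.
    public DittoJwtAuthorizationSubjectsProvider(final ActorSystem actorSystem) {
        this(JwtSubjectIssuersConfig.fromOAuthConfig(readOAuthConfig(actorSystem)));
    }

    /**
     * Stores the given configuration; the former {@code actorSystem} parameter was never read and has been dropped.
     *
     * @param jwtSubjectIssuersConfig the subject issuer configuration, must not be {@code null}.
     */
    private DittoJwtAuthorizationSubjectsProvider(final JwtSubjectIssuersConfig jwtSubjectIssuersConfig) {
        this.jwtSubjectIssuersConfig = checkNotNull(jwtSubjectIssuersConfig);
    }

    // Extracts the OAuth section of the gateway configuration from the actor system's settings.
    private static OAuthConfig readOAuthConfig(final ActorSystem actorSystem) {
        return DittoGatewayConfig.of(DefaultScopedConfig.dittoScoped(actorSystem.settings().config()))
                .getAuthenticationConfig()
                .getOAuthConfig();
    }

    /**
     * Returns a new {@code DittoJwtAuthorizationSubjectsProvider}.
     *
     * @param actorSystem the actor system in which the provider should exist.
     * @param jwtSubjectIssuersConfig the subject issuer configuration.
     * @return the provider.
     * @throws NullPointerException if any argument is {@code null}.
     */
    public static DittoJwtAuthorizationSubjectsProvider of(final ActorSystem actorSystem,
            final JwtSubjectIssuersConfig jwtSubjectIssuersConfig) {
        checkNotNull(actorSystem);
        checkNotNull(jwtSubjectIssuersConfig);
        return new DittoJwtAuthorizationSubjectsProvider(jwtSubjectIssuersConfig);
    }

    /**
     * Resolves the authorization subjects granted by the given token.
     * <p>
     * The token's issuer selects the configuration entry to use; each subject template of that entry is resolved
     * with the {@link JwtPlaceholder} against the token's claims, and every resolved value becomes a
     * {@link SubjectId} under the entry's subject issuer.
     *
     * @param jsonWebToken the token to derive the subjects from.
     * @return the authorization subjects; may be empty when no template yields a value.
     * @throws NullPointerException if {@code jsonWebToken} is {@code null}.
     * @throws GatewayJwtIssuerNotSupportedException if the token's issuer has no configuration entry.
     */
    @Override
    public List<AuthorizationSubject> getAuthorizationSubjects(final JsonWebToken jsonWebToken) {
        checkNotNull(jsonWebToken);
        final String issuer = jsonWebToken.getIssuer();

        // The issuer lookup is the gate: a token from an issuer that is not configured yields no subjects at all,
        // regardless of its other claims. The issuer value echoed in the exception comes from the token itself.
        final JwtSubjectIssuerConfig issuerConfig = jwtSubjectIssuersConfig.getConfigItem(issuer)
                .orElseThrow(() -> GatewayJwtIssuerNotSupportedException.newBuilder(issuer).build());

        // Placeholders inside the templates are substituted with claims of this token only.
        final ExpressionResolver expressionResolver = PlaceholderFactory.newExpressionResolver(
                PlaceholderFactory.newPlaceholderResolver(JwtPlaceholder.getInstance(), jsonWebToken));

        return issuerConfig.getAuthorizationSubjectTemplates().stream()
                .map(expressionResolver::resolve)
                .flatMap(PipelineElement::toStream)
                .map(subject -> SubjectId.newInstance(issuerConfig.getSubjectIssuer(), subject))
                .map(AuthorizationSubject::newInstance)
                .toList();
    }

    /**
     * Two providers are equal when they hold equal subject issuer configurations.
     *
     * @param o the object to compare with.
     * @return {@code true} if {@code o} is a provider with an equal configuration.
     */
    @Override
    public boolean equals(@Nullable final Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        final DittoJwtAuthorizationSubjectsProvider that = (DittoJwtAuthorizationSubjectsProvider) o;
        return Objects.equals(jwtSubjectIssuersConfig, that.jwtSubjectIssuersConfig);
    }

    /** Hash code derived from the subject issuer configuration, consistent with {@link #equals(Object)}. */
    @Override
    public int hashCode() {
        return Objects.hash(jwtSubjectIssuersConfig);
    }

    /** Renders the simple class name followed by the configuration in square brackets. */
    @Override
    public String toString() {
        return getClass().getSimpleName() + " [" +
                "jwtSubjectIssuersConfig=" + jwtSubjectIssuersConfig +
                "]";
    }

}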