From 1442170a01d56dc2f2789374e11620dbd9e9dda4 Mon Sep 17 00:00:00 2001
From: brasseld <brasseld@gmail.com>
Date: Fri, 13 Oct 2017 14:01:47 +0200
Subject: [PATCH] feat(openid): Initial implementation of UserInfo policy

Closes gravitee-io/issues#803
---
 pom.xml                                       | 151 ++++++++++++++++++
 src/assembly/policy-assembly.xml              |  59 +++++++
 .../openid/userinfo/UserInfoPolicy.java       | 119 ++++++++++++++
 .../UserInfoPolicyConfiguration.java          |  45 ++++++
 src/main/resources/plugin.properties          |   6 +
 src/main/resources/schemas/schema-form.json   |  20 +++
 6 files changed, 400 insertions(+)
 create mode 100644 pom.xml
 create mode 100644 src/assembly/policy-assembly.xml
 create mode 100644 src/main/java/io/gravitee/policy/openid/userinfo/UserInfoPolicy.java
 create mode 100644 src/main/java/io/gravitee/policy/openid/userinfo/configuration/UserInfoPolicyConfiguration.java
 create mode 100644 src/main/resources/plugin.properties
 create mode 100644 src/main/resources/schemas/schema-form.json

diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..4c678e1
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+            http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>io.gravitee.policy</groupId>
+    <artifactId>gravitee-policy-openid-connect-userinfo</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+
+    <name>Gravitee.io APIM - Policy - OpenID Connect - UserInfo</name>
+    <description>Description of the OpenID Connect - UserInfo  Gravitee Policy</description>
+
+    <parent>
+        <groupId>io.gravitee</groupId>
+        <artifactId>gravitee-parent</artifactId>
+        <version>7</version>
+    </parent>
+
+    <properties>
+        <gravitee-gateway-api.version>1.5.0</gravitee-gateway-api.version>
+        <gravitee-policy-api.version>1.2.0</gravitee-policy-api.version>
+        <gravitee-resource-api.version>1.0.0</gravitee-resource-api.version>
+        <gravitee-common.version>1.5.0</gravitee-common.version>
+        <gravitee-resource-oauth2-provider-api.version>1.1.0-SNAPSHOT</gravitee-resource-oauth2-provider-api.version>
+        <maven-assembly-plugin.version>2.5.5</maven-assembly-plugin.version>
+        <jackson.version>2.5.3</jackson.version>
+    </properties>
+
+    <dependencies>
+        <!-- Provided scope -->
+        <dependency>
+            <groupId>io.gravitee.gateway</groupId>
+            <artifactId>gravitee-gateway-api</artifactId>
+            <version>${gravitee-gateway-api.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.gravitee.resource</groupId>
+            <artifactId>gravitee-resource-api</artifactId>
+            <version>${gravitee-resource-api.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.gravitee.policy</groupId>
+            <artifactId>gravitee-policy-api</artifactId>
+            <version>${gravitee-policy-api.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.gravitee.common</groupId>
+            <artifactId>gravitee-common</artifactId>
+            <version>${gravitee-common.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.gravitee.resource</groupId>
+            <artifactId>gravitee-resource-oauth2-provider-api</artifactId>
+            <version>${gravitee-resource-oauth2-provider-api.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>${slf4j.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-context</artifactId>
+            <version>${spring.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Jackson dependencies -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Test scope -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>true</filtering>
+            </resource>
+        </resources>
+        <plugins>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>${maven-assembly-plugin.version}</version>
+                <configuration>
+                    <appendAssemblyId>false</appendAssemblyId>
+                    <descriptors>
+                        <descriptor>src/assembly/policy-assembly.xml</descriptor>
+                    </descriptors>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-policy-assembly</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/src/assembly/policy-assembly.xml b/src/assembly/policy-assembly.xml
new file mode 100644
index 0000000..d75e5ba
--- /dev/null
+++ b/src/assembly/policy-assembly.xml
@@ -0,0 +1,59 @@
+<!--
+
+    Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+            http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<assembly xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3 http://maven.apache.org/xsd/assembly-1.1.3.xsd">
+    <id>policy</id>
+    <formats>
+        <format>zip</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+
+    <!-- Include the main Policy Jar file -->
+    <files>
+        <file>
+            <source>${project.build.directory}/${project.build.finalName}.jar</source>
+        </file>
+    </files>
+
+    <fileSets>
+        <!-- Then include Policy configuration schemas -->
+        <fileSet>
+            <directory>src/main/resources/schemas</directory>
+            <outputDirectory>schemas</outputDirectory>
+        </fileSet>
+
+        <!-- Create the empty lib directory in case of no libraries is required -->
+        <!-- As there is no maven-assembly-plugin's method do to that, we hack it ourself -->
+        <fileSet>
+            <directory>${project.basedir}/src/assembly</directory>
+            <outputDirectory>lib</outputDirectory>
+            <excludes>
+                <exclude>*</exclude>
+            </excludes>
+        </fileSet>
+    </fileSets>
+
+    <!-- Finally include Policy dependencies -->
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>lib</outputDirectory>
+            <useProjectArtifact>false</useProjectArtifact>
+        </dependencySet>
+    </dependencySets>
+</assembly>
\ No newline at end of file
diff --git a/src/main/java/io/gravitee/policy/openid/userinfo/UserInfoPolicy.java b/src/main/java/io/gravitee/policy/openid/userinfo/UserInfoPolicy.java
new file mode 100644
index 0000000..6d5d067
--- /dev/null
+++ b/src/main/java/io/gravitee/policy/openid/userinfo/UserInfoPolicy.java
@@ -0,0 +1,119 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.policy.openid.userinfo;
+
+import io.gravitee.common.http.HttpHeaders;
+import io.gravitee.common.http.HttpStatusCode;
+import io.gravitee.common.http.MediaType;
+import io.gravitee.gateway.api.ExecutionContext;
+import io.gravitee.gateway.api.Request;
+import io.gravitee.gateway.api.Response;
+import io.gravitee.gateway.api.handler.Handler;
+import io.gravitee.policy.api.PolicyChain;
+import io.gravitee.policy.api.PolicyResult;
+import io.gravitee.policy.api.annotations.OnRequest;
+import io.gravitee.policy.openid.userinfo.configuration.UserInfoPolicyConfiguration;
+import io.gravitee.resource.api.ResourceManager;
+import io.gravitee.resource.oauth2.api.OAuth2Resource;
+import io.gravitee.resource.oauth2.api.openid.UserInfoResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Optional;
+
+/**
+ * @author David BRASSELY (david.brassely at graviteesource.com)
+ * @author GraviteeSource Team
+ */
+public class UserInfoPolicy {
+
+    private final static Logger logger = LoggerFactory.getLogger(UserInfoPolicy.class);
+
+    private static final String BEARER_TYPE = "Bearer";
+
+    static final String CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN = "oauth.access_token";
+    static final String CONTEXT_ATTRIBUTE_OPENID_USERINFO_PAYLOAD = "openid.userinfo.payload";
+    private UserInfoPolicyConfiguration userInfoPolicyConfiguration;
+
+    public UserInfoPolicy (UserInfoPolicyConfiguration userInfoPolicyConfiguration) {
+        this.userInfoPolicyConfiguration = userInfoPolicyConfiguration;
+    }
+
+    @OnRequest
+    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
+        logger.debug("Read access_token from request {}", request.id());
+
+        OAuth2Resource oauth2 = executionContext.getComponent(ResourceManager.class).getResource(
+                userInfoPolicyConfiguration.getOauthResource(), OAuth2Resource.class);
+
+        if (oauth2 == null) {
+            policyChain.failWith(PolicyResult.failure(HttpStatusCode.UNAUTHORIZED_401,
+                    "No OpenID Connect authorization server has been configured"));
+            return;
+        }
+
+        if (request.headers() == null || request.headers().get(HttpHeaders.AUTHORIZATION) == null || request.headers().get(HttpHeaders.AUTHORIZATION).isEmpty()) {
+            response.headers().add(HttpHeaders.WWW_AUTHENTICATE, BEARER_TYPE+" realm=gravitee.io - No OAuth authorization header was supplied");
+            policyChain.failWith(PolicyResult.failure(HttpStatusCode.UNAUTHORIZED_401,
+                    "No OAuth authorization header was supplied"));
+            return;
+        }
+
+        Optional<String> optionalHeaderAccessToken = request.headers().get(HttpHeaders.AUTHORIZATION).stream().filter(h -> h.startsWith("Bearer")).findFirst();
+        if (!optionalHeaderAccessToken.isPresent()) {
+            response.headers().add(HttpHeaders.WWW_AUTHENTICATE, BEARER_TYPE+" realm=gravitee.io - No OAuth authorization header was supplied");
+            policyChain.failWith(PolicyResult.failure(HttpStatusCode.UNAUTHORIZED_401,
+                    "No OAuth authorization header was supplied"));
+            return;
+        }
+
+        String accessToken = optionalHeaderAccessToken.get().substring(BEARER_TYPE.length()).trim();
+        if (accessToken.isEmpty()) {
+            response.headers().add(HttpHeaders.WWW_AUTHENTICATE, BEARER_TYPE+" realm=gravitee.io - No OAuth access token was supplied");
+            policyChain.failWith(PolicyResult.failure(HttpStatusCode.UNAUTHORIZED_401,
+                    "No OAuth access token was supplied"));
+            return;
+        }
+
+        // Set access_token in context
+        executionContext.setAttribute(CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN, accessToken);
+
+        // Validate access token
+        oauth2.userInfo(accessToken, handleResponse(policyChain, request, response, executionContext));
+    }
+
+    private Handler<UserInfoResponse> handleResponse(PolicyChain policyChain, Request request, Response response, ExecutionContext executionContext) {
+        return userInfoResponse -> {
+            if (userInfoResponse.isSuccess()) {
+                if (userInfoPolicyConfiguration.isExtractPayload()) {
+                    executionContext.setAttribute(CONTEXT_ATTRIBUTE_OPENID_USERINFO_PAYLOAD, userInfoResponse.getPayload());
+                }
+
+                policyChain.doNext(request, response);
+            } else {
+                response.headers().add(HttpHeaders.WWW_AUTHENTICATE, BEARER_TYPE+" realm=gravitee.io " + userInfoResponse.getPayload());
+
+                if (userInfoResponse.getThrowable() == null) {
+                    policyChain.failWith(PolicyResult.failure(HttpStatusCode.UNAUTHORIZED_401,
+                            userInfoResponse.getPayload(), MediaType.APPLICATION_JSON));
+                } else {
+                    policyChain.failWith(PolicyResult.failure(HttpStatusCode.SERVICE_UNAVAILABLE_503,
+                            "Service Unavailable"));
+                }
+            }
+        };
+    }
+}
diff --git a/src/main/java/io/gravitee/policy/openid/userinfo/configuration/UserInfoPolicyConfiguration.java b/src/main/java/io/gravitee/policy/openid/userinfo/configuration/UserInfoPolicyConfiguration.java
new file mode 100644
index 0000000..8630bac
--- /dev/null
+++ b/src/main/java/io/gravitee/policy/openid/userinfo/configuration/UserInfoPolicyConfiguration.java
@@ -0,0 +1,45 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.policy.openid.userinfo.configuration;
+
+import io.gravitee.policy.api.PolicyConfiguration;
+
+/**
+ * @author David BRASSELY (david.brassely at graviteesource.com)
+ * @author GraviteeSource Team
+ */
+public class UserInfoPolicyConfiguration implements PolicyConfiguration {
+
+    private String oauthResource;
+
+    private boolean extractPayload = false;
+
+    public String getOauthResource() {
+        return oauthResource;
+    }
+
+    public void setOauthResource(String oauthResource) {
+        this.oauthResource = oauthResource;
+    }
+
+    public boolean isExtractPayload() {
+        return extractPayload;
+    }
+
+    public void setExtractPayload(boolean extractPayload) {
+        this.extractPayload = extractPayload;
+    }
+}
diff --git a/src/main/resources/plugin.properties b/src/main/resources/plugin.properties
new file mode 100644
index 0000000..c1bca13
--- /dev/null
+++ b/src/main/resources/plugin.properties
@@ -0,0 +1,6 @@
+id=policy-openid-userinfo
+name=OpenID Connect - UserInfo
+version=${project.version}
+description=${project.description}
+class=io.gravitee.policy.openid.userinfo.UserInfoPolicy
+type=policy
diff --git a/src/main/resources/schemas/schema-form.json b/src/main/resources/schemas/schema-form.json
new file mode 100644
index 0000000..264c8f0
--- /dev/null
+++ b/src/main/resources/schemas/schema-form.json
@@ -0,0 +1,20 @@
+{
+  "type" : "object",
+  "id" : "urn:jsonschema:io:gravitee:policy:openid:userinfo:configuration:UserInfoPolicyConfiguration",
+  "properties" : {
+    "oauthResource" : {
+      "title": "OpenID Connect resource",
+      "description": "OpenID Connect resource used to validate token.",
+      "type" : "string"
+    },
+    "extractPayload" : {
+      "title": "Extract UserInfo payload",
+      "description": "Extract UserInfo response and put it into the 'openid.userinfo.payload' context attribute.",
+      "type" : "boolean",
+      "default": false
+    }
+  },
+  "required": [
+    "oauthResource"
+  ]
+}
\ No newline at end of file