WIP: support for locally refreshing access tokens

i.e. without Jira knowing (since it cannot deal with that in version 7.x)

This has become necessary since GitLab 15 enforces access token expiry
after 2h, which need to be refreshed, then.

Author: cpfeiffer

pom.xml

@@ -4,7 +4,7 @@
 
 	<groupId>com.dkaedv</groupId>
 	<artifactId>glghproxy</artifactId>
-	<version>0.5.3-SNAPSHOT</version>
+	<version>0.6.0-SNAPSHOT</version>
 	<packaging>war</packaging>
 
 	<name>glghproxy</name>

src/main/java/com/dkaedv/glghproxy/Utils.java

@@ -8,21 +8,39 @@
 //
 package com.dkaedv.glghproxy;
 
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.attribute.PosixFilePermissions;
 import java.util.List;
 import java.util.Optional;
+import java.util.Properties;
+
+import javax.validation.constraints.NotNull;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.gitlab.api.models.GitlabUser;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.dkaedv.glghproxy.githubentity.AccessToken;
 
 /**
  * A place for some helper methods.
  */
+@Component
 public class Utils {
 
 	private final static Log LOG = LogFactory.getLog(Utils.class);
 
-	private Utils() {}
+	@Value("${stateFile}")
+	private String stateFilePath;
 
 	/**
 	 * Returns the first user of the given list matching the givern email or username.
@@ -57,4 +75,72 @@ public static GitlabUser findSingleUser(List<GitlabUser> users, String emailOrUs
 //		LOG.warn("input user: " + users.get(0).getUsername() + " : " + users.get(0).getEmail());
 		return null;
 	}
+
+	public synchronized void storeTokenToProperties(@NotNull AccessToken token) throws IllegalStateException {
+		Properties properties = new Properties();
+		properties.setProperty("accessToken", token.getAccess_token());
+		properties.setProperty("refreshToken", token.getRefresh_token());
+		properties.setProperty("expiresIn", String.valueOf(token.getExpires_in()));
+		properties.setProperty("createdAt", String.valueOf(token.getCreated_at()));
+		properties.setProperty("clientId", token.getClientId());
+		properties.setProperty("clientSecret", token.getClientSecret());
+		properties.setProperty("originalToken", token.getOriginalToken());
+		properties.setProperty("redirectUri", token.getRedirectUri());
+
+		try {
+			File stateFile = new File(stateFilePath);
+			stateFile.getCanonicalFile().getParentFile().mkdirs();
+			// ensure the file is created, so that we can set the permissions prior to writing it
+			stateFile.createNewFile();
+			Files.setPosixFilePermissions(stateFile.toPath(), PosixFilePermissions.fromString("rw-------"));
+			properties.store(new BufferedOutputStream(new FileOutputStream(stateFile)), "glghproxy state");
+		} catch (IOException e) {
+			throw new IllegalStateException("Unable to store state file", e);
+		};
+	}
+
+	/**
+	 * Returns the token loaded from state, or <code>null</code> if there is no state yet
+	 * (which means, Jira must perform the OAuth dance, first).
+	 * @return the token or <code>null</code>
+	 * @throws IllegalStateException
+	 */
+	public synchronized AccessToken loadTokenFromProperties() throws IllegalStateException {
+		Properties properties = new Properties();
+		File stateFile = new File(stateFilePath);
+		try {
+			properties.load(new BufferedInputStream(new FileInputStream(stateFile)));
+			AccessToken token = new AccessToken(
+					properties.getProperty("accessToken"),
+					properties.getProperty("refreshToken"),
+					Long.valueOf(properties.getProperty("expiresIn")),
+					Long.valueOf(properties.getProperty("createdAt"))
+					);
+			token.setClientId(properties.getProperty("clientId"));
+			token.setClientSecret(properties.getProperty("clientSecret"));
+			token.setOriginalToken(properties.getProperty("originalToken"));
+			token.setRedirectUri(properties.getProperty("redirectUri"));
+
+			return token;
+		} catch (FileNotFoundException e) {
+			// no state file present, must login first
+			try {
+				LOG.warn("No state file present at " + stateFile.getCanonicalPath() + ", Jira will have to perform OAuth login first");
+			} catch (IOException e1) {
+				LOG.warn("No state file present at " + stateFile.toString() + ", Jira will have to perform OAuth login first", e1);
+			}
+			return null;
+		} catch (IOException e) {
+			throw new IllegalStateException("Unable to load state file " + stateFile.toString(), e);
+		}
+	}
+
+	public void deleteStateFile() {
+		File stateFile = new File(stateFilePath);
+		if (stateFile.exists()) {
+			if (!stateFile.delete()) {
+				throw new IllegalStateException("unable to delete state file");
+			}
+		}
+	}
 }

src/main/java/com/dkaedv/glghproxy/controller/LoginController.java

@@ -14,6 +14,8 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import com.dkaedv.glghproxy.githubentity.AccessToken;
+import com.dkaedv.glghproxy.gitlabclient.GitlabSessionProvider;
 import com.dkaedv.glghproxy.gitlabclient.OAuthClient;
 
 @Controller
@@ -25,6 +27,9 @@ public class LoginController {
 	@Autowired
 	private OAuthClient oauthClient;
 
+	@Autowired
+	private GitlabSessionProvider gitlab;
+
 	private String redirectUri;
 
 	/**
@@ -76,6 +81,8 @@ public String accessToken(
 			HttpServletRequest request
 			) throws MalformedURLException {
 
-		return oauthClient.requestAccessToken(client_id, client_secret, code, buildCallbackUrl(request)).toString();
+		AccessToken token = oauthClient.requestAccessToken(client_id, client_secret, code, buildCallbackUrl(request));
+		gitlab.setToken(token);
+		return token.toString();
 	}
 }

src/main/java/com/dkaedv/glghproxy/githubentity/AccessToken.java

@@ -1,27 +1,104 @@
 package com.dkaedv.glghproxy.githubentity;
 
+import javax.validation.constraints.NotNull;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
 public class AccessToken {
-	private String access_token;
-	private String scope = "repo";
-	private String token_type = "bearer";
-	
-	public AccessToken() {}
+	@NotNull
+	private final String access_token;
+	@NotNull
+	private final String refresh_token;
+	@NotNull
+	private final Long expires_in;
+	@NotNull
+	private final Long created_at;
+
+	private String originalToken;
+	private String clientId;
+	private String clientSecret;
+	private String redirectUri;
+
+	// constants -- these are in GitHub API
+	private final String scope = "repo";
+	private final String token_type = "bearer";
+
+//	public AccessToken() {}
 
-	public AccessToken(String access_token) {
+	@JsonCreator(mode = JsonCreator.Mode.PROPERTIES)
+	public AccessToken(
+			@JsonProperty("access_token") String access_token,
+			@JsonProperty("refresh_token") String refresh_token,
+			@JsonProperty("expires_in") Long expires_in,
+			@JsonProperty("created_at") Long created_at
+		) {
 		this.access_token = access_token;
+		this.refresh_token = refresh_token;
+		this.expires_in = expires_in;
+		this.created_at = created_at;
 	}
 	public String getAccess_token() {
 		return access_token;
 	}
+	public String getRefresh_token() {
+		return refresh_token;
+	}
+	/**
+	 * Returns an offset to @{@link #getCreated_at()} in seconds.
+	 */
+	public Long getExpires_in() {
+		return expires_in;
+	}
+	/**
+	 * Returns a Unix timestamp in seconds, of when this token was issued.
+	 */
+	public Long getCreated_at() {
+		return created_at;
+	}
 	public String getScope() {
 		return scope;
 	}
 	public String getToken_type() {
 		return token_type;
 	}
 
+	/**
+	 * Returns back the token for Jira, so in GitHub API style
+	 */
 	@Override
 	public String toString() {
 		return "access_token=" + access_token + "&scope=" + scope + "&token_type=" + token_type;
 	}
+
+	public void setClientId(String client_id) {
+		clientId = client_id;
+	}
+	public String getClientId() {
+		return clientId;
+	}
+	public void setClientSecret(String client_secret) {
+		clientSecret = client_secret;
+	}
+	public String getClientSecret() {
+		return clientSecret;
+	}
+	public void setRedirectUri(String redirect_uri) {
+		redirectUri = redirect_uri;
+	}
+	public String getRedirectUri() {
+		return redirectUri;
+	}
+	public void setOriginalToken(String originalToken) {
+		if (originalToken == null) {
+			throw new IllegalArgumentException("originalToken must not be null");
+		}
+		if (this.originalToken != null) {
+			throw new IllegalStateException("original token already set");
+		}
+		this.originalToken = originalToken;
+	}
+	public String getOriginalToken() {
+		return originalToken;
+	}
 }

src/main/java/com/dkaedv/glghproxy/gitlabclient/GitlabSessionProvider.java

@@ -1,15 +1,19 @@
 package com.dkaedv.glghproxy.gitlabclient;
 
 import javax.annotation.PostConstruct;
+import javax.validation.constraints.NotNull;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.gitlab.api.GitlabAPI;
 import org.gitlab.api.TokenType;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
 import com.dkaedv.glghproxy.Constants;
+import com.dkaedv.glghproxy.Utils;
+import com.dkaedv.glghproxy.githubentity.AccessToken;
 
 @Component
 public class GitlabSessionProvider {
@@ -18,14 +22,71 @@ public class GitlabSessionProvider {
 	@Value("${gitlabUrl}")
 	private String gitlabUrl;
 
-	public GitlabAPI connect(String authorizationHeader) {
-		String token = authorizationHeader.replaceAll("token ", "");
-		
-		GitlabAPI api = GitlabAPI.connect(gitlabUrl, token, TokenType.ACCESS_TOKEN);
+	private AccessToken token;
+
+	@Autowired
+	private OAuthClient oauthClient;
+
+	@Autowired
+	private Utils utils;
+
+	@PostConstruct
+	private void init() {
+		token = utils.loadTokenFromProperties();
+	}
+
+	/**
+	 * Called only once during initial login
+	 * @param token
+	 */
+	public void setToken(@NotNull AccessToken token) {
+		this.token = token;
+		utils.storeTokenToProperties(token);
+	}
+
+	public synchronized GitlabAPI connect(String authorizationHeader) {
+		if (token == null) {
+			throw new IllegalStateException("AccessToken token must not be null at this point");
+		}
+
+		// Note: since GitLab 15 invalidates tokens every 2h, and Jira doesn't support this flow, we
+		// - verify that the token provided by Jira "would be valid"
+		// - use our own, refreshed token instead of the one provided by Jira
+		String providedToken = authorizationHeader.replaceAll("token ", "");
+		if (!isValidOriginalToken(providedToken)) {
+			throw new IllegalArgumentException("the provided token does not match the original token from the oauth2 initialization");
+		}
+
+		if (isExpired()) {
+			LOG.info("Refreshing oauth2 token");
+			token = refreshToken();
+			utils.storeTokenToProperties(token);
+		}
+
+		GitlabAPI api = GitlabAPI.connect(gitlabUrl, token.getAccess_token(), TokenType.ACCESS_TOKEN);
 		api.ignoreCertificateErrors(Constants.IGNORE_SSL_ERRORS);
+
 		return api;
 	}
 
+	private boolean isValidOriginalToken(String providedToken) {
+		return token.getOriginalToken().equals(providedToken);
+	}
+
+	private boolean isExpired() {
+		long expiration = token.getCreated_at() + token.getExpires_in();
+		long now = System.currentTimeMillis() / 1000;
+		long extraBuffer = 10 * 60; // 10min
+		if (now >= expiration - extraBuffer) {
+			return true;
+		}
+		return false;
+	}
+
+	private AccessToken refreshToken() {
+		return oauthClient.refreshAccessToken(token);
+	}
+
 	@PostConstruct
 	public void logUrl() {
 		LOG.info("Using Gitlab Base URL: " + gitlabUrl);