initial commit

Author: guFalcon

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.gitignore

@@ -21,4 +21,14 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
-replay_pid*
+/target/
+
+src/main/java/info/unterrainer/commons/jreutils/Information.java
+
+.settings/
+
+.classpath
+
+bin/
+
+dependency-reduced-pom.xml

.project

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>Oauth-Token-Manager</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
+	</natures>
+</projectDescription>

Information.template

@@ -0,0 +1,7 @@
+package @package@;
+
+public class Information {
+	public static final String name = "@name@";
+	public static final String buildTime = "@buildTime@";
+	public static final String pomVersion = "@pomVersion@";
+}

pom.xml

@@ -0,0 +1,67 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+	<parent>
+		<groupId>info.unterrainer.commons</groupId>
+		<artifactId>parent-pom</artifactId>
+		<version>1.0.2</version>
+	</parent>
+
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>Oauth-Token-Manager</artifactId>
+	<version>1.0.0</version>
+	<name>OauthTokenManager</name>
+	<packaging>jar</packaging>
+	
+	<properties>
+		<mainclass>info.unterrainer.commons.oauthtokenmanager.OauthTokenManager</mainclass>
+		<name>Oauth-Token-Manager</name>
+		<package-path>info/unterrainer/commons/oauthtokenmanager</package-path>
+		<packg-string>info.unterrainer.commons.oauthtokenmanager</packg-string>
+	</properties>
+
+	<dependencies>
+		<!--Websocket Client-->
+		<!-- And add org.keycloak:keycloak-core to ignoredUnused below...-->
+		<dependency>
+			<groupId>org.eclipse.jetty.websocket</groupId>
+			<artifactId>websocket-api</artifactId>
+			<version>9.4.38.v20210224</version>
+			<scope>compile</scope>
+		</dependency>
+		<dependency>
+		    <groupId>org.keycloak</groupId>
+		    <artifactId>keycloak-admin-client</artifactId>
+		    <version>26.0.4</version>
+		</dependency>
+		<dependency>
+			<groupId>info.unterrainer.commons</groupId>
+			<artifactId>http-server</artifactId>
+			<version>1.0.0</version>
+		</dependency>
+	</dependencies>
+	
+	<build>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-dependency-plugin</artifactId>
+					<executions>
+						<execution>
+							<id>analyze</id>
+							<configuration>
+								<ignoredUsedUndeclaredDependencies
+									combine.children="append">
+									<ignoredUsedUndeclaredDependencies>org.keycloak:keycloak-core</ignoredUsedUndeclaredDependencies>
+									<ignoredUsedUndeclaredDependencies>org.keycloak:keycloak-common</ignoredUsedUndeclaredDependencies>
+								</ignoredUsedUndeclaredDependencies>
+							</configuration>
+						</execution>
+					</executions>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+	</build>
+</project>

src/main/java/info/unterrainer/oauthtokenmanager/OauthTokenManager.java

@@ -0,0 +1,136 @@
+package info.unterrainer.oauthtokenmanager;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.RSAPublicKeySpec;
+import java.util.Base64;
+
+import org.keycloak.TokenVerifier;
+import org.keycloak.common.VerificationException;
+import org.keycloak.representations.AccessToken;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import info.unterrainer.commons.httpserver.exceptions.ForbiddenException;
+import info.unterrainer.commons.httpserver.exceptions.UnauthorizedException;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@RequiredArgsConstructor
+public class OauthTokenManager {
+
+	private final String host;
+	private final String realm;
+
+	private String authUrl;
+	private PublicKey publicKey = null;
+
+	public void initPublicKey() {
+		String correctedHost = host;
+		String correctedRealm = realm;
+
+		if (publicKey != null)
+			return;
+		if (!correctedHost.endsWith("/"))
+			correctedHost += "/";
+		if (!correctedRealm.startsWith("/"))
+			correctedRealm = "/" + correctedRealm;
+
+		authUrl = correctedHost + "realms" + correctedRealm + "/protocol/openid-connect/certs";
+		try {
+			log.info("Getting public key from: [{}]", authUrl);
+			publicKey = fetchPublicKey(authUrl);
+		} catch (Exception e) {
+			log.error("There was an error fetching the PublicKey from the openIdConnect-server [{}].", authUrl);
+			throw new IllegalStateException(e);
+		}
+	}
+
+	private PublicKey fetchPublicKey(String jwksUrl) throws Exception {
+		ObjectMapper objectMapper = new ObjectMapper();
+		HttpClient client = HttpClient.newHttpClient();
+		HttpRequest request = HttpRequest.newBuilder().uri(URI.create(jwksUrl)).GET().build();
+
+		HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+
+		if (response.statusCode() >= 300) {
+			throw new IOException("Failed to fetch JWKS: HTTP " + response.statusCode());
+		}
+
+		JsonNode jwks = objectMapper.readTree(response.body());
+		// Just take the first key for now.
+		JsonNode key = jwks.get("keys").get(0);
+
+		String modulusBase64 = key.get("n").asText();
+		String exponentBase64 = key.get("e").asText();
+
+		byte[] modulusBytes = Base64.getUrlDecoder().decode(modulusBase64);
+		byte[] exponentBytes = Base64.getUrlDecoder().decode(exponentBase64);
+
+		BigInteger modulus = new BigInteger(1, modulusBytes);
+		BigInteger exponent = new BigInteger(1, exponentBytes);
+
+		RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
+		KeyFactory factory = KeyFactory.getInstance("RSA");
+		return factory.generatePublic(spec);
+	}
+
+	public void checkAccess(String accessToken) {
+		try {
+			TokenVerifier<AccessToken> tokenVerifier = persistUserInfoInContext(accessToken);
+			if (tokenVerifier == null)
+				throw new UnauthorizedException();
+
+			initPublicKey();
+			tokenVerifier.publicKey(publicKey);
+			try {
+				tokenVerifier.verifySignature();
+			} catch (VerificationException e) {
+				throw new UnauthorizedException(
+						"Error verifying token from user with publicKey obtained from keycloak.", e);
+			}
+
+			try {
+				tokenVerifier.verify();
+				throw new ForbiddenException();
+			} catch (VerificationException e) {
+				throw new ForbiddenException();
+			}
+		} catch (Exception e) {
+			log.error("Error checking token.", e);
+			throw e;
+		}
+	}
+
+	private TokenVerifier<AccessToken> persistUserInfoInContext(String authorizationHeader) {
+		if (authorizationHeader == null || authorizationHeader.isBlank())
+			return null;
+
+		try {
+			TokenVerifier<AccessToken> tokenVerifier = TokenVerifier.create(authorizationHeader, AccessToken.class);
+			AccessToken token = tokenVerifier.getToken();
+			if (!token.isActive()) {
+				log.warn("Token is inactive.");
+				return null;
+			}
+			// Disabled to enable getting token from side-channels like 'localhost'.
+			/*
+			 * if (!token.getIssuer().equalsIgnoreCase(authUrl)) {
+			 * setTokenRejectionReason(ctx, "Token has wrong real-url."); return null; }
+			 */
+			return tokenVerifier;
+
+		} catch (VerificationException e) {
+			log.warn("Token was checked and deemed invalid.", e);
+			return null;
+		}
+	}
+}

src/main/resources/log4j.properties

@@ -0,0 +1,14 @@
+# Set root logger level to DEBUG and its only appender to A1.
+log4j.rootLogger=DEBUG, A1
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+
+# A1 uses PatternLayout.
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.charset=UTF-8
+log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
+
+# Print only info for imported libraries.
+log4j.logger.io.netty=WARN
+log4j.logger.org.eclipse.milo=WARN

src/test/java/info/unterrainer/oauthtokenmanager/OauthTokenManagerTest.java

@@ -0,0 +1,18 @@
+package info.unterrainer.websocketserver;
+
+public class WebSocketServerTest {
+
+	public static void main(String[] args) {
+		WebsocketServer server = new WebsocketServer("https://keycloak.lan.elite-zettl.at", "Cms");
+		AiComm aiComm;
+
+		aiComm = new AiComm();
+
+		server.wsOauth("/wss", aiComm);
+		server.ws("/ws", ws -> {
+			ws.onConnect(ctx -> ctx.send("Welcome to our websocket-server!"));
+			ws.onMessage(ctx -> ctx.send("Echo from server: [" + ctx.message() + "]"));
+		});
+		server.start(7070);
+	}
+}

src/test/resources/log4j.properties

@@ -0,0 +1,14 @@
+# Set root logger level to DEBUG and its only appender to A1.
+log4j.rootLogger=DEBUG, A1
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+
+# A1 uses PatternLayout.
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.charset=UTF-8
+log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
+
+# Print only info for imported libs.
+log4j.logger.io.netty=WARN
+log4j.logger.org.eclipse.milo=WARN