initial commit

Author: guFalcon

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.github/workflows/pipeline.yml

@@ -0,0 +1,28 @@
+name: PIPELINE
+
+on:
+  push:
+    branches:
+      - 'master'
+  workflow_dispatch:
+
+jobs:
+  bump:
+    uses: UnterrainerInformatik/bump-semver-workflow/.github/workflows/workflow.yml@master
+
+  build:
+    name: Build and publish to Maven Central 🚀
+    needs: bump
+    uses: UnterrainerInformatik/maven-central-workflow/.github/workflows/workflow.yml@master
+    with:
+      major_version: ${{ needs.bump.outputs.major_version }}
+      minor_version: ${{ needs.bump.outputs.minor_version }}
+      build_version: ${{ needs.bump.outputs.build_version }}
+      maven_profiles: release-to-sonatype
+      maven_args: -Dmaven.test.skip=true
+    secrets:
+      SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+      SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+      GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
+      GPG_OWNERTRUST: ${{ secrets.GPG_OWNERTRUST }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.gitignore

@@ -21,4 +21,14 @@
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
-replay_pid*
+/target/
+
+src/main/java/info/unterrainer/commons/jreutils/Information.java
+
+.settings/
+
+.classpath
+
+bin/
+
+dependency-reduced-pom.xml

.project

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>serialization</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
+	</natures>
+</projectDescription>

Information.template

@@ -0,0 +1,7 @@
+package @package@;
+
+public class Information {
+	public static final String name = "@name@";
+	public static final String buildTime = "@buildTime@";
+	public static final String pomVersion = "@pomVersion@";
+}

pom.xml

@@ -0,0 +1,67 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+	<parent>
+		<groupId>info.unterrainer.commons</groupId>
+		<artifactId>parent-javalin-pom</artifactId>
+		<version>1.0.2</version>
+	</parent>
+
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>websocket-server</artifactId>
+	<version>1.0.0</version>
+	<name>WebsocketServer</name>
+	<packaging>jar</packaging>
+	
+	<properties>
+		<mainclass>info.unterrainer.commons.websocketserver.WebsocketServer</mainclass>
+		<name>Websocket-Server</name>
+		<package-path>info/unterrainer/commons/websocketserver</package-path>
+		<packg-string>info.unterrainer.commons.websocketserver</packg-string>
+	</properties>
+
+	<dependencies>
+		<!--Websocket Server-->
+		<!-- And add org.keycloak:keycloak-core to ignoredUnused below...-->
+		<dependency>
+			<groupId>org.eclipse.jetty.websocket</groupId>
+			<artifactId>websocket-api</artifactId>
+			<version>9.4.38.v20210224</version>
+			<scope>compile</scope>
+		</dependency>
+		<dependency>
+		    <groupId>org.keycloak</groupId>
+		    <artifactId>keycloak-admin-client</artifactId>
+		    <version>26.0.4</version>
+		</dependency>
+		<dependency>
+			<groupId>info.unterrainer.commons</groupId>
+			<artifactId>http-server</artifactId>
+			<version>1.0.0</version>
+		</dependency>
+	</dependencies>
+	
+	<build>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-dependency-plugin</artifactId>
+					<executions>
+						<execution>
+							<id>analyze</id>
+							<configuration>
+								<ignoredUsedUndeclaredDependencies
+									combine.children="append">
+									<ignoredUsedUndeclaredDependencies>org.keycloak:keycloak-core</ignoredUsedUndeclaredDependencies>
+									<ignoredUsedUndeclaredDependencies>org.keycloak:keycloak-common</ignoredUsedUndeclaredDependencies>
+								</ignoredUsedUndeclaredDependencies>
+							</configuration>
+						</execution>
+					</executions>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+	</build>
+</project>

src/main/java/info/unterrainer/websocketserver/AiComm.java

@@ -0,0 +1,33 @@
+package info.unterrainer.websocketserver;
+
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+import io.javalin.websocket.WsConnectContext;
+import io.javalin.websocket.WsMessageContext;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class AiComm extends WsOauthHandlerBase {
+
+	private Set<WsConnectContext> connectedWsClients = ConcurrentHashMap.newKeySet();
+
+	@Override
+	public void onConnect(WsConnectContext ctx) throws Exception {
+		super.onConnect(ctx);
+		connectedWsClients.add(ctx);
+		ctx.send("Welcome to our websocket-server!");
+	}
+
+	@Override
+	public void onMessage(WsMessageContext ctx) throws Exception {
+		super.onMessage(ctx);
+
+		// Broadcast to all connected WS clients.
+		for (WsConnectContext client : connectedWsClients) {
+			if (client.session.isOpen()) {
+				client.send("Echo from server: [" + ctx.message() + "]");
+			}
+		}
+	}
+}

src/main/java/info/unterrainer/websocketserver/JwtTokenHandler.java

@@ -0,0 +1,136 @@
+package info.unterrainer.websocketserver;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.RSAPublicKeySpec;
+import java.util.Base64;
+
+import org.keycloak.TokenVerifier;
+import org.keycloak.common.VerificationException;
+import org.keycloak.representations.AccessToken;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import info.unterrainer.commons.httpserver.exceptions.ForbiddenException;
+import info.unterrainer.commons.httpserver.exceptions.UnauthorizedException;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@RequiredArgsConstructor
+public class JwtTokenHandler {
+
+	private final String host;
+	private final String realm;
+
+	private String authUrl;
+	private PublicKey publicKey = null;
+
+	public void initPublicKey() {
+		String correctedHost = host;
+		String correctedRealm = realm;
+
+		if (publicKey != null)
+			return;
+		if (!correctedHost.endsWith("/"))
+			correctedHost += "/";
+		if (!correctedRealm.startsWith("/"))
+			correctedRealm = "/" + correctedRealm;
+
+		authUrl = correctedHost + "realms" + correctedRealm + "/protocol/openid-connect/certs";
+		try {
+			log.info("Getting public key from: [{}]", authUrl);
+			publicKey = fetchPublicKey(authUrl);
+		} catch (Exception e) {
+			log.error("There was an error fetching the PublicKey from the openIdConnect-server [{}].", authUrl);
+			throw new IllegalStateException(e);
+		}
+	}
+
+	private PublicKey fetchPublicKey(String jwksUrl) throws Exception {
+		ObjectMapper objectMapper = new ObjectMapper();
+		HttpClient client = HttpClient.newHttpClient();
+		HttpRequest request = HttpRequest.newBuilder().uri(URI.create(jwksUrl)).GET().build();
+
+		HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+
+		if (response.statusCode() >= 300) {
+			throw new IOException("Failed to fetch JWKS: HTTP " + response.statusCode());
+		}
+
+		JsonNode jwks = objectMapper.readTree(response.body());
+		// Just take the first key for now.
+		JsonNode key = jwks.get("keys").get(0);
+
+		String modulusBase64 = key.get("n").asText();
+		String exponentBase64 = key.get("e").asText();
+
+		byte[] modulusBytes = Base64.getUrlDecoder().decode(modulusBase64);
+		byte[] exponentBytes = Base64.getUrlDecoder().decode(exponentBase64);
+
+		BigInteger modulus = new BigInteger(1, modulusBytes);
+		BigInteger exponent = new BigInteger(1, exponentBytes);
+
+		RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
+		KeyFactory factory = KeyFactory.getInstance("RSA");
+		return factory.generatePublic(spec);
+	}
+
+	public void checkAccess(String authorizationHeader) {
+		try {
+			TokenVerifier<AccessToken> tokenVerifier = persistUserInfoInContext(authorizationHeader);
+			if (tokenVerifier == null)
+				throw new UnauthorizedException();
+
+			initPublicKey();
+			tokenVerifier.publicKey(publicKey);
+			try {
+				tokenVerifier.verifySignature();
+			} catch (VerificationException e) {
+				throw new UnauthorizedException(
+						"Error verifying token from user with publicKey obtained from keycloak.", e);
+			}
+
+			try {
+				tokenVerifier.verify();
+				throw new ForbiddenException();
+			} catch (VerificationException e) {
+				throw new ForbiddenException();
+			}
+		} catch (Exception e) {
+			log.error("Error checking token.", e);
+			throw e;
+		}
+	}
+
+	private TokenVerifier<AccessToken> persistUserInfoInContext(String authorizationHeader) {
+		if (authorizationHeader == null || authorizationHeader.isBlank())
+			return null;
+
+		try {
+			TokenVerifier<AccessToken> tokenVerifier = TokenVerifier.create(authorizationHeader, AccessToken.class);
+			AccessToken token = tokenVerifier.getToken();
+			if (!token.isActive()) {
+				log.warn("Token is inactive.");
+				return null;
+			}
+			// Disabled to enable getting token from side-channels like 'localhost'.
+			/*
+			 * if (!token.getIssuer().equalsIgnoreCase(authUrl)) {
+			 * setTokenRejectionReason(ctx, "Token has wrong real-url."); return null; }
+			 */
+			return tokenVerifier;
+
+		} catch (VerificationException e) {
+			log.warn("Token was checked and deemed invalid.", e);
+			return null;
+		}
+	}
+}

src/main/java/info/unterrainer/websocketserver/WebsocketServer.java

@@ -0,0 +1,66 @@
+package info.unterrainer.websocketserver;
+
+import java.util.HashSet;
+import java.util.function.Consumer;
+
+import org.jetbrains.annotations.NotNull;
+
+import io.javalin.Javalin;
+import io.javalin.websocket.WsHandler;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class WebsocketServer {
+
+	private String keycloakHost;
+	private String realm;
+	private JwtTokenHandler tokenHandler;
+
+	private Javalin wss;
+	private boolean isOauthEnabled = false;
+
+	public WebsocketServer() {
+		wss = Javalin.create();
+	}
+
+	public WebsocketServer(String keycloakHost, String keycloakRealm) {
+		this.keycloakHost = keycloakHost;
+		this.realm = keycloakRealm;
+
+		try {
+			tokenHandler = new JwtTokenHandler(this.keycloakHost, this.realm);
+			tokenHandler.initPublicKey();
+			wss = Javalin.create();
+			isOauthEnabled = true;
+		} catch (Exception e) {
+			// Exceptions will terminate a request later on, but should not terminate the
+			// main-thread here.
+		}
+	}
+
+	public WebsocketServer start(int port) {
+		wss.start(port);
+		log.debug("Websocket server started on port: {}", port);
+		return this;
+	}
+
+	public WebsocketServer ws(@NotNull String path, @NotNull Consumer<WsHandler> ws) {
+		wss.ws(path, ws, new HashSet<>());
+		return this;
+	}
+
+	public WebsocketServer wsOauth(@NotNull String path, @NotNull WsOauthHandlerBase handler) {
+		if (!isOauthEnabled) {
+			throw new IllegalStateException("Websocket server is not configured for OAuth2/JWT support.");
+		}
+
+		handler.setTokenHandler(tokenHandler);
+		wss.ws(path, ws -> {
+			ws.onConnect(handler::onConnect);
+			ws.onMessage(handler::onMessage);
+			ws.onClose(handler::onClose);
+			ws.onError(handler::onError);
+		});
+		return this;
+	}
+}