Support opaque tokens for the first issuer (#75)

Author: jonenst

src/main/java/org/gridsuite/gateway/GatewayConfig.java

@@ -27,6 +27,7 @@ public class GatewayConfig {
     public static final String END_POINT_SERVICE_NAME = "end_point_service_name";
 
     public static final String HEADER_USER_ID = "userId";
+    public static final String HEADER_CLIENT_ID = "clientId";
 
     @Bean
     public RouteLocator myRoutes(RouteLocatorBuilder builder, ApplicationContext context) {

src/main/java/org/gridsuite/gateway/GatewayService.java

@@ -8,7 +8,10 @@
 package org.gridsuite.gateway;
 
 import org.gridsuite.gateway.dto.OpenIdConfiguration;
+import org.gridsuite.gateway.dto.TokenIntrospection;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
+import org.springframework.web.reactive.function.BodyInserters;
 import org.springframework.web.reactive.function.client.WebClient;
 import org.springframework.web.util.DefaultUriBuilderFactory;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -18,6 +21,12 @@
 public class GatewayService {
     private WebClient.Builder webClientBuilder;
 
+    @Value("${client_id}")
+    private String clientId;
+
+    @Value("${client_secret}")
+    private String clientSecret;
+
     public GatewayService() {
         webClientBuilder = WebClient.builder();
     }
@@ -44,4 +53,31 @@ public Mono<String> getJwkSet(String jwkSetUri) {
                 .bodyToMono(String.class)
                 .single();
     }
+
+    public Mono<String> getOpaqueTokenIntrospectionUri(String issBaseUri) {
+        WebClient webClient = webClientBuilder.uriBuilderFactory(new DefaultUriBuilderFactory(issBaseUri)).build();
+
+        String path = UriComponentsBuilder.fromPath("/.well-known/openid-configuration")
+            .toUriString();
+
+        return webClient.get()
+                 .uri(path)
+                 .retrieve()
+                 .bodyToMono(OpenIdConfiguration.class)
+                 .single()
+                 .map(OpenIdConfiguration::getIntrospectionEndpoint);
+    }
+
+    public Mono<TokenIntrospection> getOpaqueTokenIntrospection(String introspectionUri, String token) {
+        WebClient webClient = webClientBuilder.uriBuilderFactory(new DefaultUriBuilderFactory(introspectionUri)).build();
+
+        return webClient.post()
+                .body(BodyInserters
+                        .fromFormData("client_id", clientId)
+                        .with("client_secret", clientSecret)
+                        .with("token", token))
+                 .retrieve()
+                 .bodyToMono(TokenIntrospection.class)
+                 .single();
+    }
 }

src/main/java/org/gridsuite/gateway/dto/OpenIdConfiguration.java

@@ -24,4 +24,17 @@ public String getJwksUri() {
     public void setJwksUri(String jwksUri) {
         this.jwksUri = jwksUri;
     }
+
+    @JsonAlias("introspection_endpoint")
+    String introspectionEndpoint;
+
+    @JsonGetter("introspectionEndpoint")
+    public String getIntrospectionEndpoint() {
+        return introspectionEndpoint;
+    }
+
+    @JsonSetter("introspectionEndpoint")
+    public void setIntrospectionEndpoint(String introspectionEndpoint) {
+        this.introspectionEndpoint = introspectionEndpoint;
+    }
 }

src/main/java/org/gridsuite/gateway/dto/TokenIntrospection.java

@@ -0,0 +1,38 @@
+/**
+ * Copyright (c) 2023, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+package org.gridsuite.gateway.dto;
+
+import com.fasterxml.jackson.annotation.JsonAlias;
+import com.fasterxml.jackson.annotation.JsonGetter;
+import com.fasterxml.jackson.annotation.JsonSetter;
+
+public class TokenIntrospection {
+
+    boolean active;
+
+    public boolean getActive() {
+        return active;
+    }
+
+    public void setActive(boolean active) {
+        this.active = active;
+    }
+
+    @JsonAlias("client_id")
+    String clientId;
+
+    @JsonGetter("clientId")
+    public String getClientId() {
+        return clientId;
+    }
+
+    @JsonSetter("clientId")
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+}

src/main/java/org/gridsuite/gateway/filters/TokenValidatorGlobalPreFilter.java

@@ -19,6 +19,7 @@
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.gridsuite.gateway.GatewayService;
+import org.gridsuite.gateway.dto.TokenIntrospection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -37,14 +38,16 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import static org.gridsuite.gateway.GatewayConfig.HEADER_USER_ID;
+//TODO add client_id
+//import static org.gridsuite.gateway.GatewayConfig.HEADER_CLIENT_ID;
 
 /**
  * @author Chamseddine Benhamed <chamseddine.benhamed at rte-france.com>
  */
 @Component
 public class TokenValidatorGlobalPreFilter extends AbstractGlobalPreFilter {
 
-    public static final String UNAUTHORIZED_INVALID_PLAIN_JOSE_OBJECT_ENCODING = "{}: 401 Unauthorized, Invalid plain JOSE object encoding";
+    public static final String UNAUTHORIZED_INVALID_PLAIN_JOSE_OBJECT_ENCODING = "{}: 401 Unauthorized, Invalid plain JOSE object encoding or inactive opaque token";
     public static final String PARSING_ERROR = "{}: 500 Internal Server Error, error has been reached unexpectedly while parsing";
 
     private static final Logger LOGGER = LoggerFactory.getLogger(TokenValidatorGlobalPreFilter.class);
@@ -103,33 +106,56 @@ public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
         try {
             jwt = JWTParser.parse(token);
             jwtClaimsSet = jwt.getJWTClaimsSet();
+
+            LOGGER.debug("checking issuer");
+            if (allowedIssuers.stream().noneMatch(iss -> jwtClaimsSet.getIssuer().startsWith(iss))) {
+                LOGGER.info("{}: 401 Unauthorized, {} Issuer is not in the issuers white list", exchange.getRequest().getPath(), jwtClaimsSet.getIssuer());
+                return completeWithCode(exchange, HttpStatus.UNAUTHORIZED);
+            }
+
+            Issuer iss = new Issuer(jwtClaimsSet.getIssuer());
+            ClientID clientID = new ClientID(jwtClaimsSet.getAudience().get(0));
+
+            JWSAlgorithm jwsAlg = JWSAlgorithm.parse(jwt.getHeader().getAlgorithm().getName());
+            return proceedFilter(new FilterInfos(exchange, chain, jwt, jwtClaimsSet, iss, clientID, jwsAlg));
         } catch (java.text.ParseException e) {
             // Invalid plain JOSE object encoding
-            LOGGER.info(UNAUTHORIZED_INVALID_PLAIN_JOSE_OBJECT_ENCODING, exchange.getRequest().getPath());
-            return completeWithCode(exchange, HttpStatus.UNAUTHORIZED);
+            // Don't print the full stacktrace here for less verbose logs,
+            // we have enough context with just the message
+            LOGGER.debug("JWTParser.parse ParseException, will attempt to use as opaque token: ({})", e.getMessage());
+            // TODO try more than just the first issuer here ? get the issuer from the client ?
+            return validateOpaqueReferenceToken(allowedIssuers.get(0), token, exchange, chain);
         }
+    }
 
-        LOGGER.debug("checking issuer");
-        if (allowedIssuers.stream().noneMatch(iss -> jwtClaimsSet.getIssuer().startsWith(iss))) {
-            LOGGER.info("{}: 401 Unauthorized, {} Issuer is not in the issuers white list", exchange.getRequest().getPath(), jwtClaimsSet.getIssuer());
-            return completeWithCode(exchange, HttpStatus.UNAUTHORIZED);
-        }
-
-        Issuer iss = new Issuer(jwtClaimsSet.getIssuer());
-        ClientID clientID = new ClientID(jwtClaimsSet.getAudience().get(0));
-
-        JWSAlgorithm jwsAlg = JWSAlgorithm.parse(jwt.getHeader().getAlgorithm().getName());
-        return proceedFilter(new FilterInfos(exchange, chain, jwt, jwtClaimsSet, iss, clientID, jwsAlg));
+    private Mono<Void> validateOpaqueReferenceToken(String issBaseUri, String token, ServerWebExchange exchange,
+            GatewayFilterChain chain) {
+        // TODO CACHE the two requests
+        return gatewayService.getOpaqueTokenIntrospectionUri(issBaseUri)
+                .flatMap(uri -> gatewayService.getOpaqueTokenIntrospection(uri, token))
+                .flatMap((TokenIntrospection tokenIntrospection) -> {
+                    // TODO really add the client_id header instead of userid
+                    exchange.getRequest().mutate()
+                            .headers(h -> h.set(HEADER_USER_ID, tokenIntrospection.getClientId()));
+                    if (tokenIntrospection.getActive()) {
+                        LOGGER.debug("Opaque Token verified, it can be trusted");
+                        return chain.filter(exchange);
+                    } else {
+                        LOGGER.info(UNAUTHORIZED_INVALID_PLAIN_JOSE_OBJECT_ENCODING, exchange.getRequest().getPath());
+                        return completeWithCode(exchange, HttpStatus.UNAUTHORIZED);
+                    }
+                });
     }
 
     private Mono<Void> validate(FilterInfos filterInfos, JWKSet jwkset) throws BadJOSEException, JOSEException {
 
         // Create validator for signed ID tokens
+        // this works with jwt access tokens too (by chance ?) Do we need to modify this ?
         IDTokenValidator validator = new IDTokenValidator(filterInfos.getIss(), filterInfos.getClientID(), filterInfos.getJwsAlg(), jwkset);
 
         validator.validate(filterInfos.getJwt(), null);
         // we can safely trust the JWT
-        LOGGER.debug("Token verified, it can be trusted");
+        LOGGER.debug("JWT Token verified, it can be trusted");
 
         //we add the subject header
         filterInfos.getExchange().getRequest()

src/main/java/org/gridsuite/gateway/filters/UserAdminControlGlobalPreFilter.java

@@ -18,9 +18,10 @@
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
 
-import java.util.Objects;
+import java.util.List;
 
 import static org.gridsuite.gateway.GatewayConfig.HEADER_USER_ID;
+import static org.gridsuite.gateway.GatewayConfig.HEADER_CLIENT_ID;
 
 /**
  * @author Etienne Homer <etienne.homer at rte-france.com>
@@ -40,9 +41,22 @@ public Mono<Void> filter(@NonNull ServerWebExchange exchange, @NonNull GatewayFi
         LOGGER.debug("Filter : {}", getClass().getSimpleName());
 
         HttpHeaders httpHeaders = exchange.getRequest().getHeaders();
-        String sub = Objects.requireNonNull(httpHeaders.get(HEADER_USER_ID)).get(0);
+        List<String> maybeSubList = httpHeaders.get(HEADER_USER_ID);
+        List<String> maybeClientIdList = httpHeaders.get(HEADER_CLIENT_ID);
 
-        return userAdminService.userExists(sub).flatMap(userExist ->  Boolean.TRUE.equals(userExist) ? chain.filter(exchange) : completeWithCode(exchange, HttpStatus.FORBIDDEN));
+        if (maybeSubList != null) {
+            String sub = maybeSubList.get(0);
+            return userAdminService.userExists(sub).flatMap(userExist ->  Boolean.TRUE.equals(userExist) ? chain.filter(exchange) : completeWithCode(exchange, HttpStatus.FORBIDDEN));
+        }
+
+        if (maybeClientIdList != null) {
+            // String clientId = maybeClientId.get(0);
+            // TODO do something with clientId
+            return chain.filter(exchange);
+        }
+
+        // no sub or no clientid, can't control access
+        return completeWithCode(exchange, HttpStatus.UNAUTHORIZED);
     }
 
     @Override

src/test/java/org/gridsuite/gateway/TokenValidationTest.java

@@ -70,6 +70,7 @@
         "gridsuite.services.network-modification-server.base-uri=http://localhost:${wiremock.server.port}",
         "gridsuite.services.user-admin-server.base-uri=http://localhost:${wiremock.server.port}",
         "gridsuite.services.sensitivity-analysis-server.base-uri=http://localhost:${wiremock.server.port}",
+        "allowed-issuers=http://localhost:${wiremock.server.port}"
     })
 
 @AutoConfigureWireMock(port = 0)
@@ -260,6 +261,12 @@ public void gatewayTest() {
                 .withHeader("Content-Type", "application/json")
                 .withBody("{\"id\": \"report1\", \"reports\" :[{\"date\":\"2001:01:01T11:11\", \"report\": \"Lets Rock\" }]}")));
 
+        testToken(elementUuid, token);
+        //TODO are all requests supposed to work with reference tokens from clients ?
+        testToken(elementUuid, "clientopaquetoken");
+    }
+
+    private void testToken(UUID elementUuid, String token) {
         webClient
                 .get().uri("case/v1/cases")
                 .header("Authorization", "Bearer " + token)
@@ -388,12 +395,21 @@ private void initStubForJwk() {
         stubFor(get(urlEqualTo("/.well-known/openid-configuration"))
             .willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
-                .withBody("{\"jwks_uri\": \"http://localhost:" + port + "/jwks\"}")));
+                .withBody("{"
+                        + "\"jwks_uri\": \"http://localhost:" + port + "/jwks\","
+                                + "\"introspection_endpoint\": \"http://localhost:" + port + "/introspection\""
+                        + "}")));
 
         stubFor(get(urlEqualTo("/jwks"))
             .willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
                 .withBody("{\"keys\" : [ " + rsaKey.toJSONString() + " ] }")));
+
+        stubFor(post(urlEqualTo("/introspection"))
+                .withRequestBody(equalTo("client_id=gridsuite&client_secret=secret&token=clientopaquetoken"))
+                .willReturn(aResponse()
+                    .withHeader("Content-Type", "application/json")
+                    .withBody("{\"active\":true,\"token_type\":\"Bearer\",\"exp\":2673442276,\"client_id\":\"chmits\"}")));
     }
 
     @Test
@@ -409,7 +425,10 @@ public void testJwksUpdate() {
         stubFor(get(urlEqualTo("/.well-known/openid-configuration"))
                 .willReturn(aResponse()
                         .withHeader("Content-Type", "application/json")
-                        .withBody("{\"jwks_uri\": \"http://localhost:" + port + "/jwks\"}")));
+                        .withBody("{"
+                                + "\"jwks_uri\": \"http://localhost:" + port + "/jwks\","
+                                + "\"introspection_endpoint\": \"http://localhost:" + port + "/introspection\""
+                                + "}")));
 
         UUID stubId = UUID.randomUUID();
 
@@ -474,7 +493,15 @@ public void invalidToken() {
         stubFor(get(urlEqualTo("/.well-known/openid-configuration"))
                 .willReturn(aResponse()
                         .withHeader("Content-Type", "application/json")
-                        .withBody("{\"jwks_uri\": \"http://localhost:" + port + "/jwks\"}")));
+                        .withBody("{"
+                                + "\"jwks_uri\": \"http://localhost:" + port + "/jwks\","
+                                + "\"introspection_endpoint\": \"http://localhost:" + port + "/introspection\""
+                                + "}")));
+
+        stubFor(post(urlEqualTo("/introspection"))
+                .willReturn(aResponse()
+                    .withHeader("Content-Type", "application/json")
+                    .withBody("{\"active\":false}")));
 
         stubFor(get(urlEqualTo("/jwks"))
                 .willReturn(aResponse()
@@ -518,7 +545,7 @@ public void invalidToken() {
                 .exchange()
                 .expectStatus().isEqualTo(401);
 
-        //test with non JSON token
+        // test with non JSON token, non valid reference token
         webClient
                 .get().uri("case/v1/cases")
                 .header("Authorization", "Bearer " + "NonValidToken")

src/test/resources/allowed-issuers.yml

@@ -1 +1,3 @@
-allowed-issuers: http://localhost
+allowed-issuers: http://localhost
+client_id: gridsuite
+client_secret: secret