HttpCallTask implementation lack OAuth authentication support

Author: treblereel

api/src/test/java/io/serverlessworkflow/api/ApiTest.java

@@ -63,6 +63,23 @@ void testCallHTTPAPI() throws IOException {
     }
   }
 
+  @Test
+  void testCallHttpOauthAPI() throws IOException {
+    Workflow workflow = readWorkflowFromClasspath("features/authentication-oauth2.yaml");
+    assertThat(workflow.getDo()).isNotEmpty();
+    assertThat(workflow.getDo().get(0).getName()).isNotNull();
+    assertThat(workflow.getDo().get(0).getTask()).isNotNull();
+    Task task = workflow.getDo().get(0).getTask();
+    if (task.get() instanceof CallTask) {
+      CallTask callTask = task.getCallTask();
+      assertThat(callTask).isNotNull();
+      assertThat(task.getDoTask()).isNull();
+      CallHTTP httpCall = callTask.getCallHTTP();
+      assertThat(httpCall).isNotNull();
+      assertThat(httpCall.getWith().getMethod()).isEqualTo("get");
+    }
+  }
+
   @Test
   void testCallFunctionAPIWithoutArguments() throws IOException {
     Workflow workflow = readWorkflowFromClasspath("features/callFunction.yaml");

impl/core/src/main/java/io/serverlessworkflow/impl/WorkflowError.java

@@ -27,9 +27,11 @@ public static Builder error(String type, int status) {
   }
 
   public static Builder communication(int status, TaskContext context, Exception ex) {
-    return new Builder(COMM_TYPE, status)
-        .instance(context.position().jsonPointer())
-        .title(ex.getMessage());
+    return communication(status, context, ex.getMessage());
+  }
+
+  public static Builder communication(int status, TaskContext context, String title) {
+    return new Builder(COMM_TYPE, status).instance(context.position().jsonPointer()).title(title);
   }
 
   public static Builder runtime(int status, TaskContext context, Exception ex) {

impl/http/pom.xml

@@ -24,6 +24,10 @@
             <groupId>org.glassfish.jersey.core</groupId>
             <artifactId>jersey-client</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.serverlessworkflow</groupId>
             <artifactId>serverlessworkflow-api</artifactId>

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/AuthProvider.java

@@ -20,8 +20,17 @@
 import io.serverlessworkflow.impl.WorkflowModel;
 import jakarta.ws.rs.client.Invocation;
 
-@FunctionalInterface
 interface AuthProvider {
+
+  default void preRequest(
+      Invocation.Builder builder, WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+    // Default implementation does nothing
+  }
+
+  default void postRequest(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+    // Default implementation does nothing
+  }
+
   Invocation.Builder build(
       Invocation.Builder builder, WorkflowContext workflow, TaskContext task, WorkflowModel model);
 }

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/HttpExecutor.java

@@ -154,7 +154,10 @@ public CompletableFuture<WorkflowModel> apply(
     return CompletableFuture.supplyAsync(
         () -> {
           try {
-            return requestFunction.apply(request, workflow, taskContext, input);
+            authProvider.ifPresent(auth -> auth.preRequest(request, workflow, taskContext, input));
+            WorkflowModel result = requestFunction.apply(request, workflow, taskContext, input);
+            authProvider.ifPresent(auth -> auth.postRequest(workflow, taskContext, input));
+            return result;
           } catch (WebApplicationException exception) {
             throw new WorkflowException(
                 WorkflowError.communication(

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/OAuth2AuthProvider.java

@@ -16,24 +16,55 @@
 package io.serverlessworkflow.impl.executors.http;
 
 import io.serverlessworkflow.api.types.OAuth2AuthenticationPolicy;
+import io.serverlessworkflow.api.types.Oauth2;
 import io.serverlessworkflow.api.types.Workflow;
 import io.serverlessworkflow.impl.TaskContext;
 import io.serverlessworkflow.impl.WorkflowApplication;
 import io.serverlessworkflow.impl.WorkflowContext;
 import io.serverlessworkflow.impl.WorkflowModel;
+import io.serverlessworkflow.impl.executors.http.oauth.JWT;
+import io.serverlessworkflow.impl.executors.http.oauth.OAuthRequestBuilder;
+import jakarta.ws.rs.client.Invocation;
 import jakarta.ws.rs.client.Invocation.Builder;
 
 public class OAuth2AuthProvider implements AuthProvider {
 
+  private Oauth2 oauth2;
+
+  private WorkflowApplication workflowApplication;
+
+  private static final String BEARER_TOKEN = "%s %s";
+
   public OAuth2AuthProvider(
-      WorkflowApplication app, Workflow workflow, OAuth2AuthenticationPolicy authPolicy) {
-    throw new UnsupportedOperationException("Oauth2 auth not supported yet");
+      WorkflowApplication application, Workflow workflow, OAuth2AuthenticationPolicy authPolicy) {
+    this.workflowApplication = application;
+    Oauth2 oauth2 = authPolicy.getOauth2();
+
+    if (oauth2.getOAuth2ConnectAuthenticationProperties() != null) {
+      this.oauth2 = oauth2;
+    } else if (oauth2.getOAuth2AuthenticationPolicySecret() != null) {
+      throw new UnsupportedOperationException("Secrets are still not supported");
+    }
   }
 
   @Override
   public Builder build(
       Builder builder, WorkflowContext workflow, TaskContext task, WorkflowModel model) {
-    // TODO Auto-generated method stub
     return builder;
   }
+
+  @Override
+  public void preRequest(
+      Invocation.Builder builder, WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+    JWT token =
+        new OAuthRequestBuilder(workflowApplication, oauth2)
+            .build(workflow, task, model)
+            .validateAndGet();
+
+    String tokenType = (String) token.getClaim("typ");
+
+    builder.header(
+        AuthProviderFactory.AUTH_HEADER_NAME,
+        String.format(BEARER_TOKEN, tokenType, token.getToken()));
+  }
 }

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/oauth/AccessTokenProvider.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.serverlessworkflow.impl.executors.http.oauth;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
+import io.serverlessworkflow.impl.TaskContext;
+import java.net.http.HttpRequest;
+import java.util.List;
+
+public class AccessTokenProvider {
+
+  private final TokenResponseHandler tokenResponseHandler = new TokenResponseHandler();
+
+  private final TaskContext context;
+  private final List<String> issuers;
+  private final HttpRequest requestBuilder;
+
+  public AccessTokenProvider(
+      HttpRequest requestBuilder, TaskContext context, List<String> issuers) {
+    this.requestBuilder = requestBuilder;
+    this.issuers = issuers;
+    this.context = context;
+  }
+
+  public JWT validateAndGet() {
+    JsonNode token = tokenResponseHandler.apply(requestBuilder, context);
+    JWT jwt;
+    try {
+      jwt = JWT.fromString(token.get("access_token").asText());
+    } catch (JsonProcessingException e) {
+      throw new RuntimeException("Failed to parse JWT token: " + e.getMessage(), e);
+    }
+    if (!(issuers == null || issuers.isEmpty())) {
+      String tokenIssuer = (String) jwt.getClaim("iss");
+      if (tokenIssuer == null || tokenIssuer.isEmpty() || !issuers.contains(tokenIssuer)) {
+        throw new RuntimeException("Token issuer is not valid: " + tokenIssuer);
+      }
+    }
+    return jwt;
+  }
+}

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/oauth/ClientSecretBasic.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.serverlessworkflow.impl.executors.http.oauth;
+
+import static io.serverlessworkflow.api.types.OAuth2AutenthicationData.OAuth2AutenthicationDataGrant.CLIENT_CREDENTIALS;
+import static io.serverlessworkflow.api.types.OAuth2AutenthicationData.OAuth2AutenthicationDataGrant.PASSWORD;
+
+import io.serverlessworkflow.api.types.OAuth2AutenthicationData;
+import io.serverlessworkflow.api.types.Oauth2;
+import java.util.Base64;
+
+class ClientSecretBasic {
+
+  private final Oauth2 oauth2;
+
+  public ClientSecretBasic(Oauth2 oauth2) {
+    this.oauth2 = oauth2;
+  }
+
+  public void execute(HttpRequestBuilder requestBuilder) {
+    OAuth2AutenthicationData authenticationData =
+        oauth2.getOAuth2ConnectAuthenticationProperties().getOAuth2AutenthicationData();
+
+    if (authenticationData.getGrant().equals(PASSWORD)) {
+      password(requestBuilder);
+    } else if (authenticationData.getGrant().equals(CLIENT_CREDENTIALS)) {
+      clientCredentials(requestBuilder);
+    } else {
+      throw new UnsupportedOperationException(
+          "Unsupported grant type: " + authenticationData.getGrant());
+    }
+  }
+
+  private void clientCredentials(HttpRequestBuilder requestBuilder) {
+    OAuth2AutenthicationData authenticationData =
+        oauth2.getOAuth2ConnectAuthenticationProperties().getOAuth2AutenthicationData();
+    if (authenticationData.getClient() == null
+        || authenticationData.getClient().getId() == null
+        || authenticationData.getClient().getSecret() == null) {
+      throw new IllegalArgumentException(
+          "Client ID and secret must be provided for client authentication");
+    }
+
+    String idAndSecret =
+        authenticationData.getClient().getId() + ":" + authenticationData.getClient().getSecret();
+    String encodedAuth = Base64.getEncoder().encodeToString(idAndSecret.getBytes());
+
+    requestBuilder
+        .addHeader("Authorization", "Basic " + encodedAuth)
+        .withMethod("POST")
+        .addQueryParam("grant_type", "client_credentials");
+  }
+
+  private void password(HttpRequestBuilder requestBuilder) {
+    OAuth2AutenthicationData authenticationData =
+        oauth2.getOAuth2ConnectAuthenticationProperties().getOAuth2AutenthicationData();
+    if (authenticationData.getUsername() == null || authenticationData.getPassword() == null) {
+      throw new IllegalArgumentException(
+          "Username and password must be provided for password grant type");
+    }
+    if (authenticationData.getClient() == null
+        || authenticationData.getClient().getId() == null
+        || authenticationData.getClient().getSecret() == null) {
+      throw new IllegalArgumentException(
+          "Client ID and secret must be provided for client authentication");
+    }
+
+    String idAndSecret =
+        authenticationData.getClient().getId() + ":" + authenticationData.getClient().getSecret();
+    String encodedAuth = Base64.getEncoder().encodeToString(idAndSecret.getBytes());
+
+    requestBuilder
+        .withMethod("POST")
+        .addHeader("Authorization", "Basic " + encodedAuth)
+        .addQueryParam("grant_type", "password")
+        .addQueryParam("username", authenticationData.getUsername())
+        .addQueryParam("password", authenticationData.getPassword());
+  }
+}

impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/oauth/ClientSecretPostStep.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.serverlessworkflow.impl.executors.http.oauth;
+
+import static io.serverlessworkflow.api.types.OAuth2AutenthicationData.OAuth2AutenthicationDataGrant.CLIENT_CREDENTIALS;
+import static io.serverlessworkflow.api.types.OAuth2AutenthicationData.OAuth2AutenthicationDataGrant.PASSWORD;
+
+import io.serverlessworkflow.api.types.OAuth2AutenthicationData;
+import io.serverlessworkflow.api.types.Oauth2;
+
+class ClientSecretPostStep {
+  private final Oauth2 oauth2;
+
+  public ClientSecretPostStep(Oauth2 oauth2) {
+    this.oauth2 = oauth2;
+  }
+
+  public void execute(HttpRequestBuilder requestBuilder) {
+    OAuth2AutenthicationData authenticationData =
+        oauth2.getOAuth2ConnectAuthenticationProperties().getOAuth2AutenthicationData();
+
+    if (authenticationData.getGrant().equals(PASSWORD)) {
+      password(requestBuilder);
+    } else if (authenticationData.getGrant().equals(CLIENT_CREDENTIALS)) {
+      clientCredentials(requestBuilder);
+    } else {
+      throw new UnsupportedOperationException(
+          "Unsupported grant type: " + authenticationData.getGrant());
+    }
+  }
+
+  private void clientCredentials(HttpRequestBuilder requestBuilder) {
+    OAuth2AutenthicationData authenticationData =
+        oauth2.getOAuth2ConnectAuthenticationProperties().getOAuth2AutenthicationData();
+    if (authenticationData.getClient() == null
+        || authenticationData.getClient().getId() == null
+        || authenticationData.getClient().getSecret() == null) {
+      throw new IllegalArgumentException(
+          "Client ID and secret must be provided for client authentication");
+    }
+
+    requestBuilder
+        .withMethod("POST")
+        .addQueryParam("grant_type", "client_credentials")
+        .addQueryParam("client_id", authenticationData.getClient().getId())
+        .addQueryParam("client_secret", authenticationData.getClient().getSecret());
+  }
+
+  private void password(HttpRequestBuilder requestBuilder) {
+    OAuth2AutenthicationData authenticationData =
+        oauth2.getOAuth2ConnectAuthenticationProperties().getOAuth2AutenthicationData();
+    if (authenticationData.getUsername() == null || authenticationData.getPassword() == null) {
+      throw new IllegalArgumentException(
+          "Username and password must be provided for password grant type");
+    }
+    if (authenticationData.getClient() == null
+        || authenticationData.getClient().getId() == null
+        || authenticationData.getClient().getSecret() == null) {
+      throw new IllegalArgumentException(
+          "Client ID and secret must be provided for client authentication");
+    }
+
+    requestBuilder
+        .withMethod("POST")
+        .addQueryParam("grant_type", "password")
+        .addQueryParam("client_id", authenticationData.getClient().getId())
+        .addQueryParam("client_secret", authenticationData.getClient().getSecret())
+        .addQueryParam("username", authenticationData.getUsername())
+        .addQueryParam("password", authenticationData.getPassword());
+  }
+}