Get basepath for token exchange from bookmark.

Author: chenkins

hub/src/main/java/cloud/katta/protocols/hub/serializer/HubConfigDtoDeserializer.java

@@ -13,7 +13,6 @@
 import com.dd.plist.NSDictionary;
 
 import static ch.cyberduck.core.Profile.*;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID;
 
 public class HubConfigDtoDeserializer extends ProxyDeserializer<NSDictionary> {
 
@@ -33,9 +32,6 @@ public <L> List<L> listForKey(final String key) {
         switch(key) {
             case PROPERTIES_KEY:
                 final List<String> properties = new ArrayList<>(super.listForKey(key));
-                if(dto.getKeycloakClientIdCryptomatorVaults() != null) {
-                    properties.add(String.format("%s=%s", OAUTH_TOKENEXCHANGE_CLIENT_ID, dto.getKeycloakClientIdCryptomatorVaults()));
-                }
                 return (List<L>) properties;
             case SCOPES_KEY:
                 return (List<L>) Collections.singletonList("openid");

hub/src/main/java/cloud/katta/protocols/hub/serializer/StorageProfileDtoWrapperDeserializer.java

@@ -56,7 +56,6 @@ public <L> List<L> listForKey(final String key) {
                     if(dto.getStsDurationSeconds() != null) {
                         properties.add(String.format("%s=%s", S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS, dto.getStsDurationSeconds().toString()));
                     }
-                    properties.add(String.format("%s=%s", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_SECRET, ""));
                 }
                 log.debug("Return properties {} from {}", properties, dto);
                 return (List<L>) properties;

hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleProtocol.java

@@ -15,9 +15,8 @@ public class S3AssumeRoleProtocol extends S3Protocol {
 
     // Token exchange
     public static final String OAUTH_TOKENEXCHANGE = "oauth.tokenexchange";
-    public static final String OAUTH_TOKENEXCHANGE_CLIENT_ID = "oauth.tokenexchange.client_id";
-    public static final String OAUTH_TOKENEXCHANGE_CLIENT_SECRET = "oauth.tokenexchange.audience.client_secret";
-    public static final String OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES = "oauth.tokenexchange.additional_scopes";
+    public static final String OAUTH_TOKENEXCHANGE_VAULT = "oauth.tokenexchange.vault";
+    public static final String OAUTH_TOKENEXCHANGE_BASEPATH = "oauth.tokenexchange.basepath";
 
     // STS assume role with web identity from Cyberduck core (AWS + MinIO)
     public static final String S3_ASSUMEROLE_ROLEARN = "s3.assumerole.rolearn";

hub/src/main/java/cloud/katta/protocols/s3/STSChainedAssumeRoleRequestInterceptor.java

@@ -114,7 +114,7 @@ public void refresh() {
         if(StringUtils.isNotBlank(preferences.getProperty("s3.assumerole.tag"))) {
             request.setTags(Collections.singletonList(new Tag()
                     .withKey(preferences.getProperty("s3.assumerole.tag"))
-                    .withValue(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES))));
+                    .withValue(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT))));
         }
         try {
             log.debug("Use request {}", request);

hub/src/main/java/cloud/katta/protocols/s3/TokenExchangeRequestInterceptor.java

@@ -15,6 +15,8 @@
 import ch.cyberduck.core.preferences.HostPreferences;
 import ch.cyberduck.core.preferences.PreferencesReader;
 
+import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_BASEPATH;
+
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.client.HttpClient;
 import org.apache.logging.log4j.LogManager;
@@ -70,19 +72,19 @@ public OAuthTokens refresh(final OAuthTokens previous) throws BackgroundExceptio
      *
      * @param previous Input tokens retrieved to exchange at the token endpoint
      * @return New tokens
-     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_CLIENT_ID
-     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES
+     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_VAULT
+     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_BASEPATH
      */
     public OAuthTokens exchange(final OAuthTokens previous) throws BackgroundException {
         log.info("Exchange tokens {} for {}", previous, bookmark);
         final PreferencesReader preferences = new HostPreferences(bookmark);
         final ApiClient apiClient = new ApiClient(Collections.singletonMap("bearer", new HttpBearerAuth("bearer")));
         apiClient.addDefaultHeader("Authorization",String.format("Bearer %s", previous.getAccessToken()));
-        apiClient.setBasePath("http://localhost:8280/");
+        apiClient.setBasePath(preferences.getProperty(OAUTH_TOKENEXCHANGE_BASEPATH));
 
         final StorageResourceApi api = new StorageResourceApi(apiClient);
         try {
-            AccessTokenResponse tokenExchangeResponse = api.apiStorageS3TokenPost(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES));
+            AccessTokenResponse tokenExchangeResponse = api.apiStorageS3TokenPost(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT));
             // N.B. token exchange with Id token does not work!
             final OAuthTokens tokens = new OAuthTokens(tokenExchangeResponse.getAccessToken(),
                     tokenExchangeResponse.getRefreshToken(),
@@ -100,12 +102,6 @@ public Credentials validate() throws BackgroundException {
         final Credentials credentials = super.validate();
         final OAuthTokens tokens = credentials.getOauth();
         final String accessToken = tokens.getAccessToken();
-        final PreferencesReader preferences = new HostPreferences(bookmark);
-        final String tokenExchangeClientId = preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID);
-        if(StringUtils.isEmpty(tokenExchangeClientId)) {
-            log.warn("Found {} empty, although {} is set to {} - misconfiguration?", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID, OAUTH_TOKENEXCHANGE, preferences.getBoolean(OAUTH_TOKENEXCHANGE));
-            return credentials;
-        }
         try {
             final DecodedJWT jwt = JWT.decode(accessToken);
 

hub/src/main/java/cloud/katta/workflows/VaultServiceImpl.java

@@ -38,8 +38,7 @@
 import com.nimbusds.jose.jwk.OctetSequenceKey;
 
 import static cloud.katta.crypto.uvf.UvfMetadataPayload.UniversalVaultFormatJWKS.memberKeyFromRawKey;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN;
+import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.*;
 
 public class VaultServiceImpl implements VaultService {
     private static final Logger log = LogManager.getLogger(VaultServiceImpl.class);
@@ -123,7 +122,8 @@ public Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto c
             credentials.setPassword(vaultMetadata.getPassword());
         }
         if(protocol.getProperties().get(S3_ASSUMEROLE_ROLEARN) != null) {
-            bookmark.setProperty(OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES, vaultId.toString());
+            bookmark.setProperty(OAUTH_TOKENEXCHANGE_VAULT, vaultId.toString());
+            bookmark.setProperty(OAUTH_TOKENEXCHANGE_BASEPATH, this.vaultResource.getApiClient().getBasePath());
         }
         // region as chosen by user upon vault creation (STS) or as retrieved from bucket (permanent)
         bookmark.setRegion(vaultMetadata.getRegion());