Merge pull request #158 from shift7-ch/feature/token-endpoint

Use token exchange proxy via POST `/api/storage/s3-token`

Author: chenkins

hub/src/main/java/cloud/katta/protocols/hub/HubVaultListService.java

@@ -96,7 +96,7 @@ public AttributedList<Path> list(final Path directory, final ListProgressListene
                         }
                         throw e;
                     }
-                    final Host bookmark = vaultService.getStorageBackend(protocols, configDto, vaultDto.getId(),
+                    final Host bookmark = vaultService.getStorageBackend(protocols, session, configDto, vaultDto.getId(),
                             vaultMetadata.storage(), tokens);
                     log.debug("Configured {} for vault {}", bookmark, vaultDto);
                     final Session<?> storage = SessionFactory.create(bookmark, trust, key);

hub/src/main/java/cloud/katta/protocols/hub/serializer/HubConfigDtoDeserializer.java

@@ -13,7 +13,6 @@
 import com.dd.plist.NSDictionary;
 
 import static ch.cyberduck.core.Profile.*;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID;
 
 public class HubConfigDtoDeserializer extends ProxyDeserializer<NSDictionary> {
 
@@ -33,9 +32,6 @@ public <L> List<L> listForKey(final String key) {
         switch(key) {
             case PROPERTIES_KEY:
                 final List<String> properties = new ArrayList<>(super.listForKey(key));
-                if(dto.getKeycloakClientIdCryptomatorVaults() != null) {
-                    properties.add(String.format("%s=%s", OAUTH_TOKENEXCHANGE_CLIENT_ID, dto.getKeycloakClientIdCryptomatorVaults()));
-                }
                 return (List<L>) properties;
             case SCOPES_KEY:
                 return (List<L>) Collections.singletonList("openid");

hub/src/main/java/cloud/katta/protocols/hub/serializer/StorageProfileDtoWrapperDeserializer.java

@@ -56,7 +56,6 @@ public <L> List<L> listForKey(final String key) {
                     if(dto.getStsDurationSeconds() != null) {
                         properties.add(String.format("%s=%s", S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS, dto.getStsDurationSeconds().toString()));
                     }
-                    properties.add(String.format("%s=%s", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_SECRET, ""));
                 }
                 log.debug("Return properties {} from {}", properties, dto);
                 return (List<L>) properties;

hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleProtocol.java

@@ -15,9 +15,8 @@ public class S3AssumeRoleProtocol extends S3Protocol {
 
     // Token exchange
     public static final String OAUTH_TOKENEXCHANGE = "oauth.tokenexchange";
-    public static final String OAUTH_TOKENEXCHANGE_CLIENT_ID = "oauth.tokenexchange.client_id";
-    public static final String OAUTH_TOKENEXCHANGE_CLIENT_SECRET = "oauth.tokenexchange.audience.client_secret";
-    public static final String OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES = "oauth.tokenexchange.additional_scopes";
+    public static final String OAUTH_TOKENEXCHANGE_VAULT = "oauth.tokenexchange.vault";
+    public static final String OAUTH_TOKENEXCHANGE_BASEPATH = "oauth.tokenexchange.basepath";
 
     // STS assume role with web identity from Cyberduck core (AWS + MinIO)
     public static final String S3_ASSUMEROLE_ROLEARN = "s3.assumerole.rolearn";

hub/src/main/java/cloud/katta/protocols/s3/STSChainedAssumeRoleRequestInterceptor.java

@@ -114,7 +114,7 @@ public void refresh() {
         if(StringUtils.isNotBlank(preferences.getProperty("s3.assumerole.tag"))) {
             request.setTags(Collections.singletonList(new Tag()
                     .withKey(preferences.getProperty("s3.assumerole.tag"))
-                    .withValue(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES))));
+                    .withValue(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT))));
         }
         try {
             log.debug("Use request {}", request);

hub/src/main/java/cloud/katta/protocols/s3/TokenExchangeRequestInterceptor.java

@@ -5,66 +5,49 @@
 package cloud.katta.protocols.s3;
 
 import ch.cyberduck.core.Credentials;
-import ch.cyberduck.core.DefaultIOExceptionMappingService;
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
 import ch.cyberduck.core.OAuthTokens;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.exception.LoginCanceledException;
 import ch.cyberduck.core.exception.LoginFailureException;
-import ch.cyberduck.core.http.DefaultHttpResponseExceptionMappingService;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
-import ch.cyberduck.core.oauth.OAuthExceptionMappingService;
 import ch.cyberduck.core.preferences.HostPreferences;
 import ch.cyberduck.core.preferences.PreferencesReader;
 
-import org.apache.commons.lang3.StringUtils;
 import org.apache.http.client.HttpClient;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import java.io.IOException;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
+import cloud.katta.client.ApiException;
+import cloud.katta.client.api.StorageResourceApi;
+import cloud.katta.client.model.AccessTokenResponse;
+import cloud.katta.protocols.hub.HubSession;
+import cloud.katta.protocols.hub.exceptions.HubExceptionMappingService;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.exceptions.JWTDecodeException;
 import com.auth0.jwt.interfaces.DecodedJWT;
-import com.google.api.client.auth.oauth2.TokenRequest;
-import com.google.api.client.auth.oauth2.TokenResponse;
-import com.google.api.client.auth.oauth2.TokenResponseException;
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpResponseException;
-import com.google.api.client.http.apache.v2.ApacheHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
-
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE;
 
 /**
  * Exchange OIDC token to scoped token using OAuth 2.0 Token Exchange. Used for S3-STS in Katta.
  */
 public class TokenExchangeRequestInterceptor extends OAuth2RequestInterceptor {
     private static final Logger log = LogManager.getLogger(TokenExchangeRequestInterceptor.class);
 
-    // https://datatracker.ietf.org/doc/html/rfc8693#name-request
-    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
-    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_ID = "client_id";
-    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_SECRET = "client_secret";
-    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN = "subject_token";
-    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE = "subject_token_type";
-    public static final String OAUTH_TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token";
-    // https://openid.net/specs/openid-connect-core-1_0.html
+    /**
+     * The party to which the ID Token was issued
+     * <a href="https://openid.net/specs/openid-connect-core-1_0.html">...</a>
+     */
     public static final String OIDC_AUTHORIZED_PARTY = "azp";
 
-
     private final Host bookmark;
-    private final HttpClient client;
 
     public TokenExchangeRequestInterceptor(final HttpClient client, final Host bookmark, final LoginCallback prompt) throws LoginCanceledException {
         super(client, bookmark, prompt);
         this.bookmark = bookmark;
-        this.client = client;
     }
 
     @Override
@@ -82,49 +65,26 @@ public OAuthTokens refresh(final OAuthTokens previous) throws BackgroundExceptio
      *
      * @param previous Input tokens retrieved to exchange at the token endpoint
      * @return New tokens
-     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_CLIENT_ID
-     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES
+     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_VAULT
+     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_BASEPATH
      */
     public OAuthTokens exchange(final OAuthTokens previous) throws BackgroundException {
         log.info("Exchange tokens {} for {}", previous, bookmark);
-        final TokenRequest request = new TokenRequest(
-                new ApacheHttpTransport(client),
-                new GsonFactory(),
-                new GenericUrl(bookmark.getProtocol().getOAuthTokenUrl()),
-                OAUTH_GRANT_TYPE_TOKEN_EXCHANGE
-        );
-        request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_ID, bookmark.getProtocol().getOAuthClientId());
         final PreferencesReader preferences = new HostPreferences(bookmark);
-        if(!StringUtils.isEmpty(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID))) {
-            request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_ID, preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID));
-            request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_SECRET, preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_SECRET));
-        }
-        request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN, previous.getAccessToken());
-        request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE, OAUTH_TOKEN_TYPE_ACCESS_TOKEN);
-        final ArrayList<String> scopes = new ArrayList<>(bookmark.getProtocol().getOAuthScopes());
-        if(!StringUtils.isEmpty(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES))) {
-            scopes.addAll(Arrays.asList(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES).split(" ")));
-        }
-        request.setScopes(scopes);
-        log.debug("Token exchange request {} for {}", request, bookmark);
+        final HubSession hub = bookmark.getProtocol().getFeature(HubSession.class);
+        log.debug("Exchange token with hub {}", hub);
+        final StorageResourceApi api = new StorageResourceApi(hub.getClient());
         try {
-            final TokenResponse tokenExchangeResponse = request.execute();
+            AccessTokenResponse tokenExchangeResponse = api.apiStorageS3TokenPost(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_VAULT));
             // N.B. token exchange with Id token does not work!
             final OAuthTokens tokens = new OAuthTokens(tokenExchangeResponse.getAccessToken(),
                     tokenExchangeResponse.getRefreshToken(),
-                    System.currentTimeMillis() + tokenExchangeResponse.getExpiresInSeconds() * 1000);
+                    System.currentTimeMillis() + tokenExchangeResponse.getExpiresIn() * 1000);
             log.debug("Received exchanged token {} for {}", tokens, bookmark);
             return tokens;
         }
-        catch(TokenResponseException e) {
-            throw new OAuthExceptionMappingService().map(e);
-        }
-        catch(HttpResponseException e) {
-            throw new DefaultHttpResponseExceptionMappingService().map(new org.apache.http.client
-                    .HttpResponseException(e.getStatusCode(), e.getStatusMessage()));
-        }
-        catch(IOException e) {
-            throw new DefaultIOExceptionMappingService().map(e);
+        catch(ApiException e) {
+            throw new HubExceptionMappingService().map(e);
         }
     }
 
@@ -133,12 +93,6 @@ public Credentials validate() throws BackgroundException {
         final Credentials credentials = super.validate();
         final OAuthTokens tokens = credentials.getOauth();
         final String accessToken = tokens.getAccessToken();
-        final PreferencesReader preferences = new HostPreferences(bookmark);
-        final String tokenExchangeClientId = preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID);
-        if(StringUtils.isEmpty(tokenExchangeClientId)) {
-            log.warn("Found {} empty, although {} is set to {} - misconfiguration?", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID, OAUTH_TOKENEXCHANGE, preferences.getBoolean(OAUTH_TOKENEXCHANGE));
-            return credentials;
-        }
         try {
             final DecodedJWT jwt = JWT.decode(accessToken);
 

hub/src/main/java/cloud/katta/workflows/CreateVaultService.java

@@ -134,7 +134,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
 
             final OAuthTokens tokens = keychain.findOAuthTokens(hubSession.getHost());
             final Host bookmark = new VaultServiceImpl(vaultResource, storageProfileResource).getStorageBackend(ProtocolFactory.get(),
-                    configResource.apiConfigGet(), vaultDto.getId(), metadataPayload.storage(), tokens);
+                    hubSession, configResource.apiConfigGet(), vaultDto.getId(), metadataPayload.storage(), tokens);
             if(storageProfileWrapper.getProtocol() == Protocol.S3) {
                 // permanent: template upload into existing bucket from client (not backend)
                 templateUploadService.uploadTemplate(bookmark, metadataPayload, storageDto, hashedRootDirId);

hub/src/main/java/cloud/katta/workflows/VaultService.java

@@ -5,18 +5,18 @@
 package cloud.katta.workflows;
 
 import ch.cyberduck.core.Host;
-
-import java.util.UUID;
-
 import ch.cyberduck.core.OAuthTokens;
 import ch.cyberduck.core.ProtocolFactory;
 
+import java.util.UUID;
+
 import cloud.katta.client.ApiException;
 import cloud.katta.client.model.ConfigDto;
 import cloud.katta.crypto.UserKeys;
 import cloud.katta.crypto.uvf.UvfAccessTokenPayload;
 import cloud.katta.crypto.uvf.UvfMetadataPayload;
 import cloud.katta.crypto.uvf.VaultMetadataJWEBackendDto;
+import cloud.katta.protocols.hub.HubSession;
 import cloud.katta.workflows.exceptions.AccessException;
 import cloud.katta.workflows.exceptions.SecurityFailure;
 
@@ -47,13 +47,15 @@ public interface VaultService {
 
     /**
      * Prepares (virtual) bookmark for vault to access its configured storage backend.
+     *
      * @param protocols Registered protocol implementations to access backend storage
+     * @param hub       Hub API Connection
      * @param configDto Hub configuration
-     * @param vaultId Vault ID
-     * @param metadata Storage Backend configuration
+     * @param vaultId   Vault ID
+     * @param metadata  Storage Backend configuration
      * @return Configuration
      * @throws AccessException Unsupported backend storage protocol
-     * @throws ApiException Server error accessing storage profile
+     * @throws ApiException    Server error accessing storage profile
      */
-    Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto configDto, UUID vaultId, VaultMetadataJWEBackendDto metadata, final OAuthTokens tokens) throws AccessException, ApiException;
+    Host getStorageBackend(final ProtocolFactory protocols, final HubSession hub, final ConfigDto configDto, UUID vaultId, VaultMetadataJWEBackendDto metadata, final OAuthTokens tokens) throws AccessException, ApiException;
 }

hub/src/main/java/cloud/katta/workflows/VaultServiceImpl.java

@@ -38,8 +38,7 @@
 import com.nimbusds.jose.jwk.OctetSequenceKey;
 
 import static cloud.katta.crypto.uvf.UvfMetadataPayload.UniversalVaultFormatJWKS.memberKeyFromRawKey;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN;
+import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.*;
 
 public class VaultServiceImpl implements VaultService {
     private static final Logger log = LogManager.getLogger(VaultServiceImpl.class);
@@ -85,7 +84,7 @@ public UvfAccessTokenPayload getVaultAccessTokenJWE(final UUID vaultId, final Us
     }
 
     @Override
-    public Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto configDto, final UUID vaultId, final VaultMetadataJWEBackendDto vaultMetadata, final OAuthTokens tokens) throws ApiException, AccessException {
+    public Host getStorageBackend(final ProtocolFactory protocols, final HubSession hub, final ConfigDto configDto, final UUID vaultId, final VaultMetadataJWEBackendDto vaultMetadata, final OAuthTokens tokens) throws ApiException, AccessException {
         if(null == protocols.forName(vaultMetadata.getProvider())) {
             log.debug("Load missing profile {}", vaultMetadata.getProvider());
             final StorageProfileDtoWrapper storageProfile = StorageProfileDtoWrapper.coerce(storageProfileResourceApi
@@ -94,8 +93,8 @@ public Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto c
             switch(storageProfile.getProtocol()) {
                 case S3:
                 case S3_STS:
-                    final Profile profile = new Profile(protocols.forType(protocols.find(ProtocolFactory.BUNDLED_PROFILE_PREDICATE), Protocol.Type.s3), new StorageProfileDtoWrapperDeserializer(
-                            new HubConfigDtoDeserializer(configDto), storageProfile));
+                    final Profile profile = new HubAwareProfile(hub, protocols.forType(protocols.find(ProtocolFactory.BUNDLED_PROFILE_PREDICATE), Type.s3),
+                            configDto, storageProfile);
                     log.debug("Register storage profile {}", profile);
                     protocols.register(profile);
                     break;
@@ -123,10 +122,30 @@ public Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto c
             credentials.setPassword(vaultMetadata.getPassword());
         }
         if(protocol.getProperties().get(S3_ASSUMEROLE_ROLEARN) != null) {
-            bookmark.setProperty(OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES, vaultId.toString());
+            bookmark.setProperty(OAUTH_TOKENEXCHANGE_VAULT, vaultId.toString());
+            bookmark.setProperty(OAUTH_TOKENEXCHANGE_BASEPATH, this.vaultResource.getApiClient().getBasePath());
         }
         // region as chosen by user upon vault creation (STS) or as retrieved from bucket (permanent)
         bookmark.setRegion(vaultMetadata.getRegion());
         return bookmark;
     }
+
+    private static final class HubAwareProfile extends Profile {
+        private final HubSession hub;
+
+        public HubAwareProfile(final HubSession hub, final Protocol parent, final ConfigDto configDto, final StorageProfileDtoWrapper storageProfile) {
+            super(parent, new StorageProfileDtoWrapperDeserializer(
+                    new HubConfigDtoDeserializer(configDto), storageProfile));
+            this.hub = hub;
+        }
+
+        @SuppressWarnings("unchecked")
+        @Override
+        public <T> T getFeature(final Class<T> type) {
+            if(type == HubSession.class) {
+                return (T) hub;
+            }
+            return super.getFeature(type);
+        }
+    }
 }