TokenEndpoint
package com.unijunction.ordercloud.security.oauth.rest; | |
import com.unijunction.ordercloud.organisation.dao.UnitDao;
import com.unijunction.ordercloud.organisation.model.Unit;
import com.unijunction.ordercloud.security.dao.UserUnitLinksDao;
import com.unijunction.ordercloud.security.model.User;
import com.unijunction.ordercloud.security.model.UserUnitLinks;
import com.unijunction.ordercloud.security.oauth.dto.TokenRequestDto;
import com.unijunction.ordercloud.security.oauth.model.OAuthAccessToken;
import com.unijunction.ordercloud.security.password.OrderCloudPasswordService;
import com.unijunction.ordercloud.security.realm.OrderCloudRealm;
import com.unijunction.ordercloud.security.utils.DesEncryption;
import org.apache.oltu.oauth2.as.issuer.MD5Generator;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.error.OAuthError;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.ejb.EJB;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Calendar;
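/**
 * JAX-RS resource implementing the OAuth 2.0 token endpoint.
 *
 * <p>A request is processed in order: the organisation code is resolved to a
 * {@link Unit}, the presented organisation secret is compared with the stored
 * client secret, the grant-specific credentials (username/password for
 * {@code client_credentials}, a refresh token for {@code refresh_token}) are
 * checked, and only then is a new access token issued, stored on the
 * {@link UserUnitLinks} row and returned as a JSON token response.
 *
 * <p>Several helpers are stubbed out in this listing ("removed"); each stub is
 * documented with the fixed value it returns so the resulting behaviour of
 * {@link #authorize} is clear.
 */
@Path("/token")
public class TokenEndpoint {

    private static final Logger log = LoggerFactory.getLogger(TokenEndpoint.class);

    /** Lifetime of an issued access token, in seconds (also reported as {@code expires_in}). */
    private static final int TOKEN_LIFETIME_SECONDS = 3600;

    @EJB
    UserUnitLinksDao userUnitLinksDao;
    @EJB
    OrderCloudRealm orderCloudRealm;
    @EJB
    UnitDao unitDao;

    public static final String INVALID_CLIENT_DESCRIPTION = "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).";

    /**
     * Handles a token request.
     *
     * @param dto     the JSON request body (organisation code/secret, grant type,
     *                username/password or refresh token)
     * @param request the servlet request; currently unused
     * @return a 200 token response, or a 400/401 OAuth error response
     * @throws OAuthSystemException if the OAuth response cannot be built
     */
    @POST
    @Consumes("application/json")
    @Produces("application/json")
    public Response authorize(final TokenRequestDto dto, @Context HttpServletRequest request) throws OAuthSystemException {
        // Without a body or an organisation code there is no client to identify.
        if (dto == null || dto.getOrganisation_code() == null) {
            return buildInvalidClientIdResponse();
        }

        // 1. Resolve the organisation (the OAuth client) by its code.
        Unit unit;
        try {
            unit = unitDao.findByCode(dto.getOrganisation_code());
        } catch (NullPointerException npe) {
            // NOTE(review): the DAO appears to signal an unknown code with an NPE;
            // confirm and replace with the null check below if it returns null instead.
            return buildInvalidClientIdResponse();
        }
        if (unit == null) {
            return buildInvalidClientIdResponse();
        }

        // 2. Verify the organisation secret. A failure to read the stored secret
        //    is an authentication failure; it must not degrade into a comparison
        //    against an empty string (which an empty presented secret would match).
        String storedClientSecret;
        try {
            storedClientSecret = unitDao.decryptClientSecret(unit.getId());
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return buildInvalidClientSecretResponse();
        }
        if (!secretsMatch(dto.getOrganisation_secret(), storedClientSecret)) {
            return buildInvalidClientSecretResponse();
        }

        // 3. Grant-specific credential checks. Any other grant type is rejected
        //    rather than falling through to token issuance with no check at all.
        String grantType = dto.getGrant_type();
        if (GrantType.CLIENT_CREDENTIALS.toString().equals(grantType)) {
            User user = checkUserPass(dto.getUsername(), dto.getPassword());
            if (user == null) {
                return buildInvalidUserPassResponse();
            }
        } else if (GrantType.REFRESH_TOKEN.toString().equals(grantType)) {
            if (!checkRefreshToken(dto.getRefresh_token(), dto.getOrganisation_code())) {
                return buildBadRefreshCodeResponse();
            }
        } else {
            return buildUnsupportedGrantTypeResponse();
        }

        // 4. Find the user/organisation link that will own the new token.
        // NOTE(review): the lookup is by refresh token for every grant type,
        // including client_credentials — confirm this is intended.
        UserUnitLinks userUnitLinks =
                userUnitLinksDao.findUserByValidRefreshToken(dto.getRefresh_token(), dto.getOrganisation_code());
        if (userUnitLinks == null) {
            return buildClientNotAuthorized();
        }

        // 5. Issue a fresh token and persist it on the link, reusing the existing
        //    token row when there is one.
        OAuthIssuer oauthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());
        final String accessToken = oauthIssuerImpl.accessToken();

        OAuthAccessToken oAuthAccessToken = userUnitLinks.getAccess_token();
        if (oAuthAccessToken == null) {
            oAuthAccessToken = new OAuthAccessToken();
        }
        oAuthAccessToken.setToken(accessToken);
        oAuthAccessToken.setExpires(TOKEN_LIFETIME_SECONDS);
        Calendar expiry = Calendar.getInstance();
        expiry.add(Calendar.SECOND, TOKEN_LIFETIME_SECONDS);
        oAuthAccessToken.setExpiryDate(expiry.getTime());
        oAuthAccessToken.setValid(true);
        userUnitLinks.setAccess_token(oAuthAccessToken);
        userUnitLinksDao.edit(userUnitLinks);

        OAuthResponse response = OAuthASResponse
                .tokenResponse(HttpServletResponse.SC_OK)
                .setAccessToken(accessToken)
                .setExpiresIn(String.valueOf(TOKEN_LIFETIME_SECONDS))
                .buildJSONMessage();
        return toResponse(response);
    }

    /**
     * Compares the presented secret with the stored one without leaking timing
     * information about how many leading bytes match. A missing value on either
     * side is a mismatch.
     */
    private static boolean secretsMatch(String presented, String stored) {
        if (presented == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /** Wraps a built OAuth message into a JAX-RS response with its status and JSON body. */
    private static Response toResponse(OAuthResponse response) {
        return Response.status(response.getResponseStatus()).entity(response.getBody()).build();
    }

    /** Builds a JSON OAuth error response with the given HTTP status, error code and description. */
    private static Response buildErrorResponse(int httpStatus, String error, String description) throws OAuthSystemException {
        OAuthResponse response = OAuthASResponse
                .errorResponse(httpStatus)
                .setError(error)
                .setErrorDescription(description)
                .buildJSONMessage();
        return toResponse(response);
    }

    /** 400 {@code invalid_client}: the organisation code did not resolve to a unit. */
    private Response buildInvalidClientIdResponse() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_BAD_REQUEST,
                OAuthError.TokenResponse.INVALID_CLIENT, INVALID_CLIENT_DESCRIPTION);
    }

    /** 401 {@code unauthorized_client}: the organisation secret did not match. */
    private Response buildInvalidClientSecretResponse() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_UNAUTHORIZED,
                OAuthError.TokenResponse.UNAUTHORIZED_CLIENT, INVALID_CLIENT_DESCRIPTION);
    }

    /** 400 {@code unsupported_grant_type}: the grant type is neither client_credentials nor refresh_token. */
    private Response buildUnsupportedGrantTypeResponse() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_BAD_REQUEST,
                OAuthError.TokenResponse.UNSUPPORTED_GRANT_TYPE, "unsupported grant type");
    }

    /** 400 {@code invalid_grant} for a bad authorization code; currently unused. */
    private Response buildBadAuthCodeResponse() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_BAD_REQUEST,
                OAuthError.TokenResponse.INVALID_GRANT, "invalid authorization code");
    }

    /** 400 {@code invalid_grant}: the refresh token was rejected. */
    private Response buildBadRefreshCodeResponse() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_BAD_REQUEST,
                OAuthError.TokenResponse.INVALID_GRANT, "invalid refresh token");
    }

    /** 400 {@code unauthorized_client}: no user/organisation link for this refresh token. */
    private Response buildClientNotAuthorized() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_BAD_REQUEST,
                OAuthError.TokenResponse.UNAUTHORIZED_CLIENT, "Organization not authorized for user");
    }

    /** 400 {@code invalid_grant}: username/password rejected. */
    private Response buildInvalidUserPassResponse() throws OAuthSystemException {
        return buildErrorResponse(HttpServletResponse.SC_BAD_REQUEST,
                OAuthError.TokenResponse.INVALID_GRANT, "invalid username or password");
    }

    /** Stub ("removed" in this listing): always returns {@code null}. Unused. */
    private byte[] encodePass(String clientSecret, String salt) {
        //removed
        return null;
    }

    /** Stub ("removed" in this listing): always returns {@code true}, so it performs no check. Unused. */
    private boolean checkClientId(String clientId) {
        //removed
        return true;
    }

    /** Stub ("removed" in this listing): always returns {@code true}, so it performs no check. Unused. */
    private boolean checkClientSecret(String secret) {
        //removed
        return true;
    }

    /** Stub ("removed" in this listing): always returns {@code false}. Unused. */
    private boolean checkAuthCode(String authCode) {
        //removed
        return false;
    }

    /**
     * Stub ("removed" in this listing): always returns {@code false}, so the
     * {@code refresh_token} grant is always rejected by {@link #authorize}.
     */
    private boolean checkRefreshToken(String refreshToken, String organizationCode) {
        //removed
        return false;
    }

    /** Stub ("removed" in this listing): always returns the empty string. Unused. */
    private String encodePassword(String rawPassword) {
        //removed
        return "";
    }

    /**
     * Stub ("removed" in this listing): always returns {@code null}, so the
     * {@code client_credentials} grant is always rejected by {@link #authorize}.
     */
    private User checkUserPass(String user, String pass) {
        //removed
        return null;
    }
}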