1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.syncope.core.spring.security;
20
21 import com.fasterxml.jackson.core.type.TypeReference;
22 import com.nimbusds.jose.JOSEException;
23 import com.nimbusds.jose.JWSAlgorithm;
24 import com.nimbusds.jose.JWSHeader;
25 import com.nimbusds.jose.jca.JCAContext;
26 import com.nimbusds.jose.util.Base64URL;
27 import com.nimbusds.jwt.JWTClaimsSet;
28 import java.util.Set;
29 import org.apache.commons.lang3.tuple.Pair;
30 import org.apache.syncope.common.lib.types.CipherAlgorithm;
31 import org.apache.syncope.core.persistence.api.dao.AccessTokenDAO;
32 import org.apache.syncope.core.persistence.api.dao.UserDAO;
33 import org.apache.syncope.core.persistence.api.entity.AccessToken;
34 import org.apache.syncope.core.persistence.api.entity.user.User;
35 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
36 import org.apache.syncope.core.spring.security.jws.AccessTokenJWSVerifier;
37 import org.slf4j.Logger;
38 import org.slf4j.LoggerFactory;
39 import org.springframework.transaction.annotation.Transactional;
40
41
42
43
44 public class SyncopeJWTSSOProvider implements JWTSSOProvider {
45
46 protected static final Logger LOG = LoggerFactory.getLogger(SyncopeJWTSSOProvider.class);
47
48 protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();
49
50 protected final SecurityProperties securityProperties;
51
52 protected final AccessTokenJWSVerifier delegate;
53
54 protected final UserDAO userDAO;
55
56 protected final AccessTokenDAO accessTokenDAO;
57
58 public SyncopeJWTSSOProvider(
59 final SecurityProperties securityProperties,
60 final AccessTokenJWSVerifier delegate,
61 final UserDAO userDAO,
62 final AccessTokenDAO accessTokenDAO) {
63
64 this.securityProperties = securityProperties;
65 this.delegate = delegate;
66 this.userDAO = userDAO;
67 this.accessTokenDAO = accessTokenDAO;
68 }
69
70 @Override
71 public String getIssuer() {
72 return securityProperties.getJwtIssuer();
73 }
74
75 @Override
76 public Set<JWSAlgorithm> supportedJWSAlgorithms() {
77 return delegate.supportedJWSAlgorithms();
78 }
79
80 @Override
81 public JCAContext getJCAContext() {
82 return delegate.getJCAContext();
83 }
84
85 @Override
86 public boolean verify(
87 final JWSHeader header,
88 final byte[] signingInput,
89 final Base64URL signature) throws JOSEException {
90
91 return delegate.verify(header, signingInput, signature);
92 }
93
94 @Transactional(readOnly = true)
95 @Override
96 public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JWTClaimsSet jwtClaims) {
97 User user = userDAO.findByUsername(jwtClaims.getSubject());
98 Set<SyncopeGrantedAuthority> authorities = Set.of();
99 if (user != null) {
100 AccessToken accessToken = accessTokenDAO.find(jwtClaims.getJWTID());
101 if (accessToken != null && accessToken.getAuthorities() != null) {
102 try {
103 authorities = POJOHelper.deserialize(
104 ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
105 new TypeReference<>() {
106 });
107 } catch (Throwable t) {
108 LOG.error("Could not read stored authorities", t);
109 }
110 }
111 }
112
113 return Pair.of(user, authorities);
114 }
115 }