package com.devicehive.model.oauth; /* * #%L * DeviceHive Java Server Common business logic * %% * Copyright (C) 2016 DataArt * %% * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * #L% */ import com.devicehive.configuration.Constants; import com.devicehive.configuration.Messages; import com.devicehive.exceptions.HiveException; import com.devicehive.model.enums.UserStatus; import com.devicehive.service.IdentityProviderService; import com.devicehive.service.OAuthTokenService; import com.devicehive.service.UserService; import com.devicehive.service.configuration.ConfigurationService; import com.devicehive.vo.*; import com.google.api.client.auth.oauth2.BearerToken; import com.google.api.client.http.javanet.NetHttpTransport; import com.google.gson.JsonArray; import com.google.gson.JsonElement; import com.google.gson.JsonObject; import org.apache.http.NameValuePair; import org.apache.http.client.utils.URLEncodedUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.core.env.Environment; import org.springframework.stereotype.Component; import javax.annotation.PostConstruct; import javax.validation.constraints.NotNull; import javax.ws.rs.core.Response; import java.nio.charset.Charset; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import static javax.ws.rs.core.Response.Status.UNAUTHORIZED; /** * Created by tmatvienko on 1/9/15. */ @Component public class GithubAuthProvider extends AuthProvider { private static final Logger logger = LoggerFactory.getLogger(GithubAuthProvider.class); private static final String GITHUB_PROVIDER_NAME = "Github"; private IdentityProviderVO identityProvider; @Autowired private IdentityProviderService identityProviderService; @Autowired private Environment env; @Autowired private ConfigurationService configurationService; @Autowired private UserService userService; @Autowired private OAuthTokenService tokenService; @Autowired private IdentityProviderUtils identityProviderUtils; @PostConstruct private void initialize() { identityProvider = identityProviderService.find(Constants.GITHUB_IDENTITY_PROVIDER_ID); } @Override public boolean isIdentityProviderAllowed() { return Boolean.valueOf(configurationService.get(Constants.GITHUB_IDENTITY_ALLOWED)); } @Override public JwtTokenVO createAccessKey(@NotNull final OauthJwtRequestVO request) { if (isIdentityProviderAllowed()) { if (request.getCode() != null) { final String accessToken = getAccessToken(request.getCode()); final String email = getIdentityProviderEmail(accessToken); final UserVO user = findUser(email); return tokenService.authenticate(user); } logger.error(Messages.INVALID_AUTH_CODE); throw new HiveException(Messages.INVALID_AUTH_CODE, Response.Status.BAD_REQUEST.getStatusCode()); } else { logger.error(String.format(Messages.IDENTITY_PROVIDER_NOT_ALLOWED, GITHUB_PROVIDER_NAME)); throw new HiveException(String.format(Messages.IDENTITY_PROVIDER_NOT_ALLOWED, GITHUB_PROVIDER_NAME), Response.Status.UNAUTHORIZED.getStatusCode()); } } private String getAccessToken(final String code) { final String endpoint = identityProvider.getTokenEndpoint(); Map<String, String> params = new HashMap<>(); params.put("code", code); params.put("client_id", configurationService.get(Constants.GITHUB_IDENTITY_CLIENT_ID)); params.put("client_secret", configurationService.get(Constants.GITHUB_IDENTITY_CLIENT_SECRET)); final String response = identityProviderUtils.executePost(new NetHttpTransport(), params, endpoint, GITHUB_PROVIDER_NAME); List<NameValuePair> responseParams = URLEncodedUtils.parse(response, Charset.forName(Constants.UTF8)); if (!"access_token".equals(responseParams.get(0).getName())) { logger.error("Exception has been caught during Identity Provider GET request execution", response); throw new HiveException(String.format(Messages.GETTING_OAUTH_ACCESS_TOKEN_FAILED, GITHUB_PROVIDER_NAME, response), Response.Status.UNAUTHORIZED.getStatusCode()); } return responseParams.get(0).getValue(); } private String getIdentityProviderEmail(final String accessToken) { final JsonElement jsonElement = identityProviderUtils.executeGet(new NetHttpTransport(), BearerToken.authorizationHeaderAccessMethod(), accessToken, identityProvider.getApiEndpoint(), GITHUB_PROVIDER_NAME); JsonArray jsonArray = jsonElement.getAsJsonArray(); Iterator<JsonElement> iterator = jsonArray.iterator(); JsonObject jsonObject; while (iterator.hasNext()) { jsonObject = iterator.next().getAsJsonObject(); if (jsonObject.get("primary").getAsBoolean()) { return jsonObject.get("email").getAsString(); } } return null; } private UserVO findUser(final String email) { final UserVO user = userService.findGithubUser(email); if (user == null) { logger.error("No user with email {} found for identity provider {}", email, GITHUB_PROVIDER_NAME); throw new HiveException(Messages.USER_NOT_FOUND, Response.Status.UNAUTHORIZED.getStatusCode()); } else if (user.getStatus() != UserStatus.ACTIVE) { logger.error("User {} is locked, disabled or deleted", email); throw new HiveException(Messages.USER_NOT_ACTIVE, UNAUTHORIZED.getStatusCode()); } return user; } }