1   /*
2    * Copyright 2017 LINE Corporation
3    *
4    * LINE Corporation licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  
17  package com.linecorp.centraldogma.server.internal.admin.auth;
18  
19  import static com.linecorp.centraldogma.server.metadata.User.LEVEL_SYSTEM_ADMIN;
20  import static com.linecorp.centraldogma.server.metadata.User.LEVEL_USER;
21  import static java.util.Objects.requireNonNull;
22  import static java.util.concurrent.CompletableFuture.completedFuture;
23  
24  import java.util.List;
25  import java.util.Set;
26  import java.util.concurrent.CompletionStage;
27  
28  import com.linecorp.armeria.common.HttpRequest;
29  import com.linecorp.armeria.common.auth.OAuth2Token;
30  import com.linecorp.armeria.server.ServiceRequestContext;
31  import com.linecorp.armeria.server.auth.AuthTokenExtractors;
32  import com.linecorp.armeria.server.auth.Authorizer;
33  import com.linecorp.centraldogma.server.auth.SessionManager;
34  import com.linecorp.centraldogma.server.internal.api.HttpApiUtil;
35  import com.linecorp.centraldogma.server.metadata.User;
36  
37  /**
38   * A decorator to check whether the request holds a valid token. If it holds a valid token, this
39   * decorator would find a session belonging to the token and attach it to the service context attributes.
40   */
41  public class SessionTokenAuthorizer implements Authorizer<HttpRequest> {
42  
43      private final SessionManager sessionManager;
44      private final Set<String> systemAdministrators;
45  
46      public SessionTokenAuthorizer(SessionManager sessionManager, Set<String> systemAdministrators) {
47          this.sessionManager = requireNonNull(sessionManager, "sessionManager");
48          this.systemAdministrators = requireNonNull(systemAdministrators, "systemAdministrators");
49      }
50  
51      @Override
52      public CompletionStage<Boolean> authorize(ServiceRequestContext ctx, HttpRequest data) {
53          final OAuth2Token token = AuthTokenExtractors.oAuth2().apply(data.headers());
54          if (token == null) {
55              return completedFuture(false);
56          }
57          return sessionManager.get(token.accessToken())
58                               .thenApply(session -> {
59                                   if (session == null) {
60                                       return false;
61                                   }
62                                   final String username = session.username();
63                                   final List<String> roles =
64                                           systemAdministrators.contains(username) ? LEVEL_SYSTEM_ADMIN
65                                                                                   : LEVEL_USER;
66                                   final User user = new User(username, roles);
67                                   ctx.logBuilder().authenticatedUser("user/" + username);
68                                   AuthUtil.setCurrentUser(ctx, user);
69                                   HttpApiUtil.setVerboseResponses(ctx, user);
70                                   return true;
71                               });
72      }
73  }