1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package com.linecorp.centraldogma.server.internal.api.auth;
18
19 import static com.linecorp.armeria.common.util.Functions.voidFunction;
20 import static java.util.Objects.requireNonNull;
21 import static java.util.concurrent.CompletableFuture.completedFuture;
22
23 import java.net.InetSocketAddress;
24 import java.net.SocketAddress;
25 import java.util.concurrent.CompletableFuture;
26 import java.util.concurrent.CompletionStage;
27 import java.util.function.Function;
28
29 import org.slf4j.Logger;
30 import org.slf4j.LoggerFactory;
31
32 import com.linecorp.armeria.common.HttpRequest;
33 import com.linecorp.armeria.common.auth.OAuth2Token;
34 import com.linecorp.armeria.common.util.Exceptions;
35 import com.linecorp.armeria.server.ServiceRequestContext;
36 import com.linecorp.armeria.server.auth.AuthTokenExtractors;
37 import com.linecorp.armeria.server.auth.Authorizer;
38 import com.linecorp.centraldogma.internal.CsrfToken;
39 import com.linecorp.centraldogma.server.internal.admin.auth.AuthUtil;
40 import com.linecorp.centraldogma.server.metadata.Token;
41 import com.linecorp.centraldogma.server.metadata.Tokens;
42 import com.linecorp.centraldogma.server.metadata.User;
43 import com.linecorp.centraldogma.server.metadata.UserWithToken;
44
45
46
47
48 public class ApplicationTokenAuthorizer implements Authorizer<HttpRequest> {
49
50 private static final Logger logger = LoggerFactory.getLogger(
51 ApplicationTokenAuthorizer.class);
52
53 private final Function<String, CompletionStage<Token>> tokenLookupFunc;
54
55 public ApplicationTokenAuthorizer(Function<String, CompletionStage<Token>> tokenLookupFunc) {
56 this.tokenLookupFunc = requireNonNull(tokenLookupFunc, "tokenLookupFunc");
57 }
58
59 @Override
60 public CompletionStage<Boolean> authorize(ServiceRequestContext ctx, HttpRequest data) {
61 final OAuth2Token token = AuthTokenExtractors.oAuth2().apply(data.headers());
62 if (token != null && token.accessToken().equals(CsrfToken.ANONYMOUS)) {
63 AuthUtil.setCurrentUser(ctx, User.ANONYMOUS);
64 return completedFuture(true);
65 }
66
67 if (token == null || !Tokens.isValidSecret(token.accessToken())) {
68 return completedFuture(false);
69 }
70
71 final CompletableFuture<Boolean> res = new CompletableFuture<>();
72 tokenLookupFunc.apply(token.accessToken())
73 .thenAccept(appToken -> {
74 if (appToken != null && appToken.isActive()) {
75 final String appId = appToken.appId();
76 final StringBuilder login = new StringBuilder(appId);
77 final SocketAddress ra = ctx.remoteAddress();
78 if (ra instanceof InetSocketAddress) {
79 login.append('@').append(((InetSocketAddress) ra).getHostString());
80 }
81 ctx.logBuilder().authenticatedUser("app/" + appId);
82 AuthUtil.setCurrentUser(
83 ctx, new UserWithToken(login.toString(), appToken));
84 res.complete(true);
85 } else {
86 res.complete(false);
87 }
88 })
89
90 .exceptionally(voidFunction(cause -> {
91 cause = Exceptions.peel(cause);
92 if (!(cause instanceof IllegalArgumentException)) {
93 logger.warn("Application token authorization failed: token={}, addr={}",
94 token.accessToken(), ctx.clientAddress(), cause);
95 }
96 res.complete(false);
97 }));
98
99 return res;
100 }
101 }