1   /*
2    * Copyright 2017 LINE Corporation
3    *
4    * LINE Corporation licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  
17  package com.linecorp.centraldogma.server.internal.api.auth;
18  
19  import static com.linecorp.armeria.common.util.Functions.voidFunction;
20  import static java.util.Objects.requireNonNull;
21  import static java.util.concurrent.CompletableFuture.completedFuture;
22  
23  import java.net.InetSocketAddress;
24  import java.net.SocketAddress;
25  import java.util.concurrent.CompletableFuture;
26  import java.util.concurrent.CompletionStage;
27  import java.util.function.Function;
28  
29  import org.slf4j.Logger;
30  import org.slf4j.LoggerFactory;
31  
32  import com.linecorp.armeria.common.HttpRequest;
33  import com.linecorp.armeria.common.auth.OAuth2Token;
34  import com.linecorp.armeria.common.util.Exceptions;
35  import com.linecorp.armeria.server.ServiceRequestContext;
36  import com.linecorp.armeria.server.auth.AuthTokenExtractors;
37  import com.linecorp.armeria.server.auth.Authorizer;
38  import com.linecorp.centraldogma.internal.CsrfToken;
39  import com.linecorp.centraldogma.server.internal.admin.auth.AuthUtil;
40  import com.linecorp.centraldogma.server.metadata.Token;
41  import com.linecorp.centraldogma.server.metadata.Tokens;
42  import com.linecorp.centraldogma.server.metadata.User;
43  import com.linecorp.centraldogma.server.metadata.UserWithToken;
44  
45  /**
46   * A decorator which finds an application token from a request and validates it.
47   */
48  public class ApplicationTokenAuthorizer implements Authorizer<HttpRequest> {
49  
50      private static final Logger logger = LoggerFactory.getLogger(
51              ApplicationTokenAuthorizer.class);
52  
53      private final Function<String, CompletionStage<Token>> tokenLookupFunc;
54  
55      public ApplicationTokenAuthorizer(Function<String, CompletionStage<Token>> tokenLookupFunc) {
56          this.tokenLookupFunc = requireNonNull(tokenLookupFunc, "tokenLookupFunc");
57      }
58  
59      @Override
60      public CompletionStage<Boolean> authorize(ServiceRequestContext ctx, HttpRequest data) {
61          final OAuth2Token token = AuthTokenExtractors.oAuth2().apply(data.headers());
62          if (token != null && token.accessToken().equals(CsrfToken.ANONYMOUS)) {
63              AuthUtil.setCurrentUser(ctx, User.ANONYMOUS);
64              return completedFuture(true);
65          }
66  
67          if (token == null || !Tokens.isValidSecret(token.accessToken())) {
68              return completedFuture(false);
69          }
70  
71          final CompletableFuture<Boolean> res = new CompletableFuture<>();
72          tokenLookupFunc.apply(token.accessToken())
73                         .thenAccept(appToken -> {
74                             if (appToken != null && appToken.isActive()) {
75                                 final String appId = appToken.appId();
76                                 final StringBuilder login = new StringBuilder(appId);
77                                 final SocketAddress ra = ctx.remoteAddress();
78                                 if (ra instanceof InetSocketAddress) {
79                                     login.append('@').append(((InetSocketAddress) ra).getHostString());
80                                 }
81                                 ctx.logBuilder().authenticatedUser("app/" + appId);
82                                 AuthUtil.setCurrentUser(
83                                         ctx, new UserWithToken(login.toString(), appToken));
84                                 res.complete(true);
85                             } else {
86                                 res.complete(false);
87                             }
88                         })
89                         // Should be authorized by the next authorizer.
90                         .exceptionally(voidFunction(cause -> {
91                             cause = Exceptions.peel(cause);
92                             if (!(cause instanceof IllegalArgumentException)) {
93                                 logger.warn("Application token authorization failed: token={}, addr={}",
94                                             token.accessToken(), ctx.clientAddress(), cause);
95                             }
96                             res.complete(false);
97                         }));
98  
99          return res;
100     }
101 }