package nl.knaw.huygens.alexandria.jaxrs;
/*
* #%L
* alexandria-main
* =======
* Copyright (C) 2015 - 2017 Huygens ING (KNAW)
* =======
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public
* License along with this program. If not, see
* <http://www.gnu.org/licenses/gpl-3.0.html>.
* #L%
*/
import static javax.ws.rs.core.SecurityContext.CLIENT_CERT_AUTH;
import static nl.knaw.huygens.alexandria.jaxrs.AlexandriaRoles.ANONYMOUS;
import static nl.knaw.huygens.alexandria.jaxrs.AlexandriaRoles.CERTIFIED;
import static nl.knaw.huygens.alexandria.jaxrs.AlexandriaRoles.JANITOR;
import java.net.URI;
import java.util.Map;
import javax.inject.Inject;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.StringUtils;
import nl.knaw.huygens.alexandria.config.AlexandriaConfiguration;
public class AlexandriaSecurityContextFactory {
private final Map<String, String> keyMap; // authKey -> username
@Inject
public AlexandriaSecurityContextFactory(AlexandriaConfiguration config) {
keyMap = config.getAuthKeyIndex();
}
public SecurityContext fromCertificate(URI requestURI, String userName) {
setDefaultUserName(userName);
final SecurityContextBuilder builder = SecurityContextBuilder.targeting(requestURI);
builder.withAuthenticationScheme(CLIENT_CERT_AUTH).forPrincipalNamed(userName).granting(CERTIFIED);
return builder.build();
}
public SecurityContext fromAuthHeader(URI requestURI, String headerString) {
if (StringUtils.isEmpty(headerString)) {
notAuthorized();
}
final String[] parts = headerString.split(" ");
if (parts.length != 2) {
notAuthorized();
}
final String scheme = parts[0];
final String authKey = parts[1];
if (!keyMap.containsKey(authKey)) {
notAuthorized();
}
final String userName = keyMap.get(authKey);
setDefaultUserName(userName);
final SecurityContextBuilder builder = SecurityContextBuilder.targeting(requestURI);
builder.withAuthenticationScheme(scheme).forPrincipalNamed(userName).granting(JANITOR);
return builder.build();
}
public SecurityContext anonymous(URI requestURI) {
setDefaultUserName("unknown");
return SecurityContextBuilder.targeting(requestURI).forUnknownPrincipal().granting(ANONYMOUS).build();
}
private void notAuthorized() {
throw new NotAuthorizedException(""); // empty 'challenge'
}
private void setDefaultUserName(final String userName) {
// TODO: refactor to get rid of saving userName in a thread local.
// Log.trace("Setting default user name to: [{}]", userName);
ThreadContext.setUserName(userName);
}
}