OAuthRequestPathAuthenticator.java

/*
 * Copyright (c) 2013, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * WSO2 Inc. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.wso2.carbon.identity.application.authenticator.requestpath.oauth;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.MultitenantConstants;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.RequestPathApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO.OAuth2AccessToken;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map;


public class OAuthRequestPathAuthenticator extends AbstractApplicationAuthenticator implements RequestPathApplicationAuthenticator {

    private static final long serialVersionUID = 634910519658720780L;
    private static final String AUTHORIZATION_HEADER_NAME = "Authorization";
    private static final String BEARER_SCHEMA = "Bearer";
    private static final String AUTHENTICATOR_NAME = "OAuthRequestPathAuthenticator";
    private static final String ACCESS_TOKEN = "access_token";
    private static Log log = LogFactory.getLog(OAuthRequestPathAuthenticator.class);

    @Override
    public boolean canHandle(HttpServletRequest request) {

        if (log.isTraceEnabled()) {
            log.trace("Inside canHandle()");
        }

        String headerValue = (String) request.getSession().getAttribute(AUTHORIZATION_HEADER_NAME);

        if (headerValue != null && !"".equals(headerValue.trim())) {
            String[] headerPart = headerValue.trim().split(" ");
            if (BEARER_SCHEMA.equals(headerPart[0])) {
                return true;
            }
        } else if (request.getParameter(ACCESS_TOKEN) != null) {
            return true;
        }

        return false;
    }

    @Override
    protected void processAuthenticationResponse(HttpServletRequest request,
                                                 HttpServletResponse response, AuthenticationContext context)
            throws AuthenticationFailedException {

        String headerValue = (String) request.getSession().getAttribute(AUTHORIZATION_HEADER_NAME);

        String token = null;
        if (headerValue != null) {
            token = headerValue.trim().split(" ")[1];
        } else {
            token = request.getParameter(ACCESS_TOKEN);
        }


        try {
            OAuth2TokenValidationService validationService = new OAuth2TokenValidationService();
            OAuth2TokenValidationRequestDTO validationReqDTO = new OAuth2TokenValidationRequestDTO();
            OAuth2AccessToken accessToken = validationReqDTO.new OAuth2AccessToken();
            accessToken.setIdentifier(token);
            accessToken.setTokenType("bearer");
            validationReqDTO.setAccessToken(accessToken);
            OAuth2TokenValidationResponseDTO validationResponse = validationService.validate(validationReqDTO);

            if (!validationResponse.isValid()) {
                log.error("RequestPath OAuth authentication failed");
                throw new AuthenticationFailedException("Authentication Failed");
            }

            String user = validationResponse.getAuthorizedUser();
            String tenantDomain = MultitenantUtils.getTenantDomain(user);

            if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
                user = MultitenantUtils.getTenantAwareUsername(user);
            }

            Map<String, Object> authProperties = context.getProperties();

            if (authProperties == null) {
                authProperties = new HashMap<String, Object>();
                context.setProperties(authProperties);
            }

            // TODO: user tenant domain has to be an attribute in the
            // AuthenticationContext
            authProperties.put("user-tenant-domain", tenantDomain);

            if (log.isDebugEnabled()) {
                log.debug("Authenticated user " + user);
            }

            context.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(user));
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
    }

    @Override
    public String getContextIdentifier(HttpServletRequest request) {
        return null;
    }

    @Override
    public String getFriendlyName() {
        return "oauth-bearer";
    }

    @Override
    public String getName() {
        return AUTHENTICATOR_NAME;
    }
}