/*************************************************************************
* (c) Copyright 2016 Hewlett Packard Enterprise Development Company LP
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 3 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see http://www.gnu.org/licenses/.
************************************************************************/
package com.eucalyptus.auth.tokens;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import com.eucalyptus.auth.Accounts;
import com.eucalyptus.auth.principal.AccessKey;
import com.eucalyptus.auth.principal.TemporaryAccessKey;
import com.eucalyptus.auth.principal.User;
import com.eucalyptus.auth.principal.UserPrincipal;
import com.eucalyptus.context.Context;
import com.eucalyptus.context.Contexts;
import com.eucalyptus.context.IllegalContextAccessException;
import com.eucalyptus.util.Parameters;
import com.google.common.base.Optional;
import com.google.common.collect.ImmutableMap;
/**
*
*/
@SuppressWarnings( "Guava" )
public class RoleSecurityTokenAttributes {
private final String sessionName;
private RoleSecurityTokenAttributes(
final String sessionName
) {
Parameters.checkParamNotNullOrEmpty( "sessionName", sessionName );
this.sessionName = sessionName;
}
public static <T extends RoleSecurityTokenAttributes> Optional<T> fromContext( Class<T> type ) {
try {
final Context context = Contexts.lookup( );
final UserPrincipal principal = context.getUser( );
if ( principal != null ) {
final Optional<RoleSecurityTokenAttributes> attributes = RoleSecurityTokenAttributes.forUser( principal );
if ( attributes.isPresent( ) && type.isInstance( attributes.get( ) ) ) {
return Optional.of( type.cast( attributes.get( ) ) );
}
}
} catch ( final IllegalContextAccessException e ) {
// absent
}
return Optional.absent( );
}
public static Optional<RoleSecurityTokenAttributes> forUser( final User user ) {
if ( user instanceof UserPrincipal ) {
final UserPrincipal principal = (UserPrincipal) user;
if ( Accounts.isRoleIdentifier( principal.getAuthenticatedId( ) ) ) {
final List<AccessKey> keys = principal.getKeys( );
if ( keys.size( ) == 1 ) {
return forKey( keys.get( 0 ) );
}
}
}
return Optional.absent( );
}
public static Optional<RoleSecurityTokenAttributes> forKey( final AccessKey accessKey ) {
if ( accessKey instanceof TemporaryAccessKey ) {
final TemporaryAccessKey temporaryAccessKey = (TemporaryAccessKey) accessKey;
if ( temporaryAccessKey.getType( ) == TemporaryAccessKey.TemporaryKeyType.Role ) {
return forMap( temporaryAccessKey.getAttributes( ) );
}
}
return Optional.absent( );
}
public static Optional<RoleSecurityTokenAttributes> forMap( final Map<String,String> attributes ) {
final String sessionName = attributes.get( "ses" );
final String instanceArn = attributes.get( "ins" );
final String providerUrl = attributes.get( "url" );
final String aud = attributes.get( "aud" );
final String sub = attributes.get( "sub" );
try {
if ( instanceArn != null ) {
return Optional.of( instance( sessionName, instanceArn ) );
} else if ( providerUrl != null ) {
return Optional.of( webIdentity( sessionName, providerUrl, aud, sub ) );
} else if ( sessionName != null ) {
return Optional.of( basic( sessionName ) );
}
} catch ( final IllegalArgumentException e ) {
// so absent
}
return Optional.absent( );
}
public static RoleSecurityTokenAttributes basic(
@Nonnull final String sessionName
) {
return new RoleSecurityTokenAttributes( sessionName );
}
public static RoleSecurityTokenAttributes instance(
@Nonnull final String sessionName,
@Nonnull final String instanceArn
) {
return new RoleInstanceProfileSecurityTokenAttributes( sessionName, instanceArn );
}
public static RoleSecurityTokenAttributes webIdentity(
@Nonnull final String sessionName,
@Nonnull final String providerUrl,
@Nonnull final String aud,
@Nonnull final String sub
) {
return new RoleWithWebIdSecurityTokenAttributes( sessionName, providerUrl, aud, sub );
}
public final String getSessionName( ) {
return sessionName;
}
public final Map<String,String> asMap( ) {
return populate( ImmutableMap.builder( ) ).build( );
}
protected ImmutableMap.Builder<String, String> populate( final ImmutableMap.Builder<String, String> builder ) {
return builder.put( "ses", sessionName );
}
public static class RoleInstanceProfileSecurityTokenAttributes extends RoleSecurityTokenAttributes {
private final String instanceArn;
public RoleInstanceProfileSecurityTokenAttributes(
final String sessionName,
final String instanceArn
) {
super( sessionName );
Parameters.checkParamNotNullOrEmpty( "instanceArn", instanceArn );
this.instanceArn = instanceArn;
}
@Override
protected ImmutableMap.Builder<String, String> populate( final ImmutableMap.Builder<String, String> builder ) {
return super.populate( builder )
.put( "ins", instanceArn );
}
public String getInstanceArn( ) {
return instanceArn;
}
}
public static class RoleWithWebIdSecurityTokenAttributes extends RoleSecurityTokenAttributes {
private final String providerUrl;
private final String aud;
private final String sub;
public RoleWithWebIdSecurityTokenAttributes(
final String sessionName,
final String providerUrl,
final String aud,
final String sub
) {
super( sessionName );
Parameters.checkParamNotNullOrEmpty( "providerUrl", providerUrl );
Parameters.checkParamNotNullOrEmpty( "aud", aud );
Parameters.checkParamNotNullOrEmpty( "sub", sub);
this.providerUrl = providerUrl;
this.aud = aud;
this.sub = sub;
}
@Override
protected ImmutableMap.Builder<String, String> populate( final ImmutableMap.Builder<String, String> builder ) {
return super.populate( builder )
.put( "url", providerUrl )
.put( "aud", aud )
.put( "sub", sub );
}
public String getProviderUrl( ) {
return providerUrl;
}
public String getAud( ) {
return aud;
}
public String getSub( ) {
return sub;
}
}
}