lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564239406


##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -780,26 +782,98 @@ private X509Certificate 
extractCertificate(HttpServletRequest req) {
     return null;
   }
 
-  private Response getAuthenticationToken() {
-    if (clientCertRequired) {
-      X509Certificate cert = extractCertificate(request);
-      if (cert != null) {
-        if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-          return Response.status(Response.Status.FORBIDDEN)
-                         .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
-                         .build();
-        }
+  protected Response getAuthenticationToken() {
+    Response response = enforceClientCertIfRequired();
+    if (response != null) { return response; }
+
+    response = onlyAllowGroupsToBeAddedWhenEnabled();
+    if (response != null) { return response; }
+
+    UserContext context = buildUserContext(request);
+
+    response = enforceTokenLimitsAsRequired(context.userName);
+    if (response != null) { return response; }
+
+    TokenResponse resp = getTokenResponse(context);
+    return resp.build();
+  }
+
+  protected TokenResponse getTokenResponse(UserContext context) {
+    TokenResponse response = null;
+    long expires = getExpiry();
+    setupPublicCertPEM();
+    String jku = getJku();
+    try
+    {
+      JWT token = getJWT(context.userName, expires, jku);
+      if (token != null) {
+        ResponseMap result = buildResponseMap(token, expires);
+        String jsonResponse = JsonUtils.renderAsJsonString(result.map);
+        persistTokenDetails(result, expires, context.userName, 
context.createdBy);
+
+        response = new TokenResponse(result, jsonResponse, Response.ok());
       } else {
-        return Response.status(Response.Status.FORBIDDEN)
-                       .entity("{ \"Unable to get token - client cert 
required.\" }")
-                       .build();
+        response = new TokenResponse(null, null, Response.serverError());
+      }
+    } catch (TokenServiceException e) {
+      log.unableToIssueToken(e);
+      response = new TokenResponse(null
+              , "{ \"Unable to acquire token.\" }"
+              , Response.serverError());
+    }
+    return response;
+  }
+
+  protected static class TokenResponse {
+    public ResponseMap responseMap;
+    public String responseStr;
+    public Response.ResponseBuilder responseBuilder;
+
+    public TokenResponse(ResponseMap respMap, String resp, 
Response.ResponseBuilder builder) {
+      responseMap = respMap;
+      responseStr = resp;
+      responseBuilder = builder;
+    }
+
+    public Response build() {
+      Response response = null;
+      if (responseStr != null) {
+        response = responseBuilder.entity(responseStr).build();
       }
+      else {
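Review bot: getAuthenticationToken and getTokenResponse are widened to protected (the new signatures at the top of the hunk) with no Javadoc, so a subclass overriding getTokenResponse has no stated contract that the client-cert, group and token-limit gates run in the caller (enforceClientCertIfRequired, onlyAllowGroupsToBeAddedWhenEnabled, enforceTokenLimitsAsRequired, all defined outside this hunk) and that an override must not become a second, unguarded issuance path. Suggested Javadoc on getTokenResponse: `/** Issues a JWT for an already-authorized {@code context}; the client-cert, group and token-limit checks are the caller's responsibility (see getAuthenticationToken) and are not repeated here. */`, with a matching line on getAuthenticationToken naming those three checks as the order of enforcement. As a point of style, TokenResponse exposes three public mutable fields that are only assigned in the constructor; `private final` fields with accessors, or at least `final`, would keep the response from being altered between construction and build(). TokenResponse.build() continues past the end of the quoted hunk, so the else branch that handles a null responseStr is not visible here.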

Review Comment:
   Again, it has always been this way, which is why it isn't a code-style violation.


