/** * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.pulsar.manager.service.impl; import io.jsonwebtoken.*; import io.jsonwebtoken.security.Keys; import org.apache.pulsar.manager.service.JwtService; import lombok.extern.slf4j.Slf4j; import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils; import org.apache.pulsar.common.util.RelativeTimeUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Service; import java.io.IOException; import java.security.Key; import java.util.Date; import java.util.Map; import java.util.Optional; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.TimeUnit; @Slf4j @Service public class JwtServiceImpl implements JwtService { private int sessionTime; @Value("${jwt.broker.token.mode}") private String jwtBrokerTokenMode; @Value("${jwt.broker.secret.key}") private String jwtBrokerSecretKey; @Value("${jwt.broker.private.key}") private String jwtBrokerPrivateKey; @Value("${jwt.broker.public.key}") private String jwtBrokerPublicKey; private final Map<String, String> tokens = new ConcurrentHashMap<>(); private final Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256); @Autowired public JwtServiceImpl(@Value("${jwt.sessionTime}") int sessionTime) { this.sessionTime = sessionTime; } @Override public String toToken(String id) { return Jwts.builder() .setSubject(id) .setExpiration(expireTimeFromNow()) .signWith(key) .compact(); } @Override public Optional<String> getSubFromToken(String token) { try { Jws<Claims> claimsJws = Jwts.parser().setSigningKey(key).parseClaimsJws(token); return Optional.ofNullable(claimsJws.getBody().getSubject()); } catch (Exception e) { return Optional.empty(); } } private Date expireTimeFromNow() { return new Date(System.currentTimeMillis() + sessionTime * 1000); } @Override public void setToken(String key, String value) { synchronized (this.tokens) { this.tokens.put(key, value); } } @Override public String getToken(String key) { return this.tokens.get(key); } @Override public void removeToken(String key) { synchronized (this.tokens) { this.tokens.remove(key); } } private Key decodeBySecretKey() { try { byte[] encodedKey = AuthTokenUtils.readKeyFromUrl(jwtBrokerSecretKey); return AuthTokenUtils.decodeSecretKey(encodedKey); } catch (IOException e) { log.error("Decode failed by secrete key, error: {}", e.getMessage()); return null; } } public String createBrokerToken(String role, String expiryTime) { Key signingKey; if (jwtBrokerTokenMode.equals("SECRET")) { signingKey = decodeBySecretKey(); } else if (jwtBrokerTokenMode.equals("PRIVATE")){ signingKey = decodeByPrivateKey(); } else { log.info("Default disable JWT auth, please set jwt.broker.token.mode."); return null; } if (signingKey == null) { log.error("JWT Auth failed, signingKey is not empty"); return null; } Optional<Date> optExpiryTime = Optional.empty(); if (expiryTime != null) { long relativeTimeMillis = TimeUnit.SECONDS .toMillis(RelativeTimeUtil.parseRelativeTimeInSeconds(expiryTime)); optExpiryTime = Optional.of(new Date(System.currentTimeMillis() + relativeTimeMillis)); } return AuthTokenUtils.createToken(signingKey, role, optExpiryTime); } private Key decodeByPrivateKey() { try { byte[] encodedKey = AuthTokenUtils.readKeyFromUrl(jwtBrokerPrivateKey); SignatureAlgorithm algorithm = SignatureAlgorithm.RS256; return AuthTokenUtils.decodePrivateKey(encodedKey, algorithm); } catch (IOException e) { log.error("Decode failed by private key, error: {}", e.getMessage()); return null; } } public Claims validateBrokerToken(String token) { Key validationKey; if (jwtBrokerTokenMode.equals("SECRET")) { validationKey = decodeBySecretKey(); } else if (jwtBrokerTokenMode.equals("PRIVATE")){ validationKey = decodeByPrivateKey(); } else { log.info("Default disable JWT auth, please set jwt.broker.token.mode."); return null; } Jwt<?, Claims> jwt = Jwts.parser() .setSigningKey(validationKey) .parse(token); return jwt.getBody(); } }