java source code of MultiAppProxyClient

bouncr-master
- .circleci
  - config.yml
- bouncr-hook-license
  - src
    - main
      - java
        net
        unit8
        bouncr
        hook
        license
        LicenseUpdateHook.java
        LicenseCheckHook.java
        entity
        UserLicense.java
        LicenseLastActivity.java
        LicenseDeleteHook.java
        migration
        V1__CreateUserLicense.java
        LicenseConfig.java
        LicenseKey.java
    - test
      - java
        net
        unit8
        bouncr
        hook
        license
        LicenseKeyTest.java
  - pom.xml
- bouncr-components
  - src
    - main
      - resources
        ValidationMessages.properties
        MEAT-INF
        misconfiguration.properties
        messages_ja.properties
        messages.properties
        ValidationMessages_ja.properties
      - java
        db
        migration
        V20__CreateCerts.java
        V12__CreateUserActions.java
        V1__CreateUsers.java
        V8__CreateRolePermissions.java
        V25__AddRedirectUriToOidcProvider.java
        V5__CreatePermissions.java
        V15__CreateOidcUsers.java
        V17__CreateInvitations.java
        V6__CreateRealms.java
        V22__AlterInvitations.java
        V10__CreatePasswordCredentials.java
        V23__InsertAdminUser.java
        V2__CreateGroups.java
        V16__CreateOidcApplications.java
        V4__CreateRoles.java
        V14__CreateCertificateCredentials.java
        V13__CreateOidcProviders.java
        V9__CreateAssinments.java
        V21__CreateUserProfiles.java
        V24__AddAccountLowerToUser.java
        V18__CreateUserLocks.java
        V7__CreateMemberships.java
        V3__CreateApplications.java
        V19__CreateUserSessions.java
        net
        unit8
        bouncr
        entity
        Assignment.java
        OAuth2Error.java
        ActionType.java
        UserProfileValue.java
        Invitation.java
        RolePermission.java
        OidcApplication.java
        TokenEndpointAuthMethod.java
        ResponseType.java
        UserProfileField.java
        UserSession.java
        Realm.java
        UserLock.java
        OidcInvitation.java
        PasswordResetChallenge.java
        Role.java
        PasswordCredential.java
        Permission.java
        UserAction.java
        OidcUser.java
        LockLevel.java
        User.java
        GroupInvitation.java
        OidcProvider.java
        Application.java
        OtpKey.java
        Cert.java
        Action.java
        UserProfileVerification.java
        Group.java
        hook
        HookRuntimeException.java
        Hook.java
        HookRepository.java
        WebHook.java
        util
        KeyUtils.java
        RandomUtils.java
        DigestUtils.java
        Base32Utils.java
        PasswordUtils.java
        UriInterpolator.java
        interpolator
        FragmentUriInterpolator.java
        QueryUriInterpolator.java
        data
        OidcSession.java
        InitialPassword.java
        domain
        VerificationTargetSet.java
        component
        StoreProvider.java
        MessageResource.java
        RealmCache.java
        config
        KvsSettings.java
        PasswordPolicy.java
        VerificationPolicy.java
        CertConfiguration.java
        HookPoint.java
        OidcConfiguration.java
        BouncrConfiguration.java
        Flake.java
        json
        IndirectListFilter.java
    - test
      - java
        net
        unit8
        bouncr
        entity
        UserTest.java
        hook
        HookRepositoryTest.java
        util
        PasswordUtilsTest.java
        RandomUtilsTest.java
        Base32UtilsTest.java
        component
        StoreProviderTest.java
        FlakeTest.java
  - pom.xml
- examples
  - with_ldap.jsh
- pom.xml
- LICENSE
- bouncr-api-server
  - src
    - main
      - resources
        hazelcast-client.xml
        bouncr-spec.yaml
        META-INF
        reload.xml
        misconfiguration.properties
        bouncr-spec.js
      - java
        net
        unit8
        bouncr
        api
        authn
        ClientAuthenticateMiddleware.java
        OneTimePasswordGenerator.java
        resource
        UsersResource.java
        OidcProviderResource.java
        AssignmentResource.java
        OidcSignInResource.java
        ApplicationsResource.java
        GroupResource.java
        InvitationsResource.java
        RealmResource.java
        UserSessionResource.java
        OidcProvidersResource.java
        AssignmentsResource.java
        PermissionResource.java
        PasswordResetChallengeResource.java
        PasswordSignInResource.java
        PermissionsResource.java
        SignUpResource.java
        UserActionsResource.java
        RolesResource.java
        GroupUsersResource.java
        ApplicationResource.java
        PasswordCredentialResource.java
        PreSignInResource.java
        RolePermissionsResource.java
        UserProfileVerificationResource.java
        UserResource.java
        GroupsResource.java
        RealmsResource.java
        OidcApplicationsResoruce.java
        UserSessionsResource.java
        PasswordResetResource.java
        ProblemResource.java
        OidcApplicationResource.java
        OtpKeyResource.java
        InvitationResource.java
        RoleResource.java
        hook
        GrantBouncrUserRole.java
        constraints
        StringEnumeration.java
        validator
        StringEnumerationValidator.java
        boundary
        RealmSearchParams.java
        OidcApplicationCreateRequest.java
        UserSearchParams.java
        AssignmentsRequest.java
        PermissionUpdateRequest.java
        ApplicationUpdateRequest.java
        RoleSearchParams.java
        OidcApplicationSearchParams.java
        RoleUpdateRequest.java
        PasswordSignInRequest.java
        UserCreateRequest.java
        PermissionSearchParams.java
        BouncrProblem.java
        PasswordCredentialDeleteRequest.java
        RolePermissionsRequest.java
        ApplicationCreateRequest.java
        UserUpdateRequest.java
        RoleCreateRequest.java
        SignUpCreateRequest.java
        InvitationCreateRequest.java
        UserActionSearchParams.java
        GroupUpdateRequest.java
        PasswordResetResponse.java
        RealmCreateRequest.java
        ApplicationSearchParams.java
        OidcProviderSearchParams.java
        GroupCreateRequest.java
        GroupSearchParams.java
        PermissionCreateRequest.java
        AssignmentRequest.java
        RealmUpdateRequest.java
        OidcProviderUpdateRequest.java
        UserSessionSearchParams.java
        PasswordResetRequest.java
        SignUpResponse.java
        GroupUsersRequest.java
        PasswordCredentialUpdateRequest.java
        PasswordResetChallengeCreateRequest.java
        OidcApplicationUpdateRequest.java
        PasswordCredentialCreateRequest.java
        OidcProviderCreateRequest.java
        service
        UniquenessCheckService.java
        OAuthService.java
        UserLockService.java
        PasswordPolicyService.java
        SignInService.java
        PasswordCredentialService.java
        UserProfileService.java
        Main.java
        BouncrBaseResource.java
        component
        CertificateProvider.java
        BouncrApplicationFactory.java
        logging
        ActionRecordable.java
        ActionRecord.java
        ActionRecordInjector.java
        ActionLoggingMiddleware.java
        BouncrApiEnkanSystemFactory.java
    - test
      - java
        net
        unit8
        bouncr
        authn
        OneTimePasswordGeneratorTest.java
        BouncrTestSystemFactory.java
        JacksonTest.java
        api
        resource
        UsersResourceWithDbTest.java
        RolePermissionsResourceTest.java
        UsersResourceTest.java
        UserResourceTest.java
        GroupUsersResourceTest.java
        PasswordCredentialResourceTest.java
        AssignmentsRequestTest.java
        PasswordSignInResourceTest.java
        MockFactory.java
        service
        OAuthServiceTest.java
    - dev
      - resources
        ldap
        microsoft.ldif
        users.ldif
        README.md
        TEST.md
      - java
        backendexample
        ldap
        InMemoryDirectoryServiceFactory.java
        InMemorySchemaPartition.java
        LdapStandaloneServer.java
        cert
        JdbcKeyStoreSpi.java
        BouncrProvider.java
        KeyStoreLoader.java
        Certificate.java
        ReplMain.java
        MainWithLdapClient.java
      - bin
        mysql.sh
  - pom.xml
  - package.json
- bouncr-hook-email
  - src
    - main
      - resources
        bouncr-spec.yaml
      - java
        net
        unit8
        bouncr
        extention
        app
        resource
        VerificationEmailResource.java
        MagicLinkSignInResource.java
        EmailApplicationCustomizer.java
        boundary
        MagicLinkSignInRequest.java
        hook
        NormalizeMailAddressHook.java
        AbstractSendMailHook.java
        email
        config
        MailMetaConfig.java
        MailConfig.java
        MailServerConfig.java
        service
        SendMailService.java
        SendPasswordResetHook.java
        SendVerificationHook.java
        SendPasswordResetChallengeHook.java
    - test
      - resources
        templates
        email_verification.html
      - java
        net
        unit8
        bouncr
        hook
        SendVerificationHookTest.java
  - pom.xml
- model.puml
- elm-package.json
- bouncr-proxy
  - src
    - main
      - resources
        hazelcast-client.xml
        META-INF
        services
        org.eclipse.microprofile.health.spi.HealthCheckResponseProvider
        misconfiguration.properties
      - java
        net
        unit8
        bouncr
        proxy
        CacheRefreshHandler.java
        health
        HealthCheckResponseProviderImpl.java
        HealthCheckResponseBuilderImpl.java
        HealthCheckResponseImpl.java
        MultiAppProxyClient.java
        HealthCheckHandler.java
        cert
        ReloadableTrustManager.java
        Main.java
        ReverseProxyComponent.java
        ssl
        BouncrSSLSocketFactory.java
        BouncrProxyEnkanSystemFactory.java
    - test
      - resources
        mockito-extensions
        org.mockito.plugins.MockMaker
      - java
        net
        unit8
        bouncr
        proxy
        HealthCheckHandlerTest.java
    - dev
      - java
        HazelCastMain.java
  - pom.xml
- README.md
- .gitignore
- docker-compose.yml

package net.unit8.bouncr.proxy;

import enkan.exception.MisconfigurationException;
import enkan.middleware.session.KeyValueStore;
import enkan.util.BeanBuilder;
import io.undertow.client.ClientCallback;
import io.undertow.client.ClientConnection;
import io.undertow.client.UndertowClient;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.ServerConnection;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.proxy.ProxyCallback;
import io.undertow.server.handlers.proxy.ProxyClient;
import io.undertow.server.handlers.proxy.ProxyConnection;
import io.undertow.util.AttachmentKey;
import io.undertow.util.HttpString;
import net.unit8.bouncr.component.BouncrConfiguration;
import net.unit8.bouncr.component.RealmCache;
import net.unit8.bouncr.entity.Application;
import net.unit8.bouncr.entity.Realm;
import net.unit8.bouncr.sign.JsonWebToken;
import net.unit8.bouncr.sign.JwtHeader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xnio.ChannelListener;
import org.xnio.IoUtils;
import org.xnio.OptionMap;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.channels.Channel;
import java.util.*;
import java.util.concurrent.TimeUnit;

/**
 * Proxy Client for Bouncr multiple applications.
 *
 * @author kawasima
 */
public class MultiAppProxyClient implements ProxyClient {
    private static final Logger LOG = LoggerFactory.getLogger(MultiAppProxyClient.class);

    private static final ProxyTarget PROXY_TARGET = new ProxyTarget() {
    };
    private final AttachmentKey<ClientConnection> clientAttachmentKey = AttachmentKey.create(ClientConnection.class);
    private final UndertowClient client;
    private final KeyValueStore store;
    private final RealmCache realmCache;
    private final BouncrConfiguration config;
    private final JsonWebToken jwt;
    private final JwtHeader jwtHeader;
    private boolean connectionCache = false;

    public MultiAppProxyClient(BouncrConfiguration config, KeyValueStore store, RealmCache realmCache, JsonWebToken jwt) {
        client = UndertowClient.getInstance();
        this.config = config;
        this.store = store;
        this.realmCache = realmCache;
        this.jwt = jwt;
        this.jwtHeader = BeanBuilder.builder(new JwtHeader())
                .set(JwtHeader::setAlg, "none")
                .build();
    }

    public void setConnectionCache(boolean enabled) {
        this.connectionCache = enabled;
    }

    @Override
    public ProxyTarget findTarget(HttpServerExchange exchange) {
        return PROXY_TARGET;
    }


    private String calculatePathTo(String path, Application application) {
        String passTo = application.getUriToPass().getPath();
        if (passTo != null && passTo.endsWith("/")) {
            passTo = passTo.substring(0, passTo.length() - 1);
        }
        return passTo + path.substring(application.getVirtualPath().length());
    }

    @Override
    public void getConnection(ProxyTarget target, HttpServerExchange exchange, ProxyCallback<ProxyConnection> callback, long timeout, TimeUnit timeUnit) {
        Realm realm = realmCache.matches(exchange.getRequestPath());
        if (realm == null) {
            exchange.setStatusCode(404);
            exchange.endExchange();
            return;
        }

        parseToken(exchange).ifPresent(token -> {
            Optional<HashMap<String, Object>> userCache = authenticate(token);

            userCache.ifPresent(u -> {
                Map<String, List<String>> permissionsByRealm = (Map<String, List<String>>) u.remove("permissionsByRealm");
                List<String> permissions = permissionsByRealm.get(realm.getId().toString());

                Map<String, Object> body = new HashMap<>(u);
                body.put("permissions", Optional.ofNullable(permissions).orElse(Collections.emptyList()));
                exchange.getRequestHeaders().put(HttpString.tryFromString(config.getBackendHeaderName()),
                        jwt.sign(body, jwtHeader, (byte[]) null));
            });
        });

        Application application = realmCache.getApplication(realm);
        if (connectionCache) {
            ClientConnection existing = exchange.getConnection().getAttachment(clientAttachmentKey);
            if (existing != null) {
                if (existing.isOpen()) {
                    //this connection already has a client, re-use it
                    String path = exchange.getRequestURI();
                    if (path.startsWith(application.getVirtualPath())) {
                        String passTo = calculatePathTo(path, application);
                        exchange.setRequestPath(passTo);
                        exchange.setRequestURI(passTo);
                    }
                    callback.completed(exchange, new ProxyConnection(existing, "/"));
                    return;
                } else {
                    exchange.getConnection().removeAttachment(clientAttachmentKey);
                }
            }
        }

        try {
            URI uri = application.getUriToPass();
            LOG.debug("PASS: {}", uri);
            client.connect(new ConnectNotifier(callback, exchange),
                    new URI(uri.getScheme(), /*userInfo*/null, uri.getHost(), uri.getPort(),
                            /*path*/null, /*query*/null, /*fragment*/null),
                    exchange.getIoThread(),
                    exchange.getConnection().getByteBufferPool(), OptionMap.EMPTY);
        } catch (URISyntaxException e) {
            throw new MisconfigurationException("bouncr.proxy.WRONG_URI", application.getUriToPass(), e);
        }
    }

    private Optional<String> parseToken(HttpServerExchange exchange) {
        if (exchange.getRequestHeaders().contains("Authorization")) {
            String authorizationValue = exchange.getRequestHeaders().getFirst("Authorization");
            String[] tokens = authorizationValue.split("\\s+", 2);
            if (tokens[0].equalsIgnoreCase("Bearer") && tokens.length == 2) {
                return Optional.of(tokens[1])
                        .map(String::strip);
            } else {
                return Optional.empty();
            }
        } else if (exchange.getRequestCookies().containsKey(config.getTokenName())) {
            Cookie tokenCookie = exchange.getRequestCookies().get(config.getTokenName());
            return Optional.of(tokenCookie.getValue());
        } else {
            return Optional.empty();
        }
    }

    private Optional<HashMap<String, Object>> authenticate(String token) {
        return Optional.ofNullable((HashMap<String, Object>) store.read(token));
    }

    private final class ConnectNotifier implements ClientCallback<ClientConnection> {
        private final ProxyCallback<ProxyConnection> callback;
        private final HttpServerExchange exchange;

        private ConnectNotifier(ProxyCallback<ProxyConnection> callback, HttpServerExchange exchange) {
            this.callback = callback;
            this.exchange = exchange;
        }

        @Override
        public void completed(final ClientConnection connection) {
            final ServerConnection serverConnection = exchange.getConnection();
            //we attach to the connection so it can be re-used
            if (connectionCache) {
                serverConnection.putAttachment(clientAttachmentKey, connection);
            }
            serverConnection.addCloseListener(serverConnection1 -> IoUtils.safeClose(connection));
            connection.getCloseSetter().set((ChannelListener<Channel>) channel -> serverConnection.removeAttachment(clientAttachmentKey));

            exchange.setRelativePath("/");
            Realm realm = realmCache.matches(exchange.getRequestPath());
            Application application = realmCache.getApplication(realm);
            String path = exchange.getRequestURI();
            if (path.startsWith(application.getVirtualPath())) {
                String passTo = calculatePathTo(path, application);
                exchange.setRequestPath(passTo);
                exchange.setRequestURI(passTo);
            }
            callback.completed(exchange, new ProxyConnection(connection, "/"));
        }

        @Override
        public void failed(IOException e) {
            callback.failed(exchange);
        }
    }

}