• Example Search
• Project Search

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• play-zhewbacca-master
  • src
    • main
      • scala
        • org
          • zalando
            • zhewbacca
              • SecurityRulesRepository.scala
              • SecurityRule.scala
              • AuthProvider.scala
              • Scope.scala
              • TokenInfoConverter.scala
              • OAuth2Token.scala
              • IAMClient.scala
              • RequestValidator.scala
              • SecurityFilter.scala
              • OAuth2AuthProvider.scala
              • TokenInfo.scala
              • metrics
                • PluggableMetrics.scala
                • NoOpPluggableMetrics.scala
              • AuthResult.scala
              • AlwaysPassAuthProvider.scala
    • test
      • resources
        • access-token-not-valid.json
        • token-with-missed-token-type.json
        • security_unknown-http-method.conf
        • security_no-scopes.conf
        • logback.xml
        • security_filter.conf
        • security_custom-security.conf
        • security_rules.conf
        • valid-token-with-client-id.json
        • not-a-json-at-all.json
        • security_pass-through.conf
        • security_commented.conf
        • valid-token-with-unknown-field.json
        • valid-token-with-uid-scope.json
      • scala
        • org
          • zalando
            • zhewbacca
              • SecurityRulesRepositorySpec.scala
              • TestingFilters.scala
              • TokenInfoConverterSpec.scala
              • OAuth2AuthProviderSpec.scala
              • SecurityRuleSpec.scala
              • AlwaysPassAuthProviderSpec.scala
              • OAuth2TokenSpec.scala
              • RequestValidatorSpec.scala
              • SecurityFilterSpec.scala
              • IAMClientSpec.scala
              • ScopeTestSpec.scala
  • scalastyle-config.xml
  • LICENSE
  • project
    • build.properties
    • plugins.sbt
  • MAINTAINERS
  • CONTRIBUTING.md
  • CHANGELOG.md
  • SECURITY.md
  • .travis.yml
  • README.md
  • build.sbt
  • .zappr.yaml
  • .gitignore

package org.zalando.zhewbacca

import java.util.concurrent.atomic.AtomicInteger
import javax.inject.{Inject, Singleton}

import akka.actor.ActorSystem
import akka.pattern.CircuitBreaker
import org.zalando.zhewbacca.metrics.PluggableMetrics
import play.api.http.Status._
import play.api.libs.ws.WSClient
import play.api.{Configuration, Logger}

import scala.concurrent.duration._
import scala.concurrent.{ExecutionContext, Future}
import scala.util.control.NonFatal

import atmos.dsl._
import atmos.dsl.Slf4jSupport._

/**
  * Retrieves TokenInfo for given OAuth2 token using IAM API.
  *
  * Class applies a Circuit Breaker pattern, so it must be a singleton in the client's code. Implementation
  * depends on Play infrastructure so it will work only in a context of running application.
  *
  * @param config Play config to get configuration parameters for WS client and circuit breaker
  */
@Singleton
class IAMClient @Inject() (
    config: Configuration,
    pluggableMetrics: PluggableMetrics,
    ws: WSClient,
    actorSystem: ActorSystem,
    implicit val ec: ExecutionContext) extends (OAuth2Token => Future[Option[TokenInfo]]) {

  val logger: Logger = Logger("security.IAMClient")

  val METRICS_BREAKER_CLOSED = 0
  val METRICS_BREAKER_OPEN = 1
  val circuitStatus = new AtomicInteger()

  pluggableMetrics.gauge {
    circuitStatus.get
  }

  val authEndpoint: String = config.getOptional[String]("authorisation.iam.endpoint").getOrElse(
    throw new IllegalArgumentException("Authorisation: IAM endpoint is not configured"))

  val breakerMaxFailures: Int = config.getOptional[Int]("authorisation.iam.cb.maxFailures").getOrElse(
    throw new IllegalArgumentException("Authorisation: Circuit Breaker max failures is not configured"))

  val breakerCallTimeout: FiniteDuration = config.getOptional[FiniteDuration]("authorisation.iam.cb.callTimeout").getOrElse(
    throw new IllegalArgumentException("Authorisation: Circuit Breaker call timeout is not configured"))

  val breakerResetTimeout: FiniteDuration = config.getOptional[FiniteDuration]("authorisation.iam.cb.resetTimeout").getOrElse(
    throw new IllegalArgumentException("Authorisation: Circuit Breaker reset timeout is not configured"))

  val breakerMaxRetries: TerminationPolicy = config.getOptional[Int]("authorisation.iam.maxRetries").getOrElse(
    throw new IllegalArgumentException("Authorisation: Circuit Breaker max retries is not configured")).attempts

  val breakerRetryBackoff: FiniteDuration = config.getOptional[FiniteDuration]("authorisation.iam.retry.backoff.duration").getOrElse(
    throw new IllegalArgumentException("Authorisation: Circuit Breaker the duration of exponential backoff is not configured"))

  lazy val breaker: CircuitBreaker = new CircuitBreaker(
    actorSystem.scheduler,
    breakerMaxFailures,
    breakerCallTimeout,
    breakerResetTimeout).onHalfOpen {
    circuitStatus.set(METRICS_BREAKER_OPEN)
  }.onOpen {
    circuitStatus.set(METRICS_BREAKER_OPEN)
  }.onClose {
    circuitStatus.set(METRICS_BREAKER_CLOSED)
  }

  implicit val retryRecover = retryFor { breakerMaxRetries } using {
    exponentialBackoff { breakerRetryBackoff }
  } monitorWith {
    logger.logger onRetrying logNothing onInterrupted logWarning onAborted logError
  }

  override def apply(token: OAuth2Token): Future[Option[TokenInfo]] = {
    breaker.withCircuitBreaker(
      pluggableMetrics.timing(
        retryAsync(s"Calling $authEndpoint") {
          ws.url(authEndpoint).withQueryStringParameters(("access_token", token.value)).get()
        })).map { response =>
        response.status match {
          case OK => Some(response.json.as[TokenInfo])
          case _ => None
        }
      } recover {
        case NonFatal(e) =>
          logger.error(s"Exception occurred during validation of token '${token.toSafeString}': $e")
          None // consider any exception as invalid token
      }
  }

}