/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at * docs/licenses/cddl.txt * or http://www.opensource.org/licenses/cddl1.php. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at * docs/licenses/cddl.txt. If applicable, * add the following below this CDDL HEADER, with the fields enclosed * by brackets "[]" replaced with your own identifying information: * Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * * Portions Copyright 2012-2023 Ping Identity Corporation */ package com.unboundid.directory.sdk.examples.groovy; import com.unboundid.directory.sdk.http.scripting.ScriptedOAuthTokenHandler; import com.unboundid.directory.sdk.http.config.OAuthTokenHandlerConfig; import com.unboundid.directory.sdk.http.types.HTTPServerContext; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.Entry; import com.unboundid.ldap.sdk.Filter; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchScope; import com.unboundid.scim.sdk.DeleteResourceRequest; import com.unboundid.scim.sdk.GetResourceRequest; import com.unboundid.scim.sdk.GetResourcesRequest; import com.unboundid.scim.sdk.OAuthToken; import com.unboundid.scim.sdk.OAuthTokenStatus; import com.unboundid.scim.sdk.PatchResourceRequest; import com.unboundid.scim.sdk.PostResourceRequest; import com.unboundid.scim.sdk.PutResourceRequest; import com.unboundid.scim.sdk.SCIMRequest; import com.unboundid.util.args.ArgumentException; import com.unboundid.util.args.ArgumentParser; import com.unboundid.util.args.DNArgument; import com.unboundid.util.args.FileArgument; import java.security.GeneralSecurityException; import java.security.KeyFactory; import java.security.PublicKey; import java.security.Signature; import java.security.spec.X509EncodedKeySpec /** * This class provides a simple implementation of a OAuth Token Handler * that validates access tokens from an authorization server encoded in the * following format: * <pre> * bearer_token := * [expiration_date][audience][scope][auth_user_id][signature] * * expiration_date := * encoded timestamp representing milliseconds since midnight, January 1, * 1970 UTC. (8 bytes) * * audience := * server UUID of the target resource server (16 bytes) * * scope := * an 16-bit (2 byte) mask, starting with the most significant bit: * * bit1: allow GET operations * bit2: allow SEARCH operations * bit3: allow POST operations * bit4: allow PUT operations * bit5: allow PATCH operations * bit6: allow DELETE operations * bits7-16: unused * * auth_user_id := * the entryUUID of the authorization entry for which to apply access * controls (16 bytes) * * signature := * an RSA-SHA1 signature of the * [expiration_date][audience][scope][auth_user_id], using the * authorization server's 1024-bit private RSA key (128 bytes) * </pre> * * Note this is a simplistic token encoding and is used only for the purpose of * demonstration. Production implementations should be sure to follow the * guidelines in the "OAuth 2.0 Threat Model and Security Considerations" * (<i>RFC 6819</i>). * <p> * Also note that the OAuth "scope" is implementation-defined, and thus needs * to be evaluated and applied within this extension, whereas standard LDAP * access controls will be applied automatically within the Directory Server * using the authorization entity (auth_user_id) from the token. This will * happen <i>after</i> the access token is validated using this extension. * <p> * * This example takes two configuration arguments: * <UL> * <LI>auth-server-public-key-file -- The path to the file containing the * DER-encoded public RSA key from the authorization server. This must be * provided.</LI> * <LI>auth-user-base-dn -- The base DN to use when looking up the DN of the * authorization user specified in the access token.</LI> * </UL> */ public final class ExampleScriptedOAuthTokenHandler extends ScriptedOAuthTokenHandler { // The server context for this extension. private HTTPServerContext serverContext = null; // The Signature object used to verify signed access tokens. private Signature signature = null; // The serverUUID of this server, which is used to verify the access token's // intended audience. private UUID serverUUID = null; // The base DN to use when looking up the DN of the authorization user // specified in the access token. private DN authorizationUserBaseDN = null; // The name of the argument that will be used for the argument used to specify // the file containing the authorization server's public key (in DER format). private static final String ARG_NAME_PUBLIC_KEY_FILE = "auth-server-public-key-file"; // The base DN to use when looking up the DN of the authorization user // specified in the access token. private static final String ARG_NAME_AUTH_USER_BASE_DN = "auth-user-base-dn"; // Constants for bit mask testing with OAuth scope values. private static final int ALLOW_GET = (1 << 31); private static final int ALLOW_SEARCH = (1 << 30); private static final int ALLOW_POST = (1 << 29); private static final int ALLOW_PUT = (1 << 28); private static final int ALLOW_PATCH = (1 << 27); private static final int ALLOW_DELETE = (1 << 26); /** * Creates a new instance of this OAuth Token handler. All token * handler implementations must include a default constructor, but any * initialization should generally be performed in the * {@code initializeTokenHandler()} method. */ public ExampleOAuthTokenHandler() { // No implementation required. } /** * Updates the provided argument parser to define any configuration arguments * which may be used by this token handler. The argument parser may also * be updated to define relationships between arguments (e.g., to specify * required, exclusive, or dependent argument sets). * * @param parser The argument parser to be updated with the configuration * arguments which may be used by this token handler. * * @throws ArgumentException If a problem is encountered while updating the * provided argument parser. */ @Override public void defineConfigArguments(final ArgumentParser parser) throws ArgumentException { String description = "The path to the file containing the DER-encoded public RSA key " + "from the authorization server. This must be provided."; final FileArgument publicKeyFileArg = new FileArgument(null, ARG_NAME_PUBLIC_KEY_FILE, true, 1, "{file-path}", description, true, true, true, false); parser.addArgument(publicKeyFileArg); description = "The base DN to use when looking up the DN of the authorization " + "user specified in the access token. This must be provided."; final DNArgument baseDNArg = new DNArgument(null, ARG_NAME_AUTH_USER_BASE_DN, true, 1, "{base-dn}", description); parser.addArgument(baseDNArg); } /** * Initializes this OAuth Token Handler. * * @param serverContext A handle to the server context for the server in * which this extension is running. * @param config The general configuration for this OAuth Token * Handler. * @param parser The argument parser which has been initialized from * the configuration for this token handler. * * @throws LDAPException If a problem occurs while initializing this token * handler. */ @Override() public void initializeTokenHandler( final HTTPServerContext serverContext, final OAuthTokenHandlerConfig config, final ArgumentParser parser) throws LDAPException { this.serverContext = serverContext; DNArgument baseDNArg = (DNArgument) parser.getNamedArgument(ARG_NAME_AUTH_USER_BASE_DN); this.authorizationUserBaseDN = baseDNArg.getValue(); FileArgument publicKeyFileArg = (FileArgument) parser.getNamedArgument(ARG_NAME_PUBLIC_KEY_FILE); File publicKeyFile = publicKeyFileArg.getValue(); try { signature = Signature.getInstance("SHA1withRSA"); //Read in the public key file RandomAccessFile f = new RandomAccessFile(publicKeyFile, "r"); byte[] publicKeyBytes = new byte[(int)f.length()]; f.read(publicKeyBytes); f.close(); //Initialize the Signature object with the auth server's public key X509EncodedKeySpec spec = new X509EncodedKeySpec(publicKeyBytes); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); PublicKey key = keyFactory.generatePublic(spec); signature.initVerify(key); //Get this server's serverUUID from the base monitor entry Entry entry = serverContext.getInternalRootConnection() .getEntry("cn=monitor", "serverUUID"); String serverUUIDStr = entry.getAttributeValue("serverUUID"); serverUUID = UUID.fromString(serverUUIDStr); } catch (Exception e) { serverContext.debugCaught(e); throw new LDAPException(ResultCode.LOCAL_ERROR, e); } } /** * Creates an {@link OAuthToken} instance from the incoming token value. * <p> * Implementers may choose to return a subclass of {@link OAuthToken} in order * to provide convenience methods for interacting with the token. This can be * helpful because the returned {@link OAuthToken} is passed to all of the * other methods in this class. * * @param base64TokenValue the base64-encoded bearer token value * @return a {@link OAuthToken} instance. This must not be {@code null}. * @throws GeneralSecurityException if there is an error decoding the token */ @Override public OAuthToken decodeOAuthToken(final String base64TokenValue) throws GeneralSecurityException { OAuthToken token = new OAuthToken(base64TokenValue); if(token.getRawTokenBytes().length != 170) { throw new GeneralSecurityException( "The access token was not the correct length"); } return token; } /** * Determines whether the given token is expired. * * @param token the OAuth 2.0 bearer token. * @return {@code true} if the token is already expired, {@code false} if not. * @throws java.security.GeneralSecurityException if there is an error * determining the token's expiration date */ @Override public boolean isTokenExpired(final OAuthToken token) throws GeneralSecurityException { //Extract the first 8 bytes from the raw token byte[] dBytes = new byte[8]; System.arraycopy(token.getRawTokenBytes(), 0, dBytes, 0, dBytes.length); Date expirationDate = new Date(bytesToLong(dBytes)); Date now = new Date(); return expirationDate.before(now); } /** * Determines whether the incoming token is authentic (i.e. that it came from * a trusted authorization server and not an attacker). Implementers are * encouraged to use signed tokens and use this method to verify the * signature, but other methods such as symmetric key encryption (using a * shared secret) can be used as well. * * @param token the OAuth 2.0 bearer token. * @return {@code true} if the bearer token can be verified as authentic and * originating from a trusted source, {@code false} if not. * @throws java.security.GeneralSecurityException * if there is an error determining whether the token is authentic */ @Override public boolean isTokenAuthentic(final OAuthToken token) throws GeneralSecurityException { byte[] tokenBytes = new byte[42]; byte[] signatureBytes = new byte[128]; //Extract the token bytes and the signature bytes from the raw token System.arraycopy(token.getRawTokenBytes(), 0, tokenBytes, 0, tokenBytes.length); System.arraycopy(token.getRawTokenBytes(), tokenBytes.length, signatureBytes, 0, signatureBytes.length); //Synchronize here to make this code thread-safe, since it may be called //simultaneously by multiple threads and is using the shared Signature //object synchronized (this) { signature.update(tokenBytes); return signature.verify(signatureBytes); } } /** * Determines whether the incoming token is targeted for this server. This * allows the implementation to reject the token early in the validation * process if it can see that the intended recipient was not this server. * * @param token the OAuth 2.0 bearer token. * @return {@code true} if the bearer token identifies this server as the * intended recipient, {@code false} if not. * @throws java.security.GeneralSecurityException * if there is an error determining whether the token is for this * server */ @Override public boolean isTokenForThisServer(final OAuthToken token) throws GeneralSecurityException { byte[] mostSignificantBits = new byte[8]; byte[] leastSignificantBits = new byte[8]; //Extract the serverUUID bytes from the raw token System.arraycopy(token.getRawTokenBytes(), 8, mostSignificantBits, 0, mostSignificantBits.length); System.arraycopy(token.getRawTokenBytes(), 16, leastSignificantBits, 0, leastSignificantBits.length); UUID targetServerUUID = new UUID(bytesToLong(mostSignificantBits), bytesToLong(leastSignificantBits)); return targetServerUUID.equals(serverUUID); } /** * Determines whether the incoming token is valid for the given request. This * method should verify that the token is legitimate and grants access to the * requested resource specified in the {@link SCIMRequest}. This typically * involves checking the token scope and any other attributes granted by the * authorization grant. Implementations may need to call back to the * authorization server to verify that the token is still valid and has not * been revoked. * * @param token the OAuth 2.0 bearer token. * @param scimRequest the {@link SCIMRequest} that we are validating. * @return an {@link OAuthTokenStatus} object which indicates whether the * bearer token is valid and grants access to the target resource. * This must not be {@code null}. * @throws java.security.GeneralSecurityException if there is an error * determining whether the token is valid */ @Override public OAuthTokenStatus validateToken(final OAuthToken token, final SCIMRequest scimRequest) throws GeneralSecurityException { //There are 2 bytes allocated to the scope, but we'll extract them into an //array of 4 bytes and convert that to an integer so we can perform bit-wise //arithmetic to check the scope values. byte[] scopeBytes = new byte[4]; //Extract the OAuth scope from the raw token System.arraycopy(token.getRawTokenBytes(), 24, scopeBytes, 0, 2); int scope = 0; for (int i = 0; i < scopeBytes.length; i++) { scope <<= 8; scope |= (scopeBytes[i] & 0xFF); } if (scimRequest instanceof GetResourceRequest) { return checkScope(scope, ALLOW_GET); } else if (scimRequest instanceof GetResourcesRequest) { return checkScope(scope, ALLOW_SEARCH); } else if (scimRequest instanceof PostResourceRequest) { return checkScope(scope, ALLOW_POST); } else if (scimRequest instanceof PutResourceRequest) { return checkScope(scope, ALLOW_PUT); } else if (scimRequest instanceof PatchResourceRequest) { return checkScope(scope, ALLOW_PATCH); } else if (scimRequest instanceof DeleteResourceRequest) { return checkScope(scope, ALLOW_DELETE); } else { return new OAuthTokenStatus(OAuthTokenStatus.ErrorCode.INVALID_TOKEN, "Could not determine request type"); } } /** * Extracts the DN of the authorization entry (for which to apply access * controls) from the incoming token. * <p/> * This may require performing an LDAP search in order to find the DN that * matches a certain attribute value contained in the token. * * @param token the OAuth 2.0 bearer token. * @return the authorization DN to use. This must not return {@code null}. * @throws java.security.GeneralSecurityException * if there is an error determining the authorization user DN */ @Override public DN getAuthzDN(final OAuthToken token) throws GeneralSecurityException { byte[] mostSignificantBits = new byte[8]; byte[] leastSignificantBits = new byte[8]; //Extract the entryUUID bytes from the raw token System.arraycopy(token.getRawTokenBytes(), 26, mostSignificantBits, 0, mostSignificantBits.length); System.arraycopy(token.getRawTokenBytes(), 34, leastSignificantBits, 0, leastSignificantBits.length); UUID authzEntryUUID = new UUID(bytesToLong(mostSignificantBits), bytesToLong(leastSignificantBits)); try { Entry entry = serverContext.getInternalRootConnection().searchForEntry( authorizationUserBaseDN.toString(), SearchScope.SUB, Filter.createEqualityFilter("entryUUID", authzEntryUUID.toString())); if (entry != null) { return entry.getParsedDN(); } else { throw new LDAPException(ResultCode.NO_SUCH_OBJECT); } } catch (LDAPException e) { throw new GeneralSecurityException( "Could not find the authorization entry", e); } } /** * Helper to verify that the given scope has the privileges specified by the * given bit mask. * * @param scope the OAuth scope bytes from the access token. * @param bitMask the scope bytes to check against. * @return an {@link OAuthTokenStatus} instance indicating whether the given * token scope allows the access required to perform the requested * operation. */ private OAuthTokenStatus checkScope(final int scope, final int bitMask) { if ((scope & bitMask) != 0) { return new OAuthTokenStatus( OAuthTokenStatus.ErrorCode.OK); } else { return new OAuthTokenStatus( OAuthTokenStatus.ErrorCode.INSUFFICIENT_SCOPE); } } /** * Helper to expand a compact 8-byte array to a Java long object. * * @param bytes the byte array to convert. * @return a Java long object */ private long bytesToLong(final byte[] bytes) throws IllegalArgumentException { if (bytes == null || bytes.length != 8) { throw new IllegalArgumentException( "The byte array did not contain exactly 8 bytes"); } long l = 0L; for (int i = 0; i < bytes.length; i++) { l <<= 8; l |= (bytes[i] & 0xFF); } return l; } }