Refresh Token when Getting Username

Previously, when the username was extracted from the current token, if it had
expired at some point that was propagated as a failure.  This change updates
the code such that if there is token expiration failure, the token is
refreshed and the username is extracted again.  If this does not work, an
error is propagated.

While working on the UsernameProvider, I also updated how signing keys were
acquired.  The new implementation deals with signing key rotation by
attempting to use a cached copy of the keys where possible, but when a key is
requested that does not exist, it refreshes the collection of signing keys and
returns the newly matching one.  If this refresh doesn't find the specified
signing key, an error is propagated.

[resolves #718]

Author: nebhale

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/UaaSigningKeyResolver.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright 2013-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.uaa;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.SigningKeyResolver;
+import io.jsonwebtoken.impl.Base64Codec;
+import org.cloudfoundry.uaa.tokens.ListTokenKeysRequest;
+import org.cloudfoundry.uaa.tokens.ListTokenKeysResponse;
+import org.cloudfoundry.uaa.tokens.TokenKey;
+import org.cloudfoundry.uaa.tokens.Tokens;
+import reactor.core.Exceptions;
+
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.time.Duration;
+import java.util.HashMap;
+import java.util.Map;
+
+final class UaaSigningKeyResolver implements SigningKeyResolver {
+
+    private static final Base64Codec BASE64 = new Base64Codec();
+
+    private static final String BEGIN = "-----BEGIN PUBLIC KEY-----";
+
+    private static final String END = "-----END PUBLIC KEY-----";
+
+    private final Object monitor = new Object();
+
+    private final Map<String, Key> signingKeys = new HashMap<>();
+
+    private final Tokens tokens;
+
+    UaaSigningKeyResolver(Tokens tokens) {
+        this.tokens = tokens;
+    }
+
+    @Override
+    @SuppressWarnings("rawtypes")
+    public Key resolveSigningKey(JwsHeader header, Claims claims) {
+        return getKey(header.getKeyId());
+    }
+
+    @Override
+    @SuppressWarnings("rawtypes")
+    public Key resolveSigningKey(JwsHeader header, String plaintext) {
+        return getKey(header.getKeyId());
+    }
+
+    private static byte[] decode(TokenKey tokenKey) {
+        return BASE64.decode(tokenKey.getValue().replace(BEGIN, "").replace(END, "").trim());
+    }
+
+    private static Key generateKey(TokenKey tokenKey) {
+        try {
+            return KeyFactory
+                .getInstance(tokenKey.getKeyType().toString())
+                .generatePublic(new X509EncodedKeySpec(decode(tokenKey)));
+        } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+            throw Exceptions.propagate(e);
+        }
+    }
+
+    private Key getKey(String keyId) {
+        synchronized (this.monitor) {
+            Key key = this.signingKeys.get(keyId);
+            if (key != null) {
+                return key;
+            }
+
+            refreshKeys();
+
+            key = this.signingKeys.get(keyId);
+            if (key != null) {
+                return key;
+            }
+
+            throw new IllegalStateException(String.format("Unable to retrieve signing key %s", keyId));
+        }
+    }
+
+    private void refreshKeys() {
+        this.signingKeys.clear();
+        this.signingKeys.putAll(this.tokens
+            .listKeys(ListTokenKeysRequest.builder()
+                .build())
+            .flatMapIterable(ListTokenKeysResponse::getKeys)
+            .collectMap(TokenKey::getId, UaaSigningKeyResolver::generateKey)
+            .block(Duration.ofMinutes(5)));
+    }
+
+}

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/UsernameProvider.java

@@ -17,81 +17,62 @@
 package org.cloudfoundry.reactor.uaa;
 
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.impl.Base64Codec;
+import io.jsonwebtoken.SigningKeyResolver;
 import org.cloudfoundry.reactor.ConnectionContext;
 import org.cloudfoundry.reactor.TokenProvider;
-import org.cloudfoundry.uaa.tokens.GetTokenKeyRequest;
-import org.cloudfoundry.uaa.tokens.GetTokenKeyResponse;
 import org.cloudfoundry.uaa.tokens.Tokens;
 import reactor.core.publisher.Mono;
 
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PublicKey;
-import java.security.spec.X509EncodedKeySpec;
 import java.util.Optional;
 
-import static org.cloudfoundry.util.tuple.TupleUtils.function;
-
 final class UsernameProvider {
 
-    private static final Base64Codec BASE64 = new Base64Codec();
-
-    private static final String BEGIN = "-----BEGIN PUBLIC KEY-----";
-
-    private static final String END = "-----END PUBLIC KEY-----";
-
     private final ConnectionContext connectionContext;
 
-    private final TokenProvider tokenProvider;
+    private final SigningKeyResolver signingKeyResolver;
 
-    private final Tokens tokens;
+    private final TokenProvider tokenProvider;
 
     UsernameProvider(ConnectionContext connectionContext, TokenProvider tokenProvider, Tokens tokens) {
+        this(connectionContext, new UaaSigningKeyResolver(tokens), tokenProvider);
+    }
+
+    UsernameProvider(ConnectionContext connectionContext, SigningKeyResolver signingKeyResolver, TokenProvider tokenProvider) {
         this.connectionContext = connectionContext;
         this.tokenProvider = tokenProvider;
-        this.tokens = tokens;
+        this.signingKeyResolver = signingKeyResolver;
     }
 
     Mono<String> get() {
-        return Mono
-            .when(
-                getSigningKey(this.tokens),
-                this.tokenProvider.getToken(this.connectionContext)
-                    .map(s -> s.split(" ")[1]))
-            .map(function(UsernameProvider::getUsername));
+        return getToken(this.connectionContext, this.tokenProvider)
+            .map(this::getUsername)
+            .retry(1, t -> {
+                if (t instanceof ExpiredJwtException) {
+                    this.tokenProvider.invalidate(this.connectionContext);
+                    return true;
+                }
+
+                return false;
+            });
     }
 
-    private static PublicKey generateKey(String pem) {
-        try {
-            return KeyFactory
-                .getInstance("RSA")
-                .generatePublic(new X509EncodedKeySpec(BASE64.decode(pem)));
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException(e);
-        }
+    private static Mono<String> getToken(ConnectionContext connectionContext, TokenProvider tokenProvider) {
+        return Mono.defer(() -> tokenProvider
+            .getToken(connectionContext))
+            .map(s -> s.split(" ")[1]);
     }
 
-    private static Mono<PublicKey> getSigningKey(Tokens tokens) {
-        return requestTokenKey(tokens)
-            .map(GetTokenKeyResponse::getValue)
-            .map(pem -> pem.replace(BEGIN, "").replace(END, "").trim())
-            .map(UsernameProvider::generateKey);
-    }
+    private String getUsername(String token) {
+        Jws<Claims> jws = Jwts.parser()
+            .setSigningKeyResolver(this.signingKeyResolver)
+            .parseClaimsJws(token);
 
-    private static String getUsername(PublicKey publicKey, String token) {
-        Jws<Claims> jws = Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
         return Optional
             .ofNullable(jws.getBody().get("user_name", String.class))
             .orElseThrow(() -> new IllegalStateException("Unable to retrieve username from token"));
     }
 
-    private static Mono<GetTokenKeyResponse> requestTokenKey(Tokens tokens) {
-        return tokens
-            .getKey(GetTokenKeyRequest.builder()
-                .build());
-    }
-
 }

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/uaa/TestUsernameProviderRefresh.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2013-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.uaa;
+
+import org.cloudfoundry.reactor.DefaultConnectionContext;
+import org.cloudfoundry.reactor.tokenprovider.PasswordGrantTokenProvider;
+import org.cloudfoundry.uaa.UaaClient;
+import org.cloudfoundry.util.DelayUtils;
+
+import java.time.Duration;
+import java.util.concurrent.CountDownLatch;
+
+public final class TestUsernameProviderRefresh {
+
+    public static void main(String[] args) throws InterruptedException {
+        DefaultConnectionContext connectionContext = DefaultConnectionContext.builder()
+            .apiHost("api.run.pivotal.io")
+            .build();
+
+        PasswordGrantTokenProvider tokenProvider = PasswordGrantTokenProvider.builder()
+            .password("rNgdFPs{NgYYVW{PXCAJMqGuokEtVpBgRDu2zjQgJ7nNNFnokA")
+            .username("bhale@pivotal.io")
+            .build();
+
+        UaaClient uaaClient = ReactorUaaClient.builder()
+            .connectionContext(connectionContext)
+            .tokenProvider(tokenProvider)
+            .build();
+
+        CountDownLatch latch = new CountDownLatch(1);
+
+        uaaClient.getUsername()
+            .doOnNext(System.out::println)
+            .filter(s -> false)
+            .repeatWhenEmpty(DelayUtils.fixed(Duration.ofSeconds(30)))
+            .subscribe(System.out::println, t -> {
+                t.printStackTrace();
+                latch.countDown();
+            }, latch::countDown);
+
+        latch.await();
+    }
+
+}