Merge branch '718-username-provider-refresh-token'

Author: nebhale

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/UaaSigningKeyResolver.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright 2013-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.uaa;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.SigningKeyResolver;
+import io.jsonwebtoken.impl.Base64Codec;
+import org.cloudfoundry.uaa.tokens.ListTokenKeysRequest;
+import org.cloudfoundry.uaa.tokens.ListTokenKeysResponse;
+import org.cloudfoundry.uaa.tokens.TokenKey;
+import org.cloudfoundry.uaa.tokens.Tokens;
+import reactor.core.Exceptions;
+
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.time.Duration;
+import java.util.HashMap;
+import java.util.Map;
+
+final class UaaSigningKeyResolver implements SigningKeyResolver {
+
+    private static final Base64Codec BASE64 = new Base64Codec();
+
+    private static final String BEGIN = "-----BEGIN PUBLIC KEY-----";
+
+    private static final String END = "-----END PUBLIC KEY-----";
+
+    private final Object monitor = new Object();
+
+    private final Map<String, Key> signingKeys = new HashMap<>();
+
+    private final Tokens tokens;
+
+    UaaSigningKeyResolver(Tokens tokens) {
+        this.tokens = tokens;
+    }
+
+    @Override
+    @SuppressWarnings("rawtypes")
+    public Key resolveSigningKey(JwsHeader header, Claims claims) {
+        return getKey(header.getKeyId());
+    }
+
+    @Override
+    @SuppressWarnings("rawtypes")
+    public Key resolveSigningKey(JwsHeader header, String plaintext) {
+        return getKey(header.getKeyId());
+    }
+
+    private static byte[] decode(TokenKey tokenKey) {
+        return BASE64.decode(tokenKey.getValue().replace(BEGIN, "").replace(END, "").trim());
+    }
+
+    private static Key generateKey(TokenKey tokenKey) {
+        try {
+            return KeyFactory
+                .getInstance(tokenKey.getKeyType().toString())
+                .generatePublic(new X509EncodedKeySpec(decode(tokenKey)));
+        } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+            throw Exceptions.propagate(e);
+        }
+    }
+
+    private Key getKey(String keyId) {
+        synchronized (this.monitor) {
+            Key key = this.signingKeys.get(keyId);
+            if (key != null) {
+                return key;
+            }
+
+            refreshKeys();
+
+            key = this.signingKeys.get(keyId);
+            if (key != null) {
+                return key;
+            }
+
+            throw new IllegalStateException(String.format("Unable to retrieve signing key %s", keyId));
+        }
+    }
+
+    private void refreshKeys() {
+        this.signingKeys.clear();
+        this.signingKeys.putAll(this.tokens
+            .listKeys(ListTokenKeysRequest.builder()
+                .build())
+            .flatMapIterable(ListTokenKeysResponse::getKeys)
+            .collectMap(TokenKey::getId, UaaSigningKeyResolver::generateKey)
+            .block(Duration.ofMinutes(5)));
+    }
+
+}

cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/UsernameProvider.java

@@ -17,81 +17,62 @@
 package org.cloudfoundry.reactor.uaa;
 
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.impl.Base64Codec;
+import io.jsonwebtoken.SigningKeyResolver;
 import org.cloudfoundry.reactor.ConnectionContext;
 import org.cloudfoundry.reactor.TokenProvider;
-import org.cloudfoundry.uaa.tokens.GetTokenKeyRequest;
-import org.cloudfoundry.uaa.tokens.GetTokenKeyResponse;
 import org.cloudfoundry.uaa.tokens.Tokens;
 import reactor.core.publisher.Mono;
 
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PublicKey;
-import java.security.spec.X509EncodedKeySpec;
 import java.util.Optional;
 
-import static org.cloudfoundry.util.tuple.TupleUtils.function;
-
 final class UsernameProvider {
 
-    private static final Base64Codec BASE64 = new Base64Codec();
-
-    private static final String BEGIN = "-----BEGIN PUBLIC KEY-----";
-
-    private static final String END = "-----END PUBLIC KEY-----";
-
     private final ConnectionContext connectionContext;
 
-    private final TokenProvider tokenProvider;
+    private final SigningKeyResolver signingKeyResolver;
 
-    private final Tokens tokens;
+    private final TokenProvider tokenProvider;
 
     UsernameProvider(ConnectionContext connectionContext, TokenProvider tokenProvider, Tokens tokens) {
+        this(connectionContext, new UaaSigningKeyResolver(tokens), tokenProvider);
+    }
+
+    UsernameProvider(ConnectionContext connectionContext, SigningKeyResolver signingKeyResolver, TokenProvider tokenProvider) {
         this.connectionContext = connectionContext;
         this.tokenProvider = tokenProvider;
-        this.tokens = tokens;
+        this.signingKeyResolver = signingKeyResolver;
     }
 
     Mono<String> get() {
-        return Mono
-            .when(
-                getSigningKey(this.tokens),
-                this.tokenProvider.getToken(this.connectionContext)
-                    .map(s -> s.split(" ")[1]))
-            .map(function(UsernameProvider::getUsername));
+        return getToken(this.connectionContext, this.tokenProvider)
+            .map(this::getUsername)
+            .retry(1, t -> {
+                if (t instanceof ExpiredJwtException) {
+                    this.tokenProvider.invalidate(this.connectionContext);
+                    return true;
+                }
+
+                return false;
+            });
     }
 
-    private static PublicKey generateKey(String pem) {
-        try {
-            return KeyFactory
-                .getInstance("RSA")
-                .generatePublic(new X509EncodedKeySpec(BASE64.decode(pem)));
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException(e);
-        }
+    private static Mono<String> getToken(ConnectionContext connectionContext, TokenProvider tokenProvider) {
+        return Mono.defer(() -> tokenProvider
+            .getToken(connectionContext))
+            .map(s -> s.split(" ")[1]);
     }
 
-    private static Mono<PublicKey> getSigningKey(Tokens tokens) {
-        return requestTokenKey(tokens)
-            .map(GetTokenKeyResponse::getValue)
-            .map(pem -> pem.replace(BEGIN, "").replace(END, "").trim())
-            .map(UsernameProvider::generateKey);
-    }
+    private String getUsername(String token) {
+        Jws<Claims> jws = Jwts.parser()
+            .setSigningKeyResolver(this.signingKeyResolver)
+            .parseClaimsJws(token);
 
-    private static String getUsername(PublicKey publicKey, String token) {
-        Jws<Claims> jws = Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
         return Optional
             .ofNullable(jws.getBody().get("user_name", String.class))
             .orElseThrow(() -> new IllegalStateException("Unable to retrieve username from token"));
     }
 
-    private static Mono<GetTokenKeyResponse> requestTokenKey(Tokens tokens) {
-        return tokens
-            .getKey(GetTokenKeyRequest.builder()
-                .build());
-    }
-
 }

cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/uaa/TestUsernameProviderRefresh.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2013-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.uaa;
+
+import org.cloudfoundry.reactor.DefaultConnectionContext;
+import org.cloudfoundry.reactor.tokenprovider.PasswordGrantTokenProvider;
+import org.cloudfoundry.uaa.UaaClient;
+import org.cloudfoundry.util.DelayUtils;
+
+import java.time.Duration;
+import java.util.concurrent.CountDownLatch;
+
+public final class TestUsernameProviderRefresh {
+
+    public static void main(String[] args) throws InterruptedException {
+        DefaultConnectionContext connectionContext = DefaultConnectionContext.builder()
+            .apiHost("api.run.pivotal.io")
+            .build();
+
+        PasswordGrantTokenProvider tokenProvider = PasswordGrantTokenProvider.builder()
+            .password("rNgdFPs{NgYYVW{PXCAJMqGuokEtVpBgRDu2zjQgJ7nNNFnokA")
+            .username("bhale@pivotal.io")
+            .build();
+
+        UaaClient uaaClient = ReactorUaaClient.builder()
+            .connectionContext(connectionContext)
+            .tokenProvider(tokenProvider)
+            .build();
+
+        CountDownLatch latch = new CountDownLatch(1);
+
+        uaaClient.getUsername()
+            .doOnNext(System.out::println)
+            .filter(s -> false)
+            .repeatWhenEmpty(DelayUtils.fixed(Duration.ofSeconds(30)))
+            .subscribe(System.out::println, t -> {
+                t.printStackTrace();
+                latch.countDown();
+            }, latch::countDown);
+
+        latch.await();
+    }
+
+}