add user-access interceptor to httpServer

Psilo · Psilo · commit e659d95cf12f · 2020-10-19T16:25:25.000+02:00
allows to intercept user-credentials for authentication-bound endpoints
bump version
diff --git a/pom.xml b/pom.xml
@@ -17,7 +17,7 @@
 
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>http-server</artifactId>
-	<version>0.1.2</version>
+	<version>0.1.3</version>
 	<name>HttpServer</name>
 	<packaging>jar</packaging>
 
diff --git a/src/main/java/info/unterrainer/commons/httpserver/HttpServer.java b/src/main/java/info/unterrainer/commons/httpserver/HttpServer.java
@@ -10,6 +10,7 @@
 import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Consumer;
 
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -26,6 +27,7 @@
 import info.unterrainer.commons.httpserver.handlers.HealthHandler;
 import info.unterrainer.commons.httpserver.handlers.PostmanCollectionHandler;
 import info.unterrainer.commons.httpserver.jsons.MessageJson;
+import info.unterrainer.commons.httpserver.jsons.UserDataJson;
 import info.unterrainer.commons.jreutils.ShutdownHook;
 import info.unterrainer.commons.rdbutils.entities.BasicJpa;
 import info.unterrainer.commons.serialization.JsonMapper;
@@ -36,6 +38,7 @@
 import io.javalin.http.Handler;
 import io.javalin.http.HandlerType;
 import lombok.Builder;
+import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 import ma.glasnost.orika.MapperFactory;
 import ma.glasnost.orika.impl.DefaultMapperFactory;
@@ -53,6 +56,8 @@ public class HttpServer {
 	private List<HandlerInstance> handlerInstances = new ArrayList<>();
 	ExecutorService executorService;
 	List<String> appVersionFqns;
+	@Getter
+	private Consumer<UserDataJson> userAccessInterceptor;
 
 	private HttpServer() {
 	}
@@ -167,6 +172,11 @@ public void start() {
 			javalin.addHandler(hi.handlerType(), hi.path(), hi.handler(), hi.roles());
 	}
 
+	public HttpServer setUserAccessInterceptor(final Consumer<UserDataJson> userAccessInterceptor) {
+		this.userAccessInterceptor = userAccessInterceptor;
+		return this;
+	}
+
 	public HttpServer get(final String path, final Handler handler, final Role... roles) {
 		handlerInstances.add(HandlerInstance.builder()
 				.path(path)
diff --git a/src/main/java/info/unterrainer/commons/httpserver/accessmanager/HttpAccessManager.java b/src/main/java/info/unterrainer/commons/httpserver/accessmanager/HttpAccessManager.java
@@ -9,6 +9,7 @@
 import java.net.http.HttpResponse.BodyHandlers;
 import java.security.PublicKey;
 import java.util.Set;
+import java.util.function.Consumer;
 
 import org.eclipse.jetty.http.HttpHeader;
 import org.keycloak.TokenVerifier;
@@ -18,10 +19,12 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 
+import info.unterrainer.commons.httpserver.HttpServer;
 import info.unterrainer.commons.httpserver.enums.Attribute;
 import info.unterrainer.commons.httpserver.exceptions.ForbiddenException;
 import info.unterrainer.commons.httpserver.exceptions.GatewayTimeoutException;
 import info.unterrainer.commons.httpserver.exceptions.UnauthorizedException;
+import info.unterrainer.commons.httpserver.jsons.UserDataJson;
 import io.javalin.core.security.AccessManager;
 import io.javalin.core.security.Role;
 import io.javalin.http.Context;
@@ -49,7 +52,8 @@ public HttpAccessManager(final String host, final String realm) {
 
 	@Override
 	public void manage(final Handler handler, final Context ctx, final Set<Role> permittedRoles) throws Exception {
-		checkAccess(ctx, permittedRoles);
+		checkAccess(ctx, permittedRoles,
+				((HttpServer) ctx.attribute(Attribute.JAVALIN_SERVER)).getUserAccessInterceptor());
 		handler.handle(ctx);
 	}
 
@@ -79,10 +83,13 @@ private void initPublicKey() {
 				}
 				return response.body();
 			}).thenAccept(body -> {
-				if (body == null)
+				if (body == null) {
+					log.warn("Received empty body.");
 					return;
+				}
 				try {
 					publicKey = objectMapper.readValue(body, PublishedRealmRepresentation.class).getPublicKey();
+					log.info("Public key received.");
 				} catch (IOException e) {
 					log.error("Error parsing answer from keycloak.");
 					throw new UncheckedIOException(e);
@@ -94,9 +101,10 @@ private void initPublicKey() {
 		}
 	}
 
-	private void checkAccess(final Context ctx, final Set<Role> permittedRoles) {
+	private void checkAccess(final Context ctx, final Set<Role> permittedRoles,
+			final Consumer<UserDataJson> userAccessInterceptor) {
 		try {
-			TokenVerifier<AccessToken> tokenVerifier = persistUserInfoInContext(ctx);
+			TokenVerifier<AccessToken> tokenVerifier = persistUserInfoInContext(ctx, userAccessInterceptor);
 
 			if (permittedRoles.isEmpty() || permittedRoles.contains(DefaultRole.OPEN) && permittedRoles.size() == 1)
 				return;
@@ -137,7 +145,8 @@ private boolean hasPermittedRole(final Context ctx, final Set<Role> permittedRol
 		return false;
 	}
 
-	private TokenVerifier<AccessToken> persistUserInfoInContext(final Context ctx) {
+	private TokenVerifier<AccessToken> persistUserInfoInContext(final Context ctx,
+			final Consumer<UserDataJson> userAccessInterceptor) {
 		String authorizationHeader = ctx.header(HttpHeader.AUTHORIZATION.asString());
 
 		if (authorizationHeader == null || authorizationHeader.isBlank())
@@ -167,6 +176,19 @@ private TokenVerifier<AccessToken> persistUserInfoInContext(final Context ctx) {
 				clientRoles = token.getResourceAccess().get(key).getRoles();
 			ctx.attribute(Attribute.USER_CLIENT_ROLES, clientRoles);
 
+			userAccessInterceptor.accept(UserDataJson.builder()
+					.userName(userName)
+					.givenName(token.getGivenName())
+					.client(token.getIssuedFor())
+					.familyName(token.getFamilyName())
+					.email(token.getEmail())
+					.emailVerified(token.getEmailVerified())
+					.realmRoles(token.getRealmAccess().getRoles())
+					.clientRoles(clientRoles)
+					.isActive(token.isActive())
+					.isBearer(token.getType().equalsIgnoreCase("bearer"))
+					.build());
+
 			if (!token.isActive()) {
 				setTokenRejectionReason(ctx, "Token is inactive.");
 				return null;
diff --git a/src/main/java/info/unterrainer/commons/httpserver/jsons/UserDataJson.java b/src/main/java/info/unterrainer/commons/httpserver/jsons/UserDataJson.java
@@ -0,0 +1,28 @@
+package info.unterrainer.commons.httpserver.jsons;
+
+import java.util.Set;
+
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.experimental.SuperBuilder;
+
+@Data
+@NoArgsConstructor
+@SuperBuilder(toBuilder = true)
+public class UserDataJson {
+
+	private String userName;
+	private String client;
+
+	private String givenName;
+	private String familyName;
+
+	private String email;
+	private boolean emailVerified;
+
+	private Set<String> realmRoles;
+	private Set<String> clientRoles;
+
+	private boolean isActive;
+	private boolean isBearer;
+}
