ls1intum · janthoXO · Oct 1, 2024 · Oct 1, 2024 · Oct 2, 2024 · Oct 4, 2024
diff --git a/src/main/java/de/tum/cit/aet/artemis/core/config/websocket/WebsocketConfiguration.java b/src/main/java/de/tum/cit/aet/artemis/core/config/websocket/WebsocketConfiguration.java
@@ -19,7 +19,7 @@
 import java.util.regex.Pattern;
 
 import jakarta.annotation.Nullable;
-import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.validation.constraints.NotNull;
 
 import org.slf4j.Logger;
@@ -52,7 +52,6 @@
 import org.springframework.web.socket.server.HandshakeInterceptor;
 import org.springframework.web.socket.server.support.DefaultHandshakeHandler;
 import org.springframework.web.socket.sockjs.transport.handler.WebSocketTransportHandler;
-import org.springframework.web.util.WebUtils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Iterators;
@@ -203,8 +202,7 @@ public boolean beforeHandshake(@NotNull ServerHttpRequest request, @NotNull Serv
                     @NotNull Map<String, Object> attributes) {
                 if (request instanceof ServletServerHttpRequest servletRequest) {
                     attributes.put(IP_ADDRESS, servletRequest.getRemoteAddress());
-                    Cookie jwtCookie = WebUtils.getCookie(servletRequest.getServletRequest(), JWTFilter.JWT_COOKIE_NAME);
-                    return JWTFilter.isJwtCookieValid(tokenProvider, jwtCookie);
+                    return JWTFilter.extractValidJwt((HttpServletRequest) servletRequest, tokenProvider) != null;
                 }
                 return false;
             }

@@ -41,6 +41,17 @@ public ResponseCookie buildLoginCookie(boolean rememberMe) {
         return buildJWTCookie(jwt, duration);
     }
 
+    /**
+     * Builds the cookie with Theia flag
+     *
+     * @param duration the duration of the cookie and the jwt
+     * @return the login ResponseCookie containing the JWT
+     */
+    public ResponseCookie buildTheiaCookie(long duration) {
+        String jwt = tokenProvider.createToken(SecurityContextHolder.getContext().getAuthentication(), duration, "THEIA");
+        return buildJWTCookie(jwt, Duration.of(duration, ChronoUnit.MILLIS));
+    }
+
     /**
      * Builds the cookie containing the jwt for a logout and sets it in the response
      *

diff --git a/src/main/java/de/tum/cit/aet/artemis/core/security/jwt/JWTFilter.java b/src/main/java/de/tum/cit/aet/artemis/core/security/jwt/JWTFilter.java
@@ -9,6 +9,7 @@
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.StringUtils;
@@ -31,26 +32,72 @@ public JWTFilter(TokenProvider tokenProvider) {
     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
         HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
-        Cookie jwtCookie = WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME);
-        if (isJwtCookieValid(this.tokenProvider, jwtCookie)) {
-            Authentication authentication = this.tokenProvider.getAuthentication(jwtCookie.getValue());
+
+        // check if valid JWT token is in the cookie or in the Authorization header
+        // then proceed to do authentication with this token
+        String jwtToken = extractValidJwt(httpServletRequest, this.tokenProvider);
+        if (jwtToken != null) {
+            Authentication authentication = this.tokenProvider.getAuthentication(jwtToken);
             SecurityContextHolder.getContext().setAuthentication(authentication);
         }
+
         filterChain.doFilter(servletRequest, servletResponse);
     }
 
     /**
-     * Checks if the cookie containing the jwt is valid
+     * // Extracts the first valid jwt token found in the cookie or the Authorization header
      *
-     * @param tokenProvider the artemis token provider used to generate and validate jwt's
-     * @param jwtCookie     the cookie containing the jwt
-     * @return true if the jwt is valid, false if missing or invalid
+     * @param httpServletRequest the http request
+     * @param tokenProvider      the artemis token provider used to generate and validate jwt's
+     * @return the valid jwt token or null if not found or invalid
      */
-    public static boolean isJwtCookieValid(TokenProvider tokenProvider, Cookie jwtCookie) {
+    public static @Nullable String extractValidJwt(HttpServletRequest httpServletRequest, TokenProvider tokenProvider) {
+        String jwtToken = getJwtFromCookie(WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME));
+        if (isJwtValid(tokenProvider, jwtToken)) {
+            return jwtToken;
+        }
+        jwtToken = getJwtFromBearer(httpServletRequest.getHeader("Authorization"));
+        if (isJwtValid(tokenProvider, jwtToken)) {
+            return jwtToken;
+        }
+        return null;
+    }
+
+    /**
+     * Extracts the jwt token from the cookie
+     *
+     * @param jwtCookie the cookie with Key "jwt"
+     * @return the jwt token or null if not found
+     */
+    private static @Nullable String getJwtFromCookie(Cookie jwtCookie) {
         if (jwtCookie == null) {
-            return false;
+            return null;
         }
-        String jwt = jwtCookie.getValue();
-        return StringUtils.hasText(jwt) && tokenProvider.validateTokenForAuthority(jwt);
+        return jwtCookie.getValue();
+    }
+
+    /**
+     * Extracts the jwt token from the Authorization header
+     *
+     * @param jwtBearer the content of the Authorization header
+     * @return the jwt token or null if not found
+     */
+    private static @Nullable String getJwtFromBearer(String jwtBearer) {
+        if (!StringUtils.hasText(jwtBearer) || !jwtBearer.startsWith("Bearer ")) {
+            return null;
+        }
+
+        return jwtBearer.substring(7).trim();
+    }
+
+    /**
+     * Checks if the jwt token is valid
+     *
+     * @param tokenProvider the artemis token provider used to generate and validate jwt's
+     * @param jwtToken      the jwt token
+     * @return true if the jwt is valid, false if missing or invalid
+     */
+    private static boolean isJwtValid(TokenProvider tokenProvider, String jwtToken) {
+        return StringUtils.hasText(jwtToken) && tokenProvider.validateTokenForAuthority(jwtToken);
     }
 }
@@ -95,11 +95,26 @@ public long getTokenValidity(boolean rememberMe) {
      * @return JWT Token
      */
     public String createToken(Authentication authentication, boolean rememberMe) {
+        return createToken(authentication, getTokenValidity(rememberMe));
+    }
+
+    /**
+     * Create JWT Token a fully populated <code>Authentication</code> object.
+     *
+     * @param authentication Authentication Object
+     * @param duration       the Token lifetime
+     * @param tools          tools this token is used for
+     * @return JWT Token
+     */
+    public String createToken(Authentication authentication, long duration, String... tools) {
         String authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.joining(","));
 
+        String toolClaims = String.join(",", tools);
+
         long now = (new Date()).getTime();
-        Date validity = new Date(now + getTokenValidity(rememberMe));
-        return Jwts.builder().subject(authentication.getName()).claim(AUTHORITIES_KEY, authorities).signWith(key, Jwts.SIG.HS512).expiration(validity).compact();
+        Date validity = new Date(now + duration);
+        return Jwts.builder().subject(authentication.getName()).claim(AUTHORITIES_KEY, authorities).claim("tools", toolClaims).signWith(key, Jwts.SIG.HS512).expiration(validity)
+                .compact();
     }
 
     /**

@@ -2,6 +2,9 @@
 
 import static de.tum.cit.aet.artemis.core.config.Constants.PROFILE_CORE;
 
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
 import java.util.Optional;
 
 import jakarta.servlet.ServletException;
@@ -33,8 +36,11 @@
 import de.tum.cit.aet.artemis.core.exception.AccessForbiddenException;
 import de.tum.cit.aet.artemis.core.security.SecurityUtils;
 import de.tum.cit.aet.artemis.core.security.UserNotActivatedException;
+import de.tum.cit.aet.artemis.core.security.annotations.EnforceAtLeastStudent;
 import de.tum.cit.aet.artemis.core.security.annotations.EnforceNothing;
 import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService;
+import de.tum.cit.aet.artemis.core.security.jwt.JWTFilter;
+import de.tum.cit.aet.artemis.core.security.jwt.TokenProvider;
 import de.tum.cit.aet.artemis.core.service.connectors.SAML2Service;
 
 /**
@@ -49,12 +55,15 @@ public class PublicUserJwtResource {
 
     private final JWTCookieService jwtCookieService;
 
+    private final TokenProvider tokenProvider;
+
     private final AuthenticationManager authenticationManager;
 
     private final Optional<SAML2Service> saml2Service;
 
-    public PublicUserJwtResource(JWTCookieService jwtCookieService, AuthenticationManager authenticationManager, Optional<SAML2Service> saml2Service) {
+    public PublicUserJwtResource(JWTCookieService jwtCookieService, TokenProvider tokenProvider, AuthenticationManager authenticationManager, Optional<SAML2Service> saml2Service) {
         this.jwtCookieService = jwtCookieService;
+        this.tokenProvider = tokenProvider;
         this.authenticationManager = authenticationManager;
         this.saml2Service = saml2Service;
     }
@@ -69,7 +78,7 @@ public PublicUserJwtResource(JWTCookieService jwtCookieService, AuthenticationMa
      */
     @PostMapping("authenticate")
     @EnforceNothing
-    public ResponseEntity<Void> authorize(@Valid @RequestBody LoginVM loginVM, @RequestHeader("User-Agent") String userAgent, HttpServletResponse response) {
+    public ResponseEntity<String> authorize(@Valid @RequestBody LoginVM loginVM, @RequestHeader("User-Agent") String userAgent, HttpServletResponse response) {
 
         var username = loginVM.getUsername();
         var password = loginVM.getPassword();
@@ -86,14 +95,41 @@ public ResponseEntity<Void> authorize(@Valid @RequestBody LoginVM loginVM, @Requ
             ResponseCookie responseCookie = jwtCookieService.buildLoginCookie(rememberMe);
             response.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString());
 
-            return ResponseEntity.ok().build();
+            return ResponseEntity.ok(responseCookie.getValue());
         }
         catch (BadCredentialsException ex) {
             log.warn("Wrong credentials during login for user {}", loginVM.getUsername());
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
         }
     }
 
+    /**
+     * Sends a theia token back as cookie and bearer token
+     *
+     * @param request  HTTP request
+     * @param response HTTP response
+     * @return the ResponseEntity with status 200 (ok), 401 (unauthorized)
+     */
+    @PostMapping("theia-token")
+    @EnforceAtLeastStudent
+    public ResponseEntity<String> reKey(HttpServletRequest request, HttpServletResponse response) {
+        // remaining time in milliseconds
+        var jwtToken = JWTFilter.extractValidJwt(request, tokenProvider);
+        if (jwtToken == null) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+        }
+
+        // get validity of the token
+        long tokenRemainingTime = tokenProvider.getExpirationDate(jwtToken).getTime() - new Date().getTime();
+
+        // 1 day validity
+        long maxDuration = Duration.ofDays(1).get(ChronoUnit.MILLIS);
+        ResponseCookie responseCookie = jwtCookieService.buildTheiaCookie(Math.min(tokenRemainingTime, maxDuration));
+
+        response.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString());
+        return ResponseEntity.ok(responseCookie.getValue());
+    }
+
     /**
      * Authorizes a User logged in with SAML2
      *