-
Notifications
You must be signed in to change notification settings - Fork 297
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Programming exercises: Add tool token support
#9408
Open
janthoXO
wants to merge
47
commits into
develop
Choose a base branch
from
feature/re-key
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from 46 commits
Commits
Show all changes
47 commits
Select commit
Hold shift + click to select a range
5dec295
enable bearer authentication
janthoXO b447b28
Add re-key endpoint
janthoXO a3d0fbb
Implement rabbit feedback
janthoXO 069f2eb
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
janthoXO 39e4bad
make token theia specific
janthoXO ddd8802
fix conversion from day to millis
janthoXO 07afea2
only respond as cookie if asked for
janthoXO b59f8ad
fix class cast error for websockets
janthoXO 896fd4c
let login return json with token
janthoXO 2e247db
add server test for bearer token
janthoXO e8bde67
Merge branch 'develop' into feature/bearer-support
iyannsch c36c6ec
Merge branch 'develop' into feature/re-key
iyannsch 8743e73
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
iyannsch 02e63b7
change theia token to general tool token endpoint
janthoXO 44ca43c
Apply suggestions from code review
janthoXO 6cab497
add tool token annotation
janthoXO e2bb2d0
Merge remote-tracking branch 'origin/feature/re-key' into feature/re-key
janthoXO 6e61b26
move interceptor registration
janthoXO 149a53a
add tool token option to login
janthoXO b0ed73d
change filter chain to only accept one auth method
janthoXO 6b19a87
Merge remote-tracking branch 'origin/feature/bearer-support' into fea…
janthoXO 8df1a6b
write filter a bit nicer
janthoXO 7fe83a9
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
janthoXO 9f61018
annotate endpoints required by Scorpio
janthoXO 5908f73
change bad request behaviour
janthoXO 288a1eb
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/be…
iyannsch 81f4739
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/re…
iyannsch 7a69620
fix server tests
5803813
Merge remote-tracking branch 'origin/feature/re-key' into feature/re-key
1cf7281
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/be…
4dabd91
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
52b816b
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
9ca745b
adjust tests
277f8b1
merge from bearer support
3e93d8c
include rabbit feedback
8715557
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
ca0aa32
include test for allowedTools annotation
f2f2851
change from Date to ZonedDateTime
fe7af6d
use system.currenttimemillis instead of zonedtimedate
28d0c44
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/re…
1b257ed
allow scorpio to get vcs access token
e57a661
allow login and logout with scorpio
7172f9c
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/be…
iyannsch 30a8652
Merge branch 'feature/bearer-support' into feature/re-key
iyannsch 44489c3
allow scorpio to fetch feedback
janthoXO 504b2d3
merge
02c62a5
Merge branch 'develop' into feature/re-key
janthoXO File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
13 changes: 13 additions & 0 deletions
13
src/main/java/de/tum/cit/aet/artemis/core/security/allowedTools/AllowedTools.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| package de.tum.cit.aet.artemis.core.security.allowedTools; | ||
|
|
||
| import java.lang.annotation.ElementType; | ||
| import java.lang.annotation.Retention; | ||
| import java.lang.annotation.RetentionPolicy; | ||
| import java.lang.annotation.Target; | ||
|
|
||
| @Target({ ElementType.METHOD, ElementType.TYPE }) | ||
| @Retention(RetentionPolicy.RUNTIME) | ||
| public @interface AllowedTools { | ||
|
|
||
| ToolTokenType[] value(); | ||
| } |
5 changes: 5 additions & 0 deletions
5
src/main/java/de/tum/cit/aet/artemis/core/security/allowedTools/ToolTokenType.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| package de.tum.cit.aet.artemis.core.security.allowedTools; | ||
|
|
||
| public enum ToolTokenType { | ||
| SCORPIO | ||
| } |
72 changes: 72 additions & 0 deletions
72
src/main/java/de/tum/cit/aet/artemis/core/security/allowedTools/ToolsInterceptor.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| package de.tum.cit.aet.artemis.core.security.allowedTools; | ||
|
|
||
| import static de.tum.cit.aet.artemis.core.config.Constants.PROFILE_CORE; | ||
|
|
||
| import java.lang.reflect.Method; | ||
| import java.util.Arrays; | ||
|
|
||
| import jakarta.servlet.http.HttpServletRequest; | ||
| import jakarta.servlet.http.HttpServletResponse; | ||
|
|
||
| import org.springframework.context.annotation.Profile; | ||
| import org.springframework.stereotype.Component; | ||
| import org.springframework.web.method.HandlerMethod; | ||
| import org.springframework.web.servlet.HandlerInterceptor; | ||
|
|
||
| import de.tum.cit.aet.artemis.core.security.jwt.JWTFilter; | ||
| import de.tum.cit.aet.artemis.core.security.jwt.TokenProvider; | ||
|
|
||
| @Profile(PROFILE_CORE) | ||
| @Component | ||
| public class ToolsInterceptor implements HandlerInterceptor { | ||
|
|
||
| private final TokenProvider tokenProvider; | ||
|
|
||
| public ToolsInterceptor(TokenProvider tokenProvider) { | ||
| this.tokenProvider = tokenProvider; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { | ||
| String jwtToken; | ||
| try { | ||
| jwtToken = JWTFilter.extractValidJwt(request, tokenProvider); | ||
| } | ||
| catch (IllegalArgumentException e) { | ||
| response.sendError(HttpServletResponse.SC_BAD_REQUEST); | ||
| return false; | ||
| } | ||
|
|
||
| if (handler instanceof HandlerMethod && jwtToken != null) { | ||
| HandlerMethod handlerMethod = (HandlerMethod) handler; | ||
| Method method = handlerMethod.getMethod(); | ||
|
|
||
| // Check if the method or its class has the @AllowedTools annotation | ||
| AllowedTools allowedToolsAnnotation = method.getAnnotation(AllowedTools.class); | ||
| if (allowedToolsAnnotation == null) { | ||
| allowedToolsAnnotation = method.getDeclaringClass().getAnnotation(AllowedTools.class); | ||
| } | ||
|
|
||
| // Extract the "tools" claim from the JWT token | ||
| String toolsClaim = tokenProvider.getClaim(jwtToken, "tools", String.class); | ||
|
|
||
| // If no @AllowedTools annotation is present and the token is a tool token, reject the request | ||
| if (allowedToolsAnnotation == null && toolsClaim != null) { | ||
| response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied due to 'tools' claim."); | ||
| return false; | ||
| } | ||
|
|
||
| // If @AllowedTools is present, check if the toolsClaim is among the allowed values | ||
| if (allowedToolsAnnotation != null && toolsClaim != null) { | ||
| ToolTokenType[] allowedTools = allowedToolsAnnotation.value(); | ||
| // no match between allowed tools and tools claim | ||
| var toolsClaimList = toolsClaim.split(","); | ||
| if (Arrays.stream(allowedTools).noneMatch(tool -> Arrays.asList(toolsClaimList).contains(tool.toString()))) { | ||
| response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied due to 'tools' claim."); | ||
| return false; | ||
| } | ||
| } | ||
| } | ||
| return true; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
src/main/java/de/tum/cit/aet/artemis/core/web/TokenResource.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| package de.tum.cit.aet.artemis.core.web; | ||
|
|
||
| import static de.tum.cit.aet.artemis.core.config.Constants.PROFILE_CORE; | ||
|
|
||
| import java.time.Duration; | ||
|
|
||
| import jakarta.servlet.http.HttpServletRequest; | ||
| import jakarta.servlet.http.HttpServletResponse; | ||
|
|
||
| import org.springframework.context.annotation.Profile; | ||
| import org.springframework.http.HttpHeaders; | ||
| import org.springframework.http.HttpStatus; | ||
| import org.springframework.http.ResponseCookie; | ||
| import org.springframework.http.ResponseEntity; | ||
| import org.springframework.web.bind.annotation.PostMapping; | ||
| import org.springframework.web.bind.annotation.RequestMapping; | ||
| import org.springframework.web.bind.annotation.RequestParam; | ||
| import org.springframework.web.bind.annotation.RestController; | ||
|
|
||
| import de.tum.cit.aet.artemis.core.security.allowedTools.ToolTokenType; | ||
| import de.tum.cit.aet.artemis.core.security.annotations.EnforceAtLeastStudent; | ||
| import de.tum.cit.aet.artemis.core.security.jwt.JWTCookieService; | ||
| import de.tum.cit.aet.artemis.core.security.jwt.JWTFilter; | ||
| import de.tum.cit.aet.artemis.core.security.jwt.TokenProvider; | ||
|
|
||
| @Profile(PROFILE_CORE) | ||
| @RestController | ||
| @RequestMapping("api/") | ||
| public class TokenResource { | ||
|
|
||
| private final JWTCookieService jwtCookieService; | ||
|
|
||
| private final TokenProvider tokenProvider; | ||
|
|
||
| public TokenResource(JWTCookieService jwtCookieService, TokenProvider tokenProvider) { | ||
| this.jwtCookieService = jwtCookieService; | ||
| this.tokenProvider = tokenProvider; | ||
| } | ||
|
|
||
| /** | ||
| * Sends a tool token back as cookie or bearer token | ||
| * | ||
| * @param tool the tool for which the token is requested | ||
| * @param asCookie if true the token is sent back as a cookie | ||
| * @param request HTTP request | ||
| * @param response HTTP response | ||
| * @return the ResponseEntity with status 200 (ok), 401 (unauthorized) and depending on the asCookie flag a bearer token in the body | ||
| */ | ||
| @PostMapping("tool-token") | ||
| @EnforceAtLeastStudent | ||
| public ResponseEntity<String> convertCookieToToolToken(@RequestParam(name = "tool", required = true) ToolTokenType tool, | ||
| @RequestParam(name = "as-cookie", defaultValue = "false") boolean asCookie, HttpServletRequest request, HttpServletResponse response) { | ||
| // remaining time in milliseconds | ||
| var jwtToken = JWTFilter.extractValidJwt(request, tokenProvider); | ||
| if (jwtToken == null) { | ||
| return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); | ||
| } | ||
|
|
||
| // get validity of the token | ||
| long tokenRemainingTime = tokenProvider.getExpirationDate(jwtToken).getTime() - System.currentTimeMillis(); | ||
|
|
||
| // 1 day validity | ||
| long maxDuration = Duration.ofDays(1).toMillis(); | ||
| ResponseCookie responseCookie = jwtCookieService.buildLoginCookie(Math.min(tokenRemainingTime, maxDuration), tool); | ||
|
|
||
| if (asCookie) { | ||
| response.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString()); | ||
| } | ||
| return ResponseEntity.ok(responseCookie.getValue()); | ||
| } | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🛠️ Refactor suggestion
Consider restricting interceptor to specific paths.
The interceptor is currently registered globally. Consider restricting it to relevant API paths to avoid unnecessary overhead and potential security implications.
@Override public void addInterceptors(InterceptorRegistry registry) { - registry.addInterceptor(toolsInterceptor); + registry.addInterceptor(toolsInterceptor) + .addPathPatterns("/api/**") + .excludePathPatterns("/api/public/**"); }