Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Programming exercises: Add tool token support #9408

Open
wants to merge 47 commits into
base: develop
Choose a base branch
from
Open

Programming exercises: Add tool token support #9408

Show file tree
Hide file tree
Changes from 42 commits
Commits
Show all changes
47 commits
Select commit Hold shift + click to select a range
5dec295
enable bearer authentication
janthoXO Oct 1, 2024
b447b28
Add re-key endpoint
janthoXO Oct 1, 2024
a3d0fbb
Implement rabbit feedback
janthoXO Oct 2, 2024
069f2eb
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
janthoXO Oct 4, 2024
39e4bad
make token theia specific
janthoXO Oct 4, 2024
ddd8802
fix conversion from day to millis
janthoXO Oct 4, 2024
07afea2
only respond as cookie if asked for
janthoXO Oct 4, 2024
b59f8ad
fix class cast error for websockets
janthoXO Oct 5, 2024
896fd4c
let login return json with token
janthoXO Oct 7, 2024
2e247db
add server test for bearer token
janthoXO Nov 6, 2024
e8bde67
Merge branch 'develop' into feature/bearer-support
iyannsch Nov 7, 2024
c36c6ec
Merge branch 'develop' into feature/re-key
iyannsch Nov 7, 2024
8743e73
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
iyannsch Nov 7, 2024
02e63b7
change theia token to general tool token endpoint
janthoXO Nov 8, 2024
44ca43c
Apply suggestions from code review
janthoXO Nov 8, 2024
6cab497
add tool token annotation
janthoXO Nov 9, 2024
e2bb2d0
Merge remote-tracking branch 'origin/feature/re-key' into feature/re-key
janthoXO Nov 9, 2024
6e61b26
move interceptor registration
janthoXO Nov 9, 2024
149a53a
add tool token option to login
janthoXO Nov 11, 2024
b0ed73d
change filter chain to only accept one auth method
janthoXO Nov 11, 2024
6b19a87
Merge remote-tracking branch 'origin/feature/bearer-support' into fea…
janthoXO Nov 11, 2024
8df1a6b
write filter a bit nicer
janthoXO Nov 11, 2024
7fe83a9
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
janthoXO Nov 12, 2024
9f61018
annotate endpoints required by Scorpio
janthoXO Nov 12, 2024
5908f73
change bad request behaviour
janthoXO Nov 12, 2024
288a1eb
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/be…
iyannsch Nov 18, 2024
81f4739
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/re…
iyannsch Nov 18, 2024
7a69620
fix server tests
Nov 19, 2024
5803813
Merge remote-tracking branch 'origin/feature/re-key' into feature/re-key
Nov 19, 2024
1cf7281
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/be…
Nov 19, 2024
4dabd91
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
Nov 19, 2024
52b816b
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
Nov 19, 2024
9ca745b
adjust tests
Nov 19, 2024
277f8b1
merge from bearer support
Nov 19, 2024
3e93d8c
include rabbit feedback
Nov 19, 2024
8715557
Merge branch 'feature/bearer-support' of github.com:ls1intum/Artemis …
Nov 19, 2024
ca0aa32
include test for allowedTools annotation
Nov 20, 2024
f2f2851
change from Date to ZonedDateTime
Nov 20, 2024
fe7af6d
use system.currenttimemillis instead of zonedtimedate
Nov 20, 2024
28d0c44
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/re…
Nov 20, 2024
1b257ed
allow scorpio to get vcs access token
Nov 20, 2024
e57a661
allow login and logout with scorpio
Nov 26, 2024
7172f9c
Merge branch 'develop' of github.com:ls1intum/Artemis into feature/be…
iyannsch Nov 26, 2024
30a8652
Merge branch 'feature/bearer-support' into feature/re-key
iyannsch Nov 26, 2024
44489c3
allow scorpio to fetch feedback
janthoXO Dec 5, 2024
504b2d3
merge
Dec 9, 2024
02c62a5
Merge branch 'develop' into feature/re-key
janthoXO Dec 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions src/main/java/de/tum/cit/aet/artemis/core/config/WebConfigurer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,10 @@
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import de.tum.cit.aet.artemis.core.security.allowedTools.ToolsInterceptor;
import de.tum.cit.aet.artemis.core.security.filter.CachingHttpHeadersFilter;
import tech.jhipster.config.JHipsterProperties;

Expand All @@ -37,17 +40,20 @@
*/
@Profile(PROFILE_CORE)
@Configuration
public class WebConfigurer implements ServletContextInitializer, WebServerFactoryCustomizer<WebServerFactory> {
public class WebConfigurer implements ServletContextInitializer, WebServerFactoryCustomizer<WebServerFactory>, WebMvcConfigurer {

private static final Logger log = LoggerFactory.getLogger(WebConfigurer.class);

private final Environment env;

private final JHipsterProperties jHipsterProperties;

public WebConfigurer(Environment env, JHipsterProperties jHipsterProperties) {
private final ToolsInterceptor toolsInterceptor;

public WebConfigurer(Environment env, JHipsterProperties jHipsterProperties, ToolsInterceptor toolsInterceptor) {
this.env = env;
this.jHipsterProperties = jHipsterProperties;
this.toolsInterceptor = toolsInterceptor;
}

@Override
Expand Down Expand Up @@ -126,4 +132,9 @@ public CorsFilter corsFilter() {
}
return new CorsFilter(source);
}

@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(toolsInterceptor);
}
Comment on lines +136 to +139
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider restricting interceptor to specific paths.

The interceptor is currently registered globally. Consider restricting it to relevant API paths to avoid unnecessary overhead and potential security implications.

 @Override
 public void addInterceptors(InterceptorRegistry registry) {
-    registry.addInterceptor(toolsInterceptor);
+    registry.addInterceptor(toolsInterceptor)
+        .addPathPatterns("/api/**")
+        .excludePathPatterns("/api/public/**");
 }

Committable suggestion skipped: line range outside the PR's diff.

}
14 changes: 9 additions & 5 deletions src/main/java/de/tum/cit/aet/artemis/core/config/websocket/WebsocketConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import java.util.regex.Pattern;

import jakarta.annotation.Nullable;
import jakarta.servlet.http.Cookie;
import jakarta.validation.constraints.NotNull;

import org.slf4j.Logger;
Expand All @@ -28,6 +27,7 @@
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
Expand All @@ -52,7 +52,6 @@
import org.springframework.web.socket.server.HandshakeInterceptor;
import org.springframework.web.socket.server.support.DefaultHandshakeHandler;
import org.springframework.web.socket.sockjs.transport.handler.WebSocketTransportHandler;
import org.springframework.web.util.WebUtils;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Iterators;
Expand Down Expand Up @@ -201,9 +200,14 @@ public HandshakeInterceptor httpSessionHandshakeInterceptor() {
public boolean beforeHandshake(@NotNull ServerHttpRequest request, @NotNull ServerHttpResponse response, @NotNull WebSocketHandler wsHandler,
@NotNull Map<String, Object> attributes) {
if (request instanceof ServletServerHttpRequest servletRequest) {
attributes.put(IP_ADDRESS, servletRequest.getRemoteAddress());
Cookie jwtCookie = WebUtils.getCookie(servletRequest.getServletRequest(), JWTFilter.JWT_COOKIE_NAME);
return JWTFilter.isJwtCookieValid(tokenProvider, jwtCookie);
try {
attributes.put(IP_ADDRESS, servletRequest.getRemoteAddress());
return JWTFilter.extractValidJwt(servletRequest.getServletRequest(), tokenProvider) != null;
}
catch (IllegalArgumentException e) {
response.setStatusCode(HttpStatusCode.valueOf(400));
return false;
}
}
return false;
}
Expand Down
13 changes: 13 additions & 0 deletions src/main/java/de/tum/cit/aet/artemis/core/security/allowedTools/AllowedTools.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package de.tum.cit.aet.artemis.core.security.allowedTools;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
public @interface AllowedTools {

ToolTokenType[] value();
}
5 changes: 5 additions & 0 deletions src/main/java/de/tum/cit/aet/artemis/core/security/allowedTools/ToolTokenType.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
package de.tum.cit.aet.artemis.core.security.allowedTools;

public enum ToolTokenType {
SCORPIO
}
72 changes: 72 additions & 0 deletions src/main/java/de/tum/cit/aet/artemis/core/security/allowedTools/ToolsInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
package de.tum.cit.aet.artemis.core.security.allowedTools;

import static de.tum.cit.aet.artemis.core.config.Constants.PROFILE_CORE;

import java.lang.reflect.Method;
import java.util.Arrays;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Profile;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;

import de.tum.cit.aet.artemis.core.security.jwt.JWTFilter;
import de.tum.cit.aet.artemis.core.security.jwt.TokenProvider;

@Profile(PROFILE_CORE)
@Component
public class ToolsInterceptor implements HandlerInterceptor {

private final TokenProvider tokenProvider;

public ToolsInterceptor(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}

@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String jwtToken;
try {
jwtToken = JWTFilter.extractValidJwt(request, tokenProvider);
}
catch (IllegalArgumentException e) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return false;
}

if (handler instanceof HandlerMethod && jwtToken != null) {
HandlerMethod handlerMethod = (HandlerMethod) handler;
Method method = handlerMethod.getMethod();

// Check if the method or its class has the @AllowedTools annotation
AllowedTools allowedToolsAnnotation = method.getAnnotation(AllowedTools.class);
if (allowedToolsAnnotation == null) {
allowedToolsAnnotation = method.getDeclaringClass().getAnnotation(AllowedTools.class);
}

// Extract the "tools" claim from the JWT token
String toolsClaim = tokenProvider.getClaim(jwtToken, "tools", String.class);

// If no @AllowedTools annotation is present and the token is a tool token, reject the request
if (allowedToolsAnnotation == null && toolsClaim != null) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied due to 'tools' claim.");
return false;
}

// If @AllowedTools is present, check if the toolsClaim is among the allowed values
if (allowedToolsAnnotation != null && toolsClaim != null) {
ToolTokenType[] allowedTools = allowedToolsAnnotation.value();
// no match between allowed tools and tools claim
var toolsClaimList = toolsClaim.split(",");
if (Arrays.stream(allowedTools).noneMatch(tool -> Arrays.asList(toolsClaimList).contains(tool.toString()))) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied due to 'tools' claim.");
return false;
}
}
}
return true;
}
}
29 changes: 26 additions & 3 deletions src/main/java/de/tum/cit/aet/artemis/core/security/jwt/JWTCookieService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

import de.tum.cit.aet.artemis.core.security.allowedTools.ToolTokenType;

@Profile(PROFILE_CORE)
@Service
public class JWTCookieService {
Expand All @@ -36,9 +38,30 @@ public JWTCookieService(TokenProvider tokenProvider, Environment environment) {
* @return the login ResponseCookie containing the JWT
*/
public ResponseCookie buildLoginCookie(boolean rememberMe) {
String jwt = tokenProvider.createToken(SecurityContextHolder.getContext().getAuthentication(), rememberMe);
Duration duration = Duration.of(tokenProvider.getTokenValidity(rememberMe), ChronoUnit.MILLIS);
return buildJWTCookie(jwt, duration);
return buildLoginCookie(rememberMe, null);
}

/**
* Builds the cookie containing the jwt for a login
*
* @param rememberMe boolean used to determine the duration of the jwt.
* @param tool the tool claim in the jwt
* @return the login ResponseCookie containing the JWT
*/
public ResponseCookie buildLoginCookie(boolean rememberMe, ToolTokenType tool) {
return buildLoginCookie(tokenProvider.getTokenValidity(rememberMe), tool);
}

/**
* Builds a cookie with the tool claim in the jwt
*
* @param duration the duration of the cookie in milli seconds and the jwt
* @param tool the tool claim in the jwt
* @return the login ResponseCookie containing the JWT
*/
public ResponseCookie buildLoginCookie(long duration, ToolTokenType tool) {
String jwt = tokenProvider.createToken(SecurityContextHolder.getContext().getAuthentication(), duration, tool);
return buildJWTCookie(jwt, Duration.of(duration, ChronoUnit.MILLIS));
}

/**
Expand Down
91 changes: 80 additions & 11 deletions src/main/java/de/tum/cit/aet/artemis/core/security/jwt/JWTFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@

import java.io.IOException;

import jakarta.annotation.Nullable;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
Expand All @@ -22,6 +24,10 @@ public class JWTFilter extends GenericFilterBean {

public static final String JWT_COOKIE_NAME = "jwt";

private static final String AUTHORIZATION_HEADER = "Authorization";

private static final String BEARER_PREFIX = "Bearer ";

private final TokenProvider tokenProvider;

public JWTFilter(TokenProvider tokenProvider) {
Expand All @@ -31,26 +37,89 @@ public JWTFilter(TokenProvider tokenProvider) {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
Cookie jwtCookie = WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME);
if (isJwtCookieValid(this.tokenProvider, jwtCookie)) {
Authentication authentication = this.tokenProvider.getAuthentication(jwtCookie.getValue());
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
String jwtToken;
try {
jwtToken = extractValidJwt(httpServletRequest, this.tokenProvider);
}
catch (IllegalArgumentException e) {
httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}

if (jwtToken != null) {
Authentication authentication = this.tokenProvider.getAuthentication(jwtToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
}

filterChain.doFilter(servletRequest, servletResponse);
}

/**
* Checks if the cookie containing the jwt is valid
* Extracts the valid jwt found in the cookie or the Authorization header
*
* @param tokenProvider the artemis token provider used to generate and validate jwt's
* @param jwtCookie the cookie containing the jwt
* @return true if the jwt is valid, false if missing or invalid
* @param httpServletRequest the http request
* @param tokenProvider the Artemis token provider used to generate and validate jwt's
* @return the valid jwt or null if not found or invalid
*/
public static boolean isJwtCookieValid(TokenProvider tokenProvider, Cookie jwtCookie) {
public static @Nullable String extractValidJwt(HttpServletRequest httpServletRequest, TokenProvider tokenProvider) {
var cookie = WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME);
var authHeader = httpServletRequest.getHeader(AUTHORIZATION_HEADER);

if (cookie == null && authHeader == null) {
return null;
}

if (cookie != null && authHeader != null) {
// Single Method Enforcement: Only one method of authentication is allowed
throw new IllegalArgumentException("Multiple authentication methods detected: Both JWT cookie and Bearer token are present");
}

String jwtToken = cookie != null ? getJwtFromCookie(cookie) : getJwtFromBearer(authHeader);

if (!isJwtValid(tokenProvider, jwtToken)) {
return null;
}

return jwtToken;
}

/**
* Extracts the jwt from the cookie
*
* @param jwtCookie the cookie with Key "jwt"
* @return the jwt or null if not found
*/
private static @Nullable String getJwtFromCookie(@Nullable Cookie jwtCookie) {
if (jwtCookie == null) {
return false;
return null;
}
return jwtCookie.getValue();
}

/**
* Extracts the jwt from the Authorization header
*
* @param jwtBearer the content of the Authorization header
* @return the jwt or null if not found
*/
private static @Nullable String getJwtFromBearer(@Nullable String jwtBearer) {
if (!StringUtils.hasText(jwtBearer) || !jwtBearer.startsWith(BEARER_PREFIX)) {
return null;
}
String jwt = jwtCookie.getValue();
return StringUtils.hasText(jwt) && tokenProvider.validateTokenForAuthority(jwt);

String token = jwtBearer.substring(BEARER_PREFIX.length()).trim();
return StringUtils.hasText(token) ? token : null;
}

/**
* Checks if the jwt is valid
*
* @param tokenProvider the Artemis token provider used to generate and validate jwt's
* @param jwtToken the jwt
* @return true if the jwt is valid, false if missing or invalid
*/
private static boolean isJwtValid(TokenProvider tokenProvider, @Nullable String jwtToken) {
return StringUtils.hasText(jwtToken) && tokenProvider.validateTokenForAuthority(jwtToken);
}
}
Loading
Loading