Source code

001/*
002 * (C) Copyright 2016 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Gabriel Barata <gbarata@nuxeo.com>
018 */
019package org.nuxeo.ecm.restapi.server.jaxrs;
020
021import com.google.api.client.auth.oauth2.Credential;
022import org.codehaus.jackson.map.ObjectMapper;
023
024import javax.servlet.http.HttpServletResponse;
025import javax.ws.rs.core.Response.Status;
026import javax.ws.rs.core.Response.StatusType;
027
028import org.nuxeo.ecm.automation.server.jaxrs.RestOperationException;
029import org.nuxeo.ecm.core.api.DocumentModel;
030import org.nuxeo.ecm.core.api.NuxeoException;
031import org.nuxeo.ecm.platform.oauth2.providers.AbstractOAuth2UserEmailProvider;
032import org.nuxeo.ecm.platform.oauth2.providers.NuxeoOAuth2ServiceProvider;
033import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProvider;
034import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProviderRegistry;
035import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token;
036import org.nuxeo.ecm.webengine.model.WebObject;
037import org.nuxeo.ecm.webengine.model.impl.AbstractResource;
038import org.nuxeo.ecm.webengine.model.impl.ResourceTypeImpl;
039import org.nuxeo.runtime.api.Framework;
040
041import javax.servlet.http.HttpServletRequest;
042import javax.ws.rs.GET;
043import javax.ws.rs.Path;
044import javax.ws.rs.PathParam;
045import javax.ws.rs.core.Context;
046import javax.ws.rs.core.MediaType;
047import javax.ws.rs.core.Response;
048import java.io.IOException;
049import java.io.Serializable;
050import java.util.HashMap;
051import java.util.List;
052import java.util.Map;
053
054/**
055 * Endpoint to retrieve OAuth2 authentication data
056 * @since 8.4
057 */
058@WebObject(type = "oauth2")
059public class OAuth2Object extends AbstractResource<ResourceTypeImpl> {
060
061    /**
062     * Retrieves oauth2 data for a given provider.
063     */
064    @GET
065    @Path("provider/{providerId}")
066    public Response getProvider(@PathParam("providerId") String providerId,
067                                @Context HttpServletRequest request) throws IOException, RestOperationException {
068
069        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
070
071        Map<String,Object> result = new HashMap<>();
072        result.put("serviceName", provider.getServiceName());
073        result.put("isAvailable", provider.isProviderAvailable());
074        result.put("clientId", provider.getClientId());
075        result.put("authorizationURL", provider.getClientId() == null ? null : provider.getAuthorizationUrl(request));
076
077        String username = request.getUserPrincipal().getName();
078        NuxeoOAuth2Token token = getToken(provider, username);
079        boolean isAuthorized = (token != null);
080        String login = isAuthorized ? token.getServiceLogin() : null;
081        result.put("isAuthorized", isAuthorized);
082        result.put("userId", login);
083
084        return buildResponse(Status.OK, result);
085    }
086
087    /**
088     * Retrieves a valid access token for a given provider and the current user.
089     * If expired, the token will be refreshed.
090     */
091    @GET
092    @Path("provider/{providerId}/token")
093    public Response getToken(@PathParam("providerId") String providerId,
094                             @Context HttpServletRequest request) throws IOException, RestOperationException {
095
096        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
097
098        String username = request.getUserPrincipal().getName();
099        NuxeoOAuth2Token token = getToken(provider, username);
100        if (token == null) {
101            return Response.status(Status.NOT_FOUND).build();
102        }
103        Credential credential = getCredential(provider, token);
104
105        if (credential == null) {
106            return Response.status(Status.NOT_FOUND).build();
107        }
108        Long expiresInSeconds = credential.getExpiresInSeconds();
109        if (expiresInSeconds != null && expiresInSeconds <= 0) {
110            credential.refreshToken();
111        }
112        Map<String,Object> result = new HashMap<>();
113        result.put("token", credential.getAccessToken());
114        return buildResponse(Status.OK, result);
115    }
116
117    private NuxeoOAuth2Token getToken(NuxeoOAuth2ServiceProvider provider, String nxuser) {
118        Map<String, Serializable> filter = new HashMap<>();
119        filter.put("serviceName", provider.getId());
120        filter.put(NuxeoOAuth2Token.KEY_NUXEO_LOGIN, nxuser);
121        return Framework.doPrivileged(() -> {
122            List<DocumentModel> entries = provider.getCredentialDataStore().query(filter);
123            if (entries != null) {
124                if (entries.size() > 1) {
125                    throw new NuxeoException("Found multiple " + provider.getId() + " accounts for " + nxuser);
126                } else if (entries.size() == 1) {
127                    return new NuxeoOAuth2Token(entries.get(0));
128                }
129            }
130            return null;
131        });
132    }
133
134    private Credential getCredential(NuxeoOAuth2ServiceProvider provider, NuxeoOAuth2Token token) {
135        return provider.loadCredential(
136            (provider instanceof AbstractOAuth2UserEmailProvider) ? token.getServiceLogin() : token.getNuxeoLogin());
137    }
138
139    private NuxeoOAuth2ServiceProvider getProvider(String providerId) throws RestOperationException {
140        OAuth2ServiceProvider provider = Framework.getService(OAuth2ServiceProviderRegistry.class)
141            .getProvider(providerId);
142        if (provider == null || !(provider instanceof NuxeoOAuth2ServiceProvider)) {
143            RestOperationException err = new RestOperationException("Invalid provider: " + providerId);
144            err.setStatus(HttpServletResponse.SC_BAD_REQUEST);
145            throw err;
146        }
147        return (NuxeoOAuth2ServiceProvider) provider;
148    }
149
150    private Response buildResponse(StatusType status, Object obj) throws IOException {
151        ObjectMapper mapper = new ObjectMapper();
152        String message = mapper.writeValueAsString(obj);
153
154        return Response.status(status)
155            .header("Content-Length", message.getBytes("UTF-8").length)
156            .type(MediaType.APPLICATION_JSON + "; charset=UTF-8")
157            .entity(message)
158            .build();
159    }
160
161}