Java tutorial
// Copyright 2017 The Nomulus Authors. All Rights Reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package google.registry.request.auth; import static com.google.common.base.Preconditions.checkArgument; import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Optional; import com.google.common.collect.ImmutableList; import com.google.common.collect.Ordering; import google.registry.util.FormattingLogger; import javax.inject.Inject; import javax.servlet.http.HttpServletRequest; /** Top-level authentication/authorization class; calls authentication mechanisms as needed. */ public class RequestAuthenticator { private final AppEngineInternalAuthenticationMechanism appEngineInternalAuthenticationMechanism; private final ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms; private final LegacyAuthenticationMechanism legacyAuthenticationMechanism; private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass(); @VisibleForTesting @Inject public RequestAuthenticator(AppEngineInternalAuthenticationMechanism appEngineInternalAuthenticationMechanism, ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms, LegacyAuthenticationMechanism legacyAuthenticationMechanism) { this.appEngineInternalAuthenticationMechanism = appEngineInternalAuthenticationMechanism; this.apiAuthenticationMechanisms = apiAuthenticationMechanisms; this.legacyAuthenticationMechanism = legacyAuthenticationMechanism; } /** * Attempts to authenticate and authorize the user, according to the settings of the action. * * @param auth the auth settings of the action, which determine what authentication and * authorization are allowed * @param req the {@link HttpServletRequest}; some authentication mechanisms use HTTP headers * @return an authentication result if authentication/authorization was successful, or absent() if * not; authentication can be "successful" even without any authentication if the action's * auth settings are set to NONE -- in this case, NOT_AUTHENTICATED is returned */ public Optional<AuthResult> authorize(Auth auth, HttpServletRequest req) { logger.infofmt("Action requires auth: %s", auth); AuthResult authResult = authenticate(auth, req); switch (auth.minimumLevel()) { case NONE: // Any authentication result is ok. break; case APP: if (!authResult.isAuthenticated()) { logger.info("Not authorized; no authentication found"); return Optional.absent(); } break; case USER: if (authResult.authLevel() != AuthLevel.USER) { logger.info("Not authorized; no authenticated user"); // TODO(mountford): change this so that the caller knows to return a more helpful error return Optional.absent(); } break; } switch (auth.userPolicy()) { case IGNORED: if (authResult.authLevel() == AuthLevel.USER) { logger.info("Not authorized; user policy is IGNORED, but a user was found"); return Optional.absent(); } break; case PUBLIC: // Any user auth result is okay. break; case ADMIN: if (authResult.userAuthInfo().isPresent() && !authResult.userAuthInfo().get().isUserAdmin()) { logger.info("Not authorized; user policy is ADMIN, but the user was not an admin"); return Optional.absent(); } break; } logger.info("Authorized"); return Optional.of(authResult); } /** * Attempts to authenticate the user, according to the settings of the action. * * @param auth the auth settings of the action, which determine what authentication is allowed * @param req the {@link HttpServletRequest}; some authentication mechanisms use HTTP headers * @return an authentication result; if no authentication was made, returns NOT_AUTHENTICATED */ private AuthResult authenticate(Auth auth, HttpServletRequest req) { checkAuthConfig(auth); for (Auth.AuthMethod authMethod : auth.methods()) { switch (authMethod) { // App Engine internal authentication, using the queue name header case INTERNAL: logger.info("Checking internal auth"); // INTERNAL should be skipped if a user is required. if (auth.minimumLevel() != AuthLevel.USER) { AuthResult authResult = appEngineInternalAuthenticationMechanism.authenticate(req); if (authResult.isAuthenticated()) { logger.infofmt("Authenticated: %s", authResult); return authResult; } } break; // API-based user authentication mechanisms, such as OAuth case API: // checkAuthConfig will have insured that the user policy is not IGNORED. for (AuthenticationMechanism authMechanism : apiAuthenticationMechanisms) { logger.infofmt("Checking %s", authMechanism); AuthResult authResult = authMechanism.authenticate(req); if (authResult.isAuthenticated()) { logger.infofmt("Authenticated: %s", authResult); return authResult; } } break; // Legacy authentication via UserService case LEGACY: // checkAuthConfig will have insured that the user policy is not IGNORED. logger.info("Checking legacy auth"); AuthResult authResult = legacyAuthenticationMechanism.authenticate(req); if (authResult.isAuthenticated()) { logger.infofmt("Authenticated: %s", authResult); return authResult; } break; } } logger.info("No authentication found"); return AuthResult.NOT_AUTHENTICATED; } /** Validates an Auth object, checking for invalid setting combinations. */ void checkAuthConfig(Auth auth) { ImmutableList<Auth.AuthMethod> authMethods = ImmutableList.copyOf(auth.methods()); checkArgument(!authMethods.isEmpty(), "Must specify at least one auth method"); checkArgument( Ordering.explicit(Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API, Auth.AuthMethod.LEGACY) .isStrictlyOrdered(authMethods), "Auth methods must be unique and strictly in order - INTERNAL, API, LEGACY"); checkArgument(authMethods.contains(Auth.AuthMethod.INTERNAL), "Auth method INTERNAL must always be specified, and as the first auth method"); if (authMethods.equals(ImmutableList.of(Auth.AuthMethod.INTERNAL))) { checkArgument(!auth.minimumLevel().equals(AuthLevel.USER), "Actions with only INTERNAL auth may not require USER auth level"); } else { checkArgument(!auth.userPolicy().equals(Auth.UserPolicy.IGNORED), "Actions with auth methods beyond INTERNAL must not specify the IGNORED user policy"); } } }