Added support for jwt based calls

docs-web-common/pom.xml

@@ -69,6 +69,27 @@
       <artifactId>jul-to-slf4j</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>io.github.openfeign</groupId>
+      <artifactId>feign-okhttp</artifactId>
+      <version>13.0</version>
+    </dependency>
+    <dependency>
+      <groupId>io.github.openfeign</groupId>
+      <artifactId>feign-gson</artifactId>
+      <version>13.0</version>
+    </dependency>
+    <dependency>
+      <groupId>io.github.openfeign</groupId>
+      <artifactId>feign-slf4j</artifactId>
+      <version>13.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
+      <version>4.4.0</version>
+    </dependency>
+    
     <!-- Test dependencies -->
     <dependency>
       <groupId>junit</groupId>

docs-web-common/src/main/java/com/sismics/feign/KeycloakClient.java

@@ -0,0 +1,10 @@
+package com.sismics.feign;
+
+import com.sismics.feign.model.KeycloakCertKeys;
+import feign.RequestLine;
+
+public interface KeycloakClient {
+
+    @RequestLine("GET /protocol/openid-connect/certs")
+    KeycloakCertKeys getCert();
+}

docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKey.java

@@ -0,0 +1,27 @@
+package com.sismics.feign.model;
+
+import java.util.List;
+
+public class KeycloakCertKey {
+    public String kid;
+    public List<String> x5c;
+
+    public KeycloakCertKey() {
+    }
+
+    public List<String> getX5c() {
+        return x5c;
+    }
+
+    public void setX5c(List<String> x5c) {
+        this.x5c = x5c;
+    }
+
+    public String getKid() {
+        return kid;
+    }
+
+    public void setKid(String kid) {
+        this.kid = kid;
+    }
+}

docs-web-common/src/main/java/com/sismics/feign/model/KeycloakCertKeys.java

@@ -0,0 +1,18 @@
+package com.sismics.feign.model;
+
+import java.util.List;
+
+public class KeycloakCertKeys {
+    public List<KeycloakCertKey> keys;
+
+    public KeycloakCertKeys() {
+    }
+
+    public List<KeycloakCertKey> getKeys() {
+        return keys;
+    }
+
+    public void setKeys(List<KeycloakCertKey> keys) {
+        this.keys = keys;
+    }
+}

docs-web-common/src/main/java/com/sismics/util/filter/JwtBasedSecurityFilter.java

@@ -0,0 +1,131 @@
+package com.sismics.util.filter;
+
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.impl.JWTParser;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.JWTVerifier;
+import java.util.Base64;
+import com.sismics.docs.core.constant.Constants;
+import com.sismics.docs.core.dao.UserDao;
+import com.sismics.docs.core.model.jpa.User;
+import com.sismics.feign.KeycloakClient;
+import feign.Feign;
+import feign.gson.GsonDecoder;
+import feign.gson.GsonEncoder;
+import feign.okhttp.OkHttpClient;
+import feign.slf4j.Slf4jLogger;
+import jakarta.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.ByteArrayInputStream;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Objects;
+import java.util.UUID;
+
+import static java.util.Optional.ofNullable;
+
+/**
+ * This filter is used to authenticate the user having an active session by validating a jwt token.
+ * The filter extracts the jwt token stored from Authorization header.
+ * It validates the token by calling an Identity Broker like KeyCloak.
+ * If validated, the user is retrieved, and the filter injects a UserPrincipal into the request attribute.
+ *
+ * @author smitra
+ */
+public class JwtBasedSecurityFilter extends SecurityFilter {
+    private static final Logger log = LoggerFactory.getLogger(JwtBasedSecurityFilter.class);
+    /**
+     * Name of the cookie used to store the authentication token.
+     */
+    public static final String HEADER_NAME = "Authorization";
+
+    @Override
+    protected User authenticate(final HttpServletRequest request) {
+        log.info("Jwt authentication started");
+        User user = null;
+        String token = extractAuthToken(request).replace("Bearer ", "");
+        DecodedJWT jwt = JWT.decode(token);
+        if (verifyJwt(jwt, token)) {
+            String email = jwt.getClaim("preferred_username").toString();
+            UserDao userDao = new UserDao();
+            user = userDao.getActiveByUsername(email);
+            if (user == null) {
+                user = new User();
+                user.setRoleId(Constants.DEFAULT_USER_ROLE);
+                user.setUsername(email);
+                user.setEmail(email);
+                user.setStorageQuota(10L);
+                user.setPassword(UUID.randomUUID().toString());
+                try {
+                    userDao.create(user, email);
+                    log.info("user created");
+                } catch (Exception e) {
+                    log.info("Error:" + e.getMessage());
+                    return null;
+                }
+            }
+        }
+        return user;
+    }
+
+    private boolean verifyJwt(final DecodedJWT jwt, final String token) {
+
+        try {
+            buildJWTVerifier(jwt).verify(token);
+            // if token is valid no exception will be thrown
+            log.info("Valid TOKEN");
+            return Boolean.TRUE;
+        } catch (CertificateException e) {
+            //if CertificateException comes from buildJWTVerifier()
+            log.info("InValid TOKEN");
+            e.printStackTrace();
+            return Boolean.FALSE;
+        } catch (JWTVerificationException e) {
+            // if JWT Token in invalid
+            log.info("InValid TOKEN");
+            e.printStackTrace();
+            return Boolean.FALSE;
+        } catch (Exception e) {
+            // If any other exception comes
+            log.info("InValid TOKEN, Exception Occurred");
+            e.printStackTrace();
+            return Boolean.FALSE;
+        }
+    }
+
+    private String extractAuthToken(final HttpServletRequest request) {
+        return ofNullable(request.getHeader("Authorization")).orElse("");
+    }
+
+    private RSAPublicKey getPublicKey(DecodedJWT jwt) {
+        KeycloakClient client = Feign.builder()
+                .client(new OkHttpClient())
+                .encoder(new GsonEncoder())
+                .decoder(new GsonDecoder())
+                .logLevel(feign.Logger.Level.BASIC)
+                .logger(new Slf4jLogger(KeycloakClient.class))
+                .target(KeycloakClient.class, jwt.getIssuer());
+        String publicKey = client.getCert().getKeys().stream().filter(k -> Objects.equals(k.getKid(), jwt.getKeyId()))
+                .findFirst()
+                .map(k -> k.getX5c().get(0))
+                .orElse("");
+        try {
+            var decode = Base64.getDecoder().decode(publicKey);
+            var certificate = CertificateFactory.getInstance("X.509")
+                    .generateCertificate(new ByteArrayInputStream(decode));
+            return (RSAPublicKey)certificate.getPublicKey();
+        } catch (CertificateException ex) {
+            return null;
+        }
+    }
+
+    private JWTVerifier buildJWTVerifier(DecodedJWT jwt) throws CertificateException {
+        var algo = Algorithm.RSA256(getPublicKey(jwt), null);
+        return JWT.require(algo).build();
+    }
+}

docs-web/src/main/webapp/WEB-INF/web.xml

@@ -44,6 +44,12 @@
     <async-supported>true</async-supported>
   </filter>
 
+  <filter>
+    <filter-name>jwtBasedSecurityFilter</filter-name>
+    <filter-class>com.sismics.util.filter.JwtBasedSecurityFilter</filter-class>
+    <async-supported>true</async-supported>
+  </filter>
+
   <filter>
     <filter-name>headerBasedSecurityFilter</filter-name>
     <filter-class>com.sismics.util.filter.HeaderBasedSecurityFilter</filter-class>
@@ -59,6 +65,11 @@
     <url-pattern>/api/*</url-pattern>
   </filter-mapping>
 
+  <filter-mapping>
+    <filter-name>jwtBasedSecurityFilter</filter-name>
+    <url-pattern>/api/*</url-pattern>
+  </filter-mapping>
+
   <filter-mapping>
     <filter-name>headerBasedSecurityFilter</filter-name>
     <url-pattern>/api/*</url-pattern>