2 * Copyright 2016-2017, Nokia Corporation
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.vnfm;
18 import com.google.common.annotations.VisibleForTesting;
19 import com.google.gson.Gson;
20 import com.google.gson.annotations.SerializedName;
22 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.api.VnfmInfoProvider;
23 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.SystemFunctions;
24 import org.onap.vnfmdriver.model.VnfmInfo;
25 import org.slf4j.Logger;
26 import org.springframework.beans.factory.annotation.Autowired;
27 import org.springframework.beans.factory.annotation.Value;
28 import org.springframework.stereotype.Component;
30 import javax.net.ssl.HostnameVerifier;
31 import javax.net.ssl.SSLSocketFactory;
32 import java.io.IOException;
34 import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.buildFatalFailure;
35 import static org.slf4j.LoggerFactory.getLogger;
36 import static org.springframework.http.HttpHeaders.CONTENT_TYPE;
37 import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED_VALUE;
40 * Responsible for providing a token to access CBAM APIs
43 //even if the value for grant type an user password is the same they do not mean the same thing
44 //the duplication of this is intentional
45 @SuppressWarnings("squid:S1192")
46 public class CbamTokenProvider extends CbamSecurityProvider {
47 public static final int MAX_RETRY_COUNT = 5;
48 public static final String GRANT_TYPE = "password";
49 public static final String CLIENT_SECRET = "password";
50 private static final String CBAM_TOKEN_URL = "realms/cbam/protocol/openid-connect/token";
51 private static Logger logger = getLogger(CbamTokenProvider.class);
52 private final VnfmInfoProvider vnfmInfoProvider;
53 @Value("${cbamKeyCloakBaseUrl}")
54 private String cbamKeyCloakBaseUrl;
55 @Value("${cbamUsername}")
56 private String username;
57 @Value("${cbamPassword}")
58 private String password;
59 private volatile CurrentToken token;
62 CbamTokenProvider(VnfmInfoProvider vnfmInfoProvider) {
63 this.vnfmInfoProvider = vnfmInfoProvider;
67 * @return the token to access CBAM APIs (ex. 123456)
69 public Interceptor getToken(String vnfmId) {
70 VnfmInfo vnfmInfo = vnfmInfoProvider.getVnfmInfo(vnfmId);
71 return new OauthInterceptor(getToken(vnfmInfo.getUserName(), vnfmInfo.getPassword()));
74 private String getToken(String clientId, String clientSecret) {
75 logger.trace("Requesting token for accessing CBAM API");
77 long now = SystemFunctions.systemFunctions().currentTimeMillis();
78 if (token == null || token.refreshAfter < now) {
80 logger.debug("No token: getting first token");
82 logger.debug("Token expired {} ms ago", (now - token.refreshAfter));
84 refresh(clientId, clientSecret);
86 logger.debug("Token will expire in {} ms", (now - token.refreshAfter));
89 return token.token.accessToken;
92 private void refresh(String clientId, String clientSecret) {
93 FormBody body = new FormBody.Builder()
94 .add("grant_type", GRANT_TYPE)
95 .add("client_id", clientId)
96 .add("client_secret", clientSecret)
97 .add("username", username)
98 .add(CLIENT_SECRET, password).build();
99 Request request = new Request.Builder().url(cbamKeyCloakBaseUrl + CBAM_TOKEN_URL).addHeader(CONTENT_TYPE, APPLICATION_FORM_URLENCODED_VALUE).post(body).build();
100 OkHttpClient.Builder builder = new OkHttpClient.Builder();
101 SSLSocketFactory sslSocketFac = buildSSLSocketFactory();
102 HostnameVerifier hostnameVerifier = buildHostnameVerifier();
103 OkHttpClient client = builder.sslSocketFactory(sslSocketFac).hostnameVerifier(hostnameVerifier).build();
104 Exception lastException = null;
105 for (int i = 0; i < MAX_RETRY_COUNT; i++) {
107 Response response = execute(client.newCall(request));
108 if (response.isSuccessful()) {
109 String json = response.body().string();
110 TokenResponse tokenResponse = new Gson().fromJson(json, TokenResponse.class);
111 //token is scheduled to be refreshed in the half time before expiring
112 token = new CurrentToken(tokenResponse, getTokenRefreshTime(tokenResponse));
115 throw buildFatalFailure(logger, "Bad response from CBAM KeyStone");
117 } catch (Exception e) {
119 logger.warn("Unable to get token to access CBAM API (" + (i + 1) + "/" + MAX_RETRY_COUNT + ")", e);
122 throw buildFatalFailure(logger, "Unable to get token to access CBAM API (giving up retries)", lastException);
126 Response execute(Call call) throws IOException {
127 return call.execute();
131 * - a new token is requested after the half of the time has expired till which the currently
132 * used token is valid
134 * @param token the currently held token
135 * @return the point in time after which a new token must be requested
137 private long getTokenRefreshTime(TokenResponse token) {
138 return SystemFunctions.systemFunctions().currentTimeMillis() + token.expiresIn * (1000 / 2);
141 private static class OauthInterceptor implements Interceptor {
142 private final String token;
144 OauthInterceptor(String token) {
149 public Response intercept(Chain chain) throws IOException {
150 Request request = chain.request();
151 Request.Builder builder = request.newBuilder();
152 builder.addHeader("Authorization", "Bearer " + token);
153 Request request1 = builder.build();
154 return chain.proceed(request1);
158 private static class CurrentToken {
159 private final TokenResponse token;
160 private final long refreshAfter;
162 CurrentToken(TokenResponse token, long refreshAfter) {
163 this.refreshAfter = refreshAfter;
169 * Represents the token received from CBAM
171 private static class TokenResponse {
172 @SerializedName("access_token")
174 @SerializedName("expires_in")
176 @SerializedName("id_token")
178 @SerializedName("not-before-policy")
180 @SerializedName("refresh_expires_in")
181 int refreshExpiresIn;
182 @SerializedName("refresh_token")
184 @SerializedName("session_state")
186 @SerializedName("token_type")