2 * Copyright 2016-2017, Nokia Corporation
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.vnfm;
18 import com.google.common.annotations.VisibleForTesting;
19 import com.google.gson.Gson;
20 import com.google.gson.annotations.SerializedName;
21 import java.io.IOException;
22 import javax.net.ssl.HostnameVerifier;
23 import javax.net.ssl.SSLSocketFactory;
25 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.api.VnfmInfoProvider;
26 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.onap.core.GenericExternalSystemInfoProvider;
27 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.onap.core.VnfmCredentials;
28 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.onap.core.VnfmUrls;
29 import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.SystemFunctions;
30 import org.slf4j.Logger;
32 import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.buildFatalFailure;
33 import static org.slf4j.LoggerFactory.getLogger;
34 import static org.springframework.http.HttpHeaders.CONTENT_TYPE;
35 import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED_VALUE;
38 * Responsible for providing a token to access CBAM APIs
40 //even if the value for grant type an user password is the same they do not mean the same thing
41 //the duplication of this is intentional
42 @SuppressWarnings("squid:S1192")
43 public class CbamTokenProvider extends CbamSecurityProvider {
44 public static final int MAX_RETRY_COUNT = 5;
45 public static final String GRANT_TYPE = "password";
46 public static final String CLIENT_SECRET = "password";
47 private static final String CBAM_TOKEN_URL = "realms/cbam/protocol/openid-connect/token";
48 private static Logger logger = getLogger(CbamTokenProvider.class);
49 private final VnfmInfoProvider vnfmInfoProvider;
50 private volatile CurrentToken token;
52 CbamTokenProvider(VnfmInfoProvider vnfmInfoProvider) {
53 this.vnfmInfoProvider = vnfmInfoProvider;
57 * @return the token to access CBAM APIs (ex. 123456)
59 public Interceptor getToken(String vnfmId) {
60 return new OauthInterceptor(getTokenInternal(vnfmId));
63 private String getTokenInternal(String vnfmId) {
64 logger.trace("Requesting token for accessing CBAM API");
66 long now = SystemFunctions.systemFunctions().currentTimeMillis();
67 if (token == null || token.refreshAfter < now) {
69 logger.debug("No token: getting first token");
71 logger.debug("Token expired {} ms ago", (now - token.refreshAfter));
75 logger.debug("Token will expire in {} ms", (now - token.refreshAfter));
78 return token.token.accessToken;
81 private void refresh(String vnfmId) {
82 VnfmUrls vnfmUrls = GenericExternalSystemInfoProvider.convert(vnfmInfoProvider.getVnfmInfo(vnfmId));
83 VnfmCredentials vnfmCredentials = GenericExternalSystemInfoProvider.convertToCredentials(vnfmInfoProvider.getVnfmInfo(vnfmId));
85 FormBody body = new FormBody.Builder()
86 .add("grant_type", GRANT_TYPE)
87 .add("client_id", vnfmCredentials.getClientId())
88 .add("client_secret", vnfmCredentials.getClientSecret())
89 .add("username", vnfmCredentials.getUsername())
90 .add(CLIENT_SECRET, vnfmCredentials.getPassword()).build();
91 String cbamKeyCloakBaseUrl = vnfmUrls.getAuthUrl();
92 Request request = new Request.Builder().url(cbamKeyCloakBaseUrl + CBAM_TOKEN_URL).addHeader(CONTENT_TYPE, APPLICATION_FORM_URLENCODED_VALUE).post(body).build();
93 OkHttpClient.Builder builder = new OkHttpClient.Builder();
94 SSLSocketFactory sslSocketFac = buildSSLSocketFactory();
95 HostnameVerifier hostnameVerifier = buildHostnameVerifier();
96 OkHttpClient client = builder.sslSocketFactory(sslSocketFac).hostnameVerifier(hostnameVerifier).build();
97 Exception lastException = null;
98 for (int i = 0; i < MAX_RETRY_COUNT; i++) {
100 Response response = execute(client.newCall(request));
101 if (response.isSuccessful()) {
102 String json = response.body().string();
103 TokenResponse tokenResponse = new Gson().fromJson(json, TokenResponse.class);
104 //token is scheduled to be refreshed in the half time before expiring
105 token = new CurrentToken(tokenResponse, getTokenRefreshTime(tokenResponse));
108 throw buildFatalFailure(logger, "Bad response from CBAM KeyStone");
110 } catch (Exception e) {
112 logger.warn("Unable to get token to access CBAM API (" + (i + 1) + "/" + MAX_RETRY_COUNT + ")", e);
115 throw buildFatalFailure(logger, "Unable to get token to access CBAM API (giving up retries)", lastException);
119 Response execute(Call call) throws IOException {
120 return call.execute();
124 * - a new token is requested after the half of the time has expired till which the currently
125 * used token is valid
127 * @param token the currently held token
128 * @return the point in time after which a new token must be requested
130 private long getTokenRefreshTime(TokenResponse token) {
131 return SystemFunctions.systemFunctions().currentTimeMillis() + token.expiresIn * (1000 / 2);
134 private static class OauthInterceptor implements Interceptor {
135 private final String token;
137 OauthInterceptor(String token) {
142 public Response intercept(Chain chain) throws IOException {
143 Request request = chain.request();
144 Request.Builder builder = request.newBuilder();
145 builder.addHeader("Authorization", "Bearer " + token);
146 Request request1 = builder.build();
147 return chain.proceed(request1);
151 private static class CurrentToken {
152 private final TokenResponse token;
153 private final long refreshAfter;
155 CurrentToken(TokenResponse token, long refreshAfter) {
156 this.refreshAfter = refreshAfter;
162 * Represents the token received from CBAM
164 private static class TokenResponse {
165 @SerializedName("access_token")
167 @SerializedName("expires_in")
169 @SerializedName("id_token")
171 @SerializedName("not-before-policy")
173 @SerializedName("refresh_expires_in")
174 int refreshExpiresIn;
175 @SerializedName("refresh_token")
177 @SerializedName("session_state")
179 @SerializedName("token_type")