- public enum TOKEN_TYPE {unknown,bearer,refresh}
- public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token};
- public enum CLIENT_TYPE {unknown,confidential};
-
- // Additional Expires
- private final DAO<AuthzTrans, ?>[] daos;
- public final OAuthTokenDAO tokenDAO;
- private final DirectAAFUserPass directUserPass;
- private final TokenClientFactory tcf;
- private TokenClient altIntrospectClient;
- private String altDomain;
- private final JSONPermLoader permLoader;
+ private static final int TOK_EXP = 60*60*1000; // 1 hour, millis.
+
+ public enum TOKEN_TYPE {unknown,bearer,refresh}
+ public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token};
+ public enum CLIENT_TYPE {unknown,confidential};
+
+ // Additional Expires
+ private final DAO<AuthzTrans, ?>[] daos;
+ public final OAuthTokenDAO tokenDAO;
+ private final DirectAAFUserPass directUserPass;
+ private final TokenClientFactory tcf;
+ private TokenClient altIntrospectClient;
+ private String altDomain;
+ private final JSONPermLoader permLoader;
+
+
+ // If we add more CAs, may want to parameterize
+
+ @SuppressWarnings("unchecked")
+ public OAuthService(final Access access, final AuthzTrans trans, final Question q) throws APIException, IOException {
+ permLoader = JSONPermLoaderFactory.direct(q);
+ tokenDAO = new OAuthTokenDAO(trans, q.historyDAO());
+ daos =(DAO<AuthzTrans, ?>[]) new DAO<?,?>[] {
+ tokenDAO
+ };
+ try {
+ String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null);
+ if (alt_url!=null) {
+ tcf = TokenClientFactory.instance(access);
+ String[] split = Split.split(',', alt_url);
+ int timeout = split.length>1?Integer.parseInt(split[1]):3000;
+ altIntrospectClient = tcf.newClient(split[0], timeout);
+ altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null),
+ access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null));
+ altDomain = '@'+access.getProperty(Config.AAF_ALT_OAUTH2_DOMAIN,null);
+ } else {
+ tcf = null;
+ }
+ directUserPass = new DirectAAFUserPass(trans.env(), q);
+ } catch (GeneralSecurityException | CadiException | LocatorException e) {
+ throw new APIException("Could not construct TokenClientFactory",e);
+ }
+
+ }
+
+ public Result<Void> validate(AuthzTrans trans, OCreds creds) {
+ if (directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) {
+ return Result.ok();
+ } else {
+ return Result.err(Result.ERR_Security, "Invalid Credential for ",creds.username);
+ }
+ }
+
+ public Result<Data> createToken(AuthzTrans trans, HttpServletRequest req, OAuthTokenDAO.Data odd, Holder<GRANT_TYPE> hgt) {
+ switch(hgt.get()) {
+ case client_credentials:
+ case password:
+ return createBearerToken(trans, odd);
+ case refresh_token:
+ return refreshBearerToken(trans, odd);
+ default:
+ return Result.err(Result.ERR_BadData, "Unknown Grant Type");
+ }
+ }
+
+ private Result<Data> createBearerToken(AuthzTrans trans, OAuthTokenDAO.Data odd) {
+ if (odd.user==null) {
+ odd.user = trans.user();
+ }
+ odd.id = AAFToken.toToken(UUID.randomUUID());
+ odd.refresh = AAFToken.toToken(UUID.randomUUID());
+ odd.active = true;
+ long exp;
+ exp=(System.currentTimeMillis()+TOK_EXP);
+ odd.expires = new Date(exp);
+ odd.exp_sec = exp/1000;
+ odd.req_ip = trans.ip();