Mercurial > hg > thermostat-ng > agent

view agent/core/src/main/java/com/redhat/thermostat/agent/internal/http/KeycloakAccessTokenServiceImpl.java @ 2756:d844cfb19af1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Use singleton for HttpClient instance. Reviewed-by: neugens Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2017-September/024970.html PR3447
author Severin Gehwolf <sgehwolf@redhat.com>
date Tue, 12 Sep 2017 17:01:54 +0200
parents f31a81430347
children
line wrap: on
line source

/*
 * Copyright 2012-2017 Red Hat, Inc.
 *
 * This file is part of Thermostat.
 *
 * Thermostat is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2, or (at your
 * option) any later version.
 *
 * Thermostat is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Thermostat; see the file COPYING.  If not see
 * <http://www.gnu.org/licenses/>.
 *
 * Linking this code with other modules is making a combined work
 * based on this code.  Thus, the terms and conditions of the GNU
 * General Public License cover the whole combination.
 *
 * As a special exception, the copyright holders of this code give
 * you permission to link this code with independent modules to
 * produce an executable, regardless of the license terms of these
 * independent modules, and to copy and distribute the resulting
 * executable under terms of your choice, provided that you also
 * meet, for each linked independent module, the terms and conditions
 * of the license of that module.  An independent module is a module
 * which is not derived from or based on this code.  If you modify
 * this code, you may extend this exception to your version of the
 * library, but you are not obligated to do so.  If you do not wish
 * to do so, delete this exception statement from your version.
 */

package com.redhat.thermostat.agent.internal.http;

import java.util.logging.Level;
import java.util.logging.Logger;

import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.client.util.StringContentProvider;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.HttpStatus;

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.redhat.thermostat.agent.http.RequestFailedException;
import com.redhat.thermostat.agent.keycloak.KeycloakAccessToken;
import com.redhat.thermostat.agent.keycloak.KeycloakAccessTokenService;
import com.redhat.thermostat.common.utils.LoggingUtils;
import com.redhat.thermostat.shared.config.CommonPaths;
import com.redhat.thermostat.shared.config.SSLConfiguration;

@Component
@Service(value = KeycloakAccessTokenService.class)
public class KeycloakAccessTokenServiceImpl extends BasicHttpService implements KeycloakAccessTokenService {

    private static final Logger logger = LoggingUtils.getLogger(KeycloakAccessTokenServiceImpl.class);
    private static final String KEYCLOAK_TOKEN_SERVICE = "/auth/realms/__REALM__/protocol/openid-connect/token";
    private static final String KEYCLOAK_CONTENT_TYPE = "application/x-www-form-urlencoded";
    private final Object accessTokenLock = new Object();
    private final Gson gson = new GsonBuilder().create();
    private KeycloakAccessToken keycloakAccessToken;

    @Reference
    private SSLConfiguration sslConfig;
    @Reference
    private CommonPaths commonPaths;

    public KeycloakAccessTokenServiceImpl() {
        this(new HttpClientCreator(), new ConfigCreator(), new CredentialsCreator());
    }

    // For testing purposes
    KeycloakAccessTokenServiceImpl(HttpClientCreator clientCreator, ConfigCreator configCreator, CredentialsCreator credsCreator) {
        super(clientCreator, configCreator, credsCreator);
    }

    @Activate
    public void activate() {
        super.doActivate(commonPaths, sslConfig, KeycloakAccessTokenService.class.getSimpleName());
    }

    @Override
    public KeycloakAccessToken getAccessToken() throws RequestFailedException {
        synchronized(accessTokenLock) {
            if (keycloakAccessToken == null) {
                keycloakAccessToken = acquireKeycloakToken();
            } else if (keycloakAccessToken.isKeycloakTokenExpired()) {
                logger.log(Level.FINE, "Keycloak Token expired attempting to reacquire via refresh_token");
                keycloakAccessToken = refreshKeycloakToken();

                if (keycloakAccessToken == null) {
                    logger.log(Level.WARNING, "Unable to refresh Keycloak token, attempting to acquire new token");
                    keycloakAccessToken = acquireKeycloakToken();
                }

                if (keycloakAccessToken == null) {
                    logger.log(Level.SEVERE, "Unable to reacquire KeycloakToken.");
                    throw new RequestFailedException("Keycloak token expired and attempt to refresh and reacquire Keycloak token failed.");
                }
            }

        }
        return keycloakAccessToken;
    }

    private KeycloakAccessToken acquireKeycloakToken() {
        return requestKeycloakToken(getKeycloakAccessPayload());
    }

    private KeycloakAccessToken refreshKeycloakToken() {
        return requestKeycloakToken(getKeycloakRefreshPayload());
    }

    private KeycloakAccessToken requestKeycloakToken(String payload) {
        String url = agentStartupConfiguration.getKeycloakUrl() + KEYCLOAK_TOKEN_SERVICE.replace("__REALM__", agentStartupConfiguration.getKeycloakRealm());
        Request request = client.newRequest(url);
        request.content(new StringContentProvider(payload), KEYCLOAK_CONTENT_TYPE);
        request.method(HttpMethod.POST);

        try {
            ContentResponse response = request.send();
            if (response.getStatus() == HttpStatus.OK_200) {

                String content = response.getContentAsString();

                keycloakAccessToken = gson.fromJson(content, KeycloakAccessToken.class);
                keycloakAccessToken.setAcquireTime(System.nanoTime());

                logger.log(Level.FINE, "Keycloak Token acquired");
                return keycloakAccessToken;
            } else {
                logger.log(Level.WARNING, "Failed to acquire Keycloak token: " + response.getStatus() + " " + response.getReason());
            }
        } catch (Exception e) {
            logger.log(Level.WARNING, "Failed to acquire Keycloak token", e);
        }
        return null;
    }

    private String getKeycloakAccessPayload() {
        String username = creds.getUsername();
        String password = new String(creds.getPassword());
        return "grant_type=password&client_id=" + agentStartupConfiguration.getKeycloakClient() +
                "&username=" + username +
                "&password=" + password;
    }

    private String getKeycloakRefreshPayload() {
        return "grant_type=refresh_token&client_id=" + agentStartupConfiguration.getKeycloakClient() +
                "&refresh_token=" + keycloakAccessToken.getRefreshToken();
    }

    // For testing purpuses
    void setKeycloakAccessToken(KeycloakAccessToken token) {
        synchronized (accessTokenLock) {
            this.keycloakAccessToken = token;
        }
    }
}