From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <32531730edba4eabbbadc2e1f1eb3269@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Adding some initial OAuth2 client filter support Date: Tue, 7 Apr 2015 16:45:53 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 2fd810353 -> e49894be6 Adding some initial OAuth2 client filter support Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e49894be Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e49894be Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e49894be Branch: refs/heads/master Commit: e49894be6a817844066e517903f6c4aea7ce0a0c Parents: 2fd8103 Author: Sergey Beryozkin Authored: Tue Apr 7 17:45:36 2015 +0100 Committer: Sergey Beryozkin Committed: Tue Apr 7 17:45:36 2015 +0100 ---------------------------------------------------------------------- .../oauth2/client/AbstractAuthSupplier.java | 37 ++++++ .../oauth2/client/BearerAuthSupplier.java | 130 +++++++++++++++++++ .../oauth2/client/BearerClientFilter.java | 43 ++++++ .../oauth2/common/ClientAccessToken.java | 4 + 4 files changed, 214 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
new file mode 100644
index 0000000..5932f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+
+public abstract class AbstractAuthSupplier {
+ protected ClientAccessToken clientAccessToken = new ClientAccessToken();
+ protected AbstractAuthSupplier(String type) {
+ clientAccessToken = new ClientAccessToken();
+ clientAccessToken.setTokenType(type);
+ }
+ public void setAccessToken(String accessToken) {
+ clientAccessToken.setTokenKey(accessToken);
+ }
+ protected String createAuthorizationHeader() {
+ return clientAccessToken.getTokenType() + " " + clientAccessToken.getTokenKey();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
new file mode 100644
index 0000000..557a825
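Review bot: `createAuthorizationHeader()` in AbstractAuthSupplier concatenates `getTokenKey()` without checking it, so a supplier whose access token was never set yields the header value `Bearer null`. BearerAuthSupplier.getAuthorization() returns null before reaching it, but BearerClientFilter.filter() in this commit calls it unconditionally; a guard there such as `if (clientAccessToken.getTokenKey() == null) { return; }` (or an IllegalStateException) would keep a placeholder credential off the wire. Separately, `clientAccessToken` is assigned in the field initialiser and again on the first line of the constructor, so the initialiser can be dropped: `protected ClientAccessToken clientAccessToken;`.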
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.net.URI;
+import java.util.Collections;
+
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.transport.http.auth.HttpAuthSupplier;
+
+public class BearerAuthSupplier extends AbstractAuthSupplier implements HttpAuthSupplier {
+ private Consumer consumer;
+ private String accessTokenServiceUri;
+ private boolean refreshEarly;
+ public BearerAuthSupplier() {
+ super(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+ }
+
+ public boolean requiresRequestCaching() {
+ return true;
+ }
+
+ public String getAuthorization(AuthorizationPolicy authPolicy,
+ URI currentURI,
+ Message message,
+ String fullHeader) {
+ if (clientAccessToken.getTokenKey() == null) {
+ return null;
+ }
+
+
+ if (fullHeader == null) {
+ // regular authorization
+ if (refreshEarly) {
+ refreshAccessTokenIfExpired(authPolicy);
+ }
+ return createAuthorizationHeader();
+ }
+ // the last call resulted in 401, trying to refresh the token(s)
+ if (refreshAccessToken(authPolicy)) {
+ return createAuthorizationHeader();
+ } else {
+ return null;
+
+ }
+ }
+ private void refreshAccessTokenIfExpired(AuthorizationPolicy authPolicy) {
+ if (clientAccessToken.getExpiresIn() != -1
+ && OAuthUtils.isExpired(clientAccessToken.getIssuedAt(),
+ clientAccessToken.getExpiresIn())) {
+ refreshAccessToken(authPolicy);
+ }
+
+ }
+
+
+ private boolean refreshAccessToken(AuthorizationPolicy authPolicy) {
+ if (clientAccessToken.getRefreshToken() == null) {
+ return false;
+ }
+ // Client id and secret are needed to refresh the tokens
+ // AuthorizationPolicy can hold them by default, Consumer can also be injected into this supplier
+ // and checked if the policy is null.
+ // Client TLS authentication is also fine as an alternative authentication mechanism,
+ // how can we check here that a 2-way TLS has been set up ?
+ Consumer theConsumer = consumer;
+ if (theConsumer == null
+ && authPolicy != null && authPolicy.getUserName() != null && authPolicy.getPassword() != null) {
+ theConsumer = new Consumer(authPolicy.getUserName(), authPolicy.getPassword());
+ return false;
+ }
+ if (theConsumer == null) {
+ return false;
+ }
+ // Can WebCient be safely constructed at HttpConduit initialization time ?
+ // If yes then createAccessTokenServiceClient() can be called inside
+ // setAccessTokenServiceUri, though given that the token refreshment would
+ // not be done on every request the current approach is quite reasonable
+
+ WebClient accessTokenService = createAccessTokenServiceClient();
+ clientAccessToken = OAuthClientUtils.refreshAccessToken(accessTokenService, theConsumer, clientAccessToken);
+ return true;
+ }
+
+ private WebClient createAccessTokenServiceClient() {
+ return WebClient.create(accessTokenServiceUri, Collections.singletonList(new OAuthJSONProvider()));
+ }
+
+ public void setRefreshToken(String refreshToken) {
+ clientAccessToken.setRefreshToken(refreshToken);
+ }
+
+ public void setAccessTokenServiceUri(String uri) {
+ this.accessTokenServiceUri = uri;
+ }
+
+ public Consumer getConsumer() {
+ return consumer;
+ }
+ public void setConsumer(Consumer consumer) {
+ this.consumer = consumer;
+ }
+
+ public void setRefreshEarly(boolean refreshEarly) {
+ this.refreshEarly = refreshEarly;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
new file mode 100644
index 0000000..30a7eeb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
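Review bot: In refreshAccessToken() the branch that builds the Consumer from the AuthorizationPolicy ends with `return false;` directly after `theConsumer = new Consumer(authPolicy.getUserName(), authPolicy.getPassword());`, so a refresh can only happen when a Consumer was injected and the policy-held client id and secret described in the comment above are never used. Removing that `return false;` lets the following `if (theConsumer == null)` check decide. The refresh call sends the client secret and refresh token to `accessTokenServiceUri`, which is used without a null or scheme check; rejecting a null or non-`https` value in `setAccessTokenServiceUri` is worth considering. `clientAccessToken` is also reassigned during the refresh with no synchronization, which looks unsafe if one supplier instance serves concurrent requests; that depends on how HttpConduit shares the supplier and should be confirmed.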
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.io.IOException;
+
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientRequestFilter;
+import javax.ws.rs.core.HttpHeaders;
+
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+public class BearerClientFilter extends AbstractAuthSupplier implements ClientRequestFilter {
+
+ public BearerClientFilter() {
+ super(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+ }
+
+ @Override
+ public void filter(ClientRequestContext requestContext) throws IOException {
+ requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION,
+ createAuthorizationHeader());
+
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java ----------------------------------------------------------------------
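Review bot: filter() in BearerClientFilter attaches the bearer token to every outgoing request whatever the target scheme, and `putSingle` replaces any Authorization header the caller had already set. A bearer token can be replayed by anyone who observes it, so the class should at least carry a Javadoc line saying the filter is meant only for clients that reach the resource server over TLS. A stricter option is to leave non-HTTPS requests untouched with `if (!"https".equalsIgnoreCase(requestContext.getUri().getScheme())) { return; }`.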
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java index 745339a..e59075d 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java @@ -31,6 +31,10 @@ public class ClientAccessToken extends AccessToken { private static final long serialVersionUID = 831870452726298523L; private String scope; + public ClientAccessToken() { + + } + public ClientAccessToken(String tokenType, String tokenKey) { super(tokenType, tokenKey); }