|
| 1 | +/* |
| 2 | + * Copyright (c) 2025 Metaform Systems, Inc. |
| 3 | + * |
| 4 | + * This program and the accompanying materials are made available under the |
| 5 | + * terms of the Apache License, Version 2.0 which is available at |
| 6 | + * https://www.apache.org/licenses/LICENSE-2.0 |
| 7 | + * |
| 8 | + * SPDX-License-Identifier: Apache-2.0 |
| 9 | + * |
| 10 | + * Contributors: |
| 11 | + * Metaform Systems, Inc. - initial API and implementation |
| 12 | + * |
| 13 | + */ |
| 14 | + |
| 15 | +package org.eclipse.edc.virtualized.api.authentication.filter; |
| 16 | + |
| 17 | +import jakarta.annotation.Priority; |
| 18 | +import jakarta.ws.rs.Priorities; |
| 19 | +import jakarta.ws.rs.container.ContainerRequestContext; |
| 20 | +import jakarta.ws.rs.container.ContainerRequestFilter; |
| 21 | +import jakarta.ws.rs.container.PreMatching; |
| 22 | +import jakarta.ws.rs.core.Response; |
| 23 | +import org.eclipse.edc.keys.spi.PublicKeyResolver; |
| 24 | +import org.eclipse.edc.token.spi.TokenValidationRule; |
| 25 | +import org.eclipse.edc.token.spi.TokenValidationService; |
| 26 | + |
| 27 | +import java.util.List; |
| 28 | + |
| 29 | +import static org.eclipse.edc.virtualized.api.authentication.filter.Constants.REQUEST_PROPERTY_CLAIMS; |
| 30 | + |
| 31 | +/** |
| 32 | + * Validates the JWT signature against the IdP's public key and validates basic claims, such as {@code iss} and {@code exp}. |
| 33 | + */ |
| 34 | +@PreMatching |
| 35 | +@Priority(Priorities.AUTHENTICATION) |
| 36 | +class JwtValidatorFilter implements ContainerRequestFilter { |
| 37 | + |
| 38 | + private final TokenValidationService tokenValidationService; |
| 39 | + private final PublicKeyResolver publicKeyResolver; |
| 40 | + private final List<TokenValidationRule> rules; |
| 41 | + |
| 42 | + JwtValidatorFilter(TokenValidationService tokenValidationService, PublicKeyResolver publicKeyResolver, List<TokenValidationRule> rules) { |
| 43 | + this.publicKeyResolver = publicKeyResolver; |
| 44 | + this.rules = rules; |
| 45 | + this.tokenValidationService = tokenValidationService; |
| 46 | + } |
| 47 | + |
| 48 | + |
| 49 | + @Override |
| 50 | + public void filter(ContainerRequestContext requestContext) { |
| 51 | + var authHeader = requestContext.getHeaderString("Authorization"); |
| 52 | + if (authHeader == null || !authHeader.startsWith("Bearer ")) { |
| 53 | + abort(requestContext, "Missing Authorization header"); |
| 54 | + return; |
| 55 | + } |
| 56 | + |
| 57 | + var token = authHeader.substring("Bearer ".length()).trim(); |
| 58 | + |
| 59 | + var tokenValidationResult = tokenValidationService.validate(token, publicKeyResolver, rules); |
| 60 | + |
| 61 | + if (tokenValidationResult.failed()) { |
| 62 | + abort(requestContext, tokenValidationResult.getFailureDetail()); |
| 63 | + return; |
| 64 | + } |
| 65 | + |
| 66 | + requestContext.setProperty(REQUEST_PROPERTY_CLAIMS, tokenValidationResult.getContent()); |
| 67 | + } |
| 68 | + |
| 69 | + |
| 70 | + private void abort(ContainerRequestContext ctx, String message) { |
| 71 | + ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED) |
| 72 | + .entity("{\"error\":\"" + message + "\"}") |
| 73 | + .build()); |
| 74 | + } |
| 75 | +} |
0 commit comments