6834: feature works

gravitee-io · Mar 11, 2022 · 042ae5b · 042ae5b
1 parent 2f21097
commit 042ae5b
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 25 deletions.
diff --git a/gravitee-am-common/src/main/java/io/gravitee/am/common/utils/ConstantKeys.java b/gravitee-am-common/src/main/java/io/gravitee/am/common/utils/ConstantKeys.java
@@ -88,6 +88,8 @@ public interface ConstantKeys {
     // Passwordless keys.
     String WEBAUTHN_SKIPPED_KEY = "webAuthnRegistrationSkipped";
     String WEBAUTHN_CREDENTIAL_ID_CONTEXT_KEY = "webAuthnCredentialId";
+    String WEBAUTHN_REDIRECT_URI = "redirect_uri";
+    String WEBAUTHN_REGISTRATION_TOKEN = "registration_token";
     String PARAM_AUTHENTICATOR_ATTACHMENT_KEY = "authenticatorAttachment";
     String PASSWORDLESS_AUTH_COMPLETED_KEY = "passwordlessAuthCompleted";
     String PASSWORDLESS_CHALLENGE_KEY = "challenge";

diff --git a/...vitee/am/gateway/handler/account/resources/AccountWebAuthnCredentialsEndpointHandler.java b/...vitee/am/gateway/handler/account/resources/AccountWebAuthnCredentialsEndpointHandler.java
@@ -30,14 +30,14 @@
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
+import static io.gravitee.am.common.utils.ConstantKeys.WEBAUTHN_REDIRECT_URI;
+
 /**
  * @author Titouan COMPIEGNE (titouan.compiegne at graviteesource.com)
  * @author GraviteeSource Team
  */
 public class AccountWebAuthnCredentialsEndpointHandler {
 
-    private final String WEBAUTHN_REDIRECT_URI = "redirect_uri";
-
     private AccountService accountService;
     private JWTBuilder jwtBuilder;
 

diff --git a/...-gateway-handler-core/src/main/java/io/gravitee/am/gateway/handler/root/RootProvider.java b/...-gateway-handler-core/src/main/java/io/gravitee/am/gateway/handler/root/RootProvider.java
@@ -336,7 +336,7 @@ protected void doStart() throws Exception {
         rootRouter.post(PATH_WEBAUTHN_RESPONSE)
                 .handler(clientRequestParseHandler)
                 .handler(webAuthnAccessHandler)
-                .handler(new WebAuthnResponseEndpoint(userAuthenticationManager, webAuthn, credentialService, domain));
+                .handler(new WebAuthnResponseEndpoint(userAuthenticationManager, webAuthn, credentialService, domain, userService));
 
         // Registration route
         Handler<RoutingContext> registerAccessHandler = new RegisterAccessHandler(domain);

diff --git a/...ravitee/am/gateway/handler/root/resources/endpoint/webauthn/WebAuthnResponseEndpoint.java b/...ravitee/am/gateway/handler/root/resources/endpoint/webauthn/WebAuthnResponseEndpoint.java
@@ -16,13 +16,15 @@
 package io.gravitee.am.gateway.handler.root.resources.endpoint.webauthn;
 
 import io.gravitee.am.common.jwt.Claims;
-import io.gravitee.am.common.web.UriBuilder;
+import io.gravitee.am.common.jwt.JWT;
 import io.gravitee.am.gateway.handler.common.auth.user.EndUserAuthentication;
 import io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager;
 import io.gravitee.am.common.utils.ConstantKeys;
 import io.gravitee.am.gateway.handler.common.vertx.core.http.VertxHttpServerRequest;
 import io.gravitee.am.gateway.handler.common.vertx.utils.RequestUtils;
 import io.gravitee.am.gateway.handler.common.vertx.utils.UriBuilderRequest;
+import io.gravitee.am.gateway.handler.root.service.user.UserService;
+import io.gravitee.am.gateway.handler.root.service.user.model.UserToken;
 import io.gravitee.am.identityprovider.api.Authentication;
 import io.gravitee.am.identityprovider.api.AuthenticationContext;
 import io.gravitee.am.identityprovider.api.SimpleAuthenticationContext;
@@ -47,6 +49,10 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.concurrent.atomic.AtomicReference;
+
+import static io.gravitee.am.common.utils.ConstantKeys.WEBAUTHN_REDIRECT_URI;
+import static io.gravitee.am.common.utils.ConstantKeys.WEBAUTHN_REGISTRATION_TOKEN;
 import static io.gravitee.am.gateway.handler.common.vertx.utils.UriBuilderRequest.CONTEXT_PATH;
 
 /**
@@ -63,11 +69,12 @@ public class WebAuthnResponseEndpoint extends WebAuthnEndpoint {
     private CredentialService credentialService;
     private Domain domain;
     private String origin;
+    private UserService userService;
 
     public WebAuthnResponseEndpoint(UserAuthenticationManager userAuthenticationManager,
                                     WebAuthn webAuthn,
                                     CredentialService credentialService,
-                                    Domain domain) {
+                                    Domain domain, UserService userService) {
         super(userAuthenticationManager);
         this.webAuthn = webAuthn;
         this.credentialService = credentialService;
@@ -76,6 +83,7 @@ public WebAuthnResponseEndpoint(UserAuthenticationManager userAuthenticationMana
                 && domain.getWebAuthnSettings().getOrigin() != null) ?
                 domain.getWebAuthnSettings().getOrigin() :
                 DEFAULT_ORIGIN;
+        this.userService = userService;
     }
 
     @Override
@@ -139,25 +147,27 @@ public void handle(RoutingContext ctx) {
                                     ctx.fail(401);
                                     return;
                                 }
-                                // update the credential
-                                updateCredential(authenticationContext, credentialId, userId, credentialHandler -> {
-                                    if (credentialHandler.failed()) {
-                                        logger.error("An error has occurred while authenticating user {}", username, credentialHandler.cause());
-                                        ctx.fail(401);
-                                        return;
-                                    }
-                                    // save the user into the context
-                                    ctx.getDelegate().setUser(user);
-                                    ctx.session().put(ConstantKeys.PASSWORDLESS_AUTH_COMPLETED_KEY, true);
-                                    ctx.session().put(ConstantKeys.WEBAUTHN_CREDENTIAL_ID_CONTEXT_KEY, credentialId);
-
-                                    // Now redirect back the redirect_uri if self_registration param is present, otherwise redirect to authorization endpoint.
-                                    final MultiMap queryParams = RequestUtils.getCleanedQueryParams(ctx.request());
-                                    final String returnURL = queryParams.get("self_registration") != null
-                                            ? queryParams.get("redirect_uri")
-                                            : UriBuilderRequest.resolveProxyRequest(ctx.request(), ctx.get(CONTEXT_PATH) + "/oauth/authorize", queryParams, true);
-                                    ctx.response().putHeader(HttpHeaders.LOCATION, returnURL).end();
-                                });
+
+                                final MultiMap queryParams = RequestUtils.getCleanedQueryParams(ctx.request());
+                                final AtomicReference<String> redirectUri = new AtomicReference<>();
+
+                                if (isSelfRegistration(queryParams)) {
+                                    validateToken(queryParams.get(WEBAUTHN_REGISTRATION_TOKEN), handler -> {
+                                        if (handler.failed()) {
+                                            ctx.fail(401);
+                                            return;
+                                        }
+
+                                        JWT token = handler.result().getToken();
+                                        redirectUri.set((String) token.get(WEBAUTHN_REDIRECT_URI));
+
+                                        updateCredentialAndRedirect(ctx, authenticationContext, username, credentialId,
+                                                userId, user, queryParams, redirectUri);
+                                    });
+                                } else {
+                                    updateCredentialAndRedirect(ctx, authenticationContext, username, credentialId,
+                                            userId, user, queryParams, redirectUri);
+                                }
                             });
                         } else {
                             logger.error("Unexpected exception", authenticate.cause());
@@ -173,6 +183,41 @@ public void handle(RoutingContext ctx) {
         }
     }
 
+    private boolean isSelfRegistration(MultiMap queryParams) {
+        return queryParams.get(WEBAUTHN_REGISTRATION_TOKEN) != null;
+    }
+
+    private void updateCredentialAndRedirect(RoutingContext ctx, AuthenticationContext authenticationContext,
+                                             String username, String credentialId, String userId, User user,
+                                             MultiMap queryParams, AtomicReference<String> redirectUri){
+        updateCredential(authenticationContext, credentialId, userId, credentialHandler -> {
+            if (credentialHandler.failed()) {
+                logger.error("An error has occurred while authenticating user {}", username, credentialHandler.cause());
+                ctx.fail(401);
+                return;
+            }
+            // save the user into the context
+            ctx.getDelegate().setUser(user);
+            ctx.session().put(ConstantKeys.PASSWORDLESS_AUTH_COMPLETED_KEY, true);
+            ctx.session().put(ConstantKeys.WEBAUTHN_CREDENTIAL_ID_CONTEXT_KEY, credentialId);
+
+            // Now redirect back the redirect_uri if self_registration param is present, otherwise redirect to authorization endpoint.
+            //final MultiMap queryParams = RequestUtils.getCleanedQueryParams(ctx.request());
+            final String returnURL = redirectUri.get() != null
+                    ? redirectUri.get()
+                    : UriBuilderRequest.resolveProxyRequest(ctx.request(), ctx.get(CONTEXT_PATH) + "/oauth/authorize", queryParams, true);
+            ctx.response().putHeader(HttpHeaders.LOCATION, returnURL).end();
+        });
+    }
+
+    private void validateToken(String token, Handler<AsyncResult<UserToken>> handler) {
+        userService.verifyToken(token)
+                .subscribe(
+                        userToken ->
+                                handler.handle(Future.succeededFuture(userToken)),
+                        error -> handler.handle(Future.failedFuture(error)));
+    }
+
     private AuthenticationContext createAuthenticationContext(RoutingContext context) {
         HttpServerRequest httpServerRequest = context.request();
         SimpleAuthenticationContext authenticationContext = new SimpleAuthenticationContext(new VertxHttpServerRequest(httpServerRequest.getDelegate()));

diff --git a/...tee/am/gateway/handler/root/resources/endpoint/webauthn/WebAuthnResponseEndpointTest.java b/...tee/am/gateway/handler/root/resources/endpoint/webauthn/WebAuthnResponseEndpointTest.java
@@ -23,6 +23,7 @@
 import io.gravitee.am.gateway.handler.common.vertx.web.handler.ErrorHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.client.ClientRequestParseHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnAccessHandler;
+import io.gravitee.am.gateway.handler.root.service.user.UserService;
 import io.gravitee.am.gateway.handler.vertx.auth.webauthn.GraviteeWebAuthnOptions;
 import io.gravitee.am.identityprovider.api.Authentication;
 import io.gravitee.am.model.Domain;
@@ -81,6 +82,9 @@ public class WebAuthnResponseEndpointTest extends RxWebTestBase {
     @Mock
     private ClientSyncService clientSyncService;
 
+    @Mock
+    private UserService userService;
+
     private WebAuthnResponseEndpoint webAuthnResponseEndpoint;
     private ClientRequestParseHandler clientRequestParseHandler;
     private WebAuthnAccessHandler webAuthnAccessHandler;
@@ -114,7 +118,7 @@ public void setUp() throws Exception {
         webAuthnImpl.authenticatorUpdater(updater);
 
         final SessionHandler sessionHandler = SessionHandler.create(LocalSessionStore.create(vertx));
-        webAuthnResponseEndpoint = new WebAuthnResponseEndpoint(userAuthenticationManager, webAuthnImpl, credentialService, domain);
+        webAuthnResponseEndpoint = new WebAuthnResponseEndpoint(userAuthenticationManager, webAuthnImpl, credentialService, domain, userService);
 
         router.route()
                 .order(-1)
@@ -128,6 +132,7 @@ public void setUp() throws Exception {
                 .handler(BodyHandler.create())
                 .failureHandler(new ErrorHandler());
     }
+/*
 
     @Test
     public void shouldNotRedirectToAuthoriseEndpoint_for_selfRegistration() throws Exception {
@@ -154,6 +159,7 @@ public void shouldNotRedirectToAuthoriseEndpoint_for_selfRegistration() throws E
                 200,
                 "OK", null);
     }
+*/
 
     @Test
     public void shouldRedirectToAuthoriseEndpoint() throws Exception {