CMR-11017: adds support for federated jwt tokens

daniel-zamora · daniel-zamora · commit 799d7a7edcc8 · 2025-12-03T21:24:09.000-05:00
diff --git a/access-control-app/src/cmr/access_control/api/routes.clj b/access-control-app/src/cmr/access_control/api/routes.clj
@@ -331,7 +331,7 @@
           ;; Create a group
           (POST "/"
                 {ctx :request-context params :params headers :headers body :body}
-                (lt-validation/validate-launchpad-token ctx)
+                (lt-validation/validate-write-token ctx)
                 (pv/validate-create-group-route-params params)
                 (create-group ctx
                               headers
@@ -350,14 +350,14 @@
             ;; Delete a group
             (DELETE "/"
                     {ctx :request-context params :params}
-                    (lt-validation/validate-launchpad-token ctx)
+                    (lt-validation/validate-write-token ctx)
                     (pv/validate-group-route-params params)
                     (delete-group ctx group-id))
 
             ;; Update a group
             (PUT "/"
                  {ctx :request-context params :params headers :headers body :body}
-                 (lt-validation/validate-launchpad-token ctx)
+                 (lt-validation/validate-write-token ctx)
                  (pv/validate-group-route-params params)
                  (update-group ctx headers (slurp body) group-id))
 
@@ -370,13 +370,13 @@
 
               (POST "/"
                     {ctx :request-context params :params headers :headers body :body}
-                    (lt-validation/validate-launchpad-token ctx)
+                    (lt-validation/validate-write-token ctx)
                     (pv/validate-group-route-params params)
                     (add-members ctx headers (slurp body) group-id))
 
               (DELETE "/"
                       {ctx :request-context params :params headers :headers body :body}
-                      (lt-validation/validate-launchpad-token ctx)
+                      (lt-validation/validate-write-token ctx)
                       (pv/validate-group-route-params params)
                       (remove-members ctx headers (slurp body) group-id)))))
         (context "/groups" []))
@@ -399,7 +399,7 @@
         ;; Create an ACL
         (POST "/"
               {ctx :request-context params :params headers :headers body :body}
-              (lt-validation/validate-launchpad-token ctx)
+              (lt-validation/validate-write-token ctx)
               (pv/validate-standard-params params)
               (create-acl ctx headers (slurp body)))
 
@@ -409,13 +409,13 @@
           ;; Update an ACL
           (PUT "/"
                {ctx :request-context headers :headers body :body}
-               (lt-validation/validate-launchpad-token ctx)
+               (lt-validation/validate-write-token ctx)
                (update-acl ctx concept-id headers (slurp body)))
 
           ;; Delete an ACL
           (DELETE "/"
                   {ctx :request-context headers :headers}
-                  (lt-validation/validate-launchpad-token ctx)
+                  (lt-validation/validate-write-token ctx)
                   (delete-acl ctx concept-id headers))
 
           ;; Retrieve an ACL
diff --git a/access-control-app/src/cmr/access_control/system.clj b/access-control-app/src/cmr/access_control/system.clj
@@ -104,6 +104,7 @@
                                         [:system-object :provider-object :single-instance-object])
                       provider-cache/cache-key (provider-cache/create-cache)
                       acl/collection-field-constraints-cache-key (acl/create-access-constraints-cache)
+                      acl/token-draft-cache-key (acl/create-token-draft-cache)
                       common-enabled/write-enabled-cache-key (common-enabled/create-write-enabled-cache)
                       common-health/health-cache-key (common-health/create-health-cache)
                       launchpad-user-cache/launchpad-user-cache-key (launchpad-user-cache/create-launchpad-user-cache)
diff --git a/acl-lib/src/cmr/acl/core.clj b/acl-lib/src/cmr/acl/core.clj
@@ -211,6 +211,13 @@
   (has-management-permission?
     context permission-type object-identity-type provider-id "PROVIDER_CONTEXT"))
 
+(defn has-non-nasa-draft-permission?
+  "Returns true if the user has been granted NON_NASA_DRAFT_USER permission.
+  Required for EDL+MFA (assurance level 4) JWT tokens."
+  [context permission-type object-identity-type provider-id]
+  (has-management-permission?
+    context permission-type object-identity-type provider-id "NON_NASA_DRAFT_USER"))
+
 (defn- verify-management-permission
   "Verifies the current user has been granted the permission in permission-fn in ECHO ACLs"
   [context permission-type object-identity-type provider-id cache-key permission-fn]
@@ -308,3 +315,10 @@
      provider-id
      token-pc-cache-key
      has-provider-context-permission?)))
+
+(defn verify-non-nasa-draft-permission
+  "Verifies the user has NON_NASA_DRAFT_USER permission for a provider.
+  Required for EDL+MFA (assurance level 4) JWT tokens."
+  [context permission-type object-identity-type provider-id]
+  (when-not (has-non-nasa-draft-permission? context permission-type object-identity-type provider-id)
+    (errors/throw-service-error :unauthorized "You do not have permission to perform that action.")))
diff --git a/common-app-lib/src/cmr/common_app/api/launchpad_token_validation.clj b/common-app-lib/src/cmr/common_app/api/launchpad_token_validation.clj
@@ -1,10 +1,13 @@
 (ns cmr.common-app.api.launchpad-token-validation
   "Validate Launchpad token."
   (:require
+   [cmr.acl.core :as acl]
    [cmr.common-app.config :as config]
+   [cmr.common.log :refer [info]]
    [cmr.common.services.errors :as errors]
    [cmr.common.util :as common-util]
-   [cmr.transmit.config :as transmit-config]))
+   [cmr.transmit.config :as transmit-config]
+   [cmr.transmit.tokens :as tokens]))
 
 ;; TODO - remove legacy token check after legacy token retirement
 (defn get-token-type
@@ -15,19 +18,76 @@
       (= (transmit-config/echo-system-token) token) "System"
       (re-seq #"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}" token) "Echo-Token"
       (common-util/is-legacy-token? token) "Legacy-EDL"
+      (tokens/is-launchpad-federated-jwt? token) "JWT-Launchpad-Level-5"
+      (tokens/is-edl-mfa-jwt? token) "JWT-EDL-MFA-Level-4"
       (common-util/is-jwt-token? token) "JWT"
       :else "Launchpad")))
 
-(defn validate-launchpad-token
-  "Validate the token in request context is a Launchpad Token if launchpad token enforcement
-   is turned on. This function should be called on routes that will ingest into CMR.
-   Ingest will only be allowed if the user is in the NAMS CMR Ingest group
-   and also has the right ACLs which is based on Earthdata Login uid."
-  [request-context]
-  (let [token (:token request-context)]
-    (when (and (config/launchpad-token-enforced)
-               (not (common-util/is-launchpad-token? token))
-               (not= (transmit-config/echo-system-token) token))
-      (errors/throw-service-error
-       :bad-request
-       (format "Launchpad token is required. Token [%s] is not a launchpad token." (common-util/scrub-token token))))))
+(defn- get-token-info
+  "Returns token validation info. Returns map with :type, :valid?, :assurance-level, :requires-draft-acl?"
+  [token]
+  (let [is-jwt? (common-util/is-jwt-token? token)
+        assurance-level (when is-jwt? (tokens/get-assurance-level token))
+        is-saml? (common-util/is-launchpad-token? token)
+
+        valid-saml? (and is-saml? (config/enable-launchpad-saml-authentication))
+        valid-jwt? (and is-jwt?
+                       (config/enable-idfed-jwt-authentication)
+                       assurance-level
+                       (>= assurance-level (config/required-assurance-level)))]
+    {:type (cond
+             (= token (transmit-config/echo-system-token)) :system
+             is-saml? :saml
+             (and is-jwt? (= assurance-level 5)) :jwt-level-5
+             (and is-jwt? (= assurance-level 4)) :jwt-level-4
+             is-jwt? :jwt-other
+             :else :unknown)
+     :valid? (or valid-saml? valid-jwt?)
+     :assurance-level assurance-level
+     :requires-draft-acl? (and is-jwt? (= assurance-level 4))}))
+
+(defn- build-error-message
+  "Builds error message for invalid token."
+  [token token-info]
+  (let [{:keys [type assurance-level]} token-info
+        saml-enabled? (config/enable-launchpad-saml-authentication)
+        jwt-enabled? (config/enable-idfed-jwt-authentication)
+        required-level (config/required-assurance-level)]
+    (cond
+      (not (or saml-enabled? jwt-enabled?))
+      "Write operations are disabled. Both Launchpad SAML and IDFed JWT authentication are turned off."
+
+      (and (#{:jwt-level-4 :jwt-other} type) assurance-level jwt-enabled? (< assurance-level required-level))
+      (format "Token [%s] has assurance_level %d, but level %d or higher is required."
+              (common-util/scrub-token token) assurance-level required-level)
+
+      (and (#{:jwt-level-5 :jwt-level-4 :jwt-other} type) (not jwt-enabled?))
+      (format "Token [%s] is a JWT token, but IDFed JWT authentication is disabled."
+              (common-util/scrub-token token))
+
+      (and (= type :saml) (not saml-enabled?))
+      (format "Token [%s] is a Launchpad SAML token, but SAML authentication is disabled."
+              (common-util/scrub-token token))
+
+      :else
+      (format "Token [%s] is not authorized for write operations."
+              (common-util/scrub-token token)))))
+
+(defn validate-write-token
+  "Validates token is authorized for write operations. Level 4 JWT tokens require NON_NASA_DRAFT_USER ACL."
+  ([request-context]
+   (validate-write-token request-context nil))
+  ([request-context provider-id]
+   (let [token (:token request-context)]
+     (when (and (config/launchpad-token-enforced)
+                (not= token (transmit-config/echo-system-token)))
+
+       (let [token-info (get-token-info token)]
+         (info (format "Token validation - Type: %s, Valid: %s" (:type token-info) (:valid? token-info)))
+
+         (when-not (:valid? token-info)
+           (errors/throw-service-error :bad-request (build-error-message token token-info)))
+
+         (when (and provider-id (:requires-draft-acl? token-info))
+           (acl/verify-non-nasa-draft-permission request-context :update :provider-object provider-id)))))))
+
diff --git a/common-app-lib/src/cmr/common_app/config.clj b/common-app-lib/src/cmr/common_app/config.clj
@@ -51,3 +51,28 @@
   "Write a HotSpotDiagnostic file to the path provided. If no path is provided,
    or the value of 'none' is given, then no file will be written."
   {:default ""})
+
+(defconfig enable-idfed-jwt-authentication
+  "Enable EDL Identity Federated JWT tokens with assurance_level for write operations.
+   When true, JWT tokens with assurance_level 5 (Launchpad/PIV) will be accepted for ingest.
+   When false, only traditional Launchpad SAML tokens are accepted for write operations.
+   This allows gradual rollout of IDFed authentication and quick rollback if needed."
+  {:default false
+   :type Boolean})
+
+(defconfig enable-launchpad-saml-authentication
+  "Enable traditional Launchpad SAML tokens for write operations.
+   When true, traditional Launchpad SAML tokens are accepted for ingest.
+   When false, Launchpad SAML tokens are rejected (only IDFed JWT tokens accepted).
+   This allows eventual deprecation of SAML tokens after full IDFed migration."
+  {:default true
+   :type Boolean})
+
+(defconfig required-assurance-level
+  "Minimum assurance level required for JWT tokens to perform write operations.
+   Default is 4 (EDL+MFA). Only applies when enable-idfed-jwt-authentication is true.
+   Assurance levels: 1=Social Login, 2=Social+MFA, 3=EDL, 4=EDL+MFA, 5=Launchpad/PIV
+   Level 4 requires NON_NASA_DRAFT_USER ACL permission for the provider.
+   Level 5 grants full access like traditional Launchpad SAML tokens."
+  {:default 4
+   :type Long})
diff --git a/ingest-app/src/cmr/ingest/api/bulk.clj b/ingest-app/src/cmr/ingest/api/bulk.clj
@@ -24,7 +24,7 @@
     (let [{:keys [body headers request-context]} request
           content (api-core/read-body! body)
           user-id (api-core/get-user-id request-context headers)]
-      (lt-validation/validate-launchpad-token request-context)
+      (lt-validation/validate-write-token request-context provider-id)
       (api-core/verify-provider-exists request-context provider-id)
       (acl/verify-ingest-management-permission request-context :update :provider-object provider-id)
       (let [task-id (bulk-update/validate-and-save-bulk-update
@@ -46,7 +46,7 @@
     (let [{:keys [body headers request-context]} request
           content (api-core/read-body! body)
           user-id (api-core/get-user-id request-context headers)]
-      (lt-validation/validate-launchpad-token request-context)
+      (lt-validation/validate-write-token request-context provider-id)
       (api-core/verify-provider-exists request-context provider-id)
       (acl/verify-ingest-management-permission request-context :update :provider-object provider-id)
       (let [task-id (gran-bulk-update/validate-and-save-bulk-granule-update
diff --git a/ingest-app/src/cmr/ingest/api/collections.clj b/ingest-app/src/cmr/ingest/api/collections.clj
@@ -48,7 +48,7 @@
 (defn ingest-collection
   [provider-id native-id request]
   (let [{:keys [body content-type _params headers request-context]} request]
-    (lt-validation/validate-launchpad-token request-context)
+    (lt-validation/validate-write-token request-context provider-id)
     (api-core/verify-provider-exists request-context provider-id)
     (acl/verify-ingest-management-permission request-context :update :provider-object provider-id)
     (common-enabled/validate-write-enabled request-context "ingest")
diff --git a/ingest-app/src/cmr/ingest/api/core.clj b/ingest-app/src/cmr/ingest/api/core.clj
@@ -319,7 +319,7 @@
                              :concept-type concept-type}
                             (set-revision-id headers)
                             (set-user-id request-context headers))]
-    (lt-validation/validate-launchpad-token request-context)
+    (lt-validation/validate-write-token request-context provider-id)
     (common-enabled/validate-write-enabled request-context "ingest")
     (verify-provider-exists request-context provider-id)
     (acl/verify-ingest-management-permission request-context :update :provider-object provider-id)
diff --git a/ingest-app/src/cmr/ingest/api/generic_documents.clj b/ingest-app/src/cmr/ingest/api/generic_documents.clj
@@ -119,7 +119,7 @@
                         (:provider-id route-params))
         native-id (:native-id route-params)
         concept-type (concept-type->singular route-params)
-        _ (lt-validation/validate-launchpad-token request-context)
+        _ (lt-validation/validate-write-token request-context provider-id)
         _ (api-core/verify-provider-exists request-context provider-id)
         _ (if-not (is-draft-concept? request)
             (acl/verify-ingest-management-permission
diff --git a/ingest-app/src/cmr/ingest/api/granules.clj b/ingest-app/src/cmr/ingest/api/granules.clj
@@ -61,7 +61,7 @@
 (defn ingest-granule
   [provider-id native-id request]
   (let [{:keys [body content-type headers request-context]} request]
-    (lt-validation/validate-launchpad-token request-context)
+    (lt-validation/validate-write-token request-context provider-id)
     (api-core/verify-provider-exists request-context provider-id)
     (acl/verify-ingest-management-permission request-context :update :provider-object provider-id)
     (common-enabled/validate-write-enabled request-context "ingest")
@@ -84,7 +84,7 @@
                           :native-id native-id
                           :concept-type :granule}
                          headers)]
-    (lt-validation/validate-launchpad-token request-context)
+    (lt-validation/validate-write-token request-context provider-id)
     (api-core/verify-provider-exists request-context provider-id)
     (acl/verify-ingest-management-permission request-context :update :provider-object provider-id)
     (common-enabled/validate-write-enabled request-context "ingest")
diff --git a/ingest-app/src/cmr/ingest/api/services.clj b/ingest-app/src/cmr/ingest/api/services.clj
@@ -39,7 +39,7 @@
   (let [{:keys [body content-type headers request-context]} request
         concept (api-core/body->concept!
                  :service provider-id native-id body content-type headers)]
-    (lt-validation/validate-launchpad-token request-context)
+    (lt-validation/validate-write-token request-context provider-id)
     (api-core/verify-provider-exists request-context provider-id)
     (acl/verify-ingest-management-permission
       request-context :update :provider-object provider-id)
diff --git a/ingest-app/src/cmr/ingest/api/tools.clj b/ingest-app/src/cmr/ingest/api/tools.clj
@@ -39,7 +39,7 @@
   (let [{:keys [body content-type headers request-context]} request
         concept (api-core/body->concept!
                  :tool provider-id native-id body content-type headers)]
-    (lt-validation/validate-launchpad-token request-context)
+    (lt-validation/validate-write-token request-context provider-id)
     (api-core/verify-provider-exists request-context provider-id)
     (acl/verify-ingest-management-permission
       request-context :update :provider-object provider-id)
diff --git a/ingest-app/src/cmr/ingest/api/variables.clj b/ingest-app/src/cmr/ingest/api/variables.clj
@@ -35,7 +35,7 @@
          concept (api-core/body->concept!
                   :variable provider-id native-id body content-type headers)]
 
-     (lt-validation/validate-launchpad-token request-context)
+     (lt-validation/validate-write-token request-context provider-id)
      (api-core/verify-provider-exists request-context provider-id)
      (acl/verify-ingest-management-permission
       request-context :update :provider-object provider-id)
diff --git a/transmit-lib/src/cmr/transmit/tokens.clj b/transmit-lib/src/cmr/transmit/tokens.clj
@@ -17,11 +17,49 @@
    [cmr.transmit.connection :as conn]
    [cmr.transmit.launchpad-user-cache :as launchpad-user-cache]))
 
+(def edl-assurance-level-social-login 1)
+(def edl-assurance-level-social-login-mfa 2)
+(def edl-assurance-level-edl 3)
+(def edl-assurance-level-edl-mfa 4)
+(def edl-assurance-level-launchpad-piv 5)
+
+(def edl-public-key-parsed
+  "Cached parsed EDL public key for JWT validation."
+  (delay (buddy-keys/jwk->public-key (json/parse-string (transmit-config/edl-public-key) true))))
+
+(defn get-jwt-claims
+  "Extracts claims from a JWT token. Returns nil if invalid."
+  [token]
+  (try
+    (let [public-key @edl-public-key-parsed
+          bearer-stripped-token (string/replace token #"Bearer\W+" "")]
+      (jwt/unsign bearer-stripped-token public-key {:alg :rs256}))
+    (catch Exception _e
+      nil)))
+
+(defn get-assurance-level
+  "Returns the assurance level from a JWT token, or nil if not found."
+  [token]
+  (when-let [claims (get-jwt-claims token)]
+    (:assurance_level claims)))
+
+(defn is-launchpad-federated-jwt?
+  "Returns true if token is level 5 (Launchpad/PIV)."
+  [token]
+  (when (common-util/is-jwt-token? token)
+    (= edl-assurance-level-launchpad-piv (get-assurance-level token))))
+
+(defn is-edl-mfa-jwt?
+  "Returns true if token is level 4 (EDL+MFA)."
+  [token]
+  (when (common-util/is-jwt-token? token)
+    (= edl-assurance-level-edl-mfa (get-assurance-level token))))
+
 (defn verify-edl-token-locally
   "Uses the EDL public key to verify jwt tokens locally."
   [token]
   (try
-    (let [public-key (buddy-keys/jwk->public-key (json/parse-string (transmit-config/edl-public-key) true))
+    (let [public-key @edl-public-key-parsed
           bearer-stripped-token (string/replace token #"Bearer\W+" "")
           decrypted-token (jwt/unsign bearer-stripped-token public-key {:alg :rs256})]
       (:uid decrypted-token))
@@ -123,17 +161,17 @@
      [status parsed body])))
 
 (defn get-user-id
-  "Get the user-id from EDL or Launchpad for the given token"
+  "Returns the user-id for the given token."
   [context token]
   (if (transmit-config/echo-system-token? token)
-    ;; Short circuit a lookup when we already know who this is.
     (transmit-config/echo-system-username)
     (if (and (common-util/is-jwt-token? token)
              (transmit-config/local-edl-verification))
-      (verify-edl-token-locally token)
+      (if-let [claims (get-jwt-claims token)]
+        (:uid claims)
+        (verify-edl-token-locally token))
       (if (common-util/is-launchpad-token? token)
         (:uid (launchpad-user-cache/get-launchpad-user context token))
-        ;; Legacy services has been shut down, we still use a mock for tests, we will leave this here and handle the 301.
         (let [[status parsed body] (rest-post context "/tokens/get_token_info"
                                                     {:headers {"Accept" mt/json
                                                                "Authorization" (transmit-config/echo-system-token)}
