Merge pull request #201 from IABTechLab/tjm-UID2-2771-return-optout-url-from-core

Use the returned OptOut URL from the attestation request

Author: thomasm-ttd

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-shared</artifactId>
-    <version>7.2.0-41efc58fbf</version>
+    <version>7.2.4-SNAPSHOT</version>
     <name>${project.groupId}:${project.artifactId}</name>
     <description>Library for all the shared uid2 operations</description>
     <url>https://github.com/IABTechLab/uid2docs</url>
@@ -209,6 +209,11 @@
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>kms</artifactId>
         </dependency>
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.1</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
@@ -266,7 +271,7 @@
         <dependency>
             <groupId>org.assertj</groupId>
             <artifactId>assertj-core</artifactId>
-            <version>3.23.1</version>
+            <version>3.25.2</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

src/main/java/com/uid2/shared/attest/AttestationTokenRetriever.java renamed to src/main/java/com/uid2/shared/attest/AttestationResponseHandler.java

@@ -24,8 +24,8 @@
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 
-public class AttestationTokenRetriever {
-    private static final Logger LOGGER = LoggerFactory.getLogger(AttestationTokenRetriever.class);
+public class AttestationResponseHandler {
+    private static final Logger LOGGER = LoggerFactory.getLogger(AttestationResponseHandler.class);
 
     private final IAttestationProvider attestationProvider;
     private final String clientApiToken;
@@ -47,27 +47,28 @@ public class AttestationTokenRetriever {
     private final AttestationTokenDecryptor attestationTokenDecryptor;
     private final String appVersionHeader;
     private final int attestCheckMilliseconds;
-
-    public AttestationTokenRetriever(Vertx vertx,
-                                     String attestationEndpoint,
-                                     String clientApiToken,
-                                     ApplicationVersion appVersion,
-                                     IAttestationProvider attestationProvider,
-                                     Handler<Pair<Integer, String>> responseWatcher,
-                                     Proxy proxy) {
+    private final AtomicReference<String> optOutUrl;
+
+    public AttestationResponseHandler(Vertx vertx,
+                                      String attestationEndpoint,
+                                      String clientApiToken,
+                                      ApplicationVersion appVersion,
+                                      IAttestationProvider attestationProvider,
+                                      Handler<Pair<Integer, String>> responseWatcher,
+                                      Proxy proxy) {
         this(vertx, attestationEndpoint, clientApiToken, appVersion, attestationProvider, responseWatcher, proxy, new InstantClock(), null, null, 60000);
     }
-    public AttestationTokenRetriever(Vertx vertx,
-                                     String attestationEndpoint,
-                                     String clientApiToken,
-                                     ApplicationVersion appVersion,
-                                     IAttestationProvider attestationProvider,
-                                     Handler<Pair<Integer, String>> responseWatcher,
-                                     Proxy proxy,
-                                     IClock clock,
-                                     URLConnectionHttpClient httpClient,
-                                     AttestationTokenDecryptor attestationTokenDecryptor,
-                                     int attestCheckMilliseconds) {
+    public AttestationResponseHandler(Vertx vertx,
+                                      String attestationEndpoint,
+                                      String clientApiToken,
+                                      ApplicationVersion appVersion,
+                                      IAttestationProvider attestationProvider,
+                                      Handler<Pair<Integer, String>> responseWatcher,
+                                      Proxy proxy,
+                                      IClock clock,
+                                      URLConnectionHttpClient httpClient,
+                                      AttestationTokenDecryptor attestationTokenDecryptor,
+                                      int attestCheckMilliseconds) {
         this.vertx = vertx;
         this.attestationEndpoint = attestationEndpoint;
         this.encodedAttestationEndpoint = this.encodeStringUnicodeAttestationEndpoint(attestationEndpoint);
@@ -77,6 +78,7 @@ public AttestationTokenRetriever(Vertx vertx,
         this.attestationToken = new AtomicReference<>(null);
         this.optOutJwt = new AtomicReference<>(null);
         this.coreJwt = new AtomicReference<>(null);
+        this.optOutUrl = new AtomicReference<>(null);
         this.responseWatcher = responseWatcher;
         this.clock = clock;
         this.lock = new ReentrantLock();
@@ -125,7 +127,7 @@ private void attestationExpirationCheck(long timerId) {
             }
 
             attest();
-        } catch (AttestationTokenRetrieverException e) {
+        } catch (AttestationResponseHandlerException e) {
             notifyResponseWatcher(401, e.getMessage());
             LOGGER.info("Re-attest failed: ", e);
         } catch (IOException e){
@@ -144,9 +146,9 @@ private void scheduleAttestationExpirationCheck() {
         }
     }
 
-    public void attest() throws IOException, AttestationTokenRetrieverException {
+    public void attest() throws IOException, AttestationResponseHandlerException {
         if (!attestationProvider.isReady()) {
-            throw new AttestationTokenRetrieverException("attestation provider is not ready");
+            throw new AttestationResponseHandlerException("attestation provider is not ready");
         }
 
         try {
@@ -177,26 +179,26 @@ public void attest() throws IOException, AttestationTokenRetrieverException {
 
             if (statusCode < 200 || statusCode >= 300) {
                 LOGGER.warn("attestation failed with UID2 Core returning statusCode=" + statusCode);
-                throw new AttestationTokenRetrieverException(statusCode, "unexpected status code from uid core service");
+                throw new AttestationResponseHandlerException(statusCode, "unexpected status code from uid core service");
             }
 
             JsonObject responseJson = (JsonObject) Json.decodeValue(responseBody);
             if (isFailed(responseJson)) {
-                throw new AttestationTokenRetrieverException(statusCode, "response did not return a successful status");
+                throw new AttestationResponseHandlerException(statusCode, "response did not return a successful status");
             }
 
             JsonObject innerBody = responseJson.getJsonObject("body");
             if (innerBody == null) {
-                throw new AttestationTokenRetrieverException(statusCode, "response did not contain a body object");
+                throw new AttestationResponseHandlerException(statusCode, "response did not contain a body object");
             }
 
             String atoken = getAttestationToken(innerBody);
             if (atoken == null) {
-                throw new AttestationTokenRetrieverException(statusCode, "response json does not contain body.attestation_token");
+                throw new AttestationResponseHandlerException(statusCode, "response json does not contain body.attestation_token");
             }
             String expiresAt = getAttestationTokenExpiresAt(innerBody);
             if (expiresAt == null) {
-                throw new AttestationTokenRetrieverException(statusCode, "response json does not contain body.expiresAt");
+                throw new AttestationResponseHandlerException(statusCode, "response json does not contain body.expiresAt");
             }
 
             atoken = new String(attestationTokenDecryptor.decrypt(Base64.getDecoder().decode(atoken), keyPair.getPrivate()), StandardCharsets.UTF_8);
@@ -205,12 +207,13 @@ public void attest() throws IOException, AttestationTokenRetrieverException {
             setAttestationTokenExpiresAt(expiresAt);
             setOptoutJWTFromResponse(innerBody);
             setCoreJWTFromResponse(innerBody);
+            setOptoutURLFromResponse(innerBody);
 
             scheduleAttestationExpirationCheck();
         } catch (IOException ioe) {
             throw ioe;
         } catch (Exception e) {
-            throw new AttestationTokenRetrieverException(e);
+            throw new AttestationResponseHandlerException(e);
         }
     }
 
@@ -230,6 +233,10 @@ public String getCoreJWT() {
         return this.coreJwt.get();
     }
 
+    public String getOptOutUrl() {
+        return this.optOutUrl.get();
+    }
+
     public String getAppVersionHeader() {
         return this.appVersionHeader;
     }
@@ -266,6 +273,17 @@ private void setCoreJWTFromResponse(JsonObject responseBody) {
         }
     }
 
+    private void setOptoutURLFromResponse(JsonObject responseBody) {
+        String url = responseBody.getString("optout_url");
+        if (url == null) {
+            LOGGER.info("OptOut URL not received");
+        } else {
+            LOGGER.info("OptOut URL received");
+            LOGGER.debug("OptOut URL to use: {}", url);
+            this.optOutUrl.set(url);
+        }
+    }
+
     private static boolean isFailed(JsonObject responseJson) {
         return responseJson.getString("status") == null || !responseJson.getString("status").equals("success");
     }

src/main/java/com/uid2/shared/attest/AttestationTokenRetrieverException.java renamed to src/main/java/com/uid2/shared/attest/AttestationResponseHandlerException.java

@@ -1,17 +1,17 @@
 package com.uid2.shared.attest;
 
-public class AttestationTokenRetrieverException extends Exception {
+public class AttestationResponseHandlerException extends Exception {
     private int statusCode = 0;
 
-    public AttestationTokenRetrieverException(Throwable t) {
+    public AttestationResponseHandlerException(Throwable t) {
         super(t);
     }
 
-    public AttestationTokenRetrieverException(String message) {
+    public AttestationResponseHandlerException(String message) {
         super(message);
     }
 
-    public AttestationTokenRetrieverException(int statusCode, String message) {
+    public AttestationResponseHandlerException(int statusCode, String message) {
         super("http status: " + String.valueOf(statusCode) + ", " + message);
         this.statusCode = statusCode;
     }

src/main/java/com/uid2/shared/attest/UidCoreClient.java

@@ -21,22 +21,22 @@ public class UidCoreClient implements IUidCoreClient, DownloadCloudStorage {
     private String userToken;
     private final String appVersionHeader;
     private boolean allowContentFromLocalFileSystem = false;
-    private final AttestationTokenRetriever attestationTokenRetriever;
+    private final AttestationResponseHandler attestationResponseHandler;
 
 
-    public static UidCoreClient createNoAttest(String userToken, AttestationTokenRetriever attestationTokenRetriever) {
-        return new UidCoreClient(userToken, CloudUtils.defaultProxy, attestationTokenRetriever, null);
+    public static UidCoreClient createNoAttest(String userToken, AttestationResponseHandler attestationResponseHandler) {
+        return new UidCoreClient(userToken, CloudUtils.defaultProxy, attestationResponseHandler, null);
     }
 
     public UidCoreClient(String userToken,
                          Proxy proxy,
-                         AttestationTokenRetriever attestationTokenRetriever) {
-        this(userToken, proxy, attestationTokenRetriever, null);
+                         AttestationResponseHandler attestationResponseHandler) {
+        this(userToken, proxy, attestationResponseHandler, null);
     }
 
     public UidCoreClient(String userToken,
                          Proxy proxy,
-                         AttestationTokenRetriever attestationTokenRetriever,
+                         AttestationResponseHandler attestationResponseHandler,
                          URLConnectionHttpClient httpClient) {
         this.proxy = proxy;
         this.userToken = userToken;
@@ -46,13 +46,13 @@ public UidCoreClient(String userToken,
         } else {
             this.httpClient = httpClient;
         }
-        if (attestationTokenRetriever == null) {
-            throw new IllegalArgumentException("attestationTokenRetriever can not be null");
+        if (attestationResponseHandler == null) {
+            throw new IllegalArgumentException("attestationResponseHandler can not be null");
         } else {
-            this.attestationTokenRetriever = attestationTokenRetriever;
+            this.attestationResponseHandler = attestationResponseHandler;
         }
 
-        this.appVersionHeader = attestationTokenRetriever.getAppVersionHeader();
+        this.appVersionHeader = attestationResponseHandler.getAppVersionHeader();
     }
 
     @Override
@@ -89,21 +89,21 @@ private InputStream readContentFromLocalFileSystem(String path, Proxy proxy) thr
         return (proxy == null ? new URL(path).openConnection() : new URL(path).openConnection(proxy)).getInputStream();
     }
 
-    private InputStream getWithAttest(String path) throws IOException, AttestationTokenRetrieverException {
-        if (!attestationTokenRetriever.attested()) {
-            attestationTokenRetriever.attest();
+    private InputStream getWithAttest(String path) throws IOException, AttestationResponseHandlerException {
+        if (!attestationResponseHandler.attested()) {
+            attestationResponseHandler.attest();
         }
 
-        String attestationToken = attestationTokenRetriever.getAttestationToken();
+        String attestationToken = attestationResponseHandler.getAttestationToken();
 
         HttpResponse<String> httpResponse;
         httpResponse = sendHttpRequest(path, attestationToken);
 
         // This should never happen, but keeping this part of the code just to be extra safe.
         if (httpResponse.statusCode() == 401) {
             LOGGER.info("Initial response from UID2 Core returned 401, performing attestation");
-            attestationTokenRetriever.attest();
-            attestationToken = attestationTokenRetriever.getAttestationToken();
+            attestationResponseHandler.attest();
+            attestationToken = attestationResponseHandler.getAttestationToken();
             httpResponse = sendHttpRequest(path, attestationToken);
         }
 
@@ -139,8 +139,8 @@ private HttpResponse<String> sendHttpRequest(String path, String attestationToke
         return httpResponse;
     }
 
-    protected AttestationTokenRetriever getAttestationTokenRetriever() {
-        return attestationTokenRetriever;
+    protected AttestationResponseHandler getAttestationTokenRetriever() {
+        return attestationResponseHandler;
     }
 
     public void setUserToken(String userToken) {

src/main/java/com/uid2/shared/attest/UidOptOutClient.java

@@ -1,30 +1,60 @@
 package com.uid2.shared.attest;
 
-import com.uid2.shared.cloud.CloudUtils;
+import com.uid2.shared.cloud.CloudStorageException;
 import com.uid2.shared.util.URLConnectionHttpClient;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
+import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.Proxy;
-import java.net.http.HttpClient;
+import java.net.URL;
 
 public class UidOptOutClient extends UidCoreClient {
-    public static UidOptOutClient createNoAttest(String userToken, boolean enforceHttps, AttestationTokenRetriever attestationTokenRetriever) {
-        return new UidOptOutClient(userToken, CloudUtils.defaultProxy, attestationTokenRetriever, null);
-    }
+    private static final Logger LOGGER = LoggerFactory.getLogger(UidOptOutClient.class);
+    private AttestationResponseHandler attestationResponseHandler;
 
     public UidOptOutClient(String userToken,
-                         Proxy proxy,
-                         AttestationTokenRetriever attestationTokenRetriever) {
-        super(userToken, proxy, attestationTokenRetriever, null);
+                           Proxy proxy,
+                           AttestationResponseHandler attestationResponseHandler) {
+        super(userToken, proxy, attestationResponseHandler, null);
+        this.attestationResponseHandler = attestationResponseHandler;
     }
+
     public UidOptOutClient(String userToken,
                            Proxy proxy,
-                           AttestationTokenRetriever attestationTokenRetriever,
+                           AttestationResponseHandler attestationResponseHandler,
                            URLConnectionHttpClient httpClient) {
-        super(userToken, proxy, attestationTokenRetriever, httpClient);
+        super(userToken, proxy, attestationResponseHandler, httpClient);
+        this.attestationResponseHandler = attestationResponseHandler;
     }
 
     @Override
     protected String getJWT() {
         return this.getAttestationTokenRetriever().getOptOutJWT();
     }
+
+    @Override
+    public InputStream download(String path) throws CloudStorageException {
+        if (path == null) {
+            path = "";
+        }
+
+        if (this.attestationResponseHandler.getOptOutUrl() != null) {
+            try {
+                URL baseUrl = new URL(this.attestationResponseHandler.getOptOutUrl());
+                URL fullUrl = new URL(baseUrl, path);
+                return super.download(fullUrl.toExternalForm());
+            } catch (MalformedURLException e) {
+                LOGGER.error("Unable to parse OptOut URL", e);
+            } catch (Exception e) {
+                // Specifically not logging the exception as it might contain sensitive URLs
+                LOGGER.error("Unexpected error in UidOptOutClient download");
+            }
+        } else {
+            LOGGER.warn("UidOptOutClient attempting to download but OptOutUrl not available");
+        }
+
+        return InputStream.nullInputStream();
+    }
 }

src/main/java/com/uid2/shared/optout/OptOutCloudSync.java

@@ -11,7 +11,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.File;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.file.Path;