Merge pull request #7 from avaje/feature/add-helidon-jwtfilter

Add Helidon JwtAuthFilter

Author: rbygrave

avaje-oauth2-core/src/main/java/module-info.java

@@ -0,0 +1,8 @@
+module io.avaje.oauth2.core {
+
+    exports io.avaje.oauth2.core.data;
+    exports io.avaje.oauth2.core.jwt;
+
+    requires transitive io.avaje.json;
+    requires transitive io.avaje.http.client;
+}

avaje-oauth2-helidon-jwtfilter/pom.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.avaje</groupId>
+        <artifactId>avaje-oauth2-parent</artifactId>
+        <version>0.1</version>
+    </parent>
+
+    <artifactId>avaje-oauth2-helidon-jwtfilter</artifactId>
+
+    <properties>
+        <maven.compiler.source>23</maven.compiler.source>
+        <maven.compiler.target>23</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.avaje</groupId>
+            <artifactId>avaje-oauth2-core</artifactId>
+            <version>0.1</version>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.webserver</groupId>
+            <artifactId>helidon-webserver</artifactId>
+            <version>4.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+
+    </dependencies>
+</project>

avaje-oauth2-helidon-jwtfilter/src/main/java/io/avaje/oauth2/helidon/jwtfilter/AuthFilter.java

@@ -0,0 +1,64 @@
+package io.avaje.oauth2.helidon.jwtfilter;
+
+import io.avaje.oauth2.core.data.AccessToken;
+import io.avaje.oauth2.core.jwt.JwtVerifier;
+import io.helidon.common.context.Context;
+import io.helidon.http.HeaderNames;
+import io.helidon.http.UnauthorizedException;
+import io.helidon.webserver.http.FilterChain;
+import io.helidon.webserver.http.RoutingRequest;
+import io.helidon.webserver.http.RoutingResponse;
+
+import java.security.Principal;
+import java.util.List;
+
+final class AuthFilter implements JwtAuthFilter {
+
+    private static final String BEARER_ = "Bearer ";
+    private static final int BEARER_LENGTH = BEARER_.length();
+
+    private final JwtVerifier verifier;
+    private final String[] allowedPaths;
+
+    AuthFilter(JwtVerifier verifier, List<String> allowedPaths) {
+        this.verifier = verifier;
+        this.allowedPaths = allowedPaths.toArray(new String[0]);
+    }
+
+    @Override
+    public void filter(FilterChain filterChain, RoutingRequest routingRequest, RoutingResponse routingResponse) {
+        String header = routingRequest.headers().first(HeaderNames.AUTHORIZATION).orElse("");
+        if (header.startsWith(BEARER_)) {
+            String token = header.substring(BEARER_LENGTH);
+            AccessToken accessToken = verifier.verifyAccessToken(token);
+            Context context = routingRequest.context();
+            context.register("security.principal", new TokenPrincipal(accessToken.clientId()));
+            context.register("security.roles", accessToken.scope());
+            filterChain.proceed();
+            return;
+        }
+
+        final String path = routingRequest.path().path();
+        for (String allowedPath : allowedPaths) {
+            if (path.startsWith(allowedPath)) {
+                filterChain.proceed();
+                return;
+            }
+        }
+        throw new UnauthorizedException("Unauthorized");
+    }
+
+    private static final class TokenPrincipal implements Principal {
+
+        private final String name;
+
+        TokenPrincipal(String name) {
+            this.name = name;
+        }
+
+        @Override
+        public String getName() {
+            return name;
+        }
+    }
+}

avaje-oauth2-helidon-jwtfilter/src/main/java/io/avaje/oauth2/helidon/jwtfilter/AuthFilterBuilder.java

@@ -0,0 +1,29 @@
+package io.avaje.oauth2.helidon.jwtfilter;
+
+import io.avaje.oauth2.core.jwt.JwtVerifier;
+
+import java.util.ArrayList;
+import java.util.List;
+
+final class AuthFilterBuilder implements JwtAuthFilter.Builder {
+
+    private final List<String> allowedPaths = new ArrayList<>();
+    private JwtVerifier verifier;
+
+    @Override
+    public JwtAuthFilter.Builder permit(String path) {
+        allowedPaths.add(path);
+        return this;
+    }
+
+    @Override
+    public JwtAuthFilter.Builder verifier(JwtVerifier verifier) {
+        this.verifier = verifier;
+        return this;
+    }
+
+    @Override
+    public JwtAuthFilter build() {
+        return new AuthFilter(verifier, allowedPaths);
+    }
+}

avaje-oauth2-helidon-jwtfilter/src/main/java/io/avaje/oauth2/helidon/jwtfilter/JwtAuthFilter.java

@@ -0,0 +1,60 @@
+package io.avaje.oauth2.helidon.jwtfilter;
+
+import io.avaje.oauth2.core.jwt.JwtVerifier;
+import io.helidon.webserver.http.Filter;
+
+/**
+ * Filter that ensures a valid Signed JWT token is presented as a Authorization Bearer header.
+ * <p>
+ * The filter uses a JwtVerifier to verify the SignedJWT is valid.
+ * <p>
+ * The filter can allow some paths to not require a JWT token such as health endpoints.
+ *
+ * <pre>{@code
+ *
+ *   String issuer = "https://cognito-idp.<region>.amazonaws.com/<region>_<foo>";
+ *
+ *   JwtVerifier jwtVerifier = JwtVerifier.builder()
+ *     .issuer(issuer)
+ *     .build();
+ *
+ *   JwtAuthFilter filter = JwtAuthFilter.builder()
+ *     .permit("/health")
+ *     .permit("/ping")
+ *     .verifier(jwtVerifier)
+ *     .build();
+ *
+ * }</pre>
+ */
+public interface JwtAuthFilter extends Filter {
+
+    /**
+     * Return a builder for JwtAuthFilter.
+     */
+    static Builder builder() {
+        return new AuthFilterBuilder();
+    }
+
+    /**
+     * Builder for JwtAuthFilter.
+     */
+    interface Builder {
+
+        /**
+         * Permit paths starting with the given prefix to not require a JWT token.
+         *
+         * @param pathPrefix The path prefix that does not require a JWT token.
+         */
+        Builder permit(String pathPrefix);
+
+        /**
+         * Specify the JwtVerifier to use.
+         */
+        Builder verifier(JwtVerifier verifier);
+
+        /**
+         * Build and return the JwtAuthFilter.
+         */
+        JwtAuthFilter build();
+    }
+}

avaje-oauth2-helidon-jwtfilter/src/main/java/module-info.java

@@ -0,0 +1,7 @@
+module io.avaje.oauth2.helidon.jwtfilter {
+
+    exports io.avaje.oauth2.helidon.jwtfilter;
+
+    requires transitive io.avaje.oauth2.core;
+    requires transitive io.helidon.webserver;
+}

avaje-oauth2-helidon-jwtfilter/src/test/java/io/avaje/oauth2/helidon/jwtfilter/JwtAuthFilterTest.java

@@ -0,0 +1,36 @@
+package io.avaje.oauth2.helidon.jwtfilter;
+
+import io.avaje.oauth2.core.data.JsonDataMapper;
+import io.avaje.oauth2.core.data.KeySet;
+import io.avaje.oauth2.core.jwt.JwtKeySource;
+import io.avaje.oauth2.core.jwt.JwtVerifier;
+import org.junit.jupiter.api.Test;
+
+import java.io.InputStream;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class JwtAuthFilterTest {
+
+    @Test
+    void build() {
+        InputStream is = JwtAuthFilterTest.class.getResourceAsStream("/keys.json");
+        JsonDataMapper jsonMapper = JsonDataMapper.builder().build();
+        KeySet keySet = jsonMapper.readKeySet(is);
+
+        //String issuer = "https://cognito-idp.REGION.amazonaws.com/REGION_FOO";
+        JwtVerifier jwtVerifier = JwtVerifier.builder()
+                // .issuer(issuer)
+                .addRS256()
+                .keySource(JwtKeySource.build(keySet))
+                .build();
+
+        JwtAuthFilter filter = JwtAuthFilter.builder()
+                .permit("/health")
+                .permit("/ping")
+                .verifier(jwtVerifier)
+                .build();
+
+        assertThat(filter).isNotNull();
+    }
+}

avaje-oauth2-helidon-jwtfilter/src/test/resources/keys.json

@@ -0,0 +1,20 @@
+{
+  "keys": [
+    {
+      "alg": "RS256",
+      "e": "AQAB",
+      "kid": "jGyPpG803SsVfJ4mdDdVKDD9UnQk7GCAKqN2h3Of6ic=",
+      "kty": "RSA",
+      "n": "5GSe0QejeIrhbhBPgJBOOfr_KIW6o3wpt6aoR4D_ft48ToLxAQKq6WLq-Ccb4lKIk-j1DbW3lju3DepugwR3IDtUuNO-zCi8--tAI2k_XgU-9oWoEifnz5RD0wlezjxBCjBMxxzhowD_EjcmyN5WUv0u4f3VMnKBsTSWxTkrShzYnmIoo8WEFk-UQKxw9AgDV_VtN4na8NnXiygJ8q0eD-S1tqOz-cvTZeh2qhkLOXyd_dguC7sdlPLb5-I-jszSYx1Ic88Os3UuPqHyLYccVuEd8Jb0dal6625bgD6fQuWVkmdit9xuySJAMKRWT-CSCTDXYcEBm9Vk-PCZOHhAtw",
+      "use": "sig"
+    },
+    {
+      "alg": "RS256",
+      "e": "AQAB",
+      "kid": "iM8z2dS1yIA6PRVdA8gsNXgFlZJwRSM5WeynrLhalqk=",
+      "kty": "RSA",
+      "n": "w2eWpy1C_8dZNCb6tHTMz0Ahb6ZSpBPijK4tvW0rv1tghIdXo2h_NZ5qM-Gg25XLAxQdG3-SF9zUz3MLVnbzZCseFi12zqOe8bkzIk9yeHOarDvSaLn9xcWooSyhY-3vWp26VY-zNWsiDI8aZuZPQNb5tcnozo1LTH0G6RPwMiW_Djar9UIloFfgw7bScYUopyMW-asbFlN2QRVHX-JdxAIb8WDM_DBDR6Sdmd9WOuaapPwBS4BGGHiQlArVeFzoxN0VIM4HyXf1mDo039qDRngZf3ZXWeN29iT-PHEOksYN7PLCn0V6fsNVLl_4mLRLnwAnvTd9vIOU-R71T6d4aw",
+      "use": "sig"
+    }
+  ]
+}

pom.xml

@@ -16,6 +16,7 @@
 
     <modules>
         <module>avaje-oauth2-core</module>
+        <module>avaje-oauth2-helidon-jwtfilter</module>
         <module>avaje-oauth2-oidc-cognito</module>
     </modules>