device authorization of users and loading secrets from vault

pom.xml

@@ -200,6 +200,16 @@
             <artifactId>commons-exec</artifactId>
             <version>1.3</version>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.15.3</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.jopenlibs</groupId>
+            <artifactId>vault-java-driver</artifactId>
+            <version>6.2.0</version>
+        </dependency>
     </dependencies>
     <dependencyManagement>
         <dependencies>

src/main/java/org/onedatashare/transferservice/odstransferservice/OdsTransferService.java

@@ -1,5 +1,6 @@
 package org.onedatashare.transferservice.odstransferservice;
 
+import org.onedatashare.transferservice.odstransferservice.config.VaultConfiguration;
 import org.springframework.batch.core.configuration.annotation.EnableBatchProcessing;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -13,6 +14,7 @@ public class OdsTransferService {
 
 
     public static void main(String[] args) {
+        VaultConfiguration.loadSecrets();
         SpringApplication.run(OdsTransferService.class, args);
     }
 

src/main/java/org/onedatashare/transferservice/odstransferservice/config/VaultConfiguration.java

@@ -0,0 +1,107 @@
+package org.onedatashare.transferservice.odstransferservice.config;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.github.jopenlibs.vault.Vault;
+import io.github.jopenlibs.vault.VaultConfig;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+
+import org.onedatashare.transferservice.odstransferservice.service.AuthenticationService;
+
+public class VaultConfiguration {
+    private static Vault vaultServiceInstance;
+    private static String vaultServerAddress = System.getenv("VAULT_URI");
+    private static String secretsPath = System.getenv("VAULT_SECRETS_PATH");
+    private static String shouldLoadSecrets = System.getenv("VAULT_LOAD_SECRETS");
+    private static String vaultTransferServiceUserRole = System.getenv("VAULT_TRANSFER_SERVICE_USER_ROLE");
+    private VaultConfiguration() {
+
+    }
+
+    public static void loadSecrets() {
+        try {
+
+            if (shouldLoadSecrets == null || !shouldLoadSecrets.equals("true")) {
+                return;
+            }
+            Vault vaultServiceInstance = getInstance();
+            var secrets = vaultServiceInstance.logical().read(secretsPath).getData();
+            for (Map.Entry<String, String> kv : secrets.entrySet()) {
+                System.setProperty(kv.getKey(), kv.getValue());
+            }
+        } catch (Exception e) {
+            System.out.println("Exception while loading secrets from vault:" + e.getMessage());
+        }
+    }
+
+    public static Vault getInstance() throws Exception {
+
+        if (vaultServiceInstance == null) {
+            AuthenticationService authenticator = new AuthenticationService();
+            Map<String, Object> authTokens = authenticator.startDeviceAuthentication();
+            setOdsUserFromToken(authTokens.get("id_token").toString());
+            return authenticateVaultWithIdToken(authTokens.get("id_token").toString());
+
+        }
+        return vaultServiceInstance;
+    }
+
+    private static void setOdsUserFromToken(String idToken) throws Exception {
+        String payload = idToken.split("\\.")[1];
+        String decodedPayload = new String(Base64.getDecoder().decode(payload));
+        ObjectMapper objectMapper = new ObjectMapper();
+        HashMap<String, Object> decodedPayloadMap = objectMapper.readValue(decodedPayload, HashMap.class);
+        System.setProperty("ods.user", decodedPayloadMap.get("email").toString());
+    }
+
+    private static Vault authenticateVaultWithIdToken(String idToken) throws Exception {
+
+
+        String jwtLoginUri = vaultServerAddress + "/v1/auth/jwt/login";
+        HttpClient httpClient = HttpClient.newBuilder()
+                .version(HttpClient.Version.HTTP_2)
+                .build();
+        ObjectMapper objectMapper = new ObjectMapper();
+        Map<String, Object> vaultAuthPayload = new HashMap<>();
+        vaultAuthPayload.put("jwt", idToken);
+        vaultAuthPayload.put("role", vaultTransferServiceUserRole);
+        HttpRequest vaultAuthrequest = HttpRequest.newBuilder()
+                .POST(buildFormDataFromMap(vaultAuthPayload))
+                .uri(URI.create(jwtLoginUri))
+                .setHeader("User-Agent", "Java HttpClient Bot") // add request header
+                .header("Content-Type", "application/x-www-form-urlencoded")
+                .build();
+
+        HttpResponse<String> vaultAuthresponse = httpClient.send(vaultAuthrequest, HttpResponse.BodyHandlers.ofString());
+        HashMap<String, Object> vaultAuthRespnseMap = objectMapper.readValue(vaultAuthresponse.body(), HashMap.class);
+        HashMap<Object, Object> vaultAuthData = (HashMap<Object, Object>) vaultAuthRespnseMap.get("auth");
+        String vaultToken = vaultAuthData.get("client_token").toString();
+
+        // Configure the Vault client with the server address
+        VaultConfig config = new VaultConfig().address(vaultServerAddress).token(vaultToken).engineVersion(2).build();
+        vaultServiceInstance = Vault.create(config);
+        return vaultServiceInstance;
+    }
+
+    private static HttpRequest.BodyPublisher buildFormDataFromMap(Map<String, Object> data) {
+        StringBuilder builder = new StringBuilder();
+        for (Map.Entry<String, Object> entry : data.entrySet()) {
+            if (builder.length() > 0) {
+                builder.append("&");
+            }
+            builder.append(URLEncoder.encode(entry.getKey().toString(), StandardCharsets.UTF_8));
+            builder.append("=");
+            builder.append(URLEncoder.encode(entry.getValue().toString(), StandardCharsets.UTF_8));
+        }
+        return HttpRequest.BodyPublishers.ofString(builder.toString());
+    }
+}

src/main/java/org/onedatashare/transferservice/odstransferservice/service/AuthenticationService.java

@@ -0,0 +1,144 @@
+package org.onedatashare.transferservice.odstransferservice.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+
+public class AuthenticationService {
+    private static final String CLIENT_ID = System.getenv("OAUTH_CLIENT_ID");
+    private static final String CLIENT_SECRET = System.getenv("OAUTH_CLIENT_SECRET");
+
+    public Map<String, Object> startDeviceAuthentication() throws Exception {
+        Map<String, Object> tokenResponsePayload = new HashMap<>();
+        String SCOPE = "openid profile email org.cilogon.userinfo";
+        String HOST = "cilogon.org";
+
+        String DEVICE_ENDPOINT = String.format("https://%s/oauth2/device_authorization", HOST);
+        String TOKEN_ENDPOINT = String.format("https://%s/oauth2/token", HOST);
+
+        HttpClient httpClient = HttpClient.newBuilder()
+                .version(HttpClient.Version.HTTP_2)
+                .build();
+        ObjectMapper objectMapper = new ObjectMapper();
+
+        //DEVICE REQUEST
+        Map<String, Object> deviceRequestPayload = new HashMap<>();
+        deviceRequestPayload.put("client_id", CLIENT_ID);
+        deviceRequestPayload.put("client_secret", CLIENT_SECRET);
+        deviceRequestPayload.put("scope", SCOPE);
+
+        HttpRequest deviceRequest = HttpRequest.newBuilder()
+                .POST(buildFormDataFromMap(deviceRequestPayload))
+                .uri(URI.create(DEVICE_ENDPOINT))
+                .setHeader("User-Agent", "Java HttpClient Bot") // add request header
+                .header("Content-Type", "application/x-www-form-urlencoded")
+                .build();
+        HttpResponse<String> deviceResponse = httpClient.send(deviceRequest, HttpResponse.BodyHandlers.ofString());
+        Map<String, Object> deviceResponsePayload = objectMapper.readValue(deviceResponse.body(), HashMap.class);
+
+        //DEVICE RESPONSE CHECK
+        if (deviceResponsePayload.containsKey("error")) {
+            String errorDescription = deviceResponsePayload.get("error_description").toString();
+            if (errorDescription.length() > 0) {
+                System.out.format("Error description : %s", deviceResponsePayload.get("error_description"));
+            }
+            throw new Exception(errorDescription);
+        }
+        String DEVICE_CODE = deviceResponsePayload.get("device_code").toString();
+        String USER_CODE = deviceResponsePayload.get("user_code").toString();
+        String VERIFICATION_URI_COMPLETE = deviceResponsePayload.get("verification_uri_complete").toString();
+        String VERIFICATION_URI = deviceResponsePayload.get("verification_uri").toString();
+        int INTERVAL = 5;
+        if (deviceResponsePayload.containsKey("interval")) {
+            INTERVAL = Integer.parseInt(deviceResponsePayload.get("interval").toString());
+        }
+
+        boolean checks_failed = false;
+        if (DEVICE_CODE.length() == 0) {
+            System.out.println("Error: No device code found in response");
+            checks_failed = true;
+        }
+        if (USER_CODE.length() == 0) {
+            System.out.println("Error: No user code found in response");
+            checks_failed = true;
+        }
+        if (checks_failed) {
+            throw new Exception("device code or user code not found in response");
+        }
+
+        //USER MESSAGE
+        System.out.println("Device code successful");
+        System.out.format("On your computer or mobile device navigate to: %s \n", VERIFICATION_URI_COMPLETE);
+        System.out.format("OR \n Navigate to %s and  enter the following code: %s \n", VERIFICATION_URI, USER_CODE);
+
+
+        //TOKEN REQUEST
+        String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+        Map<String, Object> tokenRequestPayload = new HashMap<>();
+        tokenRequestPayload.put("client_id", CLIENT_ID);
+        tokenRequestPayload.put("client_secret", CLIENT_SECRET);
+        tokenRequestPayload.put("device_code", DEVICE_CODE);
+        tokenRequestPayload.put("grant_type", GRANT_TYPE);
+
+
+        boolean isAuthenticated = false;
+
+        //WAIT FOR AUTH TOKENS
+        while (!isAuthenticated) {
+            System.out.println("Checking if user completed the flow");
+            HttpRequest tokenRequest = HttpRequest.newBuilder()
+                    .POST(buildFormDataFromMap(tokenRequestPayload))
+                    .uri(URI.create(TOKEN_ENDPOINT))
+                    .setHeader("User-Agent", "Java HttpClient") // add request header
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .build();
+            HttpResponse<String> tokenResponse = httpClient.send(tokenRequest, HttpResponse.BodyHandlers.ofString());
+            tokenResponsePayload = objectMapper.readValue(tokenResponse.body(), HashMap.class);
+            if (tokenResponsePayload.containsKey("error")) {
+                String error = tokenResponsePayload.get("error").toString();
+                String error_description = tokenResponsePayload.get("error_description").toString();
+                System.out.println(error_description);
+                if (error.equals("authorization_pending") || error.equals("slow_down")) {
+                    if (error.equals("slow_down")) {
+                        INTERVAL += 5;
+                    }
+                    Thread.sleep(INTERVAL * 1000);
+                } else {
+                    if (error_description.equals("no pending request")) {
+                        System.out.println("Error: User denied user_code. \n Please begin a new device code request");
+                    } else {
+                        System.out.format("Error %s \n", error_description);
+                        if (error_description.equals("device code expired")) {
+                            System.out.println("Please begin new device code request");
+                        }
+                    }
+                    throw new Exception(error_description);
+                }
+            } else {
+                isAuthenticated = true;
+                break;
+            }
+        }
+        return tokenResponsePayload;
+    }
+
+    private HttpRequest.BodyPublisher buildFormDataFromMap(Map<String, Object> data) {
+        StringBuilder builder = new StringBuilder();
+        for (Map.Entry<String, Object> entry : data.entrySet()) {
+            if (builder.length() > 0) {
+                builder.append("&");
+            }
+            builder.append(URLEncoder.encode(entry.getKey().toString(), StandardCharsets.UTF_8));
+            builder.append("=");
+            builder.append(URLEncoder.encode(entry.getValue().toString(), StandardCharsets.UTF_8));
+        }
+        return HttpRequest.BodyPublishers.ofString(builder.toString());
+    }
+}