ls1intum · janthoXO · Sep 23, 2024 · Sep 24, 2024 · Sep 28, 2024 · Sep 28, 2024
@@ -27,7 +27,10 @@
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
+import de.tum.cit.aet.artemis.core.security.allowedTools.ToolsInterceptor;
 import de.tum.cit.aet.artemis.core.security.filter.CachingHttpHeadersFilter;
 import tech.jhipster.config.JHipsterProperties;
 
@@ -36,17 +39,20 @@
  */
 @Profile(PROFILE_CORE)
 @Configuration
-public class WebConfigurer implements ServletContextInitializer, WebServerFactoryCustomizer<WebServerFactory> {
+public class WebConfigurer implements ServletContextInitializer, WebServerFactoryCustomizer<WebServerFactory>, WebMvcConfigurer {
 
     private static final Logger log = LoggerFactory.getLogger(WebConfigurer.class);
 
     private final Environment env;
 
     private final JHipsterProperties jHipsterProperties;
 
-    public WebConfigurer(Environment env, JHipsterProperties jHipsterProperties) {
+    private final ToolsInterceptor toolsInterceptor;
+
+    public WebConfigurer(Environment env, JHipsterProperties jHipsterProperties, ToolsInterceptor toolsInterceptor) {
         this.env = env;
         this.jHipsterProperties = jHipsterProperties;
+        this.toolsInterceptor = toolsInterceptor;
     }
 
     @Override
@@ -125,4 +131,9 @@ public CorsFilter corsFilter() {
         }
         return new CorsFilter(source);
     }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(toolsInterceptor);
+    }
 }
@@ -19,7 +19,6 @@
 import java.util.regex.Pattern;
 
 import jakarta.annotation.Nullable;
-import jakarta.servlet.http.Cookie;
 import jakarta.validation.constraints.NotNull;
 
 import org.slf4j.Logger;
@@ -28,6 +27,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.http.HttpStatusCode;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.http.server.ServerHttpRequest;
 import org.springframework.http.server.ServerHttpResponse;
@@ -52,7 +52,6 @@
 import org.springframework.web.socket.server.HandshakeInterceptor;
 import org.springframework.web.socket.server.support.DefaultHandshakeHandler;
 import org.springframework.web.socket.sockjs.transport.handler.WebSocketTransportHandler;
-import org.springframework.web.util.WebUtils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Iterators;
@@ -201,9 +200,14 @@ public HandshakeInterceptor httpSessionHandshakeInterceptor() {
             public boolean beforeHandshake(@NotNull ServerHttpRequest request, @NotNull ServerHttpResponse response, @NotNull WebSocketHandler wsHandler,
                     @NotNull Map<String, Object> attributes) {
                 if (request instanceof ServletServerHttpRequest servletRequest) {
-                    attributes.put(IP_ADDRESS, servletRequest.getRemoteAddress());
-                    Cookie jwtCookie = WebUtils.getCookie(servletRequest.getServletRequest(), JWTFilter.JWT_COOKIE_NAME);
-                    return JWTFilter.isJwtCookieValid(tokenProvider, jwtCookie);
+                    try {
+                        attributes.put(IP_ADDRESS, servletRequest.getRemoteAddress());
+                        return JWTFilter.extractValidJwt(servletRequest.getServletRequest(), tokenProvider) != null;
+                    }
+                    catch (IllegalArgumentException e) {
+                        response.setStatusCode(HttpStatusCode.valueOf(400));
+                        return false;
+                    }
                 }
                 return false;
             }

@@ -0,0 +1,13 @@
+package de.tum.cit.aet.artemis.core.security.allowedTools;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ ElementType.METHOD, ElementType.TYPE })
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AllowedTools {
+
+    ToolTokenType[] value();
+}
@@ -0,0 +1,5 @@
+package de.tum.cit.aet.artemis.core.security.allowedTools;
+
+public enum ToolTokenType {
+    SCORPIO
+}
@@ -0,0 +1,68 @@
+package de.tum.cit.aet.artemis.core.security.allowedTools;
+
+import java.lang.reflect.Method;
+import java.util.Arrays;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Component;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+import de.tum.cit.aet.artemis.core.security.jwt.JWTFilter;
+import de.tum.cit.aet.artemis.core.security.jwt.TokenProvider;
+
+@Component
+public class ToolsInterceptor implements HandlerInterceptor {
+
+    private final TokenProvider tokenProvider;
+
+    public ToolsInterceptor(TokenProvider tokenProvider) {
+        this.tokenProvider = tokenProvider;
+    }
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        String jwtToken;
+        try {
+            jwtToken = JWTFilter.extractValidJwt(request, tokenProvider);
+        }
+        catch (IllegalArgumentException e) {
+            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+            return false;
+        }
+
+        if (handler instanceof HandlerMethod && jwtToken != null) {
+            HandlerMethod handlerMethod = (HandlerMethod) handler;
+            Method method = handlerMethod.getMethod();
+
+            // Check if the method or its class has the @AllowedTools annotation
+            AllowedTools allowedToolsAnnotation = method.getAnnotation(AllowedTools.class);
+            if (allowedToolsAnnotation == null) {
+                allowedToolsAnnotation = method.getDeclaringClass().getAnnotation(AllowedTools.class);
+            }
+
+            // Extract the "tools" claim from the JWT token
+            String toolsClaim = tokenProvider.getClaim(jwtToken, "tools");
+
+            // If no @AllowedTools annotation is present and the token is a tool token, reject the request
+            if (allowedToolsAnnotation == null && toolsClaim != null) {
+                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied due to 'tools' claim.");
+                return false;
+            }
+
+            // If @AllowedTools is present, check if the toolsClaim is among the allowed values
+            if (allowedToolsAnnotation != null && toolsClaim != null) {
+                ToolTokenType[] allowedTools = allowedToolsAnnotation.value();
+                // no match between allowed tools and tools claim
+                var toolsClaimList = toolsClaim.split(",");
+                if (Arrays.stream(allowedTools).noneMatch(tool -> Arrays.asList(toolsClaimList).contains(tool.toString()))) {
+                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied due to 'tools' claim.");
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+}
@@ -14,6 +14,8 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 
+import de.tum.cit.aet.artemis.core.security.allowedTools.ToolTokenType;
+
 @Profile(PROFILE_CORE)
 @Service
 public class JWTCookieService {
@@ -36,9 +38,30 @@ public JWTCookieService(TokenProvider tokenProvider, Environment environment) {
      * @return the login ResponseCookie containing the JWT
      */
     public ResponseCookie buildLoginCookie(boolean rememberMe) {
-        String jwt = tokenProvider.createToken(SecurityContextHolder.getContext().getAuthentication(), rememberMe);
-        Duration duration = Duration.of(tokenProvider.getTokenValidity(rememberMe), ChronoUnit.MILLIS);
-        return buildJWTCookie(jwt, duration);
+        return buildLoginCookie(rememberMe, null);
+    }
+
+    /**
+     * Builds the cookie containing the jwt for a login
+     *
+     * @param rememberMe boolean used to determine the duration of the jwt.
+     * @param tool       the tool claim in the jwt
+     * @return the login ResponseCookie containing the JWT
+     */
+    public ResponseCookie buildLoginCookie(boolean rememberMe, ToolTokenType tool) {
+        return buildLoginCookie(tokenProvider.getTokenValidity(rememberMe), tool);
+    }
+
+    /**
+     * Builds a cookie with the tool claim in the jwt
+     *
+     * @param duration the duration of the cookie in milli seconds and the jwt
+     * @param tool     the tool claim in the jwt
+     * @return the login ResponseCookie containing the JWT
+     */
+    public ResponseCookie buildLoginCookie(long duration, ToolTokenType tool) {
+        String jwt = tokenProvider.createToken(SecurityContextHolder.getContext().getAuthentication(), duration, tool);
+        return buildJWTCookie(jwt, Duration.of(duration, ChronoUnit.MILLIS));
     }
 
     /**

@@ -2,12 +2,14 @@
 
 import java.io.IOException;
 
+import jakarta.annotation.Nullable;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -31,26 +33,88 @@ public JWTFilter(TokenProvider tokenProvider) {
     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
         HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
-        Cookie jwtCookie = WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME);
-        if (isJwtCookieValid(this.tokenProvider, jwtCookie)) {
-            Authentication authentication = this.tokenProvider.getAuthentication(jwtCookie.getValue());
+        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+        String jwtToken;
+        try {
+            jwtToken = extractValidJwt(httpServletRequest, this.tokenProvider);
+        }
+        catch (IllegalArgumentException e) {
+            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
+            return;
+        }
+
+        if (jwtToken != null) {
+            Authentication authentication = this.tokenProvider.getAuthentication(jwtToken);
             SecurityContextHolder.getContext().setAuthentication(authentication);
         }
+
         filterChain.doFilter(servletRequest, servletResponse);
     }
 
     /**
-     * Checks if the cookie containing the jwt is valid
+     * Extracts the valid jwt found in the cookie or the Authorization header
      *
-     * @param tokenProvider the artemis token provider used to generate and validate jwt's
-     * @param jwtCookie     the cookie containing the jwt
-     * @return true if the jwt is valid, false if missing or invalid
+     * @param httpServletRequest the http request
+     * @param tokenProvider      the Artemis token provider used to generate and validate jwt's
+     * @return the valid jwt or null if not found or invalid
      */
-    public static boolean isJwtCookieValid(TokenProvider tokenProvider, Cookie jwtCookie) {
+    public static @Nullable String extractValidJwt(HttpServletRequest httpServletRequest, TokenProvider tokenProvider) {
+        var cookie = WebUtils.getCookie(httpServletRequest, JWT_COOKIE_NAME);
+        var authHeader = httpServletRequest.getHeader("Authorization");
+
+        if (cookie == null && authHeader == null) {
+            return null;
+        }
+
+        if (cookie != null && authHeader != null) {
+            // Single Method Enforcement: Only one method of authentication is allowed
+            throw new IllegalArgumentException("Only one method of authentication is allowed");
+        }
+
+        String jwtToken = cookie != null ? getJwtFromCookie(cookie) : getJwtFromBearer(authHeader);
+
+        if (!isJwtValid(tokenProvider, jwtToken)) {
+            return null;
+        }
+
+        return jwtToken;
+    }
+
+    /**
+     * Extracts the jwt from the cookie
+     *
+     * @param jwtCookie the cookie with Key "jwt"
+     * @return the jwt or null if not found
+     */
+    private static @Nullable String getJwtFromCookie(@Nullable Cookie jwtCookie) {
         if (jwtCookie == null) {
-            return false;
+            return null;
+        }
+        return jwtCookie.getValue();
+    }
+
+    /**
+     * Extracts the jwt from the Authorization header
+     *
+     * @param jwtBearer the content of the Authorization header
+     * @return the jwt or null if not found
+     */
+    private static @Nullable String getJwtFromBearer(@Nullable String jwtBearer) {
+        if (!StringUtils.hasText(jwtBearer) || !jwtBearer.startsWith("Bearer ")) {
+            return null;
         }
-        String jwt = jwtCookie.getValue();
-        return StringUtils.hasText(jwt) && tokenProvider.validateTokenForAuthority(jwt);
+
+        return jwtBearer.substring(7).trim();
+    }
+
+    /**
+     * Checks if the jwt is valid
+     *
+     * @param tokenProvider the Artemis token provider used to generate and validate jwt's
+     * @param jwtToken      the jwt
+     * @return true if the jwt is valid, false if missing or invalid
+     */
+    private static boolean isJwtValid(TokenProvider tokenProvider, @Nullable String jwtToken) {
+        return StringUtils.hasText(jwtToken) && tokenProvider.validateTokenForAuthority(jwtToken);
     }
 }
@@ -8,6 +8,7 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
+import jakarta.annotation.Nullable;
 import jakarta.annotation.PostConstruct;
 
 import javax.crypto.SecretKey;
@@ -24,6 +25,7 @@
 import org.springframework.util.StringUtils;
 
 import de.tum.cit.aet.artemis.core.management.SecurityMetersService;
+import de.tum.cit.aet.artemis.core.security.allowedTools.ToolTokenType;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
@@ -95,11 +97,28 @@ public long getTokenValidity(boolean rememberMe) {
      * @return JWT Token
      */
     public String createToken(Authentication authentication, boolean rememberMe) {
+        return createToken(authentication, getTokenValidity(rememberMe), null);
+    }
+
+    /**
+     * Create JWT Token a fully populated <code>Authentication</code> object.
+     *
+     * @param authentication Authentication Object
+     * @param duration       the Token lifetime in milli seconds
+     * @param tool           tool this token is used for. If null, it's a general access token
+     * @return JWT Token
+     */
+    public String createToken(Authentication authentication, long duration, @Nullable ToolTokenType tool) {
         String authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.joining(","));
 
         long now = (new Date()).getTime();
-        Date validity = new Date(now + getTokenValidity(rememberMe));
-        return Jwts.builder().subject(authentication.getName()).claim(AUTHORITIES_KEY, authorities).signWith(key, Jwts.SIG.HS512).expiration(validity).compact();
+        Date validity = new Date(now + duration);
+        var jwtBuilder = Jwts.builder().subject(authentication.getName()).claim(AUTHORITIES_KEY, authorities);
+        if (tool != null) {
+            jwtBuilder.claim("tools", tool);
+        }
+
+        return jwtBuilder.signWith(key, Jwts.SIG.HS512).expiration(validity).compact();
     }
 
     /**
@@ -170,6 +189,11 @@ private Claims parseClaims(String authToken) {
         return Jwts.parser().verifyWith(key).build().parseSignedClaims(authToken).getPayload();
     }
 
+    public String getClaim(String token, String claimName) {
+        Claims claims = parseClaims(token);
+        return claims.get(claimName, String.class);
+    }
+
     public Date getExpirationDate(String authToken) {
         return parseClaims(authToken).getExpiration();
     }