discoverygarden · qadan · Jun 29, 2021 · Jun 10, 2021 · Jun 11, 2021 · Jun 14, 2021
diff --git a/islandora.services.yml b/islandora.services.yml
@@ -59,3 +59,8 @@ services:
   islandora.gemini.lookup:
     class: Drupal\islandora\GeminiLookup
     arguments: ['@islandora.gemini.client', '@jwt.authentication.jwt', '@islandora.media_source_service', '@http_client', '@logger.channel.islandora']
+  islandora.stomp.auth_header_listener:
+    class: Drupal\islandora\EventSubscriber\StompHeaderEventSubscriber
+    arguments: ['@jwt.authentication.jwt']
+    tags:
+      - { name: event_subscriber }
diff --git a/src/Event/StompHeaderEvent.php b/src/Event/StompHeaderEvent.php
@@ -0,0 +1,97 @@
+<?php
+
+namespace Drupal\islandora\Event;
+
+use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+
+use Symfony\Component\HttpFoundation\ParameterBag;
+use Symfony\Component\EventDispatcher\Event;
+
+/**
+ * Event used to build headers for STOMP.
+ */
+class StompHeaderEvent extends Event implements StompHeaderEventInterface {
+
+  /**
+   * Stashed entity, for context.
+   *
+   * @var \Drupal\Core\Entity\EntityInterface
+   */
+  protected $entity;
+
+  /**
+   * Stashed user info, for context.
+   *
+   * @var \Drupal\Core\Session\AccountInterface
+   */
+  protected $user;
+
+  /**
+   * An array of data to be sent with the STOMP request, for context.
+   *
+   * @var array
+   */
+  protected $data;
+
+  /**
+   * An array of configuration used to generate $data, for context.
+   *
+   * @var array
+   */
+  protected $configuration;
+
+  /**
+   * The set of headers.
+   *
+   * @var \Symfony\Component\HttpFoundation\ParameterBag
+   */
+  protected $headers;
+
+  /**
+   * Constructor.
+   */
+  public function __construct(EntityInterface $entity, AccountInterface $user, array $data, array $configuration) {
+    $this->entity = $entity;
+    $this->user = $user;
+    $this->data = $data;
+    $this->configuration = $configuration;
+    $this->headers = new ParameterBag();
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getEntity() {
+    return $this->entity;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getUser() {
+    return $this->user;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getData() {
+    return $this->data;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getHeaders() {
+    return $this->headers;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getConfiguration() {
+    return $this->configuration;
+  }
+
+}
diff --git a/src/Event/StompHeaderEventException.php b/src/Event/StompHeaderEventException.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Drupal\islandora\Event;
+
+/**
+ * Typification for handling exceptions specific to STOMP header generation.
+ */
+class StompHeaderEventException extends \Exception {}
diff --git a/src/Event/StompHeaderEventInterface.php b/src/Event/StompHeaderEventInterface.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace Drupal\islandora\Event;
+
+/**
+ * Contract for representing an event to build headers for STOMP messages.
+ */
+interface StompHeaderEventInterface {
+
+  const EVENT_NAME = 'islandora.stomp.header_event';
+
+  /**
+   * Get the headers being built for STOMP.
+   *
+   * XXX: Ironically, using ParameterBag instead of HeaderBag due to case-
+   * sensitivity: In the context of HTTP, headers are case insensitive (and is
+   * what HeaderBag is intended; however, STOMP headers are case sensitive.
+   *
+   * @return \Symfony\Component\HttpFoundation\ParameterBag
+   *   The headers
+   */
+  public function getHeaders();
+
+  /**
+   * Fetch the entity provided as context.
+   *
+   * @return \Drupal\Core\Entity\EntityInterface
+   *   The entity provided as context.
+   */
+  public function getEntity();
+
+  /**
+   * Fetch the user provided as context.
+   *
+   * @return \Drupal\Core\Session\AccountInterface
+   *   The user provided as context.
+   */
+  public function getUser();
+
+  /**
+   * Fetch the data to be sent in the body of the request.
+   *
+   * @return array
+   *   The array of data.
+   */
+  public function getData();
+
+  /**
+   * Fetch the configuration of the action, for context.
+   *
+   * @return array
+   *   The array of configuration for the upstream action.
+   */
+  public function getConfiguration();
+
+}
diff --git a/src/EventGenerator/EmitEvent.php b/src/EventGenerator/EmitEvent.php
@@ -9,11 +9,13 @@
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Session\AccountInterface;
-use Drupal\jwt\Authentication\Provider\JwtAuth;
+use Drupal\islandora\Event\StompHeaderEvent;
+use Drupal\islandora\Event\StompHeaderEventException;
 use Stomp\Exception\StompException;
 use Stomp\StatefulStomp;
 use Stomp\Transport\Message;
 use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 
 /**
  * Configurable action base for actions that publish messages to queues.
@@ -49,11 +51,11 @@ abstract class EmitEvent extends ConfigurableActionBase implements ContainerFact
   protected $stomp;
 
   /**
-   * The JWT Auth Service.
+   * Event dispatcher service.
    *
-   * @var \Drupal\jwt\Authentication\Provider\JwtAuth
+   * @var \Symfony\Component\EventDispatcher\EventDispatcherInterface
    */
-  protected $auth;
+  protected $eventDispatcher;
 
   /**
    * Constructs a EmitEvent action.
@@ -72,8 +74,8 @@ abstract class EmitEvent extends ConfigurableActionBase implements ContainerFact
    *   EventGenerator service to serialize AS2 events.
    * @param \Stomp\StatefulStomp $stomp
    *   Stomp client.
-   * @param \Drupal\jwt\Authentication\Provider\JwtAuth $auth
-   *   JWT Auth client.
+   * @param \Symfony\Component\EventDispatcher\EventDispatcherInterface $event_dispatcher
+   *   Event dispatcher service.
    */
   public function __construct(
     array $configuration,
@@ -83,14 +85,14 @@ public function __construct(
     EntityTypeManagerInterface $entity_type_manager,
     EventGeneratorInterface $event_generator,
     StatefulStomp $stomp,
-    JwtAuth $auth
+    EventDispatcherInterface $event_dispatcher
   ) {
     parent::__construct($configuration, $plugin_id, $plugin_definition);
     $this->account = $account;
     $this->entityTypeManager = $entity_type_manager;
     $this->eventGenerator = $event_generator;
     $this->stomp = $stomp;
-    $this->auth = $auth;
+    $this->eventDispatcher = $event_dispatcher;
   }
 
   /**
@@ -105,37 +107,34 @@ public static function create(ContainerInterface $container, array $configuratio
       $container->get('entity_type.manager'),
       $container->get('islandora.eventgenerator'),
       $container->get('islandora.stomp'),
-      $container->get('jwt.authentication.jwt')
+      $container->get('event_dispatcher')
     );
   }
 
   /**
    * {@inheritdoc}
    */
   public function execute($entity = NULL) {
-
-    // Include a token for later authentication in the message.
-    $token = $this->auth->generateToken();
-    if (empty($token)) {
-      // JWT isn't properly configured. Log and notify user.
-      \Drupal::logger('islandora')->error(
-        t('Error getting JWT token for message. Check JWT Configuration.')
-      );
-      drupal_set_message(
-        t('Error getting JWT token for message. Check JWT Configuration.'), 'error'
-      );
-      return;
-    }
-
     // Generate event as stomp message.
     try {
       $user = $this->entityTypeManager->getStorage('user')->load($this->account->id());
       $data = $this->generateData($entity);
+
+      $event = $this->eventDispatcher->dispatch(
+        StompHeaderEvent::EVENT_NAME,
+        new StompHeaderEvent($entity, $user, $data, $this->getConfiguration())
+      );
+
       $message = new Message(
         $this->eventGenerator->generateEvent($entity, $user, $data),
-        ['Authorization' => "Bearer $token"]
+        $event->getHeaders()->all()
       );
     }
+    catch (StompHeaderEventException $e) {
+      \Drupal::logger('islandora')->error($e->getMessage());
+      drupal_set_message($e->getMessage(), 'error');
+      return;
+    }
     catch (\RuntimeException $e) {
       // Notify the user the event couldn't be generated and abort.
       \Drupal::logger('islandora')->error(

diff --git a/src/EventSubscriber/JwtEventSubscriber.php b/src/EventSubscriber/JwtEventSubscriber.php
@@ -19,6 +19,8 @@
  */
 class JwtEventSubscriber implements EventSubscriberInterface {
 
+  const AUDIENCE = 'islandora';
+
   /**
    * User storage to load users.
    *
@@ -100,6 +102,7 @@ public function setIslandoraClaims(JwtAuthGenerateEvent $event) {
     $event->addClaim('sub', $this->currentUser->getAccountName());
     $event->addClaim('roles', $this->currentUser->getRoles(FALSE));
 
+    $event->addClaim('aud', [static::AUDIENCE]);
   }
 
   /**
@@ -111,6 +114,18 @@ public function setIslandoraClaims(JwtAuthGenerateEvent $event) {
   public function validate(JwtAuthValidateEvent $event) {
     $token = $event->getToken();
 
+    $aud = $token->getClaim('aud');
+
+    if (!$aud) {
+      // Deprecation cycle: Avoid invalidating if there's no "aud" claim, to
+      // allow tokens in flight before the introduction of this claim to remain
+      // valid.
+    }
+    elseif (!in_array(static::AUDIENCE, $aud, TRUE)) {
+      $event->invalidate('Missing audience entry.');
+      return;
+    }
+
     $uid = $token->getClaim('webid');
     $name = $token->getClaim('sub');
     $roles = $token->getClaim('roles');

diff --git a/src/EventSubscriber/StompHeaderEventSubscriber.php b/src/EventSubscriber/StompHeaderEventSubscriber.php
@@ -0,0 +1,63 @@
+<?php
+
+namespace Drupal\islandora\EventSubscriber;
+
+use Drupal\islandora\Event\StompHeaderEventInterface;
+use Drupal\jwt\Authentication\Provider\JwtAuth;
+
+use Drupal\Core\StringTranslation\StringTranslationTrait;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Base STOMP header listener.
+ */
+class StompHeaderEventSubscriber implements EventSubscriberInterface {
+
+  use StringTranslationTrait;
+
+  /**
+   * The JWT auth service.
+   *
+   * @var \Drupal\jwt\Authentication\Provider\JwtAuth
+   */
+  protected $auth;
+
+  /**
+   * Constructor.
+   */
+  public function __construct(
+    JwtAuth $auth
+  ) {
+    $this->auth = $auth;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents() {
+    return [
+      StompHeaderEventInterface::EVENT_NAME => ['baseAuth', -100],
+    ];
+  }
+
+  /**
+   * Event callback; generate and add base authorization header if none is set.
+   */
+  public function baseAuth(StompHeaderEventInterface $stomp_event) {
+    $headers = $stomp_event->getHeaders();
+    if (!$headers->has('Authorization')) {
+      $token = $this->auth->generateToken();
+      if (empty($token)) {
+        // JWT does not seem to be properly configured.
+        // phpcs:ignore DrupalPractice.General.ExceptionT.ExceptionT
+        throw new StompHeaderEventException($this->t('Error getting JWT token for message. Check JWT Configuration.'));
+      }
+      else {
+        $headers->set('Authorization', "Bearer $token");
+      }
+    }
+
+  }
+
+}