APP-2887 - Authentication API

README.md

@@ -1,4 +1,9 @@
-# Symphony Java BDK [![CircleCI](https://circleci.com/gh/SymphonyPlatformSolutions/symphony-api-client-java.svg?style=shield)](https://circleci.com/gh/SymphonyPlatformSolutions/symphony-api-client-java) [![Known Vulnerabilities](https://snyk.io/test/github/SymphonyPlatformSolutions/symphony-api-client-java/badge.svg)](https://snyk.io/test/github/SymphonyPlatformSolutions/symphony-api-client-java) [![License: MIT](https://img.shields.io/badge/License-MIT-purple.svg)](https://opensource.org/licenses/MIT)  [![Email](https://img.shields.io/static/v1?label=contact&message=email&color=darkgoldenrod)](mailto:platformsolutions@symphony.com?subject=Java%20SDK)
+# Symphony Java BDK 
+[![CircleCI](https://circleci.com/gh/SymphonyPlatformSolutions/symphony-api-client-java.svg?style=shield)](https://circleci.com/gh/SymphonyPlatformSolutions/symphony-api-client-java)
+[![Known Vulnerabilities](https://snyk.io/test/github/SymphonyPlatformSolutions/symphony-api-client-java/badge.svg)](https://snyk.io/test/github/SymphonyPlatformSolutions/symphony-api-client-java)
+[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.symphony.platformsolutions/symphony-api-client-java/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.symphony.platformsolutions/symphony-api-client-java)
+[![License: MIT](https://img.shields.io/badge/License-MIT-purple.svg)](https://opensource.org/licenses/MIT)
+[![Email](https://img.shields.io/static/v1?label=contact&message=email&color=darkgoldenrod)](mailto:platformsolutions@symphony.com?subject=Java%20SDK)
 
 The Symphony Java BDK helps you to create Bots and Applications on top of the [Symphony REST APIs](https://developers.symphony.com/restapi/reference). 
 

docs/authentication.md

@@ -0,0 +1,3 @@
+# Authentication
+
+To be done...

pom.xml

@@ -22,6 +22,7 @@
         <lombok.version>1.18.12</lombok.version>
         <jacoco-maven-plugin.version>0.8.5</jacoco-maven-plugin.version>
         <migbase64.version>2.2</migbase64.version>
+        <resilience4j-retry.version>1.4.0</resilience4j-retry.version>
         <slf4j.version>1.7.30</slf4j.version>
 
         <!-- Test dependencies -->
@@ -105,6 +106,12 @@
                 <scope>runtime</scope>
             </dependency>
 
+            <dependency>
+                <groupId>io.github.resilience4j</groupId>
+                <artifactId>resilience4j-retry</artifactId>
+                <version>${resilience4j-retry.version}</version>
+            </dependency>
+
             <!-- Testing -->
             <dependency>
                 <groupId>org.junit.jupiter</groupId>

symphony-bdk-core-invokers/symphony-bdk-core-invoker-api/src/main/java/com/symphony/bdk/core/api/invoker/ApiClientProvider.java

@@ -0,0 +1,14 @@
+package com.symphony.bdk.core.api.invoker;
+
+/**
+ * New {@link ApiClient} instances provider.
+ */
+public interface ApiClientProvider {
+
+  /**
+   * Creates a new {@link ApiClient} instance.
+   *
+   * @return a new {@link ApiClient} instance.
+   */
+  ApiClient newInstance();
+}

symphony-bdk-core-invokers/symphony-bdk-core-invoker-api/src/main/java/com/symphony/bdk/core/api/invoker/ApiException.java

@@ -55,4 +55,13 @@ public ApiException(int code, String message, Map<String, List<String>> response
         this.responseHeaders = responseHeaders;
         this.responseBody = responseBody;
     }
+
+    /**
+     * Check if response status if unauthorized or not.
+     *
+     * @return true if response status is 401, false otherwise
+     */
+    public boolean isUnauthorized() {
+        return this.code == 401;
+    }
 }

symphony-bdk-core-invokers/symphony-bdk-core-invoker-api/src/main/java/com/symphony/bdk/core/api/invoker/ApiRuntimeException.java

@@ -0,0 +1,26 @@
+package com.symphony.bdk.core.api.invoker;
+
+import lombok.Getter;
+import org.apiguardian.api.API;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Runtime version of the {@link ApiException}.
+ */
+@Getter
+@API(status = API.Status.EXPERIMENTAL)
+public class ApiRuntimeException extends RuntimeException {
+
+  private final int code;
+  private final Map<String, List<String>> responseHeaders;
+  private final String responseBody;
+
+  public ApiRuntimeException(ApiException source) {
+    super(source);
+    this.code = source.getCode();
+    this.responseHeaders = source.getResponseHeaders();
+    this.responseBody = source.getResponseBody();
+  }
+}

symphony-bdk-core-invokers/symphony-bdk-core-invoker-jersey2/src/main/java/com/symphony/bdk/core/api/invoker/jersey2/ApiClientProviderJersey2.java

@@ -0,0 +1,18 @@
+package com.symphony.bdk.core.api.invoker.jersey2;
+
+import com.symphony.bdk.core.api.invoker.ApiClient;
+import com.symphony.bdk.core.api.invoker.ApiClientProvider;
+
+/**
+ * Provides new {@link ApiClientJersey2} implementation of the {@link ApiClient} interface.
+ */
+public class ApiClientProviderJersey2 implements ApiClientProvider {
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public ApiClient newInstance() {
+    return new ApiClientJersey2();
+  }
+}

symphony-bdk-core-invokers/symphony-bdk-core-invoker-jersey2/src/main/resources/META-INF/services/com.symphony.bdk.core.api.invoker.ApiClientProvider

@@ -0,0 +1 @@
+com.symphony.bdk.core.api.invoker.jersey2.ApiClientProviderJersey2

symphony-bdk-core/pom.xml

@@ -97,6 +97,12 @@
             <version>${jackson.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.fasterxml.jackson.dataformat</groupId>
+            <artifactId>jackson-dataformat-yaml</artifactId>
+            <version>2.11.0</version>
+        </dependency>
+
         <!-- ******************************** -->
         <!-- * CodeGen related dependencies * -->
         <!-- ******************************** -->
@@ -129,6 +135,17 @@
             <artifactId>mockserver-netty</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.symphony.platformsolutions</groupId>
+            <artifactId>symphony-bdk-core-invoker-jersey2</artifactId>
+            <version>1.2.0-SNAPSHOT</version>
+            <scope>test</scope>
+        </dependency>
 
     </dependencies>
 

symphony-bdk-core/src/main/java/com/symphony/bdk/core/SymphonyBdk.java

@@ -0,0 +1,54 @@
+package com.symphony.bdk.core;
+
+import com.symphony.bdk.core.auth.AuthSession;
+import com.symphony.bdk.core.auth.AuthenticatorFactory;
+import com.symphony.bdk.core.auth.OboAuthenticator;
+import com.symphony.bdk.core.auth.exception.AuthInitializationException;
+import com.symphony.bdk.core.service.Obo;
+import com.symphony.bdk.core.client.ApiClientFactory;
+import com.symphony.bdk.core.config.model.BdkConfig;
+import com.symphony.bdk.core.service.V4MessageService;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apiguardian.api.API;
+
+/**
+ * BDK entry point.
+ */
+@Slf4j
+@API(status = API.Status.EXPERIMENTAL)
+public class SymphonyBdk {
+
+  private final ApiClientFactory apiClientFactory;
+
+  private final AuthSession botSession;
+  private final OboAuthenticator oboAuthenticator;
+
+  public SymphonyBdk(BdkConfig config) throws AuthInitializationException {
+
+    this.apiClientFactory = new ApiClientFactory(config);
+
+    final AuthenticatorFactory authenticatorFactory = new AuthenticatorFactory(
+        config,
+        apiClientFactory.getLoginClient(),
+        apiClientFactory.getRelayClient()
+    );
+
+    this.botSession = authenticatorFactory.getBotAuthenticator().authenticateBot();
+    this.oboAuthenticator = authenticatorFactory.getOboAuthenticator();
+  }
+
+  public V4MessageService messages() {
+    return new V4MessageService(this.apiClientFactory.getAgentClient(), this.botSession);
+  }
+
+  public V4MessageService messages(Obo.Handle oboHandle) {
+    AuthSession oboSession;
+    if (oboHandle.hasUsername()) {
+      oboSession = this.oboAuthenticator.authenticateByUsername(oboHandle.getUsername());
+    } else {
+      oboSession = this.oboAuthenticator.authenticateByUserId(oboHandle.getUserId());
+    }
+    return new V4MessageService(this.apiClientFactory.getAgentClient(), oboSession);
+  }
+}

symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/AuthSession.java

@@ -0,0 +1,37 @@
+package com.symphony.bdk.core.auth;
+
+import com.symphony.bdk.core.auth.exception.AuthUnauthorizedException;
+
+import org.apiguardian.api.API;
+
+import javax.annotation.Nullable;
+
+/**
+ * Authentication session handle. The {@link AuthSession#refresh()} will trigger a re-auth against the API endpoints.
+ * <p>
+ *   You should keep using the same token until you receive a HTTP 401, at which you should re-authenticate and
+ *   get a new token for a new session.
+ * </p>
+ */
+@API(status = API.Status.STABLE)
+public interface AuthSession {
+
+  /**
+   * Pod's authentication token.
+   *
+   * @return the Pod session token
+   */
+  @Nullable String getSessionToken();
+
+  /**
+   * KeyManager's authentication token.
+   *
+   * @return the KeyManager token, null if OBO
+   */
+  @Nullable String getKeyManagerToken();
+
+  /**
+   * Trigger re-authentication to refresh tokens.
+   */
+  void refresh() throws AuthUnauthorizedException;
+}

symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/AuthenticatorFactory.java

@@ -0,0 +1,88 @@
+package com.symphony.bdk.core.auth;
+
+import com.symphony.bdk.core.api.invoker.ApiClient;
+import com.symphony.bdk.core.auth.exception.AuthInitializationException;
+import com.symphony.bdk.core.auth.impl.BotAuthenticatorRSAImpl;
+import com.symphony.bdk.core.auth.impl.OboAuthenticatorRSAImpl;
+import com.symphony.bdk.core.auth.jwt.JwtHelper;
+import com.symphony.bdk.core.config.model.BdkConfig;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.io.IOUtils;
+import org.apiguardian.api.API;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+
+import javax.annotation.Nonnull;
+
+/**
+ * Factory class that provides new instances for the main authenticators :
+ * <ul>
+ *   <li>{@link BotAuthenticator} : to authenticate the main Bot service account</li>
+ *   <li>{@link OboAuthenticator} : to perform on-behalf-of authentication</li>
+ * </ul>
+ */
+@Slf4j
+@API(status = API.Status.STABLE)
+public class AuthenticatorFactory {
+
+  private final BdkConfig config;
+  private final ApiClient loginApiClient;
+  private final ApiClient relayApiClient;
+
+  private JwtHelper jwtHelper = new JwtHelper();
+
+  public AuthenticatorFactory(@Nonnull BdkConfig bdkConfig, @Nonnull ApiClient loginClient, @Nonnull ApiClient relayClient) {
+    this.config = bdkConfig;
+    this.loginApiClient = loginClient;
+    this.relayApiClient = relayClient;
+  }
+
+  /**
+   * Creates a new instance of a {@link BotAuthenticator} service.
+   *
+   * @return a new {@link BotAuthenticator} instance.
+   */
+  public @Nonnull BotAuthenticator getBotAuthenticator() throws AuthInitializationException {
+
+    return new BotAuthenticatorRSAImpl(
+        this.config.getBot().getUsername(),
+        this.loadPrivateKeyFromPath(this.config.getBot().getPrivateKeyPath()),
+        this.loginApiClient,
+        this.relayApiClient
+    );
+  }
+
+  /**
+   * Creates a new instance of an {@link OboAuthenticator} service.
+   *
+   * @return a new {@link OboAuthenticator} instance.
+   */
+  public @Nonnull OboAuthenticator getOboAuthenticator() throws AuthInitializationException {
+
+    return new OboAuthenticatorRSAImpl(
+        this.config.getApp().getAppId(),
+        this.loadPrivateKeyFromPath(this.config.getApp().getPrivateKeyPath()),
+        this.loginApiClient
+    );
+  }
+
+  private PrivateKey loadPrivateKeyFromPath(String privateKeyPath) throws AuthInitializationException {
+    log.debug("Loading RSA privateKey from path : {}", privateKeyPath);
+    try {
+      return this.jwtHelper.parseRSAPrivateKey(IOUtils.toString(new FileInputStream(privateKeyPath), StandardCharsets.UTF_8));
+    } catch (GeneralSecurityException e) {
+      final String message = "Unable to parse RSA Private Key located at " + privateKeyPath;
+      log.error(message, e);
+      throw new AuthInitializationException(message, e);
+    } catch (IOException e) {
+      final String message = "Unable to read or find RSA Private Key from path " + privateKeyPath;
+      log.error(message, e);
+      throw new AuthInitializationException(message, e);
+    }
+  }
+}

symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/BotAuthenticator.java

@@ -0,0 +1,19 @@
+package com.symphony.bdk.core.auth;
+
+import org.apiguardian.api.API;
+
+import javax.annotation.Nonnull;
+
+/**
+ * Bot authenticator service.
+ */
+@API(status = API.Status.STABLE)
+public interface BotAuthenticator {
+
+  /**
+   * Authenticates a Bot's service account.
+   *
+   * @return the authentication session.
+   */
+  @Nonnull AuthSession authenticateBot();
+}

symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/OboAuthenticator.java

@@ -0,0 +1,28 @@
+package com.symphony.bdk.core.auth;
+
+import org.apiguardian.api.API;
+
+import javax.annotation.Nonnull;
+
+/**
+ * On-behalf-of authenticator service.
+ */
+@API(status = API.Status.STABLE)
+public interface OboAuthenticator {
+
+  /**
+   * Authenticates on-behalf-of a particular user using his username.
+   *
+   * @param username Username of the user.
+   * @return the authentication session.
+   */
+  @Nonnull AuthSession authenticateByUsername(@Nonnull String username);
+
+  /**
+   * Authenticates on behalf of a particular user using his userId.
+   *
+   * @param userId Id of the user.
+   * @return the authentication sessions.
+   */
+  @Nonnull AuthSession authenticateByUserId(@Nonnull Long userId);
+}

symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/exception/AuthInitializationException.java

@@ -0,0 +1,16 @@
+package com.symphony.bdk.core.auth.exception;
+
+import org.apiguardian.api.API;
+
+import javax.annotation.Nonnull;
+
+/**
+ * Thrown when unable to read/parse a RSA Private Key or a certificate.
+ */
+@API(status = API.Status.STABLE)
+public class AuthInitializationException extends Exception {
+
+  public AuthInitializationException(@Nonnull String message, @Nonnull Throwable source) {
+    super(message, source);
+  }
+}