Feature OpenID

LaunchServer/build.gradle

@@ -88,6 +88,7 @@ dependencies {
     bundle group: 'org.slf4j', name: 'slf4j-api', version: rootProject['verSlf4j']
     bundle group: 'com.mysql', name: 'mysql-connector-j', version: rootProject['verMySQLConn']
     bundle group: 'org.postgresql', name: 'postgresql', version: rootProject['verPostgreSQLConn']
+    bundle group: 'com.h2database', name: 'h2', version: rootProject['verH2Conn']
     bundle group: 'com.guardsquare', name: 'proguard-base', version: rootProject['verProguard']
     bundle group: 'org.apache.logging.log4j', name: 'log4j-core', version: rootProject['verLog4j']
     bundle group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: rootProject['verLog4j']

LaunchServer/src/main/java/pro/gravit/launchserver/auth/AuthException.java

@@ -16,6 +16,10 @@ public AuthException(String message) {
         super(message);
     }
 
+    public AuthException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
     public static AuthException need2FA() {
         return new AuthException(AuthRequestEvent.TWO_FACTOR_NEED_ERROR_MESSAGE);
     }

LaunchServer/src/main/java/pro/gravit/launchserver/auth/HikariSQLSourceConfig.java

@@ -0,0 +1,50 @@
+package pro.gravit.launchserver.auth;
+
+import com.zaxxer.hikari.HikariConfig;
+import com.zaxxer.hikari.HikariDataSource;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.Properties;
+import java.util.function.Consumer;
+
+public class HikariSQLSourceConfig implements SQLSourceConfig {
+    private transient HikariDataSource dataSource;
+    private String dsClass;
+    private Properties dsProps;
+    private String driverClass;
+    private String jdbcUrl;
+    private String username;
+    private String password;
+
+    public void init() {
+        if (dataSource != null) {
+            return;
+        }
+        HikariConfig config = new HikariConfig();
+        consumeIfNotNull(config::setDataSourceClassName, dsClass);
+        consumeIfNotNull(config::setDataSourceProperties, dsProps);
+        consumeIfNotNull(config::setDriverClassName, driverClass);
+        consumeIfNotNull(config::setJdbcUrl, jdbcUrl);
+        consumeIfNotNull(config::setUsername, username);
+        consumeIfNotNull(config::setPassword, password);
+
+        this.dataSource = new HikariDataSource(config);
+    }
+
+    @Override
+    public Connection getConnection() throws SQLException {
+        return dataSource.getConnection();
+    }
+
+    @Override
+    public void close() {
+        dataSource.close();
+    }
+
+    private static <T> void consumeIfNotNull(Consumer<T> consumer, T val) {
+        if (val != null) {
+            consumer.accept(val);
+        }
+    }
+}

LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/AuthCoreProvider.java

@@ -16,6 +16,7 @@
 import pro.gravit.launchserver.auth.core.interfaces.provider.AuthSupportGetAllUsers;
 import pro.gravit.launchserver.auth.core.interfaces.provider.AuthSupportHardware;
 import pro.gravit.launchserver.auth.core.interfaces.provider.AuthSupportRegistration;
+import pro.gravit.launchserver.auth.core.openid.OpenIDAuthCoreProvider;
 import pro.gravit.launchserver.manangers.AuthManager;
 import pro.gravit.launchserver.socket.Client;
 import pro.gravit.launchserver.socket.response.auth.AuthResponse;
@@ -45,6 +46,7 @@ public static void registerProviders() {
             providers.register("postgresql", PostgresSQLCoreProvider.class);
             providers.register("memory", MemoryAuthCoreProvider.class);
             providers.register("merge", MergeAuthCoreProvider.class);
+            providers.register("openid", OpenIDAuthCoreProvider.class);
             registredProviders = true;
         }
     }

LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/AccessTokenResponse.java

@@ -0,0 +1,14 @@
+package pro.gravit.launchserver.auth.core.openid;
+
+import com.google.gson.annotations.SerializedName;
+
+public record AccessTokenResponse(@SerializedName("access_token") String accessToken,
+                                  @SerializedName("expires_in") Long expiresIn,
+                                  @SerializedName("refresh_expires_in") Long refreshExpiresIn,
+                                  @SerializedName("refresh_token") String refreshToken,
+                                  @SerializedName("token_type") String tokenType,
+                                  @SerializedName("id_token") String idToken,
+                                  @SerializedName("not-before-policy") Integer notBeforePolicy,
+                                  @SerializedName("session_state") String sessionState,
+                                  @SerializedName("scope") String scope) {
+}

LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDAuthCoreProvider.java

@@ -0,0 +1,178 @@
+package pro.gravit.launchserver.auth.core.openid;
+
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import pro.gravit.launcher.ClientPermissions;
+import pro.gravit.launcher.events.request.GetAvailabilityAuthRequestEvent;
+import pro.gravit.launcher.request.auth.AuthRequest;
+import pro.gravit.launcher.request.auth.password.AuthCodePassword;
+import pro.gravit.launchserver.LaunchServer;
+import pro.gravit.launchserver.auth.AuthException;
+import pro.gravit.launchserver.auth.HikariSQLSourceConfig;
+import pro.gravit.launchserver.auth.core.AuthCoreProvider;
+import pro.gravit.launchserver.auth.core.User;
+import pro.gravit.launchserver.auth.core.UserSession;
+import pro.gravit.launchserver.manangers.AuthManager;
+import pro.gravit.launchserver.socket.Client;
+import pro.gravit.launchserver.socket.response.auth.AuthResponse;
+import pro.gravit.utils.helper.LogHelper;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+import java.util.List;
+import java.util.UUID;
+import java.util.concurrent.TimeUnit;
+
+public class OpenIDAuthCoreProvider extends AuthCoreProvider {
+    private transient SQLUserStore sqlUserStore;
+    private transient SQLServerSessionStore sqlSessionStore;
+    private transient OpenIDAuthenticator openIDAuthenticator;
+    private transient LaunchServer server;
+
+    private OpenIDConfig openIDConfig;
+    private HikariSQLSourceConfig sqlSourceConfig;
+
+    @Override
+    public List<GetAvailabilityAuthRequestEvent.AuthAvailabilityDetails> getDetails(Client client) {
+        return openIDAuthenticator.getDetails();
+    }
+
+    @Override
+    public User getUserByUsername(String username) {
+        return sqlUserStore.getByUsername(username);
+    }
+
+    @Override
+    public User getUserByUUID(UUID uuid) {
+        return sqlUserStore.getUserByUUID(uuid);
+    }
+
+    @Override
+    public UserSession getUserSessionByOAuthAccessToken(String accessToken) throws OAuthAccessTokenExpired {
+        return openIDAuthenticator.getUserSessionByOAuthAccessToken(accessToken);
+    }
+
+    @Override
+    public AuthManager.AuthReport refreshAccessToken(String oldRefreshToken, AuthResponse.AuthContext context) {
+        var tokens = openIDAuthenticator.refreshAccessToken(oldRefreshToken);
+        var accessToken = tokens.accessToken();
+        var refreshToken = tokens.refreshToken();
+        long expiresIn = TimeUnit.SECONDS.toMillis(tokens.accessTokenExpiresIn());
+
+        UserSession session;
+        try {
+            session = openIDAuthenticator.getUserSessionByOAuthAccessToken(accessToken);
+        } catch (OAuthAccessTokenExpired e) {
+            throw new RuntimeException("invalid token", e);
+        }
+
+
+        return AuthManager.AuthReport.ofOAuth(accessToken, refreshToken,
+                expiresIn, session);
+    }
+
+    @Override
+    public AuthManager.AuthReport authorize(String login, AuthResponse.AuthContext context, AuthRequest.AuthPasswordInterface password, boolean minecraftAccess) throws IOException {
+        if (password == null) {
+            throw AuthException.wrongPassword();
+        }
+        var authCodePassword = (AuthCodePassword) password;
+
+        var tokens = openIDAuthenticator.authorize(authCodePassword);
+
+        var accessToken = tokens.accessToken();
+        var refreshToken = tokens.refreshToken();
+        var user = openIDAuthenticator.createUserFromToken(accessToken);
+        long expiresIn = TimeUnit.SECONDS.toMillis(tokens.accessTokenExpiresIn());
+
+        sqlUserStore.createOrUpdateUser(user);
+
+        UserSession session;
+        try {
+            session = openIDAuthenticator.getUserSessionByOAuthAccessToken(accessToken);
+        } catch (OAuthAccessTokenExpired e) {
+            throw new AuthException("invalid token", e);
+        }
+
+        if (minecraftAccess) {
+            var minecraftToken = generateMinecraftToken(user);
+            return AuthManager.AuthReport.ofOAuthWithMinecraft(minecraftToken, accessToken, refreshToken,
+                    expiresIn, session);
+        } else {
+            return AuthManager.AuthReport.ofOAuth(accessToken, refreshToken,
+                    expiresIn, session);
+        }
+    }
+
+    private String generateMinecraftToken(User user) {
+        return Jwts.builder()
+                .issuer("LaunchServer")
+                .subject(user.getUUID().toString())
+                .claim("preferred_username", user.getUsername())
+                .expiration(Date.from(Instant.now().plus(24, ChronoUnit.HOURS)))
+                .signWith(server.keyAgreementManager.ecdsaPrivateKey)
+                .compact();
+    }
+
+    private User createUserFromMinecraftToken(String accessToken) throws AuthException {
+        try {
+            var parser = Jwts.parser()
+                    .requireIssuer("LaunchServer")
+                    .verifyWith(server.keyAgreementManager.ecdsaPublicKey)
+                    .build();
+            var claims = parser.parseSignedClaims(accessToken);
+            var username = claims.getPayload().get("preferred_username", String.class);
+            var uuid = UUID.fromString(claims.getPayload().getSubject());
+            return new UserEntity(username, uuid, new ClientPermissions());
+        } catch (JwtException e) {
+            throw new AuthException("Bad minecraft token", e);
+        }
+    }
+
+    @Override
+    public void init(LaunchServer server) {
+        this.server = server;
+        this.sqlSourceConfig.init();
+        this.sqlUserStore = new SQLUserStore(sqlSourceConfig);
+        this.sqlUserStore.init();
+        this.sqlSessionStore = new SQLServerSessionStore(sqlSourceConfig);
+        this.sqlSessionStore.init();
+        this.openIDAuthenticator = new OpenIDAuthenticator(openIDConfig);
+    }
+
+    @Override
+    public User checkServer(Client client, String username, String serverID) throws IOException {
+        var savedServerId = sqlSessionStore.getServerIdByUsername(username);
+        if (!serverID.equals(savedServerId)) {
+            return null;
+        }
+
+        return sqlUserStore.getByUsername(username);
+    }
+
+    @Override
+    public boolean joinServer(Client client, String username, UUID uuid, String accessToken, String serverID) throws IOException {
+        User user;
+        try {
+            user = createUserFromMinecraftToken(accessToken);
+        } catch (AuthException e) {
+            LogHelper.error(e);
+            return false;
+        }
+        if (!user.getUUID().equals(uuid)) {
+            return false;
+        }
+
+        sqlUserStore.createOrUpdateUser(user);
+
+        return sqlSessionStore.joinServer(user.getUUID(), user.getUsername(), serverID);
+    }
+
+    @Override
+    public void close() {
+        sqlSourceConfig.close();
+    }
+
+}