[Fix #1064] Adding Diggest auth

Signed-off-by: fjtirado <[email protected]>

Author: fjtirado

impl/core/src/main/java/io/serverlessworkflow/impl/auth/AuthProvider.java

@@ -18,10 +18,11 @@
 import io.serverlessworkflow.impl.TaskContext;
 import io.serverlessworkflow.impl.WorkflowContext;
 import io.serverlessworkflow.impl.WorkflowModel;
+import java.net.URI;
 
 public interface AuthProvider {
 
-  String authScheme();
+  String scheme();
 
-  String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model);
+  String content(WorkflowContext workflow, TaskContext task, WorkflowModel model, URI uri);
 }

impl/core/src/main/java/io/serverlessworkflow/impl/auth/AuthProviderFactory.java

@@ -31,36 +31,40 @@ public static Optional<AuthProvider> getAuth(
       WorkflowDefinition definition, EndpointConfiguration configuration) {
     return configuration == null
         ? Optional.empty()
-        : getAuth(definition, configuration.getAuthentication());
+        : getAuth(definition, configuration.getAuthentication(), "GET");
   }
 
   public static Optional<AuthProvider> getAuth(
-      WorkflowDefinition definition, ReferenceableAuthenticationPolicy auth) {
+      WorkflowDefinition definition, ReferenceableAuthenticationPolicy auth, String method) {
     if (auth == null) {
       return Optional.empty();
     }
     if (auth.getAuthenticationPolicyReference() != null) {
       return buildFromReference(
           definition.application(),
           definition.workflow(),
-          auth.getAuthenticationPolicyReference().getUse());
+          auth.getAuthenticationPolicyReference().getUse(),
+          method);
     } else if (auth.getAuthenticationPolicy() != null) {
       return buildFromPolicy(
-          definition.application(), definition.workflow(), auth.getAuthenticationPolicy());
+          definition.application(), definition.workflow(), auth.getAuthenticationPolicy(), method);
     }
     return Optional.empty();
   }
 
   private static Optional<AuthProvider> buildFromReference(
-      WorkflowApplication app, Workflow workflow, String use) {
+      WorkflowApplication app, Workflow workflow, String use, String method) {
     return workflow.getUse().getAuthentications().getAdditionalProperties().entrySet().stream()
         .filter(s -> s.getKey().equals(use))
         .findAny()
-        .flatMap(e -> buildFromPolicy(app, workflow, e.getValue()));
+        .flatMap(e -> buildFromPolicy(app, workflow, e.getValue(), method));
   }
 
   private static Optional<AuthProvider> buildFromPolicy(
-      WorkflowApplication app, Workflow workflow, AuthenticationPolicyUnion authenticationPolicy) {
+      WorkflowApplication app,
+      Workflow workflow,
+      AuthenticationPolicyUnion authenticationPolicy,
+      String method) {
     if (authenticationPolicy.getBasicAuthenticationPolicy() != null) {
       return Optional.of(
           new BasicAuthProvider(
@@ -70,8 +74,10 @@ private static Optional<AuthProvider> buildFromPolicy(
           new BearerAuthProvider(
               app, workflow, authenticationPolicy.getBearerAuthenticationPolicy()));
     } else if (authenticationPolicy.getDigestAuthenticationPolicy() != null) {
-      // TODO implement digest authentication
-      return Optional.empty();
+      //
+      return Optional.of(
+          new DigestAuthProvider(
+              app, workflow, authenticationPolicy.getDigestAuthenticationPolicy(), method));
     } else if (authenticationPolicy.getOAuth2AuthenticationPolicy() != null) {
       return Optional.of(
           new OAuth2AuthProvider(

impl/core/src/main/java/io/serverlessworkflow/impl/auth/BasicAuthProvider.java

@@ -28,6 +28,7 @@
 import io.serverlessworkflow.impl.WorkflowModel;
 import io.serverlessworkflow.impl.WorkflowUtils;
 import io.serverlessworkflow.impl.WorkflowValueResolver;
+import java.net.URI;
 import java.util.Base64;
 
 class BasicAuthProvider implements AuthProvider {
@@ -57,7 +58,7 @@ public BasicAuthProvider(
   }
 
   @Override
-  public String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+  public String content(WorkflowContext workflow, TaskContext task, WorkflowModel model, URI uri) {
     return new String(
         Base64.getEncoder()
             .encode(
@@ -69,7 +70,7 @@ public String authParameter(WorkflowContext workflow, TaskContext task, Workflow
   }
 
   @Override
-  public String authScheme() {
+  public String scheme() {
     return "Basic";
   }
 }

impl/core/src/main/java/io/serverlessworkflow/impl/auth/BearerAuthProvider.java

@@ -28,6 +28,7 @@
 import io.serverlessworkflow.impl.WorkflowModel;
 import io.serverlessworkflow.impl.WorkflowUtils;
 import io.serverlessworkflow.impl.WorkflowValueResolver;
+import java.net.URI;
 
 class BearerAuthProvider implements AuthProvider {
 
@@ -48,12 +49,12 @@ public BearerAuthProvider(
   }
 
   @Override
-  public String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+  public String content(WorkflowContext workflow, TaskContext task, WorkflowModel model, URI uri) {
     return tokenFilter.apply(workflow, task, model);
   }
 
   @Override
-  public String authScheme() {
+  public String scheme() {
     return "Bearer";
   }
 }

impl/core/src/main/java/io/serverlessworkflow/impl/auth/CommonOAuthProvider.java

@@ -25,6 +25,7 @@
 import io.serverlessworkflow.impl.WorkflowContext;
 import io.serverlessworkflow.impl.WorkflowModel;
 import io.serverlessworkflow.impl.WorkflowValueResolver;
+import java.net.URI;
 import java.util.Arrays;
 import java.util.Map;
 import java.util.ServiceLoader;
@@ -48,12 +49,12 @@ protected CommonOAuthProvider(WorkflowValueResolver<AccessTokenProvider> tokenPr
   }
 
   @Override
-  public String authParameter(WorkflowContext workflow, TaskContext task, WorkflowModel model) {
+  public String content(WorkflowContext workflow, TaskContext task, WorkflowModel model, URI uri) {
     return tokenProvider.apply(workflow, task, model).validateAndGet(workflow, task, model).token();
   }
 
   @Override
-  public String authScheme() {
+  public String scheme() {
     return "Bearer";
   }
 

impl/core/src/main/java/io/serverlessworkflow/impl/auth/DigestAuthProvider.java

@@ -0,0 +1,252 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.serverlessworkflow.impl.auth;
+
+import static io.serverlessworkflow.impl.WorkflowUtils.checkSecret;
+import static io.serverlessworkflow.impl.WorkflowUtils.secretProp;
+import static io.serverlessworkflow.impl.auth.AuthUtils.PASSWORD;
+import static io.serverlessworkflow.impl.auth.AuthUtils.USER;
+
+import io.serverlessworkflow.api.types.DigestAuthenticationPolicy;
+import io.serverlessworkflow.api.types.DigestAuthenticationProperties;
+import io.serverlessworkflow.api.types.Workflow;
+import io.serverlessworkflow.impl.TaskContext;
+import io.serverlessworkflow.impl.WorkflowApplication;
+import io.serverlessworkflow.impl.WorkflowContext;
+import io.serverlessworkflow.impl.WorkflowModel;
+import io.serverlessworkflow.impl.WorkflowUtils;
+import io.serverlessworkflow.impl.WorkflowValueResolver;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.Optional;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.stream.Collectors;
+
+class DigestAuthProvider implements AuthProvider {
+
+  private static final String NONCE = "nonce";
+  private static final String REALM = "realm";
+  private static final String QOP_KEY = "qop";
+  private static final String OPAQUE = "opaque";
+
+  private static class DigestServerInfo {
+
+    private Algorithm algorithm = Algorithm.MD5;
+    private String nonce;
+    private String opaque;
+    private String realm;
+    private Collection<QOP> qop = Set.of();
+
+    public static DigestServerInfo from(String header) {
+      DigestServerInfo serverInfo = new DigestServerInfo();
+      StringTokenizer tokenizer = new StringTokenizer(header);
+      while (tokenizer.hasMoreElements()) {
+        String token = tokenizer.nextToken();
+
+        int indexOf = token.indexOf("=");
+        if (indexOf != -1) {
+          String key = token.substring(0, indexOf).trim().toLowerCase();
+          String value = token.substring(indexOf + 1).trim();
+          switch (key) {
+            case "algorithm":
+              serverInfo.algorithm = Algorithm.valueOf(value.toUpperCase());
+              break;
+            case NONCE:
+              serverInfo.nonce = value;
+              break;
+            case OPAQUE:
+              serverInfo.opaque = value;
+              break;
+            case REALM:
+              serverInfo.realm = value;
+              break;
+            case QOP_KEY:
+              serverInfo.qop =
+                  Arrays.stream(value.split(","))
+                      .map(String::toUpperCase)
+                      .map(QOP::valueOf)
+                      .collect(Collectors.toCollection(() -> EnumSet.noneOf(QOP.class)));
+              break;
+          }
+        }
+      }
+      return serverInfo;
+    }
+
+    boolean isAuthQOP() {
+      return qop.contains(QOP.AUTH) || qop.contains(QOP.AUTH_INT);
+    }
+
+    Optional<String> qop() {
+      return qop.isEmpty()
+          ? Optional.empty()
+          : Optional.of(qop.iterator().next().toString().toLowerCase());
+    }
+  }
+
+  private static enum Algorithm {
+    MD5,
+    MD5SESSS
+  };
+
+  private static enum QOP {
+    AUTH,
+    AUTH_INT,
+  };
+
+  private final WorkflowValueResolver<String> userFilter;
+  private final WorkflowValueResolver<String> passwordFilter;
+  private final String method;
+
+  public DigestAuthProvider(
+      WorkflowApplication app,
+      Workflow workflow,
+      DigestAuthenticationPolicy authPolicy,
+      String method) {
+    DigestAuthenticationProperties properties =
+        authPolicy.getDigest().getDigestAuthenticationProperties();
+    if (properties != null) {
+      userFilter = WorkflowUtils.buildStringFilter(app, properties.getUsername());
+      passwordFilter = WorkflowUtils.buildStringFilter(app, properties.getPassword());
+    } else if (authPolicy.getDigest().getDigestAuthenticationPolicySecret() != null) {
+      String secretName =
+          checkSecret(workflow, authPolicy.getDigest().getDigestAuthenticationPolicySecret());
+      userFilter = (w, t, m) -> secretProp(w, secretName, USER);
+      passwordFilter = (w, t, m) -> secretProp(w, secretName, PASSWORD);
+    } else {
+      throw new IllegalStateException(
+          "Both secret and properties are null for digest authorization");
+    }
+    this.method = method;
+  }
+
+  @Override
+  public String scheme() {
+    return "Digest";
+  }
+
+  @Override
+  public String content(WorkflowContext workflow, TaskContext task, WorkflowModel model, URI uri) {
+    try {
+      HttpURLConnection connection = (HttpURLConnection) uri.toURL().openConnection();
+      connection.setRequestMethod(method);
+      int responseCode = connection.getResponseCode();
+      if (responseCode == 401) {
+        DigestServerInfo serverInfo =
+            DigestServerInfo.from(connection.getHeaderField("WWW-Authenticate"));
+        String userName = userFilter.apply(workflow, task, model);
+        String path = uri.getPath();
+        String ha1 =
+            calculateHash(userName, serverInfo.realm, passwordFilter.apply(workflow, task, model));
+
+        String nonceCount;
+        String clientNonce;
+        if (serverInfo.isAuthQOP() || serverInfo.algorithm == Algorithm.MD5SESSS) {
+          nonceCount = Integer.toString(nc.getAndIncrement());
+          clientNonce = getClientNonce(nonceCount);
+        } else {
+          nonceCount = null;
+          clientNonce = null;
+        }
+        String response;
+        if (serverInfo.algorithm == Algorithm.MD5SESSS) {
+          ha1 = calculateHash(ha1, serverInfo.nonce, clientNonce);
+        }
+        String ha2 = calculateHash(String.format("%s:%s", method, uri));
+        if (serverInfo.isAuthQOP()) {
+          response =
+              calculateHash(
+                  ha1,
+                  serverInfo.nonce,
+                  nonceCount,
+                  clientNonce,
+                  serverInfo.qop().orElseThrow(),
+                  ha2);
+        } else {
+          response = calculateHash(ha1, serverInfo.nonce, ha2);
+        }
+
+        return buildResponseInfo(serverInfo, userName, path, clientNonce, nonceCount, response);
+      } else {
+        throw new IllegalStateException(
+            "URI "
+                + uri
+                + " is not digest protected, it returned code "
+                + responseCode
+                + " when invoked without authentication header, but it should have returned 401 as per RFC 2617");
+      }
+    } catch (IOException io) {
+      throw new UncheckedIOException(io);
+    }
+  }
+
+  private String buildResponseInfo(
+      DigestServerInfo digestInfo,
+      String userName,
+      String uri,
+      String clientNonce,
+      String nonceCount,
+      String response) {
+    StringBuilder sb = new StringBuilder("username=" + userName);
+    addHeader(sb, "uri", uri);
+    addHeader(sb, "response", response);
+    addHeader(sb, NONCE, digestInfo.nonce);
+    addHeader(sb, REALM, digestInfo.realm);
+    if (digestInfo.opaque != null) {
+      addHeader(sb, OPAQUE, digestInfo.opaque);
+    }
+    digestInfo.qop().ifPresent(qop -> addHeader(sb, QOP_KEY, qop));
+
+    if (clientNonce != null) {
+      addHeader(sb, "cnonce", clientNonce);
+      addHeader(sb, "nc", nonceCount);
+    }
+    return sb.toString();
+  }
+
+  private StringBuilder addHeader(StringBuilder sb, String key, String value) {
+    return sb.append(',').append(key).append('=').append(value);
+  }
+
+  private static AtomicInteger nc = new AtomicInteger(1);
+
+  private static String getClientNonce(String nonceCount) {
+    return "impl-" + nonceCount;
+  }
+
+  private String calculateHash(String firstOne, String... strs) {
+    try {
+
+      MessageDigest md = MessageDigest.getInstance("MD5");
+      StringBuilder sb = new StringBuilder(firstOne);
+      for (String str : strs) {
+        sb.append(':').append(str);
+      }
+      return new String(md.digest(sb.toString().getBytes()));
+    } catch (NoSuchAlgorithmException ex) {
+      throw new UnsupportedOperationException("System is not supporting MD5!!!!", ex);
+    }
+  }
+}