catalog: fix AuthenticationManager implementation, #TASK-7192

pfurio · pfurio · commit 0f799ec8a4d6 · 2025-01-21T15:13:42.000+01:00
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/AuthenticationManager.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/AuthenticationManager.java
@@ -79,20 +79,6 @@ Key converStringToKeyObject(String keyString, String jcaAlgorithm) {
     public abstract AuthenticationResponse authenticate(String organizationId, String userId, String password)
             throws CatalogAuthenticationException;
 
-    /**
-     * Authenticate the user against the Authentication server.
-     *
-     * @param organizationId Organization id.
-     * @param userId         User to authenticate
-     * @param password       Password.
-     * @param secretKey      Secret key to apply to the token.
-     * @return AuthenticationResponse object.
-     * @throws CatalogAuthenticationException CatalogAuthenticationException if any of the credentials are wrong or the access is denied
-     *                                        for any other reason.
-     */
-    public abstract AuthenticationResponse authenticate(String organizationId, String userId, String password, String secretKey)
-            throws CatalogAuthenticationException;
-
     /**
      * Authenticate the user against the Authentication server.
      *
@@ -114,19 +100,15 @@ public AuthenticationResponse refreshToken(String refreshToken) throws CatalogAu
      * Validates that the token is valid.
      *
      * @param token     token that have been assigned to a user.
-     * @param secretKey secret key to be used for the token validation (may be null).
+     * @param securityKey key used to fully ensure it corresponds to that user.
      * @throws CatalogAuthenticationException when the token does not correspond to any user, is expired or has been altered.
      */
-    public void validateToken(String token, @Nullable String secretKey) throws CatalogAuthenticationException {
+    public void validateToken(String token, @Nullable String securityKey) throws CatalogAuthenticationException {
         if (StringUtils.isEmpty(token) || "null".equalsIgnoreCase(token)) {
             throw new CatalogAuthenticationException("Token is null or empty.");
         }
-        Key privateKey = null;
-        if (secretKey != null) {
-            privateKey = converStringToKeyObject(secretKey, jwtManager.getAlgorithm().getJcaName());
-        }
 
-        jwtManager.validateToken(token, privateKey);
+        jwtManager.validateToken(token);
     }
 
     /**
@@ -208,20 +190,7 @@ public abstract void changePassword(String organizationId, String userId, String
      * @return A token.
      */
     public String createToken(String organizationId, String userId) throws CatalogAuthenticationException {
-        return createToken(organizationId, userId, Collections.emptyMap(), expiration, (Key) null);
-    }
-
-    /**
-     * Create a token for the user with default expiration time.
-     *
-     * @param organizationId Organization id.
-     * @param userId         user.
-     * @param secretKey      secret key to be used for the token generation.
-     * @throws CatalogAuthenticationException CatalogAuthenticationException
-     * @return A token.
-     */
-    public String createToken(String organizationId, String userId, String secretKey) throws CatalogAuthenticationException {
-        return createToken(organizationId, userId, Collections.emptyMap(), expiration, secretKey);
+        return createToken(organizationId, userId, Collections.emptyMap(), expiration);
     }
 
     /**
@@ -234,57 +203,7 @@ public String createToken(String organizationId, String userId, String secretKey
      * @return A token.
      */
     public String createToken(String organizationId, String userId, Map<String, Object> claims) throws CatalogAuthenticationException {
-        return createToken(organizationId, userId, claims, expiration, (Key) null);
-    }
-
-    /**
-     * Create a token for the user with default expiration time.
-     *
-     * @param organizationId Organization id.
-     * @param userId         user.
-     * @param claims         claims.
-     * @param secretKey      secret key to be used for the token generation.
-     * @throws CatalogAuthenticationException CatalogAuthenticationException
-     * @return A token.
-     */
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, String secretKey)
-            throws CatalogAuthenticationException {
-        return createToken(organizationId, userId, claims, expiration, secretKey);
-    }
-
-    /**
-     * Create a token for the user.
-     *
-     * @param organizationId Organization id.
-     * @param userId         user.
-     * @param claims         claims.
-     * @param expiration     Expiration time in seconds.
-     * @throws CatalogAuthenticationException CatalogAuthenticationException
-     * @return A token.
-     */
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration)
-            throws CatalogAuthenticationException {
-        return createToken(organizationId, userId, claims, expiration, (Key) null);
-    }
-
-    /**
-     * Create a token for the user.
-     *
-     * @param organizationId Organization id.
-     * @param userId         user.
-     * @param claims         claims.
-     * @param expiration     Expiration time in seconds.
-     * @param secretKey      Secret key to be used for the token generation.
-     * @throws CatalogAuthenticationException CatalogAuthenticationException
-     * @return A token.
-     */
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration, String secretKey)
-            throws CatalogAuthenticationException {
-        Key privateKey = null;
-        if (secretKey != null) {
-            privateKey = converStringToKeyObject(secretKey, jwtManager.getAlgorithm().getJcaName());
-        }
-        return createToken(organizationId, userId, claims, expiration, privateKey);
+        return createToken(organizationId, userId, claims, expiration);
     }
 
     /**
@@ -294,11 +213,10 @@ public String createToken(String organizationId, String userId, Map<String, Obje
      * @param userId         user.
      * @param claims         claims.
      * @param expiration     Expiration time in seconds.
-     * @param secretKey      Secret key to be used for the token generation.
      * @throws CatalogAuthenticationException CatalogAuthenticationException
      * @return A token.
      */
-    public abstract String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration, Key secretKey)
+    public abstract String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration)
             throws CatalogAuthenticationException;
 
     /**
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/AzureADAuthenticationManager.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/AzureADAuthenticationManager.java
@@ -50,7 +50,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
-import java.security.Key;
 import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -261,12 +260,6 @@ public AuthenticationResponse authenticate(String organizationId, String userId,
         }
     }
 
-    @Override
-    public AuthenticationResponse authenticate(String organizationId, String userId, String password, String secretKey)
-            throws CatalogAuthenticationException {
-        throw new UnsupportedOperationException("AzureAD creates its own tokens. Please, call to the other authenticate method.");
-    }
-
     @Override
     public AuthenticationResponse refreshToken(String refreshToken) throws CatalogAuthenticationException {
         AuthenticationContext context;
@@ -429,7 +422,7 @@ public void newPassword(String organizationId, String userId, String newPassword
     }
 
     @Override
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration, Key secretKey) {
+    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration) {
         // Tokens are generated by Azure via authorization code or user-password
         throw new UnsupportedOperationException("Tokens are generated by Azure via authorization code or user-password");
     }
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/CatalogAuthenticationManager.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/CatalogAuthenticationManager.java
@@ -84,17 +84,6 @@ public AuthenticationResponse authenticate(String organizationId, String userId,
         }
     }
 
-    @Override
-    public AuthenticationResponse authenticate(String organizationId, String userId, String password, String secretKey)
-            throws CatalogAuthenticationException {
-        try {
-            dbAdaptorFactory.getCatalogUserDBAdaptor(organizationId).authenticate(userId, password);
-            return new AuthenticationResponse(createToken(organizationId, userId, secretKey));
-        } catch (CatalogDBException e) {
-            throw new CatalogAuthenticationException("Could not validate '" + userId + "' password\n" + e.getMessage(), e);
-        }
-    }
-
     @Override
     public List<User> getUsersFromRemoteGroup(String group) throws CatalogException {
         throw new UnsupportedOperationException();
@@ -121,19 +110,18 @@ public void newPassword(String organizationId, String userId, String newPassword
     }
 
     @Override
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration, Key secretKey)
+    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration)
             throws CatalogAuthenticationException {
         List<JwtPayload.FederationJwtPayload> federations = getFederations(organizationId, userId);
         return jwtManager.createJWTToken(organizationId, AuthenticationOrigin.AuthenticationType.OPENCGA, userId, claims, federations,
-                secretKey, expiration);
+                expiration);
     }
 
     @Override
     public String createNonExpiringToken(String organizationId, String userId, Map<String, Object> claims)
             throws CatalogAuthenticationException {
         List<JwtPayload.FederationJwtPayload> federations = getFederations(organizationId, userId);
-        return jwtManager.createJWTToken(organizationId, AuthenticationOrigin.AuthenticationType.OPENCGA, userId, claims, federations,
-                null, 0L);
+        return jwtManager.createJWTToken(organizationId, AuthenticationOrigin.AuthenticationType.OPENCGA, userId, claims, federations, 0L);
     }
 
     @Override
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/JwtManager.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/JwtManager.java
@@ -90,8 +90,7 @@ public JwtManager setPublicKey(Key publicKey) {
     }
 
     public String createJWTToken(String organizationId, AuthenticationOrigin.AuthenticationType type, String userId,
-                                 Map<String, Object> claims, List<JwtPayload.FederationJwtPayload> federations, Key secretKey,
-                                 long expiration) {
+                                 Map<String, Object> claims, List<JwtPayload.FederationJwtPayload> federations, long expiration) {
         long currentTime = System.currentTimeMillis();
 
         JwtBuilder jwtBuilder = Jwts.builder();
@@ -109,7 +108,7 @@ public String createJWTToken(String organizationId, AuthenticationOrigin.Authent
                 .setAudience(organizationId)
                 .setIssuer("OpenCGA")
                 .setIssuedAt(new Date(currentTime))
-                .signWith(secretKey != null ? secretKey : privateKey, algorithm);
+                .signWith(privateKey, algorithm);
 
         // Set the expiration in number of seconds only if 'expiration' is greater than 0
         if (expiration > 0) {
@@ -123,10 +122,6 @@ public void validateToken(String token) throws CatalogAuthenticationException {
         parseClaims(token);
     }
 
-    public void validateToken(String token, Key publicKey) throws CatalogAuthenticationException {
-        parseClaims(token, publicKey);
-    }
-
     public JwtPayload getPayload(String token) throws CatalogAuthenticationException {
         Claims body = parseClaims(token).getBody();
         return new JwtPayload(body.getSubject(), body.getAudience(), getAuthOrigin(body), body.getIssuer(), body.getIssuedAt(),
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/LDAPAuthenticationManager.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/LDAPAuthenticationManager.java
@@ -171,30 +171,6 @@ public AuthenticationResponse authenticate(String organizationId, String userId,
         return new AuthenticationResponse(createToken(organizationId, userId, claims));
     }
 
-    @Override
-    public AuthenticationResponse authenticate(String organizationId, String userId, String password, String secretKey)
-            throws CatalogAuthenticationException {
-        Map<String, Object> claims = new HashMap<>();
-
-        List<Attributes> userInfoFromLDAP = getUserInfoFromLDAP(Arrays.asList(userId), usersSearch);
-        if (userInfoFromLDAP.isEmpty()) {
-            throw new CatalogAuthenticationException("LDAP: The user id " + userId + " could not be found.");
-        }
-
-        String rdn = getDN(userInfoFromLDAP.get(0));
-        claims.put(OPENCGA_DISTINGUISHED_NAME, rdn);
-
-        // Attempt to authenticate
-        Hashtable<String, Object> env = getEnv(rdn, password);
-        try {
-            getDirContext(env).close();
-        } catch (NamingException e) {
-            throw wrapException(e);
-        }
-
-        return new AuthenticationResponse(createToken(organizationId, userId, claims, secretKey));
-    }
-
     @Override
     public List<User> getUsersFromRemoteGroup(String group) throws CatalogException {
         List<String> usersFromLDAP = getUsersFromLDAPGroup(group, groupsSearch);
@@ -261,17 +237,17 @@ public void newPassword(String organizationId, String userId, String newPassword
     }
 
     @Override
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration, Key secretKey)
+    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration)
             throws CatalogAuthenticationException {
         List<JwtPayload.FederationJwtPayload> federations = getFederations(organizationId, userId);
-        return jwtManager.createJWTToken(organizationId, AuthenticationType.LDAP, userId, claims, federations, secretKey, expiration);
+        return jwtManager.createJWTToken(organizationId, AuthenticationType.LDAP, userId, claims, federations, expiration);
     }
 
     @Override
     public String createNonExpiringToken(String organizationId, String userId, Map<String, Object> claims)
             throws CatalogAuthenticationException {
         List<JwtPayload.FederationJwtPayload> federations = getFederations(organizationId, userId);
-        return jwtManager.createJWTToken(organizationId, AuthenticationType.LDAP, userId, claims, federations, null, 0L);
+        return jwtManager.createJWTToken(organizationId, AuthenticationType.LDAP, userId, claims, federations, 0L);
     }
 
     /* Private methods */
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/SSOAuthenticationManager.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/SSOAuthenticationManager.java
@@ -42,12 +42,6 @@ public AuthenticationResponse authenticate(String organizationId, String userId,
         throw new NotImplementedException("Authentication should be done through SSO");
     }
 
-    @Override
-    public AuthenticationResponse authenticate(String organizationId, String userId, String password, String secretKey)
-            throws CatalogAuthenticationException {
-        throw new NotImplementedException("Authentication should be done through SSO");
-    }
-
     @Override
     public List<User> getUsersFromRemoteGroup(String group) throws CatalogException {
         throw new NotImplementedException("Operation not implemented");
@@ -79,19 +73,18 @@ public void newPassword(String organizationId, String userId, String newPassword
     }
 
     @Override
-    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration, Key secretKey)
+    public String createToken(String organizationId, String userId, Map<String, Object> claims, long expiration)
             throws CatalogAuthenticationException {
         List<JwtPayload.FederationJwtPayload> federations = getFederations(organizationId, userId);
         return jwtManager.createJWTToken(organizationId, AuthenticationOrigin.AuthenticationType.SSO, userId, claims, federations,
-                secretKey, expiration);
+                expiration);
     }
 
     @Override
     public String createNonExpiringToken(String organizationId, String userId, Map<String, Object> claims)
             throws CatalogAuthenticationException {
         List<JwtPayload.FederationJwtPayload> federations = getFederations(organizationId, userId);
-        return jwtManager.createJWTToken(organizationId, AuthenticationOrigin.AuthenticationType.SSO, userId, claims, federations, null,
-                0L);
+        return jwtManager.createJWTToken(organizationId, AuthenticationOrigin.AuthenticationType.SSO, userId, claims, federations, 0L);
     }
 
     @Override
diff --git a/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/azure/AuthenticationFactory.java b/opencga-catalog/src/main/java/org/opencb/opencga/catalog/auth/authentication/azure/AuthenticationFactory.java
@@ -105,28 +105,23 @@ public String createToken(String organizationId, String authOriginId, String use
 
     public void validateToken(String organizationId, Account.AuthenticationOrigin authenticationOrigin, JwtPayload jwtPayload)
             throws CatalogException {
-        String secretKey = null;
+        String securityKey = null;
         if (authenticationOrigin.isFederation()) {
-            // The user is a federated user, so we need to use a different secret key
-            secretKey = getFederationSecretKey(organizationId, jwtPayload.getUserId());
+            // The user is a federated user, so the token should have been encrypted using the security key
+            securityKey = getFederationSecurityKey(organizationId, jwtPayload.getUserId());
         }
-        getOrganizationAuthenticationManager(organizationId, authenticationOrigin.getId()).validateToken(jwtPayload.getToken(), secretKey);
+        getOrganizationAuthenticationManager(organizationId, authenticationOrigin.getId()).validateToken(jwtPayload.getToken(),
+                securityKey);
     }
 
     public AuthenticationResponse authenticate(String organizationId, Account.AuthenticationOrigin authenticationOrigin, String userId,
                                                String password) throws CatalogException {
         AuthenticationManager organizationAuthenticationManager = getOrganizationAuthenticationManager(organizationId,
                 authenticationOrigin.getId());
-        if (authenticationOrigin.isFederation()) {
-            // The user is a federated user, so we need to use a different secret key
-            String secretKey = getFederationSecretKey(organizationId, userId);
-            return organizationAuthenticationManager.authenticate(organizationId, userId, password, secretKey);
-        } else {
-            return organizationAuthenticationManager.authenticate(organizationId, userId, password);
-        }
+        return organizationAuthenticationManager.authenticate(organizationId, userId, password);
     }
 
-    private String getFederationSecretKey(String organizationId, String userId) throws CatalogException {
+    private String getFederationSecurityKey(String organizationId, String userId) throws CatalogException {
         QueryOptions options = new QueryOptions(QueryOptions.INCLUDE, OrganizationDBAdaptor.QueryParams.FEDERATION.key());
         Organization organization = catalogDBAdaptorFactory.getCatalogOrganizationDBAdaptor(organizationId).get(options).first();
         if (organization.getFederation() == null) {
diff --git a/opencga-catalog/src/test/java/org/opencb/opencga/catalog/auth/authentication/JwtSessionManagerTest.java b/opencga-catalog/src/test/java/org/opencb/opencga/catalog/auth/authentication/JwtSessionManagerTest.java
@@ -53,7 +53,7 @@ public void setUp() throws Exception  {
 
     @Test
     public void testCreateJWTToken() throws Exception {
-        jwtToken = jwtSessionManager.createJWTToken(organizationId, null, "testUser", Collections.emptyMap(), null, null, 60L);
+        jwtToken = jwtSessionManager.createJWTToken(organizationId, null, "testUser", Collections.emptyMap(), null, 60L);
     }
 
     @Test
@@ -81,7 +81,7 @@ public void testInvalidSecretKey() throws CatalogAuthenticationException {
 
     @Test
     public void testNonExpiringToken() throws CatalogException {
-        String nonExpiringToken = jwtSessionManager.createJWTToken(organizationId, null, "System", null, null, null, -1L);
+        String nonExpiringToken = jwtSessionManager.createJWTToken(organizationId, null, "System", null, null, -1L);
         assertEquals(jwtSessionManager.getUser(nonExpiringToken), "System");
         assertNull(jwtSessionManager.getExpiration(nonExpiringToken));
     }

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public void setUp() throws Exception {`
`53`	`53`
`54`	`54`	`@Test`
`55`	`55`	`public void testCreateJWTToken() throws Exception {`
`56`		`- jwtToken = jwtSessionManager.createJWTToken(organizationId, null, "testUser", Collections.emptyMap(), null, null, 60L);`
	`56`	`+ jwtToken = jwtSessionManager.createJWTToken(organizationId, null, "testUser", Collections.emptyMap(), null, 60L);`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`@Test`
`@@ -81,7 +81,7 @@ public void testInvalidSecretKey() throws CatalogAuthenticationException {`
`81`	`81`
`82`	`82`	`@Test`
`83`	`83`	`public void testNonExpiringToken() throws CatalogException {`
`84`		`- String nonExpiringToken = jwtSessionManager.createJWTToken(organizationId, null, "System", null, null, null, -1L);`
	`84`	`+ String nonExpiringToken = jwtSessionManager.createJWTToken(organizationId, null, "System", null, null, -1L);`
`85`	`85`	`assertEquals(jwtSessionManager.getUser(nonExpiringToken), "System");`
`86`	`86`	`assertNull(jwtSessionManager.getExpiration(nonExpiringToken));`
`87`	`87`	`}`