in custos-services/custos-integration-services/user-management-service/src/main/java/org/apache/custos/user/management/interceptors/UserManagementAuthInterceptorImpl.java [59:494]
public <ReqT> ReqT intercept(String method, Metadata headers, ReqT msg) {
if (method.equals("addUserAttributes")) {
AddUserAttributesRequest userAttributesRequest = (AddUserAttributesRequest) msg;
headers = attachUserToken(headers, userAttributesRequest.getClientId());
Optional<AuthClaim> claim = authorize(headers, userAttributesRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
AuthToken token = getSAToken(claim.get().getIamAuthId(),
claim.get().getIamAuthSecret(), claim.get().getTenantId());
if (token == null || token.getAccessToken() == null) {
throw new UnAuthorizedException("Request is not authorized SA token is invalid", null);
}
return (ReqT) ((AddUserAttributesRequest) msg).toBuilder()
.setClientId(oauthId)
.setTenantId(tenantId)
.setAccessToken(token.getAccessToken())
.setPerformedBy(claim.get().getPerformedBy())
.build();
} else if (method.equals("deleteUserAttributes")) {
DeleteUserAttributeRequest userAttributesRequest = (DeleteUserAttributeRequest) msg;
headers = attachUserToken(headers, userAttributesRequest.getClientId());
Optional<AuthClaim> claim = authorize(headers, userAttributesRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
AuthToken token = getSAToken(claim.get().getIamAuthId(), claim.get().getIamAuthSecret(),
claim.get().getTenantId());
if (token == null || token.getAccessToken() == null) {
throw new UnAuthorizedException("Request is not authorized SA token is invalid", null);
}
return (ReqT) ((DeleteUserAttributeRequest) msg).toBuilder()
.setClientId(oauthId)
.setTenantId(tenantId)
.setAccessToken(token.getAccessToken())
.setPerformedBy(claim.get().getPerformedBy())
.build();
} else if (method.equals("addRolesToUsers")) {
AddUserRolesRequest userAttributesRequest = (AddUserRolesRequest) msg;
headers = attachUserToken(headers, userAttributesRequest.getClientId());
Optional<AuthClaim> claim = authorize(headers, userAttributesRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
AuthToken token = getSAToken(claim.get().getIamAuthId(), claim.get().getIamAuthSecret(),
claim.get().getTenantId());
if (token == null || token.getAccessToken() == null) {
throw new UnAuthorizedException("Request is not authorized SA token is invalid", null);
}
return (ReqT) ((AddUserRolesRequest) msg).toBuilder()
.setClientId(oauthId)
.setTenantId(tenantId)
.setAccessToken(token.getAccessToken())
.setPerformedBy(claim.get().getPerformedBy())
.build();
} else if (method.equals("registerAndEnableUsers")) {
RegisterUsersRequest registerUsersRequest = (RegisterUsersRequest) msg;
headers = attachUserToken(headers, registerUsersRequest.getClientId());
Optional<AuthClaim> claim = authorize(headers, registerUsersRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
String oauthSec = claim.get().getIamAuthSecret();
Optional<String> userTokenOp = getUserTokenFromUserTokenHeader(headers);
String userToken = null;
if (userTokenOp.isEmpty()) {
userToken = getToken(headers);
} else {
userToken = userTokenOp.get();
}
long tenantId = claim.get().getTenantId();
org.apache.custos.iam.service.RegisterUsersRequest registerUserRequest =
((RegisterUsersRequest) msg).toBuilder()
.setTenantId(tenantId)
.setClientId(oauthId)
.setAccessToken(userToken)
.setPerformedBy(claim.get().getPerformedBy())
.build();
return (ReqT) registerUserRequest;
} else if (method.equals("deleteUserRoles")) {
DeleteUserRolesRequest deleteUserRolesRequest = (DeleteUserRolesRequest) msg;
headers = attachUserToken(headers, deleteUserRolesRequest.getClientId());
Optional<AuthClaim> claim = authorize(headers, deleteUserRolesRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
AuthToken token = getSAToken(claim.get().getIamAuthId(), claim.get().getIamAuthSecret(),
claim.get().getTenantId());
if (token == null || token.getAccessToken() == null) {
throw new UnAuthorizedException("Request is not authorized SA token is invalid", null);
}
DeleteUserRolesRequest operationRequest = ((DeleteUserRolesRequest) msg)
.toBuilder()
.setClientId(oauthId)
.setAccessToken(token.getAccessToken())
.setTenantId(tenantId)
.setPerformedBy(claim.get().getPerformedBy().isEmpty() ? Constants.SYSTEM : claim.get().getPerformedBy())
.build();
return (ReqT) operationRequest;
} else if (method.equals("deleteUser") || method.equals("grantAdminPrivileges") ||
method.equals("removeAdminPrivileges")) {
UserSearchRequest userSearchRequest = (UserSearchRequest) msg;
headers = attachUserToken(headers, userSearchRequest.getClientId());
Optional<AuthClaim> claim =
validateRoleManagementAuthorizations(headers, userSearchRequest.getClientId());
String oauthId = claim.get().getIamAuthId();
String oauthSec = claim.get().getIamAuthSecret();
AuthToken token = getSAToken(claim.get().getIamAuthId(), claim.get().getIamAuthSecret(), claim.get().getTenantId());
if (token == null || token.getAccessToken() == null) {
throw new UnAuthorizedException("Request is not authorized SA token is invalid", null);
}
long tenantId = claim.get().getTenantId();
UserSearchRequest operationRequest = ((UserSearchRequest) msg)
.toBuilder()
.setClientId(oauthId)
.setClientSec(oauthSec)
.setTenantId(tenantId)
.setAccessToken(token.getAccessToken())
.setPerformedBy(Constants.SYSTEM)
.build();
return (ReqT) operationRequest;
} else if (method.equals("linkUserProfile")) {
String token = getToken(headers);
Optional<AuthClaim> claim = authorizeUsingUserToken(headers);
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
String oauthSec = claim.get().getIamAuthSecret();
long tenantId = claim.get().getTenantId();
LinkUserProfileRequest operationRequest = ((LinkUserProfileRequest) msg)
.toBuilder()
.setIamClientId(oauthId)
.setIamClientSecret(oauthSec)
.setTenantId(tenantId)
.setAccessToken(token)
.setPerformedBy(claim.get().getPerformedBy())
.build();
return (ReqT) operationRequest;
} else if (method.equals("deleteUserProfile")) {
UserProfileRequest request = (UserProfileRequest) msg;
Optional<AuthClaim> claim = authorize(headers, request.getClientId());
return claim.map(cl -> {
String oauthId = cl.getIamAuthId();
String oauthSec = cl.getIamAuthSecret();
long tenantId = cl.getTenantId();
return (ReqT) ((UserProfileRequest) msg).toBuilder()
.setClientId(oauthId)
.setClientSecret(oauthSec)
.setTenantId(tenantId)
.build();
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("registerUser")) {
RegisterUserRequest request = (RegisterUserRequest) msg;
Optional<AuthClaim> claim = authorize(headers, request.getClientId());
return claim.map(cl -> {
String oauthId = cl.getIamAuthId();
String oauthSec = cl.getIamAuthSecret();
long tenantId = cl.getTenantId();
org.apache.custos.iam.service.RegisterUserRequest registerUserRequest =
((RegisterUserRequest) msg).toBuilder()
.setTenantId(tenantId)
.setClientId(oauthId)
.setClientSec(oauthSec)
.build();
return (ReqT) registerUserRequest;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("enableUser") || method.equals("disableUser") ||
method.equals("isUserEnabled") || method.equals("isUsernameAvailable")) {
UserSearchRequest request = (UserSearchRequest) msg;
Optional<AuthClaim> claim = authorize(headers, request.getClientId());
return claim.map(cl -> {
String oauthId = cl.getIamAuthId();
String oauthSec = cl.getIamAuthSecret();
long tenantId = cl.getTenantId();
UserSearchRequest info = ((UserSearchRequest) msg)
.toBuilder()
.setClientId(oauthId)
.setClientSec(oauthSec)
.setTenantId(tenantId)
.build();
return (ReqT) info;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("getUserProfile")) {
UserProfileRequest req = (UserProfileRequest) msg;
Optional<AuthClaim> claim = authorize(headers, req.getClientId());
return claim.map(cl -> {
long tenantId = cl.getTenantId();
UserProfileRequest request = ((UserProfileRequest) msg)
.toBuilder()
.setTenantId(tenantId).build();
return (ReqT) request;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("getAllUserProfilesInTenant")) {
UserProfileRequest req = (UserProfileRequest) msg;
Optional<AuthClaim> claim = authorize(headers, req.getClientId());
return claim.map(cl -> {
long tenantId = cl.getTenantId();
UserProfileRequest request = ((UserProfileRequest) msg)
.toBuilder().setTenantId(tenantId).build();
return (ReqT) request;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("getUserProfileAuditTrails")) {
Optional<AuthClaim> claim = authorize(headers);
return claim.map(cl -> {
long tenantId = cl.getTenantId();
GetUpdateAuditTrailRequest request = ((GetUpdateAuditTrailRequest) msg)
.toBuilder()
.setTenantId(tenantId)
.build();
return (ReqT) request;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("resetPassword")) {
ResetUserPassword req = (ResetUserPassword) msg;
Optional<AuthClaim> claim = authorize(headers, req.getClientId());
return claim.map(cl -> {
String oauthId = cl.getIamAuthId();
String oauthSec = cl.getIamAuthSecret();
long tenantId = cl.getTenantId();
ResetUserPassword request = ((ResetUserPassword) msg)
.toBuilder()
.setClientId(oauthId)
.setClientSec(oauthSec)
.setTenantId(tenantId)
.build();
return (ReqT) request;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("getUser")) {
UserSearchRequest req = (UserSearchRequest) msg;
Optional<AuthClaim> claim = authorize(headers, req.getClientId());
return claim.map(cl -> {
String oauthId = cl.getIamAuthId();
String oauthSec = cl.getIamAuthSecret();
long tenantId = cl.getTenantId();
UserSearchRequest request = ((UserSearchRequest) msg)
.toBuilder()
.setClientId(oauthId)
.setTenantId(tenantId)
.setClientSec(oauthSec)
.build();
return (ReqT) request;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("findUsers")) {
FindUsersRequest req = (FindUsersRequest) msg;
Optional<AuthClaim> claim = authorize(headers, req.getClientId());
return claim.map(cl -> {
String oauthId = cl.getIamAuthId();
String oauthSec = cl.getIamAuthSecret();
long tenantId = cl.getTenantId();
FindUsersRequest request = ((FindUsersRequest) msg)
.toBuilder()
.setClientId(oauthId)
.setClientSec(oauthSec)
.setTenantId(tenantId).build();
return (ReqT) request;
}).orElseThrow(() -> {
throw new UnAuthorizedException("Request is not authorized", null);
});
} else if (method.equals("updateUserProfile")) {
UserProfileRequest userProfileRequest = (UserProfileRequest) msg;
Optional<AuthClaim> claim = authorize(headers, userProfileRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
String oauthSec = claim.get().getIamAuthSecret();
long tenantId = claim.get().getTenantId();
AuthToken token = getSAToken(claim.get().getIamAuthId(), claim.get().getIamAuthSecret(), claim.get().getTenantId());
if (token == null || token.getAccessToken() == null) {
throw new UnAuthorizedException("Request is not authorized SA token is invalid", null);
}
return (ReqT) ((UserProfileRequest) msg).toBuilder()
.setAccessToken(token.getAccessToken())
.setTenantId(tenantId)
.setClientId(oauthId)
.setClientSecret(oauthSec)
.setPerformedBy(Constants.SYSTEM)
.build();
} else if (method.equals("deleteExternalIDPsOfUsers")) {
DeleteExternalIDPsRequest deleteExternalIDPsRequest = (DeleteExternalIDPsRequest) msg;
Optional<AuthClaim> claim = authorize(headers, deleteExternalIDPsRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
return (ReqT) ((DeleteExternalIDPsRequest) msg).toBuilder()
.setTenantId(tenantId)
.setClientId(oauthId)
.build();
} else if (method.equals("getExternalIDPsOfUsers")) {
GetExternalIDPsRequest getExternalIDPsRequest = (GetExternalIDPsRequest) msg;
Optional<AuthClaim> claim = authorize(headers, getExternalIDPsRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
return (ReqT) ((GetExternalIDPsRequest) msg).toBuilder()
.setTenantId(tenantId)
.setClientId(oauthId)
.build();
} else if (method.equals("addExternalIDPsOfUsers")) {
AddExternalIDPLinksRequest getExternalIDPsRequest = (AddExternalIDPLinksRequest) msg;
Optional<AuthClaim> claim = authorize(headers, getExternalIDPsRequest.getClientId());
if (claim.isEmpty()) {
throw new UnAuthorizedException("Request is not authorized", null);
}
String oauthId = claim.get().getIamAuthId();
long tenantId = claim.get().getTenantId();
return (ReqT) ((AddExternalIDPLinksRequest) msg).toBuilder()
.setTenantId(tenantId)
.setClientId(oauthId)
.build();
}
return msg;
}