Summary Table
| Categories |
Total Count |
| PII |
0 |
| URL |
0 |
| DNS |
0 |
| EKL |
0 |
| IP |
0 |
| PORT |
0 |
| VsID |
0 |
| CF |
0 |
| AI |
0 |
| VPD |
0 |
| PL |
0 |
| Other |
0 |
File Content
package gov.va.vamf.scheduling.varutility.security;
import gov.va.vamf.scheduling.varutility.domain.UserSecurityKey;
import gov.va.vamf.scheduling.varutility.domain.UserSecurityKeys;
import gov.va.vamf.scheduling.varutility.serializer.JSONJAXBContextResolver;
import gov.va.vamf.scheduling.varutility.utils.VarUtilityConstants;
import gov.va.vamf.security.v1.VamfJwtClaimsConstants;
import gov.va.vamf.security.v1.VamfUser;
import gov.va.vamf.security.v1.domain.VistaPairedAccount;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
@Service
public class AuthService {
@Value("${user.security.keys.fetch.uri}")
private String userSecurityKeysFetchUri;
@Value("${user.security.keys.session.uri}")
private String userServiceSessionUri;
@Autowired
private Client client;
private ObjectMapper objectMapper;
public AuthService() {
JSONJAXBContextResolver jsonjaxbContextResolver = new JSONJAXBContextResolver();
this.objectMapper = jsonjaxbContextResolver.getContext(UserSecurityKeys.class);
}
public void validateSupervisorKey(ContainerRequestContext crc) {
String xVamfHeader = crc.getHeaderString(VamfJwtClaimsConstants.VAMF_JWT_HEADER);
UserSecurityKeys userSecurityKeys = getUserSecurityKeysFromSession(xVamfHeader);
if (userSecurityKeys == null) {
VistaPairedAccount vpa = getVistaPairedAccount(crc);
if (vpa == null) {
throw new ForbiddenException("Access denied due to security policy.");
} else {
userSecurityKeys = fetchUserSecurityKeys(vpa.getSiteId(), vpa.getDuz(), xVamfHeader);
saveUserSecurityKeysToSession(userSecurityKeys, xVamfHeader);
}
}
if(!supervisorKeyFound(userSecurityKeys)) {
throw new ForbiddenException("Access denied due to security policy.");
}
}
private UserSecurityKeys fetchUserSecurityKeys(String siteId, String duz, String xVamfHeader) {
Map<String, String> pathParams = new HashMap<>();
pathParams.put("site-id", siteId);
pathParams.put("duz", duz);
URI uri = buildUri(userSecurityKeysFetchUri, pathParams);
String uriString = uri.toString();
return getRestClient()
.target(uriString)
.request()
.header(VamfJwtClaimsConstants.VAMF_JWT_HEADER, xVamfHeader)
.accept(MediaType.APPLICATION_JSON)
.get(UserSecurityKeys.class);
}
private Client getRestClient() {
return this.client;
}
private Boolean supervisorKeyFound(UserSecurityKeys userSecurityKeys) {
Boolean supervisorKeyFound = false;
for (UserSecurityKey key : userSecurityKeys) {
if (key.getName().equals(VarUtilityConstants.VISTA_USER_KEY_SD_SUPERVISOR)) {
supervisorKeyFound = true;
break;
}
}
return supervisorKeyFound;
}
private void saveUserSecurityKeysToSession(UserSecurityKeys userSecurityKeys, String xVamfHeader) {
String uriString = userServiceSessionUri;
String requestStr;
try {
requestStr = objectMapper.writeValueAsString(userSecurityKeys);
} catch (JsonProcessingException e) {
throw new WebApplicationException("Could not process json" + e.getMessage(), e);
}
getRestClient()
.target(uriString)
.request(MediaType.WILDCARD_TYPE)
.accept(MediaType.TEXT_PLAIN)
.header(VamfJwtClaimsConstants.VAMF_JWT_HEADER, xVamfHeader)
.put(Entity.entity(requestStr, MediaType.TEXT_PLAIN), String.class);
}
private UserSecurityKeys getUserSecurityKeysFromSession(String xVamfHeader) {
String uriString = userServiceSessionUri;
Response response = getRestClient()
.target(uriString)
.request(MediaType.TEXT_PLAIN)
.header(VamfJwtClaimsConstants.VAMF_JWT_HEADER, xVamfHeader)
.get();
if (response.getStatus() != Response.Status.OK.getStatusCode() ) {
return null;
}
String responseStr = response.readEntity(String.class);
UserSecurityKeys userSecurityKeys = null;
try {
userSecurityKeys = objectMapper.readValue(responseStr, UserSecurityKeys.class);
} catch (IOException e) {
throw new WebApplicationException("Could not process json" + e.getMessage(), e);
}
return userSecurityKeys;
}
private VistaPairedAccount getVistaPairedAccount(ContainerRequestContext crc) {
VistaPairedAccount vpa = null;
for (Cookie c : crc.getCookies().values())
{
if (c.getName().equals(VarUtilityConstants.VAMF_VISTA_ID_COOKIE_NAME)) {
String vistaId = c.getValue();
vpa = this.getVistaPairedAccountFromJwt(vistaId, crc.getHeaderString(VamfJwtClaimsConstants.VAMF_JWT_HEADER));
break;
}
}
return vpa;
}
private VistaPairedAccount getVistaPairedAccountFromJwt(String vistaId, String jwtString) {
VistaPairedAccount vistaPairedAccount = null;
VamfUser newUser = new VamfUser(jwtString);
for (VistaPairedAccount vpa : newUser.getVistaPairedAccounts()) {
if (vpa.getSiteId().equals(vistaId)) {
vistaPairedAccount = vpa;
break;
}
}
return vistaPairedAccount;
}
private URI buildUri(String url, Map<String, String> pathParams) {
return UriBuilder.fromUri(url).buildFromMap(pathParams);
}
}